We’ve seen very public examples of what happens when patching hasn’t been implemented: WannaCry, Petya/NotPetya, Meltdown and Spectre…….. the list goes on. Despite this, we find that many organisations we speak to have let their patching regime slide.
The problem isn’t always lack of resources. For some, patching has been put off for so long that it’s now almost impossible to tackle. We came across one organisation recently whose combination of in-house and outsourced systems meant that patching was simply too difficult, so some areas had not been patched for five years. Embedded systems are another frequent source of problems, as we found when we helped our customers address Meltdown and Spectre.
Finally, and let’s be honest, patching is boring, and in the majority of cases it won’t be fixing a serious vulnerability. This means that for many IT teams it’s continually pushed down the ‘to-do’ list by more interesting and seemingly more urgent tasks.
Of course, sometimes when a patch has been announced the hole may already have been exploited. However, the actual announcement publicises a vulnerability to every hacker out there, so the longer you put off remediation, the greater the risk that it will be exploited and your organisation will become a victim.
We’ve come across patching problems so often that we’ve created our own cloud-based solution: Patch Management as a Service. If patching is becoming a problem for your organisation, this might be what you need. In our experience, hot patching has minimal impact on cloud performance.
Whether or not you decide to consider this, we have six tips to help you get on top of patching. The first step is to assess your organisation’s appetite for risk and plan accordingly. You should then prioritise business critical systems, ensure that all internet facing systems are protected and of course remember middleware and applications, including Flash Player, Acrobat Reader etc. Step five is to look for ways to save time by automating patching using tools such as SCCM or use a managed service such as ours. There are more details in my recent article.
Finally, be realistic, and accept that one day you may be breached. As a minimum, you should have a cyber security incident response procedure in place, a back-up of all business-critical systems and a tested and proven disaster recovery plan.