Virtual1 (en-GB)

How strong is your patch-game?

20/11/2020

So, what do we mean when we talk about patching. Patching, in a nutshell is a set of changes to a computer programme or its supporting data to update, fix or improve it. Most people use patching to fix potential security vulnerabilities or other issues that put them, or their business at risk.

However, anyone who’s ever had responsibility for patching – usually a company’s IT department – knows that what might sound like a quick-fix job, rarely plays out this way in practice.

Patching your processes can cause a whole host of challenges, which is the reason companies can’t do it every second of every day. Whether it’s the challenges that arise from the associated costs of patching – like anything, patching takes time and money – the risks associated with messing with IT systems or, the permissions required to undertake a patch roll-out, it’s wise to plan your patching carefully to mitigate any potential issues. But how?

First, let’s look at why we patch.

Patching is crucial. Whether your business is big or small, patching remains the single, critical thing to protect your company’s digital assets. Applying patches quickly, and as required, lessens the threat of cybercriminals gaining unauthorised access to your company’s devices and data. That is, as long as it’s done properly.

But what if you’re on a reliable version of software where the device does everything you want it to?

"If it's not broke, don't fix it" – right? Wrong.

Miscreants on the internet are always poking around trying to break things and the chances are, if a vulnerability exists, this will come to light through a security bulletin from the vendor or a third-party security alerts service. At this point, you'll want to apply a patch to fix it and keep your systems as secure as possible.

Why? Because 60% of security breaches involve vulnerabilities for which a patch was available, but not applied,* and you don’t want your company to get caught out.

New system features are another key reason to patch, but that’s an obvious one.

The other reason to patch is to resolve a bug. It might be one that you’re experiencing that is causing issues or, one that a work-around was applied to, but now you want the "official" fix.

Lastly, there is the fact that the protocols used on the internet are not generally "standards" as we know the term but simply "agreements" between vendors via the Internet Engineering Task Force (IETF). This means that one vendor’s implementation may differ from the next. These differences can be resolved in time, but it takes a new patch to benefit from them. So you would patch to prevent experiencing these incompatibilities.

So, when should you patch – and how often?

Patching generally comes in major releases with significant new functionality, and minor releases, which are usually quick-fixes or minor capability requested by a niche of the vendor's customers.

Patches are also generally graded as "long-term support" and more interim ones. Organisations with a large number of devices tend to prefer the long-term versions of support. This is because the patches can be done less frequently and will have perhaps been more rigorously tested before being issued than the less significant ones (less patching is quite often a good thing).

So, assuming you haven't had to fix an issue and there hasn't been a security alert that needed responding to, the patch timetable is driven by "new features vs risk of change".

For network equipment, a quarterly review is ideal – with the intention to do one major update every 12-18 months to maintain a good support level. Minor revisions can happen more frequently but are driven purely by necessity. For infrastructure firmware for things like blade servers, twice a year is fine as the risk to change usually outweighs any functional benefits.

However, whatever route you choose to take to support your company’s patching needs, the infrequency of the ‘patch timetable’ means it’s not always easy to stay on top of. Patching, quite simply, can be a pain in the neck – but one no company can afford to ignore! This is especially true when we consider that 20% of vulnerabilities exposed by unpatched software are classified as high risk or critical to businesses.*

Enter, centralised proactive patching…

The invention of integrated data protection and security services is helping companies toughen up their processes by pre-empting cyber threat before it happens.

New creations like CyberProtect are guaranteeing businesses minimal downtime by providing centralised patching to protect software, streamline maintenance routines and reap proactive protection for their critical data and processes.

CyberProtect will help you protect all of you devices using just one agent to deliver anti-malware, backup, remote desktop, and patching.

In today’s digital world, where cyberthreat is understandably on the up, it’s no surprise that proven secure, centralised patch management and proactive protection is key to businesses survival.

How to strengthen your defences

While patching is recommended periodically, there are also tactics you can enforce within your systems to reduce your overall patching needs. These are particularly helpful when patching becomes a difficult or even, impossible task, as a result of your system permissions. These procedures include:

  • Setting out business continuity plans: for any potential system downtime, it’s wise to have pre-prepared (and pre-practiced) incident response plans in place to maintain your service integrity and availability at all times.
  • Backing up your critical data: make sure that all of your backups are separate from your computer hardware, recent, and able to be restored as required. This will deter any issues with bugs or loss of data on your primary hardware and let you restore your data quickly when required! (DataProtect+ can help you do this).
  • Setting stricter security measures: by putting in processes that help recognise unexpected changes and issues with your systems, as they occur, you can resolve your clean up quicker.
  • Strengthening your set-up: using programmes with predesigned security goals like CyberProtect, with dedicated technical teams that have the skills to design, review and address security risk, you make any disruption from outside factors very difficult.

To learn more about patching or how you can better protect your company’s critical systems and data, contact your account manager or email marketing@virtual1.com and discover how we can support your company’s security needs.

*Sources: CSO Online; Edgescan Stats report