Vishal, our Head of Products, contributed to Computer Weekly's Security Think Tank and provided tips to help small businesses develop a concrete patch management strategy.
What strategies can companies adopt to help keep up with and deal with the huge volume of software updates they are facing?
Although patch management plays a critical role in minimising the business risk caused by outdated software in any IT infrastructure, the very mention of it worries many companies and their IT departments. That worry often turns into inaction, and many organisations end up with systems that are well out of date while the backlog of patches for known vulnerabilities, some with public exploits, grows increasingly overwhelming.
Whether you are looking to introduce patch management or already have a policy in place, here are some tips which will help develop a concrete strategy:
1. Know your software and devices
The most important part of any patch management strategy is knowing which devices and software exist within your organisation. Create an inventory of all machines, the software and versions installed on them, and any external systems or services that may access them, including mobile devices. Keep this inventory up to date as part of your patch management procedure; a stale inventory is as good as none. It sounds simple, but if you don't know what you have, you won't know what to patch!
2. Identify and prioritise
Patch management is overwhelming but becomes more manageable once organisations accept that not every available patch needs to go out on every cycle. To understand the extent of your patch management scope, identify the patches available for the software in your inventory and list the updates that are absolutely necessary, prioritising those that resolve major vulnerabilities, especially on systems that are internet-facing or business critical. You will often find that multiple fixes are bundled into a service pack or cumulative update, which removes the need to apply hundreds of patches individually. The key is to minimise the amount of patching you are required to undertake, whilst not compromising the security of your organisation.
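The following is an added example, not code from the original article or from its author, showing how steps 1 and 2 fit together: an asset inventory with installed versions, a list of available patches, and a ranking that scores each outstanding patch by severity and by how exposed or important the affected machine is, while dropping patches that a cumulative update already rolls up. The asset names, product names, versions, patch IDs and severity ratings are all constructed sample data, not real systems or real advisories.

```python
"""Added example (not from the original article): rank outstanding patches
against a small constructed asset inventory.

All assets, products, versions, patch IDs and severities below are
constructed for illustration and do not describe real software or advisories.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    software: Dict[str, str]              # product -> installed version
    internet_facing: bool = False         # reachable from the internet
    business_critical: bool = False       # outage hurts the business


@dataclass
class Patch:
    patch_id: str
    product: str
    fixes_version: str                    # installs below this are affected
    severity: str                         # "critical" / "high" / "medium" / "low"
    supersedes: List[str] = field(default_factory=list)  # older patch IDs it rolls up


SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed inventory (step 1): what we have and what is installed on it.
ASSETS = [
    Asset("web-01", {"nginx": "1.18.0", "openssl": "3.0.7"},
          internet_facing=True, business_critical=True),
    Asset("ws-finance", {"officeapp": "16.0.1", "browser": "99.0"},
          business_critical=True),
    Asset("lab-pc", {"browser": "101.0"}),
]

# Constructed list of available patches (step 2 input).
PATCHES = [
    Patch("P-001", "nginx", "1.20.0", "high"),
    Patch("P-002", "openssl", "3.0.8", "critical"),
    Patch("P-003", "browser", "100.0", "high"),
    Patch("P-004", "browser", "102.0", "medium", supersedes=["P-003"]),  # cumulative update
    Patch("P-005", "officeapp", "16.0.2", "low"),
]


def version_key(version: str) -> Tuple[int, ...]:
    """Compare dotted numeric versions as tuples, so 1.18.0 < 1.20.0."""
    return tuple(int(part) for part in version.split("."))


def needed_patches(asset: Asset, patches: List[Patch]) -> List[Patch]:
    """Patches for a product the asset runs at a version older than the fix."""
    return [p for p in patches
            if p.product in asset.software
            and version_key(asset.software[p.product]) < version_key(p.fixes_version)]


def collapse_superseded(needed: List[Patch]) -> List[Patch]:
    """Drop patches that another needed patch already rolls up."""
    superseded = {old for p in needed for old in p.supersedes}
    return [p for p in needed if p.patch_id not in superseded]


def rank_patches(assets: List[Asset], patches: List[Patch]) -> List[Tuple[str, str, int]]:
    """Return (asset, patch_id, score) rows, highest priority first.

    A cumulative update inherits the worst severity of the patches it rolls up
    that the asset still needed, and exposed or critical assets score higher.
    """
    rows = []
    for asset in assets:
        needed = needed_patches(asset, patches)
        by_id = {p.patch_id: p for p in needed}
        for p in collapse_superseded(needed):
            rolled_up = [by_id[i] for i in p.supersedes if i in by_id]
            severity = max(SEVERITY_SCORE[q.severity] for q in [p] + rolled_up)
            score = severity + int(asset.internet_facing) + int(asset.business_critical)
            rows.append((asset.name, p.patch_id, score))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


if __name__ == "__main__":
    for asset_name, patch_id, score in rank_patches(ASSETS, PATCHES):
        print(f"{score:2d}  {asset_name:<12} {patch_id}")
```

Run as-is, the script lists five rows instead of the six raw matches: the critical OpenSSL fix on the internet-facing web server comes first, and the finance workstation gets the single cumulative browser update rather than two separate browser patches. The scoring weights are deliberately simple; the point is that severity alone is not enough, and the same patch ranks differently on an exposed server than on a lab machine.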
3. Establish a process and maintain it
Many companies treat patch management as an afterthought and go through the process only when they feel they have to, but patching shouldn't be an ad hoc activity. A successful patch management strategy is an ongoing one. Be realistic about the amount of IT resource available, set it aside for patching, and it becomes much easier to maintain a regular schedule. Keep it under control, because the longer you leave it, the more you'll have to patch, and the longer known vulnerabilities stay open.
4. Test, test again and test once more!
Patching can create more problems than it solves, which makes testing absolutely crucial to minimise the damage that badly managed patching can leave behind.
Whenever a patch has been identified, run it on a test system before performing an organisation-wide rollout. Even smaller organisations, which may not have the resource and hardware to set up and maintain an elaborate test environment, can do this by deploying the patch first to systems that are not business critical, for example machines belonging to members of the IT team or to a selected pilot group of users. The results of the testing, on the hardware, software and any other systems you may have, should be documented and approved by the system owners before the wider rollout.
Remember, if testing isn't part of your strategy, patch management can introduce more risk than the vulnerabilities you are trying to remove.
5. Change management and rollback
So it's now time for rollout, but before doing so, ensure you have an effective change management process in place. Disregarding change management and patching without a proper rollback plan can be catastrophic, and recovering from the repercussions can be more challenging and overwhelming than every pre-deployment stage put together. Before patching, organisations must back up any critical systems, plan the steps of a rollback and perform a rollback dress rehearsal. Bear in mind that not every update can simply be uninstalled (firmware updates and patches that change data formats are common examples), so for those the backup is the rollback plan, and it needs to be verified as restorable.
In today's environment, where vulnerabilities are often disclosed, and sometimes exploited, before a fix is available, patch management can feel like a never-ending cycle. With these steps in place, that cycle becomes a well-managed process which, combined with a rigorous testing schedule, will generate the best return for the resource you have available. Don't let the sheer volume of patches available make you want to bury your head in the sand. Make sure your patch management processes put you ahead of the game.