A Guide to Patch Management Policy

December 3, 2018 9:08 am Geraldine Strawbridge

There’s no denying that cybercrime is getting worse every year. We only have to glance at the headlines to read about the latest company that’s been breached, the organisations brought down by crippling ransomware attacks, the CEOs that have fallen victim to a spear phishing attack and the critical infrastructure that has been compromised by nation state attacks. It seems the list is never ending.

The total cost of cybercrime is expected to hit $6 trillion by 2021, and the World Economic Forum has ranked cybercrime as among the top three risks the world will face this year. The statistics can be overwhelming and for many organisations it’s a question of ‘how do we improve our cybersecurity and where do we start?’

One of the first areas an organisation should look at securing is its software. Cybercriminals are continually exploiting vulnerabilities in operating systems and common applications, including Microsoft Office, Internet Explorer, Adobe and Java, to launch targeted attacks.

This is exactly how cybercriminals managed to pull off some of the biggest cyber-attacks in recent history. In 2017, the WannaCry attack that infected more than 200,000 computers in 150 countries, and the Equifax breach that exposed the data of more than 143 million Americans, were both the result of criminals exploiting unpatched vulnerabilities in servers operating Windows 7 and Windows 8.

In both cases, a fix for these vulnerabilities was made available in the months preceding the attacks, but the organisations failed to update their software.

As cybercriminals become more advanced in their attack methods, organisations are going to become more exposed to these threats unless they proactively look for any vulnerabilities in their software and patch them immediately.

What is Patch Management?

Patch management is the practice of updating software to address the vulnerabilities that cybercriminals exploit. A patch is essentially a piece of code that’s installed into an existing software program to correct a problem, or ‘bug’ as it’s commonly referred to. It’s also used to improve an application’s general stability or to fix a security vulnerability.

A common example of a patch is a Windows update. These updates may be issued to fix security vulnerabilities, remove outdated features, update drivers or improve the overall functionality for an enhanced user experience.


Most software programs will issue several patches after their initial release, so organisations need to continually apply these patches to ensure their systems are protected.

What are the dangers if software is left unpatched?

A software vulnerability is a security hole or weakness found in an operating system or computer program. Hackers are continually looking to exploit these weaknesses by inserting code that targets a specific vulnerability.

The code will usually be loaded with malware, which can infect a system without the user ever knowing. The malicious software can then be used to steal data, spy on online activities, or open the door to a major ransomware attack.

According to Gartner, 99% of exploits are based on vulnerabilities that have already been known to security professionals for at least one year, and most of these have patches that can address these problems.

The dangers of ignoring critical software patches could be catastrophic for an organisation as we’ve seen in recent cyber-attacks.

Why do organisations need a patch management policy?

Unpatched systems provide hackers with an easy entry point into corporate networks. Patches are essential in keeping machines up to date, stable, and safe from malware and other threats.

The implementation of an effective patch management policy will enable organisations to have better control over their data resources, ensuring they are aligned with regulatory requirements. It will also ensure a swift response to any cyber incidents that may occur.

Good patch management is estimated to prevent up to 85% of all cyber-attacks, so organisations cannot afford to be complacent in their approach to regular patching.

What should a patch management policy include?

An effective patch management policy will need to be based around the following criteria.

1. Determine what patches are suitable for your business

Every organisation is different, so it’s vital that your patch management policy addresses the security issues and updates that are relevant to your specific industry. It’s important to have a designated individual or team that is responsible for the security and management of your systems.

2. Testing

It’s vital to test the patch as soon as it’s applied. A flawed patch could cause problems with a system that’s being updated, or it may impact other critical business functions. To reduce the risk of any problems occurring, each patch should be tested in a controlled environment before issuing it to every computer on the network. As a further precaution, the patch releases should be staggered to specific departments to minimise the risk of any disruption.

3. Maintain relationships with key vendors

Operating system and network vendors will regularly release and distribute information on product security issues and patches. Microsoft issues its security updates on the second Tuesday of every month, which is commonly referred to as Patch Tuesday. Vendors will continually release patches depending on what glitches they find, so it’s important for organisations to keep in close contact with these vendors to stay up to date on the latest updates.

4. Deploy patches in a specific time frame

Effective patch management is a time-sensitive business. Hackers are relentless in their pursuit to exploit the latest vulnerabilities, so organisations need to be on the ball and issue patch updates as soon as they become available.

Applying security patches at the right time reduces the risk of having a data breach and all the associated problems that come with it, such as data theft, data loss, reputational damage and huge fines as a result of non-compliance with regulatory requirements.

5. Compliance with regulations

In order to demonstrate compliance with regulations, organisations need to show they have taken all the necessary steps to secure their systems. Auditors may require reports of what patches were applied and when, so it’s vital that organisations have the correct systems in place to accurately document what patches have been issued.

6. Cost

The cost of not following good patch management processes can be severe. In the immediate aftermath of an attack, organisations may lose access to critical business systems, which will impact productivity. Depending on the scale of the breach, organisations may then face severe financial penalties in addition to a drop in share price, loss of customers and damage to reputation.
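The criteria above (deploy within a set time frame, track which patches were applied and when, and report for auditors) can be checked mechanically against a patch inventory. The following is an added example, not code from the article or from any vendor product; the severity deadlines, host names and patch identifiers are all constructed placeholder values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Deployment deadline in days after vendor release, by severity.
# Assumed policy values for this example, not figures from the article.
SLA_DAYS = {"critical": 7, "high": 14, "moderate": 30, "low": 90}

@dataclass(frozen=True)
class Patch:
    patch_id: str        # vendor identifier (constructed sample values below)
    severity: str
    released: date

@dataclass
class Host:
    name: str
    department: str
    applied: dict = field(default_factory=dict)  # patch_id -> date applied

def deadline(patch: Patch) -> date:
    return patch.released + timedelta(days=SLA_DAYS[patch.severity])

def status(host: Host, patch: Patch, today: date) -> str:
    """'applied', 'late' (applied after the deadline), 'pending' or 'overdue'."""
    when = host.applied.get(patch.patch_id)
    if when is not None:
        return "late" if when > deadline(patch) else "applied"
    return "overdue" if today > deadline(patch) else "pending"

def overdue_report(hosts, patches, today):
    """Hosts still missing a patch past its deadline, grouped by department."""
    report = {}
    for h in hosts:
        for p in patches:
            if status(h, p, today) == "overdue":
                days = (today - deadline(p)).days
                report.setdefault(h.department, []).append((h.name, p.patch_id, days))
    return report

def audit_log(hosts):
    """Rows an auditor can review: which patch was applied to which host, and when."""
    return sorted((h.name, pid, d.isoformat()) for h in hosts for pid, d in h.applied.items())

# Constructed sample inventory: one critical and one moderate patch released on the same day.
PATCHES = [Patch("KB-EXAMPLE-1", "critical", date(2018, 11, 13)),
           Patch("KB-EXAMPLE-2", "moderate", date(2018, 11, 13))]
HOSTS = [Host("fin-ws-01", "Finance", {"KB-EXAMPLE-1": date(2018, 11, 25)}),
         Host("sales-ws-02", "Sales", {"KB-EXAMPLE-2": date(2018, 11, 20)}),
         Host("it-srv-01", "IT", {"KB-EXAMPLE-1": date(2018, 11, 14), "KB-EXAMPLE-2": date(2018, 11, 14)})]

if __name__ == "__main__":
    print(overdue_report(HOSTS, PATCHES, date(2018, 12, 3)))
```

Running it on the sample inventory flags the Sales workstation as 13 days overdue for the critical patch, while the Finance workstation shows as "late" because the patch landed after the 7-day deadline.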

The increasing sophistication and growth of cyber-crime has meant that companies need to have the strongest systems in place to combat this constantly evolving threat. To ensure that staff are engaged and educated, we have created the best quality cyber security and compliance content available on the market. Get in touch for further information on how we can help protect your organisation.