Patch Management

Patching is central to maintaining a good cyber posture for your organisation. NCSC Cyber Essentials mandates monthly patching at the very least, to ensure that as new bugs and vulnerabilities are found they can be protected or mitigated against.

Patching is defined by the NCSC as: applying updates to devices or software to improve security and/or enhance functionality. Read our blog on CVEs for more details.

Gartner believes that 99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.

https://www.gartner.com/smarterwithgartner/focus-on-the-biggest-security-threats-not-the-most-publicized/, accessed on 17/09/2020.

Manual Patching Versus Automated Patching

Is it worthwhile investing in automated Patch Management tools and, although they are ‘automated’, are these tools plug-and-play? The answer is a ‘yes but, no but’ situation.

Because Patching encompasses all your information systems, it will necessarily reflect the complexity of your organisation. The more complex, the less likely you will be to have a plug-and-play system.

The main costs of Patching are, in order, as follows:

  • Time (BAU hours or Overtime out of hours, more commonly the latter)
  • License (where you need to pay a vendor to be able to access their updates, e.g. Accounting software)
  • Expertise (where the patching is so materially complex that consultants are needed to manage it)

N.B. Expertise is counted last because it can be trained or documented; while expensive in the short term, it is not a major barrier to good Patching, provided an organisation can afford an expert’s time.

Putting this caveat aside, how can we make this easier and more cost-effective for organisations of all sizes?

SMEs

Small and Medium Size organisations with limited budgets have a range of tools available to help simplify routine patching. We recommend automating where you can, for consistency and to save time and money.

As such here is a list of vendors that offer automation tooling:

We are very fond of our partner Panda Security’s solution. Needless to say, many vendors in friendly competition with Panda will also have Patch Management tools available. Panda’s add-on can be integrated with your existing antivirus, so it is a one-click add-on which Patches Operating Systems (e.g. Windows) and Applications from more than 170 software vendors.

Does Patching really matter?

As an IT Consultancy that specialises in working with Legal, Professional Services, and Creative organisations, we would of course say yes.

Yes, it does cost money to keep Patching consistently, but Gartner believes that 99% of security breaches are a result of KNOWN vulnerabilities.

Cyberattacks are not ‘targeted’, very much in the sense that when you walk into a pond by mistake, the pond hasn’t targeted you in particular – nor has the rain, or the planet. But it does happen. When a preventable cyberattack happens, it costs money.

We hope this has helped to illustrate the importance of good Patch Management on your information systems. If you have questions or queries, or simply wish to talk tech, you can always Chat with us to find out more.