By Eric Aarrestad, VP & GM, Unified Endpoint Management Business Unit at HEAT Software
There was a time when knowledge of computing was the sole reserve of industry professionals and enthusiast. Hard to imagine now that most of us own and use half a dozen or so smart devices on a daily basis. The same trend of upward relevance is true of IT security too. Once a subset of an already niche industry, it is now a board level issue worldwide. Indeed, in today’s security and business environment, business leaders armed with a working knowledge of fundamental IT security measures, such as patching, will be more valuable than ever. For those who think patch management requires a sewing kit, now is the time to learn the basics.
For starters, IT security is an increasingly complex challenge given the proliferation of devices, applications and data. The sheer number and type of vulnerabilities is staggering, with hacking tools easier to come by and the potential payoffs greater than ever. Patching is an essential part of IT security and is probably more resource and cost effective than any other IT security measure out there – which executives can end up wasting a fortune on.
Understanding the evolving Microsoft update and patch process is a great starting point in understanding patch management. Thankfully, Microsoft has made great efforts to make everything as simple as possible. On the second Tuesday of each month, Microsoft sends out a list of updates (or patches) which companies need to implement in order to stay secure. This process is called Patch Tuesday and has been around for many years.
However, the industry is changing quickly and monthly updates are far from the be-all and end-all of patch management today. Since the launch of Windows 10, users can now also choose to receive individual updates as soon as they are available, rather than waiting for them to be rolled out to the masses, much like you would on your smartphone device. Allowing this kind of flexibility is great, but it also adds a layer of complexity, as businesses need to define and choose which approach works best for them. As a general rule, the larger the company, the more convenient a monthly patching cycle will be. However, the most heavily regulated and security conscious companies may prefer to opt for instant 24/7 updates.
So what are these updates and what do you need to know? Patches can cover a huge variety of issues and vary considerably in terms of significance. There are critical patches for known vulnerabilities, which hackers are actively using to attack businesses and steal assets. There are also smaller bug fixes which can negatively affect performance and compatibility, which still need to be made but can be de-prioritised. IT pros will know the difference, but if you’re operating as part of a small team without a dedicated IT team, fortunately Microsoft spells out which is which.
Another key task is to prioritise applications related to compliance. For online retailers, for example, anything related to card processing or industry specific regulations such as PCI-DSS should be classified as critical – everything else, less so.
Most businesses will have some kind of update / patching policy in place already, but few are adequately refined and many will be in need of an update since the Windows 10 launch (or simply after years of neglect). Establishing policy and procedures reflecting the above is an essential step to securing your businesses. Very few employees outside of IT will need to understand the nitty gritty of each individual patch, but it helps to become familiar with and acquire patch management tools to help your business proactively manage policies.
Outside of Patch Tuesday, it’s important to have a grasp on your organisation’s readiness for out of cycle and third party patching. These are non-Microsoft patches that can be just as critical, but easier to ignore and impossible to schedule. If you’re informed of a critical out of band patch, you can better believe it’s exactly that. It’s a nod that this particular vulnerability can’t wait until the next Patch Tuesday, and you’d be strongly advised to take notice.