If you’ve been a reader of this blog for any length of time, you have probably noticed that we’re firm believers in the importance of keeping software up to date. There’s a good reason for this: unpatched vulnerabilities remain among the most common root causes of large-scale data breaches. In one recent Ponemon Institute survey, for example, 60% of reported breaches occurred because the patch addressing a known vulnerability was available but had never been applied.
Among cybersecurity best practices, regular patching is relatively inexpensive , and highly effective in terms of risk reduction. But all too frequently, it’s not happening as often or quickly as it should be.
According to security researchers, it takes organizations an average of 151 days to patch a low to medium priority vulnerability, and 16 days to address a critical one. 44% of security professionals surveyed believe their organization is unable to patch vulnerabilities in a manner that can adequately prevent attacks.
Although it has become easier in recent years, the process of distributing and applying software updates at an enterprise scale can be time-consuming and complex. Even though software patches often perform as promised, the fear of breaking things — with downtime as the undesirable end-result — has kept many a well-intentioned patch management team from rolling out software updates promptly. Testing patches before they’re rolled out in production is always a good idea, but it can also be cumbersome
Patch management isn’t always easy, but improving your internal processes in this area can pay huge dividends when it comes to reducing real-world risks. Here are our top four tips for accelerating software updates:
#1: What gets measured gets done.
In our experience, the most effective patch management teams are those that collect metrics tracking their performance. IT organizations that have implemented a system to monitor what percentage of currently available security patches have been distributed within the environment they’re responsible for — and calculate an ongoing “patch score” on the basis of this data — have a clear understanding of where they’re doing well, where they’re moving backwards, and where they can make improvements.
Sharing this information in daily scrums or weekly review meetings can help keep individuals accountable for their progress.
#2: Follow the 80/20 rule.
According to the Pareto principle, a so-called “universal truth” that’s widely considered useful in time and business management, 20% of causes will account for 80% of results. Microsoft, for instance, has reported that 80% of the errors and crashes in its software products result from only 20% of the bugs in its code base.
This rule is broadly applicable to the patch management process. If you can automate 20% of your highest-impact, easiest-to-implement software updates, you may be able to mitigate 80% of your vulnerabilities. Rather than striving for patchperfection, aim to patch the vulnerabilities that are most likely to be exploited. Try to keep up with the software updates that are easiest to manage. (In most cases, these will be associated with mainstream software packages that have large development teams standing behind them.)
#3: Encourage individual employees to take personal responsibility for software updates within their control.
As increasing numbers of people work remotely and are expected to do so at least some of the time even in the post-COVID era, it’s become more important than ever to educate employees on the importance of maintaining the latest version of the software on their personal computers and mobile devices. Security awareness training can help convey this message, and it’s relatively inexpensive and simple to implement.
Just as end users don’t expect the IT department to charge their laptop batteries when they’re running low, they shouldn’t need extensive professional help with routine software maintenance. This is especially true in today’s world, where cloud software and service providers make turning on automatic updates very easy indeed.
#4: Finally, consider the cloud.
SaaS adoption has taken the world of enterprise computing by storm, and there’s good reason for this. SaaS offerings are flexible, cost-effective and readily tailored to provide the capabilities that business users need most. They’re also patched and updated by the vendor, an expert in their own specific software product.
Clever vendors like Zoom have learned to sweeten patch releases with new features and enhanced capabilities. Will you get more attractive icons? Better backgrounds? Noise cancellation? For the end user, applying software patches is almost like opening a birthday present. (Almost).
When patching requires less effort and is even — dare we say it — fun, it becomes easy to make it a routine and incorporate it into the drumbeat of daily operations.
Want to learn more about how your team can implement better processes to reduce information security risks and boost your overall resilience? Check out our CISO Advisory Services, or contact us to set up a free consultation with a member of our team of experts today.