Businesses today utilize countless different applications on their computers. With the ever-present threat of cyber-attacks, application developers are constantly releasing security “patches” for their software to close vulnerabilities and prevent data breaches. A small number of these patches ever get installed, though. That’s because many businesses assume software updates and patches happen automatically. Have you ever seen those prompts to update Adobe, restart your computer for Windows updates, or install the latest version of macOS? Most updates require the end-user to acknowledge or allow the update before it will install. As you might imagine, very few end-users pay attention to these prompts. Some users are even instructed to ignore the prompts. All these little missed updates cumulate into a significant cyber risk to the business.
Updates Are Challenging
One of the reasons why patching is such a prevalent cybersecurity issue is because updates are challenging. Many users have had bad experiences with an update breaking something unexpectedly and interrupting their workflow. Other users simply aren’t comfortable installing things they aren’t familiar with. On top of that, there is no consistency to updates. Every application requires updates on different days of the month and even different times of the day. Oftentimes, those updates prompt the user in the middle of their workday. It’s no surprise then that users will get in the habit of ignoring these prompts altogether.
Management Is Essential
The first step in solving this problem of missing security updates is to simply gain visibility to what patches are missing. Most managed I.T. service providers (“MSPs”) offer “Patch Management” services to their clients. To deliver this service, the provider utilizes a specialized set of tools that routinely scans all your systems and compares the list of patches they currently have installed to those that are available from the application developer. With this information, action can be taken to deploy updates and make sure they are installed successfully.
Some organizations may choose not to outsource these services and instead purchase their own tools or use built-in capabilities to manage updates. As long as there is oversight and accountability for these processes, this is a perfectly acceptable approach. All too often, however, leaders assume these tools and technologies will take care of themselves once set up correctly, only to find out later many of their systems haven’t been updated in months or even years. For this reason, most organizations opt to outsource these functions to MSPs.
Simply outsourcing patch management to an MSP doesn’t guarantee your security patch woes will disappear, though. As mentioned previously, updates are challenging. Some updates can completely break simple functionality like printing. Some updates can take hours to install, which would be devastating to a business’s operations if started in the middle of the workday. Some updates can’t be installed at the same time as another software update. For these reasons, successful patch management solutions require carefully crafted strategies that have been proven over time across many different technology environments and industries.
Mature MSPs, such as Digital Boardwalk, have refined these systems and processes for more than a decade to deliver a painless experience for their customers. Some key indicators an MSP has a refined patch management strategy are:
- Clearly defined and published patching schedules (days of the week, deployment windows)
- A staged patch testing and deployment method (early identification of problematic updates)
- A fallback strategy if systems are offline during deployment windows
- Capabilities to update operating systems (e.g. Windows) as well as third-party software (e.g. Adobe)
- Deployment schedules for updates that must be installed manually
- A resource or team dedicated full-time to monitoring and remediating update issues