Blog

Why Patch Management (aka Software Updates) is Critical to Data Security

According to Techopedia, “A patch is a software update comprised code inserted (or patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package.”

Put simply, patches correct known vulnerabilities in software including operating systems and applications.

In May 2017, the WannaCry virus, according to Wikipedia, was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. One of the largest agencies struck by the attack was the National Health Service (NHS) hospitals in England and Scotland where up to 70,000 devices–including computers, MRI scanners, blood-storage refrigerators and theatre equipment–may have been affected. On May 12, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted. In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.

To read more about WannyCry and to see references for the above statistics, go here.

That’s a lot of damage. But it was completely unnecessary. All any organization had to do to prevent being infected was to:

  1. Be running a non-end-of-life operating system (e.g. not still holding on to ten-year-old Windows XP systems), and,
  2. Have faithfully applied patches to those systems.
So I just need to turn on Windows Updates?

With computer software, there is no such thing as set-it-and-forget it. Turning on Windows Updates is better than not having them on, but in a corporate setting, it isn’t enough.

It isn’t enough for the following reasons:
  1. When it stops working, the end user is almost certainly not going to notice leaving that system vulnerable. IT only takes one vulnerable system in the environment to invite great risk.
  2. Some patches do more harm than good, so testing prior to installation is critical.
  3. A solid patching strategy goes beyond the operating system and Microsoft applications. Third-party patching is critical to a comprehensive patch management strategy.
So, how should we handle it?

Patch management should be handled by your IT department according to industry best practices, which include:

  1. Testing patches before deployment and making informed decisions about patch timing.
  2. Monitoring the deployment of patches to make sure they are actually installed (and taking action when there is a problem).
  3. Monitoring and enforcing reasonable reboot policies as many patches cannot be fully installed until the next system reboot.
Need help?

JPMerc & Co. offers low cost, no obligation IT assessments. We’ll identify your current IT risks and offer cost-effective solutions. The report and the knowledge gained is yours to keep with zero obligation and no hard-sell. To learn more, connect with us!