One question that comes up regularly is how to run an effective security patching regime, so I thought it would be useful today to share some information on this important subject.
Patches, also known as software fixes or updates, are released by software vendors on a regular basis. They fix bugs in the software and close newly discovered security vulnerabilities before attackers can take advantage of them. Patches are released regularly for operating systems (such as Microsoft Windows) and for most business applications, as well as for technical software such as anti-virus and backup programmes. Applying patches in a timely and structured way is vital to ensure that the confidential and/or personal data your business holds is protected from the latest security threats. Indeed the ICO – the UK regulatory body for GDPR – has given clear guidance on the importance of an effective patching regime in one of its recent blogs, which stated:
“Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.”
However, effective patching may not be as straightforward as it first sounds. Firstly, for larger businesses with remote workers, or staff who use their own laptop or device for work, there is the logistical problem of getting updates (which are released constantly) deployed to every one of those end-user devices.
Servers need updating too, and that calls for a structured process: technical expertise has to be available, suitable testing has to be carried out, and the updates have to be scheduled so as to minimise disruption to the business, for example by agreeing business-friendly downtime slots when servers need to be rebooted to apply the patches.
Timeliness is also an issue. Cyber criminals now routinely "reverse engineer" fixes from software companies like Microsoft, comparing the patched code with the previous version (known as patch diffing) to work out which vulnerability the update addressed, and then exploit that vulnerability in organisations that have not yet installed the patch. The window between a patch being released and working exploits circulating is often days, not months.
Then there is the issue of testing patches to make sure they will not break other software you run on your PCs or servers, or bring your IT system to a halt. Occasionally patches do cause problems, so roll out to a small pilot group first, and have a roll-back plan that you have actually tried before deploying any update widely.
Finally, your cyber defences are only ever as good as your weakest link on any given day. Many attacks, self-propagating malware in particular, look for the one device that isn't patched and enter your network through it. It is therefore vital that organisations have systems that give clear visibility of every device on the network and its current patch status, and that raise an alert for any device that has not been patched or where a patch has failed to deploy for any reason. It is all too easy for one computer to slip through the net if your update deployment is not highly structured: perhaps the device was turned off, the user rejected or postponed the update, or there was a technical problem such as the computer running short of disk space.
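To make that visibility point concrete, here is an added example (my own code, not part of the original article and not Epoq IT's tooling) of the compliance check a management system should run over its device inventory: every device is compared against a per-OS patch baseline and flagged with a reason whenever it is overdue, its deployment failed or was postponed, it has not checked in recently, or it is short of disk space. The inventory rows, the baseline, the report date and the thresholds (a 14-day SLA, a 7-day check-in age, 10 GB minimum free disk) are all constructed assumptions for the example; in practice the rows would come from your RMM, WSUS or Intune export.

```python
"""Patch-compliance report over a constructed device inventory.

Added example, not from the original article or Epoq IT's service. The
INVENTORY rows, BASELINE, TODAY and the thresholds are constructed so the
script runs offline; in a real estate the rows come from your management tool.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Policy thresholds (assumptions for this example; tune to your own SLA).
PATCH_SLA_DAYS = 14        # days after release by which a patch must be installed
MAX_CHECKIN_AGE_DAYS = 7   # a device unseen for longer than this is slipping through the net
MIN_FREE_DISK_GB = 10.0    # below this, updates routinely fail to apply


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    installed_patch: str   # tag of the newest cumulative update the device reports
    last_seen: date        # last check-in with the management tool
    deploy_status: str     # "installed", "pending", "postponed" or "failed"
    free_disk_gb: float


# Constructed baseline: required patch tag and its release date, per OS.
BASELINE = {
    "Windows 10": ("2018-05", date(2018, 5, 8)),
    "Windows Server 2016": ("2018-05", date(2018, 5, 22)),
}

TODAY = date(2018, 5, 30)  # fixed so the report is reproducible

# Constructed inventory export (the kind of data an RMM or WSUS would hold).
INVENTORY = [
    Device("LAPTOP-01", "Windows 10", "2018-05", date(2018, 5, 30), "installed", 48.0),
    Device("LAPTOP-02", "Windows 10", "2018-04", date(2018, 5, 18), "postponed", 35.0),
    Device("LAPTOP-03", "Windows 10", "2018-04", date(2018, 5, 30), "pending", 30.0),
    Device("SRV-DB-01", "Windows Server 2016", "2018-04", date(2018, 5, 30), "failed", 4.5),
    Device("PC-RECEPTION", "Windows 7", "2018-05", date(2018, 5, 30), "installed", 20.0),
]


def check_device(dev: Device, baseline: dict, today: date) -> list[str]:
    """Return the alert reasons for one device; an empty list means compliant."""
    reasons: list[str] = []
    if dev.os not in baseline:
        # An OS nobody defined a baseline for is exactly the machine that gets missed.
        reasons.append("OS not in patch baseline")
    else:
        required, released = baseline[dev.os]
        if dev.installed_patch != required:
            age = (today - released).days
            if age > PATCH_SLA_DAYS:
                reasons.append(f"required patch {required} overdue by {age - PATCH_SLA_DAYS} days")
            if dev.deploy_status == "failed":
                reasons.append("last deployment failed")
            elif dev.deploy_status == "postponed":
                reasons.append("update postponed by user")
            # "pending" inside the SLA window is normal and raises nothing.
    stale_days = (today - dev.last_seen).days
    if stale_days > MAX_CHECKIN_AGE_DAYS:
        reasons.append(f"not seen for {stale_days} days")
    if dev.free_disk_gb < MIN_FREE_DISK_GB:
        reasons.append(f"only {dev.free_disk_gb:g} GB free")
    return reasons


def compliance_report(devices, baseline, today) -> dict[str, list[str]]:
    """Map each device name to its list of alert reasons."""
    return {dev.name: check_device(dev, baseline, today) for dev in devices}


def non_compliant(report: dict[str, list[str]]) -> list[str]:
    """Sorted names of every device with at least one alert reason."""
    return sorted(name for name, reasons in report.items() if reasons)


if __name__ == "__main__":
    report = compliance_report(INVENTORY, BASELINE, TODAY)
    for name in non_compliant(report):
        print(f"ALERT {name}: {'; '.join(report[name])}")
    ok = len(report) - len(non_compliant(report))
    print(f"{ok}/{len(report)} devices compliant")
```

Note that a device whose OS has no baseline entry is reported rather than silently skipped, and that a failed deployment or a postponed update is flagged even before the SLA clock runs out: the point of the report is to surface the one machine that would otherwise go unnoticed, not just to count how many are late.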
Luckily there are ways to overcome these challenges, such as Epoq IT's MySecurity service http://epoq-it.co.uk/service-and-support/mysecurity/. It is a managed subscription service designed to take the strain out of day-to-day cyber security management for SMBs, and patch management is just one of the features it incorporates.
For more information about our GDPR services please visit http://epoq-it.co.uk/gdpr/.