How to create a good Patch Management strategy

Ben Taylor

In the modern IT world, patch management has (arguably) become just as important as antivirus.

Modern cybercriminals have started to target individual businesses, and their entry-point is now just as likely to be via a phishing website or a sneaky social engineering attack as a “traditional” virus or Trojan.

Once the hackers have found a way in, they can then begin to exploit operating system vulnerabilities, or those within third-party plug-ins and software packages.

In this article, we present a simple five-step guide to establishing a good patch management strategy.

1. Think about ALL the software

Software vulnerabilities aren’t only found in operating systems. In fact, some of the more high-profile security flaws have been found in third-party products like Java, Flash and Adobe Reader.

Activating Software Update Services and walking away is not creating a reliable patch management strategy – it is doing, at best, half a job.

2. Consider the entire infrastructure

IT infrastructures are no longer merely about office PCs, servers, and a few laptops. The IT team must now consider tablets, smartphones and (probably) many more mobile users.

All of these devices, which are likely found all over the country (if not the world) are potential vulnerability sources, and need considering as part of your strategy. If you need convincing, just think about the security flaws found within Apple’s iOS7 within days of its recent release.

3. Consider a patch management system

Trying to manually keep track of all of the patches and updates across an infrastructure has become near impossible. It’s best to implement a patch management system that covers all of your software and devices.

Ideally you should choose a product with asset management capabilities, so that laptops that have remained away from the office for prolonged periods don’t go unpatched.

4. Test your patches

Exploited vulnerabilities can wreak havoc on your business, but so can untested patches that cause unexpected side effects when they’re released into the production environment.

Testing every patch that hits your live environment should be something you do as a matter of course. Thankfully, a combination of good patch management software and cheap virtualization technology has made creating a test-bed network far less expensive than it once was.

5. Educate your users

Ideally, you should aim to take all aspects of patch management out of your user’s hands. It shouldn’t be down to a user whether or not to install an update.

However, you should still educate users as to the importance of updates, and keep them in the loop when a major update comes out (once again, the launch of iOS7 is a good example of this).

Patch management needn’t be an endless, manual slog. Solutions exist that remove much of the hard work from the IT team. If you are apathetic towards the importance of patching, it’s only a matter of time before you fall victim to one of the many new vulnerabilities discovered each week.