Patching is a critical element of any managed services offering. It serves both to protect and to maintain operating systems and business-critical software. The problem with patching is that it requires time, reboots, and sometimes a little extra work. So how do you maximize patching effectiveness without inconveniencing the customer?
First and foremost, patching the operating system and components such as PDF readers and plug-ins is a critical security function. Vulnerabilities within the most common software components found on most systems are one of the most frequent vectors used by malicious actors. The threat surface of a customer can be greatly reduced by employing consistent and frequent patching schedules.
The challenge for managed services providers (MSPs) is to make sure those patches are automatically applied and reported on when they are not—too often we hear stories of systems that were compromised using vulnerabilities that were patched by vendors months and even years ago.
Patching is also important because it fixes bugs in the software your customers use. These bugs can cause software to crash, applications to stop talking to each other, and systems to lose data. These types of issues cause a different set of problems for your clients—lost productivity. Downtime due to these types of issues costs real money when we take into account salaries and lost sales. Keeping your customer up and running is what you’re really being paid for; therefore, patching should be a high priority for you and your customers.
However, patching can be disruptive. This is just an unfortunate part of the process. Devices frequently require reboots to install patches, which could interrupt users. Applications need to be closed to update, and patches do not always install properly, requiring additional remediation to complete. This is why, when selling patch management, you should always mark up the service to include the occasional labor required to manually remediate a patch.
The impact of these issues can be somewhat reduced in a couple of ways:
Schedule for least impact
You should always try to schedule patching for when it will have the least impact on customers. For a typical 9 to 5 office, week nights and weekends work well for this. For a 24/7/365 business, this may be more difficult to schedule, but as I have said before setting expectations goes a long way with resolving frustrations before they come up.
Reboot before starting your patching process
Rebooting guarantees that you have no users logged in, all applications are closed, and no browser windows are open. It is a clean environment to begin the patch installs. The majority of failed patch installs occur because of logged-in users and open applications.
Ensure you have reporting on installs
Your patching process must include a system for notifying you when patches fail to install so you can resolve them quickly.
I know from personal experience that the fear of having a customer complain about being interrupted or inconvenienced by the patching process can prevent you from doing it. However, as security threats increase and businesses become more dependent on their software applications, we must set patching as a high priority. At the same time, we must be careful to set our pricing correctly so that as MSPs we continue to remain profitable while providing quality service.
Eric Anthony is principal of customer experience at SolarWinds MSP. Before joining SolarWinds, Eric ran his own managed services provider business for over six years.
You can follow Eric on Twitter at @EricAnthonyMSP
Get the latest MSP tips, tricks, and ideas sent to your inbox each week.