Should You Leave Patching to Your End Users?

Every so often, I see people asking the question: Should you let users be responsible for patching their own computers? The simple answer to this is no. 

In my experience, users don’t understand the requirements around patching their computers or the importance of doing it. Therefore, as IT professionals, we must take over this important responsibility so our customers’ devices are not left unprotected. The only reason I can see why anyone would want customers to patch their own devices is if they don’t want to take on that liability themselves. Patching is essential in terms of the security of your customers. As most of the time companies do not have the necessary expertise—especially if they are smaller—it should not be their responsibility. 

It’s also a good revenue-generating service for the MSP. There is no question that patch management can be labor-intensive; however, it can be less laborious with the proper tools in place to automate the patching process. It is also a service that, unless monitored, can easily be skipped and/or forgotten, especially when it comes to failed patches.

What is the value of patching to the customer? 

The value to the customer can be expressed in several ways. In a compliance-driven business where patching is required, it is easy to define. When a business is required to patch its systems, the requirements are spelled out. Usually, these are around being able to document when patching was done and if devices are currently up-to-date. 

Another value to the customer can be set out in terms of lost productivity, and this can be considered in two ways: first is the time it takes employees to do patching; and second is the time lost when a device becomes unusable due to instability or infection. This does not even include costs that could be incurred due to a data breach or data lost to malicious encryption. Also, very few end users have the expertise to know if their devices are being patched properly.

As you can see, it is fairly easy to argue that having an MSP patch devices can be easier and more cost-efficient than companies doing it themselves. 

What is the value to the MSP? 

Revenue and efficiency are the two benefits to the MSP. As shown above, there are real costs involved in patching devices using internal resources. That cost can easily justify fees paid to an MSP. The advantage to the MSP is in automating that process to help reduce cost and increase profitability. These processes and tools can help MSPs not only be more efficient in patch deployment, but also in remediation of failed patches and reporting.

So how do you provide a patch solution to your customers?

1. Determine what tool best suits your needs.
2. Determine a patch scanning and installation process and schedule.
3. Implement your patch management solution.
4. Monitor on a weekly or monthly basis to make sure that all devices are being patched properly.
5. Remediate failed patches as necessary.
6. Generate monthly reports for customers.

Patch management reporting is one of those valuable things you should always include in your monthly reports to your customers. It is one of the few proactive services customers can actually see. It is concrete evidence they can check to make sure you are doing what you promised. One of the difficulties of being an MSP is justifying the expense, and proof of patching is one way to show your work.

In conclusion, patching should always be handled by the MSP. There are too many variables, and there is too much at stake for individual users or customers without an IT department to maintain their own patch management process. For the MSP, patching is a good source of revenue and provides proof the MSP is proactively managing their customers’ devices.

 

Additional reading:

• What are your options when a patch goes wrong?
• Five steps to an easier patch management process
• Is good backup recovery making end users lazy?
• Forgotten Passwords: The Bane of the Admin's Existence

 

Eric Anthony is director of customer experience at SolarWinds MSP. Before joining SolarWinds, Eric ran his own managed service provider business for over six years.

You can follow Eric on Twitter^® at @EricAnthonyMSP

 

Want more advice on growing your MSP business? Click here to read more of our blogs.

 

© 2018 SolarWinds MSP UK Ltd. All rights reserved.

 

The SolarWinds and SolarWinds MSP trademarks, service marks, and logos are the exclusive property of SolarWinds MSP UK Ltd. or its affiliates.  All other trademarks are the property of their respective owners.