How should organizations address the need to keep software up to date with security patches without it costing too much or being too labor intensive?
The old mantra of “patch everything” is long gone. Many organizations cannot keep up with the multiplicity of systems and applications that need patching as IT becomes ever more pervasive, bring your own device (BYOD) increases, and testing all the combinations of devices, apps and operating systems becomes impossible, given the resources available.
As a result, organizations need to move away from the “patch everything 100%” and apply risk management to focus on critical systems and deploy limited resources to maximum effect.
Organizations need to identify the information that is most valuable, and the information they need to keep their operations running – such as patient records, backups, financial data – and the risk of its unavailability.
Lack of availability also needs to be examined, and not in terms of weeks or months, but in terms of minutes, hours or days. The impact of the lack of availability should be identified in business or customer-service terms. This means that the business managers and people who use the data on the “front line” will have to be involved in this risk assessment.
Once the impact is known, the systems where the information is stored and processed (at a minimum) should be identified, and then a patching regime for those systems can be created.
The backups – and the systems those backups reside on – should also be part of the same patching regime. If the systems are outsourced, the contract needs to have specific patching and recovery clauses inserted.
The patching regime should involve automated patching, with manual follow-ups to ensure these systems are up to date. Operational requirements will have to take second place to patching under this regime: patching is an operational necessity.
For other systems, automated patching is the way forward, using in-built processes in the operating systems where possible. Organizations will have to understand that 100% coverage will not occur so other processes and procedures must be in place to mitigate the effects of missing patches, including incident management.
For legacy systems and software, where patching is not an option, organizations will need to look at replacements, or other ways to minimize vulnerability, such as separate networks, controlling access to data and cloud provision. These systems and the appropriate solutions should be prioritized as these represent the greatest risk.