A patch is a set of changes for computer software that is meant to update, fix or otherwise improve the program. Most patches add new features, fix bugs or optimize software in some way, but many patches are for security purposes. When developers are made aware of a security issue for their software they create a fix for that issue and distribute it to the users using a new patch. Therefore, it’s very important from a security point of view that all of the software that your company uses has the latest security patches applied as soon as possible. There are some legitimate business concerns that often keep patching from being done in a timely manner. In this article I break down exactly why it’s important to apply security patches, what the common issues that prevent patching are and how to prevent those issues from happening.
Why are security patches important?
The biggest and most obvious reason is that they fix security vulnerabilities in your software. Most security patches will come with a detailed breakdown of what the security issue is, what impact it can have on the business, the severity level of it and how it can be exploited by a potential hacker. If the vendor went through the trouble of creating a patch just for this issue, you can trust that it is important and if you have any doubts you can read the patch notes before deciding if it’s something that you are concerned with.
Secondly, whenever these patches are pushed out they are disclosed to the public. The same way businesses will be able to see exactly what the vulnerability is and how it can be exploited in the patch notes, anyone looking to hack into your company will also have access to this same information. This public disclosure of the vulnerability increases the likelihood that people will start targeting companies, looking for anyone running the vulnerable version of that software. This can be done by manual scans or through computer bots that will scan the web looking for systems running the vulnerability version of the software. Once a match is found, it’s relatively easy for them to exploit that vulnerability because they have all the information they need to exploit that vulnerability.
Thirdly, it looks very bad for regulatory compliance or overall company image if you are breached because of a vulnerability that already has a patch. Many regulations require companies to have “good” security processes in place, but they don’t get very specific on what that means so that they can have broader enforcement power. Keeping that in mind, you want to ensure that all patches are applied in a relatively short amount of time because it can seem like you aren’t prioritizing security if you fail to do something as “simple” as applying a patch to your computers.
Why is it difficult to patch Computer Systems in a Business Environment?
Dependencies: If a piece of software is being used by other systems, there’s a chance that applying a patch to that software will make it incompatible with the other systems that are currently using it. In the worst case scenario it will mean that important business processes won’t be able to run, which can lead to loss of services to customers and employees.
Legacy Systems (End of Life): If you have really old hardware systems, some people will be hesitant to apply software patches because it may cause the computer hardware itself to fail. In the case of an end of life system (one that is no longer supported) this means that if the computers fail, they will be very difficult to replace or at least more costly because it won’t be covered by the vendor.
Scheduling: For most systems, you can simply apply the patch after hours, when they are not required for any business reason. However, for systems that run 24/7 or close to it, finding the best time to apply a patch can be difficult.
Tips for Patch Management
Read the Patch Notes: Before deciding that a patch is necessary understand the patch notes and the risk that the patch is addressing. Then you can make an informed decision if it’s better to apply the patch or to use some other method to mitigate the risk.
Consult with Business Units: Working with the business units that use that software will make it easier to figure out what dependencies are involved with the software you want to patch. Then you can figure out what potential business impact this will have for the company and weigh the risks of patching the software vs the benefits. If you have serious concerns you patch one or two systems to ensure that they will still function as needed before pushing it out to all systems.
Have a rollback plan: In the event that a patch breaks something that you didn’t expect, it’s important to have a rollback plan. A rollback plan is simply a means of restoring the software back to a previous version, in the event that the new version is causing more problems than you expected.
Have the Business Units accept the Risk: If applying the patch is deemed too risky because of potential business impact, it’s important that you have the business unit or business leader responsible for that determination, sign off on accepting the risk. In the event that a security breach does happen, you don’t want to be responsible because you didn’t do your job, let them own that decision.
Recap
A security patch addresses a security issue that was identified by the software vendor. Regularly applying patches are important for preventing security breaches due to vulnerabilities in company software. Before applying a patch, you should evaluate the risks to business processes that are dependent on the current version of the software as well as any risks to legacy computer systems. You should work with the business units who use those systems to find the best time to apply patches. If they insist that it is too risky, make sure to have them formally accept the risk and document it so that you are not held liable later on if a data breach does occur. Lastly, you want to have a good rollback plan, this way if you do perform the patch but it causes more problems than you expect, you can go back to the previous version and business can continue with no issues.