June 02, 2020 / by Adam Murray / In security

The importance of patching for maintaining good cyber hygiene

The Morrison government estimated in 2019 that cybersecurity incidents cost Australian businesses $29 billion every year. As the IT community continually identifies new security vulnerabilities in the landscape, companies need to make sure to patch these vulnerabilities quickly before hackers can exploit them.

A patch is a software update that resolves the bug in the software that causes the vulnerability. Fifteen years ago, major banks were patching their servers less than once a year – a major exercise. Now, monthly patching is one of the most critical tasks your business can perform to ensure that your environment is secure and that you’re maintaining good cyber hygiene.

It’s no longer feasible to have your resources spending weeks out of every month coordinating, testing, and deploying patches. At Tikabu, we’ve seen companies with people logging on to hundreds of servers and manually deploying patches. And even after all this effort, the manual nature of the task meant that many patches were still missed and that the environment was not secure. What’s more, the task consumed hundreds of man-hours that would be better spent creating business value.

It takes how long?

In another example, there are companies in which just getting a change approved to do the patching (that they recognise as necessary) can waste a ridiculous amount of productive time and effort.

Not patching, is not an option!

In today’s treacherous IT landscape, not patching is not an option. But there are several things you can do to ensure you have an efficient process:

1. Make sure you’re using tools and automation to reduce the burden of patching your server fleet. Many tools are available, but some of the most popular include:
   • Windows Server Update Services (WSUS) – a free tool
   • Microsoft Endpoint Configuration Manager (formerly, System Center Configuration Manager)
   • Azure Automation Update Management
   • Ivanti Security Controls
   • Red Hat Satellite Server
2. Ensure that you have visibility into the patching. Do you have a dashboard that shows you real-time compliance?
3. Educate the business about patching and why it should be mandatory and not optional
4. Create a consistent schedule for when to apply patches
5. Have standard changes and processes in place for patching to reduce the administrative overhead

Layers like an onion

There are many layers to patching; the operating system is just one such layer. For example, your application may be built on Java or use open-source packages. You need to patch these components, too. If you build the applications in-house, then the application teams should be responsible for testing and applying these updates. But if they are third-party apps, you’re reliant on your vendors.

Have you built processes to allow for the patching of your fleet in a streamlined manner? If you’re struggling with patching your servers – whether it’s visibility issues or process problems – contact Tikabu today.