Just how important is Patch Management?
Good patch management is estimated to prevent approximately 85% of all attacks, so it is clearly worth the effort. In a perfect world, updates and security patches issued by software vendors would be installed as soon as they are released. In reality, applying them requires planning and, in some cases, testing to confirm that an update works as intended before it is rolled out.
Updates can be categorised using a scoring system; the most commonly used is CVSS, the Common Vulnerability Scoring System, developed in the US. For most SMEs a formal categorisation process may be overkill, whereas larger organisations will need to organise the process carefully. In either case, identifying the key updates that require a swift response remains important.
The CERT-UK publication explains the importance of applying patches but also notes the reasons why organisations often do not deal with this important task, as follows:
- Lack of comprehension that the more vulnerabilities available to hackers, the more likely they are to be successful.
- Denial: it will not happen to us. This reason is widely reported, but since more SMEs are losing money, owners and managers should no longer deny that these risks can apply to them.
- Ignorance of the presence of a hacker already in their system, whose presence is being hidden.
- Concern over legacy systems: that updates will render important software and hardware inoperable, causing potentially severe problems for the business. This fear can be overcome by extensive testing before implementation.
- Delaying the patch(es) for operational reasons and seeking other ways to mitigate the risks of exploitation.
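The categorisation described above (CVSS severity bands used to decide which updates need the swiftest response) and the legacy-system concern (updates that touch fragile dependencies get a test cycle before rollout) can be combined into a simple triage. The script below is an added example, not code from the CERT-UK publication or the Cyber Essentials scheme. The severity bands are the published CVSS v3.x qualitative ratings; the deadline days, the `PendingUpdate` fields and the sample list of updates are constructed assumptions for illustration, not a standard.

```python
"""Triage pending updates by CVSS base score (added example; deadlines are an assumed policy)."""
from dataclasses import dataclass

# CVSS v3.x qualitative severity ratings as published by FIRST.
# Scores are reported to one decimal place, so these bands are contiguous.
SEVERITY_BANDS = [
    (9.0, 10.0, "Critical"),
    (7.0, 8.9, "High"),
    (4.0, 6.9, "Medium"),
    (0.1, 3.9, "Low"),
    (0.0, 0.0, "None"),
]

# Assumed internal policy: maximum days allowed before the patch is deployed.
# Illustrative values only; an organisation sets its own.
PATCH_DEADLINE_DAYS = {"Critical": 2, "High": 7, "Medium": 30, "Low": 90, "None": 180}


@dataclass
class PendingUpdate:
    name: str
    cvss: float
    legacy_dependency: bool = False  # assumed flag: needs a test cycle before rollout


def severity(score: float) -> str:
    """Map a CVSS base score to its qualitative rating, rejecting out-of-range input."""
    score = round(float(score), 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise AssertionError("severity bands do not cover the score range")  # unreachable


def triage(updates):
    """Return the updates ordered most-severe first, each with a deadline and an action."""
    plan = []
    for u in updates:
        label = severity(u.cvss)
        action = (
            "test on a staging copy, then deploy"
            if u.legacy_dependency
            else "deploy in the next maintenance window"
        )
        plan.append(
            {
                "name": u.name,
                "cvss": u.cvss,
                "severity": label,
                "deadline_days": PATCH_DEADLINE_DAYS[label],
                "action": action,
            }
        )
    plan.sort(key=lambda p: p["cvss"], reverse=True)
    return plan


def summarise(plan):
    """Count pending updates per severity rating, useful for a quick status report."""
    counts = {}
    for p in plan:
        counts[p["severity"]] = counts.get(p["severity"], 0) + 1
    return counts


# Constructed sample backlog of pending updates (not real products or scores).
SAMPLE_UPDATES = [
    PendingUpdate("Web server TLS library", 9.8),
    PendingUpdate("Office suite", 7.5),
    PendingUpdate("Legacy accounting app runtime", 8.1, legacy_dependency=True),
    PendingUpdate("Printer firmware", 4.3),
    PendingUpdate("Internal wiki theme", 2.0),
]

if __name__ == "__main__":
    for p in triage(SAMPLE_UPDATES):
        print(f"{p['severity']:<8} {p['cvss']:>4}  within {p['deadline_days']:>3} days  "
              f"{p['name']}: {p['action']}")
    print(summarise(triage(SAMPLE_UPDATES)))
```

Running it lists the backlog with the highest-scoring items first, so the two Critical and High entries stand out as the ones to react to swiftly, while the legacy runtime keeps its High deadline but is routed through a test cycle rather than being deferred indefinitely. Out-of-range scores raise an error rather than being silently bucketed, which guards against typos in a manually maintained tracker.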
The full publication provides more information about this key area, which is also one of the five disciplines within the Cyber Essentials standard. The publication is available from our Information page.