Currently, 57% of data breaches are attributed to poor patch management. This means that over half of data breaches are entirely preventable, but what is patch management? We're going to take a look at what patch management is, the different types and importance of hardware and software patch management, and some handy advice for business owners.
What Is Patch Management?
We all use software, and lots of it. Windows 10 is software, Microsoft Outlook is software, Google Chrome is software, Adobe Reader is software. Your phone, laptop, tablet – they all have software on them.
We use software every day, in both our home lives and our business lives, but no piece of software is ever perfect. Typically, software developers will release something called a 'patch' periodically. A patch is a fix or update to help improve the software.
Hardware and software patch management means being on top of new patches that have been released and ensuring that all of the technology in your business is up to date for the best cybersecurity and most efficient running.
What Types of Patches Are There?
There are three reasons why a patch will be released.
- Fixing an existing problem: If some part of the software isn't working as it should do, a patch is released to fix it.
- Adding new features: Often, patches add new features or updates to improve the app's functionality or user experience. For example, Microsoft will sometimes release a 'feature update' which contains lots of changes to Windows 10.
- Security: The software makers will sometimes find security flaws with the software after it has been released and people are using it. They'll release a patch, often urgently, to fix a security risk. Security patches are the most important for your business.
Firmware Updates for Hardware
Within your business, it's not just computers that have software on them. Just think for a moment about all of the individual bits of hardware that you have.
Everyone will have a computer and a VoIP phone. You'll have a firewall, a router, some switches and wireless access points so you can access the WiFi. You might even have a server in your office. All these devices are run with software on them.
When it comes to hardware, the software used on the devices is commonly known as firmware. The manufacturers release firmware updates for them for the same reasons as software – to keep them secure and add new features.
Software patch management and hardware patch management are equally important – if you're getting behind on updates, you could be posing a serious risk to your business.
A zero-day vulnerability is the name given to a security flaw that is discovered but does not yet have an available patch. If a hacker finds these vulnerabilities, they can exploit them, and little can be done. They're known as 'zero-day' vulnerabilities because the developer has zero days left to solve them – it has to be immediate, or the software can pose serious risks.
A good analogy is the COVID pandemic. At the start, there was an illness that nobody had seen before, and nobody knew how to cure it. The illness was the vulnerability, but no patch (cure) existed when the problem was discovered. As a result, scientists had to work tirelessly on vaccines that are now rolling out worldwide. Problem solved.
Just few weeks ago, a major issue was identified with the Microsoft Windows operating system called PrintNightmare. This vulnerability allowed attackers to exploit flaws to run code, download malware, create new user accounts and view, change or delete data.
The problem was that there wasn't a fix available for it at first, and even when the fix was released, it wasn't perfect – some users who installed it found that they couldn't connect to their own printers. Microsoft has since released a working patch to solve the issue.
Good IT Patch Management
Many businesses simply don't invest in IT patch management, which is why lots of data breaches and cyberattacks are able to happen. Interestingly, 74% of companies don't apply patches because of a lack of staffing.
As the owner of a business, you shouldn't be trying to manage your own software patches. That is where your IT support company or your IT department will come in. A good IT support company will take charge of IT patch management. They will make sure that all relevant updates are installed on all of your devices promptly.
The Cyber Essentials framework dictates that you should install important patches to your devices within fourteen days of the manufacturer releasing them. We think fourteen days is pretty generous; we'd say seven days, at the latest.
Here's the thing. We often go into new clients, and one of the first things we check is the status of the updates. And more often than not, the updates are well off. We've seen businesses who haven't had updates in more than a year sometimes, and that can cause a massive security risk in your firm.
Advice for Business Owners
As I mentioned earlier, it shouldn't be your job to ensure that patches are being installed on your hardware and software – you should have an in-house IT department or outsourced IT company to do that for you. However, you should ensure you get a monthly report detailing all of your hardware and software and what recent patches have been applied.
Do you remember the ransomware attack on the NHS in 2017? That was caused by a security flaw on some of the computers. The patch that could've fixed that flaw had been available for some time, but because it hadn't been installed on those computers, the attack cost the NHS over £92m.
Don't leave it to chance, and don't assume that your IT team are doing it; we've seen the truth, and plenty of them aren't.
We hope you feel more informed about what patch management is and why it's so important to your business. If you're feeling trapped by your IT provider or just think it's time to change IT services, contact us today to book a consult and audit of your existing systems. We'll review how we can help you keep your business secure and running smoothly.