The havoc caused in businesses over the past few years by a series of increasingly devious computer viruses has highlighted the importance of having a policy on patching vulnerable software.
Worms such as MyDoom, Bagle and Sasser have ripped though private and public sector IT systems, costing millions of pounds in IT costs and lost revenue.
The number of computer viruses has risen sharply in recent years. In 2003 more than 4,000 security vulnerabilities were identified by the Cert Co-ordination Center - a US-based centre for reporting IT security threats - compared to about 1,000 in 2000, according to Forrester Research.
The market for patch management software has grown quickly to meet the proliferation of security threats. These products help organisations keep track of security vulnerabilities and the patches released by suppliers.
Patch management software offered by specialists such as Shavlik Technologies and PatchLink or by larger suppliers such as IBM and Computer Associates also help IT departments prioritise the application of different patches and pre-test them to check their performance and compatibility with other patches.
Suppliers including Microsoft and Oracle have been criticised by some users and industry groups for not making it easy enough for organisations to apply multiple patches for different security vulnerabilities.
In response, both suppliers have released monthly fixes for security vulnerabilities rather than on a weekly or ad hoc basis. The monthly patch updates bundle separate patches into a single release to make it easier for IT departments to apply updates.
But how effective a patch management strategy can be will also depend on the variety of IT systems it has to protect, according to Colin Mitchell, director of MIS at Halcrow Group, a consultancy that advises companies on their infrastructure.
Mitchell said his firm has cut the time taken to patch 3,000 PCs since standardising on Windows XP and Office 2003 under Microsoft's Software Assurance licensing programme. Previously, Halcrow ran Windows 95, 98 and 2000, all of which required different patches and processes.
Wolverhampton Council has also speeded up its patching process. Last month the council said it had cut the time taken to patch its systems from eight weeks to within 24 hours using Microsoft Systems Management Server. The installation cost £35,000, including consultancy, training, software and hardware.
Stuart Okin, Microsoft's chief security officer, said he hopes suppliers will work together to make patching easier. In the meantime, he said, Microsoft is working on easing the patching process.
Managing your patch suppliers
- Patching technology: Most patch management products use a server to scan systems on the network, identifying and distributing patches to those that need them. This works well for systems that are continuously on the network, such as servers and PCs.
- Choosing a patch management product : Products can vary and need evaluating carefully. Determine your needs for platforms, mobile users and administration and map these needs to the patch management's architecture and features.
- Consider free software: For smaller businesses without a complex IT infrastructure, free software tools such as Software Update Services may be the most cost-effective option.
- Consider future plans: What are your plans for system management or for more general technology to assess security vulnerabilities? Does it make sense to include patch management in upcoming purchasing decisions?