
Security Think Tank: Ad hoc patching is inadequate

How should organisations address the need to keep software up to date with security patches without it costing too much or being too labour-intensive?

Patching is a fundamental component of technical vulnerability management. The timely application of patches – to operating systems, software, and so on – is essential if organisations are to protect themselves from known vulnerabilities.

However, as seen with WannaCry and other ransomware and malware-related attacks, organisations are often choosing not to apply patches, perhaps because of cost and/or resourcing.

There are no shortcuts to patch management – it must be done. The activity demands formal recognition within the organisation. Without ringfenced commitment, there will be something else demanding time/resources ahead of patching.

Sadly, it takes an attack as high-profile as WannaCry to make the senior management of some organisations sit up and take notice, questioning why infected systems had not been patched.

Very few security functions are congratulated for patching. However, taking this up a level and considering the role of the information security function in the organisation, it is ultimately the responsibility of the function leader to engage with senior management and explain how the function aligns with business needs. This implicitly includes patch management.

Each discipline covered by the information security function, including patch management, should establish the relevance of the discipline to the business, generate data-driven insights, such as key performance indicators and key risk indicators, and propose recommendations for the discipline.

The recommendations for patch management should be guided by a formal policy, supported by a framework for performing the activity (see my article here for more information on patch management policy and framework). For those organisations where patch management is currently ad hoc at best, developing a policy and framework may seem like another cost that they can do without.

However, continuing with ad hoc patching, as and when time and resourcing allow, is wholly inadequate if the organisation is to be protected from threats exploiting known vulnerabilities. Invest now, and patching will be managed and controlled going forward, protecting the organisation better.
