
Security Think Tank: Apply risk-based approach to patch management

How should organisations address the need to keep software up to date with security patches without it costing too much or being too labour intensive?

The old mantra of “patch everything” is long gone. Many organisations cannot keep up with the multiplicity of systems and applications that need patching as IT becomes ever more pervasive, bring your own device (BYOD) increases, and testing all the combinations of devices, apps and operating systems becomes impossible, given the resources available.

As a result, organisations need to move away from “patch everything 100%” and apply risk management to focus on critical systems, deploying limited resources to maximum effect.

Organisations need to identify the information that is most valuable, and the information they need to keep their operations running – such as patient records, backups, financial data – and the risk of its unavailability.

The tolerable period of unavailability also needs to be examined, not in terms of weeks or months, but in terms of minutes, hours or days. The impact of that unavailability should be identified in business or customer-service terms. This means that the business managers and the people who use the data on the “front line” will have to be involved in this risk assessment.

Once the impact is known, the systems where the information is stored and processed (at a minimum) should be identified, and then a patching regime for those systems can be created.

The backups – and the systems those backups reside on – should also be part of the same patching regime. If the systems are outsourced, the contract needs to have specific patching and recovery clauses inserted.

The patching regime should involve automated patching, with manual follow-ups to ensure these systems are up to date. Operational requirements will have to take second place to patching under this regime: patching is an operational necessity.


For other systems, automated patching is the way forward, using the built-in processes of the operating systems where possible. Organisations will have to accept that 100% coverage will not occur, so other processes and procedures must be in place to mitigate the effects of missing patches, including incident management.

For legacy systems and software, where patching is not an option, organisations will need to look at replacements, or other ways to minimise vulnerability, such as separate networks, controlling access to data and cloud provision. These systems and the appropriate solutions should be prioritised as these represent the greatest risk.
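The steps above can be expressed as a small triage script over an asset inventory. The following is an added illustration, not code from the article or from Computer Weekly; the field names, the inventory rows and the outage figures are assumptions chosen for the example. It assigns each system to one of the three regimes the article describes (critical systems and the hosts their backups reside on, everything else on automated patching, and unpatchable legacy systems as the highest priority for replacement or isolation), flags outsourced critical systems for contract clauses, and orders the list by regime and then by the shortest tolerable outage.

```python
from dataclasses import dataclass, field
@dataclass
class Asset:  # one row of the asset inventory (field names are assumptions for this example)
    name: str
    holds_critical_data: bool = False   # stores or processes information identified as critical
    backup_of: list = field(default_factory=list)  # names of systems whose backups reside here
    patchable: bool = True              # False for legacy systems with no vendor patches
    outsourced: bool = False            # provider contract must carry patching and recovery clauses
    tolerable_outage_hours: float = None  # from the front-line impact assessment (None = unknown)
REGIMES = {"unpatchable": "no patches: prioritise replacement, separate network, restrict data access",
           "critical": "automated patching plus manual follow-up; overrides operational requirements",
           "standard": "automated patching via the OS built-in update process"}
ORDER = list(REGIMES)  # highest risk first

def critical_set(assets):
    # Critical-data systems plus every host their backups reside on (followed transitively)
    crit = {a.name for a in assets if a.holds_critical_data}
    while True:
        new = {a.name for a in assets if a.name not in crit and set(a.backup_of) & crit}
        if not new:
            return crit
        crit |= new

def classify(assets):
    # Map each asset name to (regime, notes) following the article's three cases
    crit = critical_set(assets)
    out = {}
    for a in assets:
        regime = "unpatchable" if not a.patchable else "critical" if a.name in crit else "standard"
        notes = ["contract needs explicit patching and recovery clauses"] if a.outsourced and regime != "standard" else []
        out[a.name] = (regime, notes)
    return out

def patch_order(assets):
    # Attention order: unpatchable first, then critical systems with the shortest tolerable outage
    regimes = classify(assets)
    def key(a):
        outage = float("inf") if a.tolerable_outage_hours is None else a.tolerable_outage_hours
        return (ORDER.index(regimes[a.name][0]), outage)
    return [a.name for a in sorted(assets, key=key)]

# Constructed sample inventory (illustrative values, not from the article)
INVENTORY = [
    Asset("ehr-db", holds_critical_data=True, tolerable_outage_hours=0.5),
    Asset("finance-app", holds_critical_data=True, outsourced=True, tolerable_outage_hours=24),
    Asset("backup-nas", backup_of=["ehr-db"]),
    Asset("offsite-tape", backup_of=["backup-nas"], tolerable_outage_hours=72),
    Asset("intranet-wiki", tolerable_outage_hours=120),
    Asset("lab-analyser", patchable=False),
]
```

Running `patch_order(INVENTORY)` places the unpatchable analyser first, then the critical systems and their backup hosts by tolerable outage, with the wiki last; `REGIMES[regime]` gives the corresponding regime description for each name.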
