Security Think Tank: Five tips for creating a patch management strategy

What strategies can companies adopt to help keep up with and deal with the huge volume of software updates they are facing?

Although patch management plays a critical role in minimising business risk caused by outdated software in any IT infrastructure, its mere mention can frighten many companies and their IT departments.

This can result in a lack of action, meaning many organisations find themselves with outdated systems, with the number of patches available to fix potential vulnerabilities and exploits becoming increasingly overwhelming.

Whether you are looking to introduce patch management or have an existing policy in place, here are some tips that will help develop a concrete strategy:

1. Know your software and devices

The most important part of any patch management strategy is knowing the devices and software that exist in your organisation.

Create an inventory of all machines, software and any external systems or services that may have access to them, including mobile devices. As part of your patch management procedure, it is vital to keep this inventory up to date.

While this sounds basic, if you do not know what you have, you will not know what to patch.

2. Identify and prioritise

Patch management can be overwhelming, but becomes more manageable once organisations accept that not everything needs patching every time.

To understand the extent of your patch management scope, identify the patches that are available to you, and list the updates that are absolutely necessary, prioritising those that will resolve major vulnerabilities.

Sometimes you may find that multiple patches are available as service packs or software updates, reducing the need to apply hundreds of patches individually. The key here is to minimise the amount of patching you are required to undertake, while not compromising the security of your organisation.

3. Establish a process and maintain it

Many companies undertake patch management as an afterthought, and go through the process only when they feel they need it. But patch management shouldn’t be an ad hoc activity; a successful patch management strategy is an ongoing process.

Being realistic about the amount of IT resource available, and setting that resource aside specifically for patching, makes it easier for organisations to maintain a regular patching schedule. It is essential to keep the backlog under control: the longer you leave it, the more you will have to patch.

4. Test, test again, and test once more

Patching has the potential to create more problems than it solves, which makes testing absolutely crucial if you are to minimise the negative impact that badly managed patching can leave behind.

Whenever a patch has been identified, run it on a test system before performing an organisation-wide roll-out. Even smaller organisations, which may not have the resources and hardware to set up and maintain an elaborate test environment, can do this by deploying the patch onto a system that is not business critical, for example one used by members of the IT team or by selected members of the organisation. The results of this testing, on hardware, software and any other systems you may have, should be documented and approved by system owners.

It is important to remember that if testing does not exist in your strategy, patch management can become riskier than the risks you are trying to remove.

5. Change management and rollback

Before rolling out a patch, ensure you have an effective change management process in place. Disregarding change management and patching without a proper rollback plan can be catastrophic, and recovering from the repercussions can be more challenging than all of the pre-deployment stages combined.

Prior to patching, organisations must back up any critical systems, plan the steps of rollback and perform a rollback dress rehearsal.

In today’s environment, where security vulnerabilities and exploits seem to exist from day one, patch management can feel like a never-ending cycle. With these steps in place, however, that cycle will become a well-managed process which, when combined with a rigorous testing schedule, will generate the best return for the resources you have available.

Do not let the sheer volume of patches available make you want to avoid the process completely, but instead allow your patch management processes to put you ahead of the game.

Vishal Kara is head of products at London-based software company Piriform.