Persuading your execs to let you run a regular, consistent patch management program can be an uphill struggle for anything short of major patches or software updates, such as operating system releases or updates that add key features. Everything else can seem non-urgent, and those patches easily end up on the back burner.
Sony’s latest incident should remind you how bad things can get if you are hacked. Technology that most of us rely on every day turned into a ticking time bomb for Sony employees: as a result of the hack, they have all but stopped using email, voicemail and other business-critical applications. Employees now fear identity theft because their private emails and documents have been leaked, and Sony customers can read the confidential emails employees exchanged among themselves.
So don’t be fooled: keeping your systems updated with the latest patches is crucial and can prevent a host of security and compliance issues (not to mention user experience problems that can grind productivity to a halt). We’re here to help: below is a handy guide to working with your execs the next time they grumble about the nuisance of implementing a patch.
1. Educate key decision makers within your company or client companies on the benefits of patching (and the critical business issues that can result if you don’t).
Without patches, your systems remain vulnerable, and hackers use malware to exploit exactly those vulnerabilities. Once a hacker has installed malware on your system, they can attack other systems, spam your clients, and steal and publicize your data without you ever knowing. A quick rundown of the devastating recent security attacks (check out our previous posts on MS14-068, WinShock and Shellshock) should be more than enough to prove your point.
2. Explain that hacks and system breaches are unpredictable, so we can’t wait: we need to implement patches as they come out to protect our network.
It is always better to apply patches as soon as they are available than to batch them into weekly or biweekly cycles. Hackers unfortunately do not respect patch cycles and try to exploit weaknesses whenever possible, so never postpone your patching. You can hand the work to a patch management system like Panorama9 (shameless plug!) to automate the process.
3. Communicate any potential risks and estimated downtime alongside the benefit of dealing with it now.
Much of the pushback against patch management comes from uncertainty about how it will affect the status quo. There are real risks when applying new patches: updates may disrupt service, and there is also the possibility of lost data or a broken system. You will allay many of these fears simply by communicating what may or may not happen once you implement the patch, what your contingency plan is for dealing with any hiccups, and why it’s important to stay current on patches. Most patches don’t take long to install, so the majority of these updates should be painless and largely invisible to the rest of the company.
4. Position patch management as a way to protect your existing software investments.
Commonly used software like Java, Flash, Acrobat, and MS Windows is among the most frequently targeted by attackers. Luckily, these products come with built-in update features, but ensuring compliance is still an important part of the patch management plan. If you run any of these applications, make sure the update feature is configured and working, and use a monitoring system to warn you if the software malfunctions or if specific users are behind on software updates.
5. Remind everyone that patching ultimately saves time, resources, and money for the company.
Without a patch management system, you may be faced with devices that fail to apply the automated updates, forcing you to spend more time manually following up with each device. With a patch management system, you can customize the plan so new patches are applied automatically, you will be warned if some devices fail to receive the latest patch, and you can pull an extensive report detailing what happened and which devices are still vulnerable. You’ll also be able to catch potential issues early, saving the company untold time and expense (not to mention lost customer trust) in the event of a security breach or other network issue.
It’s risky not to implement released, safe patches, and worse still to have no patch management plan at all. Having a patch management plan not only saves time that could be used elsewhere but also adds a security measure that keeps your data and services safe and keeps anyone from using your systems to spy on others. In the end, without patch management best practices and a well-executed plan, all of those things are at risk, and damage control will only cost you extra.