In 2017, Equifax lost the most sensitive of information for nearly 148 million Americans. The worst part about this seismic incident is that there was no excuse for it to happen; the breach was entirely preventable. According to Wired:
“. . . Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of [147] million people from being exposed. It didn’t.”
Unfortunately, as reckless and negligent as this seems, this type of behavior is par for the course for many of today’s businesses. Particularly when we consider the situation surrounding Spectre and Meltdown:
“. . . research revealed that nearly every computer chip manufactured in the last 20 years contains fundamental security flaws. . . and while software patches are available, they may have impacts on system performance. . . the flaws are so fundamental and widespread that security researchers are calling them catastrophic.”
With critical vulnerabilities exponentially rising, small and medium-sized business needs to learn how to implement an effective patch management process as a means to avoid joining the long list of data breaches in 2018 (so far).
Here are 6 steps for enforcing a strong patch management process.
#1: Make Patch Management a Priority
IT employees are the ones who manage the patching process. However, business managers often split these resources across a variety of demands and requests.
To effectively maintain network security, company leaders need to hold patching as a pinnacle priority by allocating the appropriate time, resources, and manpower to the effort; and doing so in routine fashion.
The most effective strategy is to hold team members and managers accountable for ensuring this process is handled and maintained in a timely fashion. If you need a way to help manage all of your documents, then consider using ediscovery.
#2: Appoint Ownership
The IT department tends to tout a myriad of members who apply patches regularly. This is a mistake as the task is then owned by no single individual. Without crystalline accountability for who oversees what, the chain of command and communication channels can quickly break down.
If your organization’s size warrants it, consider talking higher-ups into hiring a full-time patch management and validation specialist. While some might view it as extremes, the imperativeness of this position should be clear given the plethora of security breaches in the last 10 years.
If a dedicated patch specialist simply isn’t an option for your company, then opt to hire a consultant to assist your brand with security patch revision validation and deployment.
No matter which route you go, it is imperative to possess a powerful patch management software that can help to automate the process, manage the company’s security infrastructure, and bring new tools to a department.
#3: Accurately Assess Your Inventory
IT needs to be keenly aware of every system operating within a company’s ecosystem to effectively identify which patches are necessary as vendors release them. After all, you can’t patch what you don’t know is there.
While some of you at larger organizations might be thinking this is impossible, consider the fact that the 2017 Trustwave Global Security Report revealed that 99.7% of web applications include at least one vulnerability.
If IT and security managers fail to take the entirety of the company’s system into consideration – including proprietary systems and third-party apps, services, platforms, libraries, and devices – threats and vulnerabilities are multiplying by the day.
Review the threats of all your systems facets and aspects, asses the risks, establish priority, and begin securing your network.
#4: Promote a Testing Procedure
Before deploying a patch, it is necessary to look at all your company’s systems to ensure that the patch won’t break anything. To safeguard from such an event, you need to test the patch and move through all the trial and verification steps necessary to verify that there will be no adverse consequences from its deployment.
The best way to do this is to create a testing lab that mimics your system environment. While this approach is costly and time-consuming, it is far less costly than having a patch break a vital system.
#5: Be Committed
Patching is an incredibly complicated and delicate matter within modern IT stacks that feature various points of integration, customized components, add-ons, mobile endpoints, and a multitude of other variables.
With that in mind, business owners and IT managers need to accept that there will be some issues that can be resolved, and those that can’t. When certain issues cannot be patched, they need to be documented.
For many organizations, these exceptions – even if written down – will never be revisited. To maintain a secure environment, it is necessary to regularly go back and reassess these exceptions to review if a new solution has emerged and that it is not introducing new risks that were originally unforeseen.
#6: Archive and Analyze
In addition to archiving system inventory information, brands need to closely monitor and document patches that have been released from vendors, scheduled patch testing, and deployment dates, and patch completion times dates.
To manage all this information in an effective and streamlined way, it’s wise to develop or employ a dashboard that creates visibility on the entirety of your patch management initiatives. This will also help IT gain a greater understanding of where vulnerabilities have been patched and where they still exist.
Additionally, monitoring metrics such as percent or number of systems up-to-date, number of patches failed, etc. are all critical to track to fully understand the health of an organization’s digital ecosystem.
The easiest way to create such a system with this information is to employ one of the many patch management platforms on the market.
People tend not to care about patch management until something goes wrong; Equifax’s breach is a prime example. Don’t practice the same low-security standards. Employ these six patch management best practices to avoid becoming the next company to make the news because it was hacked.
