Patch management has always been a challenge for IT and cybersecurity teams as they do not only have to deliver patches frequently for bugs but also create comprehensive programs to cope up with emerging cybersecurity challenges. With a majority of the workforce working remotely due to the COVID-19 pandemic, it is time for businesses to rethink their patch management strategy.
Stephen Boyer, Chief Technology Officer at BitSight admits, “It’s a massive challenge all of a sudden.” He further adds, “People are working on networks that are not managed and controlled by corporations anymore.” According to BitSight, research has proven that home networks are more vulnerable to cybersecurity attacks than enterprise networks. How can you keep your remote workers safe when they are using an unsecured home network during a pandemic? By ensuring efficient patch management.
In this article, you will learn about six patch management tips from cybersecurity pros that will help your business during a pandemic.
The first thing is first. Maintain an asset inventory. It is the most crucial step for any patch management program. How can you protect assets that you do not know about? You cannot, right. In most cases, bugs, errors, and flaws usually come in assets that businesses tend to neglect or, even worse, did not know about their existence.
With more people working remotely, you will not only have to take care of on-premises machines but also IoT devices and mobile devices which are connecting to the cloud. Cloud hosting providers need to take steps to ensure the security and privacy of data. The biggest problem with users using different devices is that the system administrator doesn’t have much control over these devices, so it becomes even more difficult for them to release patches for these devices.
It seems that cybercriminals are few steps ahead of cybersecurity professionals in this cat and mouse race. As soon as the vulnerability is found, cyber attackers don’t take long to exploit it. On the other hand, it can take patch managers months to release patches, which can have disastrous consequences. That is why it is important for businesses to prioritize patch management.
To minimize the attack surface, it is important to develop an agile patch management system that can roll out patches within 24 hours. Focus on flaws that are commonly being exploited and pose a threat to IT infrastructure. Emphasis should be laid on infrastructure protection, then you can take it from there to clients and other stakeholders. Always document everything, so you do not miss out on anything. This will give patch managers visibility into when a resource has been patched and how long it has been. This way, you can easily roll out patches for resources that have not been patched for a long time.
Dustin Childs, a zero-day initiative manager at Trend Micro, knows many businesses who are reluctant to roll out patches. This could be due to fear of break down, lack of resources or reshuffling of responsibility due to the current situation. People responsible for patch management are now busy in making sure that the collaboration software is working properly. He also notes that companies like Microsoft are pushing more patches than ever before. If you are not patching, you are offering a window of opportunity to cybercriminals, which is exactly what they need to target your digital assets.
If patching frequently seems like a daunting challenge, you can automate the process just like many small and mid-size businesses do. With less time to react, you need to create an automatic system for patching vulnerabilities. Yes, you might need more resources to patch loopholes before they can be taken advantage of by hackers, but even if you don’t have the resources, you can still move in the right direction.
Accelerating patch delivery requires distributing responsibility amongst your teams and business units. That is where organizational structure comes into play. If you structure yourself in the right way, your team takes responsibility and divides the workload efficiently and results in a significant reduction in the time required to patch vulnerabilities as well as minimize vulnerability debt. The infrastructure and size of a company can also influence decisions regarding how to handle patching. You can opt for a centralized model or take a distributed approach, whichever suits your business well.
We will see shorter and more frequent patch cycles in the future. Patches that were released on a monthly basis will be rolled out in weeks or even days. Jon Clay, Director Global Threat Communications at Trend Micro said, “The reality is that with the number of exploits being developed and exploit kits growing, the requirement to patch more often is going to increase.”
He thinks that as businesses move to DevOps processes for software, we might see this cycle shrink further and you might receive patches within hours. Once this pandemic end, more and more businesses will start taking remote work seriously and create concrete policies for it. The business will have to figure out how to patch these vulnerabilities; otherwise, they will play in the hands of cyber attackers.
Which patch management techniques do you use during a pandemic? Feel free to share it with us in the comments section below.