Okay, it’s not new and it’s not shiny. In fact, we know that some people go out of their way to avoid it. It’s routine work, it’s often problematic, and it takes time and causes disruption to systems that need to be always on, but it’s essential that organisations stay up to date with patching. Here is why:
Let’s start with the most obvious: many patches resolve vulnerabilities within the operating system or applications. Left unpatched, these vulnerabilities run the risk of being exploited, which could lead to data loss, reputational damage, downtime and, in some cases, being held to ransom. One security vendor (Tripwire) surveyed over 300 IT professionals; 34% of them admitted that they were breached as a direct result of unpatched systems. An earlier report from Voke Inc suggested that 80% of all breaches can be attributed to poorly patched systems. This isn’t something that can be ignored.
Depending on the industry, most IT departments will need to produce a report showing that their systems are compliant from a licensing, version and patching perspective. A number of organisations are also looking to obtain Cyber Essentials or Cyber Essentials Plus certification, which has started to become a baseline standard for businesses in all industries. We’ve started to see Cyber Essentials become a required status as part of new business bids and procurement processes (regardless of industry). An unpatched environment will lead to a fail or at least a set of mandatory recommendations to bring the environment up to standard.
Whilst the opposite can be true if patches are not tested properly, keeping the environment up to date should improve reliability. We’ve all been on the receiving end of a call from a vendor who has suggested we update to a newer version or apply a recent patch to solve an ongoing problem, so it makes sense to stay ahead of the issues once patches have been through user acceptance testing.
It’s not all about prevention; some updates will include performance and feature enhancements which offer benefits over and above the deployed version.
What have we missed here?
Don’t brush patching under the carpet; the longer you leave it, the longer the road to a compliant status. If you can’t do it yourself, speak to a provider that can help you get started or manage the process for you.