Why and How to Keep Software Patches Current

Why and How to Keep Software Patches Current

Software patches are key elements of a layered approach to cybersecurity. Patches can fix bugs and optimize software. More importantly, they fix security vulnerabilities that can be exploited by cybercriminals.  Keeping patches current is crucial to keeping your systems more secure.

How Vulnerabilities are Discovered and Tracked    

Publicly disclosed cybersecurity vulnerabilities are identified, defined, and cataloged by the CVE Program.  CVE is an international effort that helps cybersecurity professionals coordinate their work prioritizing and developing fixes, helping keep everyone safer.

There is one CVE Record for each vulnerability in the catalog.  Every vulnerability is rated as a low, medium, high, or critical risk.  Patches are developed and prioritized for deployment based on these categories.

Why to Keep Patches Current

The disclosure of vulnerabilities to the public through CVE Records can be an open invitation for cybercriminals. They’ll go on the prowl looking for unpatched systems, either using manual scans or computer bots. By keeping patches current, the hackers are more likely to pass you by.

Since many vulnerabilities are only discovered after they’re exploited by cybercriminals, it can take time to develop the fix. Once the patch is available, it only makes sense to apply it as soon as you can.

If you don’t patch, you’re incurring “technical debt.”  The risks grow bigger and bigger each time you skip patching and allow the number of identified risks on each machine to grow.

Your company’s solid reputation could be damaged by any breach.  Current patching helps protect that intangible asset you’ve worked tirelessly to build.

Patching is a best-practice requirement for cybersecurity risk assessments, so be careful when you answer those questionnaires.  A cyber liability insurance carrier could deny your claim if you’ve falsely stated that you patch.

Finally, if you’re breached due to a vulnerability that has a known patch available, the task of defending your actions to clients, regulators, and insurers becomes challenging and potentially costly.

How to Keep Patches Current

  • Make sure your IT provider remotely applies patches from Microsoft and other key software vendors on a regular basis.
    • Critical security updates should be applied right away.
    • If patches are being applied during off hours, follow your IT team’s instructions, such as leaving your computer turned on, to make sure your machine doesn’t miss the patch.
  • If your IT provider doesn’t manage patches for you, set all computers to automatically update. Avoid using the “Remind Me Later” button.
  • Set browsers (Chrome, Edge, Firefox, etc.) to automatically update.
  • Set your phone and tablet to automatically update.
  • Make keeping patches current a part of your cybersecurity awareness culture.

Patch Reporting is Key

Keeping patches current is not enough.  Having the reporting in place to prove it could be essential in the event of a breach.

Patch reports should be available after each patch cycle (at least weekly) and include the following:

  • A list of every computer in your environment.
  • All completed and failed patches by machine.
  • Computers that are missing patches, both critical and non-critical.
  • Computers that are missing critical patches along with the corresponding CVE record codes.
    • Typical industry standards are to apply critical patches within 30 days.
    • We encourage deploying critical patches promptly.

Make Cybersecurity Awareness Routine

Always be careful online. An exploit could infect your computer simply because you unknowingly viewed an unsafe website, opened a dangerous email, or played infected media. Avoid being an unwitting accomplice to hackers.

The other tools you use (MFA, password managers, zero trust, and more) along with your ability to identify potentially dangerous emails and texts gives you the upper hand.

The number of new security alerts that emerge every week can be overwhelming.  Managing patches effectively is a key part of the toolkit that helps keep your systems more secure.

If you’d like to know more about how CRU Solutions can help keep your business safer, contact us.