Patching. We all know we need to do it, but sometimes it takes a backseat to other IT initiatives. 

Another of the Australian Signals Directorate’s Essential Eight mitigation strategies that should be your baseline level of protection against vulnerabilities, patching is a feature due to cyber attackers' propensity to exploit weaknesses in IT systems.

Windows patches are often the only ones that are considered, however, in the ASD’s Essential 8 Security Controls, patching applications is considered a more effective security practice than patching operating systems. It is important to consider all applications and Operating Systems within your environment.

It is critical that businesses regularly patch applications on their systems. According to the Australian Cyber Security Centre this includes, but is not limited to, Microsoft Office, PDF readers, Java, Flash and web browsers. We all remember WannaCry and Petya and don’t want to be vulnerable if a similar incident were to occur.

Zero-day attacks can have a catastrophic impact on businesses, so it pays to have a best practice patch management process in place to ensure your business is in the best possible position. After all, it’s rare for businesses to implement software patches before hackers take advantage of known vulnerabilities, which increases the risk of vulnerable systems being infiltrated.


So, how do I create a best practice patch management process for my business?

There are seven steps to creating this process for your business. These are based on our experience of 20+ years’ in the industry, so do feel free to reach out if you would like assistance putting your plan together.


Step one: Audit

The first step involves listing out all of your existing applications along with your security controls. It’s important to see what you have available to you before you get too far into the process of how your patching process is going to work. 

It also pays to look at the current roles and responsibilities within your team and determine if they are correct or if there needs to be a reshuffle. If you’re missing key skills within your current team, there may be a business case for a new hire or you might choose to use our services to fill the skills gap – our Security Operations Centre (SOC) is a state of the art facility that was purpose built to help businesses just like yours to win against cyber criminals.


Step two: Categorise

Plan to have a standard for your business and ensure that this categorisation is well documented as part of your process. Each application you use should be assigned a category based on the risk to the business. For example, business critical applications should be given the highest level of categorisation, meaning they are patched within a certain timeframe (48 hours is recommended).

Applications with a lower level categorisation may be assessed as being a lesser risk, so can be patched over a longer period of time. This allows for your team to work on only the most important patches first, with the less urgent work taking place when possible. 

A framework like the common vulnerability scoring system or CVSS can also be useful in determining what to prioritise.


Step three: Monitoring

Determine how you are going to keep track of new vulnerabilities and patches. Software, hardware and operating system companies will broadcast patches once a vulnerability has been identified. They’ll also often create patches between major updates in order to keep you safe. There are also tools on the market that will scan and identify patches for the applications you use.

The other side of monitoring is ensuring your patching is successful. See the section on reporting below but do also factor in the need to have checks and balances so that you’re catching any issues before they become a problem for your business.


Step four: Automate

Automate what you can, for example, automating vulnerability scans will allow your team members to be freed up to work on other business critical activity. 

If you’re not doing so already, install and set antivirus scans to run daily on all devices and update weekly. Any employees that BYOD or work from home or from personal mobiles, should also have antivirus and anti-malware software installed on each of these devices. 

Automate patching for Windows and non-Windows systems as well as third-party applications and develop scripts to remove the need to manually validate automation.


Step five: Testing

It’s important to test in a sandbox or staging environment to determine if there are any potential conflicts with your existing setup before applying the patch to your production environment.

It also pays to have a backup plan, so that if something does go wrong, you’re not causing business to halt while a solution is found. Having a set of machines that are the first to receive a patch could make all the difference in ensuring the success of this activity.


Step six: Reporting

A large proportion of businesses do not apply patches in a reasonable amount of time. This can be due to lack of resourcing, conflicting business priorities, or the cost to consistently patch.

Reporting on how quickly vulnerabilities are patched is a great way to show value to the business and can be used to create and measure KPIs, as well as helping with employee planning in terms of headcount and training requirements.


Step seven: Iterate

Like all good things in IT, iteration is key when it comes to ensuring your process maintains best practice. This can be as simple as convening a group regularly to do some analysis and provide feedback on the current process, along with discussing any changes to the environment that may impact your business moving forward. 

These steps are a great guide to getting started, but we understand that each business has unique needs, and that’s why we’re here to help. If you would like assistance in defining or updating your best practice patch management, reach out today.


If you liked this article, you may also like:

Saying no to Ransomware

SSL 101: what to do when SSL attacks are on the rise

Action plan: what to do when your devices are lost or stolen


Rudy Mitra

Marketing Specialist