As IT has become more complex and distributed, the overheads involved in keeping systems running have significantly increased. IT managers cite the time spent on updating, maintaining, and patching systems as one of their greatest overheads.
Security patching, in particular, can be a burden. Microsoft alone can release more than a dozen critical patches during its monthly "Patch Tuesday" bulletins. Then there are additional, out-of-band patches, patches from other software vendors, and updates for hardware, firmware and development systems.
Patching is a priority
Patching is critical as unpatched systems continue to represent a real security flaw in many business' networks. A study by NIST, the U.S. technology standards body, revealed that 90 per cent of successful attacks against companies exploited known vulnerabilities that could have been prevented if the systems had been correctly patched.
Patch management that is not centralised, gives rise to other issues, aside from the security risks and the time it takes up. Without the appropriate policies in place, companies run the risk of deploying untested patches that can cause problems for other applications or other areas of the IT infrastructure.
For example, an IT department that allows users to manage their own patch updates runs the risk of disrupting or breaking critical business processes with an untested patch. This is most common with highly customised applications or software written in house, however, off the shelf software is by no means immune to exposure.
Companies that do not centralise their patch management can also find that they have unnecessarily high energy bills. One of the most common reasons for not running desktop power management technology, or not instructing staff to switch off their PCs overnight is the need to install patches out of hours.
The case for patch management
As a result of these challenges, more businesses are looking at centralised systems for patch management. Patching desktop computers and servers, smartphones and tablets, and their applications – is too large a task to be carried out manually. Even if IT had the time to patch systems manually, automated patch management has been shown to be more reliable and more secure.
Automatic patching, for example, is designed to manage exposure to the growing number of exploits that are specifically built to take advantage of systems before they are patched or upgraded.
Although the IT security industry, rightly, focuses on "zero day" exploits that aim to make use of vulnerabilities before vendors issue a patch, in too many cases hackers and cyber-criminals are able to gain entry to unpatched systems long after the patches have been released.
Companies can cause downtime and disruption through an uncoordinated approach to patching, especially where patches are applied without testing and the necessary compatibility checks.
To minimise the risk posed by patches, companies should look at testing patches or using a patch supplier that handles testing, and quarantining the use of unpatched computers until the patches are tested.