Updating and patching an IT estate is something that has been an on-going task for a long time. Both servers and end-user devices need to be maintained to ensure they remain protected against the latest threats and vulnerabilities. However, often, this is seen as an IT task that goes under the radar.
Where is the value to the business?
Updating computer systems is not very glamorous, requires an organised process with well understood procedures and reporting. It is much the same process regardless of the environment and therefore can be done by someone who has the IT skills but perhaps does not require knowledge of the business that the server/device supports. However, it is one of those activities that requires effort and time to complete. It can be costly since it regularly needs to be done outside of business hours.
Updating and patching is often de-prioritised and undervalued, since the value of this activity to the business, is rarely acknowledged by IT, never-mind the businesses that IT supports. I do find it odd that updating and patching as part of IT security is not considered in the same way as physical security of buildings and offices. Many organisations leave servers or devices unpatched, but would they knowingly leave a door unlocked to your office for months on end?
Should we just focus on “key systems”?
Very often, IT Managers will prioritise “key systems” that must be patched or kept up to date. However, this provides a false sense of security.
Whilst browsing my social media feed recently, I came across this account of the impact of the NotPetya virus on industry. This is an excellent piece which is well worth the time to read, since it gives a real account of what happened prior to, during and after a significant IT security issue. One of the paragraphs that struck me was:
“Before NotPetya’s launch, Microsoft had released a patch for its EternalBlue vulnerability. But EternalBlue and Mimikatz together nonetheless made a virulent combination. “You can infect computers that aren’t patched, and then you can grab the passwords from those computers to infect other computers that are patched,” Delpy says.”
The quote has some names of specific vulnerabilities within it but essentially, it shows that anything other than an up-to-date IT environment is a vulnerable one. Given the reported data breaches we have seen recently, this is an on-going problem. We have had too many CEOs, CIOs and other company executives facing the media after a breach recently. If the cause of the breach is something that no-one could have done anything about, that is unfortunate. If it is because the organisation thought that IT updates and patching was too difficult / disruptive / costly beforehand, or if they thought it was being done but wasn’t, some may consider this to be incompetence.
Process and reporting
So, how does the organisation know the current state of their environment? How can they know the risks that they are accepting? (or know the risks that they are unwittingly accepting?) This is where good reporting comes in.
For Windows 10 devices, Microsoft provide a variety of reporting options such as Update Compliance and Microsoft Defender Antivirus update monitoring through Intune. Organisations need to make sure they are using these tools and acting on the information they receive to actively maintain their environment.
For the data centre (either in Azure or not, and for Windows Servers or Linux), Azure Security Center can provide reporting and provide recommendations on update compliance and improving security in general. However, again, IT Teams need to proactively monitor this information, block out the noise from the reporting and act on the important signals.
A well-managed update and patching process is also used when a brand-new vulnerability becomes known (these are known as zero-day vulnerabilities). The question you should ask your IT manager is how quickly can we be protected from a zero-day vulnerability once a patch is produced? That is, how quickly can we get a patch out to the estate to ensure we are protected?
Who is responsible for keeping us safe?
Given the squeeze that many organisations are seeing in budgets, it is understandable that they perhaps do not want to spend money on the overtime required for patching outside of normal business hours. Maybe, the IT Team are working with a significant workload even before they consider updates and patching so don’t have time to complete this as well. This can be where a managed service such as risual Managed Services (rMS) can help. An organisation can outsource the responsibility for updates and patching which can include compliance reporting to rMS leaving the IT Team free to concentrate on the work that really needs their skills and knowledge of the business. IT retains the accountability but responsibility falls to a 3rd party who are monitored through appropriate reporting.
Isn’t this just technical business as usual?
In the physical world, we generally have a reasonable amount of knowledge about the threats that exist and whether we are close to those threats. We can deal with these threats and can all do our best to make sure we don’t succumb to them. However, in today’s interconnected virtual world, we can’t see those threats so easily, but they lie just beyond the firewall. Perpetrators from around the world can mount an attack on an organisation whenever they sense a vulnerability. We hear about them often but even when they make headline news, there is complacency within many organisations.
IT Teams need to ensure that updates and patching are a prioritised, business-critical activity. This requires business awareness. It is the same as having physical security on buildings. Security is not optional or something that can be partially done. IT teams need to make sure these activities are completed regularly. An organisation can, however, have a friend to help them with it and have them report on what the operational risks are from an objective, 3rd-party perspective.
Whichever way you choose to manage your updates and patching, as a CxO, you need to be aware of your current state of compliance and any business risks you might be running. Asking your IT team is a good place to start.