How important is patch management for a small business?
It’s an excellent question. Medium-to-large companies spend hundreds of thousands of dollars each year keeping up with these security patches, product updates, hardware and software product upgrades, firmware and other updates. Considering that most of the business-critical software in use today includes a service plan, these costs can easily rise into the millions. On top of this, technologies to automatically monitor, test and deploy updates are constantly fighting for a piece of corporate IT budgets.
As it stands, practically all IT departments openly state that most non-critical patches are simply ignored because constantly testing and deploying them would take all their time and resources. Why test them first? Because all patches worth installing have a critical impact on networks, applications and, ultimately, business operations. Each software or firmware change must work perfectly or the business could face hours, perhaps days of unplanned human effort to roll things back to the previous, stable state.
If it sounds like a major headache, that’s because it is. However, the annual Top 20 Security Vulnerabilities list (compiled by the FBI in association with SANS) consistently points to the fact that at least 90 per cent of these vulnerabilities cause security breaches that could be avoided through software updates. That’s a significant statistic that points to the fact that security is firmly within the technical capabilities of all businesses, if only a proper patch management strategy were adopted. It also demonstrates the danger of complacency, in particular when it comes to such a critical part of business.
Do small businesses have to get serious about patch management? Absolutely. The alternative is both expensive and irresponsible. Most worrisome statistics are built from surveys across all business sectors and sizes, and we are consistently reminded that almost 80 per cent of Canadian companies are considered to be small businesses. Simply put, most security breaches are a result of small business negligence in the area of patch management or security maintenance. Most serious of all is the fact that an unpatched vulnerability affects not only its “host” company but also the computers and networks of the individuals and companies it comes in contact with. The risk extends to employees, clients, partners and all the confidential information they all share. The cost of complacency now includes compliance with industry standards and privacy laws (such as PIPEDA), placing the offending company directly within the crosshairs of regulators. Maintenance costs notwithstanding, the price of penalties and public embarrassment are now the key drivers for compliance and secure best practices.
When it comes to best practices, small businesses really do have an advantage over large enterprises. You typically benefit from a less complex infrastructure, more tools at your disposal and you have a lot less data to worry about. With this combination in mind, the task becomes much more manageable and even presents opportunities for automation. In fact, I can give you three tips for effective small business patch management.
- Automate critical tasks: Enable Automatic Updates in Windows for critical updates, set-up automatic anti-virus signature updates and allow other software to warn you when updates become available so you can decide when to apply a patch or accept the risk by ignoring relatively minor changes (albeit ones that can take a long time to install and potentially impact your operations).
- Stay on top of changes that impact your business: Read the news, sign-up for relevant newsletters and vendor communications. Filter what isn’t critical and concentrate on understanding the risk to your business, because if you don’t, no one else will. Keep track of helpful Web pages such as Microsoft’s own Small Business Patch Management site located at: http://www.microsoft.com/technet/security/smallbusiness/topics/patchmanagement.mspx.
- Monitor the effectiveness of the technology that you use and apply manual patches where necessary. Make a list of all the critical IT components that your business depends on and create a schedule for reviewing those patches. If your business is very small, chances are that this will be a very simple process. If your network is larger than five or 10 machines, it makes sense to automatically monitor updates using either Windows’ own tools (such as the Baseline Security Analyzer) or third-party software such as GFI’s Languard NSS (which even helps you to remotely apply patches). In such cases, you may even want to employ Microsoft SUS (Software Update Services, detailed at the above link). Even larger businesses may want to consider solutions provided by PatchLink, BigFix and Shavlik.
Regardless of your chosen solution, a percentage of all patches will have to be applied manually, so be ready to test them on a separate computer or in a test environment to ensure that they won’t cause any trouble. More importantly, have a rollback plan, in case something happens and you have to get back in control.
So it’s all about awareness and control. Effective patch management requires you to know the magnitude of the risk, the extent of the impact of every patch and the ability to control the operation. If you can streamline this process by applying best practices, some discipline and one or two of these tools, youíll be well ahead of the game.
Claudiu Popa, CISSP, PMP, CISA, is one of Canadaís information security experts and chief security officer of Informatica Corp.. Claudiu helps Canadian small businesses protect information assets against current security threats including viruses, hackers, thieves and blackouts. Write to him at Claudiu@InformaticaSecurity.com.
Contact the editor