Product Marketing Manager, SolarWinds

Narendran Vaideeswaran is Product Marketing Manager at SolarWinds.
September 7, 2015


How to Tighten Your Security Patch Strategy to Prevent Cyber Breaches

Recently, a healthcare company in the US paid a regulatory fine of $150,000 for HIPAA (Health Insurance Portability and Accountability Act 1996) security violations arising from unpatched and unsupported software in its IT environment.

The proposed EU Data Protection Regulation includes steep fines (up to €100m) for companies that fail to comply with the measures it sets out on security breaches and data theft.

Regulatory agencies take non-compliance seriously, and unpatched software is one of the biggest culprits of compliance issues.

If you think the cost of not keeping your IT environment up to date is only in the form of regulatory fines, you need to reconsider that notion. You also have to add the cost of patching itself to the equation when you formulate a patch management strategy.

Calculating the cost of patching isn't difficult. Here is a simple formula to help you estimate it. The first term is the labour cost of patching every system once; the second term approximates the rework caused by failed patches, on the assumption that each failed system costs roughly as much again to remediate:

(Hours × Rate × Systems) + (Patch failure % × (Hours × Rate × Systems)) = Cost to patch

(2 hours to patch a system × £50/hour × 1,000 systems) + (5% patch failure × (2 hours × £50/hour × 1,000 systems)) = Cost to patch

£100,000 + £5,000 = £105,000

Suppose you are spending this £105,000 every month. Then you realise that this cost just keeps going up. This could be because:

  • Your patch management process is manual and time consuming
  • You don't have a process in place to account for newer cyber threats
  • You employ a mix of manual and automated patching (e.g. WSUS for automating Microsoft® patches, leaving third-party updates for end users to do themselves)
  • You spend too much time dealing with firefights
  • You have troublesome software, like Java™, that requires specialised install scenarios and often results in failed updates
  • Some of the patches that you roll out are breaking systems or, worse, introducing new security headaches

In such cases, you may have to revisit your existing patch management strategy to see if you need to consider some other factors in addressing recurring issues.

Prepare notes on each of the following questions and you may stumble upon those key points that would help you tighten your patch strategy.

  1. Which computers or groups are always connected to the Internet (and/or transactional in nature)?
  2. When a threat arises, how am I going to assess its impact on critical systems (point 1) and prioritise the patches?
  3. What will be my fallback plan when a patch fails, breaks a system, or introduces more security issues?
  4. What is my current approval process?
  5. How am I documenting best practices and what I've learned from previous firefights?

The more you automate your patch management processes, the less stressful they become. That said, your patch management strategy should be a continually evolving exercise in your organisation.

You need a consistent and organised patching strategy to be effective in preventing security nightmares while keeping the cost of patching to a minimum.
