Narendran Vaideeswaran

Product Marketing Manager, SolarWinds


Narendran Vaideeswaran is Product Marketing Manager at SolarWinds.
September 7, 2015


How to Tighten Your Security Patch Strategy to Prevent Cyber Breaches

Recently, a healthcare company in the US paid a regulatory fine of $150,000 for HIPAA (Health Insurance Portability and Accountability Act 1996) security violations arising from unpatched and unsupported software in their IT environment.

The EU Data Protection Regulation has proposed steep fines (€100m) for companies that fail to comply with measures pertaining to security breaches and data theft.

Regulatory agencies take non-compliance seriously, and unpatched software is one of the biggest culprits of compliance issues.

If you think the cost of not keeping your IT environment up-to-date is only in the form of regulatory fines, you need to reconsider that notion. You have to add the costs of patching to the equation when you formulate a patch management strategy.

Calculating the cost of patching isn’t difficult. Here is a simple formula to help you determine what your cost would be:

(Hours x Rate x Systems) + (Patch Failure % x (Hours x Rate x Systems)) = Cost to Patch

(2 hours to patch a system x £50/hour rate x 1,000 systems) + (5% patch failure rate x (2 hours to patch a system x £50/hour rate x 1,000 systems)) = Cost to Patch

£100,000 + £5,000 = £105,000

Suppose you are spending this £105,000 every month. Then you realise that this cost just keeps going up. This could be because:

  • Your patch management strategy is manual and time consuming
  • You don’t have a process in place to account for newer cyber threats
  • You employ a mix of manual and automated patching (i.e., using WSUS to automate Microsoft® patches while leaving third-party updates for end users to install themselves)
  • You spend too much time dealing with firefights
  • You have troublesome software, like Java™, that requires specialised install scenarios and is prone to failed updates
  • Some of the patches that you roll out are breaking systems, or worse, introducing new security headaches

In such cases, you may have to revisit your existing patch management strategy to see if you need to consider some other factors in addressing recurring issues.

Prepare notes on each of the following questions and you may uncover the key points that will help you tighten your patch strategy.

  1. Which computers or groups are always connected to the Internet (and/or transactional in nature)?
  2. When a threat arises, how am I going to assess its impact on critical systems (point #1), and prioritise the patches?
  3. What will be my fallback plan when a patch fails, breaks, or introduces more security issues?
  4. What is my current approval process?
  5. How am I documenting best practices and what I’ve learned from previous firefights?

The more you automate your patch management processes, the less stressful they become. Even so, your patch management strategy will remain a continually evolving exercise in your organisation.

You need a consistent and organised patching strategy to be effective in preventing security nightmares, while keeping the costs of patching to a minimum.
