IFSEC Insider is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Recently, a healthcare company in the US paid a regulatory fine of $150,000 for HIPAA (Health Insurance Portability and Accountability Act 1996) security violations arising from unpatched and unsupported software in its IT environment.
The proposed EU General Data Protection Regulation includes steep fines (up to €100m) for companies that fail to comply with its requirements on security breaches and data theft.
Regulatory agencies take non-compliance seriously, and unpatched software is one of the biggest causes of compliance failures.
Regulatory fines are not the only cost of an out-of-date IT environment. The cost of patching itself has to be part of the equation when you formulate a patch management strategy.
Calculating the cost of patching isn't difficult. Here is a simple formula for estimating it; the first term is the labour to patch every system once, and the second is the labour to redo the share of patches that fail:
(Hours x Rate x Systems) + (Patch Failure % x (Hours x Rate x Systems)) = Cost to Patch
(2 hours to patch a system x £50/hour x 1,000 systems) + (5% patch failure rate x (2 hours x £50/hour x 1,000 systems)) = Cost to Patch
£100,000 + £5,000 = £105,000
Suppose you are spending this £105,000 every month, and the figure keeps rising. Typical reasons include:
Your patch management process is manual and time consuming
You have no process in place to account for new cyber threats
You use a mix of manual and automated patching (e.g. WSUS to automate Microsoft patches, leaving third-party updates for end users to apply themselves)
You spend too much time firefighting
You have troublesome software, such as Java, that needs specialised install handling and otherwise leads to failed updates
Some of the patches you roll out break systems or, worse, introduce new security problems
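The formula above, carried into a small cost model as an added example (this is not code from the article or from SolarWinds). It reproduces the article's £105,000 figure, then compares the saving from halving the hours per system (a stand-in for automating a manual process) with the saving from halving the failure rate (a stand-in for fixing troublesome installs and patches that break systems). Those two scenarios, and the optional extension in which a redone patch can fail again, are this example's own assumptions rather than anything the article states.

```python
"""Patch-cost model built on the article's formula (added example, not SolarWinds code).

Cost to Patch = (Hours x Rate x Systems) + (Patch Failure % x (Hours x Rate x Systems))

The base term is the labour to patch every system once; the rework term is the
labour to redo the share of patches that fail. The lever comparison and the
retry extension below are this example's own assumptions, not the article's.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PatchRun:
    hours_per_system: float  # technician hours to patch one system
    hourly_rate: float       # loaded cost per technician hour (GBP in the article)
    systems: int             # systems in scope for one patch cycle
    failure_rate: float      # fraction of patch attempts that fail and must be redone

    def base_cost(self) -> float:
        """Hours x Rate x Systems: one pass over every system."""
        return self.hours_per_system * self.hourly_rate * self.systems

    def rework_cost(self) -> float:
        """Patch Failure % x base: the article's rework term (one redo per failure)."""
        return self.failure_rate * self.base_cost()

    def total_cost(self) -> float:
        """The article's Cost to Patch for one cycle."""
        return self.base_cost() + self.rework_cost()


def article_example() -> PatchRun:
    """The article's worked figures: 2 h x GBP 50 x 1,000 systems, 5% failure."""
    return PatchRun(hours_per_system=2.0, hourly_rate=50.0, systems=1000, failure_rate=0.05)


def annual_cost(run: PatchRun, cycles_per_year: int = 12) -> float:
    """Cost to Patch for a run repeated every cycle (monthly in the article)."""
    return run.total_cost() * cycles_per_year


def expected_cost_with_retries(run: PatchRun) -> float:
    """Extension (assumption): a redone patch can fail again at the same rate.

    Retrying until every system succeeds costs base x (1 + f + f^2 + ...) = base / (1 - f),
    slightly more than the article's single-rework term.
    """
    if not 0.0 <= run.failure_rate < 1.0:
        raise ValueError("failure_rate must be in [0, 1)")
    return run.base_cost() / (1.0 - run.failure_rate)


def lever_savings(run: PatchRun) -> dict[str, float]:
    """Per-cycle saving from halving each cost driver the article lists.

    Halving hours per system stands in for automating a manual process;
    halving the failure rate stands in for fixing troublesome installs and
    patches that break systems. The scenario choice is this example's assumption.
    """
    baseline = run.total_cost()
    scenarios = {
        "halve_hours_per_system": replace(run, hours_per_system=run.hours_per_system / 2),
        "halve_failure_rate": replace(run, failure_rate=run.failure_rate / 2),
    }
    return {name: baseline - alt.total_cost() for name, alt in scenarios.items()}


if __name__ == "__main__":
    run = article_example()
    print(f"base   GBP {run.base_cost():>10,.0f}")
    print(f"rework GBP {run.rework_cost():>10,.0f}")
    print(f"total  GBP {run.total_cost():>10,.0f} per cycle, {annual_cost(run):,.0f} per year")
    print(f"with repeated retries: GBP {expected_cost_with_retries(run):,.0f}")
    for lever, saving in lever_savings(run).items():
        print(f"{lever:<24} saves GBP {saving:>9,.0f} per cycle")
```

With the article's own numbers, halving the time per system saves £52,500 a cycle while halving the failure rate saves £2,500, which is why the manual-process and automation points in the list above move the total far more than the rework term does.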
In such cases, revisit your existing patch management strategy and look for the factors behind the recurring issues.
Prepare notes on each of the following questions; the answers will often reveal the points that tighten your patch strategy.
Which computers or groups are always connected to the Internet (and/or transactional in nature)?
When a threat arises, how am I going to assess its impact on critical systems (question 1 above) and prioritise the patches?
What is my fallback plan when a patch fails, breaks a system, or introduces more security issues?
What is my current patch approval process?
How am I documenting best practices and what I’ve learned from previous firefights?
The more you automate your patch management processes, the less stressful they become. Even so, expect your patch management strategy to keep evolving as your organisation changes.
You need a consistent and organised patching strategy to be effective in preventing security nightmares, while keeping the costs of patching to a minimum.
How to Tighten Your Security Patch Strategy to Prevent Cyber Breaches
The cost of patching is greater than you think, warns Narendran Vaideeswaran, product marketing manager at SolarWinds.