As Microsoft releases 111 patches to address security vulnerabilities across 12 products, we look at the patch management risks that your business should know about.
The workplace is changing at an alarming pace, with many office workers moving from on-premises to remote working. With many organisations having long global supply chains, keeping sensitive information safe from increasingly sophisticated threat actors out to steal data for profit is crucial. This is more important now than ever, as many people are working on unsupported devices outside of the corporate network.
Microsoft’s May 2020 Patch Tuesday update addressed 111 security vulnerabilities across 12 different products, the third largest in its history. Out of the 111 fixes, 13 were classed as critical, which means that the flaws left devices highly vulnerable and could allow hackers to take full control of people’s computers. Of the other vulnerabilities, 91 were classed as “important”, three were “moderate” while four were “low.” No zero-day vulnerabilities were patched during the May update.
Updates always seem to appear at the most frustrating times, but whilst working from home it is crucial to install them. As well as adding things like new features and content, they also provide vital security patches.
The truth is that no development team can anticipate every future cyberattack, even with cybersecurity being a top priority. Patches allow them to respond quickly to vulnerabilities and escalating threats, which is especially important now as working practices are changing.
Four patch management risks that you should know about
1. Service interruptions can be costly
Some patches resolve vulnerabilities without affecting system uptime. However, most security patches require rebooting systems or disrupting their normal function long enough to install the patch. Depending on the user and the system, this time cost might be trivial, or it can have a significant effect on the organisation and its core business.
2. Security patches are released frequently
Every year software engineers uncover up to 6,000 vulnerabilities, so the sheer number of security patches released is massive, which is one of the reasons systems fall behind. Keeping up with patches for systems that are consistently targeted is challenging. Automatic updates can ease this problem, but they aren’t necessarily an option for organisations that need to test patches before deploying them to users.
3. Security patches can impact functionality
Security patches are tested on a wide range of products. However, depending on the urgency of releasing a patch, it is not always possible to test with every possible configuration, and for businesses that use software developed in-house, patches can have unexpected side effects. Sometimes this leads developers to leave vulnerabilities in their code, because they know that fixing them completely would break too many systems that rely on the software.
The only way to alleviate these risks is to test all patches before releasing them to your business’s systems. This process takes time and effort but is crucial, as is vigilant attention to available updates for your software systems.
4. Some devices can’t be patched
The role of network managers is key when it comes to devices that can’t be patched, such as smartphones. If a device is more than one or two years old, users have to wait quite a while for patches, if they get released at all. Implementing an effective patch management plan can help to mitigate this. Tracking available patches, testing them and deploying them helps to keep systems secure with little downtime, although this is no mean feat when workers are using their own unsupported devices.
Security patches are one of the most critical tools users have for effective cybersecurity. A fully updated system is one of the best defences against sophisticated cyberattacks. Larger businesses have a big task to keep their systems patched and it’s a fine balancing act between keeping a network secure and minimising downtime.
Northdoor’s experienced team can help your business to respond to the challenges of cybersecurity. With our products and services, we can help your business combat and overcome cybersecurity threats.