In this blog series, we will discuss each of the Cyber Essentials scheme’s five security controls that, according to the UK government, could prevent “around 80% of cyber attacks”. Our third blog covers patch management and addresses the need for organisations to keep software up to date with security patches.
Patch management is essential for improving security
Prompt patching is essential for effective cyber security. When a new patch is released, attackers use tooling to analyse it and identify the underlying vulnerability in the application being patched. Criminal hackers do this quickly, allowing them to release malware that exploits the vulnerability within hours of the patch being released. If a criminal hacker can successfully attack before the target applies the patch, there is a high risk of a data breach.
Some of the most serious breaches have been caused by unpatched software.
The Equifax breach and WannaCry ransomware incidents both involved criminal hackers exploiting unpatched vulnerabilities in servers operating Windows 7 and 8. In both breaches, the criminal hackers were able to target organisations that ran unpatched Windows software.
The scale of the problem has recently been highlighted in a survey conducted by Ponemon, which found that almost 60% of the breaches suffered by organisations were because of unpatched vulnerabilities.
Importantly, the same survey identified that organisations that avoided being breached rated their ability to patch vulnerabilities in a timely manner 41% higher than those that had been breached.
Securing your patch management efforts
For small to medium-sized enterprises (SMEs), one recommendation to help with patch management efforts is to maintain an asset register of all installed software. This should detail the software installed, when licences need renewing, where patch information can be obtained and any supplemental information (such as dependencies on other pieces of software or whether there are automatic updates).
Once the register has been set up, it will reduce the effort involved in maintaining your infrastructure and help in gaining Cyber Essentials certification.
Another recommendation is to determine whether there are any unpatched devices on the network and perform a risk analysis for each missing patch. Various tools on the market can assist in scanning the environment.
Once these steps are complete, remediation should be performed to bring all systems up to date with the latest patches.
How to protect yourself
Patch management is a key requirement for the Cyber Essentials scheme and will help you confirm that devices and software are not vulnerable to known security issues for which fixes are available.
To keep its software up to date, your organisation should routinely ensure that software is:
- Licensed and supported;
- Removed from devices when no longer supported; and
- Patched within 14 days of an update being released, in cases where the patch fixes a vulnerability with a severity the vendor describes as ‘critical’ or ‘high risk’.
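The asset register recommended above and the three rules in this list can be combined into a simple review script. The following is an added example, not code from the original post or from the Cyber Essentials scheme; the register fields, the severity labels, the advisory identifiers and every entry in the sample register are constructed assumptions for illustration. It flags software that is no longer supported (and so should be removed), expired licences, and any vendor-rated critical or high patch that has been outstanding for more than 14 days.

```python
from dataclasses import dataclass, field
from datetime import date

# Added example, not part of the original post. Field names, severity labels
# and all sample entries below are assumptions/constructed data.

PATCH_DEADLINE_DAYS = 14               # Cyber Essentials: critical/high fixes applied within 14 days
URGENT_SEVERITIES = {"critical", "high"}  # vendor-described severities that start the 14-day clock


@dataclass
class PendingPatch:
    identifier: str        # vendor advisory id (placeholder values in the sample data)
    severity: str          # severity as described by the vendor, e.g. "critical", "high", "medium"
    released: date         # date the vendor published the fix


@dataclass
class Asset:
    name: str
    version: str
    supported: bool        # does the vendor still provide security updates?
    licence_expires: date  # when the licence needs renewing
    patch_source: str      # where patch information is obtained
    auto_update: bool      # does the software update itself?
    depends_on: list = field(default_factory=list)   # other register entries it relies on
    pending: list = field(default_factory=list)      # PendingPatch entries not yet applied


def review_asset(asset, today):
    """Return a list of (category, message) findings for one register entry."""
    findings = []
    if not asset.supported:
        findings.append(("remove", f"{asset.name} {asset.version} is no longer supported; remove it from devices"))
    if asset.licence_expires < today:
        findings.append(("licence", f"{asset.name} licence expired on {asset.licence_expires.isoformat()}"))
    for patch in asset.pending:
        if patch.severity.lower() not in URGENT_SEVERITIES:
            continue   # lower severities are tracked but do not start the 14-day clock
        age = (today - patch.released).days
        if age > PATCH_DEADLINE_DAYS:
            findings.append(("overdue", f"{asset.name}: {patch.identifier} ({patch.severity}) released "
                                        f"{age} days ago, beyond the {PATCH_DEADLINE_DAYS}-day window"))
        else:
            findings.append(("due", f"{asset.name}: {patch.identifier} ({patch.severity}) must be applied "
                                    f"within {PATCH_DEADLINE_DAYS - age} days"))
    return findings


def review_register(register, today):
    """Run review_asset over every entry and group the findings by category."""
    report = {"remove": [], "licence": [], "overdue": [], "due": []}
    for asset in register:
        for category, message in review_asset(asset, today):
            report[category].append(message)
    return report


# Constructed sample register; a fixed review date keeps the output reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    Asset("WebApp Server", "3.2", True, date(2025, 1, 31), "https://vendor.example/security", False,
          depends_on=["Runtime"],
          pending=[PendingPatch("VENDOR-ADV-0001", "critical", date(2024, 5, 10))]),   # 22 days old
    Asset("Runtime", "11.0", True, date(2024, 12, 31), "https://runtime.example/advisories", True,
          pending=[PendingPatch("VENDOR-ADV-0002", "high", date(2024, 5, 25))]),       # 7 days old
    Asset("Legacy Office Suite", "2010", False, date(2024, 3, 1), "n/a", False),        # unsupported, expired
    Asset("PDF Reader", "9.1", True, date(2024, 9, 30), "https://pdf.example/updates", True,
          pending=[PendingPatch("VENDOR-ADV-0003", "medium", date(2024, 4, 1))]),      # not urgent
]

if __name__ == "__main__":
    for category, messages in review_register(SAMPLE_REGISTER, TODAY).items():
        for message in messages:
            print(f"[{category}] {message}")
```

Run against the sample register, the script reports one overdue critical patch, one high patch with seven days left in the window, one unsupported product to remove and one expired licence; the medium-severity patch is recorded but raises no finding because the 14-day rule applies only to critical and high fixes. Replacing the constructed entries with the organisation's real register turns the same script into a routine check of the three requirements.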
Being Cyber Essentials-certified demonstrates your commitment to cyber security. Anyone wishing to assess their supply chain can search the details of any organisation that has certified to the scheme on the National Cyber Security Centre's (NCSC) dedicated page.
Join us in our free webinar to learn what the Cyber Essentials scheme is and the role that it plays within the Cyber Resilience Strategy for Scotland. You will also learn the expectations and deadlines for achieving Cyber Essentials certification for Scottish public bodies, and more.