In this blog series, we will discuss each of the Cyber Essentials scheme’s five security controls that, according to the UK government, could prevent “around 80% of cyber attacks”. Our third blog covers patch management and addresses the need for organisations to keep software up to date with security patches.
Patch management is essential for improving security
Prompt patching is essential for effective cyber security. When a new patch is released, attackers use software to examine the underlying vulnerability in the application being patched.
Criminal hackers do this quickly, which allows them to release malware that exploits the vulnerability within hours of the patch being released. If a criminal hacker can successfully attack before the target patches the vulnerability, there is a high risk of a data breach.
Some of the most serious breaches have been caused by unpatched software.
The Equifax breach and WannaCry ransomware incidents both involved criminal hackers exploiting unpatched vulnerabilities in servers operating Windows 7 and 8. In both breaches, the criminal hackers were able to target organisations that ran unpatched Windows software.
The scale of the problem has recently been highlighted in a survey conducted by Ponemon, which found that almost 60% of the breaches suffered by organisations were because of unpatched vulnerabilities.
Importantly, the same survey identified that organisations that avoided being breached rated their ability to patch vulnerabilities in a timely manner 41% higher than those that had been breached.
Securing your patch management efforts
For small to medium-sized enterprises (SMEs), one recommendation to help with patch management efforts is to maintain an asset register of all installed software.
This should detail the software installed, when licences need renewing, where patch information can be obtained and any supplemental information (such as dependencies on other pieces of software or whether there are automatic updates).
Once the register has been set up, it will reduce the effort involved in maintaining your infrastructure and help in gaining Cyber Essentials certification.
Another recommendation is to determine if there are any unpatched devices in the network and perform a risk analysis for the missing patches. Various tools on the market can assist in scanning the environment.
Once these steps are complete, remediation should be performed to bring all systems up to date with the latest patches.
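The register and the check for missing patches described above can be combined in a short script. The following is an added example, not part of the original blog or of the Cyber Essentials scheme: the column names, the sample rows, the 30-day licence window and the ordering of findings are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample register; column names are assumptions for this example.
REGISTER_CSV = """\
name,installed_version,latest_version,licence_renewal,patch_source,depends_on,auto_update
ExampleOffice,16.0.2,16.0.5,2025-03-01,https://vendor.example/office/updates,,yes
ExampleDB,12.4,12.9,2025-01-20,,ExampleRuntime,no
ExampleRuntime,8.0.1,8.0.1,2026-06-30,https://vendor.example/runtime/security,,no
ExampleVPN,3.2.0,3.10.0,2025-09-15,https://vendor.example/vpn/advisories,,no
"""

def parse_version(text):
    """Turn '3.10.0' into (3, 10, 0) so 3.10.0 compares newer than 3.2.0."""
    return tuple(int(part) for part in text.strip().split("."))

def audit_register(csv_text, today, licence_window_days=30):
    """Return (name, issue) findings, unpatched software without auto-update first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"]
        installed, latest = row["installed_version"], row["latest_version"]
        if parse_version(installed) < parse_version(latest):
            # Manually updated software is ranked ahead of auto-updating software.
            manual = row["auto_update"].strip().lower() != "yes"
            findings.append((0 if manual else 1, name, f"unpatched: {installed} < {latest}"))
        if not row["patch_source"].strip():
            findings.append((2, name, "no patch information source recorded"))
        days_left = (date.fromisoformat(row["licence_renewal"]) - today).days
        if days_left <= licence_window_days:
            findings.append((3, name, f"licence renewal due in {days_left} days"))
    findings.sort(key=lambda f: (f[0], f[1]))
    return [(name, issue) for _, name, issue in findings]

if __name__ == "__main__":
    for name, issue in audit_register(REGISTER_CSV, date(2025, 1, 10)):
        print(f"{name}: {issue}")
```

The ordering is only a starting point for the risk analysis; the `depends_on` column is kept in the register so that a patch to one product can be checked against the software that relies on it.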