BYOD further complicates the picture, as users bring different applications running on different operating systems that aren’t owned or controlled by IT.
Software from vendors such as Adobe, Google, Oracle and Mozilla is highly prevalent in corporate environments, has many vulnerabilities that need to be addressed and is more highly targeted by attackers. As an example, in 2015, Flash Player exploits made up as much as 70% of the exploits in Angler, an off-the-shelf exploit framework that was available on the black market but recently met its demise.
In these cases, relying on auto updaters is not an option, as they can be disabled, ignored by users or simply break. Even widely used auto updaters are vulnerable to breaking; Google Chrome’s auto update mechanism broke in 2016 for a period of six months or more. A lot of vulnerabilities can accumulate in that period, making a system perfect prey for the cyber-criminal.
#4 Apply coverage on and off premise
Patching your OS and applications can mean nothing, however, if not done for every computer in every location. As IT enables users to leave the network or even work remotely without ever touching the network, it still needs to secure these users as if they were on premise. Patch management systems and other security controls should provide the same level of coverage and control off premise as they do on premise.
A zero-day exploit can happen at any time, and you can’t predict when a user will be back on the network or connected to the VPN, bringing these security threats to the rest of the network. In today’s increasingly dispersed workforce, in which many end users are in various locations off premise, it’s essential that you treat all end users the same to avoid unanticipated breaches.
#5 Patch every week
As more end user systems can leave the network, patching frequency becomes more important. You may be following the patching patterns of prominent tech influencers, but they could be wrong for you. Microsoft may keep to a predictable security patch release cycle (Patch Tuesday, the second Tuesday of every month, except February 2017), but most other vendors have unpredictable release schedules. Oracle releases its quarterly patches in the first month of the quarter and Adobe releases quarterly in sync with Microsoft Patch Tuesday. Google and Mozilla don’t have set schedules, releasing as each branch matures and is ready to launch.
Each of these companies clearly has its own schedule that works for its specific software, but their frequencies are not right for everyone. For those who want to make patching frequency a main part of their security strategy, releasing new patches twice weekly is a great approach, which can especially help protect laptops.