Even if you have successfully addressed the operating system patch problem, what about application software? At least with Windows, you can fairly easily run Windows Update and check the patch status. Application software patching is much more complicated, because many vendors are involved, each with their own update mechanism.
I am confident that many of you reading this, faced with a problem you cannot easily solve, are wondering if patch management is all that important in the first place. Please don't talk yourself out of being worried about this issue. A large percentage of PC infections with malware, including ransomware (which is at the top of everyone's list these days), result directly from the exploit of known vulnerabilities. We basically invite the bad actors to attack us by ignoring the patches provided to address problems.
A good indication of the severity of our patch problem is the fact that many of the vulnerabilities being successfully exploited today were fixed by patches released months or even years ago. SecurityWeek, in a February 2015 article citing Hewlett-Packard's Cyber Risk Report, said that 44% of vulnerabilities exploited in 2014 involved vulnerabilities between two and four years old. Do I have your attention yet?
Underscoring the importance of this issue is the fact that all of the major compliance standards, including HIPAA, PCI DSS and SOX, reference patch management. It is clear to the authoring organizations that patching is critical to data security.
Hopefully, you are now convinced of the importance of proper patch management practices. Assuming so, here are some things you can do to simplify the process.
Assign someone. Regardless of methodology, patch management will never be done well unless someone is given responsibility for it. The assigned individual(s) must check new PCs for proper patch management settings as they are deployed, and frequently spot-check the settings and update status.
Have a policy and procedure. Arm the assigned individual(s) with a written policy and procedure, defining how the patch management and monitoring process will be carried out on a daily basis.
Log and verify results. The results of any patch checks should be logged, with the log checked by someone else.
Automate. There are a variety of automation tools that can help ensure that patches are deployed. Microsoft's Windows Server Update Service (WSUS) can be a key part of the solution, along with asset management systems like Dell KACE and ManageEngine.
Outsource. There are a variety of managed services providers that can install a small tool on each PC, allowing them to manage and monitor the deployment of patches. If you go this route, you will be better served with a security specialist, rather than a general IT company that provides this as one of a long list of services.
Sign up for CIO Asia eNewsletters.