Keeping endpoints patched and up to date is one of the biggest challenges IT professionals face across virtually every organization and industry. In fact, IT pros estimate that just 66% of their software estate is current at any given time. Considering that nearly 60% of cyberattack victims say their breaches could have been prevented by installing an available patch, the patching void translates directly to gaping holes in network security.
For most organizations, the average time to patch is 102 days. Yet there is troubling evidence shows that this is far too slow—from the time a patch is announced, it takes 7 days for cybercriminals to exploit the known vulnerability.
Can your organization afford to take that kind of gamble?
Unfortunately, patching devices is a necessary evil in order to keep up with the pace of new threats. And, the resources required to even get to 95% patch deployment are considered disproportionately high compared to the perceived benefits in many organizations.
Getting to 95% or even 100% doesn’t have to be a costly, time-consuming and overwhelming chore. Here are 5 quick tips to make patching a painless process, and finally get your organization to the 100% mark.
1). Gain access to endpoints. IT pros report having visibility over just 64% of endpoints on the network. That means they have no idea what’s happening on more than a third of machines, creating a huge security gap. Devices are no longer kept at an office desk; they are spread across cities and remote workers. The bottom line is that you can’t protect what you can’t see. Deploying an endpoint management solution that gives you visibility over every device—even those that are remote and lightly connected with internet access just a few minutes a day—can be game-changing for your patching program.
2). Remotely manage devices. In order to avoid interference with user productivity, many organizations will delay patching until the device is idle. The problem that creates is that many go to sleep, disconnect or even shut down during idle time. Not to mention, this method doesn’t work for laptops at home, or on a plane, and are only switched on for a few hours, or even minutes a day. Having the ability to remotely access and ensure devices are patched is crucial to patch success. This requires a real-time IT solution that only needs seconds to figure out what patches are required, transfer them and install them. The best ones do this without disrupting the user. This seems like an obvious solution, but without the right tools is an arduous, time-consuming process—if it even happens at all.
3). Cache content and schedule deployment. Another big challenge for patching is the size of content. With bi-annual Windows 10 updates, it could mean trying to push a 5Gb file to hundreds of machines simultaneously. This creates a major bandwidth bottleneck that not only delays patching but brings the entire network to a crawl. And, if a machine goes offline in the download process, it often means starting all over. Instead, use an automated patching solution that allows you to cache content and schedule deployment. For example, in a remote office, designate a master machine to download and host the content from the server, and then distribute it to peer machines on a local network. Done during off-hours, this process means machines get the updates they need without dragging down the entire network or interfering with users.
4). Include a reboot protocol. There’s a saying in IT Ops, “If it’s not rebooted, it’s not patched,” and this is absolutely true. Patches are installed on the reboot, so if you’re skipping this step, the patch isn’t complete. Downloading patch after patch without a reboot can also cause a cascade of installation errors when you do finally reboot the machine, as some patches have prerequisites. Failure to reboot simply digs a deeper hole solves nothing and creates more work. It’s essential to include a reboot protocol into every patch deployment. Automating this process not only ensures that it happens but also does so quickly to prevent uninstalled patches from piling up.
5). Nail down reporting. Once you’ve got a handle on a patching system that works, it’s time for a status check. Having real-time access to every endpoint gives you a baseline to know where you stand and what still needs to be done. With a robust reporting tool that can automatically query endpoint devices, you can see which machines are patched, what’s not patched and which ones are pending a reboot. With this insight, you can tackle the devices for which a patch went south or that need manual intervention, or perhaps a complete rebuild to bring them into compliance.
One thing’s for sure: patching will never be fully “done.” The more software and solutions you’re running, the more vulnerabilities discovered, and patches issued. The only way to manage it successfully and efficiently is to implement tools that automate as much of the process as possible. By allowing the tools to do the heavy lifting, IT staff can focus on those machines that need extra attention, and perhaps finally get their heads above water.
About the Author:
Sumir Karayi is the founder and CEO of 1E, an endpoint management company, in 1997 with the goal to drive down the cost of IT for organizations of all sizes. Under Sumir’s leadership, 1E has become a successful global organization and has been inventing solutions to help IT get more done every day for 20 years. 1E is also a trusted partner, with 31 million licenses deployed across more than 1,700 organizations in 42 countries worldwide.