The EU Data Protection Regulation has proposed steep fines (€100m) for companies that fail to comply with measures pertaining to security breaches and data theft, such as maintaining an effective patch management strategy.
Regulatory agencies take non-compliance seriously, and unpatched software is one of the biggest culprits of compliance issues.
Recently, a healthcare company in the US paid a regulatory fine of $150,000 for HIPAA (Health Insurance Portability and Accountability Act 1996) security violations arising from unpatched and unsupported software in their IT environment.
If you think the cost of not keeping your IT environment up-to-date is only in the form of regulatory fines, you need to reconsider that notion. You have to add the costs of patching to the equation when you formulate a patch management strategy.
Calculating the cost of patching isn’t difficult. Here is a simple formula to help you determine what your cost would be:
Cost to Patch = (Hours x Rate x Systems) + (Patch Failure % x (Hours x Rate x Systems))
Worked example: (2 hours to patch a system x £50/hour rate x 1,000 systems) + (5% patch failure rate x (2 hours x £50/hour x 1,000 systems))
= £100,000 + £5,000 = £105,000
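As an added example (not code from the original article), the calculator below applies the formula above and extends it to an estate split into groups, each with its own effort, rate and failure figures; the group names and numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class SystemGroup:
    """One set of machines patched under the same assumptions (constructed data)."""
    name: str
    hours_per_system: float   # technician time to patch one system
    hourly_rate: float        # loaded cost per technician hour
    systems: int              # number of systems in the group
    failure_rate: float       # fraction of patch runs that fail and need rework (0.05 == 5%)


def patch_cost(hours: float, rate: float, systems: int, failure_rate: float) -> float:
    """Cost to Patch = (Hours x Rate x Systems) + (Failure % x (Hours x Rate x Systems))."""
    if not 0.0 <= failure_rate <= 1.0:
        raise ValueError("failure_rate must be a fraction between 0 and 1")
    base = hours * rate * systems
    return base + failure_rate * base


def group_cost(group: SystemGroup) -> float:
    return patch_cost(group.hours_per_system, group.hourly_rate, group.systems, group.failure_rate)


def total_cost(groups: Iterable[SystemGroup]) -> float:
    """Cost of one patch cycle across every group in the estate."""
    return sum(group_cost(g) for g in groups)


def annual_cost(groups: Iterable[SystemGroup], cycles_per_year: int = 12) -> float:
    """Monthly patching (the article's assumption) repeated over a year."""
    return total_cost(groups) * cycles_per_year


if __name__ == "__main__":
    # The article's worked example: 2 h x £50/h x 1,000 systems at a 5% failure rate.
    print(patch_cost(2, 50, 1000, 0.05))  # 105000.0
    # Hypothetical estate: exposed servers, WSUS-managed desktops, and hand-patched Java hosts.
    estate = [
        SystemGroup("internet-facing servers", 3.0, 50, 100, 0.05),
        SystemGroup("end-user workstations (WSUS)", 0.5, 50, 800, 0.02),
        SystemGroup("workstations with manual Java updates", 2.0, 50, 100, 0.15),
    ]
    for g in estate:
        print(f"{g.name:40s} £{group_cost(g):>10,.2f}")
    print(f"monthly total £{total_cost(estate):,.2f}, yearly £{annual_cost(estate):,.2f}")
```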
Suppose you are spending this £105,000 every month. Then you realise that this cost just keeps going up. This could be because:
- Your patch management strategy is manual and time consuming
- You don’t have a process in place to account for newer cyber threats
- You employ a mix of manual and automated patching (e.g., using WSUS to automate Microsoft® patches while leaving third-party updates for end users to do themselves)
- You spend too much time dealing with firefights
- You have troublesome software, like Java™, that requires specialised install scenarios and frequently ends in failed updates
- Some of the patches that you roll out are breaking systems, or worse, introducing new security headaches
In such cases, you may have to revisit your existing patch management strategy to see if you need to consider some other factors in addressing recurring issues.
Prepare notes on each of the following questions and you may stumble upon those key points that would help you tighten your patch strategy.
- Which computers or groups are always connected to the Internet (and/or transactional in nature)?
- When a threat arises, how am I going to assess its impact on critical systems (see the first question) and prioritise the patches?
- What will be my fallback plan when a patch fails, breaks, or introduces more security issues?
- What is my current approval process?
- How am I documenting best practices and what I’ve learned from previous firefights?
The more you automate your patch management processes, the less stressful they become. That said, your patch management strategy can be a continually evolving exercise in your organisation.
You need a consistent and organised patching strategy to be effective in preventing security nightmares, while keeping the costs of patching to a minimum.
Originally published on IFSEC Global