February 12, 2021 By Sue Poremba

Software without the most recent patch is like an unlocked door for threat actors. They know the openings are there and can just walk in. But patching and a software update schedule can make sure that door stays locked.

Applying patches isn’t difficult. Click a few buttons, reboot and you are good to go. Even better, your group may have an automated system that handles patching. Yet, these holes may remain unpatched for long periods of time, becoming one of the biggest risks to your network and data. First, why does such an important task get overlooked so often? Next, why should you pay more attention to a software update schedule?

The Basics of a Technology Refresh Plan

A tech refresh plan might be ignored if there is a lot of confusion surrounding the organization’s software update schedule and rules. Does each person have to handle the patches on their work devices, or does IT handle it? If IT does it, they may want to install patches during their regular workday. But other employees may fight that because the patching process may disrupt their workflow. After all, no one wants to be processing a huge database just to see the system reboot in the middle of it. So, the patches get put aside for when they are convenient for everyone. Except, of course, there is no such thing as convenient for everyone in the company. Patching is likely to disrupt someone.

The increase in remote workers has also thrown a new wrinkle into software patching, as has the use of personal devices by those working from home. Keeping an eye on tech refreshes is a serious dilemma for security and IT teams.

The solution is a software update schedule that spells out who is in charge of updates and patches, when and how these updates happen, and penalties for employees who refuse to follow the schedule.

Why You Need a Software Update Schedule

Most people don’t understand the need for regular updates and fixes. They may be familiar with Microsoft’s Patch Tuesday, but think that it manages all the software on their computer. Cyber attacks aren’t top of mind for most employees. Naturally, they are most concerned with their own work duties and how to complete them most efficiently. So, they don’t understand the risks of unpatched software.

Or, they may not want to update their software because it changes the way it looks or works. They don’t believe that updates really make the software work better. Rather, they just see how annoying it might be to learn a new way of doing things.

On the IT and security side, there is a learning curve, too. IT can learn to better understand the rhythms of the people using the network and software. This helps them understand how to break down patches and make sure the software update schedule causes the least disruption to the work routine.

Having a software update schedule brings everyone into the communication loop. Doing this helps IT and security manage around monthly work schedules to reduce downtime, and helps employees understand why one Microsoft patch doesn’t cover everything.

Audits and Tests Reveal Security Holes

If even a single security hole remains within your network, your patching and upgrade efforts will fail. You have to know everything touching the network. That includes every server, every virtual and physical device, every type of operating system and its version, and all of the personal devices and shadow IT.

Once every endpoint and asset is accounted for, categorize their updates within the software update schedule, either pre-scheduled or for emergency patches. If an Apple device needs an urgent update, you will know exactly where these devices are used within the company. From there, you can either schedule the patch or alert the end user that a patch download is necessary as soon as possible.

It is also a good idea to create a test environment before rolling out a company-wide patch or update. This allows you to confirm whether the update will work within your system or crash it. Also, be prepared for situations where an upgrade may work fine for the majority of devices but cause failure on a few.

Endpoint auditing is not a one-and-done project. Instead, it must happen often to account for new devices onboarded or outdated ones taken offline.

Policies in which employees are allowed to bring their own devices (BYOD) will be the most difficult piece of the audit and update puzzle. End users are bad enough about ignoring updates on their computers, and they are even worse with mobile device and IoT updates, which aren’t as regular or as frequent. Consider a mobile device management solution that allows IT and security some control over patch and update management.

Manual Versus Automated Software Update Schedules

Will your software update schedule be a manual process or automated? Automated is more efficient, as the solutions regularly scan for patch updates and vulnerabilities. The IT team can include those update installations in the software update schedule.

However, the best option is a mix of the two. Automation will keep everything attached to the network updated and secure, but there may be cases where manual updates are required (such as BYOD or an unconnected device). A member of the IT or security team would be responsible for conveying this need to the staff and sending reminders of the software update schedule and of emergency patches when they occur. They should stress the importance of a well-patched system. The patch coordinator or team should also consider creating documentation of update deployment protocols or custom patching considerations. This person or team will also be responsible for device audits, which would also be included in the update documentation.
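The inventory-driven schedule described in the audit and automation sections above, as an added example that is not code from the article: it reconciles an inventory against devices seen on the network, then orders one patch across the test environment, the automated rollout and the manual (BYOD or unconnected) track. The asset fields, device names, owners and the `audit` and `plan_patch` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    platform: str            # "macos", "ios", "windows", ...
    owner: str
    managed: bool            # reachable by the automated patching tool
    test_ring: bool = False  # part of the test environment

# Constructed sample inventory; names and owners are made up.
INVENTORY = [
    Asset("lab-mac-01", "macos", "it-lab", managed=True, test_ring=True),
    Asset("fin-mac-07", "macos", "a.jones", managed=True),
    Asset("byod-mac-11", "macos", "c.lee", managed=False),
    Asset("byod-iphone-3", "ios", "b.smith", managed=False),
    Asset("db-win-02", "windows", "dba-team", managed=True),
]

def audit(inventory, seen_on_network):
    """Compare the inventory with device names observed on the network."""
    known = {a.name for a in inventory}
    unknown = sorted(set(seen_on_network) - known)  # new or shadow IT
    stale = sorted(known - set(seen_on_network))    # offline or retired
    return unknown, stale

def plan_patch(inventory, platforms, emergency=False):
    """Return ordered (stage, asset, action) steps for one patch."""
    when = "immediately" if emergency else "in the next scheduled window"
    affected = [a for a in inventory if a.platform in platforms]
    steps = []
    # Test environment first, so a crashing update is caught there.
    steps += [("test", a.name, f"auto-install {when}")
              for a in affected if a.managed and a.test_ring]
    # Remaining managed devices follow once the test stage passes.
    steps += [("rollout", a.name, "auto-install after test passes")
              for a in affected if a.managed and not a.test_ring]
    # BYOD and unconnected devices: the owner has to install by hand.
    steps += [("manual", a.name, f"remind {a.owner} to install {when}")
              for a in affected if not a.managed]
    return steps

if __name__ == "__main__":
    for step in plan_patch(INVENTORY, {"macos", "ios"}, emergency=True):
        print(*step, sep=" | ")
    print(audit(INVENTORY, ["lab-mac-01", "fin-mac-07", "db-win-02", "printer-9f"]))
```

Rerunning `audit` on a regular cadence is what keeps the plan honest: a device that appears in `unknown` is one no patch step will ever reach until it is added to the inventory.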

This may seem like an overwhelming task, and it can be. Patching and updating to close security holes is an important and sometimes complicated process, but putting together a regular schedule and having a plan in place streamlines it. From there, you can avoid the headaches and costs of a severe data breach.
