Q: With the recent Spectre and Meltdown patches hitting headlines lately, we’ve been examining our patch management processes. What are some best practices we should keep in mind when implementing the latest patch for our SMB customers?
Patches have been a hot topic lately, and missing even one patch can leave your SMB customers vulnerable to becoming a victim to the latest exploit or threat. The 2016 Verizon Data Breach Report showed that 85 percent of successful hacks used the top 10 exploits, however if those systems had been patched, most of those attacks could have been prevented.
To help guide you in the right direction for patch management, we talked to Chris Crellin, the senior director of product management at Barracuda MSP. He shared five patch management best practices every MSP should follow.
Best practices for patch management
Patch management is an essential component to helping your SMBs’ business run efficiently, and it can often be another defense against cybercriminals entering their network. Follow these best practices to help patch management go smoothly:
1. Make sure your customers’ subscriptions and maintenance fees are paid. Often, with SaaS or on-premises solutions, vendors will require that an annual or subscription-based fee be paid to receive all the new updates and patches. If you or a customer has not paid these fees, you might miss out on the newest release. If you aren’t being billed automatically for these subscriptions, try using your CRM tool to keep an updated list of when the next payment needs to be sent.
2. Test patches in a sandbox environment in advance. Before rolling out an update to your SMB customers, test the patch in a sandbox environment to ensure that it’s not infected. Generally, you should always patch, but there can be risk with implementing the new software update right away—which is why you should always test first. Early movers and those that auto-update often are the first to run into any bugs or problems. If you’re updating customers that have mission-critical software, it’s best to test before updating unless there is a specific vulnerability that the patch protects against. Auto-updates can be a great way to make sure every patch is implemented—however, it’s best to test the patch beforehand to make sure it’s compatible.
3. Implement a patching process to keep business interruption at a minimum. Don’t schedule a software patch during peak business hours. Instead, look for a convenient time when most of your customers’ employees will be offline. This will minimize business interruption, which can help keep your SMB customers happier. When you implement a patch, you also need to make sure all devices are updated. Missing one or two devices can leave a gap for vulnerabilities to infect the network. Generally, you can integrate most patches with your RMM tool and roll them out in bulk, which can help you manage hundreds or thousands of devices at once.
4. Sell patch management as part of your managed services offering. If you’re routinely doing software patches for your managed service customers, integrate the cost of this into their service contract—even if it’s simply a line item showing them all the value you deliver to them each month. Patch management is a value-added service that can help them avoid becoming a victim of the latest zero-day threat, so be sure at the very least, to point this out in your quarterly review.
5. Watch out for patch notifications from your vendors. One of the most important things to keep track of in terms of patch management is when the next patch will be and what the patch will be fixing. Paying attention to notifications with your vendors to ensure that you and your SMBs’ systems will stay up to date. Failing to do so could leave the door open for vulnerabilities.
By implementing these best practices, you can ensure that your customers are receiving the software updates they need to keep their business functional. If in your test you find that a software update is not compatible with their environments, push the vendors to make the necessary changes. For example, some anti-virus software may be incompatible with internet security software, or previously installed security software applications. If you would like to continue using both components, check with your vendors to see if there is an update in the works that will allow you to use both products. Cybercriminals are always looking for a way into SMBs’ networks, and a properly patched environment can save your customers from becoming the next easy victim.
Photo: Rawpixel.com / Shutterstock. .