This is the final part in our five-part series covering the government-backed Cyber Essentials scheme, which is designed to set a base standard for cyber security in organisations. It deals with five specific areas.
These key areas form the bedrock of security for IT systems. All organisations should ensure these five basic areas are covered either by their in-house IT team or their external IT partner.
In part 4 I covered Malware Protection. This time I cover Patch Management.
If you have seen my previous blog articles or LinkedIn post you may have already realised this is a part of security that I am passionate about. Everyone understands at least 3, if not all 4, of the other elements of the Cyber Essentials scheme. But people really don’t understand this part to the extent that I would like. Yet it is one of the simplest parts to fix. Our Windows PCs in default mode constantly nag us to perform these updates. But you would be surprised how many PCs are not patched.
The reason it is so important to apply these patches / updates is that they fix known vulnerabilities in software. Going back to May 2017 and the global outbreak of the WannaCry ransomware, this spread so rapidly due to unpatched PCs. Once the malware had got into a network and inside the firewall it then hunted around the network for unpatched computers. In some organisations, like the NHS, the results were devastating.
But patching doesn’t stop at Windows updates. You will have various other bits of software on your computers that may also have vulnerabilities: software like Adobe AIR, Flash & Reader; Chrome; Firefox; Java; Apple software; the list goes on. Furthermore, it doesn’t stop at your PCs either. What about your servers? What about your networking equipment, not least your internet firewall and WiFi equipment? These devices may have firmware updates that should be applied.
Both your software applications and devices should be currently supported by the vendor, licensed appropriately, and patched within 14 days of an update being released if the patch is fixing a critical or high-risk vulnerability.
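To show how that rule can be checked in practice, here is an added example (not code from Reach I.T. Management or from the Cyber Essentials scheme) that runs the three tests over an inventory. The `Item` fields, status labels, host names, dates and sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14           # window stated in the requirement above
URGENT = {"critical", "high"}    # severities the window applies to


@dataclass
class Item:
    host: str
    product: str
    vendor_supported: bool = True
    licensed: bool = True
    severity: Optional[str] = None   # severity of a pending update, None if up to date
    released: Optional[date] = None  # vendor release date of that update


def findings(items, today):
    """Return (host, product, status) for each breach of the rule."""
    out = []
    for it in items:
        if not it.vendor_supported:
            out.append((it.host, it.product, "UNSUPPORTED"))
        if not it.licensed:
            out.append((it.host, it.product, "UNLICENSED"))
        if it.severity and it.severity.lower() in URGENT:
            if it.released is None:
                # Cannot prove the patch is inside the window, so flag it.
                out.append((it.host, it.product, "RELEASE_DATE_UNKNOWN"))
            elif (today - it.released).days > PATCH_WINDOW_DAYS:
                out.append((it.host, it.product, "OVERDUE"))
    return out


# Constructed sample inventory and check date (not real data).
TODAY = date(2024, 3, 20)
INVENTORY = [
    Item("pc-01", "Windows", severity="critical", released=date(2024, 3, 1)),
    Item("pc-01", "Firefox", severity="high", released=date(2024, 3, 6)),
    Item("pc-02", "Java", vendor_supported=False),
    Item("srv-01", "Windows", severity="moderate", released=date(2024, 1, 10)),
    Item("fw-01", "firewall firmware", severity="High"),
]

if __name__ == "__main__":
    for host, product, status in findings(INVENTORY, TODAY):
        print(f"{host:7} {product:18} {status}")
```

The Firefox record sits exactly on day 14 and so is still inside the window, while the firmware record is flagged because a missing release date means the deadline cannot be shown to have been met.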
At Reach I.T. Management we include centrally managed and monitored patch management for Windows and third-party software vendors like the ones mentioned above as part of our support packages. We schedule daily checks for these updates and force them onto our clients’ computers to ensure compliance with the demands of Cyber Essentials. If a machine fails to update, the system automatically creates a support ticket for us to investigate. We take care of your patch management for your total peace of mind.
If you want to discuss how we could help you with any of the above then please do call me on 01788 440024 or fill in the contact form on our website.