From WannaCry to the Equifax breach, it’s no wonder that fixing software vulnerabilities in a timely manner is a current theme within cybersecurity. While this task falls to the IT team, CIOs who oversee IT need to be aware of the organization’s patching processes and ensure that they’re being properly implemented. Patching known vulnerabilities is one of the “lowest hanging fruit” activities a company can take on its path to cybersecurity.
Regularly asking these six questions – and digging further into any unsatisfying answers – will help ensure your organization is prepared to quickly patch areas of exposure and minimize risk.
If you don’t have a reliable log of where the software that needs to be patched is deployed, you run the major risk of missing an instance, leaving the vulnerability open. Maintaining inventory documentation may be a tedious task, but it’s absolutely necessary to have an inventory so you can quickly and completely address issues.
As more employees work remotely or use their own devices, or as your company engages more contractors outside of your immediate ecosystem, you need to ensure this shift in work habits doesn’t leave your network vulnerable. If you cannot control the security and updates of an employee’s personal device used for work purposes, strongly consider implementing virtual desktops to help isolate your environment and gain better control no matter the endpoint device and its upkeep.
Without a written, documented procedure for rolling out updates or patches, the process is left to the discretion of individual team members. In the best-case scenario, patches are implemented in an inconsistent manner; in the worst-case scenario, they don’t get implemented at all.
With the state of cybersecurity today, hackers are increasingly taking advantage of known vulnerabilities and poor patching practices. With both WannaCry and the Equifax breach, the vulnerability was known and unaddressed by many for months, allowing malicious parties plenty of time to take advantage of the hole.
There should be a documented timeline for patching and updating software and an understanding (even if it’s simply a reasonable estimate) of how long it takes to complete the task.
Some vulnerabilities present a bigger risk than others. Companies should have a way to assess risk impact and a plan to adjust the patching protocol accordingly. As CIO, it’s important you understand this process so you can have reasonable expectations and make adjustments to resources if needed.
Patches and updates take time away from more business-driving tasks – particularly if the IT staff has to touch every individual device. The longer devices go unpatched, the greater the potential for a breach. Ask your team if there are solutions that would make this process easier and faster. (Virtual desktops offer centralized control for easier, faster patching, and some fully managed desktop-as-a-service providers perform patching for the client based on the client’s schedule.) Implementing patches more quickly not only minimizes risk but also allows IT teams to get back to more innovative or business-critical tasks.