
Patch management in an SME environment

Installing updates is an effective way to eliminate existing security vulnerabilities in complex digital systems. Good patch management makes this run smoothly in an SME environment, too.

The most important points to remember:

  • Define regular time slots outside production periods to maintain your systems.
  • Only ever obtain security updates from reliable sources.
  • Check the effectiveness and “side effects” of security updates before installing them on production systems.
  • Establish a plan for distributing security updates on your systems.
  • Keep an up-to-date back-up at hand, just in case something goes wrong with an update.
  • Document all maintenance work undertaken on a system.

Security updates

IT systems are developing at an ever faster pace. Application functionality keeps increasing, and hardware and software life cycles tend to become shorter. Manufacturers therefore try to circulate their latest innovations quickly using updates.

In an SME environment, a certain degree of restraint is reasonable in this regard, since not every innovation can be integrated efficiently into your operations. Security updates are the one firm exception: they should be installed as soon as possible.

Every complex system has some hidden errors or vulnerabilities. These frequently remain undetected and harmless. Once they have been discovered, though, they pose an increasing IT security risk, since this is when a race against time starts.

On the one hand, hackers start to look for ways of exploiting such exposed vulnerabilities for their own ends, and develop so-called exploits. If they succeed, malicious third parties can, for instance, obtain unauthorised access to your systems and data.

On the other hand, manufacturers begin to fix these vulnerabilities as soon as they can with the help of security updates or patches, so as to forestall any potential exploits or to render any existing exploits harmless.

Patch management

In principle, security updates should therefore be installed comprehensively and as quickly as possible. What is generally easy to handle on a private single-user system, though, can prove tricky in an SME environment. It is therefore necessary to proceed systematically by way of a patch management process.

To install your security updates, follow these steps:

  • Identify any systems affected and the appropriate security updates.
  • Obtain security updates from a trustworthy source, in particular also for systems without their own direct Internet access.
  • Run preliminary tests of the effectiveness and “side effects” of security updates on non-critical systems.
  • Clear security updates on a system-dependent basis and complete installations outside production periods.
  • For critical systems: plan temporary fallback solutions and scenarios.
  • Document all changes made.

Since this is a rolling process, we recommend establishing periodic, fixed time slots for maintaining your systems. This way, you can collect, check and prepare security updates over a certain period of time, but delay their installation until the next time slot reserved for installing security updates.

Patch management involves procuring, testing and installing software updates. Their main purpose is to close security gaps in operating systems and applications.

Further information

Several factors play a part in identifying any systems affected and the appropriate security updates. On the one hand, the hardware itself plays a role: it is mainly firmware and drivers which need to be kept up to date. On the other hand, the operating system and the applications installed need to be checked for available updates.

For systems with direct Internet access, there are automatic scanner functions which periodically establish an inventory of all hardware and software and then look for available updates online. In an SME environment, though, such systems should only be used in a support function, if at all. We strongly advise against any unmonitored installation of updates. It should always be an engineer who is in control of the installation process.

Obtaining security updates can also prove tricky, since the updates most easily found on the Internet are not always “original products”. In such cases, there is a risk of purported security updates actually introducing an exploit into your system. If at all possible, you should always stick with a manufacturer’s official distribution channels.

Before you run any update on a production or even critical system, you should ensure it is compatible with the system concerned and its environment. Ideally, this is done by testing the effectiveness and “side effects” (i.e. any potential adverse reactions) of security updates in an isolated, non-production environment. The problem is that, frequently, no such environment is available in an SME.

Yet it is still advisable to provide for a system-independent clearance of security updates, e.g. by running them on less critical systems first. Only after a certain period of observation and some testing should you then also update your other systems.

For critical systems in particular, you should reserve sufficiently long time slots outside of production hours to install any updates. Similarly, you should prepare a fallback scenario and solutions with the help of back-ups, just in case you are unable to install an update successfully.

All steps of the update process should be documented in a transparent manner. Should you have to track down errors later, this record lets you draw important conclusions as to their origins.
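The staged clearance described above (less critical systems first, a period of observation, a back-up as fallback for critical systems, and a recorded reason for every deferral) can be expressed as a small planning script. This is an added example, not part of the original page; the seven-day observation period, the one-day back-up age and the machine names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed values: the page names neither an observation period nor a back-up age.
OBSERVATION = timedelta(days=7)
MAX_BACKUP_AGE = timedelta(days=1)

@dataclass
class System:
    name: str
    critical: bool
    patched_on: Optional[date] = None   # when this update was installed
    last_backup: Optional[date] = None  # most recent back-up, for fallback

def plan_slot(systems, slot):
    """Return (install, deferred) for the maintenance slot on date `slot`.
    `deferred` maps system name -> reason and can go into the change log."""
    pilots = [s for s in systems if not s.critical]
    # Less critical systems receive the update first.
    install = [s.name for s in pilots if s.patched_on is None]
    # Critical systems follow only once every pilot has been observed long enough.
    observed = bool(pilots) and all(
        s.patched_on is not None and slot - s.patched_on >= OBSERVATION
        for s in pilots)
    deferred = {}
    for s in systems:
        if not s.critical or s.patched_on is not None:
            continue
        if not observed:
            deferred[s.name] = "pilot observation not complete"
        elif s.last_backup is None or slot - s.last_backup > MAX_BACKUP_AGE:
            deferred[s.name] = "no current back-up for fallback"
        else:
            install.append(s.name)
    return install, deferred

def demo():
    """Two weekly slots over a constructed four-machine inventory."""
    inv = [System("office-pc-1", False), System("office-pc-2", False),
           System("erp-server", True, last_backup=date(2024, 3, 11)),
           System("file-server", True)]
    first = plan_slot(inv, date(2024, 3, 5))
    for s in inv:                      # record the installs from slot one
        if s.name in first[0]:
            s.patched_on = date(2024, 3, 5)
    second = plan_slot(inv, date(2024, 3, 12))
    return first, second

if __name__ == "__main__":
    for install, deferred in demo():
        print("install:", install, "| deferred:", deferred)
```

In the constructed run, the file server stays deferred in the second slot because it has no back-up to fall back on, and that reason is what would be written into the maintenance documentation.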
