Installing updates is an effective way to eliminate existing security vulnerabilities in complex digital systems. Good patch management makes for smooth implementation in an SME environment, too.
The most important points to remember:
- Define regular time slots outside production periods to maintain your systems.
- Only ever obtain security updates from reliable sources.
- Check effectiveness and “side effects” of security updates before installing them on production systems.
- Establish a plan for distributing security updates on your systems.
- Keep an up-to-date backup at hand, just in case something goes wrong with an update.
- Document all maintenance work undertaken on a system.
Security updates
IT systems are developing at an ever faster pace. Application functionalities keep increasing, and hardware and software life cycles have a tendency to become shorter. Manufacturers therefore try to circulate their latest innovations quickly using updates.
In an SME environment, you might well show a certain degree of restraint in this regard, since not every innovation can be efficiently integrated into your operations. The one firm exception is security updates, which should be installed as soon as possible.
Every complex system has some hidden errors or vulnerabilities. These frequently remain undetected and harmless. Once they have been discovered, though, they pose an increasing risk to your IT security, since this is when a race against time starts.
On the one hand, hackers start to look for ways of exploiting such exposed vulnerabilities for their own ends, and to develop so-called exploits. If they succeed, malicious third parties can, for instance, obtain unauthorised access to your systems and data.
On the other hand, manufacturers begin to fix these vulnerabilities as soon as they can with the help of security updates or patches, so as to forestall any potential exploits or to render any existing exploits harmless.
Patch management
As a basic rule, security updates should therefore be installed comprehensively and as quickly as possible. What is generally easy to handle on a private single-user system, though, can prove tricky in an SME environment. It is therefore necessary to proceed systematically by way of a patch management process.
To install your security updates, the following steps should be followed:
- Identification of any systems affected, and appropriate security updates.
- Obtaining security updates from a trustworthy source, including for systems without their own direct Internet access.
- Preliminary testing of the effectiveness and “side effects” of security updates on non-critical systems.
- System-dependent clearance of security updates and completion of installations outside production periods.
- For critical systems: Planning temporary fallback solutions and scenarios.
- Documentation of all changes made.
Since this is a rolling process, we recommend establishing periodic, fixed time slots for maintaining your systems. This way, you can collect, check and prepare security updates over a certain period of time, but delay their installation until the next time slot for security update installations.
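The clearance step of this process can be written down as a small gate check. The following is an added example, not part of the original guidance: it holds back any update whose checksum differs from the manufacturer's published value, that has not been tested, or that targets a critical system without a fallback plan, and it schedules everything else for the next fixed time slot. The field names, the Saturday 22:00 slot and the sample data are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
# Every name, field and sample value here is constructed for illustration.

@dataclass
class Update:
    system: str              # system the update is intended for
    payload: bytes           # update file as obtained (e.g. via offline transfer)
    vendor_sha256: str       # checksum published by the manufacturer
    tested_ok: bool          # outcome of the test on a non-critical system
    critical: bool = False   # is the target a critical system?
    fallback_plan: str = ""  # temporary fallback, required for critical systems

def blockers(u: Update) -> list:
    """Reasons an update must not be cleared; an empty list means cleared."""
    reasons = []
    if hashlib.sha256(u.payload).hexdigest() != u.vendor_sha256.strip().lower():
        reasons.append("checksum differs from the manufacturer's value")
    if not u.tested_ok:
        reasons.append("not yet tested on a non-critical system")
    if u.critical and not u.fallback_plan.strip():
        reasons.append("critical system without a fallback plan")
    return reasons

def next_slot(now: datetime, weekday: int = 5, hour: int = 22) -> datetime:
    """Next fixed maintenance slot; Saturday 22:00 is an assumed example."""
    slot = (now + timedelta(days=(weekday - now.weekday()) % 7)).replace(
        hour=hour, minute=0, second=0, microsecond=0)
    return slot if slot > now else slot + timedelta(days=7)

def plan(updates: list, now: datetime) -> list:  # one documented decision each
    slot = next_slot(now).isoformat(timespec="minutes")
    record = []
    for u in updates:
        why = blockers(u)
        record.append({"system": u.system, "reasons": why,
                       "decision": "hold" if why else "install",
                       "slot": None if why else slot})
    return record

if __name__ == "__main__":
    good = b"constructed update file"
    digest = hashlib.sha256(good).hexdigest()
    pending = [Update("office-pc-01", good, digest, tested_ok=True),
               Update("erp-server", good, digest, True, critical=True),
               Update("file-server", good + b"!", digest, tested_ok=False)]
    for row in plan(pending, datetime(2024, 3, 6, 9, 0)):
        print(row)
```

The list returned by `plan` doubles as the documentation entry for the maintenance window, since every held update carries the reasons it was not cleared.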