How to strengthen your patch management processes

Tips for streamlining patch management and increasing customer value

Mark Whiffen, senior product manager, Barracuda MSP

By Mark Whiffen, senior product manager, Barracuda MSP

The migration to cloud-based apps, Software-as-a-Service (SaaS) solutions and other deployment models has made patch management much more complex and challenging. The proliferation of hosted applications means that IT departments have to stay on top of multiple patches from a broad range of vendors, across an increasingly remote user base.

IT departments, faced with more work and staff that is already stretched thin, have turned to MSPs to help keep their software up to date. But, even MSPs often struggle to keep up with deploying patches and ensuring updates have been implemented correctly on every device. With security threats continually emerging and evolving, those potential gaps can create critical vulnerabilities.

A study by the Ponemon Institute found that 57 percent of organizations that reported a data breach also admitted there was a patch available to safeguard against the problem that created the breach in the first place. 

The complexity of protecting against vulnerabilities and breaches isn’t going to improve any time soon, but automation can make patch management easier for MSPs and their customers to implement. For example, remote monitoring and management (RMM) solutions provide the ability to apply patches across an entire organization at once. Tools like Barracuda’s Managed Workplace RMM take that one step further with features like patch scanning that can help identify devices that require additional patches.

By automating the update process and improving visibility into patch-related vulnerabilities, MSPs can fix these problems before they lead to a costly data breach. These automation capabilities can also help streamline the deployment of patches from multiple software vendors across an entire fleet of devices via a single interface.

A holistic approach to patch management

While RMM is essential in addressing patch management challenges, there are other measures MSPs can take that enable them to provide better patching services, and thus better customer protection. MSPs can: 

Create an inventory of customer devices and applications. MSPs need to include the entire fleet of devices in a patch management program (including nodes such as IP surveillance cameras, mobile computers, and other smart devices). Additionally, the whole range of both on-premise and cloud-based applications should be included in the program (along with devices that require regular firmware updates). This will give you a better view of existing vulnerabilities, and help you determine the scope of the patching challenge.

Define a patch frequency schedule. Your service level agreements (SLAs) should include guidelines for how quickly patches will be deployed after they are released based on criticality and device categories. To minimize disruption, time updates to avoid peak business hours. The RMM tool can help make sure that these off-hours updates are completed across all devices.

Make sure subscription and maintenance fees are paid. Many software applications include an annual fee for updates and patches. Make sure clients are billed automatically for these fees and can track when payments are due.

Test patches in advance of deployment. Establish dedicated resources – if the capability is not already built into your RMM tool – to test patches before releasing them. A failed patch can take multiple devices offline and leave your customers vulnerable. In addition to testing, have a plan in place to roll back a bad patch that may have negatively affected the user experience. Using a sandbox environment can help ensure that updates don’t adversely affect mission-critical applications.

Communicate planned downtime ahead of time. Once a patch is ready to be implemented, give your customers a heads up before you complete the update. It’s also vital to educate customers about a subsequent part of the patching process, which entails rebooting equipment. A reboot will necessitate some downtime, but without it the patch won’t be complete and the vulnerabilities won’t be resolved.

Consider software consolidation strategies. Software proliferation has exacerbated the patching challenge. If you can encourage customers to consolidate on a smaller number of vendors, you can reduce both overhead and risk.

Track the patching process. Monitor vendor patch notifications and track when updates are due for release. Provide regular reports to clients to keep them updated on the patches that have been deployed and outline potential risks and exposures. 

Include patch management in your managed services offering. Patch management is a valuable part of protecting your clients’ applications and data. It should be included in the cost of your service contracts.

Patch management is an increasingly critical task when it comes to making sure your clients are protected against cyber threats. MSPs should position themselves to help customers assess the effectiveness of their patch management processes and offer automation tools and services that can relieve the burden of managing this ever-expanding task.

Mark Whiffen is Senior Product Manager for Barracuda MSP, a provider of security and data protection solutions for managed services providers.