Why patching alone isn’t the answer to cybersecurity


“Patch all the things all of the time” is a saying often heard in the world of IT security. While it is true that patching is a critical part of cybersecurity, this saying is far too simplistic. Why?

Patching is not that simple. It requires downtime and planning, because patches can cause critical business functions to stop working. Sometimes the assets that need patching are not known to the IT department, or responsibility for patching them has never been clearly assigned. Often systems or devices are outdated and can no longer be patched at all.

During our security and compliance assessments, we often see things like a solid operating system patching program, but many patches missing from hypervisors, devices, applications, firmware, and so forth.

What do you need to consider to make sure you have an appropriate patching program?

  • Do you have a complete asset inventory of all things that need patching?
  • Is the patching responsibility for all assets clearly defined?
  • Is there a patch plan for each type of system or device?
  • Are there methods of testing patches prior to deployment?
  • Do you have any compensating controls for outdated systems that can’t be patched?

By no means are we saying not to make patching a critical part of your security program. What we are saying is don’t just rely on automatic updates to keep your systems safe.

Tracy Fox
