Applying patches may be a basic security principle, but that doesn't mean it's always easy to do in practice.
The ways that we patch our organisations' IT may change over time, but patching - in general - has always been good for security. This blog explains why the NCSC repeats the 'patch your boxes' advice so often, whilst acknowledging the challenges that patching often presents.
Why we patch
Vulnerabilities in technology are always being discovered and in response, vendors regularly issue security updates to plug the gaps. Applying these updates - a process commonly known as patching - closes vulnerabilities before attackers can exploit them. Patching can also fix bugs, add new features, increase stability, and improve look and feel (or other aspects of the user experience).
So patching matters for more than just security reasons. It ensures you're getting the most from your IT, and that it's working smoothly with other people and organisations.
For all these reasons, patching remains the single most important thing you can do to secure your technology, and is why applying patches is often described as 'doing the basics'. But although applying patches may be a basic security principle, that doesn't mean it's always easy to do in practice.
Why patching can be hard
There are lots of reasons why your approach to patching can't simply be 'patch all of the things, all of the time'. These include:
Patching takes time, and costs money. It can be repetitive, unrewarding labour (even the NCSC sometimes has to do it by hand), so the people doing it may make mistakes. Ideally, you would want to test the patches before rolling them out fully - which can help uncover any problems they may cause, but which also takes more time, and money.
You can only patch something if you know it exists, and what state it's in now. And it's hard to maintain accurate, up-to-date asset inventories across larger IT estates.
Patching introduces risk. Sometimes a patch breaks something vital, in a way you couldn't reasonably have foreseen. Again, this can be because it's often hard to keep up to date with all the IT equipment you have, and how it works together.
For small companies, a failed patch roll-out is painful. For large organisations, it can cause as much impact as a cyber attack, stop thousands of people from working, and require massive resources to fix.
You might not always be able to patch the equipment you rely on. For instance, equipment that:
doesn't belong to you (so you aren't allowed to patch it)
belongs to you, but someone else is responsible for patching it
is not allowed to be patched (eg some medical equipment)
is old enough that it no longer receives security updates
None of the above are reasons not to patch as much as you can, but they do explain why you need to plan your patching regime carefully.
Making a better patching plan
Your approach to patching will depend on what your organisation does, how you approach security, and how much you have to spend.
Security always involves combining different defences, and often making trade-offs, to try and reduce your overall business risk to acceptable levels.
The NCSC's vulnerability management guidance tells you how to get started with creating a patching strategy that works for your organisation by assessing and prioritising vulnerabilities, and the NCSC has further ideas on how to make patching part of your organisation's 'business-as-usual'.
When patching is hard or impossible, this is where your defence-in-depth tactics come to the fore. You can:
manage your assets well (know what you have and what it's doing, and have ways of finding out when something changes)
have a security monitoring capability, to help with problem detection and cleanup
create and practise incident response/business continuity plans
All this will help you prevent attacks where you can, and detect, respond and clean up where you can't.
What else helps you and your organisation to manage this tricky security problem well? What else would be useful to you, that you don't have now? We'd like to hear your thoughts and experiences - please share them with us by contacting us online, or letting us know on social media.