And Why Executives Should Care…
Threats to network security seem to get announced weekly. Global ransomware attacks like WannaCry cause havoc around the world and billions of dollars in losses. Businesses are actually shuttering due to network attacks that disable, and even delete, critical data and infect supporting IT Systems. These threats are said to be the fault of bad actors who want to destroy our businesses or extort money from us. The reality is a little more complex, and some of the threat can come of third-party software patching practices.
Often a simple lack of software hygiene and proper vulnerability patch management can pose a significant, and preventable, threat to cybersecurity. Nearly every major attack we’ve seen has exploited known vulnerabilities that had patches available to close them. While thousands of companies suffered, the impacts of the attacks were avoided by those who were serious about closing vulnerabilities through software patching.
While many companies are somewhat effective at patching core Operating System (OS) software, they are far less disciplined at keeping third-party software current. Third-party software is software that works with an operating system, but is written by professionals not associated with the operating system maker. Software such as the Adobe Suite, Java, and even iTunes and the Firefox browser, require consistent patch hygiene. Mid-sized and large enterprises can have literally tens of thousands of instances and hundreds of software variants in their organizations. Even small companies have a variety of software being leveraged in daily operations. Every single piece of software, if left unpatched, is a door to attacking a system.
Keeping software secure from vulnerabilities through patching can be complex and time consuming. It often involves after-hours work and system downtime. It takes planning and post-deployment testing. With that said, we cannot forget that including third-party patches in the software patching process is critical.
Patching is the single most impactful defensive action we can take. In order for patching to be effective as a defense, it has to be as close to 100% complete as possible. It only takes one unpatched system to be a launch point for a cascading attack…don’t be the next victim.
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.