Software patch
management plan:
Best practices
and considerations

Author: Mark Stone

Patching potentially-vulnerable software isn't the most exciting cyber security topic, but it's more complex than it sounds. Applying software patch management best practices is more critical today than ever before.

In 2020, over 18,000 publicly disclosed vulnerabilities were reported—the most in any year on record. The Verizon 2021 Data Breach Investigations Report goes into further detail about the types of breaches companies face and how the human element as well as unpatched systems and software can play a significant role in many breaches.

With reported vulnerabilities this high, adopting software patch management best practices is critical for any organization. However, patching must be carried out carefully and intelligently.

What is patch management?

Patch management is simple at its core; it's about making sure all your software and hardware is up to date with the most recent and secure versions installed. It encompasses a wide range of software, including browsers, applications, operating systems, desktops, laptops and even IoT devices.

Why are software patch management best practices critical?

With so many patches to manage, a pro-active patch management strategy can ultimately improve the utilization of scarce IT resources: it takes fewer people less time and energy to proactively patch than it does to be in a constant state of "all hands on deck" when a vulnerability is exploited.  With a proactive approach built on best practices, your company's cyber security posture can improve and your team could have more time for other value-added activities.

A robust software patch management plan provides numerous organizational benefits. Three of these benefits stand out:

1. Keeping hackers at bay

It's easier for hackers to target the known vulnerabilities. When those are patched, your IT environment could be safer. Many hackers will move on to easier targets.

2. Reducing downtime

A breach or attack can be devastating to your business and require significant time and resources to remediate. But a patch management plan could help guard against such attacks.

3. Increasing compliance

Depending on your industry, you may be required to maintain regulatory compliance or industry standards, and unpatched systems could result in penalties, fines and reputational damage.

What does a patch management plan look like?

A good software patch management strategy should leverage as much automation as possible; robust endpoint management software is recommended. As a general rule, patches should be applied as soon as possible. Each organization will likely have a different patch management strategy, but there are seven steps typically found in a solid strategy:

  1. Monitor: Keep up to date on all available vendor patches.
  2. Assess: Scan all of your endpoints to determine which require priority patching.
  3. Download: Get the patches from your vendor.
  4. Test in a test environment: Before putting them into production, always test in a staging environment to avoid potential issues.
  5. Deploy: Apply patches to production systems, preferably automatically and on a schedule, to minimize business impact.
  6. Test in a production environment: Make sure the software (or hardware) works as expected with no surprises.
  7. Report: Document the process wherever possible. As with anything in security, you can't manage what you don't measure.

Patch management best practices

Here are a few more best practices:

Switch to a unified console

A software patch management solution can be orchestrated with one console for optimal visibility into your endpoints.

Categorize patches

IT or security teams should regularly review patches and assess their severity and risk level so those with higher risks are prioritized.

Practice regular patch process standardization

Policies should be established to standardize your process to address specific types of endpoints (desktops, laptops, servers, smartphones). An endpoint management solution can do a lot of the work for you.

Consider managed services partners

A managed services partner can help to prioritize patching against critical vulnerabilities.

Work with Verizon's managed professional services to identify your vulnerabilities and design a cyber security strategy to address them.