In most companies, at least those who believe in managing security correctly, the rollout of all updates is controlled by the IT team. Only users with administrative access can install security patches, firmware and software updates or service packs. Basic users are also blocked from installing software on company assets. This is good practice and prevents shadow IT (where users can install unapproved and unsupported software). It does annoy users, as they must ask IT to add any applications they feel are necessary to add productivity to their roles. However, it does make sense and aids security, ultimately creating a list of approved software that satisfies all company activities.
Unfortunately, this activity is not enough as, regardless of hardware and software configurations, updates are necessary on at least a weekly basis, whether related to the OS, applications or installed hardware. Some experts recommend prompt installation while others advise performing some research before installation, to make sure the update does not have a negative impact on operations. I advise a combination–it’s better to verify on an offline machine before rolling out the update to all.
What is the ideal way to ensure reliable yet prompt update installation? In a traditional office environment, is it practical to supervise individual installs? Can we rely on all updates or will they cause additional problems?
Unfortunately, there is no single solution, given the plethora of hardware and software configurations available. It’s impossible for manufacturers to test on all possible system configurations not to mention on connected peripherals and other software. Therefore, as security vulnerabilities and other issues are identified by end-users and real-world usage, patches and updates are released. Managing all these updates on a company network is a task that requires prompt action but in a way that ensures business continuity, given that some updates cause problems.
How Important is Update Management?
Ignoring updates is not a good idea as hackers exploit known vulnerabilities, secure in the knowledge that companies are often slow to implement security updates. It’s not enough to focus on OS patches as commonly used applications such as MS Office, Acrobat and many more are all attractive targets, exploited to launch cyber-attacks, ransomware, or simply to harvest data. Therefore, a process is needed to stay on top of all updates.
Are you Prepared for Updates?
A company’s activities are often defined by processes, procedures and compliance requirements. Documentation is key to ensuring a defined strategy for all aspects of the business. Most will have a security policy, cybersecurity strategy, disaster recovery policy and other documents to ensure a defined process is maintained and improved where necessary. Update or patch management is no different. Define your process and follow it. If you haven’t decided how to officially handle updates in your organisation, it’s worth starting. Let’s make a few assumptions first:
- Most companies will have similar (if not identical) desktops and notebooks. In most cases, they will at least be from the same manufacturer if not the same model. It makes sense to do so as discounts are available for volume orders. A mix and match approach to desktops is rarely observed.
- All will have the same OS.
- A complete audit of the network has provided an inventory of all hardware and software on the business network.
- Installations and updates are managed by the IT team, with users unable to perform admin functions on their machines.
- System restore or other rollback function is installed on every machine in case a patch or update requires removal.
If all the above are not true, it complicates matters for the IT team. In my opinion, driver updates for hardware and application updates rarely cause problems and can easily be rolled back on a machine if problems occur. OS patches are another matter and need more careful rollout, given that they will apply to all machines. If flawed, a patch can grind operations to a halt. It’s for this reason, I’d recommend a dedicated machine for testing updates before rolling out updates to the entire network.
Define a Process
Therefore, a potential process could include a review beforehand. Ask some questions. These could include but are not limited to the following:
- Is the update plugging a security vulnerability or just a performance/feature update? Security updates receive priority.
- Have any problems been identified by those who have already installed the update? Google is your friend in this case.
- Who is affected by the update? If everyone, test on standalone machine before rollout.
- Is a network rollout possible or is it necessary to update each individual machine? Most sysadmins perform updates after hours to mimimise downtime.
Of course, there are other issues, especially for software companies or those who use software with a browser-based GUI. Such issues should be identified during online research.
In conclusion, it’s best to act on new updates as soon as possible. Automatic installs are possible but carry some risks. It may be best to avoid automated installs in some cases and follow a manual process based on prior experience with your company systems (most admins will identify a pattern of problematic updates). Regardless of the method used to process updates, ignoring them is not an option, especially when you consider that doing so could allow a data breach or result in network downtime. Can you take that risk?