4 Patch Management Mistakes MSPs Should Avoid

An optimized Patch Management as a Service Offering will minimize disruption to operations as well as keep systems up to date.

Patching has been around for a long time. It’s not the most exciting part of an MSP’s job, and you usually take care of it behind the scenes. However, it can make you a hero by preventing some of the most common types of exploits that hackers use to compromise networks and steal data.

Interestingly, research for a study by SolarWinds and IDC revealed only 27 percent of cybersecurity teams cite patch management as a strategy to defend against cyberthreats. A press release issued by SolarWinds states, “This lack of patch management activities and reduced focus on network endpoints is alarming, as these basic cyberhygiene best practices must be combined with detection to help ensure that the ‘front door’ isn’t left wide open.”

As essential as patch management is, it’s not a perfect science. Some patches require rebooting; others don’t. Some can make third-party applications stop working — and some can cause production to grind to a halt.

Alex Quilter, Sr. Director, Product Management, SolarWinds MSP, says MSPs need to understand the nature of patch management and build processes that minimize the downside. Here are some mistakes managed services providers need to avoid to preserve their clients’ productivity while keeping their systems up to date:

  • Not Aligning Your Schedule with Your Client’s — Quilter says any time an MSP provides a service, you need to set a course that makes the most sense for your client as well as your team. Patching and rebooting need to be scheduled so they don’t interfere with your client’s business operation, which means some will prefer it at night, some during the day, and others at variable times. “You have to find ways to accomplish patching while running your own operations,” he says. “Align activities outside and inside your four walls to optimize for both schedules.”
  • Not Planning for the Worst — It’s risky to discover a patch, immediately install it for your clients, and walk away. You need to research and test patches to determine their potential to cause systems to break. Quilter reminds you to always have a roll-back plan in place in case you encounter unexpected issues and need to restore your client’s system.
  • Falling Behind — You not only have to deal with the unpredictability of how the next patch can impact your clients’ system or applications — but you also can’t predict how many patches you will have to deal with. “There’s an ebb and flow,” says Quilter. “There could be a month when security researchers discover a lot of vulnerabilities, but there could have been nothing the month before. There’s not a consistent level of activity.” While it may be tempting to skip a month in which only a few patches are released, Quilter says to make sure you don’t fall behind. “Smaller delivery has less risk,” he points out. “Regular monthly patching provides the greatest value.”
  • Wearing OS-Patch Blinders — A potentially dangerous mistake is focusing only on OS patches for workstations and servers. Almost everything in the network, including security cameras, routers, switches, and IoT devices, requires firmware updates to address security issues.

Patch Management Pitfalls That Can Impact an MSP’s Bottom Line

Quilter also points out that MSPs can make mistakes when providing patch management services that decrease profitability. To maximize your efficiency:

  • Automate so that the minimum amount of manual work serves the maximum number of customers.
  • Minimize the number of tools you use so you can address OS and third-party patches from one application.
  • Keep patch management tools updated as vendors address changing release policies and other industry trends.

You can also focus sales and marketing efforts for better conversion. Quilter says although you can market this service to any vertical or type of business, it’s smart to focus on prospects in regulated industries, such as merchants that accept credit cards and are regulated by PCI DSS, or healthcare organizations that must meet HIPAA requirements. Prospects that are required to install patches regularly may be looking for help to stay in compliance as well as keep their systems optimized and secure.

The former owner of a software development company, with more than a decade of experience writing for B2B IT solution providers, Mike is co-founder of XaaS Journal and DevPro Journal.