A few years ago, security-conscious business owners asked MSPs, “What do I need to do to stop a data breach from happening to me?” Now the question is, “Do we have this patch?”
Mike Puglia, General Manager of Security Products at Kaseya, says media coverage of data breaches and cyberattacks has introduced “patch” into mainstream vocabulary. “Vulnerabilities in software are publicly disclosed, and those vulnerabilities are the easiest way to compromise an organization,” he explains. “It doesn’t take any extra effort on the part of the hacker. They have to capitalize on the fact that people didn’t patch.”
Puglia points out that every business is challenged to keep up with multiple patches to deal with weekly, and a large percentage doesn’t. For this reason, your Patch Management as a Service offering can be very attractive to many of your clients and prospects, and the need is easy to demonstrate. In addition, tools are available that will allow you to offer a free security assessment by scanning a prospect’s system. “It shows them in a very black-and-white way that patches aren’t up to date – and then they’re interested in your services,” Puglia explains.
Patch Management as a Service Best Practices
To provide top-notch service to clients that entrust patch management to your MSP business, incorporate these best practices into your offering:
1 Build a Foundation with the Basics
Puglia says people often focus on the latest cyberthreat or data breach making headlines, but “consistency and regular updates are a better strategy.” Research by Tetra Defense found that 82 percent of successful attacks begin with exploiting unpatched vulnerabilities, such as the ProxyShell vulnerability in Microsoft Exchange servers and the Log4Shell bug. “Systems that were never updated are sitting out there,” Puglia says. “You can improve security by doing the basics.”
2 Keep a Regular Schedule
Puglia says you should set a consistent time to scan and install patches for each client. For example, you could run weekly scans to find what’s missing in each client’s environment and then create profiles that apply all necessary patches across your client base once a month.
Automation is pivotal to maintaining a regular patching schedule. Puglia suggests using a tool that automatically collects vendor information on current patches. “Without that ability, you’d have to go to each vendor’s website to look for patches according to different release schedules. Without automation, it’s unmanageable,” he says.
3 Establish a Reboot Policy
Some patches require a reboot. “The last thing you want to do is reboot immediately, which can make employees unhappy,” Puglia comments. Instead, discuss the best time to schedule reboots, which for some clients may be during early morning hours, on the weekend, or on a weekday evening. Some businesses may prefer that you use a pop-up window letting the user know they need to reboot but allow them to defer a few times before the system forces the reboot. Puglia stresses that building flexibility into your policies is vital to addressing each client’s needs and production schedule.
4 Maintain Control – Even Over Microsoft Patches
Microsoft no longer gives users the option to install patches. Still, you can defer feature upgrades to test them on a representative system and check them before installing them across your entire client base. Test the effect patches can have on your clients’ systems and deal with any negative repercussions.
5 Patch More than Microsoft OS
Puglia says MSPs often focus on Windows OS patches, but it’s crucial to address macOS and third-party business applications. In addition, MSPs often find that their clients haven’t kept up with patches for the software they use, making their networks vulnerable to cyberattacks.
6 Keep Records
Puglia says MSPs often share reports to show the patches they’ve installed for their clients, but those reports are valuable for additional reasons. “They’re evidence that you’re taking appropriate steps to protect an organization. For example, a lot of companies are taking out cyber insurance. If a business is hacked, an insurance company may say you weren’t taking reasonable steps to protect yourself and not pay out,” he says. In addition, records showing that patches are up to date can help establish that a business is following through with security best practices. Patch management records may also be required to provide compliance with regulations and standards such as HIPAA and PCI DSS.