A few years ago, the question security-conscious business owners asked MSPs was “What do I need to do to stop a data breach from happening to me?” Now the question is “Do we have this patch?”
Mike Puglia, Chief Product Officer at Kaseya, says media coverage of data breaches and cyberattacks has introduced “patch” into mainstream vocabulary. “Vulnerabilities in software are publicly disclosed, and those vulnerabilities are the easiest way to compromise an organization,” he explains. “It doesn’t take any extra effort on the part of the hacker. They just have to capitalize on the fact that people didn’t patch.”
Puglia points out that with multiple patches to deal with weekly, every business is challenged to keep up, and a large percentage don’t. For this reason, your Patch Management as a Service offering can be very attractive to many of your clients and prospects, and the need is easy to demonstrate. Tools are available that will allow you to offer a free security assessment by scanning a prospect’s systems. “It shows them in a very black-and-white way that patches aren’t up to date — and then they’re interested in your services,” Puglia explains.
Patch Management as a Service Best Practices
To provide top-notch service to clients that entrust patch management to your MSP business, incorporate these best practices into your offering:
1 Build a Foundation with the Basics
Puglia says people often focus on the latest cyberthreat or data breach making headlines, but “consistency and regular updates are a better strategy.” He cites research from the 2016 Verizon Data Breach Investigations Report that found that 85 percent of data breaches could be traced back to just 10 patches, some of which had been issued years before. “There are systems sitting out there that were never updated,” he says. “You can improve security by doing the basics.”
2 Keep a Regular Schedule
Puglia says you should set a consistent time to scan and install patches for each client. For example, you could run weekly scans to find what’s missing in each client’s environment and then create profiles that apply all necessary patches across your client base once a month.
Automation is pivotal to maintaining a regular patching schedule. Puglia suggests using a tool that automatically collects information from vendors on current patches. “Without that ability, you’d have to go to each vendor’s website to look for patches according to different release schedules. Without automation, it’s unmanageable,” he says.
3 Establish a Reboot Policy
Some patches require a reboot. “The last thing you want to do is reboot immediately, which can make employees very unhappy,” Puglia comments. Discuss the best time to schedule reboots, which for some clients may be during early morning hours, on the weekend, or on a weekday evening. Some businesses may prefer that you use a pop-up window letting the user know they need to reboot but to allow them to defer a few times before the system forces the reboot. Puglia stresses that it’s vital to build flexibility into your policies to address each client’s needs and production schedule.
4 Maintain Control — Even Over Microsoft Patches
Microsoft no longer gives users a choice about whether patches are installed, but you can defer feature upgrades so you have the chance to test them on a representative system and check them before installing them across your entire client base. Make sure you test the effect patches can have on your clients’ systems and deal with any negative repercussions before they reach production.
5 Patch More than Microsoft OS
Puglia says MSPs often focus on Windows OS patches, but it’s crucial to address macOS and third-party business applications. MSPs often find that their clients haven’t kept up with patches for the software they use, making their networks vulnerable to cyberattack.
6 Keep Records
Puglia says MSPs often share reports to show the patches they’ve installed for their clients, but those reports are valuable for additional reasons. “They’re evidence that you’re taking appropriate steps to protect an organization. A lot of companies are taking out cyber insurance. If a business is hacked, an insurance company may say you weren’t taking reasonable steps to protect yourself and not pay out,” he says. Records showing that patches are up to date can help establish that a business is following through with security best practices. Patch management records may also be required to demonstrate compliance with regulations and standards such as HIPAA and PCI DSS.
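To make the weekly-scan / monthly-apply rhythm from practice 2 and the record-keeping from practice 6 concrete, here is an added example (not code from Kaseya or from this article) that turns a scan inventory into a per-client compliance record. The client names, host names, patch identifiers and dates are constructed for illustration, and the 30-day grace window is an assumed policy value matching a monthly patch cycle.

```python
from datetime import date

# Constructed sample inventory: what a weekly scan might return for two clients.
# Each row: client, host, patch id (hypothetical), vendor, release date, whether
# the patch is installed, and whether the host still has a reboot pending.
SCAN = [
    {"client": "acme", "host": "acme-fs01", "patch": "KB-EXAMPLE-001", "vendor": "Microsoft",
     "released": date(2024, 3, 12), "installed": True, "reboot_pending": True},
    {"client": "acme", "host": "acme-ws07", "patch": "KB-EXAMPLE-001", "vendor": "Microsoft",
     "released": date(2024, 3, 12), "installed": False, "reboot_pending": False},
    {"client": "acme", "host": "acme-ws07", "patch": "reader-2024.02", "vendor": "Adobe",
     "released": date(2024, 2, 13), "installed": False, "reboot_pending": False},
    {"client": "bravo", "host": "bravo-mac02", "patch": "macos-14.4", "vendor": "Apple",
     "released": date(2024, 3, 7), "installed": True, "reboot_pending": False},
    # Released inside the grace window: not installed yet, but not overdue either.
    {"client": "bravo", "host": "bravo-mac02", "patch": "chrome-123", "vendor": "Google",
     "released": date(2024, 4, 2), "installed": False, "reboot_pending": False},
]
REPORT_DATE = date(2024, 4, 15)  # constructed "today" for the report

def missing_patches(scan, today, grace_days=30):
    """(client, host, patch, vendor, days_overdue) for each uninstalled patch released
    more than grace_days before today. Newer patches are still waiting for the next
    monthly profile run and are not counted as overdue."""
    out = []
    for row in scan:
        if row["installed"]:
            continue
        age = (today - row["released"]).days
        if age > grace_days:
            out.append((row["client"], row["host"], row["patch"], row["vendor"], age - grace_days))
    return out

def client_summary(scan, today, grace_days=30):
    """Per-client record for the monthly evidence report: host count, hosts with
    overdue patches, hosts awaiting a reboot, and which vendors the overdue patches came from."""
    summary = {}
    for row in scan:
        s = summary.setdefault(row["client"], {"hosts": set(), "overdue_hosts": set(),
                                               "reboot_pending": set(), "vendors_overdue": set()})
        s["hosts"].add(row["host"])
        if row["reboot_pending"]:
            s["reboot_pending"].add(row["host"])
    for client, host, _patch, vendor, _days in missing_patches(scan, today, grace_days):
        summary[client]["overdue_hosts"].add(host)
        summary[client]["vendors_overdue"].add(vendor)
    return {c: {"hosts": len(s["hosts"]), "overdue_hosts": sorted(s["overdue_hosts"]),
                "reboot_pending": sorted(s["reboot_pending"]),
                "vendors_overdue": sorted(s["vendors_overdue"])} for c, s in summary.items()}

if __name__ == "__main__":
    for client, record in client_summary(SCAN, REPORT_DATE).items():
        print(client, record)
```

Run weekly against real scan output, the summary gives you the list of hosts to put into the next profile run, and archived copies of it form the dated record an insurer or auditor asks for.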