
The pandemic drove a mass migration to remote work. In addition to company-issued devices, your clients’ employees began using their personal laptops, PCs and other devices to connect to the business’s network, creating potential security risks. Beyond concerns that users may not have adequate antivirus or firewalls, AJ Singh, VP of Product for NinjaRMM, points out that these devices also require patch management to protect a business’s data and systems.
“Employees’ personal machines that might be used to access the corporate network often go unpatched,” he says.
So, while managed services providers (MSPs) and value-added resellers (VARs) were helping their clients transition to a work-from-home model, securing those newly dispersed networks required that every device connected to the network be up to date with patching.
To answer some of the questions that MSPs and VARs have about patch management, Singh shares his insights about delivering this service most effectively in today’s climate of remote work – or at any time when demand is high.
What are the most common mistakes that MSPs and VARs make with patch management?
Singh: Many common mistakes MSPs make with patch management come from a breakdown of processes or simple oversight. For example, MSPs shouldn’t rely on vendors to issue auto-updates, and they should make sure their patching schedule isn’t spaced so that devices stay unpatched for any amount of time.
Other common issues result from improper staging before pushing patches to production environments or MSPs lacking the right patching tool for third-party software a client uses. Finally, we also see instances when patch management hasn’t been set up.
How can MSPs and VARs correct those problems?
Singh: First and foremost, MSPs must use a robust patch management tool to help automate the patching process. Many remote monitoring and management (RMM) solutions can effectively automate patching while also being able to control a machine to reboot or install other updates remotely. Patching tools like RMMs can also handle third-party patching. This removes end-user errors and ensures that some auto-updates from vendors won’t break line-of-business applications. This often occurs with Java updates, for example.
Additionally, MSPs should increase the frequency of patches to ensure no device goes unpatched. They should also test patches before pushing them to production and ensure all devices connected to a corporate network are properly patched before use.
With more people working from more locations on more devices, is it challenging to train technicians to handle the workload?
Singh: Every technician comes with a different skill level and has their own understanding of how patching works. Not everyone is aware of the best practices that need to be adhered to when managing a corporate environment. It’s best to train them on the tool the MSP uses so that they are aligned with the tool’s functionality and aware of any caveats or hiccups with any particular customer environment. For example, the MSP might not be patching Organization X with the latest Java updates as it might break specific line-of-business applications.
Other hurdles to training could be that some technicians have their way of doing things and are unwilling to be trained on new methods. Training, in general, can be a challenge for MSPs, especially smaller MSPs, because it constitutes non-billable time, which doesn’t bring in revenue. Additionally, coordinating training can be difficult due to hectic schedules among technicians that often don’t match.
Have there been advances in technology that make patch management easier?
Singh: Vendors like Microsoft and Apple have gotten better over the years in terms of patch stability. This, paired with RMMs based upon newer technology stacks, has been pretty effective in doing a great job at patching. Additionally, with patch compliance reporting, often built within most RMM platforms, MSPs can offer excellent visibility into patch compliance across the customer network.
Close Gaps
Although your customers saw few viable options for allowing their employees to work from home when the pandemic forced offices to shut down, that didn’t mean hackers would take a break from cyberattacks. In fact, it was quite the opposite. Cyberattacks increased by 400 percent in the early months of the pandemic, often attempting to exploit unpatched vulnerabilities. However, you can help your clients keep their networks and data secure. “You should work closely with the business owner and devise an arrangement to take employees’ devices under management and patch them,” says Singh.