Effective Patch Management in a Remote and Hybrid Work Environment

Remote work means more devices connected to the network — and potentially more unpatched vulnerabilities.

Patch Management

Since 2020, many companies redefined how their employees work, changing perceptions of a typical “workday”. Buffer research found that 98 percent of people would like to work remotely at least part of the time. While many companies plan to accommodate employees’ preferences, remote work also means that managed services providers (MSPs) and value-added resellers (VARs) must expand their services to protect applications and systems wherever clients use them.

AJ Singh, VP of Product for NinjaRMM, points out, “Employees’ personal machines that might be used to access the corporate network often go unpatched.”

To answer some of the questions that MSPs and VARs have about patch management, Singh shares his insights about delivering this service most effectively in today’s climate of remote work.

What are the most common mistakes MSPs and VARs make with patch management?

Singh: Many common mistakes MSPs make with patch management come from a breakdown of processes or simple oversight. For example, MSPs shouldn’t rely on vendors to issue auto-updates, and they should ensure their patching schedule isn’t spaced so that devices stay unpatched for any time.

Other common issues result from improper staging before pushing patches to production environments or MSPs lacking the right patching tool for third-party software a client uses. Finally, we also see instances when patch management hasn’t been set up.

How can MSPs and VARs correct those problems?

Singh: First and foremost, MSPs must use a robust patch management tool to help automate patching. Many remote monitoring and management (RMM) solutions can effectively automate patching while also being able to control a machine to reboot or install other updates remotely. Patching tools like RMMs can also handle third-party patching. This removes end-user errors and ensures that some vendor auto-updates won’t break line-of-business applications. This often occurs with Java updates, for example.

Additionally, MSPs should increase the frequency of patches to ensure no device goes unpatched. They should also test patches before pushing them to production and ensure all devices connected to a corporate network are patched adequately before use.

With more people working from more locations on more devices, is it challenging to train technicians to handle the workload?

Singh: Every technician comes with a different skill level and has their own understanding of how patching works. Not everyone knows the best practices that must be adhered to when managing a corporate environment. It’s best to train them on the tool the MSP uses so that they are aligned with the tool’s functionality and aware of any caveats or hiccups with any particular customer environment. For example, the MSP might not be patching Organization X with the latest Java updates as it might break specific line-of-business applications.

Other hurdles to training could be that some technicians have their own way of doing things and are unwilling to be trained on new methods. Training, in general, can be a challenge for MSPs, especially smaller MSPs, because it constitutes non-billable times, which doesn’t bring in revenue. Additionally, coordinating training can be difficult due to hectic schedules among technicians that often don’t match.

Have there been advances in technology that make patch management easier?

Singh: Vendors like Microsoft and Apple have gotten better over the years in terms of patch stability. This, paired with RMMs based upon newer technology stacks, has been pretty effective in doing a great job at patching. Additionally, with patch compliance reporting, often built within most RMM platforms, MSPs can offer excellent visibility into patch compliance across the customer network.

Close Gaps

Threat actors took advantage of the fact that vulnerabilities in employees’ personal systems and devices weren’t current. Attacks increased by 400 percent in the early months of the pandemic. However, you can ensure companies that permanently adopt a remote or hybrid work model can keep their networks and data secure. “You should work closely with the business owner and devise an arrangement to take employees’ devices under management and patch them,” says Singh.