Patch Management Got a Whole Lot More Complicated Recently. Here’s What to Do.

Remote work meant more devices connected to the network — and potentially more unpatched vulnerabilities.

The pandemic drove a mass migration to remote work. In addition to company-issued devices, your clients’ employees began using their personal laptops, PCs and other devices to connect to the business’s network, creating potential security risks. Beyond concerns that users may not have adequate antivirus or firewalls, AJ Singh, VP of Product for NinjaRMM, points out that these devices also require patch management to protect a business’s data and systems.

“In the new world of COVID-19, employees’ personal machines that might be used to access the corporate network often go unpatched,” he says.

So, while managed services providers (MSPs) and value-added resellers (VARs) were helping their clients transition to a work-from-home model, securing those newly dispersed networks required that any device connected to the network was up to date with patching.

To provide answers to some of the questions that MSPs and VARs have about patch management, Singh shares his insights about delivering this service most effectively in today’s climate of remote work—or at any time when demand is high.

What are the most common mistakes that MSPs and VARs make with patch management?

Singh: Many of the common mistakes MSPs make with patch management come from a breakdown of process or simple oversight. For example, MSPs shouldn’t rely on vendors to issue auto-updates, and they should make sure their patching schedule isn’t spaced so that devices stay unpatched for any amount of time.

Other common issues are a result of improper staging before pushing patches to production environments or MSPs lacking the right patching tool for third-party software used by a client. Of course, we also see instances when patch management simply hasn’t been set up.

How can MSPs and VARs correct those problems?

Singh: First and foremost, MSPs need to use a robust patch management tool to help automate the patching process. Many remote monitoring and management (RMM) solutions can effectively automate patching while also being able to remotely control a machine to reboot or install other updates. Patching tools like RMMs can also handle third-party patching. This takes end-user error out of the equation and ensures that some auto-updates from vendors won’t break line-of-business applications. This often occurs with Java updates, for example.

Additionally, MSPs should increase the frequency of patches to ensure no device goes unpatched. They should also test patches before pushing them to production and make sure all devices that connect to a corporate network are properly patched prior to use.

With more people working from more locations on more devices, is it a challenge to train technicians to handle the workload?

Singh: Every technician comes with a different skill level, and consequently has their own level of understanding of how patching works. Not everyone is aware of the best practices that need to be adhered to when managing a corporate environment. It’s best to train them on the tool the MSP uses so that they are aligned with the tool’s functionality and also are aware of any caveats or hiccups with any particular customer environments. For example, the MSP might not be patching Organization X with the latest Java updates as it might break certain line-of-business applications.

Other hurdles to training could be that some technicians have their own way of doing things and are unwilling to be trained on new methods. Training, in general, can be a challenge for MSPs, especially smaller MSPs, because it constitutes non-billable time, which doesn’t bring in revenue. Additionally, coordinating training can be difficult due to hectic schedules among technicians that often don’t match.

Have there been advances in technology that make patch management easier?

Singh: Vendors like Microsoft and Apple have gotten better over the years in terms of patch stability. This, paired with RMMs based upon newer technology stacks, has been pretty effective in doing a great job at patching. With patch compliance reporting, which is often built within most RMM platforms, MSPs can offer great visibility into patch compliance across the customer network.

Close Gaps

Although your customers saw few viable alternatives to letting their employees work from home when the pandemic forced offices to shut down, that didn’t mean hackers would take a break from cyberattacks. In fact, it was quite the opposite: attacks increased by 400 percent in the early months of the pandemic, often attempting to exploit unpatched vulnerabilities. You have the ability to help your clients keep their networks and data secure. “You should work closely with the business owner and come up with an arrangement to also take employees’ devices under management and patch them,” says Singh.