Patch management can benefit businesses and organizations of all sizes and in all verticals, but it’s not top of mind for every prospect. Your next opportunity to sign a new client may be when something breaks.
Mike Killingbeck, Product Manager with ConnectWise Automate, says many end users aren’t regularly patching their operating systems or third-party software. They pick and choose what to patch, or put it off because they don’t have time, and then call an MSP when their system breaks. Although not the ideal scenario, that situation may set the stage for a conversation about how your business can keep their systems up to date with Patch Management as a Service. “It’s a pretty easy sale once the end customer understands how you can prevent problems from happening again,” Killingbeck says.
Must-Have Patch Management Solution Features
To build an efficient and profitable patch management practice, Killingbeck suggests that the solution you choose include the following features:
Automation — Killingbeck says he’s encountered MSPs who aren’t automating patch management to the fullest extent, and, as a result, have full-time employees dedicated to the task. “The costs of labor are much higher than costs of an automation solution,” he comments, “and you absolutely need a toolset that allows you to be proactive with patching and lessen the administrative burden.”
Automated patch management tools will communicate with vendors — in some cases for both OS and third-party software — to find new patches, eliminating the need to do that research on your own.
These tools will also allow you to establish policies that can apply patches across all of the clients you manage, at times that work best with their schedules. “I follow the 95-5 rule,” Killingbeck says. “95 percent of patches should be managed by a single policy across your entire client base, and 5 percent will be one-offs that you handle manually. There’s no need to do individual policies for every client. It’s redundant.” He points out that it will take time to find commonalities among your customers and to implement the policies, but overall, it results in significant time savings.
Staging — “You never want to push out a newly discovered patch on day one,” Killingbeck stresses. Your Patch Management as a Service offering should include staging that allows you to install patches on systems in your office to test the outcomes. He also suggests first patching systems for a few trusted users before rolling the patches out to your entire client base.
He points out that some patch management solutions don’t include staging options, so in those cases, it’s up to you to build and use test environments. “If staging is native, it’s helpful,” he says. He adds that it’s also tempting to skip this step, especially if you’re dealing with a security patch that corrects a vulnerability that hackers are exploiting, but it’s important to stage every time. “Remember, when you’re providing a service, you’re responsible for the outcome,” he comments.
Third-party patching — Killingbeck says your Patch Management as a Service offering needs to do more than patch at the operating system level. Third-party software may also need to be patched to correct a security vulnerability or a bug that’s affecting performance. Your solution should give your team the same automation capabilities for third-party software as for the OS. A dashboard that your technicians and help desk can use to quickly see the status of a client’s patches is also a helpful feature.
Reporting — Your patch management solution should also give you the ability to provide regular reports on the services your MSP business provided each month. Killingbeck says some systems will allow you to automatically generate and send a report the day after patches are completed. “End users will want to see proof of the value you’re providing,” he comments.
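The staging practice described above (office systems first, then a few trusted users, then the entire client base, never on day one, and never skipped for an exploited vulnerability) can be written as a rollout gate. The following is an added example, not code from the article or from ConnectWise; the ring names, soak periods, CVSS threshold and patch identifiers are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Ring order follows the staging advice; the names are assumptions.
RINGS = ("office_lab", "trusted_users", "all_clients")

# Assumed soak periods in days before each ring may receive a patch.
# Urgent patches move faster, but every ring is still visited in order.
SOAK_DAYS = {"routine": (1, 3, 7), "urgent": (1, 1, 2)}


@dataclass
class Patch:
    patch_id: str            # constructed identifier, not a real KB or CVE
    released: date
    cvss: float              # CVSS v3 base score, 0.0-10.0
    exploited: bool = False  # known exploitation in the wild


def track(patch):
    """Urgent if CVSS v3 severity is High or Critical (>= 7.0) or exploited."""
    return "urgent" if patch.exploited or patch.cvss >= 7.0 else "routine"


def earliest_dates(patch):
    """Earliest date each ring may be patched, assuming earlier rings pass."""
    dates, day = {}, patch.released
    for ring, soak in zip(RINGS, SOAK_DAYS[track(patch)]):
        day += timedelta(days=soak)  # first ring is never release day
        dates[ring] = day
    return dates


def next_ring(patch, today, results):
    """Return the ring to deploy to today, or None to wait or halt.

    results maps ring -> True (clean), False (regression) or None (pending).
    """
    schedule = earliest_dates(patch)
    for ring in RINGS:
        if ring not in results:
            return ring if today >= schedule[ring] else None
        if results[ring] is not True:
            return None  # pending or failed ring blocks everything after it
    return None  # rollout complete
```

A failed or pending ring halts the rollout until a technician intervenes, which keeps the one-off 5 percent of cases manual while the rest follows a single policy.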
Your Success Depends on More Than a Feature-Rich Solution
Although it’s important to choose a patch management solution with the right features, Killingbeck says it isn’t enough. You need to educate yourself about the industry and the security landscape. He says to leverage information such as Microsoft’s Security Update Severity Rating System and CVSS scores from NIST’s National Vulnerability Database. “You need to keep up with trends and understand what’s happening,” he says.
He comments that the log4j vulnerability is raising awareness among end users that a patch is necessary to protect their systems—and clients are calling their MSPs to make sure they have the patch. “Stay informed and provide the information your clients need,” he says. “Better yet, make sure their systems are already patched and send out a report before they have a chance to worry.”
MSPs also need to do their due diligence to understand the relationships between servers, workstations, VM hosts and VM guests, so that patches won’t interfere with productivity. “Things are changing constantly,” Killingbeck comments. “We need to keep up with them.”