Patch Tuesday? Or Patch Every Day.


Organizations must maintain a strong foundation as the cybersecurity landscape continues to evolve. Did you know that over twenty years ago Microsoft started implementing Patch Tuesdays? While patches and software updates used to serve as an IT requirement, cyberattacks such as WannaCry elevated them to a security requirement. Software updates and security patches are a critical component of a strong defense against cyber threats. Without properly updating and patching your software, attackers can exploit the unresolved security vulnerabilities. Today it's Patch Tuesday, and tomorrow is Exploit Wednesday.

Why is Patching Important?

Recently, Veritas released a cyber recovery checklist to help guide organizations in creating a cyber recovery plan. One of the foundational requirements of this guide starts with updating software and security patches. This step should be done within the first 30 days of creating the organization’s cyber recovery plan because without the most up-to-date and fully patched software, this can be an invitation to cybercriminals. As Caroline Wong, Chief Strategy Officer of Cobalt.io, states in the book Back to Basics: Focusing on the Fundamentals to Boost Cybersecurity and Resilience, "We must fix security issues. It's not good enough to just focus on finding security issues - the quality of software and data protection does not improve until problems are addressed and eliminated."

Patch Tuesday is quickly followed by Exploit Wednesday for organizations that have yet to make a plan. Threat actors have become highly skilled at acting swiftly. Delaying the implementation of a patch creates an unintentional opening for a cyber threat. With the security vulnerabilities now publicly known from Patch Tuesday, the opportunity to take advantage of unpatched machines is irresistible to a hacker. In April 2024, on Patch Tuesday, Microsoft released fixes for 149 CVEs (common vulnerabilities and exposures). That was one month of patches. Imagine how vulnerable an organization would be if it delayed implementing 149 patches from just one month.

How Can You Stay on Top of Updates and Patches?

The impact of missing Patch Tuesday is insurmountable. Here are my 5 recommendations on how to stay on top of updates and patches.

  1. Tools: Having full visibility of all the applications and software used within the organization is critical to developing a patch release and security update plan. By understanding the full environment, a comprehensive update and patch plan can be developed.
  2. Execute Regularly: Don’t delay or postpone. Patches and updates are released to help strengthen your defenses. Once a plan is established for implementing patches and updates, stick to it.
  3. People: It takes only one person to accidentally expose an organization to cybercriminals. Educating your employees to prioritize software updates not only helps prevent that accident, but it can also secure your organization even more. Add another layer of defense by ensuring you have employees properly trained and skilled in vulnerability management. Train your team to be suspicious of even the slightest anomaly and to take their update notifications seriously.
  4. Processes: Even when things are planned to go right, something can always go wrong. Having a business continuity plan to guard against all kinds of threats and incidents is critical. When developing these processes, make sure to employ zero-trust principles.
  5. Test: Don’t wait for patches to fail across the organization before reviewing your process. Test your plan and make improvements where necessary.

Don’t Delay – Update Today.

Deploying security patches and software updates is imperative for everyone across the organization today. Out-of-date software has several implications, including allowing attackers to exploit unmitigated security vulnerabilities. The consequences of ignoring software and security updates build up over time, and while applying them may seem time consuming in the moment, it is far less time consuming than a cyber-attack. Make a plan today to implement security updates and stick to it.

Don’t Fight Today’s Cybercrime with Yesterday’s Technology.

Listen in to our Veritas L!VE episode to hear more on this topic from myself and Caroline Wong.

Learn what else you can do to defend against cyberattacks and be cyber resilient.

Dr. Joye Purser
Field CISO Veritas