All customers that take advantage of our IT Monitoring and Management Service have their desktop and laptop computers automatically enrolled in our Patch Management Service. This service locates software patches from a number of vendors and then downloads and installs them across your computer network.
What is a patch?
Most software publishers actively look for faults with their software and – if they find a fault – will then issue a fix. The fixes are often released as software patches and will typically fix faults in their software, or as is increasingly common, to close a security vulnerability. Some patches are considered to have varying levels of importance, ranging from “Critical” to “Low” priority. As the frequency with which security vulnerabilities are found continues to rise, it’s important you have a policy in place to deal with these patches.
How are patches installed?
There is only really one efficient way to install patches – and that is automatically. It would be an extraordinary waste of time to visit each computer, figure out what patches you need, and then find and install them. Automated patch installation is the best way to handle this process.
How does this work in practice?
Our IT Monitoring and Management Service includes a patch management tool which will run a vulnerability scan every two days. If you need a patch installed, our system will detect it and “Moderate”, “Important” or “Critical” patches are slated for automatic installation later the same day. Patches in the “Low” or “Other” categories are ignored.
- Desktop computers run a vulnerability scan every day but will install these patches on a Monday, Wednesday and Friday at around 4PM.
- Laptop computers run a vulnerability scan every day but will install these patches on a Tuesday, Thursday and Saturday at around 4PM.
- If the target computer is not on at the specified time, the vulnerability scan will run the next time the computer is switched on.
Some patches require you to reboot the computer. We could do that automatically but this is typically inconvenient and so we simply urge customers to properly shut down their computers at the end of each day. In this way, patches that need a reboot are applied when the computer starts up. Where customers have to keep their computers on overnight we recommend they are rebooted at least weekly.
From time to time we do find that some patches do not properly install. To mitigate this, our system is set to retry installation a couple of times. If after the second attempt at installation the patch fails, we are sent an alert and may contact you to investigate the reason for this failure.
What are the disadvantages of this service?
Once in a while a patch that is installed can cause undesired results. The patch could be faulty, or could cause a different issue with an unpatched piece of software. This is a problem we’re unable to mitigate easily and fixing these issue forms part of day to day business support. These situations are rare, but the dangers of unpatched software far outweigh the occasional fault and you shouldn’t opt out of patch management at your site.
What else should I know about this service?
Patch management is now considered a “must have” solution and will keep your system safe from many common vulnerabilities. In addition to patches for Microsoft software such as Windows and Office, our patch management will hunt down and install patches for a number of other vendors including Adobe, Apple, Google, Mozilla, Oracle, and more. Patch management, however, is NOT a replacement for antivirus or firewall software and is just one component of the computer security landscape.