Practically Perfect Patching

June 19, 2021

How do you ensure patches are deployed in a timely fashion to reduce the number of vulnerabilities in your network and software to protect your organisations from ongoing threats?

We see many frameworks recommending a set number of hours or days to implement patches or in some cases see clients request set periods to deploy all patches by a set number of hours or days with no consideration of the usefulness or practicality or even effectiveness of the proposed patch.

Key variables


Some environments are developed so that a lot of the internal network is not exposed to the internet.  In this case the external ring of the network that is exposed to the internet is patched more aggressively than the internal environment.

Assessing your Unique Risk

Deploy patches using a risk-based approach.

As a business agree what an impact is and group them into bands.

Accessible Resources

Automatically update patches that do not require a reboot or service restart (this can be setup by your IT specialist).

Have the right skills sets in your team and agree how and when patches will be deployed based on your risk model.

Key considerations

Actual impact the business if the vulnerability is exploited
  • Consider the impact to your business if the vulnerability was exploited.  Would it take out your services?  Would it expose confidential data?  
  • What is the impact of the vulnerability the patch addresses in exploited?
  • If your business manages photos of cats in a database a patch marked by a global software company as Critical or Extreme would not be critical to you as your information is not of value.
Likelihood of a threats actor to successfully exploit the vulnerability the patch addresses
  • Consider the likelihood of the threat event occurring.  
  • What is the likelihood based on the structure of the environment and the resources required and the targets of the threats actors to successfully exploit the vulnerability the patch addresses.
  • Using industry scores can give you threat intelligence companies views of how brilliant the potential attack will be.
Patching Debt

Every time you delay a patch for business reasons it will be in the queue for later on.  Do you have the staff to do this, what will be the priority when they begin implanting these patches?

Learn More About InfoSecAssure

Learn more about how InfoSecAssure can help you achieve great information security outcomes so you can get on with what you do best.

Secure your business.
Today is the day to build the business of your dreams. Let us help you secure your assets without blowing your budget — and focus on the things that count!