Ask any SysAdmin about the most challenging part of their job, and along with keeping massively complex networks up and running they’ll probably say patch management. However, with businesses increasingly reliant on networks functioning and accessible 24/7/365, a network being taken offline to install and deploy patches means a drop in productivity and money lost, neither of which help the business bottom line. Looked at this way, the tension between a SysAdmin’s two top priorities, keeping the network available and keeping it patched, becomes a major challenge in itself!
So, how can SysAdmins overcome this and strike the fine balance between security and network availability? With cybercrime and attacks against businesses costing on average $3.92 million, it makes sense to lose some uptime and money to protect one’s business. Whilst the discussion surrounding network uptime is an important one, it shouldn’t be the be-all and end-all of a proper patch management strategy. There are several other factors at play, which must be explored and integrated into an effective patch management strategy.
Access to data
For organisations that provide a service to consumers and hold important consumer data (which today, means most of us), GDPR is an ongoing preoccupation. Article 32 of GDPR is concerned with the encryption and pseudonymisation of personal data, but it also discusses the ability of a company to ‘restore availability and access to that personal data in a timely manner in the event of a physical or technical incident’. This can be interpreted, and has been by many, to mean that network uptime is far more important than taking networks down for maintenance. After all, if a network is down and someone demands that their data be removed, or if something goes wrong and a network can’t be spun back up, the company in question is at risk of a fine. This could amount to up to €20 million or 4% of annual global turnover – whichever is greater. This is not a small sum, but in believing that uptime means safety, organisations are playing with fire.
Duty to test
Article 32 also outlines how any company processing data must ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’. This can include the right level of investment in security tools, but it can also be interpreted to mean that an organisation must ensure basic security practices are adhered to. This includes patching on time, which can be considered an ‘appropriate’ measure. This throws a spanner in the works regarding uptime. However, companies cannot forget that GDPR comes with legal obligations and hefty penalty fines for non-adherence. As such, the lesson should be clear: sacrifice constant uptime and take a minor hit to turnover, to ensure the security of your customers and the reputation of your business and protect against financial damage in the future.
Finally, you might want to consider just how important keeping and processing data is to your business. Data protection is a part of daily life, but until recently the collection and use of data has been haphazard. As a result, holding onto data today can be a liability rather than a business asset. However, if personal data is critical to your business, a different attitude towards profit, network uptime, and patch management needs to be cultivated – and needs to be acknowledged and implemented from the top down. After all, under GDPR, board members are now criminally liable for data loss, so it stands to reason that the basics of security must be front-of-mind for them in the same way they are for SysAdmins and IT teams.
SecureData has a long history of consulting on proper security practice, ranging from the basics all the way up to pentesting. The industry your business operates in doesn’t matter, nor does the size or scope of your firm: we can help you work out the security approach that best suits your business and help you to implement it.
If this sounds like something of interest, why not drop us a line, and see how we can help? We look forward to hearing from you!