Small and midsize businesses can mitigate security risks with patch management

Although software patch management can be time consuming, it’s a critical and foundational necessity.


New vulnerabilities in popular business software are discovered daily, and patches to fix those vulnerabilities are issued nearly as quickly. But software updates don’t help your business until they’re installed across all relevant endpoints, and no number of tools in your arsenal can protect your organization if security gaps are left wide open. Unpatched software is one of the leading causes of security incidents cited in IDG’s 2021 Security Priorities Study.

However, the issue is challenging for small and midsize businesses (SMBs), which are often constrained by limited budgets, resources and expertise — as well as their need to focus on the day-to-day issues of running an IT infrastructure. In addition, cloud services and remote work scenarios have made it more difficult to gain visibility across assets and react fast and efficiently to security incidents, says Candid Wüest, Vice President of Cyber Protection Research at Acronis.

“Small and midsize businesses often struggle to manage 10 different security solutions in parallel,” Wüest says. This can lead to human errors or IT oversights, which are then exploited by attackers.

Many SMBs are also missing a solid foundation of security hygiene processes.

“Often the basic principles of security — such as strong authentication, patch management, and data protection processes — are not well-implemented, destabilizing any other solution that is put on top,” he says.

Overcoming IT overwhelm

SMBs are often aware that they should do more from a security perspective, but with so much on their plates already, many feel overwhelmed and don’t know where to start.

There’s also the volume of vulnerabilities that are discovered every day. All you have to do is look at the thousands of exploits for January 2022 alone that have been collected in the National Vulnerability Database, and it’s easy to see why it’s difficult to keep up with new patches.

Applying updates also requires more than clicking ‘install.’ Patches have to be reviewed and prioritized before they are applied. They also have to be tested to ensure they won’t create downtime or operational problems for an existing system.

To address these issues, many SMBs are turning to cloud services and help from managed services providers.

“Having a trusted advisor like an MSP can help set security priorities,” Wüest says. “The goal is to have efficient and automated procedures wherever possible to reduce complexity and time spent managing these environments.”

For example, timely patch management is critically important because more than 90% of exploitations occur after the patch for a vulnerability has been released, he says. “The widely exploited vulnerability showed how important it is to patch systems quickly when a new vulnerability is discovered.”

Log4Shell is a vulnerability in the popular Java logging library Log4j. It allows an attacker to run code on a system by getting crafted data written to an application’s logs. This is a concern for businesses of all sizes because the vulnerability affected many different applications and software, including common design, security, API, and integrator programs.

To minimize the impact of these threats, SMBs should develop a vulnerability assessment to detect vulnerable hosts and apply automated patch management to keep exposure time to a minimum, Wüest advises. “This goes back to having visibility and an up-to-date inventory of your infrastructure.”

Additionally, SMBs should be smart about the timing of their patching process, and consider trialing new updates on a smaller scale before environment-wide rollout. “[Patching] may require maintenance windows and some testing for compatibilities, or at least an automated option to roll back to a previous state, should any issue occur,” Wüest says.

Streamline patch management and ensure your business has the security basics in place.



Copyright © 2022 IDG Communications, Inc.