In the wake of the very recent, and no doubt still stinging, cyber attack I thought I would hit this question head on with some rather frank honesty. When did you last patch your systems?
I have mentioned patching before and this time I'm not pulling any punches. Everyone, and I mean everyone, should know that security patches are something you install every month as part of continuous improvement. Microsoft releases its security updates on the second Tuesday of every month (Patch Tuesday). In my opinion they should be deployed to test systems on that day or within 7 days of it. What happens to the test system if the patches screw it up? Well, you restore from backups. You do have backups, right?
Once the patches are installed, test those servers to make sure that any software on them still functions. If something stops working, roll back the patches and work out which one is causing the issue: reinstall the rest without the suspect patch and confirm the problem goes away. Then either leave the offending patch out, if you are satisfied it is not needed, or fix the application so it works with the patch installed. Bear in mind that leaving a security patch out is a risk decision, not a free pass, so record it and revisit it. The one thing you never do with patching is never patch anything.
As soon as patches are released the information about them is available to attackers. They can literally read through the latest vulnerabilities being patched, and diff the patched binaries against the old ones to locate the fix, then build exploits for systems that have not yet applied it. This is a dangerous time to be sitting on unpatched systems. Google's Project Zero gives vendors, Microsoft included, 90 days to fix any issue it reports. After that it publishes the details to the world, whether or not people feel that is right and even if Microsoft has no patch ready for it yet. Any decent IT service provider would have tested these patches for their clients and rolled them out through their change management processes.
Any company with an internal IT department worth its salaries should have been doing the same each month. Cyber security is not a joke. The losses from data theft, reputational damage and direct financial hits can be staggering even over short periods of time. The company you work for could be out of business within weeks or a few months of a devastating attack.
If you think a single piece of equipment like a firewall, or a single product like antivirus, is going to stop an attack you are living in a dream world. Security has to be a broad strategy with depth: multiple defences on multiple lines, just like a standard battlefield, so that one failure does not hand over the whole estate.
Personally I would expect every system to be patched within 2 weeks of the patches being rolled out to your test systems. That means complete patching of all systems within 2 to 3 weeks of release, and sooner still when a vulnerability is known to be exploited in the wild. Rolling patches straight to production systems is risky, hence the time spent testing them first. Not rolling them out at all should be a P45-generating event.
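To turn that schedule into something you can actually check, here is an added example (my own illustration for this post, not code the post originally contained) that works out the most recent Patch Tuesday and reports, for a list of Windows hosts, whether each one has installed anything since it and whether it is still inside the agreed window. The host names, remote access to them, and the assumption that the newest entry from Get-HotFix reflects the last update applied are all hypothetical.

```powershell
# Added example, not code from the original post: audit a list of Windows hosts
# against the cadence described above (patches to test within 7 days of
# Patch Tuesday, every system within 21 days). The host names, WinRM/DCOM
# access to them, and the assumption that Get-HotFix's InstalledOn reflects
# the newest installed update are all hypothetical.

function Get-PatchTuesday {
    # Returns the most recent second Tuesday of a month on or before $Date.
    param([datetime]$Date = (Get-Date))
    $firstOfMonth  = [datetime]::new($Date.Year, $Date.Month, 1)
    $daysToTuesday = ([int][DayOfWeek]::Tuesday - [int]$firstOfMonth.DayOfWeek + 7) % 7
    $patchTuesday  = $firstOfMonth.AddDays($daysToTuesday + 7)
    if ($patchTuesday -gt $Date.Date) {
        # This month's Patch Tuesday has not happened yet; use last month's.
        return Get-PatchTuesday -Date $firstOfMonth.AddDays(-1)
    }
    return $patchTuesday
}

function Test-PatchCompliance {
    # Emits one object per host: newest hotfix date and a status against the SLA.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$SlaDays = 21,            # 7 for test systems, 21 for production
        [datetime]$AsOf = (Get-Date)
    )
    $patchTuesday     = Get-PatchTuesday -Date $AsOf
    $daysSinceRelease = ($AsOf.Date - $patchTuesday).Days

    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering; not every update type
            # is listed there, so treat this as a first-pass screen, not proof.
            $latest = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1

            if ($latest -and $latest.InstalledOn -ge $patchTuesday) {
                $status = 'Current'
            } elseif ($daysSinceRelease -le $SlaDays) {
                $status = 'Pending (within SLA)'
            } else {
                $status = 'OVERDUE'
            }

            [pscustomobject]@{
                ComputerName     = $computer
                LastHotFixId     = $latest.HotFixID
                LastInstalled    = $latest.InstalledOn
                PatchTuesday     = $patchTuesday
                DaysSinceRelease = $daysSinceRelease
                Status           = $status
            }
        } catch {
            # An unreachable host is a finding too: you cannot patch what you cannot see.
            [pscustomobject]@{
                ComputerName     = $computer
                LastHotFixId     = $null
                LastInstalled    = $null
                PatchTuesday     = $patchTuesday
                DaysSinceRelease = $daysSinceRelease
                Status           = "UNKNOWN ($($_.Exception.Message))"
            }
        }
    }
}

# Usage with hypothetical host names: production window of 21 days, worst first.
Test-PatchCompliance -ComputerName 'srv-app01','srv-db01','srv-file01' -SlaDays 21 |
    Sort-Object Status -Descending |
    Format-Table -AutoSize
```

Run it with -SlaDays 7 against the test estate on the Wednesday after Patch Tuesday and with the default 21 days against production a fortnight later; anything marked OVERDUE or UNKNOWN is the list you take into the change meeting. The script only tells you a host has installed something since the release, not that every applicable update is on it, so pair it with your WSUS, SCCM or vulnerability-scanner reporting rather than replacing them.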
This past weekend will have been a serious wake-up call to many companies and organisations around the world. If anything is to be learned from it, the need for a regular patching schedule should be at the top of your list. I foresee tens of thousands of man-hours of overtime being spent as unprepared departments scramble to patch every neglected system on the net. In IT, as in biological health, prevention is better than cure. You will most likely find it a lot cheaper too.
So when is the best time to patch your systems? The answer is before a major cyber attack, not during or after it. Spend the next few days creating a patching schedule, and patch your systems!