Cyber Essentials: Patch Management

Patch management is about keeping software on computers and network devices up to date and capable of resisting low-level cyber attacks.

Any software is prone to technical vulnerabilities. Once discovered and shared publicly, these can rapidly be exploited by cyber criminals.

Criminal hackers can take advantage of known vulnerabilities in operating systems and third-party applications if they are not properly patched or updated.

Prompt patching is essential for effective cyber security. When a new patch is released, attackers will quickly identify the underlying vulnerability in the application and release malware to exploit it. If a criminal hacker can successfully attack before the target patches the vulnerability, there is a high risk of a data breach.

A recent Ponemon Institute survey highlighted the scale of the problem, revealing that almost 60% of breaches suffered by organisations were because of unpatched vulnerabilities.

The survey also found that organisations that avoided being breached rated their ability to patch vulnerabilities in a timely manner 41% higher than those that had suffered a breach.

The UK government’s Cyber Essentials Scheme provides a set of five controls that organisations can implement to achieve a baseline of cyber security, against which they can achieve certification in order to prove their compliance.

Certification to the scheme provides numerous benefits, including reduced insurance premiums, improved investor and customer confidence, and the ability to tender for business where certification to the scheme is a prerequisite.

New to the Cyber Essentials scheme? Find out more

Patch management is a key requirement of the Cyber Essentials scheme and will help you confirm that devices and software are not vulnerable to known security issues for which fixes are available.

To keep itself protected, your organisation should routinely ensure that software is:

• Licensed and supported;
• Removed from devices when no longer supported; and
• Patched within 14 days of an update being released in cases where the security patch meets one of the following criteria:
• Fixes a vulnerability with a severity the vendor describes as ‘critical’ or ‘high risk’
• Has listed fixes to vulnerabilities with a CVSS v3 score of 7 or higher
• There are no details of the level of vulnerabilities given by the vendor

 Use our patch management policy template to help protect your organisation.

Learn more about firewalls

Learn more about patch management

Learn more about malware protection

Learn more about access control

Learn more about secure configuration