Cyber Essentials: Patch Management

Patch management

Patch management is about keeping software on computers and network devices up to date and capable of resisting low-level cyber attacks.

Any software is prone to technical vulnerabilities. Once discovered and shared publicly, these can rapidly be exploited by cyber criminals. 

Criminal hackers can take advantage of known vulnerabilities in operating systems and third-party applications if they are not properly patched or updated.

Why is patching important?

Prompt patching is essential for effective cyber security. When a new patch is released, attackers will quickly identify the underlying vulnerability in the application and release malware to exploit it. If a criminal hacker can successfully attack before the target patches the vulnerability, there is a high risk of a data breach.

A recent Ponemon Institute survey highlighted the scale of the problem, revealing that almost 60% of breaches suffered by organisations were because of unpatched vulnerabilities.

The survey also found that organisations that avoided being breached rated their ability to patch vulnerabilities in a timely manner 41% higher than those that had suffered a breach.

How to protect yourself

The UK government’s Cyber Essentials Scheme provides a set of five controls that organisations can implement to achieve a baseline of cyber security, against which they can achieve certification in order to prove their compliance.

Certification to the scheme provides numerous benefits, including reduced insurance premiums, improved investor and customer confidence, and the ability to tender for business where certification to the scheme is a prerequisite.

New to the Cyber Essentials scheme? Find out more

Patch management is a key requirement of the Cyber Essentials scheme and will help you confirm that devices and software are not vulnerable to known security issues for which fixes are available.

To keep itself protected, your organisation should routinely ensure that software is:

  • Licensed and supported;
  • Removed from devices when no longer supported; and
  • Patched within 14 days of an update being released in cases where the security patch meets one of the following criteria:
  • Fixes a vulnerability with a severity the vendor describes as ‘critical’ or ‘high risk’
  • Has listed fixes to vulnerabilities with a CVSS v3 score of 7 or higher
  • There are no details of the level of vulnerabilities given by the vendor

Use our patch management policy template to help protect your organisation.

The five Cyber Essentials controls

Patch management

 Learn more about patch management

Malware protection

Learn more about malware protection

Access control

Learn more about access control 

Secure configuration

Learn more about secure configuration

Secure your organisation with Cyber Essentials

With IT Governance, you can complete the entire certification process quickly and easily using our online portal for as little as £300.

Find out more

PROTECT YOUR
BUSINESS
THIS WINTER