As a trusted cybersecurity service provider, we regularly advise public safety customers about the importance of patching mission-critical systems, as well as IT networks, and how this can prevent and mitigate damage from cyber attacks. As one of the themes of 2022 Cybersecurity Awareness Month, it’s an excellent time to revisit why regular system upgrades and software patching should be a standard component of your cybersecurity program.
Although it’s a foundational element of cyber resilience, many organizations continue to avoid patching for various reasons. In a previous blog, “Why Organizations Second-Guess When It Comes To Patching”, a good analogy for security patching was described as working out on a regular basis. Workouts can be time consuming, and there are often more urgent matters that require our attention. As a result, it’s easy to find excuses to skip them, which can lead to issues that may impact our long-term health. The same premise applies to patching and cybersecurity.
Evolving Cybersecurity Environment and Risks
The threat landscape has become more dangerous and complex, with threat actors seeking to exploit zero-day vulnerabilities in public safety networks. If successful, these cyber attacks can disrupt or take down mission-critical communications, resulting in loss of life or property, injuries and financial costs associated with cyber insurance premiums and the costs of remediation. This reality is reflected in the new cybersecurity policies for federal agencies issued by the Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA). Software patching is one of the most effective measures you can take to protect your mission-critical system. With so much attention in the media and in the security industry on data breaches and ransomware, though, why aren’t organizations patching?
Patching Avoidance
A cybersecurity study by the Ponemon Institute estimated that nearly 60 percent of companies don’t patch their systems on a regular basis. Alarmingly, this trend also holds true in public safety. According to the 2022 Motorola Solutions Law Enforcement Survey, fewer than half of respondents’ agencies deploy cybersecurity services such as security monitoring and patching.
The most common reason for not patching is the perceived risk that the recommended software patch could break something that is vital to communications. In this case, the solution becomes a problem which cannot be predicted before deployment. Other reasons agencies avoid patching include the time it takes to install them, incomplete or missing software and device inventories, the sheer volume of applications to update and the lack of IT resources to maintain update schedules. Avoiding patching can leave organizations open to significant risks, however.
Challenges of Patching
As noted in our previous blog on patching, even a small amount of downtime to patch systems is not an option for some organizations. This is especially true when dealing with mission-critical systems, such as those in public safety, or life-saving systems like those in healthcare.
Patch updates can cause unintentional or secondary issues with applications and operating systems, which gets back to the comment we made earlier about risk. Whether it’s true or not, the IT operations team can report that systems “run slower” after patches have been installed and systems rebooted. The data is fairly mixed in supporting these claims, yet as anyone who has worked in IT knows, user perception can be reality.
Best Practices for Patching
As CISA and other cybersecurity authorities routinely warn, software updates via patches are critical to address known problems or vulnerabilities that are frequently exploited by malicious cyber actors. To streamline the patching process, public safety agencies need to first inventory the software and devices being used across their network and document if and when they were patched, and version number of the last patch applied. Second, they need to track all updates going forward and understand when and how often vendors typically issue patches. Lastly, before deploying a patch, it’s critical to test it in a lab environment, particularly if it’s for a mission-critical system that can’t have downtime. This pre-deployment testing allows for identification of any impacts to other interconnected systems and provides time for corrective actions before going live.
Key Benefits of Patching
As part of an overall cybersecurity program, proactive patching provides public safety agencies with numerous benefits. In addition to an improved security posture, cyber resiliency and risk mitigation, additional key benefits include:
- Peace of mind: By reducing the potential impact of cyber attacks that exploit network vulnerabilities, system administrators and IT support personnel have less to worry about and can focus on improving mission-critical operations and response times.
- Cybersecurity standards compliance as recommended by CISA: Patch management processes and systems can minimize the amount of downtime that may be required for unpatched devices discovered across the network.
- Reduced cybersecurity insurance premiums: Patch management systems can help you meet compliance requirements by ensuring that all devices are running the latest software.
A new CISA report, Cyber Risks to Land Mobile Radio, also recommends enabling automatic updates whenever possible, on a regular cadence. In addition, the report recommends developing an internal test environment, if it’s feasible, in which the latest operating systems, applications, updates and patches can be tested before installing them on a live system. Since this is out of reach for many agencies, Motorola Solutions offers pre-tested patches for mission-critical systems through our Security Patching Services.
Summary
There are many ways cybercriminals can infiltrate and compromise mission-critical systems, including phishing, malware, identity theft, brute-force password hacking and more. It’s imperative to stay ahead of these cyber threats, given the potential of downtime or even catastrophic loss of or corruption of data. Organizations need to balance cybersecurity with mission impact and business objectives by using a risk-based methodology. Patching remains one of the most effective ways to prevent cyber attackers from exploiting vulnerabilities, and should be a priority in your agency’s security program.
As recommended by the National Institute of Standards and Technology (NIST), a proactive approach to software updates includes prioritizing patches, testing patches before deployment, and establishing an automatic update process. Any potential challenges of patching should be considered a cost of doing business and rigorously followed and tracked. The bottom-line is that delaying patch deployment gives attackers a larger window of opportunity.
The good news is that public safety agencies don’t have to evaluate and face these risks alone. Automation and patch management tools are a strong ally in this fight, as are security professionals who can provide best practices for cyber vulnerability management. Our team of highly knowledgeable people who stay current with security certifications, combined with best-in-class organizational policies and procedures and state-of-the-art automation and analytics tools, enables us to uniquely deliver enhanced cybersecurity solutions that address your needs today and in the future.
Contact us to find out more about our Security Patching Services.