Close

See How Your Peers Are Moving Forward in the Cloud

New research from CDW can help you build on your success and take the next step.

Dec 24 2024
Security

Patch Management Protects Vital Infrastructure and Services

Government agencies must coordinate platforms, processes and people to achieve cyber resilience.

Neglecting regular patch management can create gaping security holes, leaving agencies susceptible to malware, ransomware and other attacks. In fact, according to Sophos, almost a quarter of state and local government IT leaders report exploitation of unpatched vulnerabilities as the root cause of ransomware.

Ignoring updates to software and operating systems that prevent exploitation of known security flaws can prove devastating both operationally and financially. Ransomware recovery costs alone more than doubled over the past year for state and local governments, from $1.21 million in 2023 to $2.83 million in 2024 (excluding the cost of any ransom paid). While most ransomware attacks originate from compromised credentials or exploited vulnerabilities, those that begin with the latter can be particularly severe, causing even slower recovery time.

Click the banner to start optimizing backup and recovery.

 

Attacks on unpatched systems managing critical infrastructure and essential citizen services such as water treatment plants, power grids or emergency responses can cause significant disruption. They can also lead to the exposure of sensitive citizen information such as Social Security numbers, financial details and medical records, and even legal fines for failing to maintain proper security standards.

Prioritize Compatibility and Testing to Avoid Bad Updates

Since the fundamental responsibility of state and local governments is to protect critical infrastructure that preserves public safety and quality of life, patch management hygiene is a vital cyber resilience strategy. However, compatibility issues with existing systems and applications can cause software updates to lead to application errors, degraded performance and system crashes ranging from inconvenient to catastrophic. 

Recent incidents include interrupted service for millions of telecom customers, widespread IT outages across a cybersecurity provider’s global customer base and even emergency dispatch system outages such as Washington, D.C.’s recent 911 technology failure spotlight the importance of meticulous planning and execution of updates.

EXPLORE: State and local governments have made progress against ransomware.

Create a Patch Management Strategy to Plan for Success

State and local governments face unique challenges related to patch management, including limited IT staffing resources to effectively manage patching; budget constraints preventing investment in advanced tools; updates across complex legacy systems; and even a lack of understanding regarding the importance of patching, its security implications and how to carry out effective patch management.

Luckily, many options, several of which are outlined below, are available to help IT teams prevent unexpected disruptions to future software deployments.

Apply Patches Early and Often to Prevent Security Issues

One of the easiest, most cost-effective ways to mitigate risk is by patching applications and software as soon as patches become available. The Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog can offer helpful guidance on implementing a patch management schedule to regularly update all systems, applications and platforms to their latest versions.

IT teams should conduct regular vulnerability assessments with frequent scans, focusing on deploying risk-based prioritization of patching. A best practice is to prioritize updates based on severity, potential application impact and any relevant compliance requirements such as HIPAA or those outlined in the National Institute of Standards and Technology’s Cybersecurity Framework.

51%

The percentage of state and local government organizations that took more than a month to fully recover from ransomware attacks this year

Source: Sophos, “The State of Ransomware 2024,” April 2024

A progressive, or phased, approach to software rollout can help limit end-user impact. Canary and blue-green deployment strategies are two such methods designed to minimize risk to live production environments. Called "canary" deployments because they are similar to how miners used canaries to detect dangerous gasses in coal mines, this approach releases updates to a small group of users or servers to test reliability before widespread rollout. 

In blue-green deployments, one environment is active at any given time while the other is on standby, allowing switching between versions. This allows testing of the new version (green) while the current version (blue) runs. If anything goes wrong with green, rapidly switching back to blue ensures a seamless user experience. For government and public services applications, which can’t afford significant downtime, the fast rollout and easy rollback of blue-green deployments can be particularly helpful.

Automate and Orchestrate Patching with Platform Engineering

Balancing security and governance with release velocity is a constant struggle. In a fast-paced DevOps environment, it can be difficult to properly test application compatibility and other software components to ensure they don’t introduce new issues or break existing functionality. Bad code can easily slip through the cracks.

To avoid skipping crucial steps in patching, automation via platform engineering practices can boost speed to market while also orchestrating deployments with careful planning and implementation. Automated tools and scripts integrated into the continuous integration and continuous deployment process can detect available patches; scan dependencies, libraries and frameworks; and easily identify vulnerable components.

DISCOVER: These three focus areas can build a powerful cyber resilience program.

Educate Users About the Important of Patching

In some cases, education on proper patch management practices can go a long way. Cybersecurity training emphasizing the importance of keeping software updated and explaining the risks of using out-of-date applications or deprecated assets is especially important when working with legacy tools and systems common in state and local governments.

Ultimately, analyzing how platforms, processes and people all work together truly ensures successful testing and rollouts. It’s a matter of development, workflow and training.

UP NEXT: AI isn’t new to cybersecurity, but some of its use cases are.

Kindamorphic/Getty Images