How high up in the list of priorities should your patching be? Tales of woe and gnashing of teeth stopping this endeavour? Or heroes on the front line?

We all know about "Patch Tuesday", Microsoft's release date for patches to its operating system, .NET and other software. We all have plans around this activity and many of us have processes set up to facilitate these updates. Well, ok, most of us do.

However, your ICT estate is not made up of Microsoft software alone. You will have other kit with software running on it. You might well have Linux servers, as well as switches and routers from a variety of vendors.

Do you know if these are up to date?

I recall a conversation regarding patching with a group of data centre techies and managers. We addressed the Microsoft side quite easily and with little headache for the most part. However, after an audit, it was apparent that the Linux servers had not been patched in years, and by years I mean more than six or seven. Mainly because, when they were rolled out, it was felt that they didn't need patching, Linux being considered more secure.

However, patching is not only about closing off known vulnerabilities. It is also about improving the efficiency and stability of the software as well as the hardware. So these servers were running flavours of Linux that were very much out of date, and that in some cases carried known, published vulnerabilities. None of them could run the current revisions of firmware, drivers or OS.
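As an added example (this is not code from the original post), here is a small Python check that answers the "do you know if these are up to date?" question for Debian/Ubuntu hosts by reading the package manager's own history in /var/log/dpkg.log. The dpkg.log line format is real; the host names, the log contents and the 90-day threshold are constructed assumptions. On a real estate you would pull each host's log over SSH or via your configuration management tool rather than embedding it.

```python
"""Flag Linux hosts that have not been patched for a long time.

Added example, not from the original post. It reads the Debian/Ubuntu
package history (/var/log/dpkg.log format) and reports how long ago the
last package install/upgrade happened. Host names, log contents and the
90-day threshold below are constructed assumptions.
"""
from datetime import date, datetime
import re

# A dpkg.log line looks like: "YYYY-MM-DD HH:MM:SS <action> <pkg> <old> <new>"
DPKG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\S+) ")

# Actions that mean a package was actually installed or upgraded.
PATCH_ACTIONS = {"upgrade", "install"}

# Constructed sample logs (not real hosts): one recently patched box,
# one forgotten for years, and one with no history at all.
SAMPLE_LOGS = {
    "web01": (
        "2016-03-10 09:15:02 startup packages configure\n"
        "2016-03-10 09:15:03 upgrade openssl:amd64 1.0.1t-1 1.0.2g-1\n"
        "2016-03-10 09:15:04 status installed openssl:amd64 1.0.2g-1\n"
    ),
    "db01": (
        "2009-05-02 02:10:11 install bash 3.2-4 4.0-1\n"
        "2009-05-02 02:10:12 status installed bash 4.0-1\n"
    ),
    "jump01": "",  # nothing recorded: we cannot say, so report it as unknown
}


def last_patch_date(log_text):
    """Return the date of the most recent install/upgrade entry, or None."""
    latest = None
    for line in log_text.splitlines():
        m = DPKG_LINE.match(line)
        if not m or m.group(2) not in PATCH_ACTIONS:
            continue  # skip status/startup noise and unparseable lines
        d = datetime.strptime(m.group(1), "%Y-%m-%d").date()
        if latest is None or d > latest:
            latest = d
    return latest


def patch_status(log_text, today, max_age_days=90):
    """Classify a host as 'ok', 'stale' or 'unknown' from its dpkg.log text.

    Returns (status, age_in_days); age is None when no patch entry exists.
    max_age_days is an assumed policy value; derive yours from your patch cycle.
    """
    last = last_patch_date(log_text)
    if last is None:
        return "unknown", None
    age = (today - last).days
    return ("stale" if age > max_age_days else "ok"), age


def audit(logs, today, max_age_days=90):
    """Run patch_status over every host; returns {host: (status, age_days)}."""
    return {host: patch_status(text, today, max_age_days) for host, text in logs.items()}


def audit_sample(today_iso="2016-04-01", max_age_days=90):
    """Audit the constructed sample logs as of the given ISO date."""
    return audit(SAMPLE_LOGS, date.fromisoformat(today_iso), max_age_days)


if __name__ == "__main__":
    for host, (status, age) in audit_sample().items():
        detail = f" ({age} days since last patch)" if age is not None else ""
        print(f"{host}: {status}{detail}")
```

The "unknown" result matters as much as "stale": a host with no package history is exactly the kind of box the audit in the story above turned up, and it needs a human to look at it rather than being silently counted as fine.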

Then we have the other parts of the estate: switches, routers, firewalls, load balancers, storage devices. All of these run software, all of them can be compromised, and a compromise of any of them will embarrass the IT department. As IT professionals we certainly don't want that, right?

So how do you weigh the risks? There are costs involved, obviously, as well as possible impact on production. I recall one organisation running an update on their backup software that resulted in a pretty major catastrophe by taking the storage array offline.

Keeping up to date with your vendors' updates is vital, as is understanding what an update will do both during and after it is applied. Will it break applications, for example (with storage)? Will the device reboot and leave your network unprotected (firewall)? Hopefully the answer is no. If there is one thing you should do, if at all possible, it is to test updates before releasing them. Unless it is a hugely critical security update (and even then I seriously suggest testing before release, and having a backup plan, including how you will roll back, to hand for when it goes wrong) you can take the time to do this.

If you have to wait for a suitable window in which to apply an update, that wait is the ideal time to test it. Testing tells you whether the update is stable, gives you an opportunity to learn about any changes, and should certainly tell you whether to expect any major issues.

Sure, patching is a pain, and no one really likes doing it because of the disruption it can cause, but as indicated above there are steps that help reduce or limit that pain. However, you need to weigh up the pros and cons as a business.

Ultimately you are protecting the business.


Small Businesses and ICT…how do you turn over the engine room keys to someone you can trust?

Further to my post below from yesterday, I asked myself what small businesses with limited technology expertise do about updating software or operating systems. I can imagine there are many such companies where the principle of "if it ain't broke, don't fix it" is the prevailing mindset. Being somewhat resistant to change is not inherently a bad thing, but does that hold for technology?

Well, I can imagine that long-running corporations, running huge legacy systems on ancient big iron, are very nervous about doing anything that might bring these down and create adverse conditions in which to conduct business. That is one reason, I would think, that they do not move to new infrastructure: the pain of moving would be incredibly high, perhaps so painful it brings the business to its knees. However, they still do a lot of work to maintain those systems, including code releases and changes of hardware, and they tend to do it very carefully. Well, the ones that understand the risk a system failure poses to the business do. Of course, these businesses are able to hire highly skilled and experienced engineers and systems managers.

Of course, not all small businesses (in fact I'd say most don't) have huge complex systems or run legacy code on ancient mainframes. However, their technology, if it goes wrong, could have the same impact: it could drive the business under. The difference is that the small business does not have highly skilled engineers or managers.

So how do small businesses approach things like ICT support? Often they outsource their IT to professional managed service providers who do all the work for them, or they rely on friends or family. Neither of these is intrinsically bad if it has undergone some measure of due diligence. If you are willing to turn over what is effectively the engine room of your business, I certainly hope you know who you are turning it over to and that they are capable!

It might sound awkward to ask your friend or family member whether they are competent ICT support people, but would you ask the same of another company you wanted to hire to look after your IT? The answer has to be yes. However, in both cases, do you know what questions to ask? You are not an expert, otherwise you'd be looking after your own ICT, right?

Well, I have a very basic checklist you might use, not only with your friends and family but with managed service providers as well. Some questions will only apply to managed service providers.

  • What certifications do you (or your engineers) have?
    • Are they relevant to my needs?
      • How?
  • Can you provide me with business or customer references that are relevant to my needs?
  • How long have you been providing support?
  • Do you carry liability insurance?
  • What kind of Service Level Agreements are you able to work to? If I need 24/7/365 support can you provide it?
  • What do you do if you cannot fix my problem within the Service Level Agreement? Do you have an escalation plan?
  • Do you need to be onsite to fix my problems or can you do it remotely? If you are doing it remotely what kind of security measures do we need to put in place and why?

These questions are worded not to sound harsh but to get both parties to think about the depth of the support relationship and how important your ICT is to you and your business. They are not intended to insult your friends or family, but would you rather keep your friend or family member than give them a job it turns out they are wholly unable to commit to, and which kills your business? When asking these questions of a managed service provider there really ought not to be a problem, because if they are any good they will be able to answer them easily. They will also welcome probing questions. If the managed service provider is evasive or unable or unwilling to provide timely answers, it's a good sign that you want to look elsewhere.