Get Your Data Protection Right: Have You Checked Your Patch Manager?

Because GDPR compliance is hard to achieve for many companies, there’s a tendency to see it as a negative thing. But is this true? If you view it as an ally and use GDPR to improve your data protection, you move nearer to compliance as a benefit.

Start thinking of GDPR as “Getting Data Protection Right,” and you’ll be closer to what it’s really about. GDPR is a set of principles and guidelines which you can use to build a data protection framework. And that, in turn, fosters trust with clients and protects you against data breaches.

We have identified nine pillars of data protection that need your attention and which fit into a GDPR framework. This article looks at the fourth of them; patch management. As you probably know, “patches” are changes made to computer programmes to fix security vulnerabilities. They’re easy enough to understand but often less easy to manage.

The Importance of Good Patch Management

There are various ways a cybercriminal might illegally access a company’s sensitive data. Still, the most common of them is hacking. The Verizon 2019 Data Breach Investigations Report (DBIR) found that 52% of breaches came about this way.

Looking at the same Verizon report, the top three types of hacking are stolen credentials (i.e. weak or compromised passwords), backdoor attacks and vulnerability exploitation. Patches address the last of these, and a good patch management regime is essential to a data protection framework.

One startling fact about vulnerability attacks is that they are usually preventable. There is nearly always an inviting gap between the time a patch is created to the time it is deployed by the user. In its 2015 DBIR, Verizon noted that 99.9% of exploited vulnerabilities had been identified over a year earlier in a CVE (Common Vulnerabilities and Exposures list).

A famous example of vulnerability exploitation is the 2017 Equifax data breach, in which the personal details of 145.5 million US Equifax consumers were exposed. This website-app vulnerability was the Apache Struts CVE-2017-5638, which was ID’d and allotted a CVE number in March 2017. The breach took place from May to July 2017 through 9,000 undetected queries.

While the Equifax data breach was big news and attracted a record-breaking $700 million fine, the time scale of events was unremarkable. Cybercriminals typically exploit vulnerabilities within 60 days (sometimes much sooner), while most companies take 100 to 120 days to patch them. These figures reveal a reliable window of opportunity and underline the importance of patch management.

Patch Management Problems & Solutions

Staying on top of software updates and installing patches promptly is one area that contributes to the Cyber Essentials self-certification program. This government-backed scheme helps protect your business and proves your security commitment to potential new clients.

There are some tasks companies can perform right away to reduce the risk of data breaches, such as setting operating systems and other software to “auto update”. Businesses should be wary, too, of running software no longer supported by developers. Unsupported software allows newly discovered vulnerabilities to remain unpatched.

Good patch management software overcomes many of the updating problems companies experience. Here are some of the common issues:

• Prioritising: Vulnerabilities must be rated for their criticality and patches applied first to those which pose the highest security risks. Many businesses are overwhelmed with software vulnerabilities and treat them all equally. Factors such as the likelihood of exploitation and its probable impact should be considered. The Common Vulnerability Scoring System (CVSS) is the industry-standard method for assessing threat severity.
• Microsoft bias: Some companies focus on patching Microsoft products using tools such as Windows Server Update Services (WSUS), leaving other products vulnerable. Increasingly, criminals target Adobe, Apple, Google Chrome, Mozilla and Linux products among others. You need a solution that works across all platforms and systems with thoroughly tested patches.
• Time consuming: Manual patching processes are complex, labour-intensive, monotonous and prone to human error. As a result, patch management is sometimes given scant attention or completely ignored. A solution to this is automated patch management, which will scan for missing patches, deploy patches and generate status reports for IT admin.
• Drain on resources: Manual patch management, in particular, places a great strain on IT resources. It requires team decisions on which patches are most urgently needed, investigation of the effect of patching (how the patch will affect other applications – patches can easily break things), patch deployment and follow-up testing.

Automated patch management resolves a lot of the problems companies face and is favoured by most modern enterprises. There are many patch-management products on the market, including Comodo One, CyberSmart, SolarWinds and Microsoft SCCM.

Patch Management and GDPR

Patch management ties in with other key elements of a GDPR framework, such as accountability. It also falls under the official “integrity and confidentiality” GDPR principle. Sidestepping patch management is not an option if you want to Get Data Protection Right.

The threat of fines under GDPR is minuscule for many companies—a last resort for regulators—but it was an unpatched vulnerability that caused the ICO to fine the Carphone Warehouse £400,000 under the Data Protection Act (DPA) for a 2015 data breach. This exposed the data of 3-million customers and 1,000 staff.

As long as your company respects its data subjects and takes all reasonable measures to protect their data, GDPR is a friend rather than a foe. Using PrivIQ software as a hub, you can build a data-protection framework to be proud of. Start today!