
Bugwatch: A patch in time

by Volker Wiora

29 Jan 2004

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Volker Wiora, vice president of global information systems at Altiris, explains that by using software that centralises and automates the task of patch distribution, firms can make it part of the day-to-day business continuity strategy.

Chief executives and chief financial officers know that viruses can damage their businesses and cost millions.

But many do not realise that antivirus software alone will not help when it comes to the increasingly frequent flaws that are being exposed in corporate software.

These flaws are the biggest threat to security, and they demand instant attention and patching. IT teams spend more than $2bn a year trying to patch up these network security flaws, according to analyst Aberdeen Group.

But still the process of security patch management is not being understood at the level that really matters: in the boardroom.

As we become even more reliant on IT, it is all the more necessary to have procedures in place to minimise system downtime and ensure the security and availability of information across the organisation.

The increasing complexity of IT systems also brings an increased number of potential flaws in the software, with over 4,000 vulnerabilities reported in 2002, according to the Software Engineering Institute advisory team.

The infamous SQL Slammer worm of 2002 caused huge amounts of damage. It managed to do this because many companies' approach to patch distribution was reactive, not proactive, and IT teams just couldn't cope with the huge, instant demands made of them to protect systems against the virus.

Virus protection alone is not enough, even if it is automatically updated. SQL Slammer, for example, can only be patched by running a Microsoft-supplied update.

When a software vendor releases a product, it may have flaws that can be exploited by hackers and by malicious worms, which can bring the entire IT network down.

When a flaw is discovered, the vendor will usually release a patch which mends the gap in the program, stopping any worm or hack attacks on that part of the system.

It is up to the IT team at the end-user organisation to implement and manage these fixes, so that their software flaws are patched up.

But the increased importance of patching to the day-to-day running of a business has left many IT teams fighting a losing battle.

Significant damage is being done to businesses in loss of revenue and data, loss of customer satisfaction, trust and loyalty and ultimately damage to corporate reputations.

Security patching is one of IT managers' top worries for 2004, and it is becoming a full-time job. But it doesn't need to be.

By using software that centralises and automates the task of patch distribution, organisations can manage distribution and make it part of the day-to-day business continuity strategy, rather than a panicked, reactive scramble against the latest virus.

Top-level management must realise the potential threat to business, and make funds available to the IT team before it's too late.

Do you agree?

 
