Why live systems need the time to be patched.

I was recently in a conversation with a number of programmers and developers discussing the security of the systems that they have built. One of the most noticeable comments that came out of the discussion was: "it is better to be off line for x amount of time voluntarily than be taken off line for an indefinite period of time because of a cyber attack".

Management does not seem to realise the problems associated with, and the time required for, keeping software and systems secure and up to date. When it comes to patching systems and keeping them secure, there are times when a system has to be rebooted, the environment has to be upgraded from version 2 to 3, or access parameters have to be changed to make it more secure.

They all require time to implement and, in some cases, development time to incorporate all of the new system changes and requirements. It is not an instantaneous fix. Even in today's world of instantaneous communication, time is still needed to make sure that it all works.

To management, the repercussions of not doing this are never seen. A business that relies on a fully live and productive system for a substantial component of its revenue needs to understand that the time required to keep that system updated has to be factored in. Even basic services such as email, file and print have to be managed correctly.

Yes, development can be carried out in a development and test environment, but the changes and processes created there have to be applied to the production environment at some point. That is the time the production system will be off line.

Write it into the SLA that time will be needed for the application of updates and upgrades, so that productivity is least affected. We have a window of 2 hours factored into our SLA on the first Saturday night after update Tuesday; this gives us a couple of days to test the updates on a development system before applying them to the production systems of our clients.

Once again, it is communication that will make the difference. By keeping stakeholders informed of the processes required, as well as the time needed to incorporate the changes, the development team and the system users are under less stress.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO of R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.