Patching in the Time of Remote Work

It’s imperative that employers implement a patch cadence, regardless of whether employees agree with it

This may sound controversial, but unfortunately, my experience shows it to be true: When humans are prompted to do something without risk or reward, they tend not to do it. In their remote environments, just as when they were in the office, the reminders still pop up on employees’ screens: “Updates Available for Your Device.” But, when given the choice, employees more often than not select “Remind Me Tomorrow”—whether because they’re busy, impatient or don’t understand the importance of regular updates.

Prior to the COVID-19 pandemic, employees could avoid practicing proper endpoint device hygiene because they were protected behind the firewall and network cybersecurity measures put in place by their employers. Enterprise organizations often implement a multitude of tools and solutions to scan for viruses, weak points and network intrusions, therefore mitigating some of the risk of employees’ unpatched or out-of-date devices. However, with distributed workforces, organizations can no longer be so reliant on centralized network security. This is why patching cadence is more critical than ever.

The shift to remote work has put a major strain on enterprise IT departments; meanwhile, employees are juggling their new work-from-home reality and are often unaware of the critical importance of patching. A recent analysis of anonymized endpoint data found some sobering details about the current state of enterprise security in the remote work era. On average, Windows 10 devices are 82 days out of date with current patching. But sensitive data continues to pile up on endpoints, with a 106% increase in sensitive data found on devices versus pre-COVID as of July 31. And 60% of data breaches result from patches that were available but not installed, and that is how the cybersecurity gap widens.

No company wants to enforce patch updates that could disrupt an employee’s productivity, especially in a remote work setting. Overall, the onus should not be on the end user, but rather on the company as a whole. The good news is that, from 2018 to 2019, the number of enterprise devices running Windows 10 increased by 24%, making patch cadence easier to implement, as many users are running the same system. Still, there are a few steps that organizations can take to encourage better patch habits:

  • Make it mandatory: When the decision is between a momentary pause in productivity versus a data breach or network exploitation, enterprises should 10 times out of 10 choose to force their employees to patch their devices. By forcing a reboot, you are making sure that workers will schedule productive blocks around the reboot. You won’t be interrupting productivity and the endpoint device will still be updated.
  • Make it consistent: Create a consistent patch cadence that everyone in the organization plans around and can anticipate. For example, start a patch rollout the third Tuesday of every month, with a deadline for all devices to be updated by Friday. This provides a week for IT to validate patches, and a known four-day cadence for all users to plan their updates and reboots.
  • Make it interactive: Often, employees will respond to competition. By instilling a sense of gamification to patch updates, you’re more likely to get higher participation rates, as no employee wants to be the reason their department is lagging. Implement participation metrics and reward the department with the highest patch percentage.
  • Make sure you have visibility: Organizations across the board need better visibility into where their assets are. Do they know where they have sent all of their devices? Do they have insight into how they’re being used, and where they’re being moved? Without that information, companies can never truly ensure that they’re doing every possible thing to keep their devices secure, as they simply don’t have the visibility needed to check that box.
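
The cadence, participation metric and visibility check from the list above can be combined in one compliance report. This is an added example, not code from the article: the inventory records, field names and function names are constructed assumptions, and a real deployment would read `last_patched` from its endpoint management tool.

```python
from collections import defaultdict
from datetime import date, timedelta

TUESDAY, FRIDAY = 1, 4  # date.weekday() numbering (Monday = 0)

def rollout_window(year, month):
    """Return (third Tuesday, following Friday) for the given month."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    start = first_tuesday + timedelta(weeks=2)
    return start, start + timedelta(days=FRIDAY - TUESDAY)

def current_window(today):
    """Most recent rollout that has already started as of `today`."""
    start, deadline = rollout_window(today.year, today.month)
    if today < start:  # this month's rollout has not begun; use last month's
        prev = date(today.year, today.month, 1) - timedelta(days=1)
        start, deadline = rollout_window(prev.year, prev.month)
    return start, deadline

def compliance_report(devices, today):
    """Score each department against the current rollout window."""
    start, deadline = current_window(today)
    patched, total = defaultdict(int), defaultdict(int)
    overdue, no_data = [], []
    for d in devices:
        total[d["dept"]] += 1
        last = d["last_patched"]
        if last is None:        # no telemetry: a visibility gap, never "compliant"
            no_data.append(d["host"])
        elif last >= start:     # patched during or after the rollout start
            patched[d["dept"]] += 1
        elif today > deadline:  # missed the Friday deadline
            overdue.append((d["host"], (today - last).days))
    ranking = sorted(((dept, round(100 * patched[dept] / n, 1))
                      for dept, n in total.items()),
                     key=lambda r: (-r[1], r[0]))
    return {"window": (start, deadline), "ranking": ranking,
            "overdue": overdue, "no_data": no_data}

# Constructed sample inventory (hypothetical hosts and departments).
SAMPLE = [
    {"host": "fin-01", "dept": "finance", "last_patched": date(2020, 9, 16)},
    {"host": "fin-02", "dept": "finance", "last_patched": date(2020, 9, 17)},
    {"host": "eng-01", "dept": "engineering", "last_patched": date(2020, 9, 15)},
    {"host": "eng-02", "dept": "engineering", "last_patched": date(2020, 7, 1)},
    {"host": "sales-01", "dept": "sales", "last_patched": None},
    {"host": "sales-02", "dept": "sales", "last_patched": date(2020, 9, 18)},
]

if __name__ == "__main__":
    print(compliance_report(SAMPLE, today=date(2020, 9, 21)))
```

Devices with no patch data are reported separately and counted against their department, so a gap in visibility cannot pass as compliance.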

Remote work has entirely changed the way companies should be approaching cybersecurity. There is an increased need for patching and a renewed urgency for companies to educate employees on good endpoint security hygiene. Whether it be employees working from a public place, downloading sensitive files locally to circumvent the VPN or simply the increased speed at which cybersecurity tools decay on personal networks, there are many reasons for employers to make patching a mandatory practice.

The future of work is extremely uncertain and varies greatly by region and even by company, whether a return to the office is planned or work from home remains indefinite. Whatever the case, it’s imperative that employers implement a patch cadence, regardless of whether employees agree with it. In the long run, it will ensure the protection of company information, sensitive data, employees’ personal information and more. By following this playbook, organizations can set themselves up for success in the new normal.

Jason Short

Jason Short serves as Vice President of Product Management for Absolute Software. Prior to Absolute, Jason worked as Director of Product Management for Symantec. Jason is a graduate of the University of Denver and Arizona State University, and currently resides in Denver, Colorado.