Alternate format: How updates secure your device (ITSAP.10.096) (PDF, 324 KB)
Updating software addresses vulnerabilities and protects your device. Vendors release patches to fix bugs, address known vulnerabilities and improve usability or performance. Although all patches are updates, not all updates are patches. For example, an update may be issued to upgrade software features whereas a patch may be issued to resolve a specific flaw that would leave you and your organization vulnerable to a data breach. If a vendor issues a patch to resolve a security issue, your organization should take steps to apply it as soon as possible.
Types of patches
- Bug fix patch: Repairs functionality issues in software, such as an error that causes unexpected device behaviour
- Security patch: Addresses security vulnerabilities to protect the system from threats such as malware infecting devices through security flaws
- Feature patch: Adds new functions to the software, such as enhancements to application performance and speed
Patch management is your strategy and process for acquiring, testing and installing patches and upgrades on your systems and devices. You can use automated patch management software to ensure your applications and software are kept up to date.
The patch management process includes the following actions:
- identifying when a new patch has become available for your device
- testing the patch (when possible) to ensure it is compatible with your existing software and environment
- reviewing additional requirements that may be necessary for the patch to be installed or function as expected
- sending notifications when patches are available
- installing the patches
- verifying the patches have been installed effectively
For personal devices, setting up auto-updates is recommended as a form of patch management. Although auto-updating does not test patches, it keeps your device as secure as possible by applying the appropriate measures available to you as soon as possible.
If an update is not available, you may want to use a temporary workaround to address issues. Workarounds are published by the vendor to deactivate or restrict access to the vulnerable service. Your IT department should track all temporary workarounds to ensure patches are downloaded to overlay and support each other (rather than workarounds overlapping each other).
Workarounds are not a permanent solution. Once the patch is made available, you should apply it as soon as possible and the temporary workaround should be removed.
Risks of not patching
Postponing or ignoring updates and patches can increase your organization’s level of risk. Some of the risks include:
- system lags or crashes during use
- unresponsive applications
- vulnerabilities that are exploited to infect devices with malware
- hackers gaining access to, stealing or encrypting your sensitive information, or preventing your device from working
- inaccessible features on applications
Risks associated with patching
We highly recommend that you install patches and updates to ensure the ongoing, positive functionality and security of your systems and devices. There are some risks to be aware of when applying patches and updates. For example:
- installing a patch can interfere with the functions in other applications
- rebooting devices for updates might interrupt other programs, resulting in loss of data or disruption of service
- installing patches may reveal other issues with the program, including other security flaws
To avoid these risks, you should back up your data, then review and test patches before implementing them. To learn more about backing up your organization’s data, see Tips for backing up your information (ITSAP.40.002).
It is understandable that downloading patches may interfere with the functionality of your device, for example through the scheduled time required for a reboot. We strongly recommend that you apply security patches as regularly as possible to ensure the safety of your device. Patching should be approached as a continual process for your organization’s IT operations.
Unsupported and legacy devices are devices that vendors no longer issue updates or patches for. These devices are susceptible to vulnerabilities that will never be patched, which increases your organization’s level of risk. We recommend that you replace systems and devices when the manufacturer no longer provides software support.
Top tips to remember
- Patching ensures the ongoing functionality and security of devices
- Using a patch management system can help your organization keep devices and applications up to date
- Testing and examining all patches before installing them is an important step in your patch management process
- Using devices that are supported by the manufacturer ensures that your systems are patched and updated as necessary