Alternate format: How updates secure your device (ITSAP.10.096) (PDF, 350 KB)
To protect your devices from cyber threats, update your device operating systems and applications regularly and install security patches. Updates and patches don’t just fix bugs or improve usability or performance; they address known security vulnerabilities. When a vendor issues a security patch, follow your organization’s patch management process to apply the patch as soon as possible.
A vulnerability is a weakness or flaw in security efforts. Technical vulnerabilities may exist in the design, implementation, operation, or management of an IT system, device, or service.
Patch management is your process for acquiring, testing, and installing patches and upgrades on your systems and devices. Proper patch management can also help you mitigate the risks associated with security vulnerabilities. You can use automated patch management software to keep your applications and software up to date. Below are some key patch management actions.
Identify the patch
Vendors may use different means to communicate vulnerabilities and patches. Some vendors publish consolidated bulletins that also contain recommended deployment instructions.
The Cyber Centre also publishes alerts and advisories on vulnerabilities that affect Canada’s critical infrastructure.
Test the patch
You should test the patch before applying it to verify the patch is compatible with your existing software and environment. Check if there are additional requirements for the patch to be installed or function as expected.
Notify those affected
Let all affected personnel know when the patch is available. Clearly state all instructions and deadlines for applying the patch.
Install the patch
Apply security patches as soon as possible to ensure the safety of devices. However, installing a patch may interfere with device functionality or interrupt programs. To avoid disruptions, schedule updates and patching during off-hours.
For personal devices, we recommend enabling automatic updates as a form of patch management. When applied automatically, patches are not tested. However, you lower your risk of compromise because the patch is applied to your device as soon as it is released.
Risks of patching
We recommend installing patches and updates to maintain the ongoing functionality and security of systems and devices. However, patches can disrupt business functions in the following ways:
- A patch can interfere with the functions in other applications or interrupt other programs.
- A patch may require that you reboot devices, which can result in data loss.
- A patch may reveal other issues with the program, including other security flaws.
To reduce the risk of disruptions and data loss, you should always analyze and test patches before you install them in your environment.
We recommend retiring and replacing unsupported systems and devices. Unsupported devices are devices for which vendors no longer provide software support, such as issuing updates or patches.
Legacy and unsupported devices are susceptible to vulnerabilities that will never be patched, increasing your organization’s level of risk. Additionally, legacy devices may be older products that don’t have the latest security capabilities.
If an update is not available, you may want to use a temporary workaround to address issues. Workarounds are published by the vendor to disable or restrict access to the vulnerable service.
Your IT department should track all temporary workarounds to ensure that patches are downloaded to overlay and support each other, rather than workarounds overlapping each other. Workarounds are not a permanent solution. Once the patch is made available, you should apply it as soon as possible and remove the temporary workaround.
Risks of not patching
Postponing or ignoring updates and patches can cause performance and usability issues, such as unresponsive applications, inaccessible features on applications, and lagging systems.
In addition to performance and usability issues, unpatched systems and devices create an opportunity for threat actors. Unpatched systems and devices may have vulnerabilities that threat actors can exploit to infect devices with malware or gain access to information.
If you have outsourced your IT services to a cloud or managed service provider, your service provider may be responsible for updating and patching systems. You should review your service contract for the roles and responsibilities related to patch management.
Even if you’re using a service provider, you are still responsible for updating and patching peripheral devices, as well as any systems and devices that fall outside the scope of your contract.
Top 4 tips to remember
- Patch to maintain the ongoing functionality and security of devices.
- Consider using a patch management system to keep devices and applications up to date.
- Analyze and test patches before installing them.
- Use devices that are supported by the manufacturer.