To Patch or Not to Patch During COVID-19?
Maybe you have a mature patch management policy, and maybe you don't. Regardless, when everyone moved out of the office, the question of whether to patch or not to patch got a little hairy.
You have devices your organization owns and devices the organization doesn't own that are allowed access to the environment. So the question is, should you maintain your patch policy, suspend it, or make case-by-case decisions based on how critical the patch is?
The first month, most people were choosing not to take a chance, but as the months go on, the risk of not patching goes up. Skipping one month is different from skipping three.
Running Through Your If-Then Scenarios
Let's start with company-owned devices. The more technically mature organizations are using enterprise remote access platforms (e.g., Citrix, Horizon, RDS), so they don't have to worry about the patch level of home machines or what's on them. Company-owned machines can deploy patches as usual.
Mid-sized funds may have a different set of problems. If employees are using VPN, there's little control over home machines. Not having a mature process for remote access at scale is a risk some firms are being forced to deal with right now.
If that's you, then you have to consider whether to turn on auto-updates. At a bare minimum, it's advisable to address critical security updates in a timely manner for company-owned devices that don't have a way to be maintained remotely.
For personally-owned devices, the ones you're allowing to access your resources, the reality is you don't have much control over those. However, consider whether those machines are accessing actual resources and not just web interfaces. If they're accessing resources, Agio suggests you encourage users to apply security updates for operating systems and commonly used applications like Microsoft's suite of products.
Employing Posture Checks
Understand what patch level you're at on all endpoints. Home machines are a higher risk, and there's no way to manage those directly. The only real way to enforce patch levels if you're using VPN is to have a firewall that can do an advanced posture check to confirm the machine meets your baseline. Make sure the machines are patched before they come on the network (e.g., operating system updates applied, anti-virus current).

Making Deliberate Decisions
Review critical security updates and make a deliberate choice to apply or not apply. If there's an event, know which system gets the forensics review if it comes to that. You should be able to say, "We chose not to do this because it would create an operational risk" or "We updated it, and we still had trouble."
Patching Remote Machines
Most firms are trying to patch desktops as best they can, but the big challenge is the inability to get to those desktops if they don't come back online. Business continuity is interrupted, so what's the solution?
First, designate personnel who will go into the office and get things up and running, ensuring they possess proper building credentials so there are no access issues.
For the COOs and CFOs of the world, keep in mind that if you have a third party managing your systems, they won't be able to get into your office to fix the problem; you need to have your own personnel ready to go. If you don't have a designated employee, then you must heavily weigh the risk/reward of patching.
Second, let's say you're a CTO with a thousand desktops; you deploy a patch, and you may lose 2-5% of your machines because the update fails and leaves you with a "bricked" system. Do you take that risk? Our advice: review the nature of the vulnerability the patch is addressing and determine whether your compensating controls are adequate to reduce your exposure.

Secure Backup Machines for Critical Personnel
Designate any spare machines for executives and the people who need to be functioning 100% of the time. This is a preventative measure that, if actually needed, will make you look good for planning ahead.
In Conclusion
If you don't have a technically mature system in place, and can't control company machines remotely, apply critical security updates to company-owned devices in a timely manner. Personal devices are less of a risk if they're only accessing web portals, but we encourage you to apply critical security updates for the OS and the Microsoft suite of apps.
If all of this is exhausting and patch management is something you're ready to offload, give us a call. We can help.