Effective Strategies for SMBs

Traditionally, the application of software patches has been carried out by most companies in a haphazard fashion, and their approaches to the problem vary widely. There seem to be two schools of thought. Some companies strive to install as many patches as they possibly can, while others do little or nothing and only take action after they have fallen victim to a security attack.
Large organizations, due to the number and complexity of their computer systems, tend to suffer most from the problems of patch management, but SMBs also have to confront the fact that they are at risk.
It is well documented that Microsoft systems are prone to security vulnerabilities which hackers have successfully exploited. Worms such as Code Red, Nimda, Slammer and Blaster caused devastating chaos amongst systems around the world. Since SMBs often use Microsoft systems, they are by default vulnerable and need to adopt a proactive patch management strategy for these and other vendors' systems.
Although SAP systems are much less susceptible to security vulnerabilities than others, the company nonetheless offers patch management recommendations to its SMB customers, as well as special tools to streamline the process.
According to Miho Emil Birimisa, SAP SMB product manager, the company issues its patches for its SMB products, mySAP All-in-One for midsize customers and SAP Business One for smaller customers, a few times a year.
“In the SMB market patch management is challenging, because you typically have to devote time that you naturally would want to invest in your business or related areas into keeping your software up and running the way you want it. Patch management is generally of interest in the SMB market because of its complexity: is it a technical issue; is it a business issue; what impact does it have within the solutions that are running; and how much time do I have to plan upfront in order to guarantee that after I apply a patch everything works the same way?”
He recommends that SAP channel partners work with customers to fulfill a holistic patch management strategy that can encompass both SAP products and those of other software vendors, depending on the combination of solutions sold to the customer.
“SAP tries to help those partners and customers by bundling certain patches on a quarterly basis into so-called support stacks, which contain logical combinations of patches that in most cases can be found in the market today. Those support package stacks reduce complexity,” he said.
“SAP provides the patches through an online platform in a very convenient way but it is the relationship between the SMB customers and the partner who make the decision as to what to apply and what not to apply. So we don’t let our partners, and we don’t let our SMB customers, blindly step into each and every support package that is out there. The partners make the decision about what combination to give to their customers,” he said.
SAP also has various instruments, or mechanisms, to help customers manage patches. SAP Notes Assistant relates to the mySAP All-in-One solution because it is part of the mySAP Business Suite portfolio, and automates the application of support packages, performing double checks on certain dependencies and prerequisites that have to be met in order to apply it and achieve the desired end result.
SAP Hot News, SAP Top Notes and SAP FAQ Notes are mechanisms used to inform customers about the relevance and importance of certain patches that have to be applied, said Birimisa.
He advised that SMB customers should, in principle, “think holistically” with regard to patch management. “Engage with a partner so that you have a strong offer to work with. Think holistically about databases, think about servers, think about the client application, think about the business not just the technology. Also think about security: once you apply certain patches, is this a trusted source, what is being affected, and how am I going to introduce that patch into my own network,” he concluded.
Recently Microsoft moved to streamline its patch distribution service by bundling patches together for release in a once-a-month issue, although any critical security patches will still be issued immediately. This is intended to reduce the burden on IT administrators and introduce a level of increased predictability so that future patch installation can be better managed.
According to Mark Shavlik, founder and CEO of Shavlik Technologies, which provides SMBs with security solutions for their Microsoft-based systems, it is just too complicated and time-consuming for businesses to try to install patches manually.
“It is almost impossibly difficult and it is also confusing to identify which patches are needed and how to install them, so most of them ended up in the past just not doing anything about it,” he said.
Shavlik is one of several companies that make scanning-based tools for patch management. Scanning-based products are deemed better suited to SMBs since they are less complex. Scanning systems identify where patches are needed and automatically install them. Vendors besides Shavlik include St Bernard Software, Gravity Storm and Ecora.
Systems management vendors, such as Altiris and LANDesk, are increasingly including patch management modules as part of their solutions, while some vulnerability assessment suppliers, like Citadel, are also moving into this space.
As a starting point Jan Sundgren, an Industry Analyst at Giga Research/Forrester Research advises SMBs to try Microsoft’s own patching services. “They may be able to go with what Microsoft has to offer. If they are really small that may be Windows Update. If they are a little bit bigger maybe Software Update Service and then of course if they do want to try a vendor, the first approach to try would be a scanning based vendor,” he advised.
Mark Shavlik advised that companies adopt a strategy in which they first obtain executive-level approval to estimate the extent of the problem in the network, then assign patching responsibility to one person.
To determine the severity of the problem, a tool can be used to scan the network to determine which computers to patch and to prioritize the order in which patches are to be installed. “Once you get a reasonable patch baseline you can give yourself say 60 days to get all critical patches on all computers, and after that you have to have an ongoing plan where people are given budgets and time to patch their systems as they are released,” he concluded.
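The baseline step Shavlik describes (scan, prioritize, then hold critical patches to a 60-day window) can be expressed as a small tracker. This is an added illustration, not code from the article or from any vendor named in it; the scan results, host names, patch ids, severities and release dates are constructed placeholders.

```python
from datetime import date

# Install order, most urgent first (severity labels are assumed here).
SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}

# Constructed scan output: host -> patches a scanner reported as missing.
# Patch ids and dates are placeholders, not real advisories.
SCAN_RESULTS = {
    "fileserver": [
        {"id": "PATCH-A", "severity": "critical", "released": date(2004, 1, 13)},
        {"id": "PATCH-B", "severity": "low", "released": date(2004, 2, 10)},
    ],
    "workstation-07": [
        {"id": "PATCH-C", "severity": "moderate", "released": date(2004, 3, 9)},
        {"id": "PATCH-A", "severity": "critical", "released": date(2004, 1, 13)},
    ],
    "workstation-12": [],  # fully patched host: nothing to schedule
}


def prioritize(scan_results, today):
    """Flatten scan results into an install queue: critical patches first,
    and within a severity the oldest outstanding patch before newer ones."""
    queue = []
    for host, patches in scan_results.items():
        for p in patches:
            age_days = (today - p["released"]).days
            queue.append((SEVERITY_RANK[p["severity"]], -age_days, host, p["id"]))
    queue.sort()
    return [(host, patch_id) for _, _, host, patch_id in queue]


def overdue_critical(scan_results, today, window_days=60):
    """Hosts still missing a critical patch older than the baseline window;
    the default window is the 60-day target quoted above."""
    late = {}
    for host, patches in scan_results.items():
        for p in patches:
            age_days = (today - p["released"]).days
            if p["severity"] == "critical" and age_days > window_days:
                late.setdefault(host, []).append(p["id"])
    return late


if __name__ == "__main__":
    today = date(2004, 3, 20)  # constructed reporting date
    for host, patch_id in prioritize(SCAN_RESULTS, today):
        print(f"install {patch_id} on {host}")
    print("overdue critical:", overdue_critical(SCAN_RESULTS, today))
```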

Elspeth Wales