No.1 - Patch your systems regularly
Jersey Cyber Security Centre
Jersey Cyber Security Centre (JCSC) works to prepare, protect and defend the island against cyber threats.
Patching your system does not just mean Microsoft Windows — it means your website, databases, and infrastructure hardware such as firewalls and routers, as well as Linux servers, mobile devices, CCTV systems and IoT devices.
Consider that if a patch is released, the vulnerability may have existed for some time already and may have been exploited. If you then take 30 days to test and deploy a patch, that’s a long time during which the vulnerability could be used against you.
Focus on building a simple, repeatable process for rapid testing and deployment – and have an emergency patching process for critical vulnerabilities with known exploits. Otherwise, aim to patch everything as quickly as you reasonably can. Cyber Essentials recommends patching within 14 days of release.
A warning: if you are not patching a system because it has reached end of life, that’s not OK. It’s like driving a car without insurance or servicing — that accident will happen, and when it does, the impact will be worse.
Good organisations practise renewal and manage the lifecycle of their systems so that they are replaced before they are obsolete. If you have obsolete software or hardware that can’t be patched, you should isolate the offending system on your network and ask your IT Director some tough questions.
For an externally facing out-of-support system, you may have to take it offline entirely. If so, it’s a price worth paying. An early warning sign that your IT lifecycle management practices are inadequate and need review is if you are paying extended licensing agreements for old systems.