top of page
  • Kathleen Maxted

How to Maintain Cyber Essentials Compliance Through Automated Patch Management.

One of the most common ways attackers target and breach organisations is through unpatched security vulnerabilities. You only have to take a look at some of the latest attacks, such as the LastPass breach, where attackers exploited a third-party RCE vulnerability, to see the impact of leaving your devices exposed.


Patch management is identifying, acquiring, testing, and installing updates to software applications and operating systems to keep them up-to-date and secure. It is a crucial element in maintaining the security and integrity of your devices and protecting against these attacks.


Meeting regulatory requirements for cyber security is another critical reason for implementing patch management solutions.


The UK government-backed Cyber Essentials scheme is an example of this. It is designed to help organisations of all sizes protect themselves against cyber attacks by implementing essential cyber security controls, one of which is to manage software updates and patches. Cyber Essentials provides a baseline level of cyber security that organisations should meet to protect themselves from common cyber threats.


One of the critical requirements of the scheme is to ensure that all software is up-to-date, and organisations must have a process in place to manage patches effectively. This involves identifying vulnerabilities, testing patches to ensure they do not cause issues, and deploying the updates in a timely manner (within 14 days).


The Applicant must ensure all in-scope software is kept up to date. All software on in-scope devices must be:

  • licensed and supported

  • removed from devices when it becomes un-supported or removed from scope by using a defined “subset” that prevents all traffic to/from the internet

  • have automatic updates enabled where possible

  • updated, including applying any manual configuration changes required to make the update effective within 14 days* of an update being released.


Managing these updates for all your third-party software can be resource and time-intensive. Being able to apply these patches automatically can be invaluable to your business to maintain compliance, simplify your patching process and, most importantly, ensure your business is protected from the latest exploited vulnerabilities.


Our partner, Automox, is a cloud-native platform that automates patch management and endpoint hardening, making it an ideal solution for organisations looking to meet Cyber Essentials' requirements.


Automox allows you to manage, configure, and track third-party inventory - and then natively patch it all from one place, whether the devices are on-prem or remote.


Implementing a patch management solution like Automox can help organisations ensure that all devices are up-to-date with the latest patches and updates by automating the patch management process, saving time and resources for IT departments. The platform can patch all endpoints in real-time, regardless of location, and provides comprehensive reporting and compliance monitoring, making it easier to demonstrate compliance with regulatory requirements. Especially with Cyber Essentials expanding its scope to cover remote users.


So, how does Automox do it? Below outlines the key requirements and how Automox can help


All software on in-scope devices must be:


Licensed and supported

Automox can provide a full inventory of endpoint software versions deployed. You can use this to compare against the software's supported versions.


Removed from devices when it becomes un-supported or removed from scope by using a defined “subset” that prevents all traffic to/from the internet

Automox supports this ability via Worklets. Worklets allow you to run and automate custom tasks across any OS, meaning that you could use one of Automox's pre-built Worklets/create your own in order to remove unsupported software from devices.


Have automatic updates enabled where possible

Automox supports this via default patch policies.


Updated, including applying any manual configuration changes required to make the update effective, within 14 days* of an update being released, where:

The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’

The update addresses vulnerabilities with a CVSS v3 score of 7 or above

There are no details of the level of vulnerabilities the update fixes provided by the vendor.

Automox supports this via default patch policies and/or Worklets, depending on the vulnerability in question.


In conclusion, simplifying your patching process is crucial for protecting your devices from cyber threats and meeting regulatory requirements. The Cyber Essentials scheme provides a baseline level of cybersecurity that all organisations should meet, and patch management is a key requirement. Automox is an excellent solution for meeting these requirements and ensuring your devices are secure and up-to-date with the latest patches and updates. By implementing an automated patch management solution, organisations can reduce the risk of cyber attacks, protect their data, and demonstrate their commitment to cybersecurity.


115 views0 comments

Comments


bottom of page