6 Patch Management Best Practices for Financial Services Institutions from the FFIEC

Financial services organizations are no strangers to cybersecurity threats. The sector is among the most attractive to bad actors due to its literal and figurative wealth of information, with valuable data ranging from employee login credentials to tax filing details to debit and credit card accounts to personal stats like addresses, phone numbers, birthdays, and social security numbers.

Attackers hit financial institutions hard and often and don’t limit themselves to big banks. Smaller businesses including credit unions, mortgage and loan brokers, investment firms and more face consistent, damaging threats - and can suffer devastating consequences. Companies with fewer than 500 employees suffer average losses of more than US $2.5 million per data breach. That’s a big deal for small businesses that typically earn $50 million or less in annual revenue.

With so many endpoints and such valuable data, financial services (FinServ) orgs require a robust cybersecurity strategy. Hackers continuously evolve their tactics and their targets must do their best to keep up. But frequently the costliest breaches come not from the most sophisticated attacks but from a lack of routine cyber hygiene. The Equifax breach, which impacted 143 million U.S. accounts, was caused by an unpatched Apache Struts vulnerability. The Apache Software Foundation released the patch for the hole on March 7, 2017, but Equifax had failed to apply it by the time the attack took place on July 29 that year.

Scenarios like the Equifax breach clearly demonstrate the importance of strong cyber hygiene, especially in the financial services industry. For many FinServ firms, however, patch management is easier said than done. Why?

  • As cybercriminals increase the speed and volume of their attacks, technology providers release patches more and more frequently, which makes it harder for their customers to keep up.
  • The responsibility for patch management often straddles the IT Ops and SecOps departments, resulting in communication and operational breakdowns.
  • Organizations face a shortage of skilled cybersecurity talent, leading 74% of companies to believe that they can’t patch fast enough because they don’t have enough staff.
  • Traditional processes can’t handle the firehose of threats and patches, yet more than half of companies still use spreadsheets and emails to track and assign patching tasks.

6 Patch Management Best Practices from the FFIEC

While the facts and figures above paint a challenging picture for financial services organizations, there are a variety of ways to improve and streamline patch management. The Federal Financial Institutions Examination Council (FFIEC) summarizes several of these in their guidance on patch management, which offers recommendations on “procedures for identifying, evaluating, approving, testing, installing, and documenting patches.”

At a high level, the FFIEC recommends that “Management should implement automated patch management systems and software to ensure all network components (virtual machines, routers, switches, mobile devices, firewalls, etc.) are appropriately updated.”

Additional best practices for financial services institutions include:

  1. Subscribe to automated notifications from vendors. Whether that means signing up for emails from software vendors or creating Google alerts for keywords specific to your infrastructure (“Sophos patch update”, for example), put procedures in place so that critical information comes to you. That includes management - not just the lowest folks on the IT totem pole.
  2. Create a paper trail of how you evaluate each patch. The FFIEC recommends evaluating “the impact of installing the patch by assessing technical, business, and security implications” - which is relatively obvious. Their more salient point is to thoroughly document that process so that if you decide not to install it, you can easily demonstrate why.
  3. Build a prioritization process. Like the evaluation process, a prioritization process not only makes it simpler to determine which patches to deploy in what order, it provides a structure for documenting why you made those decisions. Additionally, the FFIEC suggests a separate exception process with appropriate documentation for any patches that management chooses to delay or not apply.
  4. Ensure that patches installed on production are also installed in the disaster recovery environment and that any inventories and DR plans are appropriately updated.
  5. Minimize business impact. Strategies here include backing up the production system, defining reasonable patch windows, and restricting the implementation of patches to defined time frames to minimize potential down time when possible.
  6. Mitigate unintended consequences. Any patch comes with risk, from degrading system performance to introducing new vulnerabilities. The FFIEC recommends a series of actions to mitigate unintended consequences including verifying the integrity of the patch, protecting and monitoring the systems used to distribute patches, and extensive testing of each patch on a test system before implementation.

From local credit unions to the world’s biggest banks, cyberattacks and data breaches are a constant and serious threat. Strategic patch management, including the right tools and the right processes, can play a significant role in combating attack vectors and ensuring that FinServ orgs can protect their data, their customers, and their brand.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

Dive deeper into this topic