Modern patch management software draws on data about how patches have behaved elsewhere to flag the problem patches before they break a network.

MSP Patch Management: The Delicate Balance Between Operational Risk & Security Risk

Tell me if this story sounds familiar. You have a large and sophisticated client paying you to manage their IT infrastructure and maybe even some of their physical and cyber security. A major new patch comes out to fix a vulnerability in core systems that are tightly integrated into the organization’s workflow. Being the conscientious MSP that you are, you want to ensure your client stays safe, so you deploy it…

And something breaks.

Maybe it’s something small that only causes a minor interruption in business operations. Or maybe it’s something much more significant, and your team is scrambling for days to contain the fallout. In either case, you’ve just committed the cardinal sin of IT services. People pay you so they don’t have to worry about managing complex IT, and suddenly they have to worry about the business impact of IT systems being down or not fully functional.

So how do you prioritize your patching regime to balance business continuity with cyber risk? 

Patch Management for MSPs

There’s nothing worse than a disappointed customer for a Managed Services Provider (well, maybe a disgruntled sysadmin who spends their entire weekend trying to fix a patch-induced mess). So how do you balance the need to patch with the need to maintain business continuity without disruption? Here is a truth worth considering:

  • 98% of patches won’t cause disruption and can be safely (and promptly) applied to the systems you are managing. The crux of the issue is telling the safe patches from the unsafe ones, from an operational perspective, at scale, and before you deploy rather than after.

What makes this problem really hard is that both operational and cyber risks change rapidly and continuously. In 2023 the CL0P extortion group exploited CVE-2023-34362, a zero-day SQL injection vulnerability in Progress Software’s MOVEit Transfer managed file transfer product, before a fix was available. Hundreds of organizations had data stolen and were extorted, resulting in tens of millions of dollars in ransom payments and many times that in business and cybersecurity costs. When the emergency patch shipped, exploitation was already under way, so every day spent testing it was a day an exposed file transfer server stayed attackable.

It’s not a simple balancing act. The operational risk of patches and the cyber risk that drives organizations to apply them are both constantly, and sometimes quickly, moving targets that require an adaptive approach. 

The Inadequacy of Traditional MSP Patch Management Solutions

So you may say to yourself, we just need to build more systematization and patch testing into the way we do patching for our clients. Systematization and patch testing are always a good idea, but they are becoming increasingly inadequate (and have always been exceptionally resource-intensive) for the task at hand. 

Both the number of internet-facing devices and the number of cyberattacks against those devices are exploding.

If there’s one thing you can count on besides cybercrime continuing, it’s that organizations will keep adding to their IT sprawl without always thinking through the security considerations. Some traditional patch management systems take software dependencies into account, but even these struggle with the sheer volume of complex and customized systems that need to be managed. 

It’s pretty clear that MSPs and IT service providers need a way of identifying which patches can be safely applied without causing operational harm. It’s one of the exact reasons why organizations choose to work with managed services and security services providers – they want to outsource the complexity and focus on their business. 

The Value of Streamlining Patch Management for MSPs (and everyone else too) 

Your customers value simplicity. As has already been mentioned, they don’t want to have to worry about the safety and reliability of their IT infrastructure. This leaves your company constantly trying to walk a delicate balance between patching IT systems before a threat actor identifies an exploit, meeting compliance requirements, and trying not to ruin your customers’ business through a major outage caused by a rogue patch. 

Streamlining patching to enable fast, efficient application of mission-critical patches can be a massive value differentiator for your managed services provider. Some benefits include: 

  • More referrals: Customers feel comfortable referring an MSP that doesn’t break their stuff, and especially one that doesn’t cause outages that cost them money. 
  • Lower operational costs: Many MSPs charge fixed monthly fees to simplify pricing for their clients. This simplifies client acquisition and billing but can leave the MSP footing the bill for rogue patches that cause damage.
  • Higher profit margins: What if you could cut the number of damaging patches by a double-digit percentage while automatically applying those with high confidence of no disruption? Streamlining patch management can substantially enhance profit margins at little cost. 

Building a patch management system that works for your MSP customers isn’t only a technical challenge – it’s also a business challenge that, if solved, can pay substantial dividends. 

Here’s an interesting question – What if you could crowdsource patch management data for MSPs? 

The only thing better than learning from your own mistakes is learning from the mistakes of others. At trackd, we’ve come up with a radically simple but elegant solution to help organizations differentiate between the 98% of patches that are necessary and safe, and the 2% that will have your clients calling you on the weekends. 

What if you could learn from the experience of other organizations and MSPs on how a patch affected their environment? What would change if you could reference the experience of 200+ other organizations that had already safely and effectively applied the patch with no issues? Or conversely, that 10 organizations had experienced significant disruption after an emergency vendor patch? 

That’s where trackd comes in. 

Think of trackd as the Google reviews for patches – crowdsourced intelligence about which patches break sh#t and, more importantly, which ones don’t. trackd allows you to leverage the lived experience of hundreds of organizations, vCISOs, MSPs, and IT admins to automatically patch with confidence.
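To make the decision described above concrete, here is an added example (not trackd’s code or API, and not part of the original post) that turns crowd-sourced patch outcomes into a rollout decision, covering both the “tell safe from unsafe at scale” problem and the “200 organizations applied it cleanly vs. 10 reported disruption” scenario. It assumes a feed of per-organization outcome reports (constructed here), a hypothetical flag for whether the fixed vulnerability is actively exploited, and hypothetical thresholds. It scores the Wilson upper bound of the disruption rate rather than the raw rate, so that a handful of clean reports is not mistaken for proof of safety:

```python
"""Gate automatic patch deployment on crowd-sourced disruption reports.

Added example, not trackd's code or API. It turns the decision the post
describes into logic: how many peer organizations applied a patch, how many
of them reported breakage, and whether the underlying vulnerability is being
exploited. All identifiers and numbers below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt

# Policy knobs (hypothetical values chosen for the example).
AUTO_APPLY_MAX_DISRUPTION = 0.02  # the post's "2% that break things"
MIN_PEER_INSTALLS = 30            # below this, crowd data is too thin to trust


@dataclass(frozen=True)
class PatchStats:
    patch_id: str             # hypothetical identifier (vendor KB, advisory, etc.)
    applied: int              # distinct peer organizations that installed it
    disrupted: int            # of those, organizations that reported breakage
    actively_exploited: bool  # e.g. the fixed CVE is on a known-exploited list


def wilson_upper(failures: int, n: int, z: float = 1.96) -> float:
    """Upper bound (95%) of the Wilson score interval for a failure rate.

    Scoring the *upper* bound means 0 breakages out of 3 installs does not
    read as "safe": the bound stays high until enough peers have reported.
    """
    if n == 0:
        return 1.0
    p = failures / n
    centre = p + z * z / (2 * n)
    margin = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return min(1.0, (centre + margin) / (1 + z * z / n))


def aggregate(reports, exploited) -> dict:
    """Fold raw (patch_id, org_id, outcome) reports into per-patch counts.

    One vote per organization per patch; a "broke" in any of an org's
    duplicate reports counts that org as disrupted.
    """
    outcomes = defaultdict(dict)  # patch_id -> org_id -> disrupted?
    for patch_id, org_id, outcome in reports:
        broke = outcome == "broke"
        outcomes[patch_id][org_id] = outcomes[patch_id].get(org_id, False) or broke
    return {
        pid: PatchStats(pid, len(orgs), sum(orgs.values()), pid in exploited)
        for pid, orgs in outcomes.items()
    }


def decide(stats: PatchStats) -> str:
    """Map crowd evidence plus exploit status to a rollout action."""
    worst_case = wilson_upper(stats.disrupted, stats.applied)
    if stats.actively_exploited:
        # Live cyber risk outweighs operational caution: patch now, but where
        # peers report breakage, stage through a canary ring first so the
        # blast radius of a bad patch stays small.
        return "apply-now" if worst_case <= AUTO_APPLY_MAX_DISRUPTION else "canary-then-apply"
    if stats.applied < MIN_PEER_INSTALLS:
        return "canary"  # not enough peers yet; be a careful early adopter
    if worst_case <= AUTO_APPLY_MAX_DISRUPTION:
        return "auto-apply"
    return "hold"


# Constructed sample feed: 200 clean reports for one patch, a 25% breakage
# rate for a rushed vendor fix, and a third patch almost nobody has tried.
SAMPLE_REPORTS = (
    [("KB-SAFE-001", f"org{i}", "ok") for i in range(200)]
    + [("KB-RUSH-002", f"org{i}", "broke" if i < 10 else "ok") for i in range(40)]
    + [("KB-NEW-003", f"org{i}", "ok") for i in range(3)]
)
SAMPLE_EXPLOITED = {"KB-RUSH-002"}  # pretend this one fixes an exploited bug


def plan(reports=SAMPLE_REPORTS, exploited=SAMPLE_EXPLOITED) -> dict:
    """Return {patch_id: action} for every patch in the feed."""
    return {pid: decide(s) for pid, s in aggregate(reports, exploited).items()}


if __name__ == "__main__":
    for pid, stats in aggregate(SAMPLE_REPORTS, SAMPLE_EXPLOITED).items():
        bound = wilson_upper(stats.disrupted, stats.applied)
        print(f"{pid}: {stats.disrupted}/{stats.applied} broke, "
              f"worst-case {bound:.1%} -> {decide(stats)}")
```

With the constructed feed, the widely applied clean patch is auto-applied, the exploited-but-flaky vendor fix goes through a canary ring before full rollout rather than being held, and the barely tested patch gets a canary regardless of its spotless record. The exploitation flag is what keeps the MOVEit-style case from being starved by operational caution; the minimum-sample rule is what keeps you from being the organization that discovers the 2%.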