During the COVID-19 pandemic, many organizations have implemented various policies and procedures to allow some or all of their workforce to work remotely. Whether these users are utilizing organization-owned equipment that has been issued to them or their own personal devices, it is critical that the organization take steps to ensure that security updates continue to be installed as they are released.

To help keep those remote users, and the systems connecting to your Information Systems environment, secure, updates should be deployed for:
- Operating Systems and Included Applications (Microsoft Windows, Mac OS X, Edge, Safari, etc.)
- Third-Party Internet Browsers (Google Chrome, Mozilla Firefox, Opera, etc.)
- Other Critical Applications (EHR/EMR, Microsoft Office, Financial Applications, etc.)

The methods used for updating a remote computer can differ slightly, depending on whether the system is owned by the organization or is the user’s personal computer.

For organization-owned devices:
- If using a mobile device management (MDM) solution, ensure that the remote system is visible to the organization
- Ensure that the remote system is properly categorized in the organization’s Update Deployment solution (WSUS, SCCM, ConnectWise, etc.) so that it can receive updates that have been approved for deployment
- Coordinate with remote users to ensure that the remote system is powered on and connected to the Internet/VPN at the scheduled time for deployment

For users who are utilizing their personal devices:
- Educate users on the importance of keeping their systems updated
- Provide guidance on how to search for and install updates for major operating systems and critical applications
- Provide guidance on which updates must be installed to maintain compliance with the organization’s security requirements
- Be prepared to assist users with updating their systems

Staying current with both updates released on a set schedule (such as the monthly Microsoft “Patch Tuesday” updates) and those released out-of-band will help reduce the risk that discovered vulnerabilities pose to the organization’s systems, even when those systems are being used remotely. For regular notice of new vulnerabilities and vendor updates/patches, consider subscribing to the weekly National Cyber Awareness System bulletins published by the Cybersecurity & Infrastructure Security Agency (CISA) at https://www.us-cert.gov/ncas/bulletins.