Debunking the Patch Tuesday Hype Machine

A familiar pattern reared its ugly head in my e-mail inbox Tuesday afternoon. And while I mean no disrespect toward my PR friends, it’s starting to annoy me.

The second Tuesday of each month has become something of a holiday for PR firms whose clients include all the big security software vendors — Patch Tuesday, when Microsoft releases security updates for the latest attack-prone flaws in Windows, Internet Explorer, etc.

The e-mails I get tend to play up the latest flaws as if the apocalypse is at hand. Patch immediately, their clients warn, or doom will almost certainly befall your company computer networks. This past Tuesday was no exception, when Microsoft rolled out a fix for three bugs in its Windows Server Message Block (SMB) file and print service.

To make the tone graver still, Oracle and Research In Motion released critical security updates Tuesday as well.

My PR friends will probably get angry as they read this. My response: I know you’re just trying to do a job, and I even believe you when you say the goal isn’t to stir up FUD, but to simply raise awareness and ensure companies install security patches quickly. That’s an admirable goal, and there’s no doubt such a message is necessary on the consumer side, where the not-too-tech-savvy masses are tearing up the Internet on laptops, PCs and mobile devices with no thought about security.

But my observation in the business world is much different, making the need for alarmist Patch Tuesday announcements unnecessary.

I’ve visited a lot of IT shops in recent years, including those at Children’s Hospital, the Papa Gino’s pizza chain and the Boston Celtics. The purpose of the Children’s Hospital visit was specifically to observe their monthly patching procedures. At the other places, the mention of Patch Tuesday sparks the same response: They have a standard patching procedure that stretches over seven days from the initial patch release. It’s all a routine for them. No butterflies in the belly.

The first day is for evaluating the patch load and which ones are most important for the organization to install first. The order of importance is not the same from place to place. Next comes a few days of putting the patches on test machines to see if they break other programs on the network. Patching ASAP is not useful if the patch causes critical business applications to misfire and grind to a halt. Usually about a week in, after those glitches have been tweaked, the patches are rolled out. Thanks to Microsoft’s automatic update machinery, the process is as straightforward as clicking on boxes next to the patches you want.

If it’s all so routine for these people, why all the grave warnings from security vendors each month?

My IT sources usually don’t understand why vendors are yelling at them to patch immediately. For the reason described above, they can’t rush the process. Meanwhile, they are not too worried about fresh flaw exploits because they have a multi-layered array of security tools and policies to keep out any malware that may target the latest Microsoft holes while the patches are being tested and tweaked.

Like I said, the alarm-bell approach is probably necessary for the consumer crowd. But much less so on the business side.

So, PR friends, if I don’t bite on your Patch Tuesday e-mails, don’t take offense. It’s just that our core audience wants us to be focusing on other things.

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry’s most egregious FUD, send an e-mail to bbrenner@cxo.com.