The OGO Blog

Uh Oh… What Happens When Your Credit Union Misses a Patch?


Uh oh… your credit union missed a patch. What do you do now?

Well, you should do something. That’s not to say that you should panic. (Not yet, at least.) And you shouldn’t just ignore it into oblivion. No, there’s a kind of middle ground that should work a bit better for you.

No Patch, No Problem? Not Exactly.

Patching seems like such a low-stakes endeavor. But, as we’re all pretty well aware by now, it’s not. It’s freakishly important.

For starters, the NCUA requires that you stay up to date with your patches. A robust, comprehensive patch policy is one of the countless regulatory requirements you must deal with. So, even if patching were otherwise inconsequential, you would still be legally required to stay current with patches.

But patching is not otherwise inconsequential. It’s very consequential. The easiest way for a hacker to get into a system is through a known exploit that an organization didn’t patch. Whether through an error, a mistake, negligence, or gross incompetence, a surprising number of patches don’t end up patching.

And the consequences of missing a patch can be… catastrophic. You may have heard of a little company called Equifax? A known, unpatched vulnerability compromised the data of over 150 million people in that breach. It could have been avoided had they been better about patching.

This is all to illustrate a point: you must patch. You must patch early. You must patch often. You can’t not patch.

Credit Union Patching Priorities

At Ongoing Operations, we encourage patching at least once per month. That ensures that any critical updates—Windows or otherwise—are never more than a few weeks old. We also tend to prioritize patching to ensure smooth, safe operations. Here are the most common patches we handle:

  1. Critical updates
  2. Definition updates
  3. Security updates
  4. Updates
  5. Update rollups

There are other patches, updates, upgrades, features, third-party patches, and so on that also come out. Our patching policy changes for these releases because they may not interact well with some credit union systems. They must be handled with care or, in some cases, avoided altogether.

However, for the listed patches above, we are assiduous patchers. We even maintain an extra-long patch window to ensure that everything has time to go through. We do our best to ensure that all available patches are detected, downloaded, and installed without issue.

But that’s not to say that there’s never an issue.

When A Patch Doesn’t Patch

If a patch in any one of those five categories isn’t installed when it’s supposed to be, that’s okay. Kind of. It’s not a disaster yet.

If a patch isn’t installed, there are a few steps you’ll need to take:

  1. Report the failed patch
  2. Troubleshoot the failed patch
  3. Retry installing the patch during the next patch window
  4. Repeat as necessary

If you’ve had to “repeat as necessary” more than one or two times, then it might be time to panic. In that case, it’s best to ramp up efforts. Contacting the company or bringing in a managed patching service can get you over a hurdle that might otherwise totally impair your credit union.
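The retry-then-escalate steps above can be tracked from patch-window results. The sketch below is an added example, not Ongoing Operations' own tooling: the CSV layout, host names, and KB numbers are constructed placeholders, and the threshold of two repeats is an assumption based on "more than one or two times."

```python
import csv
from collections import defaultdict
from io import StringIO

# The five update classifications the post lists as routine priorities.
PRIORITY = {"Critical updates", "Definition updates", "Security updates",
            "Updates", "Update rollups"}
MAX_REPEATS = 2  # assumption: the post's "more than one or two times"

# Constructed sample data: one row per host, update and patch window.
SAMPLE = """window,host,update,classification,result
2024-01-15,teller-01,KB0000001,Security updates,failed
2024-02-15,teller-01,KB0000001,Security updates,failed
2024-03-15,teller-01,KB0000001,Security updates,failed
2024-04-15,teller-01,KB0000001,Security updates,failed
2024-03-15,core-db,KB0000002,Critical updates,failed
2024-04-15,core-db,KB0000002,Critical updates,installed
2024-04-15,atm-gw,KB0000003,Update rollups,failed
2024-04-15,atm-gw,KB0000004,Feature packs,failed
"""

def triage(report_csv, max_repeats=MAX_REPEATS):
    """Map (host, update) -> action for priority updates still failing."""
    history = defaultdict(list)
    for row in csv.DictReader(StringIO(report_csv)):
        if row["classification"] in PRIORITY:  # other releases follow a separate policy
            history[(row["host"], row["update"])].append(
                (row["window"], row["result"]))
    actions = {}
    for key, runs in history.items():
        runs.sort()  # ISO dates sort chronologically
        streak = 0
        for _, result in reversed(runs):  # count trailing consecutive failures
            if result != "failed":
                break
            streak += 1
        if streak == 0:
            continue  # latest window succeeded; nothing outstanding
        repeats = streak - 1  # retries after the first reported failure
        actions[key] = ("escalate" if repeats > max_repeats
                        else "report, troubleshoot, retry next window")
    return actions

if __name__ == "__main__":
    for (host, update), action in sorted(triage(SAMPLE).items()):
        print(f"{host} {update}: {action}")
```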

Further Reading

We have too many years of experience helping credit unions stay on top of their patching requirements. Subscribe to our blog to learn more about patching (and other exciting preparedness issues). Or follow the links below to see what else we’ve written about patching lately.


Also, speak with an expert about managed patching for your credit union if you never want to deal with missing a patch again.