Patch Management: Why Keeping Software Updated Is Non-Negotiable

When a software vendor discovers a security vulnerability in their product — a flaw that could be exploited by an attacker — they release a patch: an update that fixes the flaw. From the moment that patch is released, the race begins. Security teams apply the patch to their systems. Attackers reverse-engineer the patch to understand the vulnerability it fixes and develop an exploit. The organisations that patch quickly are protected. Those that don't are exposed — and the attacker knows exactly where to look.

This is why patch management — the practice of keeping software up to date with security fixes — is one of the most consequential security controls available to a small business. It is also one of the most frequently neglected, because it requires ongoing effort and can occasionally cause disruption when an update breaks something.

What Patching Actually Addresses

A security vulnerability is a flaw in software that allows an attacker to do something the software was not designed to allow: execute arbitrary code, bypass authentication, escalate privileges, read data they shouldn't be able to access, or crash a system. Vulnerabilities are discovered constantly — by security researchers, by vendors' own quality processes, and by attackers.

When a vulnerability is discovered and publicly disclosed, it is assigned a CVE number (Common Vulnerabilities and Exposures) and a severity score. High and critical severity vulnerabilities are actively exploited, often within days of public disclosure. The window between disclosure and widespread exploitation has shortened significantly over the past decade as criminal groups have become more operationally capable.

The NCSC's guidance, reflected in the Cyber Essentials scheme, requires that high and critical security patches are applied within 14 days of release for internet-facing systems. This is not an arbitrary timeline — it reflects the empirical observation that the exploitation window for critical vulnerabilities is typically measured in days to weeks after public disclosure.

What Needs to Be Patched

The mistake many small businesses make is patching some systems but not others, or patching operating systems but not applications. A comprehensive patch management process covers:

Operating Systems

Windows, macOS, iOS, and Android all release regular security updates. Windows Update, macOS Software Update, and the equivalent mechanisms on mobile devices should be configured to download and install updates automatically, and any update that still needs a manual step should be applied promptly. The single most important operating system patch decision a small business can make is to stop using operating systems that are no longer receiving security updates — Windows 7, Windows 8, and Windows 10 (after October 2025) — because vulnerabilities in these systems will never be patched.

Applications

Every application on every device: web browsers, Microsoft Office, Adobe products, PDF readers, media players, and any other software that handles files from external sources. Browsers and document processing applications are particularly high-value targets because they handle untrusted content by design — a malicious webpage or document is the most common delivery mechanism for browser and Office exploits.

Firmware and Network Devices

Routers, switches, firewalls, and access points run firmware that also requires updates. Firmware vulnerabilities in networking equipment are actively exploited — particularly in small business routers, which are frequently left on manufacturer default configurations and never updated. The firmware update process for networking equipment is typically less automated than for operating systems and requires a deliberate process.

Server Software

If you run any servers — email, web, file, database — the software they run requires patching. Web-facing server software (web servers, content management systems, remote access portals) is particularly high priority because it is directly accessible from the internet.

Building a Simple Patch Management Process

For a small business without a dedicated IT team, a practical patch management process doesn't need to be complex. It needs to be consistent.

Automate what you can. Windows Update, macOS auto-update, browser automatic updates, and mobile operating system updates can all be configured to apply automatically. For Windows business environments, Microsoft Intune or Windows Server Update Services (WSUS) can centralise patch deployment. Automation removes the dependency on individual staff members remembering to apply updates.

Assign responsibility. Someone needs to be responsible for ensuring patches are applied and for addressing systems that can't be automatically patched. In a small business, this is typically the IT provider, but the business owner should be aware of what the IT provider's patch management process is, how often it runs, and how it handles devices that aren't in the office.

Handle exceptions deliberately. Sometimes a patch can't be applied immediately — it causes a compatibility issue with a critical business application, or it requires testing before deployment in a production environment. Exceptions should be documented (not simply deferred indefinitely), and mitigating controls should be in place while the vulnerable system remains unpatched. A vulnerability that can't be patched immediately should be monitored more closely, not ignored.

Track end-of-life dates. Software that has reached end of life — meaning the vendor no longer releases security patches — is permanently vulnerable. Plan for the retirement or replacement of end-of-life systems before, not after, the end-of-life date.

Legacy Systems: The Difficult Conversation

Almost every small business has at least one legacy system — a piece of software or hardware that is old and no longer supported but still in use because replacing it is expensive or complicated. A Windows XP machine running a specialist application. A network-attached storage device with firmware from 2018 that the manufacturer no longer supports.

Legacy systems that cannot be patched should be isolated from the rest of the network — put on a separate VLAN, behind a firewall rule that permits only the minimum necessary traffic. This doesn't eliminate the risk but contains it: a compromised legacy system on an isolated segment cannot be used as a jumping-off point into the rest of the network.

The honest conversation about legacy systems is: the cost of maintaining a vulnerable system, when calculated as the risk-adjusted cost of the incident it could enable, is almost always higher than the cost of replacing it. The disruption of replacing a legacy system is finite and manageable. The disruption of a ransomware incident that entered through that system is not.

Vulnerability Scanning

For organisations that want visibility into their patch status beyond manual checks, vulnerability scanning tools periodically interrogate all devices on the network and report on what is out of date and what vulnerabilities are present. This provides a structured, evidence-based view of patch status and helps prioritise remediation by the severity of identified vulnerabilities.

Vulnerability scanning is included in the SOC in a Box service — monthly scans with EPSS-prioritised results shared with the client's IT provider and analyst-authored remediation guidance. For businesses without a managed service, standalone scanners are available, though without the analyst layer they require technical knowledge to interpret.
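As an added illustration of the process described above (the 14-day window, documented exceptions with mitigating controls, EPSS-prioritised scan results), here is a small Python triage routine written for this page; it is not code from the original article or from any SOC in a Box tooling. Hostnames, CVE ids, dates and scores are constructed, and a documented exception is treated as valid only while it is still in date and names a mitigating control.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 14  # Cyber Essentials window for high/critical patches on internet-facing systems


@dataclass
class Deferral:
    """A documented exception: why the patch waits, what control covers the gap, when it is reviewed."""
    reason: str
    mitigation: str   # empty string means no mitigating control was recorded
    review_by: date   # exceptions are time-boxed, never deferred indefinitely


@dataclass
class Finding:
    host: str
    cve: str          # constructed placeholder ids, not real CVE numbers
    severity: str     # "critical", "high", "medium" or "low"
    epss: float       # EPSS probability of exploitation in the wild, 0.0 to 1.0
    patch_released: date
    internet_facing: bool
    deferral: Optional[Deferral] = None


def status(f: Finding, today: date) -> str:
    """Classify a finding against the 14-day window and any documented exception."""
    if f.deferral and f.deferral.mitigation and f.deferral.review_by >= today:
        return "deferred"  # a valid exception: in date and backed by a mitigating control
    urgent = f.severity in ("critical", "high") and f.internet_facing
    if not urgent:
        return "routine"  # patched through the normal automated cycle
    deadline = f.patch_released + timedelta(days=PATCH_WINDOW_DAYS)
    return "overdue" if today > deadline else "in-window"


def prioritise(findings, today: date):
    """Remediation order: overdue, then in-window, then routine, each by EPSS descending; deferred last."""
    rank = {"overdue": 0, "in-window": 1, "routine": 2, "deferred": 3}
    return sorted(findings, key=lambda f: (rank[status(f, today)], -f.epss))


# Constructed sample scan output for a small estate; hosts, ids, dates and scores are illustrative only.
TODAY = date(2025, 3, 31)
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", "critical", 0.92, date(2025, 3, 10), True),
    Finding("web-01", "CVE-0000-0002", "high", 0.40, date(2025, 3, 25), True),
    Finding("fileserver", "CVE-0000-0003", "high", 0.15, date(2025, 2, 1), False),
    Finding("erp-legacy", "CVE-0000-0004", "critical", 0.70, date(2025, 1, 5), True,
            Deferral("breaks ERP client", "isolated on legacy VLAN, admin access only", date(2025, 6, 30))),
    Finding("vpn-gw", "CVE-0000-0005", "high", 0.55, date(2025, 1, 5), True,
            Deferral("vendor still testing", "", date(2025, 2, 28))),  # expired and no control recorded
]
```

Calling `prioritise(SAMPLE, TODAY)` puts the two overdue internet-facing findings first (the expired, unmitigated exception on `vpn-gw` reverts to overdue rather than staying silently deferred), then the in-window and routine items, with the properly documented legacy exception last.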

Vulnerability Management, Handled for You

SOC in a Box includes monthly vulnerability assessments across your entire estate, with findings prioritised by the EPSS score — the probability that each vulnerability will be exploited in the wild. Your named analyst provides remediation guidance to your IT team or provider, and tracks resolution to ensure critical findings don't remain open indefinitely.