Patch Management: Why Keeping Software Updated is Your First Line of Defence

A significant proportion of successful cyberattacks exploit vulnerabilities that had patches available at the time of the attack. The attacker didn’t find a zero-day vulnerability or use sophisticated techniques; they used a known weakness that the victim hadn’t gotten around to fixing.

Patch management is the discipline of keeping software updated systematically. It’s not glamorous, but it’s one of the most effective security controls available to any business.

What Patching Actually Means

Software contains bugs. Some bugs cause crashes or unexpected behaviour. Others create security vulnerabilities: flaws that an attacker can exploit to gain unauthorised access, execute malicious code, or escalate privileges on a system.

When a vendor discovers or is notified of a security vulnerability, they release a patch: an update that fixes the flaw. Once a patch is released, the vulnerability is often published publicly, which means attackers know exactly what to target on unpatched systems.

The window between a patch being released and attackers actively exploiting the vulnerability it addresses has shrunk to days in many cases. Unpatched systems are known, catalogued, and targeted.

What Needs to Be Patched

The common focus is Windows updates, but patch management applies to everything:

  • Operating systems: Windows 10, macOS, Linux, server operating systems
  • Applications: Microsoft 365, browsers (Chrome, Firefox, Edge), Adobe products, Java
  • Network devices: firewalls, routers, switches, access points (firmware updates)
  • Server software: web servers, database servers, remote access platforms
  • NAS and storage devices: DSM, QTS, TrueNAS (all release security updates)
  • Security software: antivirus and EDR products themselves need to be kept current

Attackers exploit whichever layer is weakest. A fully patched Windows 10 installation sitting behind a firewall with a known, unpatched vulnerability is still at risk.

Windows Update: The Basics

For Windows workstations and servers, Windows Update is the primary patching mechanism. Microsoft releases updates on Patch Tuesday (the second Tuesday of each month), with out-of-band updates for critical vulnerabilities when warranted.

Settings to review:

  • Ensure Windows Update is enabled and not blocked by policy
  • Configure active hours so updates don’t interrupt work; ensure restarts happen outside of business hours
  • In Windows 10, Settings > Update & Security > Windows Update > Advanced Options provides control over update behaviour
  • For Windows Server, updates can be managed through Windows Server Update Services (WSUS) for centralised control across multiple machines

Don’t defer indefinitely. Windows allows feature updates to be deferred for extended periods, but not security updates. A device that hasn’t received updates in months is a known risk.

Third-Party Application Patching

Windows Update handles Microsoft products. Everything else requires separate attention.

Browsers update automatically in most configurations; verify that auto-update is enabled and not blocked.

Adobe products (Acrobat, Reader) are frequently targeted; enable automatic updates or check regularly.

Java is less common than it once was but remains present in some business environments. Keep it updated or remove it if not needed.

Line-of-business applications vary; check with the vendor for their update release schedule and process.

For businesses with multiple machines, a Remote Monitoring and Management (RMM) tool allows patch status to be monitored and updates deployed across all devices from a single console. This is standard practice for MSPs and significantly reduces the overhead of keeping a fleet of machines current.

Network Device Firmware

Routers, firewalls, switches, and access points all run firmware, and their vendors all release security updates for it. These are easy to overlook because the devices don’t prompt you the way Windows does.

Set a schedule to check firmware versions on your network devices quarterly at minimum. Many devices support automatic update checks; enable these where available.

Vulnerabilities in network devices are actively exploited. Unpatched VPN appliances and firewalls have been the entry point for significant attacks on small businesses. This is not a theoretical risk.

A Practical Patch Management Process

For a small business without a dedicated IT team, a workable process:

  1. Workstations: enable Windows Update with automatic installation outside business hours. Review for any failed updates monthly.
  2. Servers: review and apply Windows Server updates monthly, outside business hours, with a snapshot or backup taken before applying.
  3. Network devices: check firmware versions quarterly. Sign up for vendor security advisories if available.
  4. Applications: enable automatic updates where available. Check manually for applications that don’t auto-update.
  5. Document: keep a simple record of what’s been patched and when. This is useful for diagnosing problems and demonstrating due diligence.
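To make steps 1 and 5 concrete, here is an added PowerShell example (not from the original article) for the monthly workstation or server review: it lists failed installs from the Windows Update history, reports the date of the last successful install, any pending reboot and the updates still missing, and appends one line to a CSV patch log. It assumes an elevated PowerShell session on the machine being reviewed; the log path is a placeholder.

```powershell
# Added example, not from the original article. Monthly Windows Update review
# for one machine: failed installs, last successful install, pending reboot,
# missing updates, plus a one-line record appended to a CSV patch log.
# Assumes: elevated PowerShell on the machine itself. $LogPath is a placeholder.
$LogPath = 'C:\PatchLog\patch-review.csv'

$Session  = New-Object -ComObject 'Microsoft.Update.Session'
$Searcher = $Session.CreateUpdateSearcher()

# Update history. ResultCode (OperationResultCode): 2 = Succeeded,
# 3 = Succeeded with errors, 4 = Failed, 5 = Aborted. Operation 1 = Installation.
$Count    = $Searcher.GetTotalHistoryCount()
$History  = if ($Count -gt 0) { $Searcher.QueryHistory(0, $Count) } else { @() }
$Installs = $History | Where-Object { $_.Operation -eq 1 }

$Failed = $Installs | Where-Object { $_.ResultCode -in 4, 5 } |
    Select-Object Date, Title, @{ n = 'HResult'; e = { '0x{0:X8}' -f $_.HResult } }

$LastSuccess = ($Installs | Where-Object { $_.ResultCode -in 2, 3 } |
    Sort-Object Date -Descending | Select-Object -First 1).Date

# A machine with no successful install for months is the "known risk" case.
$DaysSince = if ($LastSuccess) { (New-TimeSpan -Start $LastSuccess -End (Get-Date)).Days } else { $null }

# Reboot-pending markers written by Windows Update and by Component Based Servicing.
$RebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                 (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

# Updates Windows Update knows about but has not installed (the search can take a minute).
$Missing = $Searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates |
    Select-Object Title, @{ n = 'Severity'; e = { $_.MsrcSeverity } }

# Print the review for the person doing the monthly check.
"Host: $env:COMPUTERNAME   Last successful install: $LastSuccess ($DaysSince days ago)"
"Reboot pending: $RebootPending   Failed installs: $($Failed.Count)   Missing updates: $($Missing.Count)"
if ($Failed)  { "`nFailed:";  $Failed  | Format-Table -AutoSize | Out-String }
if ($Missing) { "`nMissing:"; $Missing | Format-Table -AutoSize | Out-String }
if ($DaysSince -gt 60 -or $Failed.Count -gt 0) { Write-Warning "Review needed on $env:COMPUTERNAME" }

# Step 5: keep a simple record of what was patched and when.
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
[pscustomobject]@{
    Date                  = Get-Date -Format 'yyyy-MM-dd'
    Host                  = $env:COMPUTERNAME
    LastSuccessfulInstall = $LastSuccess
    FailedCount           = $Failed.Count
    MissingCount          = $Missing.Count
    RebootPending         = $RebootPending
} | Export-Csv -Path $LogPath -Append -NoTypeInformation
```

Run it as a scheduled task or from an RMM script once a month and the CSV becomes the audit trail the process asks for.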

For businesses with an MSP, patch management is typically included in the managed service; confirm the scope and reporting cadence with your provider.

Testing Before Deploying

In enterprise environments, patches are tested on a small group of machines before broad deployment to catch compatibility issues. For most SMBs, this level of process isn’t practical. A reasonable middle ground:

  • Apply patches to one or two machines first and confirm normal operation before rolling out broadly
  • For servers, take a VM snapshot before applying updates so you can roll back if something breaks
  • Review the update notes for anything flagged as potentially impactful before deploying