The Plain English Version

Patch management is the process of keeping your software up to date with security fixes. When vendors discover vulnerabilities in their software, they release patches to fix them. Your job is to apply those patches before attackers exploit the holes.

Think of it like maintaining a car - regular servicing prevents breakdowns. Skip the maintenance and eventually something fails, often at the worst possible time.

The Patching Window

When a vulnerability is discovered, attackers often develop exploits within days. Cyber Essentials requires critical patches to be applied within 14 days of release. For actively exploited vulnerabilities, you need to move faster.

Why Patching Matters So Much

Many of the biggest breaches exploited known vulnerabilities where patches were available but not applied. WannaCry ransomware spread through systems missing a patch that had been available for months.

Attackers actively scan for unpatched systems. Automated tools make it easy to find and exploit known vulnerabilities at scale.

What Needs Patching

  • Operating systems - Windows, macOS, Linux, mobile devices
  • Applications - Office, browsers, PDF readers, everything
  • Firmware - Routers, firewalls, IoT devices
  • Server software - Web servers, databases, email systems
  • Cloud services - Configuration updates and security settings

Building a Patch Process

Effective patch management needs: inventory (know what you have), prioritisation (critical security patches first), testing (where practical), deployment (automated where possible), and verification (confirm patches applied).

For most SMEs, enabling automatic updates is the right choice. The risk of a patch causing problems is far lower than the risk of leaving vulnerabilities unpatched.
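The prioritisation and verification steps above, combined with the 14-day window for critical patches, can be checked with a short script. This is an added example, not part of the original page: the inventory, host names and dates are constructed, and the 7-day figure for actively exploited vulnerabilities is an assumption, since the text says only to move faster.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CRITICAL_WINDOW_DAYS = 14  # Cyber Essentials figure quoted in the text
EXPLOITED_WINDOW_DAYS = 7  # assumption: the text gives no number here

@dataclass
class Patch:
    host: str
    product: str
    severity: str
    released: date
    actively_exploited: bool = False
    installed: Optional[date] = None  # None = verification found it missing

def deadline(p: Patch) -> Optional[date]:
    """Install-by date, or None when no window applies to this patch."""
    if p.actively_exploited:
        return p.released + timedelta(days=EXPLOITED_WINDOW_DAYS)
    if p.severity == "critical":
        return p.released + timedelta(days=CRITICAL_WINDOW_DAYS)
    return None

def audit(inventory, today):
    """Return (status, days_late, patch) rows, most urgent first."""
    rows = []
    for p in inventory:
        if (due := deadline(p)) is None:
            continue
        days_late = ((p.installed or today) - due).days
        labels = ("OVERDUE", "PENDING") if p.installed is None else ("LATE", "OK")
        status = labels[0] if days_late > 0 else labels[1]
        rows.append((status, days_late, p))
    order = {"OVERDUE": 0, "PENDING": 1, "LATE": 2, "OK": 3}
    rows.sort(key=lambda r: (order[r[0]], not r[2].actively_exploited, -r[1]))
    return rows

# Constructed sample inventory (hosts, products and dates are made up)
TODAY = date(2024, 6, 30)
INVENTORY = [
    Patch("laptop-01", "browser", "critical", date(2024, 6, 20)),
    Patch("server-01", "web server", "critical", date(2024, 6, 1)),
    Patch("router-01", "firmware", "high", date(2024, 6, 10), actively_exploited=True),
    Patch("laptop-02", "office suite", "critical", date(2024, 6, 1), installed=date(2024, 6, 10)),
    Patch("laptop-03", "pdf reader", "low", date(2024, 5, 1)),
]
for status, days_late, p in audit(INVENTORY, TODAY):
    print(f"{status:8} {p.host:10} {p.product:12} {days_late:+d} days vs deadline")
```

Rows marked OVERDUE are the ones that need either the patch or a compensating control now; PENDING rows are still inside their window.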

Common Challenges

The usual obstacles are legacy systems that cannot be updated, business-critical applications that require testing, devices that are hard to reach, and simply keeping track of everything. These are real challenges, but they are not excuses - unpatched systems need compensating controls.