How to Handle Security Patches and Updates Effectively

Every piece of software your business uses — from the Windows operating system on your desktops to the firmware on your firewall — contains vulnerabilities. Some are discovered by security researchers and responsibly disclosed to the vendor, who releases a patch. Others are found by cyber criminals and exploited before a fix is available. The difference between a secure organisation and one that gets breached often comes down to how quickly and effectively security patches are applied.

For UK businesses, effective patch management is not just good practice — it's a regulatory expectation. The NCSC's Cyber Essentials scheme requires that high-risk and critical security patches are applied within 14 days of release. The ICO considers patching a fundamental element of "appropriate technical measures" under UK GDPR. And yet, unpatched vulnerabilities remain one of the most common attack vectors used by cyber criminals targeting British organisations.

This guide provides a comprehensive framework for managing security patches effectively, from building a patch management policy to choosing the right tools and responding to zero-day threats.

14 Days: Maximum time to apply critical patches under Cyber Essentials — many breaches exploit vulnerabilities left unpatched for months

Why Patch Management Matters

The statistics on unpatched vulnerabilities are sobering. According to multiple industry reports, over 60% of successful cyber attacks exploit known vulnerabilities for which a patch was already available. The average time between a vulnerability being disclosed and it being exploited by attackers has shrunk dramatically — from weeks to sometimes hours. Meanwhile, many organisations take 60 to 150 days to apply critical patches, leaving a dangerous window of exposure.

The business impact of failing to patch is not theoretical. The WannaCry ransomware attack of 2017, which caused devastating damage to the NHS and organisations worldwide, exploited a vulnerability in Windows for which Microsoft had released a patch two months earlier. Organisations that had applied the patch were protected. Those that hadn't — including many NHS Trusts — suffered significant disruption, with cancelled operations, diverted ambulances, and millions of pounds in recovery costs.

The Real Cost of Not Patching

The 2017 WannaCry attack cost the NHS an estimated £92 million in direct costs and lost output. The vulnerability it exploited (EternalBlue, MS17-010) had been patched by Microsoft in March 2017 — two months before the attack hit in May. Every organisation that had applied the patch was immune. This single incident illustrates, in the starkest possible terms, why timely patching is not optional.

Building a Patch Management Policy

Effective patch management starts with a clear, documented policy that defines your organisation's approach to identifying, testing, and deploying patches. A good policy covers scope, prioritisation, timelines, responsibilities, and exceptions.

Scope

Your patch management policy should cover all technology assets in your organisation: server operating systems (Windows Server, Linux), desktop and laptop operating systems (Windows 10/11, macOS), applications (Microsoft 365, Adobe products, line-of-business software), network devices (firewalls, switches, access points), firmware on hardware devices, and mobile device operating systems and applications. Many organisations focus their patching efforts on Windows servers and desktops but neglect network equipment, firmware, and third-party applications — which are increasingly targeted by attackers.

Prioritisation Framework

Not all patches are equal. A critical remote code execution vulnerability in your internet-facing web server is far more urgent than a minor UI fix in an internal application. Your policy should define how patches are prioritised based on the severity of the vulnerability, the exposure of the affected system, and the potential business impact of both the vulnerability being exploited and the patch being applied.

| Priority  | CVSS Score                        | Deployment Timeline     | Testing Required             |
|-----------|-----------------------------------|-------------------------|------------------------------|
| Emergency | 9.0–10.0 with active exploitation | Within 24–48 hours      | Minimal — focused smoke test |
| Critical  | 9.0–10.0                          | Within 7 days           | Core application testing     |
| High      | 7.0–8.9                           | Within 14 days          | Standard testing cycle       |
| Medium    | 4.0–6.9                           | Within 30 days          | Standard testing cycle       |
| Low       | 0.1–3.9                           | Next maintenance window | Standard testing cycle       |

Understanding Vulnerability Scoring (CVSS)

The Common Vulnerability Scoring System (CVSS) is the industry-standard framework for assessing the severity of security vulnerabilities. Understanding CVSS scores helps you make informed prioritisation decisions about which patches to apply first.

CVSS Score Components

A CVSS score ranges from 0.0 to 10.0, with higher scores indicating more severe vulnerabilities. The score is calculated based on several factors: the attack vector (can it be exploited remotely over the network, or does the attacker need physical access?), the attack complexity (is exploitation straightforward, or does it require specific conditions?), the privileges required (can an unauthenticated attacker exploit it, or do they need valid credentials?), the user interaction required (does the victim need to click a link or open a file?), and the impact on confidentiality, integrity, and availability of the affected system.

CVSS 9.0–10.0: Critical — Immediate action required
CVSS 7.0–8.9: High — Patch within 14 days
CVSS 4.0–6.9: Medium — Patch within 30 days
CVSS 0.1–3.9: Low — Next maintenance window

Beyond CVSS: Context Matters

While CVSS scores provide a useful starting point, they don't tell the whole story. A vulnerability with a CVSS score of 7.5 in your internet-facing web server is far more urgent than the same score in a system that's isolated on an internal network with no external access. Your patch prioritisation should consider the CVSS score alongside the asset's exposure (internet-facing vs internal), the asset's criticality to business operations, whether active exploitation has been observed in the wild, and whether compensating controls (such as firewall rules or network segmentation) reduce the risk.
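The following added example (written for this guide, not part of the original article or any product) turns the prioritisation table above and the context factors just listed into code. The tiers and deadlines are the ones from the table; the adjustment rules for exposure, criticality and compensating controls are one illustrative policy and are marked as assumptions in the code. The asset names and release date are constructed.

```python
"""Map a CVSS score plus asset context to this guide's priority tiers and
deployment deadlines (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Tiers from the prioritisation table, most urgent first.
TIERS = ["Emergency", "Critical", "High", "Medium", "Low"]

# Deployment deadline in days per tier; None means "next maintenance window".
DEADLINE_DAYS = {"Emergency": 2, "Critical": 7, "High": 14, "Medium": 30, "Low": None}

# Constructed example release date used by the demo below.
RELEASED = date(2024, 3, 12)


@dataclass
class Asset:
    name: str
    internet_facing: bool        # reachable from the internet, or internal only
    business_critical: bool      # essential to day-to-day operations
    compensating_controls: bool  # e.g. firewall rule or segmentation already in place


def base_tier(cvss: float, actively_exploited: bool) -> str:
    """Tier from the CVSS score alone, exactly as in the table."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS score must be between 0.0 and 10.0")
    if cvss >= 9.0:
        return "Emergency" if actively_exploited else "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def contextual_tier(cvss: float, actively_exploited: bool, asset: Asset) -> str:
    """Adjust the table tier for the context factors the guide names.

    Assumption (this example's policy, not the article's): internet exposure or
    business criticality raises urgency by one tier, but nothing becomes
    Emergency without active exploitation; an isolated asset with compensating
    controls may drop one tier, never when exploitation is already observed.
    """
    idx = TIERS.index(base_tier(cvss, actively_exploited))
    most_urgent_allowed = 0 if actively_exploited else 1
    if asset.internet_facing or asset.business_critical:
        idx = max(idx - 1, most_urgent_allowed)
    elif asset.compensating_controls and not actively_exploited:
        idx = min(idx + 1, len(TIERS) - 1)
    return TIERS[idx]


def deadline(tier: str, released: date) -> Optional[date]:
    """Date by which the patch must be deployed, or None for the next window."""
    days = DEADLINE_DAYS[tier]
    return None if days is None else released + timedelta(days=days)


if __name__ == "__main__":
    web = Asset("web-01", internet_facing=True, business_critical=True, compensating_controls=False)
    lab = Asset("lab-07", internet_facing=False, business_critical=False, compensating_controls=True)
    for cvss, exploited, asset in ((7.5, False, web), (7.5, False, lab), (9.8, True, lab)):
        tier = contextual_tier(cvss, exploited, asset)
        print(f"{asset.name}: CVSS {cvss} -> {tier}, deploy by {deadline(tier, RELEASED)}")
```

The same 7.5 score yields a Critical, seven-day deadline for the internet-facing server and a Medium, thirty-day deadline for the isolated lab machine, which is the point of the section: the score starts the conversation, the asset's exposure finishes it.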

Testing Before Deployment

One of the primary reasons organisations delay patching is the fear that a patch will break something. This fear is not unfounded — patches do occasionally cause compatibility issues, performance degradation, or application failures. The solution is not to avoid patching (which is far more dangerous) but to implement a structured testing process that catches problems before patches reach production systems.

The Testing Process

A practical testing process for most UK SMEs involves three stages. First, deploy the patch to a small set of test machines that represent your production environment — ideally including at least one machine running each of your critical applications. Monitor these machines for 24 to 48 hours, checking for application crashes, performance issues, or unexpected behaviour. Second, if no issues are found, deploy to a pilot group — perhaps 10% of your production machines, selected to include a cross-section of departments and use cases. Monitor for a further 24 hours. Third, if the pilot is successful, deploy to the remainder of your production environment.

For emergency patches (CVSS 9.0+ with active exploitation), this testing cycle may need to be compressed to hours rather than days. In these cases, the risk of exploitation outweighs the risk of the patch causing issues, and a rapid deployment with close monitoring is the appropriate response.

Testing Best Practice

Maintain a small but representative test environment that mirrors your production setup. This doesn't need to be expensive — a few virtual machines running your key applications is usually sufficient. The investment in a test environment pays for itself the first time it catches a problem patch before it reaches your production systems. Many organisations have learned this lesson the hard way, after a faulty patch took down their entire fleet of workstations during business hours.

Patch Management Tools

Manual patch management — logging into each server and workstation individually to install updates — is impractical for any organisation with more than a handful of devices. Fortunately, several tools can automate and centralise the patch management process.

Windows Server Update Services (WSUS)

WSUS is Microsoft's free tool for managing Windows updates across a network. It allows you to download patches from Microsoft once and distribute them to all your Windows machines locally, saving internet bandwidth. You can approve or decline individual patches, target specific patches to specific groups of machines (enabling the phased testing approach described above), and report on patch compliance across your estate.

WSUS is a solid choice for smaller organisations that primarily need to patch Windows operating systems and Microsoft products. However, it doesn't handle third-party application patches (like Adobe, Java, or Chrome), which must be managed separately.

Microsoft Intune

For organisations using Microsoft 365, Intune provides cloud-based endpoint management including patch management. Intune can manage Windows updates, deploy software updates, enforce compliance policies, and report on device health — all from the cloud, without the need for on-premises infrastructure. It's particularly effective for managing remote and hybrid workers whose devices may not always be on the corporate network.

Microsoft Configuration Manager (SCCM / MECM)

For larger organisations with complex patching requirements, Microsoft Endpoint Configuration Manager (formerly SCCM) provides enterprise-grade patch management capabilities. It can manage Windows and third-party application patches, deploy patches to thousands of machines with precise targeting and scheduling, report on compliance in granular detail, and integrate with WSUS for Windows update management. Configuration Manager is the most powerful option but also the most complex and expensive to deploy and maintain.

Automated Patching Pros

  • Consistent, reliable deployment
  • Reduced manual effort and human error
  • Detailed compliance reporting
  • Scheduled deployments during off-hours
  • Centralised management of all devices
  • Faster response to critical vulnerabilities

Manual Patching Risks

  • Inconsistent coverage — devices get missed
  • Time-consuming — doesn't scale
  • No centralised visibility or reporting
  • Difficult to enforce timelines
  • Prone to human error
  • Impossible to demonstrate compliance

Patch Tuesday and the Monthly Cycle

Microsoft releases its monthly security updates on the second Tuesday of each month — known as "Patch Tuesday." This predictable schedule allows organisations to plan their patching cycles accordingly. A typical monthly patching cycle might look like this:

Week 1 (Patch Tuesday): Microsoft releases updates. Your IT team reviews the patches, identifies those relevant to your environment, assesses their severity, and begins testing on pilot machines.

Week 2: Testing continues. Patches that pass testing are approved for wider deployment. Any issues are investigated and mitigated before proceeding.

Week 3: Approved patches are deployed to production servers and workstations, typically during a scheduled maintenance window (evenings or weekends to minimise disruption).

Week 4: Compliance checking. Verify that all targeted machines have received the patches successfully. Follow up on any machines that failed or were offline during the deployment window. Generate compliance reports for management and audit purposes.
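The cycle above can be laid out for any month. The code below is an added example written for this guide (not a Microsoft tool): it finds the second Tuesday of a month, derives the date each week of the cycle begins, and checks a deployment date against the 14-day Cyber Essentials window discussed elsewhere in this guide. The week offsets follow the four-week cycle described above.

```python
"""Patch Tuesday and the four-week cycle around it (added example)."""
import calendar
from datetime import date, timedelta

CYBER_ESSENTIALS_WINDOW_DAYS = 14  # critical/high-risk patches within 14 days of release


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month (Microsoft's monthly release day)."""
    first_weekday = date(year, month, 1).weekday()  # Monday == 0
    days_to_first_tuesday = (calendar.TUESDAY - first_weekday) % 7
    # First Tuesday is day 1 + offset; the second is one week later (at most day 14).
    return date(year, month, 1 + days_to_first_tuesday + 7)


def monthly_cycle(year: int, month: int) -> dict:
    """Start date of each stage in the cycle, keyed by stage name."""
    release = patch_tuesday(year, month)
    return {
        "week1_release_and_pilot_testing": release,
        "week2_approve_for_deployment": release + timedelta(days=7),
        "week3_production_deployment": release + timedelta(days=14),
        "week4_compliance_check": release + timedelta(days=21),
    }


def days_after_release(released: date, deployed: date) -> int:
    return (deployed - released).days


def within_cyber_essentials_window(released: date, deployed: date) -> bool:
    """True if deployment happened no later than 14 days after release."""
    return 0 <= days_after_release(released, deployed) <= CYBER_ESSENTIALS_WINDOW_DAYS


if __name__ == "__main__":
    for stage, day in monthly_cycle(2024, 3).items():
        print(f"{stage}: {day} (day {days_after_release(patch_tuesday(2024, 3), day)})")
```

Note what the arithmetic exposes: production deployment at the start of week 3 lands exactly on day 14, and a weekend maintenance window later that week falls outside the 14-day window. The generic cycle suits medium-severity updates; critical and high-severity patches need an earlier deployment slot, as the prioritisation table earlier in this guide already requires.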

2nd Tuesday: Microsoft's Patch Tuesday — the anchor point for most organisations' monthly patch management cycle

Zero-Day Response

A zero-day vulnerability is one that is being actively exploited before the vendor has released a patch. Zero-day incidents require a different response from routine patching — they demand immediate action to reduce exposure while waiting for an official fix.

Immediate Response Steps

When a zero-day vulnerability is announced, your IT team should immediately assess whether your organisation is affected. Identify which systems run the vulnerable software and determine your level of exposure. If a patch is not yet available, implement compensating controls — temporary measures that reduce the risk of exploitation. These might include firewall rules to block the attack vector, disabling the vulnerable feature or service, network segmentation to isolate affected systems, or increased monitoring for signs of exploitation.

Subscribe to vulnerability notification services such as the NCSC's Early Warning service, Microsoft Security Response Center (MSRC) alerts, and CVE databases to ensure you learn about zero-day vulnerabilities as quickly as possible. The faster you know about a threat, the faster you can respond.

NCSC Early Warning Service

The NCSC offers a free Early Warning service for UK organisations that provides alerts about cyber threats, including zero-day vulnerabilities that may affect your systems. The service analyses a range of intelligence sources and proactively notifies organisations that may be at risk. Registering for this service is free and strongly recommended — it could give you critical hours of advance warning when a new threat emerges.

Third-Party Application Patching

Windows updates get the most attention, but third-party applications are increasingly targeted by attackers. Adobe products, Java, web browsers, Zoom, and other commonly used applications all require regular patching. In fact, some security researchers estimate that third-party application vulnerabilities now account for more successful attacks than operating system vulnerabilities.

Tools like Ninite Pro, PDQ Deploy, or Intune's Win32 app management can automate the deployment of third-party application updates. Configuration Manager also supports third-party patching with appropriate plugins. Regardless of the tool, ensure that third-party applications are included in your patch management policy and subject to the same prioritisation and testing processes as operating system updates.

Measuring and Reporting Patch Compliance

What gets measured gets managed. Regular reporting on patch compliance is essential for maintaining standards, demonstrating due diligence to auditors and regulators, and identifying areas where your patch management process needs improvement.

Key Metrics to Track

The most important patch management metrics include mean time to patch (the average number of days between a patch being released and it being applied across your estate), patch compliance rate (the percentage of devices that are fully patched at any given time), critical patch compliance (the percentage of critical patches applied within your defined SLA), and exceptions (the number and age of approved patch exceptions, where a specific patch has been deliberately deferred due to compatibility issues).
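All four metrics can be derived from a simple per-device patch inventory. The following is an added example written for this guide (not from the article or any reporting product). The records, device names and patch identifiers are constructed; the SLA constant is the 14-day Cyber Essentials figure, and two choices are this example's own and marked as such: a device with an approved exception still counts as compliant, and a critical patch that is unapplied but not yet past its deadline is left out of the critical compliance denominator rather than counted as a miss.

```python
"""Patch compliance metrics from per-device patch records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

CRITICAL_SLA_DAYS = 14  # Cyber Essentials: high-risk/critical patches within 14 days


@dataclass
class PatchRecord:
    device: str
    patch_id: str
    released: date
    severity: str                              # "Critical", "High", "Medium", "Low"
    applied: Optional[date]                    # None means still missing
    exception_approved: Optional[date] = None  # date an approved deferral was granted


# Constructed sample inventory: three devices, two patches each.
SAMPLE_RECORDS = [
    PatchRecord("SRV-01", "PATCH-A", date(2024, 3, 12), "Critical", date(2024, 3, 19)),
    PatchRecord("SRV-01", "PATCH-B", date(2024, 3, 12), "Medium", date(2024, 3, 26)),
    PatchRecord("SRV-02", "PATCH-A", date(2024, 3, 12), "Critical", date(2024, 4, 2)),   # 21 days: SLA missed
    PatchRecord("SRV-02", "PATCH-B", date(2024, 3, 12), "Medium", None, date(2024, 3, 20)),  # approved exception
    PatchRecord("WKS-01", "PATCH-A", date(2024, 3, 12), "Critical", None),              # missing and overdue
    PatchRecord("WKS-01", "PATCH-B", date(2024, 3, 12), "Medium", date(2024, 3, 26)),
]
AS_OF = date(2024, 4, 15)  # constructed reporting date


def compliance_report(records: list, as_of: date) -> dict:
    # Mean time to patch: days from release to installation, over applied patches only.
    durations = [(r.applied - r.released).days for r in records if r.applied]
    mttp = round(sum(durations) / len(durations), 1) if durations else None

    # Patch compliance rate: a device is fully patched when every patch is applied
    # or covered by an approved exception (this example's policy choice).
    by_device = defaultdict(list)
    for r in records:
        by_device[r.device].append(r)
    compliant_devices = sum(
        all(r.applied or r.exception_approved for r in recs) for recs in by_device.values()
    )
    compliance_pct = round(100 * compliant_devices / len(by_device), 1) if by_device else None

    # Critical patch compliance: share of critical patches applied within the SLA.
    # Denominator: critical patches that are applied or already past their deadline.
    critical = [r for r in records if r.severity == "Critical"]
    due = [r for r in critical if r.applied or (as_of - r.released).days > CRITICAL_SLA_DAYS]
    within_sla = [r for r in due if r.applied and (r.applied - r.released).days <= CRITICAL_SLA_DAYS]
    critical_pct = round(100 * len(within_sla) / len(due), 1) if due else None

    # Exceptions: open approved deferrals and how long each has been open.
    exceptions = [r for r in records if r.applied is None and r.exception_approved]
    exception_ages = sorted((as_of - r.exception_approved).days for r in exceptions)

    return {
        "mean_time_to_patch_days": mttp,
        "patch_compliance_pct": compliance_pct,
        "critical_patch_compliance_pct": critical_pct,
        "exception_count": len(exceptions),
        "exception_ages_days": exception_ages,
    }


if __name__ == "__main__":
    for name, value in compliance_report(SAMPLE_RECORDS, AS_OF).items():
        print(f"{name}: {value}")
```

The sample deliberately shows how the headline number can mislead: two of three devices are "compliant", yet only one of three critical patches met the 14-day SLA. Tracking critical patch compliance separately, as the text recommends, is what surfaces that gap.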

Servers — Patch Compliance 96%
Workstations — Patch Compliance 91%
Third-Party Apps — Patch Compliance 85%
Network Devices — Firmware Compliance 78%

Cyber Essentials and Patch Management

The NCSC's Cyber Essentials scheme includes patch management as one of its five technical controls. To achieve Cyber Essentials certification, your organisation must demonstrate that all software and firmware are licensed and supported (no end-of-life software), that automatic updates are enabled where possible, and that high-risk and critical security patches are applied within 14 days of release. For Cyber Essentials Plus certification, these requirements are verified through hands-on technical assessment.

Meeting these requirements is straightforward if you have a well-defined patch management policy and appropriate tooling. The 14-day requirement for critical patches aligns with the timeline recommended earlier in this guide, and the requirement to remove unsupported software provides additional motivation to maintain a current, supported estate.

Need Help with Patch Management?

We provide fully managed patch management services for UK businesses, covering Windows, macOS, Linux, third-party applications, and network device firmware. Our team ensures your systems are consistently patched, compliant with Cyber Essentials requirements, and protected against the latest threats — so you can focus on running your business.

Tags: Patch Management, Updates, Cybersecurity
CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.