How to Handle Security Patches and Updates Effectively

Every piece of software your business uses — from the Windows operating system on your desktops to the firmware on your firewall — contains vulnerabilities. Some are discovered by security researchers and responsibly disclosed to the vendor, who releases a patch. Others are found by cyber criminals and exploited before a fix is available. The difference between a secure organisation and one that gets breached often comes down to how quickly and effectively security patches are applied.

For UK businesses, effective patch management is not just good practice — it's a regulatory expectation. The NCSC's Cyber Essentials scheme requires that high-risk and critical security patches are applied within 14 days of release. The ICO considers patching as a fundamental element of "appropriate technical measures" under UK GDPR. And yet, unpatched vulnerabilities remain one of the most common attack vectors used by cyber criminals targeting British organisations.

This guide provides a comprehensive framework for managing security patches effectively, from building a patch management policy to choosing the right tools and responding to zero-day threats.

Key figures:

  • 60% of successful cyber attacks exploit known, unpatched vulnerabilities where a fix was already available
  • £4.2M: average cost of a data breach for UK organisations in 2024, according to IBM’s annual report
  • 14 days: maximum time permitted to apply critical patches under the NCSC’s Cyber Essentials scheme
  • 38% of UK small and medium businesses reported a cyber attack or breach in the past 12 months

Why Patch Management Matters

The statistics on unpatched vulnerabilities are sobering. According to multiple industry reports, over 60% of successful cyber attacks exploit known vulnerabilities for which a patch was already available. The average time between a vulnerability being disclosed and it being exploited by attackers has shrunk dramatically — from weeks to sometimes hours. Meanwhile, many organisations take 60 to 150 days to apply critical patches, leaving a dangerous window of exposure.

The business impact of failing to patch is not theoretical. The WannaCry ransomware attack of 2017, which caused devastating damage to the NHS and organisations worldwide, exploited a vulnerability in Windows for which Microsoft had released a patch two months earlier. Organisations that had applied the patch were protected. Those that hadn't — including many NHS Trusts — suffered significant disruption, with cancelled operations, diverted ambulances, and millions of pounds in recovery costs.

Beyond headline-grabbing incidents like WannaCry, unpatched systems are the bread and butter of opportunistic cyber criminals. Automated scanning tools constantly probe the internet for machines running vulnerable software, and once a vulnerability is publicly disclosed, the race between patching and exploitation begins in earnest. For UK organisations handling personal data, the consequences extend beyond operational disruption — the ICO has the power to impose fines of up to £17.5 million or 4% of annual global turnover for failures in data protection, and inadequate patching has been cited as a contributing factor in multiple enforcement actions.

The Real Cost of Not Patching

The 2017 WannaCry attack cost the NHS an estimated £92 million in direct costs and lost output. The vulnerability it exploited (EternalBlue, MS17-010) had been patched by Microsoft in March 2017 — two months before the attack hit in May. Every organisation that had applied the patch was immune. This single incident illustrates, in the starkest possible terms, why timely patching is not optional.

Pro Tip

Register for the NCSC’s Early Warning service and subscribe to vendor security bulletins (Microsoft MSRC, Adobe PSIRT, Cisco Security Advisories) to receive vulnerability notifications as soon as they are published. The difference between learning about a critical flaw on the day of disclosure versus a week later can be the difference between patching in time and suffering a breach.

Building a Patch Management Policy

Effective patch management starts with a clear, documented policy that defines your organisation's approach to identifying, testing, and deploying patches. A good policy covers scope, prioritisation, timelines, responsibilities, and exceptions.

Scope

Your patch management policy should cover all technology assets in your organisation: server operating systems (Windows Server, Linux), desktop and laptop operating systems (Windows 10/11, macOS), applications (Microsoft 365, Adobe products, line-of-business software), network devices (firewalls, switches, access points), firmware on hardware devices, and mobile device operating systems and applications. Many organisations focus their patching efforts on Windows servers and desktops but neglect network equipment, firmware, and third-party applications — which are increasingly targeted by attackers.

Prioritisation Framework

Not all patches are equal. A critical remote code execution vulnerability in your internet-facing web server is far more urgent than a minor UI fix in an internal application. Your policy should define how patches are prioritised based on the severity of the vulnerability, the exposure of the affected system, and the potential business impact of both the vulnerability being exploited and the patch being applied.

Priority  | CVSS Score                        | Deployment Timeline     | Testing Required
Emergency | 9.0–10.0 with active exploitation | Within 24–48 hours      | Minimal — focused smoke test
Critical  | 9.0–10.0                          | Within 7 days           | Core application testing
High      | 7.0–8.9                           | Within 14 days          | Standard testing cycle
Medium    | 4.0–6.9                           | Within 30 days          | Standard testing cycle
Low       | 0.1–3.9                           | Next maintenance window | Standard testing cycle

Roles and Responsibilities

A patch management policy is only as good as the people responsible for executing it. Your policy should clearly define who is accountable for each stage of the process. In many UK SMEs, the IT manager or a managed service provider bears primary responsibility, but it is essential to document this explicitly. Typical roles include a patch management lead who oversees the entire process, monitors vendor advisories, and makes prioritisation decisions; system administrators who perform testing and deployment; a change advisory board (even if informal) that approves emergency patches outside the normal cycle; and end users who are responsible for not deferring or cancelling updates on their machines. For organisations working with a managed IT partner like Cloudswitched, these responsibilities are typically shared under a clearly defined service level agreement, ensuring nothing falls through the cracks.

Exception Management

Not every patch can be applied immediately. Some patches may conflict with critical line-of-business applications, cause known compatibility issues, or require system downtime that cannot be scheduled within the normal timeline. Your policy should include a formal exception process that requires a documented risk assessment for any patch that is deferred beyond its standard deadline, approval from an appropriate authority (IT manager, information security officer, or senior management), a compensating control to mitigate the risk while the patch remains unapplied (such as a firewall rule, network segmentation, or enhanced monitoring), and a defined review date by which the exception must be re-evaluated. Exceptions should be the exception, not the rule. If your organisation routinely defers patches, this is a sign that your patch management process — or your underlying IT infrastructure — needs attention.

Understanding Vulnerability Scoring (CVSS)

The Common Vulnerability Scoring System (CVSS) is the industry-standard framework for assessing the severity of security vulnerabilities. Understanding CVSS scores helps you make informed prioritisation decisions about which patches to apply first.

CVSS Score Components

A CVSS score ranges from 0.0 to 10.0, with higher scores indicating more severe vulnerabilities. The score is calculated based on several factors: the attack vector (can it be exploited remotely over the network, or does the attacker need physical access?), the attack complexity (is exploitation straightforward, or does it require specific conditions?), the privileges required (can an unauthenticated attacker exploit it, or do they need valid credentials?), the user interaction required (does the victim need to click a link or open a file?), and the impact on confidentiality, integrity, and availability of the affected system.

CVSS 9.0–10.0: Critical — Immediate action required
CVSS 7.0–8.9: High — Patch within 14 days
CVSS 4.0–6.9: Medium — Patch within 30 days
CVSS 0.1–3.9: Low — Next maintenance window

Beyond CVSS: Context Matters

While CVSS scores provide a useful starting point, they don't tell the whole story. A vulnerability with a CVSS score of 7.5 in your internet-facing web server is far more urgent than the same score in a system that's isolated on an internal network with no external access. Your patch prioritisation should consider the CVSS score alongside the asset's exposure (internet-facing vs internal), the asset's criticality to business operations, whether active exploitation has been observed in the wild, and whether compensating controls (such as firewall rules or network segmentation) reduce the risk.
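As an added example (not code from the article or from Cloudswitched), the following Python turns the prioritisation table earlier in this guide and the context factors just listed into a repeatable triage decision. The exposure categories, the one-level adjustments and the reading of "high-risk and critical" as CVSS 7.0 and above are assumptions made here, and the vulnerability references are placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

# Added example (not the article's code): applies the article's prioritisation
# table plus its context factors (exposure, exploitation, criticality, controls).

class Exposure(Enum):
    INTERNET_FACING = "internet-facing"
    INTERNAL = "internal"
    ISOLATED = "isolated"          # segmented, no external access

@dataclass
class Vulnerability:
    ref: str                       # constructed placeholder identifier
    cvss: float                    # CVSS base score, 0.1 to 10.0
    exposure: Exposure
    actively_exploited: bool = False
    business_critical: bool = False
    compensating_control: bool = False   # e.g. firewall rule, segmentation

@dataclass
class Decision:
    priority: str
    deadline_days: Optional[int]   # None means "next maintenance window"
    testing: str
    rationale: List[str] = field(default_factory=list)

# CVSS bands from the article's table.  "Emergency" is not a CVSS band: it is
# reachable only for flaws that are being actively exploited.
CVSS_BANDS = [("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1)]
ORDER = ["Low", "Medium", "High", "Critical", "Emergency"]
TIMELINE = {                       # deadline in days and testing depth, same table
    "Emergency": (2, "Minimal, focused smoke test"),
    "Critical": (7, "Core application testing"),
    "High": (14, "Standard testing cycle"),
    "Medium": (30, "Standard testing cycle"),
    "Low": (None, "Standard testing cycle"),
}
# Cyber Essentials: high-risk and critical patches within 14 days.  Assumed here
# to mean CVSS 7.0 and above, matching the article's own "High" band.
CE_DEADLINE_DAYS, CE_CVSS_FLOOR = 14, 7.0

def base_priority(cvss: float) -> str:
    if not 0.1 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    return next(name for name, floor in CVSS_BANDS if cvss >= floor)

def shift(priority: str, steps: int, exploited: bool) -> str:
    """Move up or down the scale; only exploited flaws may reach Emergency."""
    ceiling = ORDER.index("Emergency" if exploited else "Critical")
    return ORDER[max(0, min(ORDER.index(priority) + steps, ceiling))]

def triage(v: Vulnerability) -> Decision:
    priority = base_priority(v.cvss)
    why = [f"CVSS {v.cvss} -> {priority}"]
    if v.actively_exploited:                      # one level up, may reach Emergency
        priority = shift(priority, 1, True)
        why.append(f"active exploitation -> {priority}")
    if v.exposure is Exposure.INTERNET_FACING:    # assumed adjustment: one level up
        priority = shift(priority, 1, v.actively_exploited)
        why.append(f"internet-facing -> {priority}")
    if v.business_critical:                       # assumed adjustment: one level up
        priority = shift(priority, 1, v.actively_exploited)
        why.append(f"business-critical asset -> {priority}")
    if (v.compensating_control and v.exposure is Exposure.ISOLATED
            and not v.actively_exploited):        # assumed adjustment: one level down
        priority = shift(priority, -1, False)
        why.append(f"isolated with compensating control -> {priority}")
    days, testing = TIMELINE[priority]
    # A compensating control never extends a CVSS 7.0+ patch past the 14-day rule.
    if v.cvss >= CE_CVSS_FLOOR and (days is None or days > CE_DEADLINE_DAYS):
        days = CE_DEADLINE_DAYS
        why.append("capped at the Cyber Essentials 14-day requirement")
    return Decision(priority, days, testing, why)

if __name__ == "__main__":
    for v in (Vulnerability("EXAMPLE-1", 7.5, Exposure.INTERNET_FACING),
              Vulnerability("EXAMPLE-2", 7.5, Exposure.ISOLATED, compensating_control=True),
              Vulnerability("EXAMPLE-3", 9.8, Exposure.INTERNET_FACING, actively_exploited=True)):
        print(v.ref, triage(v))
```

The rationale list is kept so the decision can be written into the exception record or change ticket alongside the deadline.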

The Shrinking Exploitation Window

One of the most alarming trends in cyber security is the dramatic reduction in the time between a vulnerability being publicly disclosed and threat actors beginning to exploit it at scale. Data from threat intelligence firms and the NCSC shows that this window has collapsed from weeks or months to, in many cases, just hours. The following chart illustrates the average number of days from public disclosure to first observed exploitation, based on aggregated industry data. This trend underscores why organisations cannot afford to wait — the patching window is closing faster every year, and the organisations that survive are those with the most efficient, automated patch management processes.

Average days from public disclosure to first observed exploitation (chart data):

  • 2019: 42 days
  • 2020: 28 days
  • 2021: 17 days
  • 2022: 9 days
  • 2023: 5 days
  • 2024: 2 days

Testing Before Deployment

One of the primary reasons organisations delay patching is the fear that a patch will break something. This fear is not unfounded — patches do occasionally cause compatibility issues, performance degradation, or application failures. The solution is not to avoid patching (which is far more dangerous) but to implement a structured testing process that catches problems before patches reach production systems.

The Testing Process

A practical testing process for most UK SMEs involves three stages. First, deploy the patch to a small set of test machines that represent your production environment — ideally including at least one machine running each of your critical applications. Monitor these machines for 24 to 48 hours, checking for application crashes, performance issues, or unexpected behaviour. Second, if no issues are found, deploy to a pilot group — perhaps 10% of your production machines, selected to include a cross-section of departments and use cases. Monitor for a further 24 hours. Third, if the pilot is successful, deploy to the remainder of your production environment.

For emergency patches (CVSS 9.0+ with active exploitation), this testing cycle may need to be compressed to hours rather than days. In these cases, the risk of exploitation outweighs the risk of the patch causing issues, and a rapid deployment with close monitoring is the appropriate response.

Testing Best Practice

Maintain a small but representative test environment that mirrors your production setup. This doesn't need to be expensive — a few virtual machines running your key applications is usually sufficient. The investment in a test environment pays for itself the first time it catches a problem patch before it reaches your production systems. Many organisations have learned this lesson the hard way, after a faulty patch took down their entire fleet of workstations during business hours.

Pro Tip

Always create a system restore point or snapshot before deploying patches to production servers. If a patch causes unexpected issues, you can roll back quickly without waiting for Microsoft or the vendor to release a fix. For virtual machines, take a VM snapshot; for physical servers, use Windows System Restore or a backup solution that supports bare-metal recovery. This simple step can reduce your mean time to recovery from hours to minutes.

Patch Management Tools

Manual patch management — logging into each server and workstation individually to install updates — is impractical for any organisation with more than a handful of devices. Fortunately, several tools can automate and centralise the patch management process.

Windows Server Update Services (WSUS)

WSUS is Microsoft's free tool for managing Windows updates across a network. It allows you to download patches from Microsoft once and distribute them to all your Windows machines locally, saving internet bandwidth. You can approve or decline individual patches, target specific patches to specific groups of machines (enabling the phased testing approach described above), and report on patch compliance across your estate.

WSUS is a solid choice for smaller organisations that primarily need to patch Windows operating systems and Microsoft products. However, it doesn't handle third-party application patches (like Adobe, Java, or Chrome), which must be managed separately.

Microsoft Intune

For organisations using Microsoft 365, Intune provides cloud-based endpoint management including patch management. Intune can manage Windows updates, deploy software updates, enforce compliance policies, and report on device health — all from the cloud, without the need for on-premise infrastructure. It's particularly effective for managing remote and hybrid workers whose devices may not always be on the corporate network.

Microsoft Configuration Manager (SCCM / MECM)

For larger organisations with complex patching requirements, Microsoft Endpoint Configuration Manager (formerly SCCM) provides enterprise-grade patch management capabilities. It can manage Windows and third-party application patches, deploy patches to thousands of machines with precise targeting and scheduling, report on compliance in granular detail, and integrate with WSUS for Windows update management. Configuration Manager is the most powerful option but also the most complex and expensive to deploy and maintain.

Automated Patching Pros

  • Consistent, reliable deployment
  • Reduced manual effort and human error
  • Detailed compliance reporting
  • Scheduled deployments during off-hours
  • Centralised management of all devices
  • Faster response to critical vulnerabilities

Manual Patching Risks

  • Inconsistent coverage — devices get missed
  • Time-consuming — doesn't scale
  • No centralised visibility or reporting
  • Difficult to enforce timelines
  • Prone to human error
  • Impossible to demonstrate compliance

Feature comparison (chart): Automated Patch Management (recommended for UK businesses of all sizes) versus Manual Patch Management (traditional hands-on approach), compared on the following capabilities: consistent deployment across all endpoints; real-time compliance dashboards and reporting; scheduled off-hours maintenance windows; third-party application patch support; scaling to thousands of devices; audit-ready documentation for Cyber Essentials; emergency patch deployment within hours; and automatic rollback on failure.

Patch Tuesday and the Monthly Cycle

Microsoft releases its monthly security updates on the second Tuesday of each month — known as "Patch Tuesday." This predictable schedule allows organisations to plan their patching cycles accordingly. A typical monthly patching cycle might look like this:

Week 1 (Patch Tuesday): Microsoft releases updates. Your IT team reviews the patches, identifies those relevant to your environment, assesses their severity, and begins testing on pilot machines.

Week 2: Testing continues. Patches that pass testing are approved for wider deployment. Any issues are investigated and mitigated before proceeding.

Week 3: Approved patches are deployed to production servers and workstations, typically during a scheduled maintenance window (evenings or weekends to minimise disruption).

Week 4: Compliance checking. Verify that all targeted machines have received the patches successfully. Follow up on any machines that failed or were offline during the deployment window. Generate compliance reports for management and audit purposes.

It is worth noting that not all vendors follow a predictable release schedule. Adobe typically aligns with Microsoft's Patch Tuesday for its major products, but many other software vendors release patches on an ad-hoc basis whenever vulnerabilities are discovered. Your patch management process must accommodate both scheduled and unscheduled patch releases. A well-configured patch management tool will automatically detect new patches from multiple vendors and flag them for review, regardless of when they are released.
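As an added example (not the article's code), this Python derives the Patch Tuesday anchor for any month, lays out the four-week cycle described above and reports which week each deadline from the prioritisation table falls in. The week activities are paraphrased from the cycle above, and the deadlines are assumed to count from Patch Tuesday itself.

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Added example (not the article's code): Patch Tuesday, the four-week cycle and
# where each deployment deadline from the prioritisation table lands in it.

PHASES = [  # paraphrased from the article's Week 1 to Week 4 description
    "Review, severity assessment and pilot testing",
    "Testing continues; approval for wider deployment",
    "Production deployment in a maintenance window",
    "Compliance checking and reporting",
]
# Deadlines in days after release, from the article's prioritisation table.
DEADLINE_DAYS = {"Emergency": 2, "Critical": 7, "High": 14, "Medium": 30}

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month (date.weekday(): Monday=0, so Tuesday=1)."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)

def cycle_plan(year: int, month: int) -> List[Tuple[str, date, date, str]]:
    """Week label, first day, last day and activity for each week of the cycle."""
    anchor = patch_tuesday(year, month)
    return [(f"Week {i + 1}", anchor + timedelta(days=7 * i),
             anchor + timedelta(days=7 * i + 6), phase)
            for i, phase in enumerate(PHASES)]

def deadline_week(year: int, month: int, priority: str) -> Tuple[date, Optional[int]]:
    """Last permitted deployment date for a Patch Tuesday release of this
    priority, and the cycle week it falls in (None if beyond week 4)."""
    anchor = patch_tuesday(year, month)
    deadline = anchor + timedelta(days=DEADLINE_DAYS[priority])
    week = (deadline - anchor).days // 7 + 1
    return deadline, (week if week <= len(PHASES) else None)

def on_time(released: date, deployed: date, priority: str) -> bool:
    """True if a deployment met the table's deadline for its priority."""
    return (deployed - released).days <= DEADLINE_DAYS[priority]

if __name__ == "__main__":
    for label, start, end, phase in cycle_plan(2025, 3):
        print(f"{label}: {start} to {end}: {phase}")
    for priority in DEADLINE_DAYS:
        print(priority, *deadline_week(2025, 3, priority))
```

Run for any month and you can see that the Critical deadline closes in week 2, before the week 3 production window, so Critical patches need the compressed path rather than the standard cycle.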

2nd Tuesday
Microsoft's Patch Tuesday — the anchor point for most organisations' monthly patch management cycle

Zero-Day Response

A zero-day vulnerability is one that is being actively exploited before the vendor has released a patch. Zero-day incidents require a different response from routine patching — they demand immediate action to reduce exposure while waiting for an official fix.

Immediate Response Steps

When a zero-day vulnerability is announced, your IT team should immediately assess whether your organisation is affected. Identify which systems run the vulnerable software and determine your level of exposure. If a patch is not yet available, implement compensating controls — temporary measures that reduce the risk of exploitation. These might include firewall rules to block the attack vector, disabling the vulnerable feature or service, network segmentation to isolate affected systems, or increased monitoring for signs of exploitation.

Subscribe to vulnerability notification services such as the NCSC's Early Warning service, Microsoft Security Response Center (MSRC) alerts, and CVE databases to ensure you learn about zero-day vulnerabilities as quickly as possible. The faster you know about a threat, the faster you can respond.

Building a Zero-Day Playbook

Rather than reacting to each zero-day incident from scratch, prepare a documented response playbook in advance. Your zero-day playbook should define an escalation chain (who needs to be notified and in what order), a rapid asset inventory process (how to quickly identify all affected systems), pre-approved compensating controls that can be deployed without waiting for a full change advisory board review, communication templates for internal stakeholders and, where applicable, customers or regulators, and criteria for deciding when the risk justifies an emergency out-of-cycle patch deployment with minimal testing. Having this playbook ready means that when a zero-day is announced — often on a Friday evening or during a bank holiday — your team can respond systematically rather than scrambling. The NCSC recommends that UK organisations rehearse their incident response plans at least annually, and your zero-day playbook should be part of that exercise.

NCSC Early Warning Service

The NCSC offers a free Early Warning service for UK organisations that provides alerts about cyber threats, including zero-day vulnerabilities that may affect your systems. The service analyses a range of intelligence sources and proactively notifies organisations that may be at risk. Registering for this service is free and strongly recommended — it could give you critical hours of advance warning when a new threat emerges.

Third-Party Application Patching

Windows updates get the most attention, but third-party applications are increasingly targeted by attackers. Adobe products, Java, web browsers, Zoom, and other commonly used applications all require regular patching. In fact, some security researchers estimate that third-party application vulnerabilities now account for more successful attacks than operating system vulnerabilities.

Tools like Ninite Pro, PDQ Deploy, or Intune's Win32 app management can automate the deployment of third-party application updates. Some third-party patching is also supported natively by Configuration Manager with appropriate plugins. Regardless of the tool, ensure that third-party applications are included in your patch management policy and subject to the same prioritisation and testing processes as operating system updates.

Pay particular attention to web browsers, PDF readers, Java runtime, and remote access tools — these are consistently among the most frequently exploited application categories. Many modern browsers (Chrome, Edge, Firefox) support silent automatic updates, and you should ensure this feature is enabled across your estate rather than relying on users to update manually. For organisations using Google Chrome in a managed environment, Chrome Browser Cloud Management provides centralised visibility and policy control at no additional cost, and similar capabilities exist for Microsoft Edge via Intune or Group Policy.

Pro Tip

Enable automatic silent updates for all web browsers across your organisation. Browsers are the single most targeted application category, and modern browsers like Chrome and Edge can update themselves in the background without disrupting users. Combine this with a policy that forces browser restarts within 48 hours of an update being downloaded to ensure patches are actually applied, not just downloaded and waiting.

Measuring and Reporting Patch Compliance

What gets measured gets managed. Regular reporting on patch compliance is essential for maintaining standards, demonstrating due diligence to auditors and regulators, and identifying areas where your patch management process needs improvement.

Key Metrics to Track

The most important patch management metrics include mean time to patch (the average number of days between a patch being released and it being applied across your estate), patch compliance rate (the percentage of devices that are fully patched at any given time), critical patch compliance (the percentage of critical patches applied within your defined SLA), and exceptions (the number and age of approved patch exceptions, where a specific patch has been deliberately deferred due to compatibility issues).

Patch compliance by asset class (chart data):

  • Servers: 96%
  • Workstations: 91%
  • Third-party applications: 85%
  • Network devices (firmware): 78%
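The following Python is an added example, not the article's or Cloudswitched's code, that computes the four metrics just described from per-device patch records and breaks compliance down by asset class as in the chart. The record layout and the sample records inside it are constructed for illustration, and the critical-patch SLA defaults to the 14-day Cyber Essentials window.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Added example (not the article's code): the article's four patch metrics
# computed from per-device patch records.  Every record below is constructed.

@dataclass
class PatchException:
    approved: date
    review_by: date       # date by which the exception must be re-evaluated
    control: str          # compensating control that justifies the deferral

@dataclass
class PatchRecord:
    device: str
    asset_class: str      # e.g. "Servers", "Workstations"
    patch: str            # constructed placeholder patch identifier
    priority: str         # "critical", "high", "medium" or "low"
    released: date
    installed: Optional[date] = None
    exception: Optional[PatchException] = None

def mean_time_to_patch(records: List[PatchRecord]) -> float:
    """Average days from release to installation, over installed patches."""
    done = [(r.installed - r.released).days for r in records if r.installed]
    return sum(done) / len(done) if done else 0.0

def compliance_rate(records: List[PatchRecord]) -> float:
    """Percentage of devices with every patch installed.  An approved exception
    does not make a device compliant; exceptions are reported separately."""
    status: Dict[str, bool] = {}
    for r in records:
        status[r.device] = status.get(r.device, True) and r.installed is not None
    return 100.0 * sum(status.values()) / len(status)

def compliance_by_class(records: List[PatchRecord]) -> Dict[str, float]:
    return {c: compliance_rate([r for r in records if r.asset_class == c])
            for c in sorted({r.asset_class for r in records})}

def critical_patch_compliance(records, as_of: date, sla_days: int = 14) -> float:
    """Share of critical patches applied within the SLA.  A critical patch still
    missing after its deadline is a miss; one inside its deadline is pending."""
    met = due = 0
    for r in records:
        if r.priority != "critical":
            continue
        deadline = r.released + timedelta(days=sla_days)
        if r.installed is not None:
            due += 1
            met += r.installed <= deadline
        elif as_of > deadline:
            due += 1
    return 100.0 * met / due if due else 100.0

def exception_summary(records, as_of: date) -> Dict[str, int]:
    """Live exceptions: how many, the oldest, and how many are past review."""
    live = [r for r in records if r.exception and r.installed is None]
    ages = [(as_of - r.exception.approved).days for r in live]
    return {"count": len(live), "oldest_days": max(ages, default=0),
            "reviews_overdue": sum(r.exception.review_by < as_of for r in live)}

def d(day: int) -> date:
    return date(2025, 3, day)     # all sample dates fall in March 2025

AS_OF = d(31)
RELEASED = d(11)                  # constructed release date (a Patch Tuesday)
RECORDS = [  # constructed sample: two servers, two workstations, two patches
    PatchRecord("srv-01", "Servers", "PATCH-A", "critical", RELEASED, d(14)),
    PatchRecord("srv-01", "Servers", "PATCH-B", "high", RELEASED, d(20)),
    PatchRecord("srv-02", "Servers", "PATCH-A", "critical", RELEASED, d(21)),
    PatchRecord("srv-02", "Servers", "PATCH-B", "high", RELEASED, d(27)),
    PatchRecord("ws-01", "Workstations", "PATCH-A", "critical", RELEASED, d(18)),
    PatchRecord("ws-01", "Workstations", "PATCH-B", "high", RELEASED, None,
                PatchException(d(18), d(25), "port blocked at the perimeter firewall")),
    PatchRecord("ws-02", "Workstations", "PATCH-A", "critical", RELEASED, None),
    PatchRecord("ws-02", "Workstations", "PATCH-B", "high", RELEASED, d(12)),
]

def report(records=RECORDS, as_of=AS_OF) -> Dict[str, object]:
    return {
        "mean_time_to_patch_days": round(mean_time_to_patch(records), 1),
        "compliance_rate_pct": compliance_rate(records),
        "compliance_by_class_pct": compliance_by_class(records),
        "critical_within_14_days_pct": critical_patch_compliance(records, as_of),
        "exceptions": exception_summary(records, as_of),
    }
```

Pass a stricter `sla_days` to `critical_patch_compliance` to measure against the 7-day Critical timeline from the prioritisation table rather than the 14-day Cyber Essentials one.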

Reporting for Compliance and Governance

Beyond internal operational use, patch compliance reports serve important governance and compliance functions. If your organisation is pursuing Cyber Essentials certification, your assessor will want to see evidence that critical patches are applied within 14 days. If you handle payment card data (PCI DSS), you must demonstrate that security patches are applied within one month of release. And if you are subject to UK GDPR, the ICO may request evidence of your patching practices as part of an investigation into a data breach. Maintaining clear, timestamped patch compliance reports provides the documentary evidence you need to demonstrate due diligence in all of these scenarios.

Patch Management Maturity Scorecard

Use this scorecard to assess your organisation's patch management maturity across key dimensions. Each metric represents a critical capability area — scores below 70 indicate areas that need immediate attention, while scores above 85 suggest a well-established process. Most UK SMEs score between 50 and 75 on their first assessment, with the most common gaps in third-party application coverage and zero-day response readiness.

  • Asset Inventory Completeness: 92/100
  • Patch Deployment Automation: 85/100
  • Vulnerability Prioritisation Process: 78/100
  • Testing & Validation Maturity: 72/100
  • Third-Party Application Coverage: 64/100
  • Compliance Reporting Capability: 88/100
  • Zero-Day Response Readiness: 56/100

Cyber Essentials and Patch Management

The NCSC's Cyber Essentials scheme includes patch management as one of its five technical controls. To achieve Cyber Essentials certification, your organisation must demonstrate that all software and firmware are licensed and supported (no end-of-life software), that automatic updates are enabled where possible, and that high-risk and critical security patches are applied within 14 days of release. For Cyber Essentials Plus certification, these requirements are verified through hands-on technical assessment.

Meeting these requirements is straightforward if you have a well-defined patch management policy and appropriate tooling. The 14-day requirement for critical patches aligns with the timeline recommended earlier in this guide, and the requirement to remove unsupported software provides additional motivation to maintain a current, supported estate.

For many UK organisations, Cyber Essentials certification is not merely a best-practice aspiration but a commercial necessity. Since 2014, the UK Government has required Cyber Essentials certification for all suppliers bidding on contracts that involve handling sensitive or personal information. An increasing number of private-sector organisations are following suit, requiring their supply chain partners to hold Cyber Essentials as a minimum standard of cyber hygiene. Beyond the compliance requirement, the process of achieving and maintaining certification provides a structured framework that drives genuine improvement in your security posture — and patch management is invariably the area where the most immediate gains are realised.

Need Help with Patch Management?

We provide fully managed patch management services for UK businesses, covering Windows, macOS, Linux, third-party applications, and network device firmware. Our team ensures your systems are consistently patched, compliant with Cyber Essentials requirements, and protected against the latest threats — so you can focus on running your business.

About the author: CloudSwitched is a London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.
