Patch Management for SMBs: Closing the Window Before Attackers Climb Through
Unpatched software is the most exploited entry point for cyber attacks. Learn how to automate Windows and macOS updates, prioritise third-party patching, and build a simple process that keeps your systems protected.
The Problem
Every piece of software contains vulnerabilities. When vendors discover these flaws, they release patches to fix them. When you delay applying those patches, you leave known weaknesses exposed to exploitation.
This is not a theoretical risk. The ACSC Essential Eight lists patching applications and operating systems as two of the eight most critical controls because unpatched software remains the most common method attackers use to gain initial access to business networks.
The moment a vendor publishes a security update, it effectively discloses the vulnerability it fixes. Attackers immediately reverse-engineer these patches to understand the flaw—and then start scanning for systems that have not yet applied the fix.
Why This Matters
Delayed patching creates a widening window of opportunity for attackers:
- Known vulnerabilities are actively exploited. Automated scanning tools probe millions of systems daily, searching for unpatched software with known flaws.
- Ransomware commonly enters through outdated software. Many ransomware incidents begin with exploitation of vulnerabilities that had patches available weeks or months before the attack.
- Regulatory frameworks expect timely patching. The Essential Eight Maturity Model requires patches for “extreme risk” vulnerabilities to be applied within 48 hours. Many cyber insurance policies now ask about patching cadence during underwriting.
- Delays compound quickly. Clicking “Remind Me Tomorrow” feels harmless, but each delay extends your exposure and makes the update process increasingly disruptive when you finally act.
For SMBs, the risk is amplified because attackers know smaller organisations often lack dedicated IT teams to stay on top of updates.
What Good Looks Like
A well-managed patching environment has these characteristics:
- Operating system updates install automatically within days of release
- Browsers update silently in the background
- Third-party applications are tracked and updated systematically
- Critical or actively exploited vulnerabilities are addressed within 48 hours
- Updates are scheduled to minimise disruption to business operations
You do not need enterprise patch management tools to achieve this. For most SMBs, enabling automatic updates and establishing a monthly review process is sufficient.
How to Implement It
1. Enable Automatic Operating System Updates
Do not rely on staff to manually approve updates. Configure automatic installation with restart scheduling that avoids business hours.
For Windows 10/11:
- Open Settings > Windows Update
- Enable “Get the latest updates as soon as they’re available”
- Click Advanced options and set “Active Hours” to your working day (e.g., 8am–6pm)
- Windows will then install updates and restart during non-active hours
For macOS:
- Open System Settings > General > Software Update
- Click the information icon next to “Automatic Updates”
- Enable all toggles: Download new updates, Install macOS updates, Install Security Responses and system files
2. Keep Browsers Updated Automatically
Web browsers are a primary attack surface because they execute code from untrusted sources constantly. All major browsers—Chrome, Edge, Firefox, Safari—have automatic update mechanisms that should remain enabled.
Verify updates are working:
- Chrome/Edge: Menu > Help > About — the browser will check for and install updates
- Firefox: Menu > Help > About Firefox — updates download automatically
If browser updates are being blocked by IT policy, this should be reviewed as a priority.
3. Address Third-Party Software
Operating systems and browsers are only part of the picture. Third-party applications—PDF readers, video conferencing tools, media players—often receive less attention but are equally targeted.
Common applications requiring regular updates:
- Adobe Acrobat/Reader
- Zoom, Microsoft Teams, Slack
- Java (if still required—consider removing if not)
- 7-Zip, WinRAR
- Remote access tools (TeamViewer, AnyDesk)
Options for third-party patching:
- Manual monthly review: Set a calendar reminder to check for updates on all installed software
- Vendor auto-update features: Many applications can update silently if configured (e.g., Adobe Acrobat: Preferences > Updater > Automatically install updates)
- Patch management tools: For businesses with more than 10 machines, tools like Ninite Pro, PDQ Deploy, or the patching features in RMM (Remote Monitoring and Management) platforms can automate third-party updates centrally
4. Prioritise Based on Risk
Not all patches carry equal urgency. Focus your fastest response on:
- Actively exploited vulnerabilities (often labelled “zero-day” or “known exploitation in the wild”)
- Critical severity as rated by the vendor, or a CVSS score of 9.0 or higher
- Internet-facing systems including VPNs, firewalls, and web applications
The CISA Known Exploited Vulnerabilities Catalog lists vulnerabilities confirmed to be actively used by attackers—if a patch appears here, it should be applied immediately.
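The monthly third-party review (step 3) and the risk ordering above (step 4) can be turned into a small triage routine. This is an added example, not code from the article: it assumes a hand-maintained inventory of installed products and a list of advisories, applies the article's ordering (known exploitation, then CVSS 9.0+, then internet exposure) and attaches the 48-hour target to the fastest tier. The hosts, products, versions and CVE ids are constructed placeholders.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Response targets from the article: 48 hours for the fastest tier; everything
# else waits for the monthly third-party review.
SLA_HOURS = {"immediate": 48, "monthly": 30 * 24}
# in_kev: listed in the CISA Known Exploited Vulnerabilities catalog.
Advisory = namedtuple("Advisory", "cve product fixed_version cvss in_kev")
Host = namedtuple("Host", "name product version internet_facing")

def version_tuple(version):
    """Dotted numeric version to a comparable tuple: '23.1.0' -> (23, 1, 0)."""
    return tuple(int(part) for part in version.split("."))

def is_vulnerable(host, adv):
    """Affected product installed below the first version that contains the fix."""
    return (host.product == adv.product
            and version_tuple(host.version) < version_tuple(adv.fixed_version))

def classify(host, adv):
    """Article's ordering: known exploitation, then CVSS 9.0+, then internet exposure."""
    if adv.in_kev:
        return "immediate", "listed in CISA KEV"
    if adv.cvss >= 9.0:
        return "immediate", f"CVSS {adv.cvss}"
    if host.internet_facing:
        return "immediate", "internet-facing system"
    return "monthly", "routine monthly review"

def triage(hosts, advisories, now):
    """One finding per vulnerable host/advisory pair, earliest due date first."""
    findings = []
    for host in hosts:
        for adv in advisories:
            if is_vulnerable(host, adv):
                tier, reason = classify(host, adv)
                findings.append({"host": host.name, "cve": adv.cve, "tier": tier,
                                 "reason": reason, "due": now + timedelta(hours=SLA_HOURS[tier])})
    return sorted(findings, key=lambda f: (f["due"], f["host"]))

# Constructed inventory, advisories and review date for a small office (placeholders, not real data).
REVIEW_DATE = datetime(2024, 1, 1)
HOSTS = [Host("reception-pc", "Acrobat Reader", "23.1.0", False),
         Host("vpn-gateway", "VPN Appliance OS", "7.0.1", True),
         Host("finance-laptop", "7-Zip", "22.0", False)]
ADVISORIES = [Advisory("CVE-EXAMPLE-0001", "Acrobat Reader", "23.2.0", 7.8, True),
              Advisory("CVE-EXAMPLE-0002", "VPN Appliance OS", "7.0.2", 6.5, False),
              Advisory("CVE-EXAMPLE-0003", "7-Zip", "23.0", 5.5, False),
              Advisory("CVE-EXAMPLE-0004", "7-Zip", "21.0", 9.8, False)]  # already fixed in 22.0
```

Running `triage(HOSTS, ADVISORIES, REVIEW_DATE)` puts the KEV-listed reader and the internet-facing VPN appliance in the 48-hour tier and leaves the 7-Zip update to the monthly cycle; the fourth advisory is dropped because the installed version already contains the fix.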
5. Reduce the Attack Surface
The easiest vulnerability to deal with is one you never need to patch, because the software is not installed.
Review installed software and remove:
- Applications no longer in use
- Legacy versions superseded by newer tools
- Browser plugins or extensions with unnecessary permissions
If your organisation still relies on software that is no longer receiving security updates (end-of-life), prioritise migrating to a supported alternative. Running unsupported software means vulnerabilities will never be patched.
Connecting Patching to Broader Security
Patching works alongside other fundamental controls:
- Endpoint detection and response provides a safety net when exploitation does occur, detecting malicious activity even if a vulnerability is exploited before patching
- Backups ensure you can recover if an attack succeeds despite your patching efforts
- Multi-factor authentication limits what attackers can do even if they compromise a device through an unpatched vulnerability
No single control is sufficient. Patching reduces opportunity; other controls reduce impact.
Action Item: This week, verify that automatic updates are enabled on all company-managed Windows and macOS devices. Create a calendar reminder for a monthly review of third-party software updates. If you have more than 10 devices, research whether your IT provider offers centralised patch management.