_Part 6 of 12 in the Cyber security for the small business series._

Software updates are the vegetables of cyber security. Everyone knows they are important, nobody finds them exciting, and they are all too easy to put off. But patching — the process of applying updates that fix security vulnerabilities — is one of the most effective defences available to any business.

Why updates matter

Every piece of software has bugs. Some of those bugs are security vulnerabilities — flaws that attackers can exploit to gain access, steal data, or install malware. When a software vendor discovers a vulnerability, they release an update — a patch — that fixes it. Until you apply that patch, your system remains vulnerable.

Attackers actively monitor software updates to learn about newly disclosed vulnerabilities. They then scan the internet for systems that have not yet been patched. This is not sophisticated hacking; it is industrial-scale opportunism. The window between a patch being released and attackers exploiting unpatched systems has shrunk to days, sometimes hours.

Incidents such as the 2024 Synnovis ransomware attack, which disrupted pathology services for London hospitals, show what is at stake, and a long list of breaches started not with a brilliant hacker but with an old, unpatched system that someone forgot.

What actually needs updating

Everything. Specifically:

Operating systems. Windows, macOS, iOS, Android, Linux. These are the foundation of your devices and the most critical to keep current.

Web browsers. Chrome, Firefox, Edge, Safari. Browsers are a primary attack surface because they process untrusted content from the internet constantly.

Email clients and productivity software. Microsoft Office, Google Workspace applications, PDF readers (Adobe Acrobat is a particularly common target).

Business applications. Accounting software, CRM systems, project management tools, and especially any content management system running your website (WordPress sites are among the most attacked targets on the internet, very often through unpatched plugins rather than WordPress itself).

Firmware. The software embedded in your router, printer, network-attached storage, and other hardware devices. This is the most commonly overlooked category, and the one attackers love most.

Plugins and extensions. Browser extensions, WordPress plugins, any add-ons to your core software. A plugin that was safe in 2019 and has not been updated since is a known weak point.

Making updates manageable

For a small business, the simplest approach is to enable automatic updates wherever possible. Modern operating systems and most major software applications can be configured to download and install updates automatically. This removes the burden of remembering and the temptation to postpone.

For systems that cannot update automatically (your router, your website, anything where you have to log in and click update) set a regular schedule. A monthly update day where a named person is responsible for checking and applying updates to those manually updated systems is far better than an ad hoc approach. Put it in the calendar the same way you put in the VAT deadline.

End-of-life software is a particular risk. When a vendor stops supporting a product, security updates stop. Running unsupported software — such as Windows 7, or an outdated version of WordPress — is like leaving a known broken lock on your door. It must be replaced, or, if that is not immediately possible, isolated from the rest of your network so a compromise of it cannot reach anything that matters.

The NCSC keeps a list of currently supported versions of common software if you are not sure.

The mobile question

Phones and tablets count. The phone in your pocket is a computer with access to your business email, your contacts, your customer data, and, in many cases, your bank. iOS and Android both push updates regularly. Set them to install automatically. Phones that are more than two iOS versions behind, or running an Android version that no longer receives updates, should be replaced. Replacing the phone is cheaper than recovering from a breach.

What June looks like

If you do one thing this month, audit your update settings. On every machine and device in the business, check:

Are automatic updates switched on, and are they actually installing? Look at the date of the last installed update, not just the setting.
Is the operating system, the browser and the main business software still supported by the vendor, or has it reached end of life?
For anything that has to be updated by hand (router firmware, the website, printers, network storage), when was it last updated, and who is responsible for it?
Is every phone and tablet used for business still receiving updates, and is it on a recent enough version?

Write down the answers on one sheet of paper. The list of things that failed this audit is your June work.
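If the one sheet of paper grows beyond a handful of devices, the same audit can be run as a script. The following is an added example, not code from the series: it takes a constructed inventory (device names, versions and dates are made up for illustration; the audit date of 1 June 2024 and the current iOS major version are assumptions you replace with your own) and applies the rules from this article: unsupported software is flagged for replacement or isolation, manually updated systems not checked within the monthly schedule are flagged as overdue, and phones more than two iOS versions behind are flagged for replacement. The two Windows end-of-support dates are Microsoft's published lifecycle dates; extend the table for the software you actually run.

```python
"""Patch audit helper: flag devices that fail the June update audit.

Added example, not part of the original article. The INVENTORY below is
constructed for illustration; only the Windows end-of-support dates are real.
"""
from datetime import date, timedelta

# Vendor end-of-support dates (Microsoft lifecycle). Add rows for your estate.
END_OF_SUPPORT = {
    ("Windows", "7"): date(2020, 1, 14),
    ("Windows", "8.1"): date(2023, 1, 10),
    ("Windows", "10"): date(2025, 10, 14),
}

MANUAL_CHECK_INTERVAL = timedelta(days=31)  # the monthly update day from the article
CURRENT_IOS_MAJOR = 18                      # assumption: revise each September
MAX_IOS_VERSIONS_BEHIND = 2                 # article's rule: replace beyond this
AUDIT_DATE = date(2024, 6, 1)               # assumed date the audit is run

# Constructed inventory: one row per device, as it would appear on the sheet.
INVENTORY = [
    {"name": "reception-pc", "product": "Windows", "version": "10",
     "auto_update": True},
    {"name": "old-lab-pc", "product": "Windows", "version": "7",
     "auto_update": False, "last_manual_check": date(2023, 11, 2)},
    {"name": "office-router", "product": "router-firmware", "version": "2.1",
     "auto_update": False, "last_manual_check": date(2024, 2, 10)},
    {"name": "owner-phone", "product": "iOS", "version": "15.7",
     "auto_update": True},
    {"name": "website", "product": "WordPress", "version": "6.5",
     "auto_update": False, "last_manual_check": date(2024, 5, 20)},
]


def audit_device(dev, today=AUDIT_DATE, current_ios_major=CURRENT_IOS_MAJOR):
    """Return the list of findings for one device; an empty list means it passed."""
    findings = []

    # Rule 1: end-of-life software must be replaced or isolated.
    eol = END_OF_SUPPORT.get((dev["product"], dev["version"]))
    if eol is not None and eol <= today:
        findings.append(
            f"{dev['product']} {dev['version']} unsupported since "
            f"{eol:%Y-%m-%d}: replace or isolate")

    # Rule 2: anything not on automatic updates must be checked on the monthly day.
    if not dev.get("auto_update", False):
        last = dev.get("last_manual_check")
        if last is None:
            findings.append("no automatic updates and never manually checked")
        elif today - last > MANUAL_CHECK_INTERVAL:
            findings.append(f"manual updates overdue: last checked {last:%Y-%m-%d}")

    # Rule 3: phones more than two iOS major versions behind get replaced.
    if dev["product"] == "iOS":
        behind = current_ios_major - int(dev["version"].split(".")[0])
        if behind > MAX_IOS_VERSIONS_BEHIND:
            findings.append(
                f"iOS {dev['version']} is {behind} major versions behind: replace")

    return findings


def run_audit(inventory, today=AUDIT_DATE):
    """Map each failing device name to its findings; passing devices are omitted."""
    result = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            result[dev["name"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in run_audit(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running it on the constructed inventory lists the Windows 7 machine (unsupported and overdue), the router (overdue) and the owner's phone (too far behind); the website and the reception PC pass. The output is the "June work" list from the article, and the three rules are deliberately kept separate so you can tighten one (for example a shorter manual-check interval for the website) without touching the others.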

Next month

July: your network. Wi-Fi, the router that is currently your only firewall, and what to do about staff working from home.

Cyber Essentials note

This month's work covers Cyber Essentials control 5, Security Update Management. Two of the five controls are now substantially in place if you have followed through on April and June.