Cyber Essentials Certification - Software Patching

Patching software has long been an irritant for users and administrators, as it can take hours to complete. Applying patches promptly is nonetheless one of the most important protections against attacks, including ransomware.

This is edited content from a conversation between Sarb Sembhi and co-host Nick Ioannou, also available as video and podcast.

Introduction to Software Patching in Cyber Essentials

Research cited in the discussion has shown that:

  • More than half of all breaches are attributed to poor patch management.
  • The average time to patch high-risk vulnerabilities is 102 days.
  • In 2020 more than 20,000 software security vulnerabilities were disclosed.

We know that attackers watch which widely used applications are being patched, because a patch tells them which vulnerabilities are worth exploiting next. They do this armed with the knowledge that many users won't apply the patch or update for months or even years.

What Organisations get Wrong with Patching?

In many cases, even though systems administrators know that they have to patch quickly to protect their systems, they still struggle to do what is required. Let's take a look at some of the things which contribute to patches not being applied as they should be.

  • Not managing the process for critical patches on critical systems – some systems cannot be set to update automatically, for many reasons, so any patches on these systems need to be managed by hand. Although some vendors publish their patch release schedules in advance, not all do, and an unscheduled release can overwhelm a small, under-resourced team, leaving critical patches uninstalled for weeks or months.
  • Lack of asset management – not knowing, or not controlling, which applications, systems and devices are authorised causes patching problems. For devices this includes physical security equipment such as CCTV systems and door and access control systems. If you don't know what you have, you don't know what needs to be patched.
  • The belief that a device or system can be patched later without any adverse impact – research shows that attackers have produced a working exploit within 30 days of a patch being released, and used it successfully. Recovering from a breach, by contrast, often takes 186 days or more and costs on average several hundred thousand pounds or dollars per incident.
  • Not setting up alerts for patch availability on critical systems – many applications and systems can be configured to check for, and alert on, available updates, but if the check is never enabled nobody finds out, and the device or system stays unpatched.
  • Not prioritising critical patches or critical systems – when so many applications, devices and systems need updating, administrators must decide the order in which updates are applied so that the Organisation's critical systems are protected first.
  • Overall lack of resources – caused by any combination of too few staff, too many systems, too many updates, a historical patching backlog, or individual patches consuming too much time.
  • The need to minimise operational downtime – in many SMOs the IT team or person is under-resourced and focused on keeping everyone productive. That can mean prioritising work such as preparing new machines so that nobody is idle, while patching is seen as something that causes downtime.
  • The unknown impact of patches – patches have been known to break applications and systems, and an administrator without a test environment has no confidence that a patch won't cause other problems.
  • Managing remote workers' systems – since the pandemic most Organisations have had staff working remotely, which makes it harder to manage, and to verify, that every system is fully updated. The rise in ransomware during the pandemic may be related.
  • The inaccurate belief that attackers can't tell that an Organisation is running a particular application, or that it is unpatched. Many applications, systems and devices have no need to connect to the internet, yet many do, sometimes without the user knowing. Each such connection is an opportunity for an attacker to identify the software, and anything exposed can be probed from outside the network.
  • An assumption that the anti-malware system provides all the protection required – this is a myth. Exploits are typically written with both the vulnerability and the common anti-malware products in mind, specifically so that they evade detection.
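Several of the failure modes above (patches for devices missing from the inventory, systems that never report an available update, and no ordering of the backlog) come down to bookkeeping that a small team can automate. The following Python is an added example and is not part of this article, of Cyber Essentials guidance, or of any vendor tool; the asset names, release dates and target times are constructed for illustration (the 14-day window for critical and high severity fixes matches the Cyber Essentials requirement, the other values are assumed policy).

```python
# Added example: patch-backlog triage over a constructed asset inventory.
# All asset names, dates and SLA values below are made up for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    critical: bool          # business-critical system?
    internet_facing: bool   # reachable from outside the network?
    auto_update: bool       # patches itself, or needs an admin to act?


@dataclass(frozen=True)
class PendingPatch:
    asset: str
    severity: str           # "critical" | "high" | "medium" | "low"
    released: date          # vendor release date


# Days allowed between vendor release and installation. Assumed policy: the
# 14-day figure for critical/high matches the Cyber Essentials requirement.
SLA_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def triage(assets, pending, today):
    """Order outstanding patches so the most dangerous gap is fixed first and
    flag two bookkeeping failures: patches reported for assets that are not in
    the inventory, and manually patched assets that report nothing at all."""
    by_name = {a.name: a for a in assets}
    rows, unknown = [], []
    for p in pending:
        asset = by_name.get(p.asset)
        if asset is None:
            unknown.append(p.asset)      # asset-management gap
            continue
        age = (today - p.released).days
        overdue = age > SLA_DAYS[p.severity]
        rows.append({
            "asset": asset.name,
            "severity": p.severity,
            "age_days": age,
            "overdue": overdue,
            # Overdue first, then critical systems, then anything exposed to
            # the internet, then by severity, then oldest first.
            "_sort": (not overdue, not asset.critical, not asset.internet_facing,
                      SEVERITY_RANK[p.severity], -age),
        })
    rows.sort(key=lambda r: r["_sort"])
    for r in rows:
        del r["_sort"]
    reporting = {p.asset for p in pending}
    # Manually patched assets with no pending-patch data at all: is the
    # update check actually enabled on them?
    silent = sorted(a.name for a in assets
                    if not a.auto_update and a.name not in reporting)
    return {"queue": rows,
            "unknown_assets": sorted(set(unknown)),
            "silent_assets": silent}


# Constructed sample inventory and pending-patch feed.
TODAY = date(2021, 6, 1)
ASSETS = [
    Asset("file-server", critical=True, internet_facing=False, auto_update=False),
    Asset("web-proxy", critical=True, internet_facing=True, auto_update=False),
    Asset("cctv-nvr", critical=False, internet_facing=True, auto_update=False),
    Asset("staff-laptop-07", critical=False, internet_facing=False, auto_update=True),
    Asset("hr-database", critical=True, internet_facing=False, auto_update=False),
]
PENDING = [
    PendingPatch("file-server", "critical", date(2021, 5, 10)),     # 22 days old
    PendingPatch("web-proxy", "high", date(2021, 5, 25)),           # 7 days old
    PendingPatch("cctv-nvr", "high", date(2021, 3, 1)),             # 92 days old
    PendingPatch("staff-laptop-07", "medium", date(2021, 5, 20)),   # 12 days old
    PendingPatch("door-controller", "critical", date(2021, 5, 1)),  # not in inventory
]

if __name__ == "__main__":
    report = triage(ASSETS, PENDING, TODAY)
    for row in report["queue"]:
        flag = "OVERDUE" if row["overdue"] else "ok"
        print(f'{flag:8} {row["asset"]:16} {row["severity"]:9} {row["age_days"]:3}d')
    print("not in inventory:", report["unknown_assets"])
    print("no update data:  ", report["silent_assets"])
```

On the constructed data the queue puts the file server first (a critical patch 22 days old, already past its 14-day window), then the CCTV recorder (a 92-day-old high severity fix on an internet-facing device), then the web proxy and the laptop, which are still inside their windows. The door controller is reported as missing from the inventory, and the HR database, which does not self-update and has reported nothing, is flagged so someone checks that its update check is actually turned on.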

It is unfortunate that patching consumes employee time without producing an output the Organisation has asked for. Over time, however, many large Organisations have understood the importance of patching and responded with good practices, some of which are relevant to Small Organisations.

This is only an overview: different organisations have different priorities, and their reasons for patching or not patching will differ.

Infographic 1: The Risk Challenges with Software Patching.

The Impacts of Not Patching?

It would be wrong to say that not patching automatically leads to a ransomware attack. The view security professionals usually take is that an Organisation has to defend against every possible vulnerability being exploited, whereas an attacker only has to find one. So by reducing its total attack surface an Organisation reduces its overall risk.

Research by the Ponemon Institute found that 34% of affected organisations knew they had unpatched vulnerabilities but took no action to protect themselves, and that the overwhelming majority of attacks (99.9% in the figures cited) rely on known vulnerabilities for which a patch already existed.

Since patch management is a part of vulnerability management, which itself is an element of risk management, not having an effective patch management programme does indicate bad risk management practices.

When the UK NHS was hit by the WannaCry ransomware in May 2017, the Windows vulnerability it exploited had been patched by Microsoft roughly two months earlier, in March 2017. Organisations that couldn't (or didn't) move fast enough were left exposed and suffered as a result. Most of the affected NHS Trusts simply rebuilt their systems from backups taken several days earlier, so many of them lost around three days of data. That figure doesn't include the cost of the rebuild itself, or the work lost by staff who had no systems while they were being reset.

Very simply: the cost and inconvenience of patching is lower than the impact and cost of not patching and suffering malware and/or a data breach.


Infographic 2: Awareness, Knowledge, Skills, Tools, Response and Sharing for this topic.



The remainder of this article is available to subscribers only.


Meet your Bloggers

Sarb Sembhi

Sarb Sembhi, Virtually Informed

Sarb is the Chief Technology Officer and Chief Information Security Officer for Virtually Informed.

He writes and speaks about:

  • Strategic issues in Smart Environments and related technologies;
  • Digital Safety Skills for anyone not working in Cyber Security, and;
  • Business / security challenges for small businesses and start-ups.

Nick Ioannou

Nick is Director of Boolean Logic Limited, a blogger, an author and public speaker.

Nick has authored:

  • 'Internet Security Fundamentals',
  • 'A Practical Guide to Cyber Security for Small Businesses' and
  • 'A Practical Guide to GDPR for Small Businesses',
  • as well as contributing to three 'Managing Cybersecurity Risk' books and 'Conquer The Web'.

SaRB for Small & Medium-sized Organisations (SMO's)

SaRB for SMO's mission is to be the place where Small and Medium-sized Organisations and non-profits come together to look up, explore and understand cyber security and related risks. We deliver information and tools for making better responses to cyber threats, vulnerabilities and exploits. We invite you to become a member of our community to access:

  • the latest information on threats targeting smaller organisations;
  • possible response options for your organisation and sector;
  • weekly or fortnightly newsletters;
  • webinars and events specifically for our subscribers;
  • gated templates, tools and content to save time and reduce cyber security risk.

Subscribe to SaRB for SMO's