
Patching: Why It Feels Annoying And Why It Saves You

A hospital in Alabama got hit by ransomware because they hadn't patched a VPN vulnerability in two years. The patch existed. The attack was preventable.

Last updated: March 20, 2026

A manufacturing plant in Dothan called us after a ransomware attack. Their entire production system was locked. Orders couldn't be processed. They were losing $200,000 per day.

The attackers got in through a vulnerability in their VPN — software that let remote employees connect to the network. The vulnerability had been patched by the vendor eight months earlier. The manufacturing company hadn't applied the update.

The patch existed. The attack was preventable.

This happens constantly. Not just to small manufacturers. Municipalities, hospitals, school districts, local governments — all hit by attacks that were patched months or years earlier.

What this solves (in real business terms)

Patching means updating software to fix security vulnerabilities. Software has bugs. Some of those bugs let attackers in. Patches fix those bugs.

The challenge: there's always another vulnerability. Software vendors release patches constantly. Keeping up feels like a treadmill.

But it's the most effective thing you can do. The 2017 WannaCry ransomware attack hit 300,000 computers in 150 countries. The vulnerability existed. The patch existed. Microsoft released it a month before the attack. Companies that patched were untouched.

What can go wrong

Unpatched VPN vulnerabilities. The Dothan manufacturer. Remote access software (VPNs, RDP, remote desktop tools) exposed to the internet is a common entry point. When a vulnerability is disclosed, attackers know it immediately. They scan for unpatched systems.

Outdated server software. Your file server, email server, or database server running old software. If it's exposed to the internet or accessible from compromised workstations, it's an attack path.

End-of-life software. Windows 7, Server 2008, older iOS versions — software that no longer gets security updates. Every vulnerability in end-of-life software is a door that will never be locked.

Business critical systems can't be patched. A machine that "can't handle updates" because it's running critical legacy software. These need isolation from the network, not just hopes and prayers.

Patch Tuesday confusion. Microsoft releases patches on the second Tuesday of every month. IT teams test and deploy. Sometimes patches break things. Fear of breaking production systems leads to patching delays — which creates windows of vulnerability.

Remote workers with unpatched home computers. If your team works from home and accesses company resources, their personal computers are part of your attack surface. Unpatched home PCs can be compromised and used as a bridge into your business systems.

What it costs (honest ranges)

  • Automatic updates (Windows, Mac, iOS): Free — already built in, just needs to be enabled
  • Patch management software (Microsoft Intune, Kandji for Mac, Automox): $3-$8/device/month for business-grade patching
  • Managed security provider: $10-$30/user/month, which usually includes patch management
  • IT consultant for patch management: $500-$1,500/month for ongoing management

For most SMBs: enable automatic updates everywhere and use a patch management tool if you have 20+ devices.

Vendor questions (copy/paste)

  1. "What's our current patch status? How many devices are behind on updates?"
  2. "Do we have any end-of-life software still in use that needs to be replaced?"
  3. "How quickly do we deploy critical patches — within 24 hours, 7 days, or 30 days?"
  4. "How do we handle patching for remote employees' home computers?"
  5. "What's our process for testing patches before deployment to production systems?"
  6. "Do we have any systems we can't patch? If so, what's the mitigation plan?"

Minimum viable implementation

Step 1: Enable automatic updates on everything

Windows:

  • Settings > Update & Security > Windows Update
  • Check "Automatic" and "Restart this device as soon as possible"
  • For business PCs, use Windows Update for Business (free with Windows Pro)

Mac:

  • System Preferences > Software Update > Automatically keep my Mac up to date

iOS/Android:

  • Settings > Software Update > Automatic Updates

Step 2: Inventory your devices

You can't patch what you don't know about. Create a list:

  • All company computers (Windows, Mac)
  • All servers
  • All network devices (routers, switches, firewalls)
  • Mobile devices used for work
  • IoT devices on your network (printers, cameras, etc.)

For each, note: who's responsible for patching, what's the current OS version, when was it last updated.

Step 3: Identify end-of-life software

Check if any of your software is no longer supported:

  • Windows 7/8/8.1 (no longer supported)
  • macOS versions more than two releases behind the current one
  • Server 2008/2012 (no longer supported)
  • Old router firmware

Replace or isolate. End-of-life software doesn't get security updates. It's a permanent vulnerability.

Step 4: Prioritize by exposure

Critical (patch within 24-72 hours):

  • Remote access software (VPN, RDP)
  • Firewalls and network equipment
  • Email servers
  • Any software exposed to the internet

Important (patch within 7-14 days):

  • Workstations (Windows, Mac)
  • Internal servers
  • Productivity software

Step 5: Set up a monthly check

Even with automatic updates enabled, set a monthly reminder to:

  • Check for any failed updates
  • Verify all devices are updating
  • Review any patches that were deferred (and why)

Step 6: Handle exceptions carefully

If a system can't be patched (critical legacy software):

  • Isolate it from the network if possible
  • Put compensating controls around it (limit access, monitor for suspicious activity)
  • Plan to replace it — the risk doesn't go away
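Steps 2 through 6 fit together as one recurring check: build the inventory, flag end-of-life software, give each device a deadline based on exposure, and pull out the systems that need isolation instead of patching. The script below is an added example, not code from this article or from any vendor: it reads a small constructed inventory in the columns Step 2 asks for, applies the article's end-of-life list and exposure tiers, and produces the list a monthly review would work through. The inventory rows, device names and dates are made up, and the rule that a device is "behind" once it has gone a full monthly release cycle plus its deadline without installing anything is an assumption chosen to match the Patch Tuesday cadence described above.

```python
"""
Patch-status triage for a small device inventory (added example).

Takes the device list from Step 2, flags end-of-life software (Step 3),
assigns a patch deadline by exposure (Step 4), and produces the list a
monthly check (Step 5) should review, including systems that cannot be
patched and need isolation instead (Step 6).
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory; in practice this is your own spreadsheet.
SAMPLE_INVENTORY = """\
name,owner,os,os_version,exposure,last_patched,patchable
vpn-gw,IT,VPN firmware,7.0.12,internet,2026-01-10,yes
mail01,IT,Windows Server,2019,internet,2026-03-05,yes
file01,IT,Windows Server,2012,internal,2025-11-20,yes
cnc-ctrl,Plant,Windows,7,internal,2022-06-01,no
laptop-02,Sales,Windows,11,workstation,2026-01-15,yes
laptop-07,Sales,macOS,14.3,workstation,2026-02-28,yes
"""

# Date used for the worked run (the article's own "last updated" date).
REPORT_DATE = date(2026, 3, 20)

# Software the article lists as no longer receiving security updates.
END_OF_LIFE = {
    ("Windows", "7"), ("Windows", "8"), ("Windows", "8.1"),
    ("Windows Server", "2008"), ("Windows Server", "2012"),
}

# Deadlines from Step 4: internet-facing gets the short window.
SLA_DAYS = {"internet": 3, "internal": 14, "workstation": 14}
# Assumption: vendors ship roughly monthly, so a device that installed
# nothing for a full cycle plus its deadline is treated as behind.
RELEASE_CYCLE_DAYS = 30


@dataclass
class Device:
    name: str
    owner: str
    os: str
    os_version: str
    exposure: str
    last_patched: date
    patchable: bool


@dataclass
class Finding:
    name: str
    severity: str  # "critical", "important" or "ok"
    reason: str


def parse_inventory(text):
    """Parse the CSV inventory into Device records."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        devices.append(Device(
            name=row["name"].strip(),
            owner=row["owner"].strip(),
            os=row["os"].strip(),
            os_version=row["os_version"].strip(),
            exposure=row["exposure"].strip().lower(),
            last_patched=date.fromisoformat(row["last_patched"].strip()),
            patchable=row["patchable"].strip().lower() == "yes",
        ))
    return devices


def is_end_of_life(os_name, os_version):
    return (os_name, os_version) in END_OF_LIFE


def triage(devices, today):
    """Classify every device; unpatchable and end-of-life come first."""
    findings = []
    for d in devices:
        if not d.patchable:
            findings.append(Finding(d.name, "critical",
                "cannot be patched: isolate, add compensating controls, plan replacement"))
            continue
        if is_end_of_life(d.os, d.os_version):
            findings.append(Finding(d.name, "critical",
                f"{d.os} {d.os_version} is end-of-life: replace or isolate"))
            continue
        days_since = (today - d.last_patched).days
        # Unknown exposure is treated as internet-facing (fail safe).
        allowed = RELEASE_CYCLE_DAYS + SLA_DAYS.get(d.exposure, SLA_DAYS["internet"])
        if days_since > allowed:
            severity = "critical" if d.exposure == "internet" else "important"
            findings.append(Finding(d.name, severity,
                f"last patched {days_since} days ago; limit for {d.exposure} exposure is {allowed}"))
        else:
            findings.append(Finding(d.name, "ok", f"patched {days_since} days ago"))
    return findings


def monthly_report(findings):
    """Group device names by severity for the monthly review."""
    report = {"critical": [], "important": [], "ok": []}
    for f in findings:
        report[f.severity].append(f.name)
    return report


if __name__ == "__main__":
    for f in triage(parse_inventory(SAMPLE_INVENTORY), REPORT_DATE):
        print(f"{f.severity:9} {f.name:10} {f.reason}")
```

Run as-is it prints one line per device; swap in your own CSV with the same columns to use it for the monthly check. The ordering of the rules matters: an unpatchable or end-of-life system is reported as critical regardless of its last-patched date, because no amount of updating will close its exposure, which is exactly the Step 6 case.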

When to hire help

Do it yourself if:

  • You have fewer than 15 devices
  • All devices are current and support automatic updates
  • You don't have complex server infrastructure

Get help if:

  • You have 20+ devices with mixed OS versions
  • You have servers that need regular patching
  • You have remote workers with home computers accessing company systems
  • You've had an incident related to unpatched software
  • You have end-of-life software that needs to be replaced
  • You want someone monitoring patching compliance automatically

Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.