Patch Management: Protect Against Zero-Days

Unpatched software is the number one entry point for attackers. Yet most SMEs struggle with patching—too many updates, not enough time, fear of breaking things. Here's how to build a practical patch management process that actually works.


Why Patching Matters

Every unpatched system is an open door for attackers:

  • Known holes, not clever tricks. Surveys put roughly 60% of breaches down to known vulnerabilities for which a patch was already available. Attackers favour unpatched systems because public exploits are reliable and well documented.
  • The window is short. On average, attackers weaponize a newly disclosed vulnerability within about 15 days. After that, automated internet-wide scanning finds every exposed system that has not been patched.
  • Ransomware entry point. Most ransomware campaigns start by exploiting known vulnerabilities in VPN gateways, remote desktop services, or web applications. WannaCry (May 2017) spread through an SMB flaw that Microsoft had patched two months earlier in MS17-010.
  • Compliance requirement. NIS2 and the Belgian CyberFundamentals framework both require vulnerability management. No patching process means a compliance failure.

What is a Zero-Day?

A zero-day vulnerability is a security flaw for which no fix exists yet: the vendor has had "zero days" to patch it, and defenders have zero days to prepare. Exploitation often starts before the flaw is public at all; once the patch ships, the race is to apply it before attackers reach you.

Zero-day vulnerability

A flaw in software that the vendor doesn't know about yet, or knows about but hasn't fixed. Once a patch is released it is no longer a zero-day, but it stays just as dangerous on every system that has not applied the patch.

Zero-day exploit

Attack code that takes advantage of a zero-day vulnerability. Often sold on dark markets.

Zero-day attack

An actual attack using a zero-day exploit against real targets.

Recent Zero-Day Examples

MOVEit Transfer (2023)

The Clop extortion group exploited a zero-day SQL injection (CVE-2023-34362) in Progress MOVEit Transfer in late May 2023, planting web shells and stealing data. The patch came within days, but the bulk of the theft had already happened; more than two thousand organizations were affected, directly or through service providers.

Citrix Bleed (2023)

A memory over-read (CVE-2023-4966) in Citrix NetScaler ADC and Gateway that leaked session tokens, letting attackers hijack authenticated sessions and bypass MFA. It was exploited as a zero-day from late August 2023, weeks before Citrix published the patch on 10 October, and stolen sessions stayed valid after patching unless administrators terminated them.

Oracle E-Business Suite (2025)

Clop exploited a pre-authentication zero-day in Oracle E-Business Suite (not WebLogic) in autumn 2025 for a widespread data-theft campaign, sending extortion emails to victims before Oracle had an emergency patch available.

Building Your Patch Management Process

A practical approach that works for SMEs without dedicated security teams:

Step 1: Know What You Have

You can't patch what you don't know about. Create an inventory of:

  • Operating systems (Windows, macOS, Linux) and versions
  • Server software (web servers, databases, email)
  • Business applications (ERP, CRM, accounting)
  • Network devices (routers, firewalls, switches)
  • Cloud services and SaaS applications
  • Third-party libraries and dependencies
Tip: Use a simple spreadsheet to start. Include version numbers and who's responsible for each system.

Step 2: Subscribe to Security Alerts

Stay informed about vulnerabilities affecting your software:

  • Microsoft Security Update Guide for Windows/Office
  • Vendor security bulletins (check each vendor's security page)
  • CERT.be alerts for Belgian organizations
  • CISA (formerly US-CERT) alerts and its Known Exploited Vulnerabilities (KEV) catalog for critical vulnerabilities
  • Industry-specific ISACs if applicable
Tip: Create a dedicated email folder for security alerts. Check it at least weekly, daily for critical systems.

Step 3: Prioritize by Risk

Not all patches are equally urgent. Use this framework:

  • Critical: Active exploitation or internet-facing systems. Patch within 48 hours.
  • High: No known exploitation but severe impact. Patch within 7 days.
  • Medium: Limited impact or requires authentication. Patch within 30 days.
  • Low: Minimal impact. Include in regular maintenance cycle.
Tip: When in doubt, check whether the CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. A listing means it is being exploited in the wild, which puts it in the Critical bucket regardless of its CVSS score.

Step 4: Test Before Deploying

Patches can break things. Reduce risk with testing:

  • For critical business systems, test on a non-production copy first
  • For workstations, deploy to a pilot group before company-wide rollout
  • Have a rollback plan if something goes wrong
  • Document any issues for future reference
Tip: If you can't test, at least schedule critical system patches outside business hours with someone on standby.

Step 5: Automate Where Possible

Manual patching doesn't scale. Automate the routine:

  • Enable Windows Update for automatic security patches
  • Enable auto-updates for browsers (Chrome, Firefox, Edge)
  • Use a managed update service for servers and workstations (WSUS for Windows servers, Intune for managed workstations and mobile devices)
  • Enable auto-updates for cloud/SaaS applications
  • Consider patch management tools for larger environments
Tip: Automation handles the bulk of routine patches (operating systems, browsers, SaaS). Reserve manual attention for critical systems, servers with dependencies, and patches that change behaviour.

Step 6: Track and Verify

Ensure patches are actually applied:

  • Check patch status in Windows Update or management console
  • Verify critical patches with vulnerability scanners
  • Keep records for compliance audits
  • Follow up on failed patches
  • Review patch compliance monthly
Tip: Set a calendar reminder to review patch status monthly. Track exceptions and their justification.
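To show how Steps 1, 3 and 6 fit together, here is an added worked example in Python (it is not code from the original article or from Easy Cyber Protection). It takes a software inventory, a list of vendor advisories and a set of "known exploited" CVEs, assigns each finding a priority and due date using the framework above, and then checks a later scan to report what is remediated, open or overdue. All inventory, advisory and version data are constructed for the example, and the CVE-0000-* identifiers are placeholders that do not exist.

```python
"""Patch triage and compliance tracking (Steps 1, 3 and 6 of the process in code).

All inventory, advisory and CVE data below is constructed for the example;
the CVE-0000-* identifiers are placeholders and do not exist.
"""
from datetime import date, timedelta

# Step 1: the inventory. One row per asset: product, installed version,
# whether it is reachable from the internet, and who owns it.
INVENTORY = [
    {"asset": "vpn-gw-01",   "product": "AcmeVPN",     "version": "5.2.1", "internet_facing": True,  "owner": "IT"},
    {"asset": "erp-app-01",  "product": "AcmeERP",     "version": "10.4",  "internet_facing": False, "owner": "Finance"},
    {"asset": "ws-042",      "product": "AcmeBrowser", "version": "118.0", "internet_facing": False, "owner": "IT"},
    {"asset": "file-srv-01", "product": "AcmeFileSrv", "version": "3.0.2", "internet_facing": False, "owner": "IT"},
]

# Step 2 output: advisories collected from vendor bulletins (constructed).
# fixed_version is the first version that contains the fix.
ADVISORIES = [
    {"cve": "CVE-0000-0001", "product": "AcmeVPN",     "fixed_version": "5.2.3", "cvss": 9.8, "auth_required": False},
    {"cve": "CVE-0000-0002", "product": "AcmeERP",     "fixed_version": "10.5",  "cvss": 8.1, "auth_required": False},
    {"cve": "CVE-0000-0003", "product": "AcmeBrowser", "fixed_version": "119.0", "cvss": 6.5, "auth_required": True},
    {"cve": "CVE-0000-0004", "product": "AcmeFileSrv", "fixed_version": "3.0.1", "cvss": 7.5, "auth_required": False},
]

# CVEs confirmed exploited in the wild, as a catalog such as CISA KEV would list them (constructed).
KNOWN_EXPLOITED = {"CVE-0000-0001"}

# Step 3: the article's SLAs, in days from advisory publication.
SLA_DAYS = {"Critical": 2, "High": 7, "Medium": 30, "Low": 90}
ADVISORY_DATE = date(2024, 1, 10)      # constructed publication date


def parse_version(v):
    """'5.2.1' -> (5, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(installed, fixed_version):
    return parse_version(installed) < parse_version(fixed_version)


def classify(asset, advisory, known_exploited):
    """Apply the Step 3 framework to one asset/advisory pair."""
    if advisory["cve"] in known_exploited or asset["internet_facing"]:
        return "Critical"
    if advisory["cvss"] >= 7.0 and not advisory["auth_required"]:
        return "High"
    if advisory["cvss"] >= 4.0 or advisory["auth_required"]:
        return "Medium"
    return "Low"


def triage(inventory, advisories, known_exploited, published):
    """Match advisories to inventory and assign a priority and due date."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] != asset["product"]:
                continue
            if not is_vulnerable(asset["version"], adv["fixed_version"]):
                continue            # already at or above the fixed version
            prio = classify(asset, adv, known_exploited)
            findings.append({
                "asset": asset["asset"], "owner": asset["owner"], "cve": adv["cve"],
                "fixed_version": adv["fixed_version"], "priority": prio,
                "due": published + timedelta(days=SLA_DAYS[prio]),
            })
    findings.sort(key=lambda f: (f["due"], f["asset"]))
    return findings


def compliance_status(findings, installed_now, today):
    """Step 6: compare a later scan (asset -> installed version) against each finding."""
    report = []
    for f in findings:
        current = installed_now.get(f["asset"])
        if current is not None and not is_vulnerable(current, f["fixed_version"]):
            status = "remediated"
        elif today > f["due"]:
            status = "overdue"
        else:
            status = "open"
        report.append({**f, "status": status})
    return report


def run_demo():
    findings = triage(INVENTORY, ADVISORIES, KNOWN_EXPLOITED, ADVISORY_DATE)
    # Versions seen by a follow-up scan ten days later (constructed): only the VPN was patched.
    rescan = {"vpn-gw-01": "5.2.3", "erp-app-01": "10.4", "ws-042": "118.0", "file-srv-01": "3.0.2"}
    return findings, compliance_status(findings, rescan, ADVISORY_DATE + timedelta(days=10))


if __name__ == "__main__":
    _, report = run_demo()
    for r in report:
        print(f"{r['priority']:<8} {r['asset']:<12} {r['cve']}  due {r['due']}  {r['status']:<10} owner={r['owner']}")
```

The file server drops out of the report because it is already past the fixed version, the internet-facing VPN lands in the Critical bucket with a two-day deadline, and the ERP system shows as overdue at the rescan because nobody patched it within the seven-day High window. In practice the inventory and rescan data would come from your RMM or vulnerability scanner rather than from hand-typed dictionaries, and the "known exploited" set would be refreshed from the KEV catalog on every run.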

Responding to Zero-Day Announcements

When a zero-day affecting your software is announced, act quickly:

1. Assess exposure

Do you have the affected software? Which version? How many systems? Are they internet-facing? This is where the inventory from Step 1 pays off: the answer should take minutes, not days.

2. Apply workarounds

Vendors often release mitigations before patches. Disable the affected feature, restrict access to the management interface or to known source addresses, or isolate the system until a patch is available.

3. Monitor for attacks

Check logs for signs of exploitation, starting with internet-facing systems. Look for the indicators of compromise (IOCs) published with the advisory, and for what exploitation leaves behind: unexpected admin accounts, new scheduled tasks or services, and web shells on the affected host.

4. Patch immediately

When the patch is released, apply it to exposed systems within 24-48 hours. Do not hold it for a full test cycle: take a snapshot or backup, apply the patch, run a quick smoke test, and keep the rollback ready.

5. Verify remediation

Confirm the patch applied (version check, re-scan). Then check for prior compromise: patching closes the door but does not evict an attacker who already came in. Rotate credentials and terminate active sessions where the vendor advises it; with Citrix Bleed, stolen session tokens remained valid after the patch was installed.

Common Patching Challenges

"We can't patch—it might break something"

Solution: The risk of not patching is almost always higher. Test where possible, but prioritize security. Most patches don't cause issues.

"Our vendor says we can't update"

Solution: If a vendor doesn't support security updates, that's a major risk. Isolate the system, compensate with other controls, and plan to replace it.

"We don't have time to patch everything"

Solution: Focus on internet-facing systems and critical assets first. Automate routine patching. Accept some risk for low-priority systems.

"Patches come too frequently"

Solution: This is normal—software is complex. Automate what you can, prioritize the rest. A weekly patch review takes less time than incident response.

"Our legacy systems can't be patched"

Solution: Isolate them from the network, disable unnecessary services, implement additional monitoring, and plan for replacement.

Patch Management Tools for SMEs

You don't need enterprise tools to patch effectively:

  • Windows Update / WSUS: built-in Windows tools; WSUS adds control over which updates are approved and when they roll out. Cost: free.
  • Microsoft Intune: cloud-based management for Windows, macOS, and mobile devices. Cost: included in Microsoft 365 Business Premium.
  • NinjaRMM / Datto RMM: MSP-focused remote management tools that also suit SMEs wanting more control over patch schedules. Cost: per device per month.
  • Vulners / OpenVAS: vulnerability scanners to verify that patches are actually applied. Cost: free tier / open source.

How Easy Cyber Protection Helps

Asset inventory — Track what software you have and what needs patching
Vulnerability tracking — Know which CVEs affect your systems
Compliance documentation — Evidence for NIS2 and CyberFundamentals audits
Patch policy templates — Ready-to-use policies defining your patch schedule

Frequently Asked Questions

How quickly should we apply security patches?

Critical patches (actively exploited or internet-facing): 24-48 hours. High severity: 7 days. Medium: 30 days. Low: next maintenance window. For zero-days being actively exploited, patch immediately—the risk of not patching exceeds any testing concerns.

What if a patch breaks our system?

This is rare but happens. Have a rollback plan (system restore point, backup, snapshot). For critical systems, test patches in a staging environment first. If a patch does cause issues, most vendors release fixes quickly. The risk of not patching usually exceeds the risk of a bad patch.

Do we need to patch everything?

Prioritize: internet-facing systems, systems with sensitive data, and critical business applications. Internal-only systems with no sensitive data are lower priority. But don't ignore them—attackers move laterally once inside.

What about third-party software?

Third-party apps (Adobe, Java, browsers) are frequently exploited. Enable auto-updates where possible. For business software, subscribe to vendor security bulletins. Include third-party software in your inventory.

Is patching enough for security?

Patching is essential but not sufficient. You also need access controls, endpoint protection, backups, employee training, and incident response plans. Think of patching as closing known holes—you still need other defenses for unknown threats.
