If you ask a security professional which single control would prevent the most breaches, the answer is rarely the most technically sophisticated one. It is patch management. Keeping software up to date against known vulnerabilities closes the attack vectors that the majority of threat actors rely on. And yet it remains one of the most inconsistently applied controls in UK organisations.

The gap between knowing patches are important and actually deploying them consistently is wide. It involves asset inventory, change management processes, compatibility testing, and operational discipline that is easy to deprioritise when other demands compete for IT resource.

Expert Commentary

William Fieldhouse, Director of Aardwolf Security Ltd

“Patch management sounds unglamorous, but it is the control that prevents the majority of successful network intrusions. When we look at how ransomware groups gain initial access, unpatched internet-facing services feature in the majority of cases. The fix is not complex. The discipline is.”

Why Patching Gets Deprioritised

Legacy systems present a genuine challenge. Applications that cannot be patched without breaking functionality, or that run on operating systems no longer receiving updates, create a class of permanent risk. Organisations often know these systems are exposed but lack a clear path to remediation.

Change management processes that require lengthy approval cycles slow patch deployment to a pace that threat actors easily outrun. When the window between a CVE being published and active exploitation in the wild is measured in days, a two-week change approval process is a structural vulnerability. The usual answer is a pre-approved emergency change path for security patches on exposed systems, separate from the standard cycle, so that urgency does not have to mean bypassing the process altogether.

Incomplete asset inventories make the problem worse. You cannot patch what you do not know you run. Organisations frequently discover unknown systems during penetration tests or after incidents: systems that have been running unpatched for months or years because nobody owned them.

The Attacker’s Perspective

External network penetration testing directly demonstrates the exposure created by unpatched services. Testers fingerprint the service versions visible from the internet, map them to known CVEs, and attempt exploitation. Findings typically include services that the organisation believed were current but were not, and services that were forgotten entirely.

Ransomware operators and initial access brokers both run automated scanning at scale. Within hours of a significant CVE being published, scanning activity increases dramatically. Organisations that have not patched within days are actively being targeted by automated tooling.

Building a Realistic Patch Programme

Effective patch management starts with a complete, accurate asset inventory. Every system, every application, every network device needs to be known and assigned an owner. Without that foundation, patch programmes have blind spots.

Vulnerability scanning services run continuously, identifying newly published vulnerabilities in the software versions you have deployed and flagging the affected systems. Integrating scan output with your patch workflow creates a closed loop between vulnerability discovery and remediation. The scanner only sees the address ranges and credentials it is given, so scan scope should be driven from the asset inventory, and hosts that appear in scan results but not in the inventory should be treated as findings in their own right.

Risk-based prioritisation is more practical than attempting to patch everything immediately. Internet-facing services, systems processing sensitive data, and systems running CVEs known to be actively exploited (for example, those listed in the CISA Known Exploited Vulnerabilities catalogue) take priority. A tiered approach with defined SLAs for each risk tier makes the programme manageable and auditable, because every open finding has an owner, a deadline, and a clear answer to whether it is overdue.
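The three steps above (inventory, scanning, risk-tiered SLAs) fit together as one small pipeline. The following is an added example written for this article, not code from Aardwolf Security or any scanning product. The inventory export, the scanner findings and the CVE identifiers (CVE-0000-000x) are constructed placeholders, and the tier rules and SLA day counts are illustrative assumptions rather than a recommendation. It reconciles scanner output against the inventory to surface unknown and unowned hosts, assigns each finding a tier using the prioritisation order in the text, and computes SLA due dates so overdue items can be reported.

```python
from datetime import date, timedelta

# Hypothetical tier -> SLA (calendar days from first detection). Illustrative values only.
SLA_DAYS = {1: 2, 2: 7, 3: 30}

# Constructed inventory export (stand-in for a CMDB). jump-02 has no owner recorded.
INVENTORY = {
    "web-01":   {"owner": "platform-team", "internet_facing": True,  "sensitive_data": False},
    "db-01":    {"owner": "data-team",     "internet_facing": False, "sensitive_data": True},
    "jump-02":  {"owner": None,            "internet_facing": True,  "sensitive_data": False},
    "print-03": {"owner": "facilities",    "internet_facing": False, "sensitive_data": False},
}

# Constructed scanner output. CVE-0000-000x are placeholder IDs, not real advisories.
# legacy-07 is deliberately absent from INVENTORY to show a blind spot.
FINDINGS = [
    {"host": "web-01",    "cve": "CVE-0000-0001", "cvss": 9.8, "actively_exploited": True,  "first_seen": "2024-03-01"},
    {"host": "db-01",     "cve": "CVE-0000-0002", "cvss": 7.5, "actively_exploited": False, "first_seen": "2024-03-01"},
    {"host": "print-03",  "cve": "CVE-0000-0003", "cvss": 5.3, "actively_exploited": False, "first_seen": "2024-02-20"},
    {"host": "jump-02",   "cve": "CVE-0000-0004", "cvss": 6.5, "actively_exploited": False, "first_seen": "2024-03-05"},
    {"host": "legacy-07", "cve": "CVE-0000-0005", "cvss": 8.1, "actively_exploited": False, "first_seen": "2024-03-03"},
]


def reconcile(inventory, findings):
    """Closed-loop inventory check: hosts the scanner sees that the inventory does not,
    and inventoried hosts with no owner. Both are blind spots for a patch programme."""
    unknown = sorted({f["host"] for f in findings if f["host"] not in inventory})
    unowned = sorted(h for h, a in inventory.items() if not a.get("owner"))
    return unknown, unowned


def assign_tier(finding, asset):
    """Risk-based tiering (hypothetical rules, in the article's order of priority):
    actively exploited, or critical CVSS on an internet-facing host -> tier 1;
    internet-facing, sensitive data, or CVSS >= 7.0 -> tier 2; otherwise tier 3.
    A host missing from the inventory cannot be assessed, so it is escalated to tier 1
    until someone owns it."""
    if asset is None:
        return 1
    if finding["actively_exploited"] or (asset["internet_facing"] and finding["cvss"] >= 9.0):
        return 1
    if asset["internet_facing"] or asset["sensitive_data"] or finding["cvss"] >= 7.0:
        return 2
    return 3


def triage(inventory, findings, today_iso):
    """Attach tier, owner, SLA due date and overdue flag to each finding,
    ordered by tier and then by due date so the report reads top-down."""
    today = date.fromisoformat(today_iso)
    rows = []
    for f in findings:
        asset = inventory.get(f["host"])
        tier = assign_tier(f, asset)
        due = date.fromisoformat(f["first_seen"]) + timedelta(days=SLA_DAYS[tier])
        rows.append({
            "host": f["host"], "cve": f["cve"], "tier": tier,
            "owner": (asset or {}).get("owner") or "UNASSIGNED",
            "due": due.isoformat(), "overdue": today > due,
        })
    return sorted(rows, key=lambda r: (r["tier"], r["due"]))


def overdue(rows):
    """Findings past their SLA due date."""
    return [r for r in rows if r["overdue"]]


if __name__ == "__main__":
    unknown, unowned = reconcile(INVENTORY, FINDINGS)
    print("hosts not in inventory:", unknown)
    print("inventoried hosts with no owner:", unowned)
    for r in triage(INVENTORY, FINDINGS, "2024-03-10"):
        flag = "OVERDUE" if r["overdue"] else "ok"
        print(f"tier {r['tier']}  {r['host']:<10} {r['cve']}  owner={r['owner']:<14} due={r['due']}  {flag}")
```

Run as-is, the report puts the two unknown or unowned hosts at the top alongside the actively exploited finding, and flags three items as past their SLA. The point of the structure is that the same scan feed answers three different questions (what is missing from the inventory, who owns each fix, and what is late) without a second data source; in a real programme the inventory and findings would come from the CMDB and scanner APIs, and the actively_exploited flag from a maintained source such as the CISA KEV catalogue.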