Software & Patching · 17 February 2025 · 6 min read

Why Software Patching Matters More Than You Think

Most cyber attacks exploit known vulnerabilities that already have patches available. Here's why keeping software up to date is your first line of defence.


The Uncomfortable Truth About Most Cyber Attacks

Here's a statistic that should change how you think about software updates: the majority of successful cyber attacks exploit vulnerabilities for which a patch — a software fix — already existed at the time of the attack. The attacker didn't find a brand-new flaw. They used a known one that the victim simply hadn't got around to fixing.

This means that for a huge proportion of breaches, the attack could have been prevented by simply keeping software up to date. Patching isn't glamorous. It doesn't feel like security work. But it is arguably the single most impactful thing any Australian small business can do to reduce its cyber risk.

What Is a Software Patch?

Software — whether it's your operating system, your browser, your accounting app, or any other program — is written by humans, and humans make mistakes. Some of those mistakes create security vulnerabilities: weaknesses in the software that attackers can exploit to gain unauthorised access, execute malicious code, or steal data.

When a vulnerability is discovered, the software developer creates a fix — called a patch — and releases it as an update. Once the patch is released, the vulnerability becomes public knowledge. Attackers now know exactly what to look for and can scan the internet for unpatched systems to exploit.

This is why the window between a patch being released and it being applied is so critical. Every day your software remains unpatched after a security update is released is a day you're exposed to a known, exploitable risk.

How Quickly Do Attackers Move?

The answer is: very quickly. Security researchers and cybercriminal groups alike monitor software vendor announcements for new patches. Within hours of a patch being released, attackers are often actively scanning for and exploiting unpatched systems.

Major vulnerability disclosures — like the Log4Shell vulnerability in 2021 or the MOVEit vulnerability in 2023 — saw mass exploitation within days. Businesses that patched promptly were protected; those that delayed were compromised at scale. These weren't targeted attacks on specific businesses — they were automated sweeps of the entire internet, looking for anyone still running the vulnerable software.

What Needs to Be Patched?

When most people think of software updates, they think of Windows Update. But patching requirements extend much further:

  • Operating systems — Windows, macOS, iOS, Android
  • Web browsers — Chrome, Firefox, Edge, Safari
  • Office and productivity software — Microsoft 365, LibreOffice
  • Business applications — accounting software, CRM, project management tools
  • Plugins and extensions — particularly browser plugins, which are frequently targeted
  • Server software — if you run any on-premises servers
  • Firmware — on routers, switches, printers, and IoT devices
  • Security software — antivirus and endpoint protection tools need updates too

This is a significant list, and it's one reason patching tends to slip for small businesses without dedicated IT support. But the good news is that most of this can be automated.

The ASD Essential Eight and Patching

Patching is so important that the Australian Signals Directorate (ASD) places it at the top of their Essential Eight framework — a set of baseline controls recommended for all Australian organisations. The Essential Eight includes two separate patching controls:

  • Patch operating systems — applying security patches within defined timeframes based on risk
  • Patch applications — particularly internet-facing applications and those most likely to be targeted

The Essential Eight recommends that critical vulnerabilities (those rated as high or critical severity) in internet-facing services be patched within 48 hours. For other systems, patching within two weeks is the target at the baseline maturity level. These timeframes might seem aggressive, but they reflect how quickly attackers move.

Enabling Automatic Updates

For most small businesses, the most practical approach to patching is enabling automatic updates wherever possible. This removes the manual burden and ensures patches are applied promptly.

Windows

Go to Settings > Windows Update and ensure automatic updates are turned on. You can configure Active Hours to avoid updates interrupting business hours. Consider enabling "Receive updates for other Microsoft products" to keep Office and other Microsoft software updated simultaneously.
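As an added example (not part of the original article), this PowerShell script checks the three Windows settings just described and counts the updates still waiting to install, so a monthly review can confirm a PC is actually configured the way the settings screen suggests. The registry paths and the Microsoft Update service ID are standard Windows values; the script assumes it is run from an elevated PowerShell prompt on the machine being checked.

```powershell
# Added audit script (not from the original article). Reads the Windows Update
# settings described above and reports whether each is in the recommended state.
# Assumes an elevated PowerShell prompt on the PC being checked.

$auPolicy          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$uxSettings        = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$msUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'   # Microsoft Update service (Office and other MS products)

$findings = @()

# 1. Automatic updates are on by default; the policy value NoAutoUpdate = 1
#    (Group Policy or a manual registry change) is what switches them off.
$noAuto = (Get-ItemProperty -Path $auPolicy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
$findings += [pscustomobject]@{
    Check  = 'Automatic updates enabled'
    Status = if ($noAuto -eq 1) { 'FAIL' } else { 'OK' }
    Detail = if ($noAuto -eq 1) { 'NoAutoUpdate policy is set to 1' } else { 'no disabling policy found' }
}

# 2. Active Hours: the hours (0-23) during which Windows will not restart to finish an update.
$ux = Get-ItemProperty -Path $uxSettings -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    Check  = 'Active Hours configured'
    Status = if ($null -ne $ux.ActiveHoursStart) { 'OK' } else { 'INFO' }
    Detail = if ($null -ne $ux.ActiveHoursStart) { "$($ux.ActiveHoursStart):00 to $($ux.ActiveHoursEnd):00" } else { 'using Windows defaults' }
}

# 3. "Receive updates for other Microsoft products" registers the Microsoft Update
#    service with the Windows Update Agent; check that the service is present.
$services = (New-Object -ComObject Microsoft.Update.ServiceManager).Services
$msUpdate = $services | Where-Object { $_.ServiceID -eq $msUpdateServiceId }
$findings += [pscustomobject]@{
    Check  = 'Other Microsoft products included'
    Status = if ($msUpdate) { 'OK' } else { 'FAIL' }
    Detail = if ($msUpdate) { "service '$($msUpdate.Name)' registered" } else { 'only Windows itself is being updated' }
}

# 4. Updates not yet installed: a non-zero count means the exposure window the
#    article describes is open on this machine right now.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
$findings += [pscustomobject]@{
    Check  = 'Pending updates'
    Status = if ($pending.Count -eq 0) { 'OK' } else { 'ACTION' }
    Detail = "$($pending.Count) update(s) not yet installed"
}

$findings | Format-Table -AutoSize
```

The pending-update search contacts the update service and can take a minute or two on a machine that has not checked for updates recently.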

macOS

Go to System Settings > General > Software Update. Enable automatic updates and tick all available options, including "Install Security Responses and system files" — these are rapid security patches that Apple can deploy outside of regular update cycles.

Browsers

Chrome and Edge update automatically in the background. Ensure browsers are closed and reopened regularly so updates can complete. Firefox also updates automatically. Check the "About" page in any browser to confirm it's running the latest version.

Business applications

Cloud-based applications (like Xero, Microsoft 365 online, or Google Workspace) are updated by the vendor automatically — you don't need to do anything. Desktop applications typically need to be updated manually or configured to auto-update.

When Automatic Updates Aren't Enough

Automatic updates work well for mainstream operating systems and applications. But they don't cover everything. Firmware on routers, switches, printers, and IoT devices rarely updates automatically — you need to check for and apply firmware updates manually. Older or niche business applications may not have auto-update functionality. This is where a regular patching review — at least monthly — becomes important.

Key Takeaways

  • The majority of successful cyber attacks exploit known vulnerabilities that already had patches available
  • Attackers scan for unpatched systems within hours of a vulnerability being disclosed
  • Patching applies to operating systems, browsers, apps, plugins, and firmware — not just Windows Update
  • The ASD Essential Eight recommends patching critical vulnerabilities in internet-facing systems within 48 hours
  • Enable automatic updates on all devices and operating systems wherever possible
  • Conduct a monthly review for systems that don't auto-update — particularly router and device firmware

Patching is one of the most effective — and most overlooked — cyber defences for small businesses. Find out how your patching practices compare with the free assessment at flagged.com.au.

Tags

patching, software updates, vulnerability management, small business, Australia