Why Updates Matter
Let's be blunt: unpatched software is one of the easiest ways for attackers to compromise your business.
- Known vulnerabilities get published (CVEs)
- Attackers build exploits targeting those vulnerabilities
- Automated tools scan the internet for vulnerable systems
- Your unpatched computer becomes an easy target
The window between vulnerability disclosure and active exploitation is shrinking—sometimes hours, not days. A systematic approach to updates is essential.
The Challenge for Small Businesses
Enterprise IT teams have dedicated patch management systems and staff. Small businesses face different challenges:
- No dedicated IT person: Updates fall to whoever's technically inclined
- Fear of breaking things: "The last update broke my accounting software"
- Time pressure: Staff postpone updates to finish urgent work
- Varied devices: Mix of Windows, Mac, phones, each with different update mechanisms
- Critical applications: Some software needs testing before updates
This guide provides a practical routine that balances security with business continuity.
What Needs Updating
Critical (Update Immediately)
| Component | Why Critical | Update Frequency |
|---|---|---|
| Operating system | Most exploited | Monthly minimum |
| Browsers (Chrome, Firefox, Edge) | Constant target | Auto-update, check weekly |
| Email client | Phishing vector | Monthly |
| Microsoft Office / Google Docs | Malware delivery | Monthly |
| Security software (antivirus) | Definition updates | Daily (automatic) |
Important (Update Monthly)
| Component | Why Important | Notes |
|---|---|---|
| PDF readers (Adobe, Foxit) | Malware delivery vector | Adobe releases security updates monthly |
| Java (if still needed) | Frequently exploited | Remove if not needed |
| Flash (remove entirely) | End of life, dangerous | Should not be installed |
| Video conferencing apps | Growing attack surface | Zoom, Teams update frequently |
| Password manager | Protects all passwords | Usually auto-updates |
Business Applications (Test Then Update)
| Component | Approach |
|---|---|
| Accounting software | Test update on one machine first |
| CRM | Check vendor release notes |
| Industry-specific software | Verify compatibility |
| Custom/legacy applications | May need delayed updates |
A Simple Monthly Routine
The Second Wednesday Approach
Microsoft releases patches on the second Tuesday of each month ("Patch Tuesday"). A sensible schedule:
- Second Tuesday: Microsoft releases patches
- Wednesday-Thursday: Early adopters report issues
- Friday/Weekend: Apply updates (if no major issues reported)
Monthly Checklist
Week 1 (Post-Patch Tuesday)
- [ ] Review Microsoft patch announcements
- [ ] Check for critical vulnerabilities (zero-days being exploited)
- [ ] Apply critical/zero-day patches immediately if needed
- [ ] For normal patches, schedule for weekend
Week 2
- [ ] Apply OS updates to test machines first
- [ ] Apply OS updates to all machines
- [ ] Update browsers (verify auto-update working)
- [ ] Update Adobe products
Week 3
- [ ] Update business applications
- [ ] Test critical workflows after updates
- [ ] Document any issues and resolutions
Week 4
- [ ] Review update status across all devices
- [ ] Follow up on any machines that didn't update
- [ ] Plan for any delayed updates
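The schedule and the Week 4 follow-up can be automated from a simple inventory export. The sketch below is an added example, not part of the original guide: it computes Patch Tuesday and the Friday install day, then lists machines whose last OS update predates the newest release that is past the 7-day window from the policy later on this page. The CSV layout, hostnames and dates are constructed, and the inventory is assumed to be Windows-only.

```python
import csv
import io
from datetime import date, timedelta

OS_PATCH_WINDOW_DAYS = 7  # this page's policy: OS updates within 7 days of release

# Constructed sample inventory (hostnames and dates are made up).
SAMPLE_INVENTORY = """hostname,os,last_os_update
RECEPTION-PC,Windows 11,2024-10-11
ACCOUNTS-PC,Windows 11,2024-09-13
WAREHOUSE-PC,Windows 10,
"""

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, which is not always in the second calendar week."""
    first = date(year, month, 1)
    # weekday(): Monday=0, Tuesday=1. Days from the 1st to the first Tuesday.
    to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)

def install_day(year: int, month: int) -> date:
    """Friday after Patch Tuesday, leaving Wednesday and Thursday for issue reports."""
    return patch_tuesday(year, month) + timedelta(days=3)

def stragglers(inventory_csv: str, today: date) -> list[str]:
    """Hostnames whose last OS update predates the newest release that is past its window."""
    release = patch_tuesday(today.year, today.month)
    if today < release + timedelta(days=OS_PATCH_WINDOW_DAYS):
        # This month's window is still open, so judge against last month's release.
        last_month = release.replace(day=1) - timedelta(days=1)
        release = patch_tuesday(last_month.year, last_month.month)
    late = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        raw = row["last_os_update"].strip()
        # A blank date means the machine never reported in: treat it as overdue.
        if not raw or date.fromisoformat(raw) < release:
            late.append(row["hostname"])
    return late

if __name__ == "__main__":
    today = date(2024, 10, 25)  # constructed "Week 4" review date
    print("Patch Tuesday:", patch_tuesday(today.year, today.month))
    print("Install day:  ", install_day(today.year, today.month))
    print("Follow up on: ", stragglers(SAMPLE_INVENTORY, today))
```
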
Windows Update Management
For Individual Computers
Settings → Windows Update → Check for updates
Configure active hours to prevent restart during work:
Advanced options → Active hours → Set your work hours
Using Group Policy (Small Networks)
If you have Windows Pro and a simple network:
1. gpedit.msc → Computer Configuration → Administrative Templates → Windows Components → Windows Update
2. Configure:
   - "Configure Automatic Updates" = 4 (Auto download, schedule install)
   - "Scheduled install day" = 0 (Every day) or specific day
   - "Scheduled install time" = After hours (e.g., 03:00)
Using Intune (Recommended)
If you have Microsoft 365 Business Premium:
1. Intune admin centre → Devices → Windows → Update rings
2. Create update policy:
   - Quality update deferral: 3-7 days (time for early issues to surface)
   - Feature update deferral: 30-60 days (major updates need more testing)
   - Maintenance window: Set to after hours
   - Deadline for updates: 7 days (forces install)
Windows Server Updates
Servers need more careful handling:
- Never auto-update production servers
- Schedule maintenance windows
- Update test/dev servers first
- Have rollback plan ready
- Consider Windows Server Update Services (WSUS) for control
macOS Update Management
For Individual Macs
System Settings → General → Software Update
Configure automatic updates:
- Check for updates: On
- Download new updates when available: On
- Install macOS updates: On (or off for more control)
- Install Security Responses: On (small, critical patches)
Managed Macs (MDM)
Use Jamf, Kandji, or similar:
- Defer major OS updates (30-60 days)
- Allow security updates promptly
- Schedule installations after hours
- Notify users before forced updates
Browser Updates
Browsers update frequently and should auto-update. Verify it's working:
Chrome
Settings → About Chrome
Should show "Chrome is up to date" or update automatically when you visit.
Firefox
Settings → General → Firefox Updates
Set to "Automatically install updates"
Edge
Settings → About Microsoft Edge
Follows a similar pattern to Chrome.
Safari
Updates with macOS system updates.
Weekly check: Visit the "About" page in each browser to verify current version.
Application Updates
Microsoft Office
File → Account → Update Options
- Enable automatic updates
- Or manually check: "Update Now"
Microsoft 365 apps auto-update by default. If you use a volume license, you may need to configure updates.
Adobe Creative Cloud
Creative Cloud app manages updates:
- Set automatic updates on
- Or check weekly
- Major version upgrades may need testing
Other Applications
Many apps now auto-update. For those that don't:
1. Check on first launch each month
2. Enable notifications for updates
3. Add to monthly checklist
Tools like Ninite (free for personal, paid for business) can update common applications automatically.
Handling Problem Updates
Before Updating
- Know your rollback options (Windows has "Go back to previous version")
- For critical systems, test on one machine first
- Check online for reports of problems with the update
If an Update Causes Problems
Windows:
1. Settings → Windows Update → Update history → Uninstall updates
2. Find the problematic update and uninstall it
3. Pause updates temporarily
4. Report issue and monitor for fix
macOS:
1. Boot to Recovery (Command-R at startup)
2. Restore from Time Machine backup
3. Or reinstall macOS (preserves files)
Documenting Issues
Keep simple records:
- Date of update
- What broke
- How you fixed it
- How long it took to resolve
This helps identify patterns and prepares you for future updates.
Urgent/Zero-Day Updates
Sometimes updates can't wait. Signs you need to act immediately:
- Microsoft releases an "out of band" update (not on Patch Tuesday)
- NCSC issues an alert about active exploitation
- Security news reports attacks in the wild
- The vulnerability has a CVSS score of 9.0+ and is being exploited
Action: Apply these updates within 24-48 hours, even if it disrupts the normal schedule.
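One way to turn the "being exploited" signal into a work queue is to compare the CISA Known Exploited Vulnerabilities feed (listed under Authority Resources) with what you actually run. This is an added example, not part of the original guide: the sample data is constructed, the CVE ids are placeholders, the field names follow the KEV JSON layout as an assumption to check against the live file, and starting the 48-hour clock at `dateAdded` is also an assumption.

```python
import json
from datetime import date, timedelta

EMERGENCY_DAYS = 2  # this page's upper limit: apply within 24-48 hours

# Constructed sample shaped like the KEV JSON feed. CVE ids are placeholders.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-00001", "vendorProject": "Microsoft",
   "product": "Windows", "dateAdded": "2024-10-08"},
  {"cveID": "CVE-0000-00002", "vendorProject": "Adobe",
   "product": "Acrobat and Reader", "dateAdded": "2024-10-01"},
  {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor",
   "product": "Router OS", "dateAdded": "2024-10-09"},
  {"cveID": "CVE-0000-00004", "vendorProject": "Microsoft",
   "product": "Windows", "dateAdded": "2024-06-11"}
]}
""")

# Constructed inventory of (vendor, product) pairs in use, lower-cased.
# Exact string matching is crude: keep the names aligned with the feed's wording.
INSTALLED = {("microsoft", "windows"), ("adobe", "acrobat and reader")}

def emergency_queue(kev: dict, installed: set, last_review: date, today: date) -> list:
    """Exploited vulnerabilities in installed products, listed since the last review."""
    hits = []
    for v in kev["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        added = date.fromisoformat(v["dateAdded"])
        if key not in installed or added <= last_review:
            continue  # not our software, or already handled at the last review
        deadline = added + timedelta(days=EMERGENCY_DAYS)
        hits.append({"cve": v["cveID"], "product": v["product"],
                     "deadline": deadline, "overdue": today > deadline})
    # Earliest deadline first, so overdue items head the list.
    return sorted(hits, key=lambda h: h["deadline"])

if __name__ == "__main__":
    for hit in emergency_queue(KEV_SAMPLE, INSTALLED, date(2024, 9, 27), date(2024, 10, 9)):
        flag = "OVERDUE" if hit["overdue"] else "due"
        print(f'{hit["cve"]}  {hit["product"]:<20} {flag} {hit["deadline"]}')
```
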
Tools to Help
Free Options
Windows Update (built-in): Handles OS and Microsoft products
Microsoft Update Catalog: Manual download of specific patches
Ninite: Updates common applications (free for basic use)
Patch My PC (home version): Free for personal use
Business Tools
Microsoft Intune: Included with M365 Business Premium, manages Windows/Mac/mobile
Patch My PC (business): From £2/device/year, automates third-party updates
PDQ Deploy: From £500/year, powerful Windows patching
ManageEngine Patch Manager Plus: From £200/year, cross-platform
NinjaOne: MSP-focused, includes patching
For Macs
Jamf Pro: Enterprise Mac management
Kandji: Modern Mac MDM with auto-patching
Mosyle: Good for smaller Mac fleets
Building a Patch Policy
Document your approach:
> [Company Name] Patch Management Policy
>
> Scope: All company computers, servers, and managed devices
>
> Routine Updates:
> - Operating systems: Within 7 days of release, tested first where practical
> - Browsers: Automatic updates enabled, verified weekly
> - Business applications: Monthly, after vendor testing
>
> Emergency Updates:
> - Critical/exploited vulnerabilities: Within 48 hours
> - Authorised disruption to apply if necessary
>
> Exceptions:
> - [Legacy system X] updates require [manager] approval and testing
> - Production servers: Weekend maintenance window only
>
> Responsibility: [Name/Role] monitors patches and coordinates updates
>
> Review: This policy reviewed annually
Authority Resources
- NCSC Patching Guidance: ncsc.gov.uk/guidance/vulnerability-management - UK government patching recommendations
- NCSC Early Warning Service: ncsc.gov.uk/information/early-warning-service - Free alerts for UK organisations
- Microsoft Security Update Guide: msrc.microsoft.com/update-guide - Official patch information
- CISA Known Exploited Vulnerabilities: cisa.gov/known-exploited-vulnerabilities-catalog - Vulnerabilities being actively exploited
Monthly Patch Calendar
| Week | Focus | Tasks |
|---|---|---|
| Week 1 (After Patch Tuesday) | Planning | Review patches, prioritise, schedule |
| Week 2 | Windows/macOS | Apply OS updates, test |
| Week 3 | Applications | Update business apps, Office, Adobe |
| Week 4 | Review | Verify all updated, catch stragglers |
| Ongoing | Monitoring | Watch for zero-days, auto-update checks |
Getting Started This Week
Day 1: Audit—check update status on all computers (Settings → Windows Update)
Day 2: Enable automatic browser updates, verify they're current
Day 3: Configure Windows Update active hours on all machines
Day 4: Create simple monthly checklist (spreadsheet or document)
Day 5: Set calendar reminder for post-Patch Tuesday review
Ongoing: Follow the monthly routine
Patching isn't glamorous, but it's one of the most effective security measures you can take. A few hours per month prevents vulnerabilities that attackers actively exploit. The routine becomes easy once established—the hardest part is starting.