Patch Management for Australian Businesses: How to Keep Systems Secure Without the Headache
Patching is one of those IT tasks that sits permanently on the to-do list. Everyone knows it should be done, and yet it is consistently the security control that gets delayed, skipped, or handled inconsistently. The restart prompts get dismissed. The server patches get pushed to next month. The firewall firmware last updated two years ago is just left alone because "it's working fine."
That gap between knowing and doing is exactly where cybercriminals operate. The majority of successful cyber attacks against Australian businesses exploit vulnerabilities that had fixes available long before the attack occurred. The attackers do not need exotic zero-day exploits — they scan the internet for known, unpatched systems and walk straight through the front door.
This article covers what patch management actually involves, what the ACSC Essential Eight requires, how to prioritise and automate the process, and what a realistic programme looks like for an Australian SMB.
Why Patching Is the Unsexy Security Control That Matters Most
Security vendors love to sell next-generation threat detection, AI-powered behavioural analytics, and zero-trust architecture. Patching, by comparison, is thoroughly unglamorous. It causes system restarts at inconvenient times. It occasionally breaks a business-critical application. It requires coordination across endpoints, servers, and network devices — all of which may be managed by different people, or no one in particular.
So it gets delayed. A patch is noted, a busy week passes, then another. The vulnerability is superseded in the news cycle by something newer and scarier. The unpatched system hums along, visibly working, apparently fine — until it is not.
The Australian Cyber Security Centre (ACSC) consistently identifies the exploitation of known, unpatched vulnerabilities as one of the top attack vectors in Australian cyber incidents. Ransomware operators routinely scan for Australian organisations running unpatched VPN appliances, remote desktop software, or web-facing applications. Once they identify a target, exploitation can take minutes.
The inconvenient truth is that patching — done consistently, at the right cadence, across the right systems — prevents more incidents than almost any other security control. It is not exciting. But it works.
What Patch Management Actually Is
Patch management is the process of identifying, testing, and applying updates to software, operating systems, firmware, and applications to fix security vulnerabilities, bugs, and stability issues. A vendor identifies a vulnerability, develops a fix, and releases it as a patch. Patch management is everything your organisation does to ensure that fix is actually applied.
The process encompasses several distinct steps.
Asset inventory — knowing what software and hardware exists in your environment. You cannot patch what you do not know about, and shadow IT is a common source of unpatched exposure.
Vulnerability monitoring — tracking new patch releases and vulnerability disclosures from vendors, the ACSC, and international bodies. Microsoft issues security updates on Patch Tuesday (the second Tuesday of each month); other vendors have their own schedules, and critical patches can appear at any time.
Prioritisation — determining which patches to apply first. A critical vulnerability in an internet-facing system needs to be addressed within hours. A low-severity bug in a non-critical internal application can wait for the next maintenance window.
Testing — verifying that a patch does not break existing functionality before deploying broadly. For servers and business-critical applications, an untested patch can create more disruption than the vulnerability it fixes.
Deployment — applying patches to endpoints, servers, network devices, and other in-scope systems, including scheduling restarts and communicating planned downtime.
Verification — confirming patches were successfully applied. A patch that appears applied but has not taken effect — because the required restart never happened — is as dangerous as an unpatched system.
Documentation — recording what was patched, when, and by whom. Essential for compliance, audit purposes, and Essential Eight adherence.
What Needs to Be Patched — The Full Scope
Most SMBs patch Windows and, if they are diligent, Microsoft 365 desktop applications. The reality of what needs to be in scope is considerably broader.
| System category | Examples | Commonly missed? |
|---|---|---|
| Operating systems | Windows, macOS, Linux | No — usually patched |
| Business applications | Microsoft 365, Adobe Acrobat, Chrome, Firefox | Sometimes |
| Security tools | Antivirus, VPN clients, endpoint detection and response | Often missed |
| Network devices | Routers, firewalls, switches, Wi-Fi access points | Often missed |
| Servers | On-premise file servers, application servers, print servers | Often missed |
| Firmware | BIOS/UEFI, device firmware | Often missed |
| IoT and building devices | Access control, CCTV, environmental sensors | Usually not patched |
The category most likely to create serious exposure is network devices. Routers, firewalls, and VPN appliances are directly reachable from the internet. When a vulnerability is found in a widely-used appliance — Fortinet, Cisco, or Palo Alto products, for example — it is typically weaponised within days. Australian organisations have been directly impacted by exploited VPN vulnerabilities that were unpatched despite patches being available for months.
Security tools are another frequently overlooked category. An endpoint detection and response agent or antivirus client that has not been updated in six months may have degraded detection capability or contain its own exploitable vulnerabilities. Keeping your security tooling patched is as important as patching the systems it protects.
Firmware is the silent one. A business might replace its server hardware and meticulously configure Windows Server, while the BIOS/UEFI firmware installed at the factory never receives an update for the lifetime of the device. Firmware vulnerabilities are difficult to exploit but can be severe — some allow attackers to persist on a device even after an operating system reinstall.
The ACSC Essential Eight Patching Requirements
The ACSC's Essential Eight is a set of eight mitigation strategies forming the baseline for cybersecurity in Australia. Two controls relate specifically to patching.
Patch Applications (Mitigation Strategy 5) addresses the patching of software applications — browsers, productivity tools, PDF readers, and similar. Patch Operating Systems (Mitigation Strategy 6) addresses OS patches separately. They are distinct controls because the risk profile and patching mechanism differ.
At Maturity Level 1, the requirement is to patch internet-facing services within two weeks and non-internet-facing systems within one month. This is achievable with a monthly patching cadence and a standing process for internet-facing systems on a shorter cycle.
At Maturity Level 2, internet-facing systems with known exploits must be patched within 48 hours of a patch becoming available. This requires active vulnerability monitoring and the ability to deploy patches rapidly — not a quarterly maintenance schedule.
At Maturity Level 3, the 48-hour requirement extends to all systems with critical or high-severity vulnerabilities, regardless of whether they are internet-facing, demanding mature tooling, automation, and a dedicated process.
The Essential Eight also treats end-of-life software — applications or operating systems that can no longer receive security patches — as a critical risk. Running Windows Server 2012 or Windows 10 past its end-of-support date is not a minor housekeeping matter; it is a compliance failure and an ongoing exposure.
Prioritising Patches — Not All Vulnerabilities Are Equal
Not all patches carry equal risk. A prioritisation framework based on vulnerability severity helps you allocate effort where it matters most rather than defaulting to applying everything immediately or deferring everything to the next scheduled window.
The Common Vulnerability Scoring System (CVSS) is the standard for measuring vulnerability severity. CVSS scores run from 0 to 10, with the following bands.
| CVSS score | Severity | Recommended response |
|---|---|---|
| 9.0–10.0 | Critical | Patch within 24–48 hours — actively exploited or trivially exploitable with severe impact |
| 7.0–8.9 | High | Patch within 2 weeks for internet-facing systems |
| 4.0–6.9 | Medium | Patch within one month |
| 0.1–3.9 | Low | Patch in the next scheduled maintenance window |
Each publicly known vulnerability is assigned a CVE (Common Vulnerabilities and Exposures) identifier — a standardised reference number such as CVE-2024-12345 — allowing vendors, tools, and researchers to refer to it consistently. When a patch addresses a specific CVE, the associated CVSS score tells you how severe it is.
CVSS score alone is not always sufficient. The CISA Known Exploited Vulnerabilities (KEV) catalogue lists vulnerabilities actively being exploited in the wild. If a vulnerability appears on the KEV list, treat it as Critical regardless of its CVSS score — active exploitation in real attacks overrides theoretical severity.
Additional factors worth weighting include whether the system is internet-facing, whether exploit code is publicly available, and what data would be compromised — giving higher priority to systems handling customer data or financial records.
Ransomware prevention frequently comes down to exactly this kind of prioritisation. Most ransomware operators exploit high and critical vulnerabilities in internet-facing systems within weeks of their public disclosure, making rapid patching of those systems one of the highest-return security investments available to an SMB.
Building a Patch Management Process
A patch management process does not need to be complex to be effective. The following six-step approach is practical for an Australian SMB and provides the foundation for Essential Eight compliance documentation.
Step 1: Build and maintain an asset inventory. Document every device and application — endpoints, servers, network devices, software titles, and versions. A spreadsheet is a start, but an IT asset management tool or RMM platform will give you a continuously updated view. Everything else in the process depends on knowing what you have.
Step 2: Run regular vulnerability scans. Use a tool to identify which systems have unpatched vulnerabilities. Microsoft Defender Vulnerability Management (included in Microsoft 365 Business Premium) provides this for Windows endpoints managed through Intune. Tenable Nessus Essentials offers a free tier suitable for smaller environments. Most RMM platforms include patch status reporting as a built-in function. Scans should run at least weekly.
Step 3: Establish a patch schedule and a separate emergency process. A monthly cadence, aligned with Microsoft's Patch Tuesday, is a sensible baseline for low-urgency patches. Maintenance windows should be scheduled outside business hours and documented. Define a separate emergency process for Critical and High CVEs on internet-facing systems — these cannot wait for the monthly window. The emergency process should specify who is notified, who approves, and the required deployment timeframe.
Step 4: Test before deploying broadly. For server and critical application patches, test on a non-production system or deploy in stages. For endpoints, most organisations can proceed once the patch has been in circulation for a day or two without widespread issue reports. Testing does not need to be lengthy, but it should be a defined step.
Step 5: Deploy and verify. Apply patches through your chosen tooling and confirm successful application — including that any required restarts have completed. A patch is not active until the restart is done. Verify through your vulnerability scanning or patch management tool, not just the deployment log.
Step 6: Document everything. Maintain a record of what was patched, on which systems, on what date, and by whom. Record any deferred patches and the reason for deferral. This is your evidence for Essential Eight compliance, cyber insurance audits, and post-incident investigations.
Automating Patch Management
Manual patching is unreliable at scale. With more than a handful of devices, checking for updates and confirming completion by hand is too slow, too inconsistent, and too dependent on no one forgetting a device. Automation is the only way to achieve consistent patching across a real environment.
Windows Update for Business and Microsoft Intune provide native patch management for Windows endpoints. Update rings can be configured to automatically install updates during defined maintenance windows, with deferral policies applied to different device groups. For Microsoft 365 Business Premium customers, this is already available at no additional cost and is the right starting point for endpoint patching.
RMM (Remote Monitoring and Management) platforms are the tools that managed IT services providers use to manage client environments at scale. Platforms such as NinjaRMM, ConnectWise Automate, and N-able include patch management as a core function — scheduling patches, pushing them to all managed endpoints and servers, and reporting on compliance status. For an SMB working with a managed IT provider, this is typically how patching is handled. If your MSP cannot show you a patch compliance report, that is a gap worth raising. See our guide on how to choose a managed IT provider for what to look for.
Microsoft Defender Vulnerability Management provides continuous visibility into unpatched vulnerabilities across your Microsoft environment and integrates with Intune to recommend and trigger remediation. It is not a deployment tool on its own but is a valuable monitoring layer that tracks vulnerability closure over time.
Third-party application patching requires separate attention. Windows Update handles Windows and Microsoft product updates but does not patch third-party applications such as Chrome, Firefox, Adobe Acrobat, and Zoom. RMM platforms typically handle this for managed environments. For organisations without a managed provider, tools such as Chocolatey or winget on Windows, or Munki on macOS, can automate third-party updates at no additional software cost.
Network device patching requires vendor-specific processes. Routers, firewalls, and switches each have their own firmware management interfaces. Firmware versions should be documented and compared against vendor advisories regularly — this should not be left to whoever set up the device at installation.
Common Patch Management Mistakes
Most patch management failures come from process gaps and human decisions rather than technical limitations. The following are the most common mistakes in SMB environments.
Patching endpoints but not servers or network devices. Workstation patches are handled by IT, but the file server has not received a patch in eight months because "we can't afford the downtime." Servers are often where the most sensitive data lives and where the most damage occurs. They must be in scope.
Disabling automatic updates because of restart disruptions. An employee complains their computer restarted during a meeting. The IT manager disables automatic updates to prevent recurrence. The correct fix is to configure update windows to run outside business hours — not to disable updates entirely.
Treating a patch as applied before the restart has completed. Windows marks many updates as "installed" before the required restart. Until that restart occurs, the patch has not taken effect. Verify patch status after restarts are complete.
Patching without testing and breaking a business-critical application. A poorly tested patch can cause failures on servers running older software. The answer is not to skip patching — it is to establish a testing step. Stage patches to a test environment first, or deploy incrementally.
No asset inventory, leaving unknown devices unpatched. A managed set of 20 laptops receives patches. The personal laptops accessing business systems, the old workstation in the storage room, and the IP camera system are never patched because no one documented they exist.
Not patching firmware. Routers and switches are updated at installation and then left alone indefinitely. Firmware vulnerabilities in network devices are serious and underappreciated. Include firmware in your patch schedule and check vendor advisories regularly.
How Pickle Manages Patching for Australian SMBs
Pickle's managed IT services include automated patch management across endpoints, servers, and network devices as a standard component of ongoing support. Patches are scheduled during agreed maintenance windows, applied automatically, and verified for successful completion — with monthly reporting on patch compliance status provided to clients.
For businesses working towards ACSC Essential Eight Maturity Level 2 or above, Pickle documents and demonstrates patching cadence as part of a structured compliance programme, maintaining the evidence trails required to show tiered patching timelines for internet-facing and non-internet-facing systems.
If patching in your business is happening inconsistently, falling behind, or not happening at all for some device categories, that is a common starting point — and one with a straightforward fix.
Call 1300 688 588 or email [email protected] to talk through what a managed patching programme would look like for your environment.
Frequently Asked Questions
Q: How often should Australian businesses patch their systems?
A: It depends on the system and the vulnerability severity. Internet-facing systems should be patched within two weeks for high-severity vulnerabilities, and within 48 hours for critical vulnerabilities with known exploits. Non-internet-facing systems and lower-risk patches can follow a monthly maintenance cycle, aligned with ACSC Essential Eight Maturity Level 1 requirements. The key is a scheduled cadence for routine patches and a separate emergency process for critical issues.
Q: Is it safe to apply patches immediately when they are released?
A: For most endpoint patches from established vendors such as Microsoft, applying within a few days of release is generally safe. For server patches and business-critical applications, allowing 24 to 48 hours for widespread issues to surface before broad deployment is reasonable. Critical and high-severity patches on internet-facing systems should be applied as quickly as possible — the risk of delay outweighs the risk of disruption.
Q: Do I need to patch cloud software like Microsoft 365?
A: The cloud service itself is patched by the vendor — Microsoft manages updates to the underlying platform. Locally installed applications such as Word, Excel, Outlook, and Teams desktop clients do need to be patched through your standard endpoint update process. Security policies and authentication settings in your Microsoft 365 tenant should also be reviewed regularly, even though the underlying platform is maintained by Microsoft.
Q: What is the difference between a vulnerability scan and a patch?
A: A vulnerability scan is a diagnostic tool that examines your systems and identifies known vulnerabilities or outdated software. A patch is the fix released by the software vendor. The scan tells you what is wrong; the patch addresses it. Running scans without acting on the results provides information but does not reduce risk. Both are necessary components of a patch management process.
Q: What happens if we use software that is past its end-of-life?
A: End-of-life software no longer receives security patches from the vendor. Any new vulnerabilities discovered will never be fixed, meaning the number of known unpatched vulnerabilities accumulates over time — and attackers actively target organisations known to run legacy systems. Under the ACSC Essential Eight, end-of-life software is treated as a critical risk, and achieving Maturity Level 2 or above requires it to be replaced. If you are running software past its supported date, migrating off it should be a priority, not a future consideration.