For years, the usual answer to “how do attackers get into a business” was some version of “someone clicked a bad link” or “someone reused a weak password.” That held true for a long time. It is not the top answer anymore.
In its 2026 report analyzing more than 22,000 confirmed breaches, Verizon found that exploiting a software vulnerability is now the single most common way attackers gain their first foothold, at 31 percent of cases. That is up from 20 percent the year before, and it is the first time in the report’s 19-year history that vulnerability exploitation has passed stolen credentials for the top spot.
Here is the part worth sitting with. In the large majority of those cases, the vulnerability being exploited was already known, and a fix was already available. The attacker did not uncover a secret flaw. They walked through a door the software vendor had already shipped a lock for, on machines where nobody had gotten around to installing it.
That gap, between “a patch exists” and “the patch is actually on every device that needs it,” is what patch management is about. It is unglamorous work. It is also one of the highest-leverage things a small business can do to stay off the wrong end of a breach report.
What patch management actually is
Strip away the jargon and it is simple to describe. Software has flaws. Some of those flaws are security holes. When a vendor finds one, they release an update, a patch, that closes it. Patch management is the ongoing practice of getting those updates onto every device that needs them, in a reasonable amount of time, and confirming they landed.
The “ongoing” part matters. This is not a project you finish. Microsoft ships security updates on the second Tuesday of every month, plus out-of-band releases when something is urgent. Google, Adobe, Zoom, your browser, your line-of-business apps, your firewalls and network gear all push their own fixes on their own schedules. A modern small business runs dozens of pieces of software, and every one of them is a stream of updates that never stops.
Three things need patching, and businesses tend to remember the first and forget the rest:
- Operating systems (Windows, macOS). Most people picture this when they think of updates.
- Third-party applications (browsers, PDF readers, conferencing tools, plugins). A large share of real-world risk lives here, and it is the piece that most often gets skipped.
- Firmware and network devices (routers, firewalls, VPN appliances). Attackers have leaned hard into these lately, because they sit at the edge of the network and often go years without an update.
If your patching covers Windows and nothing else, you have handled one slice of the problem and left the rest open.
Why it matters more than it used to
A few things have shifted that make this more urgent than it was even a couple of years ago.
The window is shrinking. When a vulnerability becomes public, attackers move to weaponize it fast, sometimes within hours. The old assumption that you have weeks to get around to patching does not hold.
The volume is brutal, and everyone is behind. This is the hard part, and it is worth being straight about. That same Verizon report found the median time for organizations to fully remediate a known exploited vulnerability has stretched to 43 days, up from 32 the year before. Only 26 percent of the vulnerabilities on the government’s Known Exploited Vulnerabilities list were fully remediated by the organizations studied, down from 38 percent. Seven days after a serious vulnerability is identified, somewhere between 60 and 70 percent of them are still open, and that stayed true regardless of how large or well resourced the organization was. The count of vulnerabilities being disclosed has grown roughly eightfold in a few years. Teams are on a treadmill that keeps speeding up.
None of that is a reason to throw up your hands. It is a reason to stop treating patching as something you do when you remember, and start treating it as a system that runs whether you remember or not.
Two breaches that were just missed patches
It helps to make this concrete, because “apply your updates” sounds obvious until you see what happens when it does not get done.
Equifax, 2017. That March, a critical flaw in a widely used web framework called Apache Struts was disclosed, and a patch went out the same day. Equifax knew about it. An internal notice told administrators to apply it. A scan meant to find vulnerable systems missed some of them, and the patch never made it onto one internet-facing server. Roughly two months later, attackers used that exact unpatched flaw to get in, and they stayed for more than two months before anyone noticed. The personal data of about 147 million people was exposed. The fix had been sitting on the shelf the whole time.
WannaCry, 2017. In March, Microsoft released a patch for a serious flaw in an old Windows file-sharing protocol. Two months later, in May, ransomware called WannaCry tore through more than 200,000 systems across roughly 150 countries, using that same flaw to spread from machine to machine on its own. It hit hospitals hard, including the UK’s National Health Service, where it took down access to systems and forced appointments and procedures to be cancelled. Every organization that had applied the March update was fine. The ones that had not were the story.
Neither of these was a case of attackers being brilliant. Both were cases of a fix existing and not being installed. That is the whole lesson, and it has not aged a day.
Why small businesses are exposed in particular
If you run a small business, it is tempting to read those stories and file them under “problems that giant companies have.” The opposite is closer to the truth.
Ransomware crews have made a point of going after small and mid-sized businesses, because those are the organizations most likely to have gaps and least likely to have a full-time security team watching for them. “We are too small to be a target” was never a strong assumption. Automated attacks that scan the entire internet for one specific unpatched flaw do not check your headcount first.
The exposure is sharper in some fields:
- Medical and dental practices carry protected health information, and the HIPAA Security Rule expects a process for identifying and addressing technical vulnerabilities. A practice that cannot show it patches on a defined schedule has a hard time demonstrating it took reasonable steps if something goes wrong.
- Law firms hold client confidences and are increasingly held to a duty of technology competence. A breach traced back to a months-old unpatched flaw is a difficult conversation with a client, an insurer, and a bar association.
And here is the quiet trap that catches a lot of small businesses that think they have this covered. Turning on automatic updates on each machine feels like patch management. It is not the same thing. Automatic updates handle the operating system and usually stop there. They do not tell you which machines installed the update and which silently failed. They do not reach the third-party apps where much of the risk lives. They do not touch the laptop that has been in someone’s home office for three weeks and has not checked in. It feels done. Whether it is done is a separate question, and the gap between those two is exactly where breaches happen.
What good patch management looks like
So what does doing this well involve? A few things separate a real practice from crossed fingers.
You start with visibility. You cannot patch what you cannot see. The first job is a live, accurate picture of every device, what software is on it, and what updates each one is missing right now. Not a spreadsheet from last quarter. A current view you can pull up on demand.
You cover more than Windows. A serious approach patches the operating system and the third-party applications together, the browsers and readers and conferencing tools and plugins, because that is where a large share of the real openings are.
You reach devices wherever they are. Work does not happen in one building anymore. The laptop at a client site, the machine in a home office, the person traveling, all of them need to stay current without having to tunnel back through a VPN or come into the office first. Patching that only works when a device sits on the corporate network leaves your most mobile machines the least protected.
You test before you go wide. Patches occasionally break things. The answer is not to skip them, it is to roll them out to a small pilot group first, confirm nothing important broke, then release to everyone. A bad update inconveniences a handful of machines instead of the whole company.
You control the disruptive parts. Good patching schedules updates and reboots for off hours, warns people before their machine restarts, and does not surprise someone in the middle of a client call. Half the reason patching gets deferred is that it is disruptive, so the fix is to make it not disruptive.
You can undo a bad patch. On the rare occasion an update causes a problem, you want to pull it back off the affected machines quickly rather than scrambling.
And you verify. This is the one most people skip. It is not enough to push a patch and assume it took. You confirm it installed, and you keep a record of what was patched, when, and on which machines. That record is what turns “I think we are covered” into “here is proof we are covered,” which matters a great deal the day an auditor, an insurer, or a client asks.
The gap between “sent” and “installed”
Come back to WannaCry for a second, because it makes the point better than I can. Plenty of the organizations that got hit believed they were patched. Their dashboards said so. The update had been pushed. But the push had quietly failed on machines nobody was checking, or the vulnerable protocol was running on older gear the standard process never touched. The dashboard said “compliant.” Reality said otherwise. The space between those two is where the damage lived.
That is why the goal is not “we sent the patch.” The goal is “we can show this specific machine has this specific fix installed right now.” Assuming is not the same as knowing, and in security the difference between those two is usually the whole story.
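As an added example (not part of the original post), this Python script implements the verification step described above: it reconciles what a deployment tool reports as pushed against what each device itself last reported, using constructed inventory data and a hypothetical patch id. Only a device that checked in recently and reports the fix present counts as patched; a successful push, or a device that has not checked in for weeks, does not.

```python
from datetime import date

STALE_DAYS = 14  # assumption: a device silent this long cannot be counted as patched


def reconcile(patch_id, pushed_to, inventory, today, stale_days=STALE_DAYS):
    """Classify every device a patch was pushed to.

    pushed_to: device names the deployment tool reports as targeted
    inventory: {device: {"last_checkin": date, "installed": set of patch ids}}
    Returns a report dict; 'verified' is the only bucket that counts as patched.
    """
    report = {"verified": [], "unverified": [], "stale": [], "unknown": []}
    for device in sorted(pushed_to):
        record = inventory.get(device)
        if record is None:
            report["unknown"].append(device)      # pushed to a device the inventory has never seen
            continue
        age_days = (today - record["last_checkin"]).days
        if age_days > stale_days:
            report["stale"].append(device)        # the laptop that has not checked in for weeks
        elif patch_id in record["installed"]:
            report["verified"].append(device)     # the device itself reports the fix present
        else:
            report["unverified"].append(device)   # push "succeeded" but install never confirmed
    verified = len(report["verified"])
    report["coverage"] = round(100.0 * verified / len(pushed_to), 1) if pushed_to else 0.0
    return report


# Constructed sample data (hypothetical patch id and device names, not real systems).
SAMPLE_PATCH = "PATCH-EXAMPLE"
SAMPLE_PUSHED = ["WS-01", "WS-02", "LT-07", "SRV-01", "WS-09"]
SAMPLE_INVENTORY = {
    "WS-01": {"last_checkin": date(2026, 5, 1), "installed": {SAMPLE_PATCH}},
    "WS-02": {"last_checkin": date(2026, 4, 30), "installed": set()},           # silent failure
    "LT-07": {"last_checkin": date(2026, 4, 5), "installed": {SAMPLE_PATCH}},   # 26 days stale
    "SRV-01": {"last_checkin": date(2026, 5, 1), "installed": {SAMPLE_PATCH}},
}

if __name__ == "__main__":
    result = reconcile(SAMPLE_PATCH, SAMPLE_PUSHED, SAMPLE_INVENTORY, date(2026, 5, 1))
    for bucket in ("verified", "unverified", "stale", "unknown"):
        print(f"{bucket:>10}: {', '.join(result[bucket]) or '-'}")
    print(f"dashboard says pushed: {len(SAMPLE_PUSHED)}; proven installed: {result['coverage']}%")
```

The deployment tool would report five machines targeted, while the proof of installation covers two of them; the other three are the gap the post describes.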
The bottom line
Patch management will never be the exciting part of running a business. Nobody puts “we patch on a disciplined schedule” on a billboard. But it closes the single most common door attackers use, it is largely within your control, and doing it well costs a small fraction of what a breach costs.
You can absolutely run this in-house. It takes the right tooling and, more than anything, the discipline to keep it running every week without fail. That last part is what quietly falls apart at most small businesses once things get busy. If you have the time and the systems to hold that line, do it.
If you would rather not carry it yourself, this is exactly the kind of always-on, unglamorous work a managed IT partner exists to take off your plate. We treat patching as a system that runs on a schedule, covers the whole environment, and produces proof that it happened, so you are not finding out during an incident that a machine slipped through. Either way, the worst option is the common one: assuming it is handled because updates are switched on somewhere.
If you want a straight answer on where your business actually stands, contact Harmony MSP at (407) 720-6540.