The 72-Hour Patch Window: Why Monthly IT Updates May No Longer Be Enough

Research from Google’s Project Zero and Mandiant has shown that many critical vulnerabilities are now being actively exploited within 72 hours of public disclosure. That is three days. If your business runs on a monthly patching cycle, you could be left exposed for up to four weeks after a serious vulnerability becomes known and attackers start using it.

For most London businesses, monthly patching feels like a sensible cadence. It is predictable, manageable, and fits neatly into a calendar. But the threat landscape has shifted significantly, and the gap between a vulnerability being published and it being exploited has compressed to the point where monthly cycles alone are no longer adequate for the most serious risks.

According to the UK Government’s Cyber Security Breaches Survey 2025, only a minority of UK businesses have a formal patch management process in place at all. For organisations without one, the exposure window is not weeks. It is indefinite.

If your organisation relies on a managed business IT support services provider to keep your systems current, understanding how their patching approach works, and whether it specifically accounts for critical vulnerabilities, is one of the most important questions you can ask.

How Quickly Are Vulnerabilities Being Exploited?

The exploitation timeline for critical vulnerabilities has shortened dramatically over the past five years, and the trend is continuing in one direction.

When the ProxyLogon vulnerability in Microsoft Exchange was disclosed in March 2021, attackers were exploiting it within hours of the patches being made public. The Log4Shell vulnerability in December 2021 was being actively exploited within 12 hours of disclosure. More recently, vulnerabilities in widely used VPN appliances, firewall management interfaces, and remote access tools have been weaponised within 24 to 48 hours of their CVE numbers being published.

A 2024 Mandiant report found that the median time from vulnerability disclosure to active exploitation in the wild had dropped to under five days for the most critical vulnerabilities. For those affecting perimeter-facing devices, the window is frequently shorter still.

The 72-hour benchmark reflects the realistic upper limit for how long you have before attackers are likely to be actively using a critical exploit in campaigns. For some vulnerabilities, that figure is optimistic.

Our post on common network vulnerabilities and how to fix them explains what the most frequently exploited vulnerability classes look like and why they remain so persistent across UK business environments.

What Patch Tuesday Actually Covers

Microsoft releases security updates on the second Tuesday of every month, a cycle widely known as Patch Tuesday. This has been the standard rhythm for most Windows-focused IT environments for over two decades, and it works well as a baseline.

The problem is that Patch Tuesday covers Microsoft products only, and it operates on a fixed schedule regardless of when vulnerabilities are discovered. If a critical zero-day is published on the Wednesday after Patch Tuesday, your Windows systems may not receive a formal update for another 27 days unless Microsoft issues an emergency out-of-band patch.

Beyond Microsoft, your environment includes third-party applications, network devices, cloud services, and potentially dozens of other products with their own patching schedules. Adobe, Google Chrome, Citrix, VMware, Cisco, and many other vendors release critical patches outside any fixed monthly window.

A patching strategy that relies solely on Patch Tuesday is equivalent to checking the locks on your front door once a month while leaving the back windows open indefinitely in between.

Our post on endpoint hardening steps that reduce real-world attacks explains how a broader patching approach, covering both operating systems and third-party software, forms part of a practical hardening strategy for business environments.

The Real Cost of Slow Patching for UK Businesses

The consequences of slow patching are well documented in UK-specific cases.

The 2017 WannaCry ransomware attack, which affected NHS Trusts across England and caused estimated damages of around £92 million according to the National Audit Office, exploited a vulnerability that Microsoft had patched two months earlier. The organisations affected had simply not applied the available update in time.

More recently, several high-profile UK data breaches have involved attackers entering through unpatched perimeter devices, particularly VPN appliances and firewall management interfaces. In most of these cases, the vendor had already released a patch before the attack occurred. The organisations were not caught by a zero-day. They were caught by a known, fixable vulnerability that had not been addressed.

IBM’s 2024 Cost of a Data Breach Report puts the average cost of a UK data breach at approximately £3.08 million for larger organisations. Smaller businesses face proportionally significant losses in downtime, customer impact, and potential regulatory exposure under GDPR.

Our post on how to protect your business from ransomware covers the attack lifecycle in practical terms, and our small business ransomware guide explains what steps UK businesses should have in place to reduce their exposure to these kinds of incidents.

A Risk-Based Approach to Patch Management

The answer is not to patch everything within hours of every release, which is operationally impractical for most businesses. The answer is a risk-based approach that matches the speed of remediation to the severity of the vulnerability and the exposure of the affected system.

A well-structured patch management programme divides vulnerabilities into priority tiers and assigns realistic target remediation timeframes to each.

Critical vulnerabilities affecting internet-facing systems

These need to be patched within 24 to 72 hours of the patch being available. They include vulnerabilities in perimeter devices such as VPNs, firewalls, and remote access tools, as well as critical operating system vulnerabilities that allow unauthenticated remote code execution.

High-severity vulnerabilities affecting internal systems

These should be addressed within seven days. They include vulnerabilities that could be exploited by an attacker who already has a foothold inside your network, or those that allow privilege escalation to administrator level.

Medium-severity vulnerabilities

These should be addressed within 30 days, in line with your regular patching cycle. They include vulnerabilities that require specific conditions to exploit and those affecting systems with limited internal exposure.

Low-severity vulnerabilities and configuration improvements

These can be addressed within a standard quarterly review cycle, provided you maintain a documented log of what has been deferred and why.

Our post on why IT compliance matters explains how a structured patching policy supports wider compliance obligations, and our guide on why your business should become Cyber Essentials accredited covers the specific patching requirements within the Cyber Essentials framework, which currently mandates that critical patches be applied within 14 days of release.

Patching Priority Framework

| Severity Level | Typical Examples | Target Patch Window | Risk of Delay |
| --- | --- | --- | --- |
| Critical, internet-facing | VPN exploits, unauthenticated RCE, zero-days | 24 to 72 hours | Immediate compromise, ransomware deployment |
| High, internal systems | Privilege escalation, lateral movement exploits | 7 days | Attacker expansion within network |
| Medium | Authenticated exploits, limited reach | 30 days | Elevated risk when combined with other gaps |
| Low | Low exploitability, unlikely in practice | 90 days | Minimal if other controls are in place |
| End-of-life systems | No patch available or forthcoming | Immediate isolation or replacement | Permanent unaddressed exposure |

The framework above reflects what a competent managed business IT support services provider should be working to as a minimum. If your current IT support partner cannot tell you what their target patch window is for each severity tier, that is a meaningful gap in your security posture.
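The tiers described above and summarised in the Patching Priority Framework table translate directly into a small piece of tooling: given a finding's severity, whether the asset is internet-facing, whether the vendor still supports it, and when the fix was released, you can compute the target date and see at a glance which items have blown their window. The following is an added worked example written for this post, not Northern Star's own tooling. It assumes the tier names, the field layout of a finding, and the treatment of a critical rating on an internal-only asset (placed in the 7-day tier, since the text ties the 72-hour tier to internet exposure); all findings are constructed sample data and the CVE identifiers are placeholders.

```python
"""Risk-based patch prioritisation, as an added worked example.

Illustrative code written for this post, not a vendor's or MSP's product.
It encodes the tiers from the Patching Priority Framework table (72 hours,
7 days, 30 days, 90 days, isolate-or-replace) and reports which findings
have exceeded their target window. All findings below are constructed
sample data and the CVE identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Target windows in days per tier. None marks the end-of-life tier, where
# there is no patch to wait for and the asset must be isolated or replaced.
TIER_WINDOW_DAYS = {
    "critical-internet-facing": 3,   # 24 to 72 hours
    "high-internal": 7,
    "medium": 30,
    "low": 90,
    "end-of-life": None,
}


@dataclass
class Finding:
    cve_id: str             # placeholder identifier in the sample data
    asset: str
    severity: str           # "critical", "high", "medium" or "low"
    internet_facing: bool
    vendor_supported: bool  # False = product is end-of-life, no fix forthcoming
    patch_released: date    # when the vendor fix became available


def classify(f: Finding) -> str:
    """Assign a framework tier from severity, exposure and support status.

    Assumption of this example: a critical rating on an internal-only asset
    goes to the 7-day tier, because the 72-hour tier is defined by internet
    exposure rather than by the severity label alone.
    """
    if not f.vendor_supported:
        return "end-of-life"
    if f.severity == "critical" and f.internet_facing:
        return "critical-internet-facing"
    if f.severity in ("critical", "high"):
        return "high-internal"
    if f.severity == "medium":
        return "medium"
    return "low"


def due_date(f: Finding) -> Optional[date]:
    """Date by which the fix should be applied, or None for end-of-life assets."""
    window = TIER_WINDOW_DAYS[classify(f)]
    if window is None:
        return None
    return f.patch_released + timedelta(days=window)


def status(f: Finding, today: date) -> str:
    """'isolate-or-replace', 'overdue' or 'within-window' as of `today`."""
    due = due_date(f)
    if due is None:
        return "isolate-or-replace"
    return "overdue" if today > due else "within-window"


def report(findings: list, today: date) -> list:
    """Rows sorted most urgent first: EOL assets, then overdue items by tier."""
    tier_order = list(TIER_WINDOW_DAYS)
    rows = [{"asset": f.asset, "cve_id": f.cve_id, "tier": classify(f),
             "due": due_date(f), "status": status(f, today)} for f in findings]
    rows.sort(key=lambda r: (r["status"] != "isolate-or-replace",
                             r["status"] != "overdue",
                             tier_order.index(r["tier"])))
    return rows


# Constructed sample findings; identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-EXAMPLE1", "vpn-gw-01", "critical", True, True, date(2025, 6, 5)),
    Finding("CVE-0000-EXAMPLE2", "file-srv-02", "high", False, True, date(2025, 6, 6)),
    Finding("CVE-0000-EXAMPLE3", "hr-app-01", "medium", False, True, date(2025, 5, 1)),
    Finding("CVE-0000-EXAMPLE4", "print-srv-01", "low", False, True, date(2025, 6, 1)),
    Finding("CVE-0000-EXAMPLE5", "legacy-ctrl-01", "high", True, False, date(2024, 1, 1)),
]
SAMPLE_TODAY = date(2025, 6, 10)  # constructed "as of" date for the sample run

if __name__ == "__main__":
    for row in report(SAMPLE_FINDINGS, SAMPLE_TODAY):
        print(f"{row['status']:<19} {row['tier']:<25} {row['asset']:<15} due {row['due']}")
```

Running the sample puts the unsupported controller at the top (no due date, isolate or replace), then the internet-facing VPN gateway whose 72-hour window closed two days ago, then a medium finding that has drifted past the regular 30-day cycle. The two remaining items are still inside their windows. The sort order is the point: an overdue medium item outranks a high item that is still within its 7 days, because the framework measures lateness against the tier, not severity alone.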

What Good Patch Management Looks Like in Practice

A robust patch management programme has several components that go well beyond simply applying updates when they arrive.

Continuous vulnerability scanning

Rather than discovering vulnerabilities manually or waiting for vendor notifications, continuous scanning tools monitor your environment and flag new issues as they are disclosed. This is distinct from an annual penetration test, which is a point-in-time assessment. Our comparison of penetration testing vs vulnerability scanning explains the difference and when each is appropriate. Our post on network penetration testing explained and our guide on how often to run penetration testing explain how regular assessments fit into an ongoing security programme alongside continuous scanning.

An accurate and current asset inventory

You cannot patch what you do not know exists on your network. An up-to-date inventory of every device, operating system, and application in your environment is a non-negotiable prerequisite for effective patch management. Our post on IT service management explained covers how asset management fits within a broader ITSM framework.

Patch testing before wide deployment

Patches occasionally cause compatibility issues, particularly in environments running older or bespoke software. A sound patch management process includes testing critical patches in a staging environment before broad deployment, reducing the risk of a patch causing more disruption than the vulnerability it addresses.

An out-of-band patching capability

When a critical vulnerability emerges mid-cycle, your IT team needs to be able to respond outside of the normal scheduled window. This requires a documented process, clear escalation paths, and the authority to act quickly when the situation demands it. Our post on the hidden costs of reactive IT makes the financial case for having these processes established before you need them.

Endpoint detection and response as a safety net

Even with excellent patch management, zero-day vulnerabilities cannot be patched until a patch exists. EDR tools provide a detection layer that can identify exploitation attempts and contain them before they spread through your environment. Our posts on EDR vs antivirus vs XDR, why EDR matters more than ever, and the crucial role of EDR in modern IT security explain how these tools function as a complement to patching rather than a replacement for it.

Backup and recovery readiness

If a vulnerability is exploited before a patch can be applied, the speed and completeness of your recovery depends entirely on your backup posture. Our posts on Microsoft 365 backup, cloud-to-cloud backup explained, and common cloud-to-cloud backup mistakes explain what a solid backup strategy should include and what gaps to watch out for. Your Microsoft 365 support services provider in London should include backup as a core part of their service, not an optional add-on.

Dark Web Monitoring and Phishing as Part of the Picture

Patching addresses one half of the exposure. The other half is monitoring for signs that your systems have already been compromised during any window where patches were not yet applied.

A dark web monitoring company in London will alert you if credentials harvested from an unpatched system surface on underground forums. Our post on dark web monitoring explained covers how this works in practice, and our guide on what to do if your credentials appear on the dark web gives you a clear and practical response process.

Working with an anti-phishing company in New York or a London-based provider also covers a related risk. Phishing attacks are frequently used to deliver payloads that exploit known vulnerabilities on target systems. An attacker who cannot exploit your environment directly may try to get an employee to run a file that does it for them.

Patching Across Multiple Countries

If your organisation operates internationally, patch management complexity increases significantly. Different offices may run different software versions and device types, managed by local IT teams working to different standards and schedules.

A multinational IT support company can apply a consistent patch management framework across all your locations, ensuring a critical vulnerability is addressed everywhere within the same timeframe, not just at your head office. For European offices, European support services providers understand both the technical and regulatory context in which patching decisions are made, particularly under GDPR, where failure to apply available patches can contribute to a finding of insufficient technical measures following a breach.

If you are running different systems across different offices as a result of recent growth or acquisitions, a platform migration services provider can help you standardise your environment, which makes patch management significantly simpler and more consistent to manage.

Linking Patching Into Your Broader Security Posture

Patch management does not stand alone. Our posts on endpoint security for remote teams and endpoint security that pays off explain how endpoint controls complement a strong patching programme. Our post on the importance of penetration testing in cybersecurity explains how regular testing validates whether your patching is actually closing the gaps it should be, and our network penetration testing service can provide that validation on a scheduled basis.

Our security services overview covers the full range of protections available for businesses at different stages of their security maturity, and our IT consulting team can help you build a prioritised roadmap for improving your patch management approach.

If a patching failure or successful exploit escalated into a significant outage, your ability to recover would depend on having a business continuity plan ready. Our post on why your business needs a business continuity plan covers what that should look like.

And if you are considering bringing in external support to manage your patching programme more effectively, our post on the benefits of outsourcing your IT to an MSP explains why specialist managed support typically delivers faster response times and broader coverage than an internal team working alongside other responsibilities.

Frequently Asked Questions

Is monthly patching ever sufficient, or is it always a risk?

For low and medium severity vulnerabilities, monthly patching is an acceptable cadence. For critical vulnerabilities, particularly those affecting internet-facing systems, monthly patching leaves your business exposed for far too long. A risk-based approach with a 72-hour window for the most severe issues is a far stronger posture.

What is a zero-day vulnerability and how do you defend against something that cannot be patched?

A zero-day is a vulnerability being actively exploited before the vendor has released a fix. Since there is no patch available, other controls become essential: EDR tools to detect exploitation attempts, network segmentation to limit lateral movement, and monitoring to catch unusual behaviour quickly. Once a patch is released for a former zero-day, it should immediately become your highest patching priority.

How do we find out which vulnerabilities are being actively exploited right now?

The NCSC publishes alerts and advisories for vulnerabilities actively being exploited against UK organisations. The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities catalogue that is freely accessible. A good managed IT provider will subscribe to these sources and act on them proactively without waiting to be told.
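Acting on a source such as the CISA Known Exploited Vulnerabilities catalogue means more than reading it: the value comes from cross-referencing it against the asset inventory described earlier, so that every listed product you actually run becomes a named piece of out-of-band work. The following is an added example written for this post, not CISA's code or Northern Star's. The field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse) follow the JSON schema CISA publishes for the catalogue; the catalogue contents, inventory entries and CVE identifiers are all constructed placeholders, and the inventory format is an assumption of the example.

```python
"""Cross-reference a KEV-format catalogue against an asset inventory.

Added illustrative code, not CISA's or an MSP's tooling. The field names
follow the JSON schema CISA publishes for the Known Exploited Vulnerabilities
catalogue (live feed: https://www.cisa.gov/sites/default/files/feeds/
known_exploited_vulnerabilities.json). Every value below is constructed
sample data and the CVE identifiers are placeholders; the example runs
entirely offline.
"""
import json
from datetime import date

# Constructed stand-in for the catalogue JSON document.
SAMPLE_CATALOG_JSON = """
{
  "title": "Constructed sample in the KEV catalogue format",
  "vulnerabilities": [
    {"cveID": "CVE-0000-EXAMPLE1", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "vulnerabilityName": "ExampleVPN authentication bypass (constructed)",
     "dateAdded": "2025-06-05", "dueDate": "2025-06-12",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-EXAMPLE2", "vendorProject": "ExampleCorp", "product": "WidgetServer",
     "vulnerabilityName": "WidgetServer remote code execution (constructed)",
     "dateAdded": "2025-05-20", "dueDate": "2025-06-10",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-EXAMPLE3", "vendorProject": "UnrelatedVendor", "product": "UnrelatedApp",
     "vulnerabilityName": "UnrelatedApp path traversal (constructed)",
     "dateAdded": "2025-06-01", "dueDate": "2025-06-22",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed inventory in an assumed layout: what the asset register says is deployed.
# Vendor and product strings deliberately differ in case from the catalogue.
SAMPLE_INVENTORY = [
    {"asset": "vpn-gw-01", "vendor": "ExampleVendor", "product": "ExampleVPN", "internet_facing": True},
    {"asset": "web-01", "vendor": "examplecorp", "product": "widgetserver", "internet_facing": True},
    {"asset": "ws-042", "vendor": "OtherCo", "product": "Editor", "internet_facing": False},
]


def _key(vendor: str, product: str) -> tuple:
    """Case- and whitespace-insensitive (vendor, product) key for matching."""
    return (vendor.strip().lower(), product.strip().lower())


def load_catalog(text: str) -> list:
    """Parse a KEV-format document and return its vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def match_inventory(catalog: list, inventory: list, today: date) -> list:
    """One row per (asset, catalogue entry) pair that matches, most urgent first."""
    by_product = {}
    for entry in catalog:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    rows = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendor"], asset["product"]), []):
            rows.append({
                "asset": asset["asset"],
                "cve_id": entry["cveID"],
                "internet_facing": asset["internet_facing"],
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
                "date_added": entry["dateAdded"],
                "catalog_due": entry["dueDate"],
                "past_due": today > date.fromisoformat(entry["dueDate"]),
                "required_action": entry["requiredAction"],
            })
    # Internet-facing assets first, then known ransomware use, then oldest listing.
    rows.sort(key=lambda r: (not r["internet_facing"], not r["ransomware_use"], r["date_added"]))
    return rows


SAMPLE_TODAY = date(2025, 6, 11)  # constructed "as of" date for the sample run


def sample_matches() -> list:
    """Run the match over the constructed catalogue and inventory."""
    return match_inventory(load_catalog(SAMPLE_CATALOG_JSON), SAMPLE_INVENTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    for r in sample_matches():
        flags = " ".join(name for name, on in (("INTERNET-FACING", r["internet_facing"]),
                                               ("RANSOMWARE", r["ransomware_use"]),
                                               ("PAST-DUE", r["past_due"])) if on)
        print(f"{r['asset']:<10} {r['cve_id']:<18} added {r['date_added']} due {r['catalog_due']} {flags}")
```

The third catalogue entry never appears in the output because nothing in the inventory runs that product, which is exactly the filtering a team needs: the feed is long, the subset that applies to you is short, and that subset is what goes into the out-of-band process. The catalogue's own dueDate is a federal agency deadline and is shown only as a reference point; for internet-facing assets the 72-hour window from the framework above is the target to work to.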

Does Cyber Essentials address patch management?

Yes. Cyber Essentials requires that critical security updates be applied within 14 days of release. This is a reasonable minimum, but for the most critical vulnerabilities affecting internet-facing systems, we recommend tightening that window to 72 hours. Cyber Essentials Plus includes a technical audit that can verify whether your patching controls are working as intended.

What should we do if a critical patch is released and we have not had time to test it before applying it?

For truly critical vulnerabilities on internet-facing systems, the risk of not patching typically outweighs the risk of a compatibility issue. Apply the patch, ensure your backup is current before you do, and monitor closely for disruption. For internal systems where the risk is lower, a short testing window of 24 to 48 hours is usually feasible without meaningfully increasing your exposure.

Strengthen Your Patch Management Today

If your business is running on a monthly patching cycle with no defined process for critical vulnerabilities, the gap between when a patch is available and when you apply it is an open window for attackers.

Northern Star provides managed business IT support services that include continuous vulnerability monitoring, prioritised patch management, and out-of-band response for critical issues, so you are never left waiting for the next scheduled update window when speed matters most.

Get in touch with our team today or call us on 0800 319 6032. You can also visit our Why Us page to learn more about how we support London businesses with proactive, structured IT security.