top of page

Creating good cyber hygiene patterns with patches

Businesses are having to operate in an increasingly digital world, and as such, cyber security is something that should concern us all. One area of cyber security is something called ‘patching’. A patch is an update to software, including operating systems such as Android and iOS, that are designed to address security vulnerabilities and bugs that have been discovered. The patches could also add new features, fix performance issues or improve software stability.

How does a patch work?

As new vulnerabilities and exploits are discovered, software developers will create patches to address these issues and to prevent attackers from exploiting them. Patching ensures that your software is equipped with the latest security features, reducing the likelihood of a vulnerability being exploited.

So, if you don't patch your software, you are exposing your business or organisation to security risks. Hackers and cybercriminals look for vulnerabilities that can be exploited, and if they find one in your software then they will look to take advantage of this whether through stealing information, encrypting data, accessing accounts or deploying malware. These attacks can lead to financial losses, reputational damage, and loss of business continuity.

Software updates are essential

Over the last three UK Government Cyber Security Breaches Surveys, some areas of cyber hygiene have seen consistent declines among businesses, including having policies to apply software security updates within 14 days (43% in 2021, vs. 31% in 2023). These trends mainly reflect shifts in the micro-business population and, to a lesser extent, small and medium businesses – large business results have not changed.

The WCRC and police cybercrime units in Wales recently got together at an event to hear from industry speakers, as well as listen to case studies of investigations. One account highlighted the importance of patching, where third-party IT support had neglected to take timely action after a patch had been released. This had left its client’s business exposed and resulted in a ransomware being successfully deployed. That business suffered significant financial damage and a loss of business continuity, as well as the personal stress associated with such an incident.

The National Cyber Security Centre (NCSC) advises paying particular attention to:

  • Operating systems (OS): Most operating systems support automatic updates but will need the feature to be enabled. It's normally enabled by default but could have been turned off

  • Web browser and extensions: Web browsers are particularly vulnerable, as they are very complex pieces of software and the sites you visit could potentially exploit flaws in them.

  • Third-party apps – especially office apps: Apps you install yourself will need to be kept up to date. Some apps will update themselves; some will update through your device’s app store, but some might need you to install updates yourself.

  • Anti-virus: If you use anti-virus, ensure these are updated regularly. Like other software, anti-virus updates include bug fixes and new features, but also include new signatures which can be used to detect new malware (malicious software) that's recently been detected.

Some other things to bear in mind are:

  1. Consider turning on automatic updates where available. Remember that automatic updates might only occur if the device is connected to Wi-Fi, connected to power, powered on at a specific time of day, has sufficient storage, and/or isn't too far out of date. Some updates might require the device to be manually restarted. If a device hasn't been restarted in a while, then the update might not be installed.

  2. Make sure you regularly backup your data - before you update is an ideal time to do this.

  3. If you have a large number of devices - you might want to test updates on a small number of them before updating all of them to make sure the apps you use continue to work after the updates. But don’t delay for too long - criminals can work out what the original vulnerabilities were and attack those that haven’t been patched.

  4. Install updates promptly when notified - ideally within a few days.

  5. Check occasionally that your device is keeping itself up to date - automatic updates can sometimes break (e.g. if you have low storage on your device).

You can get more information on applying updates by refering to the NCSC's guidance on Vulnerability Management.

The WCRC offers vulnerability assessment services which search for known weaknesses and security issues in your system. Typically, these include looking for vulnerabilities through being outdated when a patch is available.

Information on keeping software up to date for individual platforms can be found on the various manufacturer websites:

Platform Updates guidance


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for Wales is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for Wales provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for Wales does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for Wales is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page