Patching is such a core part of MSP DNA that it’s easy to overlook. I’ve talked with many MSP owners who get pulled into the latest, most urgent cyberthreats—only to lose sight of the basics: patching.
Patching is the cybersecurity equivalent of brushing your teeth. It’s not glamorous or new, but it’s essential to staying secure.
The reality is
The numbers make it clear why patching complacency is dangerous. Software vulnerabilities have now overtaken credential abuse as the number one initial access vector, accounting for nearly half of all incidents. With the help of AI, the time between vulnerability disclosure and active exploitation is shrinking, so organizations running monthly or quarterly patch cycles are increasingly exposed during that window.
The temptation, of course, is to patch everything at once. Marty Hitzeman, Director of Marketing at Empist, an IT services firm, tells the SmarterMSP.com blog that this instinct actually backfires. “If everything is urgent, nothing is urgent,” he says, “and with too many teams involved, managing larger-scale risks means other less critical ones will hide more important issues.” The answer, he argues, is building a framework ranked by actual risk rather than severity scores alone.
That means understanding what CVSS scores actually tell you, and what they don’t. “CVSS scores represent the conceptual gravity of a vulnerability,” Hitzeman explains, “and do not take into account how exposed your environment is, whether active exploits for that vulnerability are being used in the wild, or whether the affected system is critical to your infrastructure.” A high-severity vulnerability on an isolated, non-customer-facing system, he notes, simply does not represent the same risk as a medium-severity vulnerability on an internet-facing endpoint currently being exploited by attackers.
Setting the framework
Shankar Somasundaram, CEO at Asimily, an IoT and device security firm, lays out a four-question framework for getting the prioritization right.
- Is there an actual attack path? “An internet-facing server with the vulnerable software open to the world is in a different position than the same software on a segmented internal device that never touches external traffic,” he says.
- Are attackers actively exploiting the vulnerability? CISA’s Known Exploited Vulnerabilities (KEVs) catalog answers this directly: Anything listed there should jump the queue regardless of CVSS score. “A 9.8 with no observed exploitation can matter a lot less than a 7.2 that ransomware operators are using this week.”
- What does the asset do, and what does it cost if it goes down?
- When patching isn’t immediately possible, are there compensating controls?
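The point Hitzeman makes about CVSS (it measures severity, not exposure, exploitation or asset importance) and Somasundaram’s four questions can be expressed as a small scoring model. The following is an added example written for this page, not tooling from Asimily, Empist or Inforcer; the weights, the field names and the four sample findings (with placeholder identifiers, not real CVEs) are constructed assumptions chosen to show how a 9.8 on a segmented internal box can land at the bottom of the queue while a 7.2 in CISA’s KEV catalog on an internet-facing asset lands at the top.

```python
"""Risk-ranked patch queue: CVSS adjusted by the four framework questions.

Example code written for this page (not any vendor's product). All weights
and sample findings below are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Finding:
    vuln_id: str                  # placeholder IDs, not real CVE numbers
    cvss: float                   # CVSS base score, 0.0 to 10.0
    internet_facing: bool         # Q1: is there an actual attack path?
    in_kev: bool                  # Q2: listed in CISA's KEV catalog?
    asset_criticality: int        # Q3: 1 (lab box) .. 5 (revenue-critical)
    compensating_controls: list[str] = field(default_factory=list)  # Q4


def risk_score(f: Finding) -> float:
    """Turn a severity score into an environmental risk score.

    The multipliers are assumptions; tune them to your own environment.
    """
    score = f.cvss
    # Q1: no reachable attack path sharply reduces effective risk
    score *= 1.0 if f.internet_facing else 0.4
    # Q2: observed exploitation jumps the queue regardless of CVSS
    if f.in_kev:
        score += 10.0
    # Q3: scale by what the asset does and what an outage would cost
    score *= f.asset_criticality / 3.0
    # Q4: each compensating control (segmentation, WAF rule, disabled
    # feature) buys time, so it discounts the score rather than zeroing it
    score *= 0.75 ** len(f.compensating_controls)
    return round(score, 2)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest environmental risk first; this is the patch queue."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings (not from any real scan).
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.8, internet_facing=False, in_kev=False, asset_criticality=2),
    Finding("VULN-B", 7.2, internet_facing=True, in_kev=True, asset_criticality=4),
    Finding("VULN-C", 8.1, internet_facing=True, in_kev=True, asset_criticality=4,
            compensating_controls=["waf-virtual-patch"]),
    Finding("VULN-D", 5.3, internet_facing=True, in_kev=False, asset_criticality=5),
]


def queue_ids(findings: list[Finding]) -> list[str]:
    """Return the ordered list of IDs; convenient for reports and tests."""
    return [f.vuln_id for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.vuln_id:8} cvss={f.cvss:<4} kev={f.in_kev!s:5} "
              f"exposed={f.internet_facing!s:5} risk={risk_score(f)}")
```

Run as-is, the queue comes out as VULN-B, VULN-C, VULN-D, VULN-A: the KEV-listed 7.2 on an exposed, important asset ranks first, the same kind of bug behind a compensating control drops a notch, and the 9.8 on a segmented low-value device ranks last. Sorting by CVSS alone would have put VULN-A first.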
Prioritize what matters
Lewis Berry, Principal Security Architect and Microsoft MVP at Inforcer, a Microsoft 365 policy management platform, frames the shift that’s needed simply: “The problem isn’t really that teams are slow, it’s that the model itself hasn’t kept up. Attackers aren’t waiting for your maintenance window anymore.” His approach: triage over volume. “When attackers exploit a vulnerability and expose it, it jumps the queue immediately. Everything else can wait. It’s a lot less about perfection and a lot more about reducing real-world risk quickly.”
Getting patching right matters more than ever
Hitzeman puts a fine point on the stakes for MSPs. The biggest risk isn’t failing to patch—it’s believing you’ve done enough when you haven’t.
“The biggest risk of not having a prioritization framework,” he says, “is that patching on a regular basis gives people and organizations a false sense of security. When in reality they are not patching correctly.”
For MSPs, that false sense of security can ripple across multiple client environments. Closing hundreds of low-risk vulnerabilities might check a box—but leaving even a handful of high-risk exposures unaddressed means the real risk is still sitting there.
Patching at scale isn’t about doing more—it’s about doing what matters most. And in today’s threat landscape, that focus is what separates MSPs who manage tickets from those who truly manage risk.