Cyber Essentials

Security Update Management: Staying Protected

Security update management (also known as patch management) is about keeping software current and protected against known vulnerabilities. When a vulnerability is discovered and publicised, attackers often develop exploits quickly. Timely patching is one of the most effective ways to protect your organisation.

Key Takeaways

Point | Summary
14-day rule | Apply high/critical severity patches within 14 days of release
Supported software only | Only use software that's still receiving vendor security updates
Enable auto-updates | Where possible, enable automatic updates for OS and applications
Remove unsupported | Remove any end-of-life software that no longer receives patches
All software in scope | OS, applications, browsers, plugins, firmware—everything needs to be patched

Quick Answer: Cyber Essentials requires applying high/critical patches within 14 days. Only use supported software that receives updates. Enable automatic updates where possible. Remove any unsupported or end-of-life software.

Why updates matter

Software vulnerabilities are discovered constantly. Once a vulnerability becomes known, there's a race between defenders applying patches and attackers exploiting the flaw.

Typical vulnerability timeline:

  1. Vulnerability discovered
  2. Vendor notified (responsible disclosure)
  3. Patch developed
  4. Patch released—your window to patch before exploitation begins
  5. Exploit code developed (often within hours or days)
  6. Mass exploitation begins
  7. Your systems are vulnerable if still unpatched

The 14-day patching window exists because this timeline can be remarkably short for critical vulnerabilities.

What Cyber Essentials requires

Core requirements

Requirement | Details
Supported software | Only use licensed, vendor-supported software
Critical/high patches | Apply within 14 days of release
Remove unsupported | Uninstall end-of-life software
Automatic updates | Enable where possible

The 14-day rule

Cyber Essentials specifies that patches for vulnerabilities rated as 'Critical' or 'High' severity must be applied within 14 days:

Severity | Timeline
Critical | Within 14 days (as soon as practical)
High | Within 14 days
Medium | Reasonable timeframe
Low | Next maintenance window

What needs to be updated

Operating systems:

  • Windows (Desktop and Server)
  • macOS
  • Linux distributions
  • iOS and Android
  • Any other OS in scope

Applications:

  • Web browsers (Chrome, Firefox, Edge, Safari)
  • Email clients
  • Office suites
  • PDF readers
  • Media players
  • Java runtime
  • .NET framework
  • Business applications
  • Security software

Firmware:

  • BIOS/UEFI
  • Router firmware
  • Firewall firmware
  • Switch firmware
  • IoT device firmware
  • Network equipment

Implementing update management

Step 1: Software inventory

You can't update what you don't know you have:

Component | Information Needed
Operating systems | Type, version, device count
Applications | Name, version, install location
Firmware | Device, current version
Cloud services | Which aspects are your responsibility

Step 2: Determine support status

For each software item:

Status | Action
Actively supported | Keep updated
Extended support | Plan for migration
End of life | Remove or isolate immediately
Unknown | Research and determine

Step 3: Enable automatic updates

Where possible, automate updates:

Windows:

  • Settings → Update & Security → Windows Update
  • Enable automatic updates
  • Configure active hours so updates don't disrupt work
  • Consider Windows Update for Business for more control

macOS:

  • System Preferences → Software Update
  • Enable "Automatically keep my Mac up to date"
  • Check all sub-options
  • Consider MDM for enterprise management

Browsers:

  • Chrome: Updates automatically
  • Firefox: Settings → General → Firefox Updates → Auto
  • Edge: Updates with Windows or automatically
  • Safari: Updates with macOS

Mobile devices:

  • iOS: Settings → General → Software Update → Auto
  • Android: Settings → Software Update → Auto download
  • Consider MDM for enterprise devices

Step 4: Manual update process

For systems that can't be automated, establish a regular process:

Weekly:

  • Check vendor security bulletins
  • Review vulnerability databases
  • Identify applicable patches
  • Prioritise by severity

Assessment:

  • Review patch documentation
  • Test in non-production if possible
  • Plan deployment window
  • Prepare rollback procedure

Deployment:

  • Notify affected users if needed
  • Apply patches
  • Verify successful installation
  • Document completion

Verification:

  • Confirm system functionality
  • Validate security improvement
  • Update inventory records

Platform-specific guidance

Windows updates

Setting | Recommendation
Automatic updates | Enable
Update schedule | Configure active hours
Restart policy | Auto-restart outside working hours
Delivery Optimization | Consider enabling for bandwidth efficiency
WSUS/SCCM | Consider for larger environments

Best practices:

  • Don't defer security updates
  • Allow feature updates after initial testing
  • Monitor for failed updates
  • Check Windows Update history regularly

macOS updates

Setting | Recommendation
Automatic updates | Enable all options
Check frequency | Daily (default)
App Store apps | Auto-update enabled
System data files | Auto-update enabled

Linux updates

Distribution | Update Command
Ubuntu/Debian | sudo apt update && sudo apt upgrade
RHEL/CentOS | sudo yum update or sudo dnf update
Fedora | sudo dnf update

Automation options:

  • Unattended-upgrades (Debian/Ubuntu)
  • dnf-automatic (Fedora/RHEL)
  • Cron jobs
  • Configuration management (Ansible, etc.)
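Automating Linux updates still needs verification ("Verify successful installation" in Step 4, "Update logs review" under verification methods). The following is an added example, not code from the page or from any of the tools listed: it parses a constructed sample in the layout apt writes to /var/log/apt/history.log (unattended-upgrades runs through apt, so its transactions appear there too) and keeps successful upgrades apart from runs apt recorded an error for; the package names and versions are made up.

```python
import re
from datetime import datetime

# Constructed sample in the layout of /var/log/apt/history.log (one blank-line
# separated record per apt transaction). Package names and versions are made up.
SAMPLE_LOG = """\
Start-Date: 2024-03-01  06:25:12
Commandline: /usr/bin/unattended-upgrade
Upgrade: libexample1:amd64 (1.0.1-1, 1.0.1-2), example-tools:amd64 (2.3.0-1, 2.3.1-1)
End-Date: 2024-03-01  06:25:20

Start-Date: 2024-03-02  06:25:10
Commandline: /usr/bin/unattended-upgrade
Upgrade: example-runtime:amd64 (3.1.0-4, 3.1.0-5)
Error: Sub-process /usr/bin/dpkg returned an error code (1)
End-Date: 2024-03-02  06:25:14
"""

# Matches one "name:arch (old_version, new_version)" item of an Upgrade: line
PKG_RE = re.compile(r"(\S+?):(\S+) \(([^,]+), ([^)]+)\)")

def parse_apt_history(text):
    """One dict per transaction: start time, command, upgraded (name, old, new) and any Error line."""
    runs = []
    for record in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        started = " ".join(fields["Start-Date"].split())  # apt pads date and time with two spaces
        runs.append({
            "start": datetime.strptime(started, "%Y-%m-%d %H:%M:%S"),
            "command": fields.get("Commandline", ""),
            "upgraded": [(n, old, new) for n, _arch, old, new in PKG_RE.findall(fields.get("Upgrade", ""))],
            "error": fields.get("Error"),
        })
    return runs

def failed_runs(runs):
    """Transactions with an Error line: the trigger for the 'When updates fail' steps."""
    return [r for r in runs if r["error"]]

def last_upgrade_of(runs, package):
    """Latest (start, new_version) from a successful run that upgraded 'package', else None.
    Runs that ended in an error are ignored so a half-finished upgrade is not counted as applied."""
    hits = [(r["start"], new) for r in runs if not r["error"]
            for name, _old, new in r["upgraded"] if name == package]
    return max(hits) if hits else None
```

On a real host, replace SAMPLE_LOG with the contents of /var/log/apt/history.log (and its rotated copies) and compare last_upgrade_of() against the version the vendor bulletin names.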

Handling end-of-life software

Unsupported software receives no security patches, which creates significant risk.

What to do

Situation | Action
Unsupported OS | Migrate immediately
Unsupported application | Replace with supported alternative
No alternative exists | Isolate system, add compensating controls
Critical business function | Prioritise migration project

Common EOL concerns

Operating systems:

  • Windows 7 reached end of life in January 2020
  • Windows Server 2012 reached end of life in October 2023
  • macOS versions typically have about 3 years of support
  • Older Linux distributions

Applications:

  • Old Office versions
  • Outdated browsers (IE, old Firefox versions)
  • Legacy business applications
  • Unsupported third-party tools

Tracking and verification

Metrics to monitor

Metric | Target
Critical patch compliance (14 days) | 100%
High patch compliance (14 days) | 100%
Medium patch compliance (30 days) | 95%+
End-of-life software instances | 0
Automatic updates enabled | 100% where possible
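The metrics above, together with the inventory and support-status steps from "Implementing update management", can be scored from an inventory with a short script. The following is an added example, not code from the page or from Bastion: it checks a constructed inventory against the 14-day (critical/high) and 30-day (medium) windows, lists overdue patches, and flags end-of-life software; the system names, dates and report date are assumptions.

```python
from datetime import date

# Patch windows from the metrics table: critical/high within 14 days, medium within 30.
# Low severity has no fixed window on the page, so it is not scored.
WINDOW_DAYS = {"critical": 14, "high": 14, "medium": 30}
REPORT_DATE = date(2024, 4, 1)  # constructed "today" for the report

# Constructed inventory records (not real systems):
# (system, software, severity, patch_released, patch_applied or None, vendor_eol or None)
INVENTORY = [
    ("srv-01", "webapp-x",     "critical", date(2024, 3, 1),  date(2024, 3, 9),  None),
    ("srv-01", "pdf-reader",   "high",     date(2024, 3, 1),  date(2024, 3, 20), None),
    ("ws-03",  "email-client", "high",     date(2024, 3, 25), None,              None),
    ("ws-07",  "browser",      "critical", date(2024, 3, 5),  None,              None),
    ("ws-07",  "office-suite", "medium",   date(2024, 2, 1),  date(2024, 2, 25), None),
    ("ws-12",  "legacy-os",    "high",     date(2024, 1, 1),  None,              date(2023, 10, 10)),
]

def days_overdue(severity, released, applied, as_of):
    """Days past the severity window; zero or negative means compliant (or still inside the window).
    Returns None for severities the page gives no fixed window."""
    window = WINDOW_DAYS.get(severity)
    if window is None:
        return None
    end = applied if applied is not None else as_of  # unapplied: measure against the report date
    return (end - released).days - window

def compliance_report(inventory, as_of):
    """Per-severity compliance percentage, overdue patches and end-of-life software instances."""
    scored, met, overdue, eol = {}, {}, [], []
    for system, software, severity, released, applied, eol_date in inventory:
        if eol_date is not None and eol_date <= as_of:
            eol.append((system, software))  # no patch will ever arrive: remove or isolate
            continue
        late = days_overdue(severity, released, applied, as_of)
        if late is None:
            continue
        scored[severity] = scored.get(severity, 0) + 1
        if late <= 0:
            met[severity] = met.get(severity, 0) + 1
        else:
            overdue.append((system, software, severity, late))
    pct = {sev: round(100.0 * met.get(sev, 0) / n, 1) for sev, n in scored.items()}
    return {"compliance_pct": pct, "overdue": overdue, "eol_instances": eol}

if __name__ == "__main__":
    for key, value in compliance_report(INVENTORY, REPORT_DATE).items():
        print(f"{key}: {value}")
```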

Verification methods

Method | Frequency
Vulnerability scans | Weekly or monthly
Manual version checks | Monthly
Update logs review | Weekly
Failed update investigation | As detected

Common challenges and solutions

Challenge | Solution
Update breaks application | Test first where possible, have rollback plan
Limited maintenance windows | Plan carefully, prioritise automation
Remote/disconnected devices | MDM, scheduled connections when on network
Legacy systems | Isolation, compensating controls
Bandwidth limitations | WSUS, local cache, scheduled downloads
User resistance | Education, policy, automation

When updates fail

Immediate actions:

  • Investigate the failure cause
  • Check system logs
  • Retry the update
  • Document the issue

If retry fails:

  • Research the specific error
  • Check vendor knowledge base
  • Apply manual fix if available
  • Open support ticket if needed

How Bastion can help

Keeping everything updated consistently is an ongoing challenge, especially as your environment grows.

Challenge | How We Help
Software inventory | We help discover and track what you have
Vulnerability awareness | We monitor for relevant security bulletins
Patch verification | We verify patches are applied successfully
EOL identification | We track software lifecycle dates
Reporting | We provide compliance visibility

Working with a managed service partner means you're not relying on ad-hoc processes or hoping automatic updates are working. We bring structure and oversight to ensure patching happens consistently and nothing falls through the cracks.
