Why Patch Management Matters More Than Most IT Teams Admit

The WannaCry ransomware attack in 2017 compromised over 300,000 computers across 150 countries. Microsoft had released the patch that would have prevented it two months earlier. The businesses that got hit hadn't applied it.

Patching is not glamorous work. There's no incident to respond to, no visible threat to defend against. But a large proportion of successful cyberattacks exploit vulnerabilities for which patches have been available for months. The businesses that think they're doing "everything right" on security, but aren't patching consistently, have a genuine gap they're probably not aware of.

What patching actually covers, and what gets missed

Most IT providers handle Windows Update reasonably well. Microsoft releases security patches on the second Tuesday of each month, and automated deployment of those patches is standard practice. That covers Windows, but Windows is only part of the picture.

Third-party application patching is where the gap usually is. Browsers, PDF readers, Adobe products, Java, and other commonly installed software are frequent attack vectors, and Windows Update doesn't cover any of them. They require separate patch management tooling. Many IT providers have it configured; many don't actually run it consistently.

Server and network device firmware is another area that gets neglected. Firewalls, switches, and routers run firmware that contains exploitable vulnerabilities, and in small business environments that firmware is frequently years out of date. It's unglamorous to patch, and unlike an out-of-date server, an out-of-date switch or firewall is something nobody notices until it matters.

End-of-life software is the third category: operating systems and applications that no longer receive patches, regardless of how many vulnerabilities are discovered. Windows 10 reached end of support in October 2025. Any machine that can't run Windows 11 is now accumulating unpatched vulnerabilities with no remedy available beyond replacing the hardware.

Your IT provider's patch report probably means nothing

"We have patching enabled" is not patch management. The number that matters is patch compliance: the percentage of your devices that are fully patched against known critical vulnerabilities. Anything below 90% is worth a conversation.

Ask your provider for a patch compliance report. It should break down Windows, third-party applications, and servers separately. It should show percentage compliance over the last 30 days, with exceptions tracked. Remote working devices are often poorly patched because they're off the corporate network and miss deployment windows. If you have home workers on company equipment, ask specifically how they're handled.
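To make the report described above concrete, here is an added example (not from the original post or any particular vendor's tool) that computes patch compliance per category from a constructed device export. It assumes a hypothetical export with one row per device and patch class, a 30-day check-in window, a 90% target, and documented exceptions tracked separately rather than counted as compliant.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Device:
    name: str
    category: str          # "windows", "third_party" or "server"
    last_checkin: date     # when the patch agent last reported in
    missing_critical: int  # critical patches approved but not yet installed
    remote: bool = False   # off-network / home-worker device
    exception: str = ""    # documented reason if the device is exempt

def compliance_report(devices, today, window_days=30, threshold=90.0):
    """Per-category share of in-scope devices with no missing critical patches.
    A device silent for longer than the window counts as non-compliant: it
    cannot be assumed patched. Exempt devices are listed, not scored."""
    cutoff = today - timedelta(days=window_days)
    report = {}
    for d in devices:
        cat = report.setdefault(
            d.category, {"total": 0, "compliant": 0, "stale": [], "exceptions": []})
        if d.exception:
            cat["exceptions"].append((d.name, d.exception))
            continue
        cat["total"] += 1
        if d.last_checkin < cutoff:
            cat["stale"].append((d.name, d.remote))  # remote flag explains why
        elif d.missing_critical == 0:
            cat["compliant"] += 1
    for cat in report.values():
        pct = 100.0 * cat["compliant"] / cat["total"] if cat["total"] else 0.0
        cat["percent"] = round(pct, 1)
        cat["below_threshold"] = cat["percent"] < threshold
    return report

# Constructed sample export (hypothetical devices, not real data). Workstations
# appear once for the OS and once for their third-party applications.
REPORT_DATE = date(2025, 11, 1)
SAMPLE = [
    Device("WS-01", "windows", date(2025, 10, 30), 0),
    Device("WS-02", "windows", date(2025, 10, 29), 2),
    Device("LT-03", "windows", date(2025, 9, 15), 0, remote=True),
    Device("WS-04", "windows", date(2025, 10, 31), 0),
    Device("WS-01", "third_party", date(2025, 10, 30), 1),
    Device("WS-02", "third_party", date(2025, 10, 29), 0),
    Device("WS-04", "third_party", date(2025, 10, 31), 0),
    Device("SRV-DC1", "server", date(2025, 10, 31), 0),
    Device("SRV-LEGACY", "server", date(2025, 10, 31), 5,
           exception="vendor app pinned to unsupported OS; replacement scheduled"),
]
```

Running `compliance_report(SAMPLE, REPORT_DATE)` on this data scores Windows at 50% (the home-worker laptop LT-03 drops out as stale), third-party applications at 66.7%, and servers at 100% with one tracked exception, which is exactly the kind of breakdown a "patching enabled" statement hides.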

If your provider can't or won't produce a compliance report, patching is being done on good intentions rather than evidence.