Patching
A Patching guide

The Defensive Dozen.

The twelve most critical technical and organisational controls that Patching recommend implementing as early as budgets allow. Derived from zero trust principles and the frameworks that buyers, insurers, and regulators already expect — mapped into plain English, in the order that matters.

Zero trust

Assume breach. Verify everything.

Cyber Essentials Plus

The UK baseline.

ISO 27001

The international standard.

NIST

The American framework.

The controls outlined.

Review these controls and think about your own business to get an idea of your gaps.

01

Govern

Executive risk oversight

Cybersecurity is a business risk, not just an IT problem. Without clear ownership from the top, security investments stall and accountability evaporates. Someone senior has to own the risk — and be visibly seen to own it.

What good looks like

  • Named executive owner — Founder in smaller businesses, Chair in professionalised Boards.
  • Risk on the leadership agenda, reviewed at a regular cadence.
  • Top-down tone: security is a priority, not a paperwork exercise.
02

Identity

Identity & access management

Modern attackers don't hack in — they log in. Centralised identity is the single highest-leverage control you can put in place. Every authentication decision evaluated against who, from where, on what device, and how risky the sign-in looks.

What good looks like

  • Single sign-on across every business-critical system.
  • Conditional access rules evaluate user, device, location and risk.
  • Least-privilege access — people only get what they need for their role.
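To make the "who, from where, on what device, and how risky" evaluation concrete, here is an added illustration of a conditional-access decision function. It is example code written for this page, not Patching's tooling or any identity provider's policy engine, and every policy value in it (trusted countries, admin roles, the three-outcome decision) is a constructed assumption for the sake of the demonstration:

```python
"""Toy conditional-access evaluator (added example, not the page's own code).

Each sign-in is judged on user, device, location and the provider's risk
score, from most to least restrictive, so a block can never be downgraded by
a later, looser rule. Policy constants below are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed policy data for the example.
TRUSTED_COUNTRIES = {"GB", "IE"}             # where "normal" sign-ins come from
ADMIN_ROLES = {"it-admin", "finance-admin"}  # roles allowed on admin-grade apps


@dataclass
class SignIn:
    user: str
    role: str
    device_managed: bool    # enrolled in MDM
    device_compliant: bool  # MDM reports it meets policy (patched, encrypted, ...)
    country: str            # ISO 3166 alpha-2 derived from the source IP (assumed)
    risk: str               # provider risk level: "low" | "medium" | "high"
    mfa_satisfied: bool     # a phishing-resistant second factor was presented
    resource_admin: bool    # the requested app is an admin-grade system


def evaluate(s: SignIn) -> str:
    """Return "allow", "require_mfa" or "block" for one sign-in attempt."""
    # 1. High-risk sessions are blocked outright; MFA does not rescue them,
    #    because a stolen session token can replay a completed MFA.
    if s.risk == "high":
        return "block"

    # 2. Admin-grade systems: correct role, managed + compliant device, and MFA.
    if s.resource_admin:
        if s.role not in ADMIN_ROLES:
            return "block"
        if not (s.device_managed and s.device_compliant):
            return "block"
        return "allow" if s.mfa_satisfied else "require_mfa"

    # 3. Ordinary corporate data is only reachable from managed, compliant
    #    devices (the "corporate data on corporate devices" rule of control 04;
    #    a BYOD managed-app path is omitted here to keep the example short).
    if not (s.device_managed and s.device_compliant):
        return "block"

    # 4. Anything unusual, medium risk or an untrusted location, steps up to MFA.
    if s.risk == "medium" or s.country not in TRUSTED_COUNTRIES:
        return "allow" if s.mfa_satisfied else "require_mfa"

    # 5. Known user, healthy device, expected location, low risk.
    return "allow"


def evaluate_all(attempts):
    """Map each constructed attempt to its decision, keyed by user."""
    return {a.user: evaluate(a) for a in attempts}


if __name__ == "__main__":
    # Constructed sample sign-ins.
    samples = [
        SignIn("alice", "staff", True, True, "GB", "low", False, False),
        SignIn("bob", "staff", True, True, "US", "low", False, False),
        SignIn("carol", "it-admin", True, True, "GB", "low", True, True),
        SignIn("dave", "staff", True, True, "GB", "low", True, True),
        SignIn("erin", "staff", False, False, "GB", "low", True, False),
        SignIn("frank", "it-admin", True, True, "GB", "high", True, True),
    ]
    for user, decision in evaluate_all(samples).items():
        print(f"{user:6} -> {decision}")
```

Note that the order of the rules is the policy: putting the location check before the risk check, for example, would let a high-risk sign-in through on MFA alone.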
03

Identity

Passwords, passkeys & secrets

Reused passwords and pasted-into-notes secrets are how most small breaches start. The fix is unglamorous: unique credentials, stored in a secure password manager or vault, with passkeys restricted to devices or password managers you trust.

What good looks like

  • Every password unique, complex and stored in a corporate-controlled encrypted vault.
  • Passkeys restricted by AAGUID to known devices, hardware keys or authorised password managers.
  • API keys and service secrets held in the vault — never in code repositories.
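The "restricted by AAGUID" bullet is the one technical detail here, so an added example shows where the AAGUID actually lives and how a relying party would enforce an allowlist at passkey registration. This is illustrative code written for this page, not Patching's or any WebAuthn library's implementation; the AAGUID values are placeholders, not real vendor identifiers, and the sample authenticator data is constructed inline rather than captured from a device:

```python
"""Enforce a passkey AAGUID allowlist at registration (added example).

WebAuthn authenticator data is laid out as: rpIdHash (32 bytes), flags (1),
signCount (4, big-endian), then, when the AT flag is set, the attested
credential data: AAGUID (16), credentialIdLength (2, big-endian),
credentialId, and the COSE public key (not needed here). Allowlisted AAGUIDs
below are placeholders, not real vendor values.
"""
import hashlib
import struct
import uuid
from typing import Dict, Optional, Tuple

# Placeholder allowlist; a real one is filled from vendor docs or the FIDO MDS.
ALLOWED_AAGUIDS: Dict[uuid.UUID, str] = {
    uuid.UUID("11111111-1111-1111-1111-111111111111"): "corporate hardware key (placeholder)",
    uuid.UUID("22222222-2222-2222-2222-222222222222"): "approved password manager (placeholder)",
}

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric)
FLAG_AT = 0x40  # attested credential data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split authenticator data into its fields; AAGUID is None without AT."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the fixed header")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {"rp_id_hash": rp_id_hash, "flags": flags,
              "sign_count": sign_count, "aaguid": None, "credential_id": None}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credentialId truncated")
        parsed["credential_id"] = cred_id
    return parsed


def registration_allowed(auth_data: bytes, rp_id: str) -> Tuple[bool, str]:
    """Decide whether a new passkey may be registered, with a reason string."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if parsed["aaguid"] is None:
        return False, "no attested credential data in registration response"
    if not parsed["flags"] & FLAG_UV:
        return False, "user verification was not performed"
    # Caveat: the AAGUID is self-reported unless the attestation statement is
    # also verified against the vendor's certificate chain; an allowlist only
    # carries weight together with "direct" attestation and that verification.
    label: Optional[str] = ALLOWED_AAGUIDS.get(parsed["aaguid"])
    if label is None:
        return False, f"AAGUID {parsed['aaguid']} is not on the allowlist"
    return True, label


def build_sample(rp_id: str, aaguid: uuid.UUID,
                 flags: int = FLAG_UP | FLAG_UV | FLAG_AT,
                 cred_id: bytes = b"\xab" * 16) -> bytes:
    """Construct minimal authenticator data for the example (no COSE key)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", 0) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id)


if __name__ == "__main__":
    good = build_sample("example.com", uuid.UUID("11111111-1111-1111-1111-111111111111"))
    unknown = build_sample("example.com", uuid.UUID("99999999-9999-9999-9999-999999999999"))
    print(registration_allowed(good, "example.com"))
    print(registration_allowed(unknown, "example.com"))
```

The parser deliberately stops before the COSE public key, because the allowlist decision needs only the AAGUID and flags; a production relying party would go on to verify the attestation statement and the key itself.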
04

Endpoint

Device & application management

If corporate data ends up on an unmanaged laptop or in a personal app, your policies don't reach it. Manage the device, or manage the app — but do not let sensitive data off-leash onto surfaces you can't control.

What good looks like

  • Corporate data only accessible on corporate-managed devices.
  • Managed applications on personal devices where BYOD is unavoidable.
  • Third-party sharing controls that technically mitigate exfiltration risk.
05

Endpoint

Software update management

Known vulnerabilities get exploited at industrial scale within days of disclosure. Patching is not interesting work — but it is the single most boring control with the biggest payoff. Do it fast, do it everywhere, do it automatically.

What good looks like

  • Operating systems and applications patched within 14 days of vendor release.
  • Server and infrastructure patching held to the same standard — no exceptions.
  • Automated where possible; audited where it is not.
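The 14-day target only means something if it is measured, so here is an added example of the audit half of "automated where possible; audited where it is not": a small script that scores an inventory against the SLA. It is illustrative code for this page, not Patching's tooling; the inventory rows, dates and hostnames are constructed, and in practice the rows would come from the MDM, patch-management or vulnerability-scanner export:

```python
"""Patch-SLA audit over a constructed software inventory (added example).

Each row records what is installed against the vendor's latest release and
when that release shipped. Rows already on the latest version are judged on
how long the install took; rows still behind are judged on how long the fix
has been available. SLA_DAYS reflects the page's 14-day target.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

SLA_DAYS = 14


@dataclass
class Asset:
    host: str
    package: str
    installed: str            # version currently on the host
    latest: str               # vendor's current release
    released: date            # when `latest` shipped
    installed_on: Optional[date]  # when `latest` was installed; None if not yet


def classify(asset: Asset, today: date) -> Tuple[str, Optional[int]]:
    """Return (status, lag_days). Statuses: ok, late, pending, breach, unknown."""
    if asset.installed == asset.latest:
        if asset.installed_on is None:
            return "unknown", None          # patched, but no install timestamp
        lag = (asset.installed_on - asset.released).days
        return ("ok" if lag <= SLA_DAYS else "late"), lag
    lag = (today - asset.released).days
    return ("breach" if lag > SLA_DAYS else "pending"), lag


def audit(inventory: List[Asset], today: date) -> List[Tuple[str, str, str, Optional[int]]]:
    """Classify every row; breaches first so they top any report."""
    rows = [(a.host, a.package, *classify(a, today)) for a in inventory]
    order = {"breach": 0, "late": 1, "pending": 2, "unknown": 3, "ok": 4}
    return sorted(rows, key=lambda r: order[r[2]])


def summary(inventory: List[Asset], today: date) -> Counter:
    """Count rows per status; the "breach" figure is the number to report upward."""
    return Counter(status for _, _, status, _ in audit(inventory, today))


# Constructed sample inventory (hostnames, packages and dates are made up).
SAMPLE = [
    Asset("laptop-01", "openssl", "3.0.14", "3.0.14", date(2024, 6, 1), date(2024, 6, 10)),
    Asset("srv-db-01", "linux-kernel", "6.1.90", "6.1.94", date(2024, 6, 1), None),
    Asset("laptop-02", "browser", "125.0", "126.0", date(2024, 6, 25), None),
    Asset("srv-web-01", "nginx", "1.26.1", "1.26.1", date(2024, 5, 1), date(2024, 5, 30)),
    Asset("laptop-03", "office-suite", "16.85", "16.85", date(2024, 6, 3), None),
]

if __name__ == "__main__":
    today = date(2024, 6, 30)
    for host, pkg, status, lag in audit(SAMPLE, today):
        print(f"{status:8} {host:12} {pkg:14} lag={lag}")
    print(dict(summary(SAMPLE, today)))
```

The "late" status matters as much as "breach": a host that is patched today but took 29 days last time tells you the process, not just the current state, is outside the SLA, which is the number a board-level risk review needs.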
06

Network

Network & device firewalls

Zero-trust says assume breach — and you should. But the perimeter still exists, still gets probed, and still keeps out a vast amount of automated noise. Update it, configure it correctly, and get the basics right.

What good looks like

  • Network, server and device firewalls fully updated and correctly configured.
  • Default-deny posture: only the traffic you need, only between the places that need it.
  • Assume-breach thinking layered on top — not instead of — perimeter hygiene.
07

People

Staff training

Your people are the most targeted surface in the business. Training isn't about making everyone a security expert — it's about building a culture of healthy paranoia, so a suspicious email triggers a pause instead of a click.

What good looks like

  • Mandatory cybersecurity training for every employee, on joining and annually.
  • Regular phishing simulations — with coaching, not blame, for those who click.
  • A culture where reporting something weird is rewarded, not ignored.
08

Detect

Extended detection & response

Signature-based antivirus is a museum piece. Modern EDR/XDR tooling watches behaviour across devices, data, servers and communications — and can act on its own when something crosses a line, rather than waiting for a human.

What good looks like

  • Automated malware detection across every device, store, server and comms system.
  • Built-in automated remediation — kill processes, isolate hosts, revoke tokens.
  • A single pane of glass, not a stack of disconnected consoles.
09

Detect

24/7 log monitoring

Attackers don't keep office hours — they prefer the times you don't. Tooling alone generates noise; eyes on glass turn that noise into timely action. You need a human reading the signal at 3am, not a dashboard no one is watching.

What good looks like

  • Round-the-clock human monitoring of security telemetry.
  • Defined response SLAs — detection without action is not detection.
  • Every anomaly investigated thoroughly, not just acknowledged and closed.
10

Emerging

Controlled AI

Your staff are using AI whether you sanction it or not. The market is moving faster than any block-list can keep up with. The pragmatic answer is to give people an approved tool, so sensitive data stays inside a perimeter you can see.

What good looks like

  • Provide an authorised corporate AI tool — pre-empt shadow usage.
  • Enterprise-grade terms that exclude your data from training sets.
  • Acceptable-use guidance that treats AI as a tool, not a threat.
11

Respond

Incident management

A severe incident is a matter of when, not if. The time to think through your response is not at 2am on a Sunday with the press calling. Write the plan, identify the roles, and ideally rehearse it — so the first real incident isn't the first rehearsal.

What good looks like

  • A documented incident response plan with named roles and contacts.
  • Tabletop exercises so the plan is tested before it is needed.
  • Pre-agreed comms lines — legal, insurance, PR, regulator — on standby.
12

Recover

Ransomware-proof backups

Backups are only useful if attackers cannot reach them. The same goes for the much more common scenario — someone accidentally deleting something important. Immutable, tested, restorable: anything less is theatre.

What good looks like

  • Backups technically isolated from the primary environment — immutable or air-gapped.
  • Coverage of everything critical, not just the obvious file servers.
  • Restores tested regularly. An untested backup is a hope, not a control.

The value is in the gap analysis.

If they are honest with themselves, most companies won't have all twelve controls comprehensively implemented; indeed, many will have severe gaps. What separates the well-defended from the exposed is the work of identifying where the gaps are, rigorously closing them, and then establishing ongoing governance to keep them closed over time.

Get in touch

Let's talk about your business.

Whether you're looking for help fixing a particular issue, or structured ongoing support — tell us what's on your mind and we'll work out what makes sense.

PE & Startup experienced · AI-native.
Senior-level engagement from day one
No junior proxies or account management layers
