How Often Should UK Businesses Patch Their Software?

The 14-day window reflects the typical timeframe between a vulnerability being publicly disclosed and attackers weaponising it at scale. Once a patch is released, the vulnerability details become public knowledge, giving criminals a roadmap to exploit unpatched systems. Cyber Essentials certified organisations are 92% less likely to claim on cyber insurance (IASME), and meeting the 14-day patching requirement is a core reason for that reduced risk.

If a patch cannot be applied — for example, due to compatibility with line-of-business software — the system should be isolated from the network or placed behind additional compensating controls. Unsupported software that no longer receives patches must be removed from scope entirely. 43% of UK businesses experienced a breach or attack (DSIT 2025), and unpatched systems remain one of the most exploited entry points for attackers.

Automation is strongly recommended for operating system and standard application patches. Manual oversight should be retained for critical line-of-business applications where patches need testing before deployment. A managed IT provider can handle both — automating routine updates whilst scheduling tested rollouts for sensitive systems. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025), and automated enforcement of security controls, including patching, closes these gaps consistently.