Lock the Front Door: Patch your Apps

Application patching means applying software updates to close known security flaws in apps attackers target first—browsers, Office, email clients, PDF readers, and security products.

Henry Oliver

08 Sep 2025 — 6 min read

Application patching means applying software updates to close known security flaws in apps attackers target first—browsers, Office, email clients, PDF readers, and security products. Aim to patch within two weeks, and fast‑track to 48 hours when vendors mark vulnerabilities critical or exploits are circulating. Turn on auto‑updates, verify weekly that patches applied, remove unsupported apps, and subscribe to advisories. These steps map to the ACSC Essential Eight and can be started today with built‑in tools and minimal cost.[3][1][2]

Australian SME scenario (based on typical incidents)

A Brisbane property management agency (12 staff) postponed a Chrome and PDF reader update in May because “restart later” kept the team working; a phishing link then exploited a known browser flaw, leading to mailbox rules, invoice tampering, and $22,000 in misdirected rent before detection over 72 hours. The firm engaged an MSP, enabled forced browser/Office auto‑updates, removed the legacy PDF tool, and added a weekly 10‑minute patch check. Within 30 days, patch compliance exceeded 95%, and no repeat incidents occurred. This aligns with ACSC patterns where commonly targeted apps left unpatched are a frequent root cause.^[1]^[3]^[4]

Why patch applications

Attackers rapidly weaponise disclosed flaws—sometimes within 24–48 hours—so delayed updates materially increase breach risk. ^[3]
Essential Eight maturity guidance sets clear deadlines: commonly targeted apps patched within two weeks, or 48 hours when critical/exploited; other apps within a month at higher maturity. ^[7]^[2]
Verification matters: patches can fail or wait on reboots; add scanning or manual checks to confirm completion. ^[8]

Examples and workflows

Solo operator

Turn on auto‑updates for browser, Office, PDF reader, and endpoint security; set a weekly 5‑minute calendar reminder to check and reboot. ^[4]^[1]
When a vendor flags a critical fix, patch within 48 hours.^[2]^[3]
Quarterly, remove unsupported apps and extensions.^[8]^[1]

5‑person team

Nominate a “patch captain” to confirm updates every Monday and prompt restarts by EOD.^[8]^[4]
Keep a one‑page register: device, key apps, last update date, reboot status. ^[4]^[8]
Subscribe to ACSC/vendor advisories; trigger a 48‑hour fast‑track when critical alerts land. ^[5]^[3]

20‑person team

Standardise app list; use management tools (e.g., Microsoft 365/Intune or Google Admin) to deploy within two weeks, and critical within 48 hours.^[6]^[7]
Run weekly vulnerability scans and fortnightly asset discovery to catch missing patches and shadow apps. ^[6]^[8]
Remove end‑of‑support software; document any temporary exceptions with mitigations. ^[1]^[8]

Low tech basics

Turn on auto‑updates, and schedule a weekly reboot to finish installs.^[1]
Use a single page or spreadsheet to track device/app update status.^[4]
Subscribe to ACSC small business updates and vendor alerts for fast‑track decisions.^[5]

Top psychological barriers (with ACSC counter‑statistics)

Barrier	ACSC counter‑stat/fact	What it means
“Updates might break things.”	ACSC/ASD expects patches within two weeks or 48 hours when critical/exploited due to rapid weaponisation; exploitation risk outweighs rare breakage. ^[2]^[3]	Use update rings and prompt reboots to manage stability while meeting timelines. ^[7]
“Auto‑update is enough.”	ACSC warns patches can fail or await reboot; add scans/manual checks to verify. ^[8]	Trust but verify; a 5–10 minute weekly check closes the gap. ^[8]
“We’re too small to target.”	Essential Eight is a baseline for all orgs; ACSC issues SME‑specific guidance due to frequent small business impacts. ^[2]^[5]	Size doesn’t protect; simple routines cut risk fast. ^[5]

3 common mistakes with dollar/time consequences

Assuming auto‑update finished: pending reboots leave gaps; incidents can cost five figures and multi‑day recovery.^[3]^[8]
Keeping unsupported apps/plugins: legacy PDF or extensions widen attack surface; removal is free vs costly response.^[8]^[1]
Ignoring the 48‑hour window on critical flaws: known‑exploited issues drive credential theft and BEC losses.^[2]^[3]

Decision tree

STEP 1: Do you use browsers, Office/email, PDF readers, or security products? → YES: Go to Step 2A / NO: Go to Step 2B.^[2]^[1]
STEP 2A: Are auto‑updates enabled and verified monthly? → YES: Go to Step 3A / NO: Enable and verify, then Go to Step 3A.^[1]^[8]
STEP 3A: Do you fast‑track critical patches within 48 hours? → YES: Go to Step 4A / NO: Create a 48‑hour rule and alerting.^[3]^[2]
STEP 4A: Do you run a weekly check or scan to confirm patches applied/reboots done? → YES: Mature process / NO: Add a weekly 5–10 minute check.^[8]^[4]
STEP 2B: For other business apps, can you patch within one month and remove unsupported versions? → YES: Go to Step 3B / NO: Standardise and set Monthly Patch Day.^[7]^[8]
STEP 3B: Do you do fortnightly asset discovery to catch shadow apps? → YES: Mature process / NO: Add a device/app inventory cadence.^[6]^[8]

Actionable takeaways

5‑min health check (Yes/No)	Basic fix	If this, then that (troubleshooting)
Auto‑updates ON for browser/Office/PDF/security? ^[1]	Enable auto‑update and schedule a weekly reboot. ^[1]	If updates show “pending,” reboot today and confirm status after. ^[8]
Critical patches installed within 48 hours? ^[3]	Set a “critical = 48h” rule and shared alert channel. ^[3]	If no alerts, subscribe to ACSC and vendor advisories. ^[5]
Unsupported/legacy apps removed? ^[1]	Uninstall EoS apps; replace with supported versions. ^[1]	If unsure, run a quick inventory and check vendor support pages. ^[8]

Start today

Three 15‑minute actions

Turn on auto‑updates for key apps; reboot all devices to complete installs.^[1]^[8]
Create a weekly “Patch Monday” 10‑minute calendar reminder to verify updates and reboots.^[4]^[8]
Subscribe to ACSC small business updates and vendor bulletins for critical alerts.^[5]^[3]

90‑day timeline

Days 1–14: Enable auto‑updates, remove unsupported apps, and enforce a 48‑hour fast‑track for critical patches.^[3]^[1]
Days 15–45: Standardise the app list; add weekly verification, and fortnightly asset discovery or light scanning.^[6]^[8]
Days 46–90: Document the patch process, test a critical‑patch drill, and review against Essential Eight maturity goals.^[7]^[2]

Australian references to use

ACSC Patching Applications and Operating Systems: timeframes, risks, and scanning guidance. ^[3]^[8]
Essential Eight maturity model and Blueprint: definitions and maturity‑level timing, with “core applications” listed.^[7]^[2]
ACSC Small Business and Act Now. Stay Secure updates for step‑by‑step actions.^[5]^[4]

Quality check

A non‑technical business owner can enable auto‑updates, schedule reboots, set a weekly check, subscribe to alerts, and remove unsupported apps immediately, with a clear 48‑hour rule for critical patches—achieving meaningful progress within 48 hours and a stable routine within 90 days. ^[8]^[1]^[3]