
Why Most Australian Businesses Are One Patch Behind a Breach

Most successful cyber attacks exploit known, patchable vulnerabilities. Here is why patching keeps getting skipped — and what a proper zero-downtime programme looks like.

De4sec Technology  ·  March 2026  ·  5 min read

In the ACSC's annual cyber threat report, one finding appears year after year: the majority of successful cyber attacks on Australian businesses exploited vulnerabilities that had patches available. Not zero-day attacks. Not sophisticated state-sponsored intrusions. Known vulnerabilities with published fixes.

This means the question isn't whether Australian SMBs have vulnerabilities — they do. The question is whether those vulnerabilities are being closed in time. And for most businesses, the answer is no.

Why patches don't get applied

It's not that businesses don't know patching matters. It's that the way most businesses patch creates the very disruption they're trying to avoid:

✗ IT applies patches during business hours — staff machines restart mid-presentation
✗ A patch breaks a critical application — staff can't work, rollback takes hours
✗ Patches are applied inconsistently — some machines updated, others missed
✗ No one knows what's actually patched — no reporting, no visibility
✗ Remote workers' machines never get patched — no one's checking

The result: businesses delay patching to avoid disruption. The delay creates risk. A vulnerability stays open for weeks or months. When an incident happens, the patch that would have prevented it was available the whole time.

What zero-downtime patch management actually means

Proper patch management, using Microsoft Intune, eliminates the disruption problem entirely. Here is what it looks like in practice:

→ Staged ring deployment: patches deploy to a test group first, then broader rollout 48 hours later if no issues
→ Out-of-hours scheduling: all patches deploy between 10pm–4am or on weekends
→ Automatic rollback: if a patch causes a critical failure, Intune detects it and rolls back automatically
→ Remote workers covered: Intune patches devices over the internet regardless of location
→ Third-party app patching: browsers, Office apps, Adobe Reader and other common software included
→ Monthly compliance report: every device, every patch, compliance percentage — full visibility

The Essential Eight connection

Two of the eight Essential Eight controls relate directly to patching: Patch Applications and Patch Operating Systems. At ML1, patches must be applied within one month. At ML2, the requirement is 48 hours for internet-facing services and two weeks for everything else.

If your business is applying for cyber insurance, the insurer will ask about your patch management process. 'We do it when we can' is not an acceptable answer. A documented, automated patch management programme with compliance reporting is.

What you should know about your current patch status

Most businesses don't know their actual patch status. They assume devices are roughly up to date. When we run a first compliance report, the reality is usually different:

✗ 15–30% of devices are typically more than 30 days behind on OS patches
✗ 50–60% of devices have at least one third-party application more than 30 days out of date
✗ Remote worker devices are usually significantly further behind than office devices
✗ Some devices haven't been patched in 6+ months but no one has noticed

A baseline patch compliance assessment takes one day. If you don't know your current status, that's the right place to start.
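
A baseline report of the kind described above, scored against the patch windows quoted in the Essential Eight section, as an added example (not De4sec's or Microsoft's code). It reads a constructed device inventory whose column names are hypothetical rather than an Intune export schema, and it takes "one month" as 30 days.

```python
import csv
import io
from datetime import datetime, timedelta

# Patch windows as the article states them; "one month" is taken as 30 days (assumption).
WINDOWS = {
    "ML1": {"internet_facing": timedelta(days=30), "other": timedelta(days=30)},
    "ML2": {"internet_facing": timedelta(hours=48), "other": timedelta(days=14)},
}

# Constructed sample inventory; column names are hypothetical, not an Intune export schema.
# oldest_missing_patch = release time of the oldest patch still missing (blank = none missing).
SAMPLE_CSV = """device,location,internet_facing,oldest_missing_patch
web-gw-01,office,yes,2026-03-07T00:00
fin-lt-07,office,no,2026-02-27T00:00
sales-lt-12,remote,no,2026-01-20T00:00
ops-lt-03,remote,no,2025-08-15T00:00
hr-pc-02,office,no,
"""

def assess(csv_text, as_of):
    """Return one dict per device: patch age in days and compliance per level."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        missing = rec["oldest_missing_patch"].strip()
        age = as_of - datetime.fromisoformat(missing) if missing else timedelta(0)
        kind = "internet_facing" if rec["internet_facing"] == "yes" else "other"
        row = {"device": rec["device"], "location": rec["location"], "age_days": age.days}
        row.update({lvl: age <= w[kind] for lvl, w in WINDOWS.items()})
        rows.append(row)
    return rows

def compliance_pct(rows, level, location=None):
    """Percentage of devices (optionally one location) inside the level's window."""
    scope = [r for r in rows if location in (None, r["location"])]
    return round(100 * sum(r[level] for r in scope) / len(scope), 1) if scope else None

def stale(rows, days):
    """Devices whose oldest missing patch is more than `days` old, worst first."""
    hits = sorted((r for r in rows if r["age_days"] > days), key=lambda r: -r["age_days"])
    return [r["device"] for r in hits]

if __name__ == "__main__":
    report = assess(SAMPLE_CSV, as_of=datetime(2026, 3, 10))
    for level in WINDOWS:
        print(level, "overall:", compliance_pct(report, level),
              "remote:", compliance_pct(report, level, "remote"))
    print("over 30 days behind:", stale(report, 30))
    print("over 180 days behind:", stale(report, 180))
```

In the sample, the internet-facing gateway is three days behind: it passes the ML1 window but fails the 48-hour ML2 window, which is the gap a single "percent patched" figure hides.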
