This article is the first in an eight-part series examining the Australian Cyber Security Centre’s Essential Eight — a baseline set of mitigation strategies recommended for all Australian organisations.
Software is never finished. Every application in use across a business — web browsers, email clients, PDF readers, productivity suites — contains code written by humans, and human-written code contains flaws. Vendors discover these flaws, develop fixes, and release them as patches. The window between a patch being released and an attacker exploiting the underlying vulnerability is shrinking. In many cases, it is measured in hours.
Patching applications is the first of the ACSC’s Essential Eight mitigation strategies. It is also among the most consistently neglected.
What the Strategy Requires
The ACSC’s guidance is specific about both scope and timing. Applications considered critical — web browsers and their extensions, office productivity suites, email clients, PDF readers, and security tools — must be patched within defined timeframes based on risk exposure.
For internet-facing services, patches must be applied within two weeks of release, or within 48 hours if a working exploit is publicly known. For other frequently used applications, the outer limit is one month. Alongside patching, the ACSC requires regular vulnerability scanning — at least fortnightly at foundational maturity — to verify that the patch strategy is actually working and to identify gaps before attackers do.
Critically, unsupported or end-of-life software must be removed. An application that no longer receives vendor patches cannot be secured, regardless of how diligently everything else is managed.
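The timeframes above can be checked mechanically against an application inventory. The following is an added example, not part of the original article or of ACSC material; the record fields, the sample inventory and the reading of "one month" as 30 days are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows taken from the article; "one month" is approximated as 30 days (assumption).
INTERNET_FACING_DAYS = 14
EXPLOIT_KNOWN_DAYS = 2      # 48 hours, internet-facing services with a public exploit
OTHER_APP_DAYS = 30
SCAN_INTERVAL_DAYS = 14     # fortnightly vulnerability scanning

@dataclass
class AppRecord:                            # hypothetical inventory row
    name: str
    internet_facing: bool
    vendor_supported: bool
    missing_patch_released: Optional[date]  # oldest patch not yet applied; None if current
    exploit_public: bool = False

def deadline(app: AppRecord) -> Optional[date]:
    """Latest date the oldest missing patch may be applied, or None if nothing is missing."""
    if app.missing_patch_released is None:
        return None
    if app.internet_facing:
        days = EXPLOIT_KNOWN_DAYS if app.exploit_public else INTERNET_FACING_DAYS
    else:
        days = OTHER_APP_DAYS
    return app.missing_patch_released + timedelta(days=days)

def assess(app: AppRecord, today: date) -> str:
    if not app.vendor_supported:
        return "REMOVE"                     # end-of-life software must be removed, not patched
    due = deadline(app)
    if due is None:
        return "CURRENT"
    return "OVERDUE" if today > due else "PENDING"

def scan_is_stale(last_scan: date, today: date) -> bool:
    """True when the last vulnerability scan is older than the fortnightly interval."""
    return (today - last_scan).days > SCAN_INTERVAL_DAYS

# Constructed sample inventory, not real data.
TODAY = date(2024, 6, 20)
INVENTORY = [
    AppRecord("web-portal", True, True, date(2024, 6, 17), exploit_public=True),
    AppRecord("pdf-reader", False, True, date(2024, 6, 1)),
    AppRecord("legacy-mail-client", False, False, None),
    AppRecord("browser", True, True, None),
]

def report(inventory=INVENTORY, today=TODAY):
    return {app.name: assess(app, today) for app in inventory}
```

In practice the inventory rows would come from the vulnerability scanner rather than from what the patch management tool reports, so that the two can be compared.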
Why Unpatched Applications Are High-Value Targets
Attackers do not need to develop novel techniques when known, unpatched vulnerabilities are available. Exploit code for disclosed vulnerabilities is frequently published within days of a patch release — sometimes within hours. An organisation that patches monthly is routinely exposed for weeks at a time to vulnerabilities that are actively being exploited in the wild.
The 2017 Equifax breach — which exposed the personal data of 147 million people — resulted from an unpatched vulnerability in a web application framework. A patch had been available for two months before the breach occurred. The vulnerability was known, the fix existed, and it was not applied.
This pattern recurs across breach investigations with near-monotonous regularity. Unpatched applications are not an edge case in the threat landscape — they are the primary vector for a significant proportion of successful attacks.
The Operational Challenge for SMBs
For small and medium businesses, the challenge is rarely awareness; it is execution. Maintaining an accurate inventory of all installed applications, tracking vendor patch releases across multiple products, testing patches before deployment, and verifying that each patch installed successfully on every device is operationally demanding without dedicated tooling or personnel.
Automated patch management platforms address much of this overhead, and several are accessible at low cost within existing Microsoft 365 or endpoint management deployments. The more difficult element is vulnerability scanning — confirming that the patch state of the environment matches what patch management reports, and identifying applications that have been missed.
Businesses working with a cyber security partner, rather than a general IT provider, will typically find that patch management is treated as a security discipline rather than a maintenance task: it is driven by threat intelligence about actively exploited vulnerabilities rather than by a routine schedule.
Where This Fits in the Broader Picture
Patching applications does not prevent every attack. It eliminates a large category of avoidable ones — those that exploit known vulnerabilities in software that had available fixes. Combined with the remaining Essential Eight controls, it forms part of a layered posture in which each strategy compensates for the limitations of the others.
The ACSC recommends implementing all eight strategies at a consistent maturity level. An organisation that patches diligently but has no MFA, no application control, and no backups has addressed one vector while leaving several others open. The value of the Essential Eight lies in the combination.
This series continues with Essential Eight #2: Patch Operating Systems.
Further reading: ACSC Essential Eight, Luminol Cyber Hygiene Improvement