I can tell you that Patch Management is high on the list of every IT Auditor and does get checked quite often. Not patching your systems leaves them vulnerable to the prying eyes of attackers. Patching is required to be done, but it should also be tested before being pushed to production. The only mandatory patches you generally need to do are security patches, regardless of whether the system is only LAN or WAN accessible (although WAN needs to be prioritized).

Now you can say "hey, what's the risk? We haven't had any issues like that before!". Well, in some countries, if you have a breach which leaked personal information and it is shown that you did not take appropriate measures to secure your environment (patch management being one of them), your company can be held legally liable for the breach. In Europe from next year, the new data protection legislation will even make it so that your superiors who are in charge of making policies on how to store this personal information can be personally held liable for this.


In my experience zero-day threats will often still find a way through to infect a system if a user is not careful to avoid clicking on banner ads or zip files attached to spam emails etc.

Even with corporate firewalls, patch management and up-to-date antivirus installed, a lot of zero-day malware cuts through all of that like a hot knife through butter. Typically the most at risk are less computer-literate users who are too click-happy.

Nevertheless, patch management does reduce the attack surface to some extent and, as far as legal ramifications are concerned: taking steps to reduce the attack surface will help to protect your career and even you personally from legal liability if you happen to live in Europe.

As far as practical benefits are concerned, I don't actually think you will see a noticeable difference in terms of reduced virus infections if you use patch management. The biggest factors are your users and their browsing habits, combined with up-to-date antivirus with (hopefully) a relatively good detection rate.

At a corporate environment I worked at which spent $10K a year on Numara patch management, virus infections on their network of 200 computers were not uncommon (we had 10-20 serious malware infections a year).

At another location which I have been supporting in my free time for 5 years now (just 25 workstations), they have not had a single virus for 3+ years. All I have done was set Windows Update to install updates daily automatically, and installed Adblock Plus in all web browsers (IE allows the script to be used in lieu of the add-on). By preventing almost all banner ads (and other ads such as YouTube ads) I have been able to drastically reduce the attack surface used by a lot of today's malware, as well as improve the users' browsing experience. If you can take banner ads out of the equation, you don't give malware that relies on that as a vector to infect systems a fighting chance.

It seems to me as though there is too much focus on patch management (something which, on its own, can rarely be relied upon to stop malware anyway) and systems admins forget there are other highly effective ways to reduce the attack surface which don't cost a dime to implement.

It's all well and good doing something that reduces your chances of being sued, but you also need to remember that it should actually work as well.


As you apparently do have automatic updates enabled in your environment, the responses are nearly right. There would not be any gain in security unless the automatic update process is broken or you have packages which do not auto-update, are a potential security risk and would be covered by the patch management solution to be.

"Patch management" is not much of a security solution now that nearly every software package comes with an auto-update service. It is more about uptime and availability, as it supports the relevant QA workflow for your environment (e.g. publish patches to a lab environment first, to a small group of "beta" users second, and to everybody last). If you are not concerned by the prospect of a breakdown due to a bad system, program or virus definition update, and do not run software which has no working auto-update process, then a patch management solution is probably not your most urgent need.

Now, where you have a security-related problem is the 4/5 of your devices where users do have "full control" over the auto-update configuration. Not so much because they have the ability to disable automatic updates - if the computers are within a domain or covered by a NAP solution you could enforce re-activation easily - but because it means that the users probably are local administrators, which would massively widen attack surfaces and the possible impact of an attack. You should focus on changing that.
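The last answer raises two things worth checking on each workstation before buying anything: whether automatic updating is actually enforced by policy rather than left to the user, and whether ordinary users sit in the local Administrators group. The following PowerShell audit script is an added example, not code from any of the posters above. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or newer (where Get-LocalGroupMember exists), and it reads the standard Windows Update policy and per-machine registry keys; the list of "expected" Administrators members is a placeholder you would adapt to your own domain.

```powershell
# Added example (not from the thread): audit Windows Update enforcement and
# local Administrators membership on the machine it runs on.
# Assumptions: elevated session, PowerShell 5.1+, Windows 10 / Server 2016+.

$report = [ordered]@{}

# --- 1. Is automatic updating enforced by Group Policy or left to the user? ---
# Policy key wins over the per-machine key when present.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# AUOptions values: 2 = notify before download, 3 = auto download / notify to
# install, 4 = auto download and schedule install, 5 = let local admin choose.
$auMeaning = @{ 2 = 'notify only'; 3 = 'auto download, manual install';
                4 = 'auto download and scheduled install'; 5 = 'local admin chooses' }

$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.PSObject.Properties['NoAutoUpdate'] -and $policy.NoAutoUpdate -eq 1) {
    $report['AutoUpdate'] = 'DISABLED by policy (NoAutoUpdate=1)'
} elseif ($policy -and $policy.PSObject.Properties['AUOptions']) {
    $opt = [int]$policy.AUOptions
    $report['AutoUpdate'] = "enforced by policy: AUOptions=$opt ($($auMeaning[$opt]))"
} else {
    # No policy: setting is whatever the machine (or a local admin) chose.
    $local = Get-ItemProperty -Path $localKey -ErrorAction SilentlyContinue
    if ($local -and $local.PSObject.Properties['AUOptions']) {
        $opt = [int]$local.AUOptions
        $report['AutoUpdate'] = "NOT enforced (user-controllable): AUOptions=$opt ($($auMeaning[$opt]))"
    } else {
        $report['AutoUpdate'] = 'NOT enforced and no explicit setting found'
    }
}

# --- 2. Who is in the local Administrators group? ---
# Placeholder list of members you expect; adapt to your environment.
$expectedAdmins = @('Administrator', 'Domain Admins')

try {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    # Names come back as COMPUTER\name or DOMAIN\name; compare the short part.
    $unexpected = $members | Where-Object {
        ($_.Name -split '\\')[-1] -notin $expectedAdmins
    }
    $report['AdminGroupSize'] = $members.Count
    $report['UnexpectedAdmins'] = if ($unexpected) {
        ($unexpected | ForEach-Object { "$($_.Name) [$($_.ObjectClass)]" }) -join ', '
    } else { 'none' }
    # Broad groups here mean every user on the box is effectively an admin.
    $broad = $members | Where-Object { $_.Name -match 'Domain Users|Authenticated Users|Everyone' }
    if ($broad) { $report['Finding'] = 'Broad group nested in Administrators - all users are admins' }
} catch {
    $report['AdminGroup'] = "could not enumerate: $($_.Exception.Message)"
}

# Emit one object per machine so the output can be collected centrally.
[pscustomobject]$report | Format-List
```

Run it under a management account across the fleet (for example via Invoke-Command) and you get, per machine, whether update enforcement is in place and which accounts hold local admin rights; the machines that report "NOT enforced" together with unexpected admin members are the 4/5 the answer above tells you to fix first.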