Every week, dozens of vulnerabilities are discovered in software used by thousands of companies: Windows, VMware, firewalls, business applications. No one is spared. Patches are often available within a few days. And yet, in many small and medium-sized businesses in French-speaking Switzerland, those patches will never be applied. Not because of negligence, but because there are no rules about who applies them, when and how.
This is exactly what a patch management policy is designed to solve. This article takes the time to explain what that means in practice.

What we mean by patch management
A patch is a software fix. It can close a security hole, correct a bug, or improve system stability. Patch management is the process by which patches are identified, tested and deployed in a controlled manner across the entire IT estate.
Without a defined process, this is what happens in practice: the IT manager applies updates when he has time, some machines are forgotten, and nobody really knows which workstation is running which version.
During an audit at a notary’s office in Nyon, it was discovered that two servers had not received security updates for nineteen months. The person in charge sincerely believed that automatic updates were enabled. They weren’t.
What a patch management policy contains
A policy is a short, operational document. Not a 40-page booklet. It answers four questions.
Which systems are covered? Workstations, servers, network equipment, cloud applications, business phones. If it’s not listed, it’s not managed.
Who’s responsible? A name, not a department. In an SME, it’s often the external outsourcer or an internal IT referent. Ambiguity about who is responsible is the main reason why patches are not applied.
How soon? Critical patches, those that close actively exploited vulnerabilities, deserve a 24- to 72-hour deadline. Standard updates can wait for a monthly cycle. This distinction matters: treating everything the same means prioritizing nothing.
How do you validate before deploying? On standard workstations, we often deploy directly. On production servers, we test first in a separate environment, or deploy outside working hours with a rollback plan.
Why isn’t automatic updating enough?
This is the answer we hear most often: “We have automatic updates.” It’s reassuring. But it’s not enough.
Windows automatic updates do not cover third-party software, drivers, business applications or network devices. They can also be silently deactivated after a system incident, migration or third-party intervention. And they produce no reports: it’s impossible to know what’s been applied, what’s failed or what’s pending.
A patch management policy provides the centralized visibility that automatic updates do not. It’s the difference between “I think it’s up to date” and “I can show you the status of every machine this morning”.
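As an added example that is not Infologo’s tooling nor Action1’s, the following Python script applies the deadlines from the policy section above (72 hours for critical patches, a monthly cycle assumed here to be 30 days) to a small inventory of pending patches and produces the per-machine status a policy should be able to show at any moment. Hostnames, patch identifiers and dates are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Deadlines from the policy: critical within 72 hours, standard within the
# monthly cycle (assumed to be 30 days for this example).
DEADLINES = {"critical": timedelta(hours=72), "standard": timedelta(days=30)}


@dataclass
class PendingPatch:
    host: str
    group: str           # workstation / server / network, as in the policy
    patch_id: str        # constructed identifier, not a real advisory
    severity: str        # "critical" or "standard"
    released: datetime   # when the vendor published the fix


def status(patch: PendingPatch, now: datetime) -> str:
    """Return 'ok', 'due' (past half the deadline) or 'overdue' for one patch."""
    deadline = DEADLINES[patch.severity]
    age = now - patch.released
    if age > deadline:
        return "overdue"
    if age > deadline / 2:
        return "due"
    return "ok"


def compliance_report(patches, now):
    """Worst status per host, plus overdue patches with critical server fixes first."""
    rank = {"ok": 0, "due": 1, "overdue": 2}
    hosts, overdue = {}, []
    for p in patches:
        s = status(p, now)
        hosts[p.host] = max(hosts.get(p.host, "ok"), s, key=rank.get)
        if s == "overdue":
            overdue.append(p)
    overdue.sort(key=lambda p: (p.severity != "critical", p.group != "server", p.host))
    return hosts, overdue


# Constructed inventory: names and dates are invented for the demonstration.
NOW = datetime(2024, 3, 4, 8, 0)
SAMPLE = [
    PendingPatch("srv-files-01", "server", "KB-EXAMPLE-1", "critical", datetime(2024, 2, 28, 10, 0)),
    PendingPatch("srv-files-01", "server", "KB-EXAMPLE-2", "standard", datetime(2024, 2, 20)),
    PendingPatch("ws-acc-07", "workstation", "KB-EXAMPLE-3", "critical", datetime(2024, 3, 2, 12, 0)),
    PendingPatch("fw-edge", "network", "KB-EXAMPLE-4", "standard", datetime(2024, 1, 15)),
]

if __name__ == "__main__":
    hosts, overdue = compliance_report(SAMPLE, NOW)
    for host, st in sorted(hosts.items()):
        print(f"{host:14} {st}")
    for p in overdue:
        print(f"OVERDUE {p.host} {p.patch_id} ({p.severity}, released {p.released:%Y-%m-%d})")
```

Run against a real inventory export, the same logic answers the question in the policy section: which machines are outside their deadline, and which of those are servers or network devices with a critical fix pending.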
The direct link to cybersecurity
The majority of ransomware attacks exploit vulnerabilities that have been known and patched for several months. This is not an opinion: it’s what post-incident reports show year after year, including those from ANSSI, NCSC and OFCS. Attackers don’t look for the most complex systems to compromise. They look for those that haven’t done the minimum.
An SME that keeps its installed base up to date mechanically reduces its attack surface. It’s not an absolute guarantee, but it’s one of the most effective measures for the effort it requires.
What we recommend at Infologo
At Infologo, we see two recurring errors.
The first is not formalizing anything at all and relying on automatic processes. The second is wanting to patch everything immediately on all systems without a test phase, which creates service interruptions and fosters mistrust of updates.
The right approach for SMEs is pragmatic: an up-to-date inventory of the installed base, a simple classification (workstations / servers / network), deadlines defined according to criticality, and a supervision tool that centralizes the status of updates.
To support this process, we chose Action1 as our reference solution. This is the platform we deploy for our outsourcing customers. It enables us to supervise the entire installed base from a single console, plan deployments by machine group, manage third-party software in the same way as Windows, and generate compliance reports that can be consulted at any time. Critical patches are processed within 48 hours, with no intervention required on the customer’s side.
What convinced us about Action1 was the console’s readability and the granularity of control: you can decide machine by machine, or by group, with configurable deployment windows so that you never intervene during production hours without having planned it.
It’s not the only solution on the market, but it’s the one that best matches the real constraints of the SMEs we support: rapid deployment, no heavy infrastructure, and remote control.
If you don’t know exactly what condition your fleet is in today, contact us for a no-obligation audit.
