Most small-business breaches start the same way: a known vulnerability, a patch that has been available for weeks, and no one tasked with installing it. Patching is rarely glamorous and rarely scheduled, which is why it slips.
You do not need enterprise tooling to stay current. You need a predictable rhythm and a single owner.
TL;DR
Pick a recurring monthly window, patch in a fixed order (servers and network gear, then workstations, then third-party apps), verify with a short checklist, and document what you skipped and why. That captures most of what enterprise patch management actually delivers.
Why patching falls off
The pattern is consistent. Updates appear at inconvenient times, someone defers them, and a quarter passes. When something does break, the fix is often a patch that was published months earlier.
The root causes are usually the same: no named owner, mid-day interruptions that users dismiss, and network gear and printers that are quietly forgotten because they appear to be working. Without a record of what was patched, the next time the question comes up, the answer is a guess.
A simple monthly rhythm
Patch Tuesday — the second Tuesday of the month — is when Microsoft and several other major vendors publish updates. Use it as your anchor and keep the same window each month so it lives on the calendar without negotiation.
A workable cadence: apply server, firewall, and network updates after hours on the second Wednesday; push workstation updates and reboots at end-of-day on the second Thursday; review third-party apps — browsers, PDF readers, accounting software, line-of-business tools — the following Monday morning.
What to actually patch
Workstation operating systems are the obvious target, but they are rarely where compromises begin. Build a short, durable list and stick to it.
The essentials: Windows and macOS (including drivers on travel laptops); Microsoft 365, browsers, Adobe Reader, Zoom, and Teams; servers, virtual machines, and the hypervisor; firewalls, switches, access points, and the office router; backup software and any backup appliance; and your line-of-business apps — accounting, scheduling, donor or member databases, point-of-sale.
Verify, do not assume
The most common patching failure is silent: the update downloaded, the reboot never happened, and no one noticed for months. A short verification step at the end of each cycle catches most of it.
Spot-check a handful of machines and confirm the build number changed. Open the firewall admin page and confirm the new firmware version. Run a backup test the same week to catch any update that broke a backup agent. Record anything you skipped on purpose, with a date to revisit.
When a patch breaks something
It happens. A printer driver update breaks printing. A firewall firmware update breaks the VPN client. The answer is not to stop patching; it is to stage. Designate a small pilot group whose machines update a few days ahead of everyone else, and you will catch most regressions before they spread.
Emergencies are different
The monthly rhythm covers routine updates. Out-of-band advisories — and 2026 has produced plenty for firewalls, RMM platforms, and common business apps — do not wait for next month.
The rule we use: critical, internet-exposed, and actively exploited gets patched the same day; critical and internet-exposed but not yet exploited, within 48 hours; high-severity but internal-only, in the next monthly window. If you do not know which of your systems are internet-exposed, that inventory is the first thing to settle.
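To make the monthly cadence and the out-of-band rule concrete, here is an added Python helper (example code, not from the original post) that derives each asset class's slot from Patch Tuesday and assigns a due date to an advisory. The asset-class offsets and the fallback that sends any advisory not covered by the three stated rules to the next monthly window are assumptions.

```python
# Added example: monthly patch-window and out-of-band due-date helper.
# Assumptions: Patch Tuesday is the second Tuesday; servers and network gear
# go the next day, workstations two days later, third-party apps the following
# Monday; any advisory the three stated rules do not cover falls back to the
# next monthly window for its asset class.
from datetime import date, timedelta

# Days after Patch Tuesday for each asset class (assumed mapping of the cadence).
WINDOW_OFFSETS = {"server": 1, "network": 1, "workstation": 2, "third_party": 6}


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month (date.weekday(): Monday=0, Tuesday=1)."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def monthly_windows(year: int, month: int) -> dict:
    """All scheduled slots for one month, keyed by asset class."""
    anchor = patch_tuesday(year, month)
    return {cls: anchor + timedelta(days=off) for cls, off in WINDOW_OFFSETS.items()}


def next_window(asset_class: str, today: date) -> date:
    """First scheduled slot for the asset class on or after today."""
    year, month = today.year, today.month
    while True:
        slot = monthly_windows(year, month)[asset_class]
        if slot >= today:
            return slot
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def due_date(severity: str, internet_exposed: bool, actively_exploited: bool,
             asset_class: str, today: date):
    """Apply the out-of-band rule; returns (label, date)."""
    if severity == "critical" and internet_exposed and actively_exploited:
        return "same day", today
    if severity == "critical" and internet_exposed:
        return "within 48 hours", today + timedelta(days=2)
    # High-severity internal-only per the rule; anything else is assumed to
    # take the same monthly path.
    return "next monthly window", next_window(asset_class, today)


if __name__ == "__main__":
    for cls, when in monthly_windows(2026, 3).items():
        print(f"{cls:12} {when:%a %Y-%m-%d}")
    print(due_date("high", False, False, "network", date(2026, 3, 20)))
```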
Make it routine on purpose
Patching should be the least interesting hour of the month: a fixed window, a named owner, a short checklist, a written record. Run it that way and it stops being a project and becomes a habit.
If you would like a second set of eyes on your current cadence, that is a normal part of our free 30-minute IT review.