Patch Management for Indian SMBs: Fix Vulnerabilities Fast

Patch management is the process of identifying, prioritizing, testing, and deploying software updates to fix known security vulnerabilities. For Indian SMBs, unpatched software is the single most preventable breach vector: attackers routinely scan the internet for systems running vulnerable versions and exploit them within days of a public CVE disclosure. A structured patch management program — even a lightweight one — dramatically reduces your attack surface, supports compliance under India's IT Act and the DPDP Act 2023, and keeps your business running.

$4.88MGlobal average cost of a data breach (IBM Cost of a Data Breach 2024)

80%+Share of CISA KEV entries that had a vendor patch available before exploitation began (CISA 2024)

Why Unpatched Software Keeps Breaching Indian Businesses

Every CVE represents a documented weakness with a known fix. Once published, security researchers, defenders, and attackers all have the same information. The race begins: can you patch faster than an attacker can weaponize the finding?

For most Indian SMBs, the answer has historically been no — no dedicated IT staff, fear of breaking production systems, unclear patch ownership, or the assumption that "we're too small to be targeted." None of these hold up against automated exploitation infrastructure that scans millions of IP addresses daily.

The CISA Known Exploited Vulnerabilities catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) tracks CVEs actively exploited in the wild. Its entries include software in every Indian office: Windows, Apache, Cisco, VMware. These are not edge cases.

🚨

DANGER

"We're too small to be a target" is the most dangerous assumption in SMB security. Automated exploit kits do not select targets by size — they scan for vulnerable versions and attack anything that responds. An unpatched public-facing server is a target regardless of your company's revenue or headcount.

The Patch Management Lifecycle

A repeatable patch management process removes the guesswork. Here is the end-to-end lifecycle every Indian SMB should implement, scaled to available resources.

graph TD
    A[CVE Published / Vendor Advisory] --> B[Inventory Check
Is affected software in environment?]
    B -->|No| C[Log and Close
Document decision]
    B -->|Yes| D[Assess Severity
CVSS Score + EPSS + KEV Status]
    D --> E{SLA Decision
Critical High Medium Low}
    E -->|Critical - 24h| F[Emergency Patch
Deploy to prod directly]
    E -->|High - 7 days| G[Test in Staging
Deploy within SLA]
    E -->|Medium - 30 days| G
    E -->|Low - 90 days| H[Schedule Next Maintenance Window]
    F --> I[Verify Patch Applied
Rescan or version check]
    G --> I
    H --> G
    I -->|Pass| J[Close Ticket
Update CMDB]
    I -->|Fail| K[Escalate
Apply Workaround or Mitigation]
    K --> G

    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style E fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style F fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style G fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style H fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style I fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style J fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style K fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0

Step 1: Maintain a Software Inventory

You cannot patch what you do not know exists. A current asset inventory — servers, endpoints, network devices, cloud instances, SaaS integrations — is the non-negotiable foundation. For most SMBs, a spreadsheet updated monthly is enough to start; graduate to a CMDB as you grow.

Track: software name, version, vendor, end-of-life (EOL) date, internet-exposed (yes/no), and the responsible owner.

Step 2: Prioritize Using CVSS, EPSS, and KEV Status

Not all CVEs are equal. CVSS scores from NIST (https://nvd.nist.gov/) rate technical severity from 0 to 10. But a CVSS 9.8 in software you do not run is irrelevant, while a CVSS 6.5 in your internet-facing payment gateway may be your top actual risk.

Two additional signals sharpen prioritization:

EPSS (Exploit Prediction Scoring System): Published by FIRST (https://www.first.org/epss/), EPSS estimates the probability a CVE will be exploited within 30 days. EPSS 0.92 means act immediately; EPSS 0.01 can wait for the next maintenance window.

CISA KEV Status: A CVE in the CISA KEV catalog means real attackers are exploiting it now. This overrides all other signals — treat any KEV entry as an emergency regardless of CVSS score.

💡

TIP

Before your next patch cycle, cross-reference your software inventory against the CISA KEV list. It takes under an hour and immediately identifies your most urgent exposure. The list is public, free, and updated frequently at https://www.cisa.gov/known-exploited-vulnerabilities-catalog.

Step 3: Define and Enforce Patch SLAs

A patch SLA (Service Level Agreement) is a commitment: "we will apply patches of this severity within this many days." Without a written SLA, patches drift indefinitely. With one, you have a measurable standard and an audit trail for compliance conversations.

Severity	CVSS Range	EPSS / KEV Trigger	Patch SLA	Action
Critical	9.0–10.0	KEV listed or EPSS > 0.8	24 hours	Emergency deployment, may skip full staging cycle
High	7.0–8.9	EPSS > 0.3	7 days	Test in staging, deploy within SLA
Medium	4.0–6.9	Standard queue	30 days	Next scheduled maintenance window
Low	0.1–3.9	Low EPSS	90 days	Bundle with quarterly updates
Informational	—	—	Best effort	Document, review quarterly

These SLAs align with NIST SP 800-40. Adapt the numbers to your risk tolerance — fintechs handling payment data should tighten each SLA by at least half.

xychart-beta
    title "Patch SLA Targets by Severity (Days)"
    x-axis ["Critical", "High", "Medium", "Low"]
    y-axis "Days to Patch" 0 --> 100
    bar [1, 7, 30, 90]

Step 4: Test Before Deploying to Production

For Critical/emergency patches, the risk of NOT patching exceeds the risk of skipping the test cycle. For everything else, a staging environment is worth the effort. Testing catches:

Patches that break application dependencies
Vendor patches that introduce new bugs
Configuration drift that amplifies the patch's footprint

If a dedicated staging environment is not feasible, test on a single non-critical host first and roll forward to the fleet only after confirming stability.

Step 5: Deploy and Verify

Deployment without verification is checkbox compliance theater. Actively confirm the patched version is running — re-run your vulnerability scanner, check the installed version via CLI, or use endpoint telemetry. For any Critical or High patch, verification is mandatory before closing the ticket.

⚠️

WARNING

A failed silent patch deployment — where the patch appeared to apply but the vulnerable version persists due to a service restart being missed — is a known failure mode. Always verify version post-patch, especially for web application servers and database engines that require a full restart to load updated binaries.

Handling Legacy and EOL Systems

End-of-life (EOL) software — older Windows Server versions, outdated PHP, aging CMS installations — is common in Indian SMBs that built infrastructure years ago and have not had budget to modernize. EOL systems cannot be patched because vendors no longer release security updates.

For EOL systems:

Document them explicitly as EOL with risk accepted in writing.
Isolate them from internet exposure using network segmentation.
Apply compensating controls: WAF, host-based intrusion detection, enhanced logging.
Plan and fund migration — treating EOL as permanent converts manageable debt into a breach waiting to happen.

🛡️

SECURITY

Any EOL system with direct internet exposure is a critical risk regardless of compensating controls. Network segmentation reduces blast radius — it does not fix the absence of security patches. Budget for migration, not just mitigation.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

CVE Patching and CERT-In Compliance for Indian SMBs

India's CERT-In (Computer Emergency Response Team — India) issues advisories on actively exploited vulnerabilities affecting commonly used products. These advisories are publicly available and represent an authoritative signal for Indian organizations about which CVEs carry the highest domestic risk.

Beyond advisories, Indian SMBs handling personal data are subject to the DPDP Act 2023. The obligation to implement "reasonable security safeguards" is active — timely patching is universally recognized as a baseline control. Falling behind on known, patchable CVEs is difficult to defend if a breach triggers enforcement. The IT Act 2000 similarly holds organizations liable for inadequate security practices.

A free VAPT scan gives you a structured starting point: a current view of which CVEs affect your internet-facing assets, prioritized by severity.

Building a Lightweight Patch Program for Resource-Constrained SMBs

Most Indian SMBs do not have a dedicated security team. The program below is designed for a single person managing IT for a 10–200 person organization.

Weekly (30 minutes):

Review CISA KEV additions from the past week
Check CERT-In advisories at cert-in.org.in
Cross-reference against your software inventory
Patch or schedule any Critical/High findings

Monthly (2–3 hours):

Run a vulnerability scan against internet-facing assets
Apply all Medium-severity patches
Update your asset inventory for any new software introduced
Document any patches deferred and the business reason

Quarterly (half-day):

Review Low-severity and informational findings
Audit EOL software status and migration progress
Update patch SLA policy if risk posture has changed
Produce a brief patch compliance report for management

This cadence does not require specialized tooling to start. A well-maintained spreadsheet, free scanners (OpenVAS/Greenbone, Nessus Essentials for up to 16 IPs), and CISA/CERT-In as reference feeds can cover most SMB environments. Wazuh provides open-source SIEM with CVE correlation for teams ready to step up.

Bachao.AI, built by Dhisattva AI Pvt Ltd, automates the vulnerability discovery layer — running continuous scans against your internet-facing assets and mapping findings to CVSS scores and remediation guidance, so your team spends time patching rather than manually tracking exposures. Browse the Bachao.AI blog for more guides on building security programs for Indian organizations.

The Cost of Inaction

Deferring patches is not a neutral decision — it is an active choice to accept increasing risk. The longer a known vulnerability goes unpatched, the more likely it is that exploit code becomes publicly available, enters commodity attack kits, and is used against your system before you act.

The IBM Cost of a Data Breach 2024 report put the global average breach cost at $4.88 million. Indian SMBs face lower absolute numbers but proportionally devastating impacts: lost contracts, regulatory exposure under the DPDP Act, and the reputational damage of a public breach far outweigh the cost of a patch management program.

Time-to-patch is measurable, and regulators, insurers, and enterprise customers increasingly ask for it. A documented patch program is among the highest-ROI security investments available.

🎯Key Takeaway

Patch management is not optional infrastructure hygiene — it is your primary defense against the most common breach vector. An SMB that maintains a current asset inventory, prioritizes CVEs using CVSS + EPSS + CISA KEV status, and enforces written patch SLAs eliminates the majority of its preventable risk exposure. Start with Critical and High findings on internet-facing systems this week. The tools are free. The risk of inaction is not.

Frequently Asked Questions

What is patch management and why does it matter for SMBs?

Patch management is the process of identifying CVEs, prioritizing them by severity and exploitability, testing fixes, and deploying them within defined time windows. It matters because unpatched software is the most common breach entry point — automated scanners find and exploit known vulnerabilities in hours, not days.

How do I prioritize which patches to apply first?

Use three signals together: CVSS score (technical severity from NIST), EPSS score (probability of exploitation from FIRST at https://www.first.org/epss/), and KEV status (whether CISA has confirmed active exploitation at https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Any KEV-listed vulnerability is an emergency regardless of CVSS. High EPSS with a CVSS above 7.0 comes next. This approach ensures you address actual risk rather than theoretical severity.

What patch SLA should Indian SMBs follow?

A practical baseline: Critical vulnerabilities within 24 hours, High within 7 days, Medium within 30 days, and Low within 90 days. These align with NIST SP 800-40 guidance. Organizations handling payment data, health records, or operating under SEBI/RBI oversight should tighten these SLAs given their regulatory exposure under the IT Act and DPDP Act 2023.

How does patch management relate to CERT-In compliance in India?

CERT-In issues advisories on actively exploited CVEs. Failing to patch known vulnerabilities — especially CERT-In-highlighted ones — weakens your position under the IT Act 2000 and the DPDP Act 2023's "reasonable security safeguards" obligation. A documented patch program is your primary evidence of due diligence.

What should I do about software that is end-of-life and cannot be patched?

Document EOL systems in your asset inventory, isolate them from internet exposure, apply compensating controls (WAF, IDS, enhanced logging), and fund a migration plan. Treating isolation as a permanent substitute for patching is not defensible under the IT Act or DPDP Act if a breach occurs.

How does EPSS differ from CVSS, and which should I trust more?

CVSS measures the technical characteristics of a vulnerability — how severe it could be if exploited. EPSS measures the real-world probability that it will be exploited within 30 days based on threat intelligence. Neither is superior alone: a Critical CVSS with low EPSS may sit safely in your 30-day queue, while a Medium CVSS with high EPSS needs immediate action. Use both together for accurate prioritization.

Patch Management for Indian SMBs: Fix Vulnerabilities Fast

Get cybersecurity insights for Indian SMBs

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.