Patches fix holes in the vendor’s software and keep hackers from being able to walk through the back door of your system. Applying patches is important. Security vendors want you to apply the patch immediately in case the hackers are pounding on your door right now. Every minute you wait is a minute of exposure.

But most of us don’t apply the patches immediately. It takes your IT shop a few days of testing to make sure the patch won’t break something else and to tweak the network so everything runs properly again. With so many companies ignoring the vendors, why haven’t we had a catastrophic zero-day attack yet?

The truth is that most responsible IT departments use a layered approach to security. They have tools and policies that will generally keep out the malicious software for long enough for IT to complete the tests and apply the patches in an orderly fashion.

So who does get hacked? According to a recent Verizon report, nine out of ten data breaches could have been prevented if the company had taken reasonable security measures, most often applying patches that had been available for years. As Brenner points out, why should a hacker bother to write a complicated new virus to exploit the latest hole when you can still make money walking through holes that should have been patched four years ago?

If you have a solid approach to computer security, you can take the time to test the latest patches properly. On the other hand, if you don’t have a dedicated IT team, you probably also don’t have the staff to conduct the testing so you should set the patches to automatically update themselves.

Of course, if you’re not guarding your infrastructure with the basics (strong passwords, current anti-virus and anti-spyware, firewalls, up-to-date on patches even if not up-to-the-minute, etc.), you need to start now.