NCSC’s guide: Update is key – don’t get caught off guard

The National Cyber Security Centre (NCSC) has issued guidance on vulnerability management, emphasising the importance of updating software by default. The guidance recommends that organisations have a policy in place to apply software updates as soon as possible, ideally automatically. The NCSC advises organisations to test updates on their own systems and consider phased rollouts. It also suggests that internet-facing services and software should be updated within five days, while operating system and application updates should be completed within a week. The NCSC stresses the need for asset discovery and management, configuration audits, regular vulnerability assessments, and scanning as part of a company’s security practices. While the agency encourages organisations to update by default, it acknowledges that there may be situations where updates are not feasible or necessary, such as when a system is about to be decommissioned or compatibility issues arise. Ultimately, the NCSC emphasises that the business should own the risk and decision-making process surrounding software updates, rather than relying solely on the security team.