Diagram of the security sequence: Patch, Protect, Repeat.

Why security patching matters

6 October 2025 Olivier Reuland

Working at Effect, we're committed to maintaining the highest standards of cybersecurity and we understand the critical importance of security patching.

The Verizon 2025 Data Breach Investigations Report (DBIR) reveals a significant shift in attack vectors, stating, "In a shift, vulnerability exploitation overtook phishing as the second most common initial access method in breaches. According to the report, 20% of breaches began with vulnerability exploitation, marking a 34% increase over the previous year."

In the latest OWASP Top 10 ranking, “Vulnerable and Outdated Components” climbed to 6th place. The 2025 version comes out in November, and we believe it will still be in the top 10 this year.

These vulnerabilities can exist in different places:

  • Our developers’ devices: The workstations they use to access our client code or production environment.

  • Custom code: The bespoke applications and websites we create and manage for our clients.

  • Third-party dependencies: Libraries, frameworks, and packages we rely on, such as Umbraco, as well as .NET and JavaScript libraries.

  • Hosting infrastructure: The backend infrastructure that powers our client websites and applications.

When left unaddressed, these vulnerabilities create potential entry points for cyberattacks, data breaches, and service disruptions. The consequences can be severe: compromised customer data, financial losses, and damaged reputation.

So, at Effect, we take a proactive approach to security patching across our devices, hosting environments, codebases, and third-party dependencies. And we make it our mission to ensure that our clients' digital infrastructures are strengthened against such threats. By implementing security patching protocols, we help safeguard our clients against potential breaches that could lead to significant financial and reputational damage.

Our approach

Workstation monitoring

We continuously monitor our workstations’ OS and applications for vulnerabilities. The key elements are the OS, Office suite, browsers, and developer tools. While all our workstations have malware protection in place and our emails have phishing protection, we can’t be too careful.

Patching: We apply these patches monthly, or more quickly if anything is urgent.

Vulnerability Scanning

We use tools to continuously monitor our code, dependencies, and sites for vulnerabilities (SAST, DAST, SCA, if you want some letters). We use a combination of Microsoft and 3rd-party tools for this. These tools allow us to identify vulnerabilities before they can be exploited, maintaining an accurate inventory of all software components and their security status.

Patching: We automatically raise tickets with our teams to triage and prioritise patching according to severity.

Cloud security posture management

Our cloud infrastructure is mostly “serverless”, so there isn’t much to patch, or at least our cloud providers are doing this for us. That is not to say we do nothing: we run regular automated scans of our infrastructure to assess it against our security standards (more letters: CSPM).

Patching: Our teams monitor alerts, review reports, and improve our cloud security posture accordingly.

Our Commitment to Security

Security is not a one-time effort but a continuous process. Our security patching approach follows these key principles:

  • Proactive identification: We actively monitor for new vulnerabilities rather than waiting for exploits

  • Timely remediation: Critical vulnerabilities are addressed promptly according to defined timelines

  • Thorough testing: Updates are extensively tested before deployment to prevent disruption

  • Transparent communication: We keep clients informed about security updates and their importance

We continuously improve our security measures through regular review of our processes, staff training on the latest security threats, and participation in security communities to stay ahead of emerging risks.

By maintaining this vigilant approach to security patching, we help ensure that our clients' sites remain operational and their data protected, providing peace of mind and allowing them to focus on what they do best. At Effect, we prioritise your security, so you can prioritise your business.
