What Business Owners Must Know About Patch and Vulnerability Management
There's a conversation happening right now in IT companies across the country — and it's not about your security. It's about the flood of support tickets, client calls, and fires that need to be put out before lunch. Your patch management? It's sitting in the queue. Again.
In Episode 82 of UnHacked, Phoenix IT Advisors CEO Justin Shelley flies solo for the first time in six years of podcasting (broken leg and all) to tackle one of the most critical — and most neglected — areas of business cybersecurity: patching and vulnerability management.
If you've ever told yourself, "We have an IT company, we're covered" — this episode is specifically for you.
The Scale of the Problem Is Staggering
Most business owners have no idea how many new cybersecurity vulnerabilities are discovered and published every single day. The answer is more than 130. Every. Single. Day.
In 2025 alone, nearly 50,000 new vulnerabilities were identified and added to the CVE list (Common Vulnerabilities and Exposures), a publicly maintained catalog of known security weaknesses in software from vendors like Microsoft, Adobe, and hundreds of others. The total list now stands at over 326,000 entries, and it's not slowing down. Thanks to AI tools that help bad actors scan for weaknesses faster than ever before, the threat landscape is growing exponentially.
This isn't a niche IT problem. This is your problem — because every unpatched vulnerability in your business's software, operating systems, browsers, or firewall is an open door.
So What Is Patching, Exactly?
A vulnerability is simply an exposure — a weakness in software that could allow an attacker to get in. A patch is the fix that the software developer releases to close that hole. Patch management is the process of identifying, prioritizing, applying, and verifying those fixes across every device and system in your business.
And a zero-day vulnerability? That's the scariest kind — one that the bad guys already know about, but that the developers haven't fixed yet. There's no patch available. There's no defense other than vigilance and having the right systems in place.
The math is simple and sobering: 130+ new vulnerabilities per day means your IT team needs to be triaging, applying, and verifying 130+ fixes — every single day — just to keep pace.
Why Your IT Company Is Probably Falling Behind (And Why It's Not Entirely Their Fault)
Here's the part of the episode that every business owner needs to hear — and that very few IT companies will ever admit publicly.
Justin calls it the reactive spiral of death.
Your IT company wakes up every morning to a backlog of support tickets, client emergencies, and urgent requests. They're reactive by nature because the entire structure of most IT service businesses rewards firefighting over proactive work. Patch management — reviewing what's new, prioritizing what's critical, applying fixes, verifying reboots, and auditing the results — requires dedicated time, documented processes, and accountability. In the chaos of a busy MSP, that structured time almost never exists.
The result? When Justin's team runs a security assessment on a new client, patching failures are the first thing they see. Every time. Not buried in the data — jumping off the page.
This isn't a condemnation of every IT company. It's a structural problem that affects most of them. The question is whether yours has built the processes to overcome it.
The Obstacles That Make Patching Even Harder
Even when an IT team is trying to stay on top of patching, several obstacles make it genuinely difficult:
- The Reboot Problem: Many critical patches require a full system reboot to take effect. But rebooting a user's computer in the middle of their workday is disruptive — and most users, given the option, will defer it indefinitely. Justin's team has had to remove the user's ability to decline reboots, schedule them overnight, and hope that employees didn't shut their machines off before leaving. It sounds simple. It isn't.
- Patches That Break Things: Sometimes a patch fixes one problem and creates another. A server patch applied overnight could mean employees can't access their files in the morning. IT teams have to understand what each patch does, what it might affect, and sequence the rollout carefully — all while managing 130+ new items per day.
- Legacy Systems: If your business is running Windows 10 (officially end-of-life), outdated versions of Microsoft Office, or specialty software that hasn't been updated in years, you may have systems that cannot be fully patched — no matter how attentive your IT team is. This is particularly common in manufacturing and healthcare. Unpatched legacy systems are among the most common entry points for ransomware and data breaches.
- Blind Spots: Windows updates are just the beginning. Browsers, Microsoft Office, third-party applications, and firewall firmware all require separate patching — and they're frequently ignored. Justin describes seeing firewalls actively throwing out security alerts about needed firmware updates, with nobody paying attention. These aren't exotic edge cases. They're happening in businesses like yours right now.
A Story That Changes Everything
Justin shares the experience that fundamentally shifted his perspective — from being a general IT repair technician to becoming a cybersecurity-focused advisor.
A client of his was breached. The attack vector? An outdated, unpatched version of Microsoft Office. The business was down for three weeks. It nearly destroyed the company. The client relationship ended. And even though the client had refused to update their software despite Justin's recommendations, the breach still reflected on him as their IT provider.
That story is a reminder that the stakes here are not abstract. A single unpatched vulnerability, in a piece of software that has been sitting on someone's computer for years, can be the beginning of a catastrophic business event.
What You Should Do Right Now: Two Questions That Could Save Your Business
You don't need to understand every technical detail in this episode to act on it. Justin gives business owners a clear, practical framework — and it comes down to two questions you need to ask your IT company.
Before you ask them, you need to commit to actually having this meeting. Justin hears constantly from peers in the industry that the number one complaint MSPs have about their clients is that business owners simply won't meet with them. A quarterly business review — a QBR — is standard practice at responsible IT firms. If you've been skipping it, that stops now.
When you sit down with your IT team, say this:
"I know there are 130+ new vulnerabilities identified every day. Show me your process for protecting my company."
Then stop talking. Listen. If they can't describe a clear, documented process — that's your answer.
If they can show you the process, follow up with:
"Show me the vulnerability and patching reports from my company."
You shouldn't expect perfection. Nobody patches 130 vulnerabilities per day in real time. But you should see a high percentage completion rate, documented timelines, and evidence that the process they described is actually being followed.
If they can't produce that? You now know something critically important — and you know it before you suffer a breach instead of after.
The Bottom Line: Trust, But Verify
The most dangerous position a business owner can be in isn't being uninformed about cybersecurity. It's being falsely confident that someone else is handling it.
Writing a check to an IT company is not a cybersecurity strategy. It is the beginning of one — and only if you stay engaged, ask hard questions, and hold your team accountable to a documented, verifiable process.
The good news? Justin has laid out exactly what that looks like in this episode. In less than 30 minutes, you'll walk away with the vocabulary, the context, and the two questions you need to start protecting yourself immediately.
🎯 Ready to Find Out What's Actually Happening in Your Business?
Phoenix IT Advisors offers a free cybersecurity risk assessment for businesses of all sizes — and it doesn't matter where you're located. Justin and his team conduct these remotely and will give you an honest, thorough picture of where you stand.
If your current IT company is doing everything right, you'll have confirmation and peace of mind. If they're not — you'll know before a breach forces you to find out the hard way.
👉 Schedule your free assessment at unhackmybusiness.com
Download the show notes, watch the full video, or simply fill out the form and someone from the team will reach out. No hard sell. No obligation. Just the truth about your security posture — delivered by people who do this every day.
Episode 82 | Cybersecurity Basics Series — Part 8 of 12
Topics: Patch Management, Vulnerability Management, CVE, Zero-Day Exploits, MSP Accountability, Legacy Systems, Endpoint Security
