On Wednesday morning, the operations manager sent a short email to the IT provider. Just one line. "Are we up to date after yesterday's Microsoft patches?"
The reply came back within the hour. Yes. Everything applied overnight. All green.
The email thread closed. The team got on with its week.
Somewhere on the network, a laptop was showing a green tick in its security dashboard. The icon was telling the truth as it understood it. The problem was that the truth had changed that morning, and nobody in the building knew yet.
What actually happened on 14 April
Patch Tuesday is Microsoft's monthly release of security fixes. Every second Tuesday, Microsoft ships a bundle of patches for flaws that have been found in its software. Most months, the list is long but routine.
April was not a routine month.
Microsoft fixed 165 separate vulnerabilities in one release. That is the second-largest Patch Tuesday in the company's history.
One of those flaws lived inside SharePoint Server, and attackers were already using it before Microsoft shipped the fix. The US government's cybersecurity agency, CISA, gave every federal agency fourteen days to patch it. The deadline is 28 April.
A second flaw, inside Windows Defender itself, had been public for eleven days before the patch arrived. Eleven days in which every Defender-protected machine on the planet was a known, documented target.
That is the part of the story most business owners have now heard, if they have heard anything at all.
- April 2026 Patch Tuesday shipped 165 fixes, the second-largest in Microsoft's history
- A SharePoint Server flaw was already being exploited before the patch landed
- CISA ordered every US federal agency to patch it within fourteen days
- A Windows Defender flaw had been public for eleven days before a fix was available
The part nobody is telling small businesses
Two more flaws in Windows Defender went public in the same fortnight. They are called RedSun and UnDefend. They are being actively exploited in real attacks right now, against real businesses.
Neither of them has been patched.
The next Microsoft patch window is 12 May. That is three weeks away.
Here is what the attack looks like in plain English. A hacker gets hold of a staff member's VPN password, which happens to small businesses every week through phishing emails, leaked password databases, and old logins nobody remembered to turn off. Once inside the network, the attacker uses UnDefend to silently stop Defender from receiving its security updates. The management dashboard keeps showing a green tick. Then RedSun is used to promote a normal user account to full administrator control of the laptop. From there, the attacker harvests passwords, reads emails, copies files, and moves sideways through the network.
The whole chain takes one sitting. Defender does not stop it, because Defender has been blindfolded by the attacker, using a flaw inside Defender. Your security software has become the weapon pointed at your business.
- Two further Windows Defender zero-days, RedSun and UnDefend, are being exploited right now with no patch available
- The next Microsoft patch window is 12 May, leaving roughly three weeks of open exposure
- Attackers only need a stolen VPN password, the kind obtained through phishing and leaked credentials, to start the chain
- UnDefend blindfolds Defender. RedSun promotes the attacker to full administrator. The dashboard stays green throughout
What this looks like from the operations manager's desk
Nothing looks wrong.
The ticket board is quiet. The security dashboard shows green. The weekly IT report says all systems are patched and healthy. The IT provider is responsive and pleasant on the phone. If you asked them on Thursday whether the business was secure, they would answer yes, and they would mean it.
Meanwhile, somebody has full administrator access to a laptop in your finance team. They are copying the client list. They are reading the owner's email. They are quietly trying the same password on the accounting software. The first sign that something is wrong will be when something visible finally breaks, which could be next week or next month.
This is the gap between what a patching service can tell you and what a security partner would tell you. Most small businesses have never been told the gap exists.
- A compromised network does not look broken. The dashboards, tickets, and reports all stay green
- While everything appears normal, an attacker with admin rights can harvest data, read email, and pivot to other systems for weeks
- The first visible sign is usually the last stage of the attack, not the first
The question patching cannot answer
Patching is necessary. That is not in dispute. A business that does not apply Microsoft's monthly fixes is in a worse position than a business that does.
But patching is not the question. It is the easy bit.
The harder question is what your IT provider does in between Patch Tuesdays. The month when a flaw is quietly being exploited but has not been found yet. The eleven days between a flaw going public and a fix arriving. The weeks after a fix lands, when two more flaws drop, and it turns out the first fix was only part of the picture.
That is where security actually lives or dies. And that is the part your IT bill is probably not covering.
If your provider's entire answer to this month's news is "we applied the patches", they are not a security partner. They are a patching service. Those are different things. A patching service is a useful thing, and worth paying for. It is just not, on its own, enough to keep a modern small business safe.
You are not foolish for not knowing this. You were sold a support contract. You were told it covered IT and security. For most of the last decade, that was roughly true, because the threats were slower and the attack tools were cruder. That world has ended. The people attacking small businesses are faster, better funded, and now, in the case of RedSun and UnDefend, armed with exploit code they downloaded for free last week.
- Patching matters, but it only addresses the flaws Microsoft already knows about and has already fixed
- The risk lives in the gaps: unknown flaws, unpatched zero-days, and the period between disclosure and a fix
- A patching service and a security partner are not the same thing, and most small businesses are paying for the first while assuming they have the second
Three questions to ask your IT provider this week
You do not need to become a security expert to find out where you stand. You need three questions and the patience to listen to the answers.
One. On average, how many days pass between a Microsoft patch release and you applying it to our systems?
A good answer is a number. Three days. Seven days. Same day for critical flaws, fourteen for the rest. A bad answer is "we apply them promptly" or "as soon as possible." Those phrases mean the provider has no measured process and is hoping you do not press further.
Two. What are you doing right now about the two Windows Defender zero-days that are being exploited in the wild but have no patch yet?
If the answer is "what zero-days", you have your answer. If the answer is "we are monitoring for the behaviours associated with them and have additional detection in place until the patch arrives", that is a real answer from a real security partner.
Three. If a standard user account on one of our laptops became a full administrator tonight, silently, without anyone clicking anything suspicious, how would we find out?
If the answer relies on the antivirus console or Defender, the answer is you would not find out. The whole point of this month's attack chain is that those tools are the thing being fooled. A serious provider will talk about behaviour monitoring, log review, and alerting outside the compromised machine. A properly tested environment is one where someone has actually tried to do this and watched to see whether the alerts fire.
Screenshot those three questions. Send them to the person who looks after your IT. Their answers, and how long it takes them to produce those answers, will tell you more about your actual security posture than any certificate on their website.
- Ask for a number on patch lag. Vague phrases like "promptly" mean there is no measured process
- Ask specifically about the two unpatched Defender zero-days. A real security partner will know what you mean
- Ask how a silent privilege escalation would be detected. If the answer is "the antivirus", the answer is "it would not"
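One way a security partner could answer question three from outside the endpoint, covering both stages of the chain described earlier (Defender quietly stopped from updating, then a standard account promoted to administrator): an added example, not code from this article or from any provider's tooling. It runs over Security events forwarded from the laptops to a central collector (event 4732, "a member was added to a security-enabled local group", checked against the well-known Administrators SID) and over a central inventory of Defender signature dates, so a stale signature is caught even when the endpoint's own dashboard says healthy. The host names, accounts, timestamps and the simplified event shape are constructed sample data and assumptions about how the collector exports them.

```python
"""Detections run centrally over forwarded logs (constructed sample data, not a real SIEM export)."""
from datetime import datetime, timedelta, timezone

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group

# Constructed sample: Windows Security events forwarded from endpoints to a collector.
# 4732 = "A member was added to a security-enabled local group". Field names are simplified.
FORWARDED_EVENTS = [
    {"host": "FIN-LAPTOP-07", "event_id": 4624, "time": "2026-04-15T21:03:10Z",
     "subject": "CORP\\j.smith", "details": {}},
    {"host": "FIN-LAPTOP-07", "event_id": 4732, "time": "2026-04-15T21:04:42Z",
     "subject": "NT AUTHORITY\\SYSTEM",
     "details": {"member": "CORP\\j.smith", "group_sid": ADMINISTRATORS_SID}},
    {"host": "OPS-DESKTOP-02", "event_id": 4732, "time": "2026-04-15T09:12:00Z",
     "subject": "CORP\\it.admin",
     "details": {"member": "CORP\\printer-svc", "group_sid": "S-1-5-32-555"}},  # Remote Desktop Users
]

# Constructed sample: per-host Defender signature dates gathered by the collector,
# alongside whatever the endpoint's own console claims.
DEFENDER_INVENTORY = [
    {"host": "FIN-LAPTOP-07", "console_status": "healthy", "signature_updated": "2026-04-13T02:00:00Z"},
    {"host": "OPS-DESKTOP-02", "console_status": "healthy", "signature_updated": "2026-04-16T02:00:00Z"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_local_admin_additions(events, approved_subjects=()):
    """Flag every addition to local Administrators not performed by an approved admin account."""
    hits = []
    for e in events:
        if e["event_id"] != 4732 or e["details"].get("group_sid") != ADMINISTRATORS_SID:
            continue
        if e["subject"] in approved_subjects:
            continue
        hits.append((e["host"], e["details"]["member"], e["subject"], e["time"]))
    return hits

def detect_stale_signatures(inventory, now, max_age=timedelta(hours=48)):
    """Flag hosts whose signature date has not moved within max_age, whatever the console says."""
    stale = []
    for h in inventory:
        age = now - _ts(h["signature_updated"])
        if age > max_age:
            stale.append((h["host"], h["console_status"], int(age.total_seconds() // 3600)))
    return stale

if __name__ == "__main__":
    now = _ts("2026-04-16T08:00:00Z")
    print(detect_local_admin_additions(FORWARDED_EVENTS, approved_subjects={"CORP\\it.admin"}))
    print(detect_stale_signatures(DEFENDER_INVENTORY, now))
```

In the sample, the finance laptop is flagged twice: its account was added to Administrators by SYSTEM outside any approved change, and its signatures are 78 hours old while the console still reports healthy.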
Would your business have beaten the US government?
CISA gave every US federal agency fourteen days to patch the SharePoint flaw. Most federal agencies will hit the 28 April deadline. They have dedicated security teams, mandatory reporting, and budgets your business will never see.
Your business does not need to be faster than the US federal government. But ask yourself, honestly, whether you would have finished before them. Most small businesses in London would not. Most do not know they would not. That is the gap this piece has been about.
- US federal agencies have fourteen days, dedicated security teams, and mandatory reporting, and most of them will still only just make the deadline
- The honest question for your business is not whether you are faster than them, but whether you are even close
- Most London SMBs would not finish in time. Most do not know they would not. That is the gap worth closing
If you want an honest answer to where you actually stand, we can help.
Book a free strategy call and the first thing we will do is audit your current patch posture, tell you plainly what is covered, what is not, and what the realistic gap looks like between your current setup and what a business of your size actually needs in April 2026. If it turns out you need more than patching, we can walk you through what a real security and technology review looks like.
No sales pitch. No jargon. A straight answer to the question your IT provider should already be answering.