When I started with my current employer three years ago, we deployed new systems with a virus scanner installed and automatic updates configured to run without user intervention. We assumed the machines would simply update themselves as configured, and that this would provide the level of security patch management expected of us. Then a virus broke out that users downloaded from several legitimate web sites just by visiting them. It took advantage of a weakness in the code of Internet Information Services (IIS). The same virus then used any machines that were active on the same local area network to propagate. To my surprise, our security patch management plan had not worked as expected: the patches that should have been in place to stop this virus from spreading were missing on a large percentage of our machines.
When upper management examined our security patch management scheme, we were asked to identify what went wrong. It turned out that our firewall was not allowing successful communication to the external update site, so the clients had silently failed to update. Suffice it to say, our security patch management plan was a total failure, and our department did not look good as a result. We have since built an internal update server, which can reach the external update site, download the security patches, and distribute them internally. Our security patch management policy now states that all machines must report to our internal server and be patched weekly.
Thanks to the reporting features of the security patch management software we use, we can now verify that the connected clients are actually being updated as expected, rather than assuming they are. We present those same security patch management reports to upper management monthly, so they can keep better track of our security posture and help prevent an outbreak from ever happening again. An outbreak is always a possibility, but we are now far less susceptible, and hopefully an outbreak like the one we had will never be repeated.
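The lesson in the story above is that a patch policy is only as good as the check that confirms every machine actually reported and actually received the patch. The following is an added example, not the author's tooling or the reporting feature of any particular product: it parses a constructed client export from a hypothetical internal update server (the CSV-like format, the patch level names and the host names are all assumptions for illustration) and, for every host in the inventory, classifies it as compliant, stale (has not reported within the weekly window), outdated (reported but missing the required patch level) or never reported. The last category is the silent failure from the text: a machine that never reached the update server does not appear in the server's report at all, so the audit must start from the inventory rather than from the report.

```python
from datetime import datetime, timedelta

# Constructed sample export from a hypothetical internal update server, one line
# per client: "hostname,last_report_utc,installed_patch_level". Both the format
# and the patch level labels are assumptions made for this example.
SAMPLE_REPORT = """\
# hostname,last_report_utc,installed_patch_level
ws-finance-01,2024-05-20T08:14:00,PATCH-LEVEL-2
ws-finance-02,2024-05-02T17:30:00,PATCH-LEVEL-1
ws-hr-01,2024-05-19T09:00:00,PATCH-LEVEL-1
srv-web-01,2024-05-21T01:05:00,PATCH-LEVEL-2
"""

# Constructed asset inventory. Any host listed here that is absent from the
# server's export has never checked in, which is exactly the gap that a
# report-only view would hide.
INVENTORY = ["ws-finance-01", "ws-finance-02", "ws-hr-01", "ws-lab-07", "srv-web-01"]

REQUIRED_LEVEL = "PATCH-LEVEL-2"   # the patch level the policy currently mandates
MAX_AGE = timedelta(days=7)        # policy: every machine reports and is patched weekly


def parse_report(text):
    """Return {hostname: (last_report datetime, patch_level)} from the export."""
    clients = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, timestamp, level = (field.strip() for field in line.split(",", 2))
        clients[host] = (datetime.fromisoformat(timestamp), level)
    return clients


def audit(report_text, inventory, required_level, now, max_age=MAX_AGE):
    """Classify every inventoried host; hosts are checked from the inventory side
    so that machines which never reported are surfaced instead of silently missing."""
    clients = parse_report(report_text)
    result = {"compliant": [], "stale": [], "outdated": [], "never_reported": []}
    for host in sorted(inventory):
        if host not in clients:
            result["never_reported"].append(host)
            continue
        last_seen, level = clients[host]
        if now - last_seen > max_age:
            result["stale"].append(host)          # reported once, but outside the weekly window
        elif level != required_level:
            result["outdated"].append(host)       # checks in, but the required patch is missing
        else:
            result["compliant"].append(host)
    return result


def compliance_ratio(result):
    """Fraction of inventoried hosts that are compliant, for the monthly summary."""
    total = sum(len(hosts) for hosts in result.values())
    return len(result["compliant"]) / total if total else 0.0


if __name__ == "__main__":
    # Fixed "now" so the sample is reproducible; a real run would use datetime.utcnow().
    now = datetime.fromisoformat("2024-05-21T12:00:00")
    outcome = audit(SAMPLE_REPORT, INVENTORY, REQUIRED_LEVEL, now)
    for category, hosts in outcome.items():
        print(f"{category:15s} {len(hosts):3d}  {', '.join(hosts) or '-'}")
    print(f"compliant ratio: {compliance_ratio(outcome):.0%}")
```

Run against the constructed data this flags one stale host, one outdated host and one host that never reported, which is the kind of breakdown worth putting in front of management each month: a single percentage hides which machines are the problem and why.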