Companies that do not implement any form of security patch management place themselves at risk every single day that any of the computers on their network are behind current patch levels. Unpatched computers are ticking time bombs, with luck the only thing keeping them truly safe. Chances are that the computers that are behind on their patches already have problems that have gone unnoticed, leaving these systems risky to use. A computer without the latest security patches can be exploited by a number of viruses or worms, and even certain web sites might carry malicious code that takes advantage of security holes on a computer that has not been updated by a security patch management process.
The concept of security patch management is not based only on how patches are installed, but rather on the requirement that computers be patched. Security patch management should be in writing and a legal policy within any corporate network. Alongside other security management measures, like virus scanners, following the security patch management policy should be a requirement. Users should be clearly instructed that they are to do everything within their power to ensure that patches are installed by whatever means your security patch management utilizes. Often, security patch management is enforced by software policies driven by the primary servers the end user machines log into.
These security patch management policies either restrict the ability of an end user to interfere with patch updates or their configuration settings, or push the patches to the computers entirely from an internal source of the updates. This security patch management process caches updates as provided by the software manufacturer on an internal server, then deploys them to workstations by a push process that cannot be avoided or aborted. This is probably the most certain method of deploying updated software.