Website updates: why they're a security issue, not just a chore

Here's something most business owners don't think about: the software that runs your website is made up of dozens (sometimes hundreds) of smaller pieces of code called dependencies. And every single one of them can become a security hole if it's not kept up to date.

This isn't a theoretical risk. 87% of commercial software contains at least one known vulnerability. And thanks to AI, the people exploiting those vulnerabilities are moving faster than ever.

What Are Dependencies (And Why Should You Care)?

Think of your website like a house. You didn't build every brick yourself. The framework, the contact form, the payment processing, the image handling, the security layers: most of these come from open-source libraries that thousands of developers contribute to.

That's a good thing. It means your site is built on battle-tested code rather than everything being written from scratch. But it also means you're relying on other people's code. And when a vulnerability is found in one of those libraries, you need to update it. Fast.

AI Has Changed the Game for Attackers

This is where it gets serious. A few years ago, when a vulnerability was discovered in a piece of software, attackers might take weeks or months to figure out how to exploit it. That gave you time to update.

Not any more. AI tools can now generate working exploit code in as little as 15 minutes. The average time from a vulnerability being disclosed to it being actively exploited has collapsed from 745 days in 2020 to just 5 days now. Nearly a third of exploited vulnerabilities are weaponised within 24 hours of being made public.

Put simply: the window between "a fix is available" and "someone's trying to break in" has gone from months to hours.

What Attackers Are Actually Doing

It's not just faster exploitation. AI is enabling entirely new attack patterns:

  • Automated scanning of thousands of websites simultaneously, looking for known vulnerabilities
  • AI-generated phishing emails that are significantly harder to spot than the old "Nigerian prince" attempts
  • Polymorphic ("shape-shifting") malware that rewrites itself hourly, so signature-based antivirus tools struggle to recognise it
  • Supply chain attacks where attackers compromise a widely-used library, affecting every site that uses it

Vulnerability exploitation is now the leading cause of cyber attacks, accounting for 40% of all incidents according to IBM's latest threat report.

Real-World Examples

This isn't abstract. Here are some of the biggest breaches caused by outdated dependencies:

Equifax (2017)

Equifax failed to apply a security patch to Apache Struts, a widely-used web framework. The patch was available in March. They were breached months later. 143 million people's personal data was exposed. The fix was free. They just didn't apply it. Cost: over $700 million in settlements.

Log4j (2021)

A critical vulnerability was discovered in Log4j, a Java logging library used in millions of systems worldwide. The bug had existed unnoticed for eight years. Within 24 hours of disclosure, over 60 exploit variants were circulating. It affected everything from iCloud to Minecraft. One small, overlooked library put hundreds of millions of devices at risk.

MOVEit (2023)

A vulnerability in MOVEit, a file transfer tool, was exploited by a ransomware gang. Over 2,700 organisations were compromised, including the BBC, British Airways, and Boots. 93 million individuals had their data exposed. Many of the affected organisations didn't even use MOVEit directly; their suppliers did.

Why This Matters for Small Businesses

You might be thinking "we're too small to be a target." Unfortunately, that's not how it works. 81% of all UK businesses that suffer a cyber attack are small or medium-sized. Attackers use automated tools that scan the entire internet for vulnerabilities. They don't care how big you are; they care how easy you are to break into.

The numbers for UK SMEs are sobering:

  • 43% of UK businesses reported a cyber breach in the past year
  • The average cost of a breach for a UK SME is now around £6,400-£8,000
  • Supply chain attacks on small businesses doubled year-on-year (from 9% to 18%)
  • 60% of small businesses close within six months of a significant cyber attack

If you're a charity, you're not exempt either. 30% of UK charities experienced cybersecurity breaches last year, and the ICO has reported a 51% increase in charity data incidents since 2020.

The Regulatory Side

Beyond the direct damage, there's a regulatory risk. Under UK GDPR, you're required to implement "appropriate technical measures" to protect personal data. Running software with known, unpatched vulnerabilities can be considered a failure to meet that obligation.

The ICO is actively enforcing this. In March 2025, they fined Advanced Computer Software Group £3.1 million after a ransomware attack on their NHS software. The ICO specifically cited inadequate patch management as a key failing. That was the first time a data processor (not just the data controller) was fined under UK GDPR, setting a precedent that your software suppliers can be held liable too.

Maximum penalties under UK GDPR can reach £17.5 million or 4% of annual worldwide turnover. For most small businesses, even a fraction of that would be devastating.

What You Should Actually Do

The good news is that keeping things up to date isn't complicated or expensive. Here's what it looks like in practice:

Understand the Types of Updates

Software updates follow a numbering system (like version 2.4.1) known as semantic versioning. Each position in the number means something different:

  • Patch updates (2.4.1 to 2.4.2): Security fixes. Low risk. Apply these as quickly as possible.
  • Minor updates (2.4.x to 2.5.0): New features, backwards-compatible. Generally safe. Review monthly.
  • Major updates (2.x to 3.0): Significant changes that might need code adjustments. Plan these carefully.
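The version policy above, turned into a small triage script (an added example, not code from the original article): it reads each dependency's current and latest version, classifies the bump as patch, minor or major, and lists the ones to apply straight away first. It goes slightly beyond the article in one respect: under semantic versioning a library still at 0.x makes no compatibility promise, so a 0.x minor bump is treated as major. The package names and versions are constructed sample data.

```python
import re

# Policy from the article: patch bumps are applied straight away, minor bumps
# are reviewed on the monthly cycle, major bumps are planned as a project.
ACTION = {
    "patch": "apply now (security fix, low risk)",
    "minor": "review at the monthly check",
    "major": "plan carefully (may need code changes)",
    "none": "already current",
}

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")

def parse(version: str) -> tuple:
    """Split '2.4.1' or 'v2.4.1-beta.1' into (major, minor, patch, prerelease)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre or ""

def classify(current: str, latest: str) -> str:
    """Return 'none', 'patch', 'minor' or 'major' for the bump current -> latest.
    A 0.x library makes no compatibility promise, so its minor bumps count as major."""
    c, l = parse(current), parse(latest)
    if l[:3] <= c[:3]:
        return "none"
    if l[0] != c[0]:
        return "major"
    if l[1] != c[1]:
        return "major" if c[0] == 0 else "minor"
    return "patch"

def triage(deps):
    """deps: iterable of (name, current, latest) tuples.
    Returns {name: (bump, action)} with the apply-now items first."""
    order = {"patch": 0, "minor": 1, "major": 2, "none": 3}
    rows = [(name, classify(cur, new)) for name, cur, new in deps]
    rows.sort(key=lambda r: order[r[1]])
    return {name: (bump, ACTION[bump]) for name, bump in rows}

if __name__ == "__main__":
    # Constructed sample, not real package data.
    sample = [("framework", "2.4.1", "3.0.0"), ("forms", "2.4.1", "2.4.2"),
              ("images", "0.9.3", "0.10.0"), ("payments", "2.4.1", "2.5.0")]
    for name, (bump, action) in triage(sample).items():
        print(f"{name:10} {bump:6} {action}")
```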

Automate Where Possible

If your site's code is hosted on GitHub (which it should be), tools like Dependabot and Renovate can automatically flag when dependencies have known vulnerabilities and even prepare the updates for you as pull requests. This takes the "remembering to check" out of the equation entirely. The one thing it doesn't remove is the need for someone to review and merge those updates, so make sure that job has an owner.

Have a Maintenance Agreement

If you've got a developer or agency looking after your site, make sure dependency updates are explicitly part of the agreement. Not "we'll fix things when they break" but "we proactively check and apply security patches on a regular schedule."

The UK's National Cyber Security Centre recommends organisations "put in place a policy to update by default" and apply updates as soon as possible, ideally automatically.

Don't Wait for the Breach

The pattern in every major breach is the same: a fix existed, but nobody applied it in time. With AI shrinking the exploitation window to hours, "we'll get to it eventually" isn't good enough any more.

If you're not sure whether your website's dependencies are up to date, or if you don't have a process for keeping them current, that's worth sorting out sooner rather than later. We offer maintenance plans that include regular dependency updates, security monitoring, and proactive patching. Get in touch and we'll take a look at where things stand.