The Huge Risk of Unpatched Vulnerabilities and How to Reduce It

Various studies show that unpatched software vulnerabilities are a primary source of cyberattacks. A recent report from the Ponemon Institute found that unpatched vulnerabilities were directly responsible for 60 percent of all data breaches. Cybercriminals target known software security bugs in operating systems and applications and attack systems that haven’t been patched. Multiple vulnerabilities are often attacked simultaneously.

However, most organizations are struggling to keep their systems patched. According to a new report from Armis, organizations are failing to patch one-third of known vulnerabilities. Alarmingly, the most critical Common Vulnerabilities and Exposures (CVEs) have a patch rate of just 55 percent.

Unpatched systems increase the risk of costly downtime and compromised data. When organizations get too far behind with security patches, they risk being exposed to security vulnerabilities in versions the vendor no longer supports, a scenario that only makes the situation worse.

Why Organizations Struggle with Unpatched Vulnerabilities

Part of the problem is the sheer number of CVEs. According to the Armis report, more than 65,000 unique CVEs were reported in 2023 alone, most of which came with patches. Keeping up with new patches is typically too much for small in-house IT teams with limited resources.

IT teams are often overwhelmed by a constant deluge of security events. They get bogged down chasing false positives while dangerous vulnerabilities go unaddressed. Meanwhile, new patches are coming fast and furious. Because patches can be buggy and might not work in certain IT environments, they must be tested, which also takes time.

Many organizations lack an effective strategy for promptly applying software patches. The Armis report found that the average organization uses 11 different tools to manage network-connected assets. Almost half (44 percent) admit that they still track assets manually using spreadsheets. They lack the visibility needed to protect their environment against known threats.

Unsupported Systems Represent a Huge Threat

Legacy systems that are no longer supported represent another huge threat. When operating systems and applications reach end-of-support, the vendor no longer issues patches for security issues. Cybercriminals look for these systems because their attack surface is known.

Armis studied a wide range of assets, including IT, operational technology (OT) and Internet of Things (IoT) devices. Among IT devices, PCs were most likely to have unsupported operating systems and applications. Many IoT devices still use Server Message Block version 1 (SMBv1), which was targeted in the WannaCry and NotPetya attacks in 2017.

Some organizations aren’t keeping their servers up to date — almost a quarter of servers had unsupported operating systems. Servers running older versions of Windows Server OS (2012 and earlier) were 77 percent more likely than newer systems to experience attack attempts.

How Managed Services Can Reduce the Risk

Outsourcing vulnerability patching to a managed services provider (MSP) can overcome these challenges and reduce the risk of business disruption and data breaches.

The first and most obvious advantage of managed services is speed. The MSP can prioritize patches, test them to ensure they work properly, and deploy them much more quickly than in-house teams. This shrinks the window between the time a vulnerability is identified and the deployment of the patch. The MSP can also use automated tools to deploy patches at a time of day that doesn’t affect operations.

The MSP will also help ensure that the IT environment stays up to date. Monitoring tools provide visibility into all network-connected assets, their patch status, and the age of their operating systems and applications. When systems reach end-of-support, the MSP can plan and complete upgrades to minimize business disruption.

Let Verteks Protect Your IT Assets

Through our managed services program, we can take vulnerability patching off your plate as part of a comprehensive strategy to enhance your overall security posture. Contact us today to schedule a confidential consultation.

