Software Patching Statistics for 2019: Common Practices and Vulnerabilities
How Often and Fast Do Companies Really Apply Updates? How Dangerous (or Not) Are the Common Software Patching Behaviors?
Wondering about software patching statistics and what the current state of affairs on updates is? This is where you will find all the relevant data as soon as experts reveal it, as well as stats based on our own customer data.
I will keep updating this list of software patching statistics periodically so it’s easier to see both the necessity of patching and how well companies worldwide do it (or not).
Without question, difficulties and delays in applying software patches remain one of the biggest threats to companies today. Applications and systems that lack the latest update are among the easiest targets for any attacker who wants to get a foothold inside an organization.
Experts keep saying it over and over, but people have a hard time getting to those never-ending software updates. It’s both a matter of prioritization and a matter of difficulty (in the absence of a tool which can successfully automate software patching).
So, here are the most important truths about updates and how we apply them (or don't). I have broken down the software patching statistics of recent years into sections, each covering a particular behavior or phenomenon.
Why Software Patching is Important, in Statistics and Data:
- 80% of companies that had a data breach or a failed audit could have prevented it by patching on time or applying configuration updates – Voke Media survey, 2016.
- After a breach or failed audit, nearly half of companies (46%) took longer than 10 days to remedy the situation and apply patches, because deploying updates across the entire organization can be difficult – Voke Media survey, 2016.
- Devastating malware and ransomware that could have been prevented by patching on time: WannaCry, NotPetya, SamSam. WannaCry and NotPetya both spread through an SMBv1 flaw for which Microsoft had shipped the MS17-010 fix in March 2017, two months before WannaCry hit.
- 20% of all vulnerabilities caused by unpatched software are classified as High Risk or Critical – Edgescan Stats Report, 2018.
- The average time for organizations to close a discovered vulnerability (caused by unpatched software and apps) is 67 days – Edgescan Stats Report, 2018.
- 18% of all network-level vulnerabilities are caused by unpatched applications – Apache, Cisco, Microsoft, WordPress, BSD, PHP, etc. – Edgescan Stats Report, 2018.
- 37% of organizations admitted that they don’t even scan for vulnerabilities – Ponemon Report, 2018.
- 58% of organizations run on ‘legacy systems’ – platforms which are no longer supported with patches but which would still be too expensive to replace in the near future – 0patch Survey Report, 2017.
- 64% of organizations say they plan to hire more people for the vulnerability response team, although the average headcount is already 28, about 29% of all security staff – Ponemon State of Vulnerability Report, 2018.
- Still, the same report points to what the industry calls the ‘patching paradox’: hiring more people does not by itself make software vulnerabilities easier to handle – Ponemon State of Vulnerability Report, 2018.
- Microsoft reports that most of its customers are breached via vulnerabilities that had patches released years ago – Microsoft’s Security Intelligence Report, 2015.
- Since 2002, the total number of disclosed software vulnerabilities has grown by thousands every year. 2018 is the highest year on record so far, and the trend is still upward – ENISA report for 2018.
Why Is Software Patching So Difficult?
The main reason patching is difficult is that manual updates (or coordinating the updates manually) take an enormous amount of time.
According to the Ponemon Institute study for 2018:
- More than half of all companies (55%) say they spend more time manually navigating the various processes around patching than actually patching vulnerabilities;
- On average it takes 12 days for teams to coordinate the application of a patch across all devices;
- Most companies (61%) feel they are at a disadvantage because they rely on manual processes for applying software patches;
- Nearly two-thirds of all companies (65%) say that it is currently too difficult for them to decide correctly on the priority level of each software patch (aka which update is of critical importance and should be applied first).
Since most organizations cannot justify keeping dedicated vulnerability-management specialists on the payroll, difficulty prioritizing patches is to be expected. At best, security and IT staff set priorities simply by following the CVSS score of each vulnerability.
CVSS is a reliable measure of a flaw's intrinsic severity, but a base score says nothing about whether the affected component is reachable in your environment or already being exploited, so a score alone only gets you a rough ordering. Organizations that automate software patching are still better off, both in security and in time spent, because the question of which patch to apply first matters much less when all of them go out within hours.
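To make the prioritization problem concrete, here is an added example (not code from the page or from any vendor's product) that turns a small patch inventory into the two things the surveys say teams struggle with: a priority queue ordered by CVSS band and patch age, and a time-to-remediate measurement with SLA breach detection. The hosts, the CVE-style identifiers, the scores, the dates and the SLA thresholds are all constructed for illustration; only the CVSS v3 qualitative bands are real.

```python
"""Patch-backlog triage and time-to-remediate metrics over a constructed inventory."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    software: str
    cve: str                 # constructed identifier, not a real CVE
    cvss: float              # CVSS v3 base score as published by the vendor
    released: date           # date the vendor shipped the fix
    applied: Optional[date]  # None means the endpoint is still unpatched


# Constructed sample inventory: hypothetical hosts, software and scores.
INVENTORY: List[PatchRecord] = [
    PatchRecord("ws-01", "browser", "CVE-0000-0001", 9.8, date(2019, 3, 1), date(2019, 3, 3)),
    PatchRecord("ws-02", "browser", "CVE-0000-0001", 9.8, date(2019, 3, 1), None),
    PatchRecord("srv-01", "web-server", "CVE-0000-0002", 7.5, date(2019, 2, 10), date(2019, 3, 20)),
    PatchRecord("srv-02", "database", "CVE-0000-0003", 5.3, date(2019, 1, 15), None),
    PatchRecord("ws-03", "pdf-reader", "CVE-0000-0004", 8.8, date(2019, 3, 15), date(2019, 3, 16)),
    PatchRecord("srv-03", "web-server", "CVE-0000-0002", 7.5, date(2019, 2, 10), None),
]

# "Today" is fixed so the example is deterministic; a real run would use date.today().
TODAY = date(2019, 4, 1)

# Assumed SLA: days allowed between vendor release and deployment, per severity band.
SLA_DAYS: Dict[str, int] = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating (FIRST's published bands)."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def remediation_days(rec: PatchRecord, today: date = TODAY) -> int:
    """Days from vendor release to deployment; for open items, days of exposure so far."""
    end = rec.applied if rec.applied is not None else today
    return (end - rec.released).days


def backlog(inventory: List[PatchRecord]) -> List[PatchRecord]:
    """Unpatched records ordered for action: highest CVSS first, then oldest patch first."""
    open_items = [r for r in inventory if r.applied is None]
    return sorted(open_items, key=lambda r: (-r.cvss, r.released))


def sla_breaches(inventory: List[PatchRecord], today: date = TODAY) -> List[PatchRecord]:
    """Records (applied or still open) whose remediation time exceeds the band's SLA."""
    breached = []
    for r in inventory:
        limit = SLA_DAYS.get(severity_band(r.cvss))
        if limit is not None and remediation_days(r, today) > limit:
            breached.append(r)
    return breached


def median_time_to_remediate(inventory: List[PatchRecord]) -> float:
    """Median days from release to deployment over the patches that were actually applied."""
    closed = [remediation_days(r) for r in inventory if r.applied is not None]
    return median(closed) if closed else 0.0


if __name__ == "__main__":
    print("Priority queue:")
    for r in backlog(INVENTORY):
        print(f"  {r.host:7} {r.cve} cvss={r.cvss} {severity_band(r.cvss):8} "
              f"exposed {remediation_days(r)} days")
    print("SLA breaches:", [r.host for r in sla_breaches(INVENTORY)])
    print("Median time to remediate (days):", median_time_to_remediate(INVENTORY))
```

Two design points worth noting: open items are measured as exposure-so-far rather than ignored, so an unpatched Critical shows up as a breach the day its SLA lapses instead of only after someone finally closes it; and the queue key sorts by raw score before age, so two hosts missing the same patch stay adjacent and can be deployed to in one batch.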
Why Do Companies Choose to Delay Applying Software Patches and Updates?
It’s not just that patching is difficult. Organizations are late applying patches partly because it takes time, but some managers are reluctant to apply them for other reasons. According to the 0patch Survey Report, 2017:
- 88% say they would apply patches faster if they had the option to quickly un-patch if needed;
- 79% say decoupling security patches from functional ones would help them apply security patches faster;
- 72% of managers are afraid to apply security patches right away because they could ‘break stuff’;
- 52% of managers say they don’t want the functionality changes which come with security patching.
Even more worrying is that not everyone is aware of how dangerous it is to delay. One of the most baffling software patching statistics of the past year comes from the Ponemon Institute report for 2019: only 39% of organizations are aware that actual breaches are linked to known vulnerabilities.
Of course, not wanting the hassle of updating software or systems is an understandable attitude, albeit a very dangerous one. But it’s only a hassle if you plan on doing it alone, manually.
Our Own Software Patching Statistics:
We have hundreds of thousands of enterprise endpoints which are kept secure and up to date through our patch management automation solution, X-Ploit Resilience. While our fast response and implementation times allow us to keep them all updated at a much higher rate compared to industry benchmarks, there are still interesting insights to be gleaned from our data.
This is what we can boast:
- A new patch reaches the endpoints secured with our patch management system within 4 hours of its release (if the endpoint is available to receive it);
- By applying patches automatically, X-Ploit Resilience closes the known, patchable vulnerabilities across an enterprise environment, which removes roughly 85% of all possible attack vectors;
- At the moment, the X-Ploit Resilience patch management system covers 112 of the most common software and apps, with several apps and software being added to the list every year.
And this is what we and our customers need to work on together for an even better performance:
- During the last 3 months, our corporate customers took a while to apply the patches we made available through our system (either because endpoints were offline or because of a conscious decision to delay), but still at a rate 4 times faster than the global average.
If there’s one thing the latest software patching statistics reflect, it’s that the field is very non-homogeneous. Some organizations react quickly to a new patch but take a long time to deploy it, or deploy patches in the wrong order. Others have complicated approval procedures, but once a patch is cleared for deployment it goes out fast and smoothly. Some apply only critical system updates and reject all other patches to avoid functionality changes, even if that leaves them exposed.
The bottom line is that whatever is your organization’s unique flavor, we know patches can be overwhelming in one way or another. That’s why we leverage the scaling power of technology to help keep our customers covered with all software patches and zero inconveniences.
Our X-Ploit Resilience module handles all software updates and patches within 4 hours of their release, silently, in the background, with no interruptions. You can set it and forget it, as we like to say, or set a few preferences (such as excluding updates for one app or category, being asked before a patch is applied to all endpoints in your organization, or deploying and patching your own custom software through the platform).