Software Patching Statistics: Common Practices and Vulnerabilities
How Often and Fast Do Companies Really Apply Updates? How Dangerous (or Not) Are the Common Software Patching Behaviors?
Wondering about software patching statistics and what the current state of affairs on updates is? This is where you will find all the relevant data as soon as experts reveal it.
Without question, difficulty and delay in applying software patches remain among the biggest threats to companies today. Applications and software that lack the latest updates are among the easiest targets for any attacker who wants to infiltrate an organization.
Experts keep saying it over and over, but people have a hard time getting to those never-ending software updates. It’s both a matter of prioritization and a matter of difficulty (in the absence of a tool that can successfully automate software patching).
Why Software Patching is Important, in Statistics and Data:
- Microsoft reports that most of its customers are breached via vulnerabilities that had patches released years ago – Microsoft’s Security Intelligence Report, 2015.
- 80% of companies who had a data breach or a failed audit could have prevented it by patching on time or doing configuration updates – Voke Media survey, 2016.
- Upon a breach or failed audit, nearly half of companies (46%) took longer than 10 days to remedy the situation and apply patches, because deploying updates in the entire organization can be difficult – Voke Media survey, 2016.
- Devastating malware and ransomware which could have been prevented by patching software on time: WannaCry, NotPetya, SamSam.
- 58% of organizations run on ‘legacy systems’ – platforms that are no longer supported with patches but which would still be too expensive to replace in the near future – 0patch Survey Report, 2017.
- 20% of all vulnerabilities caused by unpatched software are classified as High Risk or Critical – Edgescan Stats Report, 2018.
- The average time for organizations to close a discovered vulnerability (caused by unpatched software and apps) is 67 days – Edgescan Stats Report, 2018.
- 18% of all network-level vulnerabilities are caused by unpatched applications – Apache, Cisco, Microsoft, WordPress, BSD, PHP, etc. – Edgescan Stats Report, 2018.
- 37% of organizations admitted that they don’t even scan for vulnerabilities – Ponemon Report, 2018.
- 64% of organizations say that they plan to hire more people on the vulnerability response team, although the average headcount is already 28, representing about 29% of all security human resources – Ponemon State of Vulnerability Report, 2018.
- This is what the industry calls the ‘patching paradox’: hiring more people does not make software vulnerabilities easier to handle – Ponemon State of Vulnerability Report, 2018.
- Since 2002, the number of disclosed software vulnerabilities has grown by thousands every year; 2018 was the highest year on record at the time of the report, and the trend is still upward – ENISA report for 2018.
- In 2019, only 42% of the respondents of a study made by Kaseya said that they automated or planned to automate patch management.
- 47% of the 2019 Kaseya study respondents said that they regularly scan all their servers and workstations for third-party software patches, and 42% said that they apply the critical patches “within 30 days of release.”
Why Is Software Patching So Difficult?
The main reason patching is difficult is that manual updates (or manually coordinating updates) take an enormous amount of time.
According to the Ponemon Institute study for 2018:
- More than half of all companies (55%) say that when it comes to patching, they spend more time manually navigating the various processes involved than actually patching vulnerabilities;
- On average it takes 12 days for teams to coordinate for applying a patch across all devices;
- Most companies (61%) feel they are at a disadvantage because they rely on manual processes to apply software patches;
- Nearly two-thirds of all companies (65%) say that it is currently too difficult for them to decide correctly on the priority level of each software patch (aka which update is of critical importance and should be applied first).
Considering that most organizations cannot justify keeping highly trained security experts on the payroll, it is no surprise that prioritizing patches is hard. In the best case, security and IT staff set priorities by following the CVSS score.
CVSS is a reasonable starting point, but it measures a vulnerability’s severity, not the likelihood that it will be exploited in your environment; a practitioner would also weigh whether the flaw is known to be exploited and whether the affected system is exposed to the internet. Either way, organizations that automate patch deployment come out ahead in both security and time spent.
Why Do Companies Choose to Delay Applying Software Patches and Updates?
It’s not just that it’s difficult. Some managers don’t want to apply the patches.
Organizations are not just late in applying patches because it takes time; some managers are reluctant to apply the patches for other reasons. According to the 0patch Survey Report, 2017:
- 88% say they would apply patches faster if they had the option to quickly un-patch if needed;
- 79% say decoupling security patches from functional ones would help them apply security patches faster;
- 72% of managers are afraid to apply security patches right away because they could ‘break stuff’;
- 52% of managers say they don’t want the functionality changes which come with security patching.
Even more worrying, not everyone is aware of how dangerous delaying can be. One of the most baffling software patching statistics of the past year comes, again, from the Ponemon Institute report for 2019: only 39% of organizations are aware that actual breaches are linked to known vulnerabilities.
Of course, not wanting the hassle of updating software or systems is an understandable attitude, albeit a very dangerous one. But it is only a hassle if you plan on doing it alone, manually.
What about the Last Couple of Years, Though?
- In 2020, a year that pushed many companies into remote work, three out of four data breaches were attributed to missing or misconfigured patches, and enterprises found it even harder to manage patches properly because of remote offices, a highly mobile workforce, and poor endpoint visibility.
- Remote working also made the surveyed participants less confident about the cyber hygiene of their endpoints, which suggests that they still rely mostly on manual patching or on tools that are not effective in remote or cloud environments.
- The 2021 TuxCare report showed that most (76%) of their respondents (sysadmins, DevOps professionals, network administrators, IT security managers, Chief Information Officers) finally turned towards automated patch management.
- The same study also showed which features respondents consider most important in a patch management tool: “fast response to new CVEs”, “live patching of all components without downtime”, “complete reporting”, “automated reporting”.
- Another improved aspect revealed by the 2021 TuxCare report is that patching procedures took up less than two hours per week in most industries – banking, financial, agriculture, education, transport, logistics, healthcare, professional services.
As a report from Market Data Forecast says, “the global patch management market size is expected to grow to USD 1084 million by 2026 from USD 652 million in 2021, growing at a CAGR of 10.7% between 2021 and 2026”. This is good news, showing clear interest in closing vulnerabilities and securing endpoints.
Our Own Software Patching Statistics:
We have hundreds of thousands of enterprise endpoints that are kept secure and up to date through our patch management automation solution, Heimdal™ Patch & Asset Management. While our fast response and implementation times allow us to keep them all updated at a much higher rate compared to industry benchmarks, there are still interesting insights to be gleaned from our data.
This is what we can boast:
- A new patch reaches the endpoints protected by our patch management system within 4 hours of its release (provided the endpoint is online to receive it);
- By applying patches automatically, Heimdal™ Patch & Asset Management closes the system vulnerabilities for which a patch exists, which we estimate removes about 85% of the possible attack vectors in an enterprise environment;
- At the moment, the Heimdal™ Patch & Asset Management patch management system covers more than 140 of the most common software and apps, with several apps and software being added to the list every year.
Heimdal Patch & Asset Management Software
If there’s one thing that the latest software patching statistics reflect, it’s that the field is far from homogeneous. Some organizations react fast(er) to patches but take a long time applying them or apply them in the wrong order. Others have complicated approval procedures, but once a patch is cleared it goes out fast and smoothly. Some apply only critical system updates and reject every other patch to avoid functionality changes, even though that leaves them at some risk.
The bottom line is that whatever is your organization’s unique flavor, we know patches can be overwhelming in one way or another. That’s why we leverage the scaling power of technology to help keep our customers covered with all software patches and zero inconveniences.
Our Heimdal™ Patch & Asset Management will handle all software updates and patches within 4 hours of their release, silently, in the background, with no interruptions.
You can set it and forget it, as we like to say, or set a few preferences (like the right to exclude updates from one app or category, or to be asked before applying a patch on all endpoints within your organization, or the possibility to deploy and patch your own custom software through the platform). Make sure you request a demo and give it a try!