Software Patching Statistics for 2019: Common Practices and Vulnerabilities
Quote:

How Often and Fast Do Companies Really Apply Updates? How Dangerous (or Not) Are the Common Software Patching Behaviors?

Wondering about software patching statistics and what the current state of affairs on updates is? This is where you will find all the relevant data as soon as experts reveal it, as well as stats based on our own customer data.

I will keep updating this list of software patching statistics periodically so it’s easier to see both the necessity of patching and how well companies worldwide do it (or not).

Without question, difficulties and delays in applying software patches are still one of the biggest threats for companies today. Apps and software lacking the latest update are some of the easiest targets for any hacker who wants to infiltrate an organization.

Experts keep saying it over and over, but people have a hard time getting to those never-ending software updates. It’s both a matter of prioritization and a matter of difficulty (in the absence of a tool which can successfully automate software patching).

So, here are the most important truths about updates and how we apply them or not. I have broken down the software patching statistics of recent years in sections pertaining to the behavior or phenomena they describe.

Why Software Patching is Important, in Statistics and Data:

* 80% of companies who had a data breach or a failed audit could have prevented it by patching on time or doing configuration updates – Voke Media survey, 2016.

* Upon a breach or failed audit, nearly half of companies (46%) took longer than 10 days to remedy the situation and apply patches, because deploying updates in the entire organization can be difficult – Voke Media survey, 2016.

* Devastating malware and ransomware which could have been prevented by patching software on time: WannaCry, NotPetya, SamSam.

* 20% of all vulnerabilities caused by unpatched software are classified as High Risk or Critical – Edgescan Stats Report, 2018.

* The average time for organizations to close a discovered vulnerability (caused by unpatched software and apps) is 67 days – Edgescan Stats Report, 2018.

* 18% of all network-level vulnerabilities are caused by unpatched applications – Apache, Cisco, Microsoft, WordPress, BSD, PHP, etc. – Edgescan Stats Report, 2018.

* 37% of organizations admitted that they don’t even scan for vulnerabilities – Ponemon Report, 2018.

* 58% of organizations run on ‘legacy systems’ – platforms which are no longer supported with patches but which would still be too expensive to replace in the near future – 0patch Survey Report, 2017.

* 64% of organizations say that they plan to hire more people on the vulnerability response team, although the average headcount is already 28, representing about 29% of all security human resources – Ponemon State of Vulnerability Report, 2018.

* Still, this is something known in the industry as the ‘patching paradox’ – hiring more people will not make software vulnerabilities easier to handle – Ponemon State of Vulnerability Report, 2018.

* Microsoft reports that most of its customers are breached via vulnerabilities that had patches released years ago – Microsoft’s Security Intelligence Report, 2015.

* Since 2002, the total number of software vulnerabilities has grown year by year by the thousands. The peak year seems to have been 2018 for now, but the figures keep rising – ENISA report for 2018.

Why Is Software Patching So Difficult?

The main reason why patching is difficult is that manual updates (or coordinating the updates manually) take a gruesome amount of time.

According to the Ponemon Institute study for 2018:

* More than half of all companies (55%) say that they spend more time manually navigating the various processes involved than actually patching vulnerabilities;

* On average it takes 12 days for teams to coordinate for applying a patch across all devices;

* Most companies (61%) feel that they are at a disadvantage for relying on manual processes for applying software patches;

* Nearly two-thirds of all companies (65%) say that it is currently too difficult for them to decide correctly on the priority level of each software patch (aka which update is of critical importance and should be applied first).

Considering that it doesn’t make sense for most organizations to have really well-trained security experts on their payroll, it makes sense to have difficulties when prioritizing patches. In the best scenario, security and IT professionals define priorities simply by following the CVSS scoring.

While that scoring for patch importance is reliable, the organizations which implement automation of software patches are still better off both in terms of security and time spent.
...

