1 in 3 Breaches are Caused by Unpatched Vulnerabilities

In 2020, cyber threats and attacks are on the rise for healthcare, IT and telecom, finance, and construction organizations. Many of these threats are a direct result of vulnerabilities in organizations’ networks. Threat actors and ransomware operators exploit system vulnerabilities to gain access to industrial networks for financial gain, to steal intellectual property, or to interrupt operations.

Unpatched software vulnerabilities are one of the most accessible areas to secure, and they are everywhere. One in three cyber breaches is caused by unpatched vulnerabilities, according to IT security professionals. For example, browser add-on programs like Adobe Flash and Java and programs like Microsoft Excel and Word all require regular updates. When new security patches are available for applications, SMBs and their teams must run those updates as soon as possible. We now live and work in a very data-centric world where hyperconnectivity is the norm. A single unpatched vulnerability in one endpoint (i.e., a laptop or smartphone) can carry significant consequences by creating an opening for attackers.

Software vendors continuously release new patches to fix issues with their software products. However, the mere existence of hardware and software patches isn’t a cure-all. It’s up to the software’s end-users to apply the released patches, or risk leaving their organization open to cyberattacks through known entry points that were never closed. According to Security Boulevard, in the last year, 60% of breaches involved vulnerabilities for which a patch was available but not applied.

As many of us have experienced, the steady increase in endpoint devices connecting to company networks has multiplied the points at which a cyberattack can be made. While implementing vulnerability patches across organizations is critical to help avoid cyber threats, there are inevitable challenges for organizations and their IT teams, which include:

  • Business continuity. Due to various factors, including time, disruption, and associated costs, organizations opt to postpone or do away with vulnerability patching altogether to avoid downtime.
  • Prioritizing vulnerabilities. According to ESG Research, 34% of cybersecurity professionals feel this is a leading challenge for implementing vulnerability patches. To prioritize necessary vulnerability patches, organizations need to conduct a cyber health assessment that includes comprehensive risk scoring beyond Common Vulnerabilities and Exposures (CVE).
  • Tracking inventory. During a time when many organizations are working in a remote capacity, company infrastructure continues to expand. With this expansion, IT teams must maintain an updated inventory of individual systems and software applications.


A notable example of a real-world cyberattack caused by unpatched software is the 2017 WannaCry ransomware attack. The WannaCry attack hit Britain’s National Health Service, some of Spain’s largest companies, including Telefónica, and computers across Russia, Ukraine, and Taiwan. Developers of the WannaCry ransomware utilized a tool created by the NSA called EternalBlue, which exploited Microsoft Windows XP vulnerabilities. At the time, Microsoft had already released a fix for the vulnerability; however, many organizations had not updated their systems.

Notably, the devastating attack cost the National Health Service £100m and disrupted patient care by canceling 19,000 appointments. WannaCry demonstrated the destructive potential of an unpatched vulnerability and how it can spread globally with disastrous results.


Both hackers and malware seek vulnerabilities in software as an attack vector because exploiting them requires minimal end-user involvement. Attackers look for unpatched software, compromise it, and move on to internal targets, or lure users into opening fake emails or visiting malicious websites (phishing attacks) that exploit an unpatched vulnerability. A couple of critical areas to focus on to protect your assets and your business include:

  • Concentrate on the highest risk software programs on your highest risk systems, which ties back to our above point on prioritizing vulnerabilities. Prioritizing will strengthen your vulnerability patching efficiency.
  • To maintain a strong network security defense, you must monitor and support your patch management program. Keeping a robust security defense weaves into prioritizing your highest risk programs to ensure efficient deployment across the organization. It’s vital to know your highest risk programs and which programs are most likely to be exploited against your business.
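As an added example (not part of the original post) of the prioritization the two lists above call for, the Python below matches vendor advisories against a software inventory and scores each unpatched item by the host’s business criticality and exposure as well as the vendor’s CVSS. All hosts, products, versions and advisory values are constructed placeholders, and the weights are illustrative assumptions.

```python
# Added example: rank patches by asset risk, not CVSS alone (constructed data).
from typing import Dict, List

def parse_version(version: str) -> tuple:
    """Dotted numeric version ('2.1.0') -> comparable tuple (2, 1, 0)."""
    return tuple(int(part) for part in version.split("."))

def risk_score(cvss: float, criticality: int, internet_facing: bool, exploited: bool) -> float:
    """Weight the vendor's CVSS (0-10) by business criticality of the host (1-5),
    internet exposure and whether the flaw is known to be exploited in the wild."""
    exposure = 1.5 if internet_facing else 1.0      # assumed weight
    weaponised = 2.0 if exploited else 1.0          # assumed weight
    return round(cvss / 10 * criticality * exposure * weaponised, 2)

def prioritize(inventory: List[Dict], advisories: List[Dict]) -> List[Dict]:
    """Match advisories against the software inventory; return the patch queue,
    highest risk first. Hosts already at or above the fixed version are skipped."""
    queue = []
    for host in inventory:
        for adv in advisories:
            installed = host["software"].get(adv["product"])
            if installed is None or parse_version(installed) >= parse_version(adv["fixed_in"]):
                continue  # product not installed here, or already patched
            queue.append({
                "host": host["host"], "product": adv["product"],
                "installed": installed, "fixed_in": adv["fixed_in"],
                "score": risk_score(adv["cvss"], host["criticality"],
                                    host["internet_facing"], adv["exploited"]),
            })
    return sorted(queue, key=lambda e: e["score"], reverse=True)

# Constructed inventory and advisories; product names and versions are placeholders.
INVENTORY = [
    {"host": "web-01", "criticality": 4, "internet_facing": True,
     "software": {"ExampleWebServer": "2.1.0"}},
    {"host": "fin-db", "criticality": 5, "internet_facing": False,
     "software": {"ExampleDB": "9.4", "ExampleJava": "8.0.191"}},
    {"host": "kiosk-07", "criticality": 1, "internet_facing": False,
     "software": {"ExampleFlash": "32.0"}},
]
ADVISORIES = [
    {"product": "ExampleWebServer", "fixed_in": "2.1.1", "cvss": 7.5, "exploited": True},
    {"product": "ExampleJava", "fixed_in": "8.0.201", "cvss": 9.8, "exploited": False},
    {"product": "ExampleFlash", "fixed_in": "32.1", "cvss": 9.8, "exploited": True},
]

if __name__ == "__main__":
    for e in prioritize(INVENTORY, ADVISORIES):
        print(f"{e['score']:5.2f}  {e['host']:9} {e['product']} {e['installed']} -> {e['fixed_in']}")
```

Sorted by CVSS alone, the two 9.8 advisories would come first; weighting by asset puts the exposed, exploited web server ahead of the isolated low-value kiosk.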

Software vulnerabilities are inevitable. The key is doing your part to avoid becoming one of the one-in-three organizations breached through unpatched software. Talk to us about security device management: our Managed Security Services ensure your security devices are always up and running, up-to-date, and secure.