Bad Cyber Hygiene: 60 Percent Of Breaches Tied to Unpatched Vulnerabilities


ad cyber hygiene is a one-way ticket to getting pwned. Recently published research shows that unpatched vulnerabilities are directly responsible for up to 60 percent of all data breaches. In a surprising number of cases, organizations were actively scanning for vulnerabilities, but their patch management solutions were simply sub-par. Cybersecurity is one of the top “problematic shortage” areas in information technology, and this shortage affects every industry from finance to education.

A staggering majority of CIOs and CISOs even say that they delay putting security patches through to avoid interrupting business growth – and 25 percent say that they are certain their organization is not compliant with data security legislation. Automating and streamlining processes like patch management is becoming an increasingly important solution for organizations looking to improve their cyber hygiene and make their organization a smaller target.

Cyber Hygiene Fail: Unpatched Vulnerabilities Drive Data Breaches

Research from Dark Reading finds that unpatched vulnerabilities are a primary driver of data breaches. In their report, 60 percent of organizations that experienced a data breach cited a known, unpatched vulnerability as the cause.

The number of security professionals who forgo patching vulnerabilities to avoid disrupting the workplace is staggeringly high: Over 80 percent say they've postponed a patch for this very reason at least once.

Another 80 percent of CIOs and CISOs say that they have been shocked to discover that a patch or update they thought had been deployed across their entire network had not actually updated all devices – leaving multiple endpoints vulnerable.

As Tech Radar reports, Tripwire also recently surveyed infosecurity professionals from an array of global organizations. According to the report, 88 percent of those surveyed said they conducted vulnerability scans, with 63 percent saying they used authenticated scans as part of their assessment. Even so, respondents named unpatched vulnerabilities as a key contributor to data breaches within their organizations.

What companies do with the information discovered by vulnerability scans varies, and techniques for managing vulnerabilities can vary widely.

With a one-in-four chance that one of your vulnerabilities may be exploited before you get around to patching it, it may not be worth the risk. The average cost of a data breach in 2018 was a cool $3.86 million, and data breaches are becoming more costly every year.

Bad cyber hygiene is kind of like having bad hygiene in real life: You can only get away without brushing your teeth for so long before you get a cavity. And some cavities are a lot more painful than others.

Why Aren't People Patching?

Survey data from Tanium's Global Resilience Gap study suggests that a staggering number of security professionals simply opt to do nothing. Patch management is a complex process that can take time, especially if you're doing it manually. Some 81 percent of CIOs and CISOs say they elect to delay putting patches through to avoid interrupting the flow of business. Most also say they've postponed a patch on more than one occasion.

Another 94 percent of IT professionals say they have to make “compromises” in how they protect their organization from cyber-threats. According to SC Magazine, a lot of these issues are due to trouble with maintaining visibility over endpoints, containers and servers. Some 24 percent of respondents said poor visibility over endpoints was inhibiting network security. Those surveyed also said they struggled to detect threats in real-time and the growing complexity of their organization.

Lack of visibility is so prominent that over 80 percent of CIOs and CISOs surveyed said “they found critical updates or patches they thought had been deployed had not actually updated all devices, leaving the business exposed as a result.”

In other words, poor visibility over endpoints is a major problem, even for top-tier security professionals. Eight out of every ten security leaders are saying that their patches are not actually deploying across their company's entire network – and they may not know about this failure until after it's already too late.

Tech professionals say they must also contend with other business units who may not understand the importance and necessity of patching vulnerabilities. Ultimately, this all leads to delayed patch management – and gaping holes in your cyber hygiene regimen.

Automating Cyber Hygiene

Automated patch management systems can help IT professionals streamline patch deployment, increase endpoint visibility, and can even allow users to see their patch vulnerability status in real-time. Through real-time updating and automation, status reporting is made easier than ever. More to the point, automated patch management can help any company become a smaller target seamlessly.

Paul Norris, senior systems engineer EMEA at Tripwire, told SC Magazine UK, “Organizations should understand that compromising on security may be a cost-effective choice in the short term, but could lead to much more serious business disruptions than those caused by maintaining a consistent patching routine.”

Cyber hygiene should be a top priority for every business. While the field of cybersecurity may be considered “new,” the art of hacking is not. If you don't keep your nose clean, a hacker will pick it for you.


Jay, Jay. 2019. "81% of CIOs & CISOs delaying security patches to ensure uninterrupted business operations." SC Media. April 15, 2019.

Spadafora, Anthony. 2019. "Failure to patch is leaving companies open to attack." June 3, 2019.

IBM. 2019. "2018 Cost of a Data Breach Study by Ponemon."

Jackson Higgins, Kelly. 2018. "Unpatched Vulnerabilities the Source of Most Data Breaches." April 5, 2018.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-based and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-based patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

More posts like this:

Patch ManagementData Breaches
# of endpoints

15-day free trial. No credit card required.

By submitting this form you agree to our terms of service.

Already have an account?