Patching Could Have Stopped Most Breaches, Study Finds | eWeek

Software Patches Could Prevent Most Breaches, Study Finds

Written by Rob Lemos
Mar 14, 2017

Approximately 80 percent of companies that had either a breach or a failed audit could have prevented the issue with a software patch or a configuration change, according to a security-automation survey of 318 firms.

The survey, conducted by research firm Voke Media in late 2016, found that 27 percent of companies reported a failed audit in the prior 18 months, of which 81 percent could have been prevented with a patch or configuration change. Similarly, 26 percent reported a breach, of which 79 percent could have been prevented with those two measures.

Nearly half—46 percent—of companies took longer than 10 days to remediate vulnerabilities and apply patches. Those patch or configuration-change backlogs are a critical issue for businesses, said Theresa Lanowitz, the founder and CEO of Voke.

“These companies could prevent these breaches from happening, especially due to vulnerabilities that have patches that have been sitting in the backlog,” she said. “There has to be an effective management of the patch backlog—if there is, you can improve your audit readiness, you can reduce that window of risk, and you can reduce those vulnerabilities.”

The problem underscores the workload issues posed by operational security, Lanowitz said. Companies are increasingly looking to automation and machine learning to help reduce the workload of keeping their business secure.

A significant problem is that most companies have conflicting priorities between the two groups responsible for securing their information technology and data. The IT operations team is usually focused on enabling business users to be productive and only considers security when there is an incident. Meanwhile, the IT security team focuses on finding vulnerabilities and signs of breaches, but does not give much thought to how those issues impact operations, Lanowitz said.

“You have two disparate teams—the IT ops team and the IT security team—and they have conflicting priorities, but they are both responsible for protecting the IT infrastructure,” she said. “If you had these two teams working together, using some of the newer tools in the market and focused on security-operations automation, you can have much better outcomes.”

The survey found that many companies, though not a majority, used a variety of automation to secure their products and infrastructure. Nearly half of all companies had used security architects to ensure that security was designed into their IT infrastructure. Forty-two percent used a production-equivalent environment to test and verify patches. And more than a third of companies took four other measures: designing products with security in mind, automating patch deployment, focusing on security requirements for applications, and using source-code analysis tools to scan products.

Focusing more on automation is critical to keep ahead of the risks facing companies, Lanowitz said.

“Invest in the tools and training needed to operationalize security,” she said. “Getting the teams to work together in operationalizing security and having an executive mandate is critical.”
