Software Patches Could Prevent Most Breaches, Study Finds

An analyst firm surveys 318 companies and finds that more than 80 percent of discovered breaches occurred due to patches pending for more than 10 days and even up to a year.


Approximately 80 percent of companies that had either a breach or a failed audit could have prevented the issue with a software patch or a configuration change, according to a security-automation survey of 318 firms.

The survey, conducted by research firm Voke Media in late 2016, found that 27 percent of companies reported a failed audit in the prior 18 months, of which 81 percent could have been prevented with a patch or configuration change. Similarly, 26 percent reported a breach, of which 79 percent could have been prevented with those two measures.

Nearly half—46 percent—of companies took longer than 10 days to remediate vulnerabilities and apply patches. Those patch or configuration-change backlogs are a critical issue for businesses, said Theresa Lanowitz, the founder and CEO of Voke.

“These companies could prevent these breaches from happening, especially due to vulnerabilities that have patches that have been sitting in the backlog,” she said. “There has to be an effective management of the patch backlog—if there is, you can improve your audit readiness, you can reduce that window of risk, and you can reduce those vulnerabilities.”
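The "window of risk" Lanowitz describes is measurable: for each pending fix, count the days since its patch or configuration change became available and compare that against a remediation target such as the 10-day threshold the survey uses. The script below is an added illustration, not code from the article or from Voke; the host names, fix identifiers and dates are constructed sample data, and the 10-day SLA is simply the survey's threshold used as a default.

```python
from datetime import date

# Remediation target in days; the survey reports on fixes pending longer than this.
SLA_DAYS = 10

# Constructed inventory of fixes that are available but not yet applied.
# "available" is the date the vendor patch or config change became available.
PENDING = [
    {"host": "web-01",    "fix": "PATCH-0001", "kind": "patch",  "available": date(2016, 11, 1)},
    {"host": "web-02",    "fix": "PATCH-0002", "kind": "patch",  "available": date(2016, 11, 26)},
    {"host": "db-01",     "fix": "CFG-0003",   "kind": "config", "available": date(2016, 11, 19)},
    {"host": "app-01",    "fix": "PATCH-0004", "kind": "patch",  "available": date(2016, 12, 1)},
    {"host": "legacy-01", "fix": "PATCH-0005", "kind": "patch",  "available": date(2016, 8, 23)},
]


def backlog_age(record, today):
    """Days the fix has been available without being applied."""
    return (today - record["available"]).days


def overdue(records, today, sla_days=SLA_DAYS):
    """Pending fixes older than the SLA, oldest first, so the report leads with the worst exposure."""
    late = [r for r in records if backlog_age(r, today) > sla_days]
    return sorted(late, key=lambda r: backlog_age(r, today), reverse=True)


def backlog_report(records, today, sla_days=SLA_DAYS):
    """Summarise the backlog: how much of it breaches the SLA and how old the oldest item is."""
    late = overdue(records, today, sla_days)
    total = len(records)
    return {
        "total": total,
        "overdue": len(late),
        "overdue_pct": round(100.0 * len(late) / total, 1) if total else 0.0,
        "oldest_days": max((backlog_age(r, today) for r in records), default=0),
        "overdue_items": [
            (r["host"], r["fix"], r["kind"], backlog_age(r, today)) for r in late
        ],
    }


if __name__ == "__main__":
    # Constructed reporting date to make the sample ages deterministic.
    report = backlog_report(PENDING, date(2016, 12, 1))
    print(f"{report['overdue']} of {report['total']} pending fixes "
          f"({report['overdue_pct']}%) exceed the {SLA_DAYS}-day target; "
          f"oldest is {report['oldest_days']} days")
    for host, fix, kind, age in report["overdue_items"]:
        print(f"  {host:<10} {fix:<11} {kind:<7} {age:>4} days")
```

Tracking the same two numbers over time, the share of the backlog past the SLA and the age of the oldest item, gives both the ops and security teams a shared view of the exposure the survey describes, rather than each group working from its own list.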

The problem underscores the workload issues posed by operational security, Lanowitz said. Companies are increasingly looking to automation and machine learning to help reduce the workload of keeping their business secure.

A significant problem is that most companies have conflicting priorities between the two groups responsible for securing their information technology and data. The IT operations team is usually focused on enabling business users to be productive and only considers security when there is an incident. Meanwhile, the IT security team focuses on finding vulnerabilities and signs of breaches, but does not give much thought to how those issues impact operations, Lanowitz said.

“You have two disparate teams—the IT ops team and the IT security team—and they have conflicting priorities, but they are both responsible for protecting the IT infrastructure,” she said. “If you had these two teams working together, using some of the newer tools in the market and focused on security-operations automation, you can have much better outcomes.”

The survey found that many, but not the majority, of companies used a variety of automation to secure their products and infrastructure. Nearly half of all companies had used security architects to ensure that security was designed into their IT infrastructure. Forty-two percent used a production-equivalent environment to test and verify patches. And more than a third of companies took four other measures: designing products with security in mind, automating patch deployment, focusing on security requirements for applications, and using source-code analysis tools to scan products.

Focusing more on automation is critical to keep ahead of the risks facing companies, Lanowitz said.

“Invest in the tools and training needed to operationalize security,” she said. “Getting the teams to work together in operationalizing security and having an executive mandate is critical.”