25% of software vulnerabilities remain unpatched for more than a year
While it may seem logical that larger organizations are better at handling patch management than small firms with limited resources, new research by Kenna Security and the Cyentia Institute shows that the opposite is true. The report also highlights the poor state of patch management in general.
On average, organizations take 26 days to patch 25% of the security vulnerabilities affecting their systems, while after 100 days, or over 3 months, only half of the flaws are fixed. Even more shocking is that on average, 25% of security flaws are still not patched after 392 days, which is around 13 months. Smaller organizations tend to patch faster, which according to the report has to do with “the compounding difficulty of managing larger IT environments.”