Otto  background

Bad Cyber Hygiene: 60 Percent Of Breaches Tied to Unpatched Vulnerabilities

Bad cyber hygiene is a one-way ticket to getting pwned. Recently published research shows that unpatched vulnerabilities are directly responsible for up to 60 percent of all data breaches. In a surprising number of cases, organizations were actively scanning for vulnerabilities, but their patch management solutions were simply sub-par. Cybersecurity is one of the top “problematic shortage” areas in information technology, and this shortage affects every industry from finance to education.

A staggering majority of CIOs and CISOs even say that they delay putting security patches through to avoid interrupting business growth – and 25 percent say that they are certain their organization is not compliant with data security legislation. Automating and streamlining processes like patch management is becoming an increasingly important solution for organizations looking to improve their cyber hygiene and make their organization a smaller target.

Cyber hygiene fail: Unpatched vulnerabilities drive data breaches

Research from Dark Reading finds that unpatched vulnerabilities are a primary driver of data breaches. In their report, 60 percent of organizations that experienced a data breach cited a known, unpatched vulnerability as the cause.

The number of security professionals who forgo patching vulnerabilities to avoid disrupting the workplace is staggeringly high: Over 80 percent say they've postponed a patch for this very reason at least once.

Another 80 percent of CIOs and CISOs say that they have been shocked to discover that a patch or update they thought had been deployed across their entire network had not actually updated all devices – leaving multiple endpoints vulnerable.

As Tech Radar reports, Tripwire also recently surveyed infosecurity professionals from an array of global organizations. According to the report, 88 percent of those surveyed said they conducted vulnerability scans, with 63 percent saying they used authenticated scans as part of their assessment. Even so, respondents named unpatched vulnerabilities as a key contributor to data breaches within their organizations.

What companies do with the information discovered by vulnerability scans varies, and techniques for managing vulnerabilities can vary widely.

With a one-in-four chance that one of your vulnerabilities may be exploited before you get around to patching it, it may not be worth the risk. The average cost of a data breach in 2018 was a cool $3.86 million, and data breaches are becoming more costly every year.

Bad cyber hygiene is kind of like having bad hygiene in real life: You can only get away without brushing your teeth for so long before you get a cavity. And some cavities are a lot more painful than others.

Why aren't people patching?

Survey data from Tanium's Global Resilience Gap study suggests that a staggering number of security professionals simply opt to do nothing. Patch management is a complex process that can take time, especially if you're doing it manually. Some 81 percent of CIOs and CISOs say they elect to delay putting patches through to avoid interrupting the flow of business. Most also say they've postponed a patch on more than one occasion.

Another 94 percent of IT professionals say they have to make “compromises” in how they protect their organization from cyber-threats. According to SC Magazine, a lot of these issues are due to trouble with maintaining visibility over endpoints, containers and servers. Some 24 percent of respondents said poor visibility over endpoints was inhibiting network security. Those surveyed also said they struggled to detect threats in real-time and the growing complexity of their organization.

Lack of visibility is so prominent that over 80 percent of CIOs and CISOs surveyed said “they found critical updates or patches they thought had been deployed had not actually updated all devices, leaving the business exposed as a result.”

In other words, poor visibility over endpoints is a major problem, even for top-tier security professionals. Eight out of every ten security leaders are saying that their patches are not actually deploying across their company's entire network – and they may not know about this failure until after it's already too late.

Tech professionals say they must also contend with other business units who may not understand the importance and necessity of patching vulnerabilities. Ultimately, this all leads to delayed patch management – and gaping holes in your cyber hygiene regimen.

Automating cyber hygiene

Automated patch management systems can help IT professionals streamline patch deployment, increase endpoint visibility, and can even allow users to see their patch vulnerability status in real time. Through real-time updating and automation, status reporting is made easier than ever. More to the point, automated patch management can help any company become a smaller target seamlessly.

Paul Norris, senior systems engineer EMEA at Tripwire, told SC Magazine UK, “Organizations should understand that compromising on security may be a cost-effective choice in the short term, but could lead to much more serious business disruptions than those caused by maintaining a consistent patching routine.”

Cyber hygiene should be a top priority for every business. While the field of cybersecurity may be considered “new,” the art of hacking is not. If you don't keep your nose clean, a hacker will pick it for you.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.


Jay, Jay. 2019. "81% of CIOs & CISOs delaying security patches to ensure uninterrupted business operations." SC Media. April 15, 2019.

Spadafora, Anthony. 2019. "Failure to patch is leaving companies open to attack." June 3, 2019.

IBM. 2019. "2018 Cost of a Data Breach Study by Ponemon."

Jackson Higgins, Kelly. 2018. "Unpatched Vulnerabilities the Source of Most Data Breaches." April 5, 2018.

Dive deeper into this topic