Almost two-thirds of the unpatched vulnerabilities found on corporate networks involve flaws more than two years old for which patches are already available. Leaving them unpatched exposes organizations to attacks that could often be avoided simply by applying security updates.
Bitdefender's analysis found that 64% of all unpatched vulnerabilities reported in the first half of 2020 involved known bugs from 2018 and earlier, meaning organizations remain exposed to vulnerabilities that should have been fixed long ago.
“The vast majority of organizations still have unpatched vulnerabilities that were identified anywhere between 2002 and 2018,” the report says.
Applying patches can be tedious and unrewarding work, but for cybercriminals, unpatched vulnerabilities provide an easy route for deploying attacks and malware. Businesses and users are urged to apply security patches to operating systems and software as soon as possible, yet the figures in Bitdefender's Business Threat Landscape Report 2020 suggest that many organizations are still slow to do so.
“With companies having most of their workforce working remotely, defining and deploying corrective policies has never been more critical. With six in 10 companies having machines with unpatched vulnerabilities that are older than 2018, the chances of having these vulnerabilities exploited by threat actors are higher than ever,” the report warned.
In some cases, organizations hold back security patches because they worry that a patch will break the systems they depend on, and so they accept the risk of a cyber attack instead.
“Backward compatibility plays a critical role in deciding whether or not certain applications need to be patched. For example, patching or upgrading an application or service could break compatibility with other software that could be critical to the organization’s mission. In that case, not patching might be less of a security decision but more of a business decision,” Liviu Arsene, global cybersecurity researcher at Bitdefender, told ZDNet.
An accurate inventory of what is on the network, combined with a plan for applying patches, goes a long way toward protecting against attacks that exploit known vulnerabilities.
“Having a patch policy and deployment procedure in place is always the best way to address known vulnerabilities,” said Arsene.
“Critical systems that cannot be patched for backward compatibility or business continuity reasons must be isolated and their access tightly restricted,” he added.
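The report does not describe how its 64% figure was derived, but the same patch-lag metric is easy to compute from your own scanner output, and the two recommendations above (a patch deployment procedure, and isolation for what cannot be patched) map naturally onto two lists: a prioritized patch queue and a set of hosts that need segmentation. The script below is an added example, not code from Bitdefender or the report. The CSV is constructed sample data: the host names, the pairing of CVE ids with hosts, and the severity values are illustrative only, and the column names (host, cve, severity, patch_available, exemption) are an assumption about what a scanner export might contain.

```python
"""
Measure patch lag from a vulnerability-scanner export and split findings
into a patch queue and an isolation list.

Added example, not code from Bitdefender or the report. SAMPLE_CSV is
constructed data; the column names are assumed, not those of any real tool.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export (not a real scan). "exemption" records a
# business reason for not patching, e.g. a backward-compatibility constraint.
SAMPLE_CSV = """host,cve,severity,patch_available,exemption
web-01,CVE-2017-5638,critical,yes,
web-01,CVE-2020-1472,critical,yes,
db-02,CVE-2012-2122,high,yes,
hmi-07,CVE-2015-5374,critical,no,vendor-eol
fs-03,CVE-2018-8174,high,yes,
fs-03,CVE-2019-0708,critical,yes,
hmi-07,CVE-2016-9312,medium,yes,backward-compat
"""

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def cve_year(cve):
    """Year the CVE id was assigned, parsed from the CVE-YYYY-NNNN format."""
    m = CVE_RE.match(cve.strip().upper())
    if not m:
        raise ValueError(f"not a CVE id: {cve!r}")
    return int(m.group(1))


def parse_findings(text):
    """Parse the export into dicts with a numeric year and a boolean patch flag."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"].strip(),
            "cve": row["cve"].strip().upper(),
            "severity": row["severity"].strip().lower(),
            "year": cve_year(row["cve"]),
            "patch_available": row["patch_available"].strip().lower() == "yes",
            "exemption": row["exemption"].strip(),
        })
    return findings


def patch_lag_summary(findings, as_of_year, stale_after_years=2):
    """Share of patchable findings whose CVE is at least `stale_after_years` old.

    The report counts 2018-and-earlier CVEs as old in the first half of 2020,
    so the cutoff is inclusive: age >= stale_after_years is stale.
    """
    patchable = [f for f in findings if f["patch_available"]]
    stale = [f for f in patchable if as_of_year - f["year"] >= stale_after_years]
    return {
        "total": len(findings),
        "patchable": len(patchable),
        "stale": len(stale),
        "stale_pct": round(100.0 * len(stale) / len(patchable), 1) if patchable else 0.0,
        "oldest_year": min(f["year"] for f in stale) if stale else None,
    }


def patch_queue(findings):
    """Work order for the patch team: patchable, non-exempt findings,
    most severe first and oldest first within a severity."""
    todo = [f for f in findings if f["patch_available"] and not f["exemption"]]
    todo.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 9), f["year"]))
    return [(f["host"], f["cve"]) for f in todo]


def hosts_needing_isolation(findings):
    """Hosts carrying findings that will not be patched (no patch exists, or a
    business exemption applies). These are the systems that must be segmented
    and have their access tightly restricted, not simply left as they are."""
    hosts = defaultdict(list)
    for f in findings:
        if not f["patch_available"] or f["exemption"]:
            hosts[f["host"]].append(f["cve"])
    return {h: sorted(c) for h, c in hosts.items()}


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_CSV)
    print(patch_lag_summary(findings, as_of_year=2020))
    print(patch_queue(findings))
    print(hosts_needing_isolation(findings))
```

Two design points are worth noting. The age is taken from the CVE id's year, which is when the id was reserved rather than when the patch shipped, so it slightly overstates lag for bugs disclosed late in a year; if your scanner exports a patch release date, prefer that. Exempted findings are deliberately kept in the patchable count (the patch exists, so they are part of the exposure figure) but removed from the patch queue and routed to the isolation list instead, which is exactly the business-versus-security distinction Arsene draws above.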