Though companies are making significant progress in their overall patching practices, nearly seven out of 10 business systems currently remain vulnerable to exploits and attacks, according to research from Qualys Inc.

At the same time, almost half of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities annually, according to the research, which was released Tuesday during a keynote address at the Computer Security Institute conference.

Qualys, a Redwood Shores, Calif.-based provider of managed security services, has been conducting a study of the vulnerability and patch management strategies of its clients — including its Fortune 500 customers — since 2002. Each year, the company releases a synopsis of its findings that highlights key trends in both areas.

This year’s findings are based on a study of more than 32 million vulnerability assessment scans within its customer base, said Gerhard Eschelbeck, chief technology officer at Qualys.

The research shows that, on average, companies take about 19 days to fix 50 percent of their Internet-facing systems that might be exposed to a critical vulnerability. In contrast, last year the companies Qualys studied needed 21 days to protect half of their Internet-facing systems, and 30 days to do so in 2003.

“Patching behaviors are getting pretty good,” Eschelbeck said, noting that many software vendors now have scheduled patch releases rather than offering them on an ad hoc basis. “When you have pre-defined patch releases, people tend to apply patches faster than they would with irregular [schedules].”

Even so, companies appear to be having less success when it comes to patching internal systems. On average, they take 48 days to patch 50 percent of the internal systems that could be exposed to a critical vulnerability.
That number, while lower than the 62 days those businesses once needed, is not fast enough to mitigate the risks posed by today’s fast-moving worms and viruses, Eschelbeck said.

In fact, almost 80 percent of exploits and attacks targeting new software vulnerabilities surface in the time it takes companies to patch their systems, with most of the damage being done within the first 15 days of an exploit release, he said.

The research also showed that 90 percent of the vulnerability exposure that companies face comes from just 10 percent of critical vulnerabilities at any given time. By making it a priority to find and fix just those vulnerabilities first, businesses can greatly reduce their overall exposure, Eschelbeck said.

By Jaikumar Vijayan – Computerworld (US online)
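The two figures the article leans on, the half-life (days until half of the affected systems are patched) and the concentration of exposure in a small fraction of vulnerabilities, are metrics a security team can compute from its own scan history. The following is an added example, not Qualys's code or the method behind its study; it uses constructed scan records with hypothetical host and vulnerability identifiers, and it defines half-life as the median-rank per-host time to fix, which is an assumption about the metric rather than Qualys's published definition.

```python
from collections import Counter
from datetime import date
from math import ceil

# Constructed sample scan findings (not real scanner output): one record per
# (host, vuln). first_seen is the scan date the finding first appeared; fixed is
# the date it stopped appearing, or None if still open at AS_OF.
AS_OF = date(2005, 11, 14)


def D(m, d):
    """Shorthand for dates in the constructed data set (all in 2005)."""
    return date(2005, m, d)


FINDINGS = [
    # host,    vuln,  zone,       first_seen, fixed   (all identifiers hypothetical)
    ("web-01", "V-1", "external", D(10, 1),  D(10, 9)),
    ("web-02", "V-1", "external", D(10, 1),  D(10, 15)),
    ("web-03", "V-1", "external", D(10, 1),  D(10, 30)),
    ("web-04", "V-1", "external", D(10, 1),  None),
    ("app-01", "V-1", "internal", D(10, 1),  D(11, 5)),
    ("app-02", "V-1", "internal", D(10, 1),  D(11, 10)),
    ("app-03", "V-1", "internal", D(10, 1),  None),
    ("app-04", "V-1", "internal", D(10, 1),  None),
    ("web-01", "V-2", "external", D(10, 10), D(10, 12)),
    ("web-02", "V-2", "external", D(10, 10), None),
    ("app-01", "V-3", "internal", D(10, 20), None),
    ("app-02", "V-4", "internal", D(10, 20), D(11, 1)),
    ("app-03", "V-5", "internal", D(10, 25), None),
]


def half_life_days(findings, vuln, zone):
    """Days until half of the hosts in `zone` affected by `vuln` were fixed.

    Assumed definition: sort each affected host's time-to-fix and take the
    entry at the median rank. Returns None when fewer than half of the
    affected hosts are fixed, i.e. the half-life has not been reached yet.
    """
    affected = [(f, x) for (_, v, z, f, x) in findings if v == vuln and z == zone]
    if not affected:
        return None
    need = ceil(len(affected) / 2)
    fix_times = sorted((x - f).days for f, x in affected if x is not None)
    if len(fix_times) < need:
        return None
    return fix_times[need - 1]


def open_counts(findings, as_of=AS_OF):
    """Number of hosts on which each vuln was still open on `as_of`."""
    counts = Counter()
    for _, v, _, f, x in findings:
        if f <= as_of and (x is None or x > as_of):
            counts[v] += 1
    return counts


def exposure_share_of_top(findings, fraction=0.10, as_of=AS_OF):
    """Share of all open host/vuln pairs carried by the top `fraction` of vulns.

    Returns (share, [vuln ids in the top group]). The top group is sized from
    the distinct vulns ever seen, so a vuln with no open findings still counts
    toward the denominator of "10 percent of vulnerabilities".
    """
    counts = open_counts(findings, as_of)
    total = sum(counts.values())
    if total == 0:
        return 0.0, []
    n_vulns = len({v for _, v, _, _, _ in findings})
    k = max(1, ceil(fraction * n_vulns))
    top = [v for v, _ in counts.most_common(k)]
    return sum(counts[v] for v in top) / total, top


if __name__ == "__main__":
    for zone in ("external", "internal"):
        print(f"V-1 half-life, {zone}: {half_life_days(FINDINGS, 'V-1', zone)} days")
    share, top = exposure_share_of_top(FINDINGS)
    print(f"top 10% of vulns {top} account for {share:.0%} of open exposure")
```

Running the script on the constructed data reports an external half-life of 14 days and an internal one of 40 days for V-1, and shows that the single most widespread vuln accounts for half of the open exposure; on real scan exports the same two functions give the numbers to compare against the article's 19-day and 48-day figures.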