Guess which two pieces of unpatched software provide points of entry for most security breaches. (Hint: They're not Windows) Last week I talked about the single best thing you can do to prevent malicious attacks on your network: whitelisting. Unfortunately, a lot of people simply can’t adopt whitelisting due to politics, operational needs, or both. I understand that.So here’s the second best thing you can do to reduce security risk: perfect patching.[ Tune in to 5 true tales of (mostly) white-hat hacking. | InfoWorld’s expert contributors show you how to secure your Web browsers in a free PDF guide. Download it today! | Learn how to protect your systems with InfoWorld’s Security Central newsletter. ]Most of today’s malware works by exploiting holes in unpatched software. Specifically, most malicious attacks involve exploiting unpatched Internet-related software, including add-ins, browser helper objects, and so on. Unpatched Java is easily the most exploited vulnerability, accounting for 50 percent or more of all successful attacks — and has held that leadership position since 2012. Prior to that, Java was No. 2 two behind Adobe Acrobat Reader. It used to be that unpatched operating system vulnerabilities, specifically Microsoft Windows, led the way. Today, Windows isn’t even in the top 10 of most exploited programs. One popular antimalware vendor has said that Windows and Internet Explorer together accounted for just 3 percent of all exploits last year, while Java and Acrobat Reader accounted for 78 percent. Does that stat shock you? It shouldn’t. It’s been that way for many years.Think of how earth-shaking this should be for your company and your IT security processes. If you stay up to date on your patching for two measly programs, Java and Acrobat Reader, you can eliminate 78 percent of your risk — amazing but true! What’s even more astonishing is that nearly every company I audit says it has patching under control — but I’ve never audited a single computer or device that was fully patched. Yes, most of the time it is unpatched Java and Acrobat on client workstations and sometimes on servers. On servers, I often find outdated versions of server management software (which, incidentally, is often running Web server software). Routers and other network equipment are rarely patched. BIOSes are never up to date. Every appliance I touch is unpatched. Worse, it can be impossible to get up-to-date patches for appliances. It makes you wonder what an appliance is, anyway — just software running on hardware that is harder to update?When clients tell me they have everything patched, they mean that most of their Windows software is patched because Microsoft has been including autopatching mechanisms for more than a decade.If you want to significantly reduce your computer security risk, become a better patcher. Patch all software with critical security patches within one week of the patch’s release — or quicker if there’s an active, wormable exploit in the wild or if you fear an adversary might use it sooner. In general, more than 80 percent of all publicly known exploits have patches available on the day of the vulnerability’s public disclosure.To be honest, the fact that most computers have been exploited via unpatched software has held true for years. I have no idea why more companies aren’t dropping every project on the books to tackle this problem. Instead, they blindly claim they’re doing “good patching,” then wonder why they keep getting exploited.Stop whatever else you’re doing. Check the patch status of your most critical computers. Check everything! Personally, I manually audit because I always find stuff left uncovered by automated tools. Granted, automated tools are great, especially when you’re trying to get a general picture of your entire environment; they can certainly tell you how well Java and Acrobat are patched. But they tend to miss the less popular software, especially server management tools. To check your patching status, use a combination of automated and manual methods.Work up your courage and pay a visit to you CIO. Ask the exec, “Did you know we could stop nearly 80 percent of attacks just by patching Java and Acrobat?” If he or she replies, “Yeah, I knew that,” you can casually mention that those two pieces of software have not been patched consistently. If the CIO is unaware but commissions an action plan, you’re a hero. If nothing happens either way, you can’t say you didn’t warn ’em. This story, “Stop 80 percent of malicious attacks now,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter. Related content analysis The 5 types of cyber attack you're most likely to face Don't be distracted by the exploit of the week. Invest your time and money defending against the threats you're apt to confront By Roger Grimes Aug 21, 2017 7 mins Phishing Malware Social Engineering analysis 'Jump boxes' and SAWs improve security, if you set them up right Organizations consistently and reliably using one or both of these approaches have far less risk than those that do not. By Roger Grimes Jul 26, 2017 13 mins Authentication Access Control Data and Information Security analysis Attention, 'red team' hackers: Stay on target You hire elite hackers to break your defenses and expose vulnerabilities -- not to be distracted by the pursuit of obscure flaws By Roger Grimes Dec 08, 2015 4 mins Hacking Data and Information Security Network Security analysis 4 do's and don'ts for safer holiday computing It's the season for scams, hacks, and malware attacks. But contrary to what you've heard, you can avoid being a victim pretty easily By Roger Grimes Dec 01, 2015 4 mins Phishing Malware Patch Management Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe