Though companies are making significant progress in their overall patching practices, nearly seven out of 10 business systems currently remain vulnerable to exploits and attacks, according to research from Qualys Inc. At the same time, almost half of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities annually, according to the research, which was released today during a keynote address at the Computer Security Institute conference in Washington, D.C.

Qualys, a Redwood Shores, Calif.-based provider of managed security services, has been conducting a study of the vulnerability and patch management strategies of its clients — including its Fortune 500 customers — since 2002. Each year, the company releases a synopsis of its findings that highlights key trends in both areas. This year's findings are based on a study of more than 32 million vulnerability assessment scans within its customer base, said Gerhard Eschelbeck, chief technology officer at Qualys.

The research shows that, on average, companies take about 19 days to fix 50 percent of their Internet-facing systems that are exposed to a critical vulnerability. In contrast, the companies Qualys studied needed 21 days to protect half of their Internet-facing systems last year and 30 days to do so in 2003.

"Patching behaviors are getting pretty good," Eschelbeck said, noting that many software vendors now have scheduled patch releases rather than offering them on an ad hoc basis. "When you have pre-defined patch releases, people tend to apply patches faster than they would with irregular [schedules]."

Even so, companies appear to be having less success when it comes to patching internal systems. On average, they take 48 days to patch 50 percent of the internal systems that are exposed to a critical vulnerability.
That number, while lower than the 62 days those businesses once needed, is not fast enough to mitigate the risks posed by today's fast-moving worms and viruses, Eschelbeck said. In fact, almost 80 percent of exploits and attacks targeting new software vulnerabilities surface in the time it takes companies to patch their systems, with most of the damage being done within the first 15 days of an exploit release, he said.

The research also showed that 90 percent of the vulnerability exposure that companies face comes from just 10 percent of critical vulnerabilities at any given time. By making it a priority to find and fix just those vulnerabilities first, businesses can greatly reduce their overall exposure, Eschelbeck said.

By Jaikumar Vijayan, Computerworld
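The half-life figures (19 days for Internet-facing systems, 48 for internal ones) and the 90/10 concentration of exposure reported above are aggregate statistics. The following is an added example, not Qualys's code or data, showing how a team could compute both from its own per-host scan findings: the half-life of one vulnerability within a segment (the day by which half of the affected hosts were fixed), the top 10 percent of vulnerabilities by host-days of exposure together with the share of total exposure they carry, and, as an assumption of this example rather than a figure from the article, the exponential decay a half-life implies, used here to estimate how many systems are still exposed at day 15 of an exploit. The Finding records, the VULN-* identifiers, the host names and the dates are all constructed.

```python
# Added example (not Qualys's code or data): patch-latency metrics from
# per-host scan findings. All records below are constructed.
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # scanner check ID; the VULN-* names are made up
    internet_facing: bool
    first_seen: date        # first scan that reported the finding
    fixed: Optional[date]   # first scan that no longer reported it; None = still open


D0 = date(2005, 10, 1)         # constructed first-seen date shared by every finding
LAST_SCAN = date(2005, 12, 1)  # constructed observation cut-off, 61 days after D0


def _f(host, vuln, facing, fixed_day):
    fixed = None if fixed_day is None else D0 + timedelta(days=fixed_day)
    return Finding(host, vuln, facing, D0, fixed)


FINDINGS = [
    # VULN-A on six Internet-facing hosts: closed on days 5, 12, 19, 25, 40; one still open.
    _f("web1", "VULN-A", True, 5), _f("web2", "VULN-A", True, 12),
    _f("web3", "VULN-A", True, 19), _f("web4", "VULN-A", True, 25),
    _f("web5", "VULN-A", True, None), _f("web6", "VULN-A", True, 40),
    # VULN-A on six internal hosts: closed on days 10, 30, 48, 60; two still open.
    _f("app1", "VULN-A", False, 30), _f("app2", "VULN-A", False, 48),
    _f("app3", "VULN-A", False, None), _f("app4", "VULN-A", False, None),
    _f("db1", "VULN-A", False, 10), _f("db2", "VULN-A", False, 60),
    # Nine other vulnerabilities, one host each, all closed within two weeks.
    _f("web1", "VULN-B", True, 3), _f("app1", "VULN-C", False, 7),
    _f("web2", "VULN-D", True, 2), _f("db1", "VULN-E", False, 14),
    _f("app2", "VULN-F", False, 3), _f("web3", "VULN-G", True, 5),
    _f("db2", "VULN-H", False, 1), _f("app3", "VULN-I", False, 9),
    _f("web4", "VULN-J", True, 4),
]


def _closed_on(f, as_of):
    """Close date if it falls inside the observation window, else None (still open)."""
    return f.fixed if f.fixed is not None and f.fixed <= as_of else None


def half_life_days(findings, vuln_id, internet_facing, as_of=LAST_SCAN):
    """Days until at least half of the hosts reported with vuln_id in one segment
    (Internet-facing or internal) had the finding closed. None when fewer than
    half were closed by as_of: the half-life is not yet observable."""
    segment = [f for f in findings
               if f.vuln_id == vuln_id and f.internet_facing == internet_facing]
    ages = []
    for f in segment:
        closed = _closed_on(f, as_of)
        if closed is not None:
            ages.append((closed - f.first_seen).days)
    ages.sort()
    needed = math.ceil(len(segment) / 2)
    return ages[needed - 1] if segment and len(ages) >= needed else None


def exposure_by_vuln(findings, as_of=LAST_SCAN):
    """Host-days each vulnerability stayed open; open findings count up to as_of."""
    host_days = defaultdict(int)
    for f in findings:
        end = _closed_on(f, as_of) or as_of
        host_days[f.vuln_id] += (end - f.first_seen).days
    return dict(host_days)


def top_share(findings, fraction=0.1, as_of=LAST_SCAN):
    """IDs of the top `fraction` of vulnerabilities by host-days of exposure and the
    share of total exposure they carry: the fix-these-first list."""
    exposure = exposure_by_vuln(findings, as_of)
    total = sum(exposure.values())
    if total == 0:
        return [], 0.0
    ranked = sorted(exposure.items(), key=lambda kv: (-kv[1], kv[0]))
    k = max(1, math.ceil(len(ranked) * fraction))
    return [v for v, _ in ranked[:k]], sum(d for _, d in ranked[:k]) / total


def remaining_fraction(days, half_life):
    """Share of systems still unpatched after `days`, assuming the exponential decay
    a half-life implies (an assumption of this example, not a figure from the article)."""
    return 0.5 ** (days / half_life)


if __name__ == "__main__":
    for facing, label in ((True, "Internet-facing"), (False, "internal")):
        h = half_life_days(FINDINGS, "VULN-A", facing)
        print(f"VULN-A half-life, {label}: {h} days; "
              f"still exposed at day 15 of an exploit: {remaining_fraction(15, h):.0%}")
    top, share = top_share(FINDINGS)
    print(f"fix first: {top}, {share:.0%} of all host-days of exposure")
```

On the constructed data, VULN-A has a half-life of 19 days on the Internet-facing hosts and 48 days on the internal ones, and it alone accounts for 90 percent of all host-days of exposure, so it heads the fix-first list. The decay estimate is the practical point: with a 48-day half-life, roughly 80 percent of internal systems are still exposed at day 15, the window in which the article says most damage is done, versus about 58 percent at a 19-day half-life. Note that half_life_days returns None rather than a number when fewer than half the hosts have been fixed by the cut-off date, so a half-life reported by a scan window that is too short is never mistaken for a fast fix rate.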