Though companies are making significant progress in their overall patching practices, nearly seven out of 10 business systems currently remain vulnerable to exploits and attacks, according to research from Qualys Inc.At the same time, almost half of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities annually, according to the research, which was released today during a keynote address at the Computer Security Institute conference in Washington. D.C. Qualys, a Redwood Shores, Calif.-based provider of managed security services, has been conducting a study of the vulnerability and patch management strategies of its clients — including its Fortune 500 customers — since 2002. Each year, the company releases a synopsis of its findings that highlight key trends in both areas. This year’s findings are based on a study of more than 32 million vulnerability assessment scans within its customer base, said Gerhard Eschelbeck, chief technology officer at Qualys. The research shows that on average, companies take about 19 days to fix 50 percent of their Internet-facing systems that might be exposed to a critical vulnerability. In contrast, last year the companies Qualys studied needed 21 days to protect half of their Internet-facing systems and 30 days to do so in 2003. “Patching behaviors are getting pretty good,” Eschelbeck said, noting that many software vendors now have scheduled patch releases rather than offering them on an ad hoc basis. “When you have pre-defined patch releases, people tend to apply patches faster than they would with irregular [schedules].” Even so, companies appear to be having less success when it comes to patching internal systems. On average, they take 48 days to patch 50 percent of the internal systems that could be exposed to a critical vulnerability. That number, while lower than the 62 days those businesses once needed, is not fast enough to mitigate the risks posed by today’s fast-moving worms and viruses, Eschelbeck said. In fact, almost 80 percent of exploits and attacks targeting new software vulnerabilities surface in the time it takes companies to patch their systems, with most of the damage being done within the first 15 days of an exploit release, he said. The research also showed that 90 percent of the vulnerability exposure that companies face comes from just 10 percent of critical vulnerabilities at any given time. By making it a priority to find and fix just those vulnerabilities first, businesses can greatly reduce their overall exposure, Eschelbeck said. By Jaikumar Vijayan, Computerworld Related content BrandPost How Infosys and Tennis Australia are harnessing technology for good By Veronica Lew Mar 26, 2023 6 mins Infosys BrandPost Retail innovation playbook: Fast, economical transformation on Microsoft Cloud For retailers, tight integration of data and systems is the antidote to a challenging economy. By Tata Consultancy Services Mar 24, 2023 3 mins Retail Industry Digital Transformation BrandPost How retailers are empowering business transformation with TCS and Microsoft Cloud AI-powered omnichannel integration and a strong, secure digital core lets retailers innovate across four primary areas while staying compliant, maintaining security and preventing fraud. By Tata Consultancy Services Mar 24, 2023 4 mins Retail Industry Cloud Computing BrandPost How to Build ROI from Cloud Migration This whitepaper and webcast can help you calculate the ROI and create a business case for modernizing your legacy applications to the Microsoft Cloud. By Tata Consultancy Services Mar 24, 2023 1 min Retail Industry Cloud Computing Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe