Every year, dozens of companies release security reports, telling us about how the sky is falling - mainly because the people sponsoring the reports are in the umbrella business. But I was recently reviewing a couple of reports and a piece of data in Verizon's Data Breach Investigations Report stood out. Unpatched vulnerabilities are still a massive opportunity for threat actors.
So, how big is that opportunity? Verizon's report looked at over 100,000 incidents, with about 3% of those recognised as actual breaches. Almost every exploited vulnerability - a whopping 99.9% - took advantage of a reported CVE for which a patch had been available for at least a year.
The Verizon Data Breach Investigations Report (registration required to download the report) noted that it's not just about patching but about ensuring you prioritise patching of your most critical and vulnerable systems.
That data should be a reminder to review your patching strategy and processes.