Q3 Cyberthreat Index: Most SMBs Slow in Applying Software Patches



Scott Paul, Senior Director, Zix | AppRiver Microsoft Alliance


In terms of cybersecurity, installing a software update is probably the easiest and most basic protection available, especially for small businesses. Why then would Microsoft make such a big deal about moving its Windows operating system to the cloud as a security benefit of its Microsoft 365 service? Surely we’re all diligent about updating our systems as soon as the notification comes in, aren’t we?

Nope. Not even half of us, according to Zix|AppRiver’s Q3 Cyberthreat Index for Business report. And that’s why my colleague, AppRiver cybersecurity analyst Troy Gill, says his team still catches exploits designed to attack vulnerabilities for which patches were deployed more than two years ago.

“The reason scammers are still sending this type of malware is because it still works,” Troy told me. “A lot of busy end users assume the updates are simply feature upgrades and don’t realize they often include critical patches as well.”

The numbers support Gill’s claim. While 79% of all SMB executives and IT decision makers say cyberthreats are a top-of-mind concern in their daily business, only 38% say they apply patches as soon as they are made available.

Even in the industries where you’d think the leaders would know better, only a few are applying patches as soon as they should. In the technology sector, it’s 39%, with a full third taking a week or longer. More than half (54%) in the government sector take over a week. And healthcare and pharmaceutical companies? 14% of them take more than a month.

In fact, among fourteen key verticals that participated in the Q3 Cyberthreat Index Survey, not a single one produced a majority of SMB decision makers who apply patches immediately. Only the financial services and insurance sector came close, at 49%. 

This raises some questions: Are many SMBs not yet educated on security patches as a line of defense against potential cyberthreats? If so, we may need a full-blown public awareness campaign. Or are they actually ahead of their time, and see patches as a thing of the past? The latter is doubtful, at least until they are on a cloud-based operating system.

In any event, here’s a prediction: Microsoft is already planning for the day when there will be no more patches for end users. Instead, Microsoft 365 will be continuously updated and protect us against our most troublesome weak point – ourselves.