Cybersecurity Awareness Series: Endpoint attack surface grows as vulnerabilities remain unaddressed

By: Michelle Base-Bursey | 10/21/2022 | 3 min read

This series is meant to empower organizations with key indicators on the current state of cybersecurity. As the only security provider embedded in the firmware of more than 600 million devices, Absolute’s unique position enables a more complete picture – and a single-source-of-truth intelligence to empower IT and security teams to eliminate potential blind spots and minimize risk exposure.   

Leveraging millions of anonymized data points adapted from a global customer base, this series will feature insights into device and application health, device mobility, sensitive data exposure, and more – with detailed views by vertical, region, and organization size.  

The endpoint attack surface grows as vulnerabilities remain unaddressed

In 2022, 20,265 new software vulnerabilities have been identified and reported on thus far. This is up from 20,171 in the entire year of 2021, and 18,325 in 2019. That is no small amount, considering the steps required for IT and security teams to acknowledge each of these vulnerabilities and push updates to every single endpoint owned or maintained by an organization.  

When it comes to Windows 10 devices, new updates emerge every month on Microsoft’s Patch Tuesday. It can become cumbersome for organizations to keep Windows devices up to date with the latest patches. But in failing to do so, they are opening themselves up to potential compromise.  

Absolute’s analysis found the average Windows 10 Enterprise device to be 59 days behind on patching, with government and retail reporting the longest delays in Enterprise (83 and 77 days, respectively). When Education is brought into the fold, the patching lag gets even more severe with those devices found to be 115 days behind, on average.

 

 

The total number of vulnerabilities addressed on Patch Tuesday in July and August alone shows that these devices are susceptible to more than 200 vulnerabilities that have a fix available – including 21 deemed critical and one already being exploited.

Critical vulnerabilities are defined as those CVEs with a publicly available mechanism to exploit them. This means code has been published on the Web that hackers can use to exploit organizations’ devices if that vulnerability hasn’t been patched. In other words, those devices can be attacked with extremely low effort.

Knowing this, one would think the urgency to deploy vulnerability patches would be high. Yet, potentially due to monotony or a simple lack of resources and time, organizations’ devices go unpatched for lengthy periods.

The most interesting trend Absolute’s data uncovered was that smaller organizations, with fewer devices, saw longer delays.

The takeaway

This analysis goes to show that a considerable number of endpoints are currently out of date when it comes to patching and are therefore vulnerable to exploitation and attack. This is the case across highly regulated industries like Government, Professional Services, and Education. These organizations are held accountable for ensuring their data and endpoints remain secure. 

Visibility is always the first step in rectifying an issue like this. Knowing how many devices are out of date, and the risk this presents, allows IT admins to take steps to ensure patches are deployed (and that devices can’t operate without these steps being taken).

Absolute Resilience gives IT teams a simple fix. The solution not only presents a real-time view in terms of endpoints requiring patching, but it can push updates to devices without any required end user action. This eliminates the manual efforts required by IT teams and ensures all software on the device is up to date, reducing their vulnerability. 

With Absolute, the health of every application is consistently monitored and, if necessary, rectified, thanks to its intelligent self-healing capabilities.

Analysis Methodology

To develop this analysis, anonymized data was analyzed from various subsets of more than 14 million Absolute-enabled devices - active across nearly 18,000 global customers - over a 2-week period in August 2022. Data and information have also been sourced from trusted third-party sources, as cited.

 

 
