New Absolute Security Research Shows Top Endpoint Security Controls Fail 22% of the Time

June 4, 2025
  • Critical Patching for PCs Running Windows 10 and 11 is Delayed Nearly Two Months
  • 35% of PCs Lack Encryption, 26% are Unaccounted for, and 18% Store Sensitive Data
  • AI Use is Exploding, with Enterprise PCs Logging Thousands of Visits to DeepSeek

SEATTLE (June 4, 2025) – New research from Absolute Security shows that organizations allow their critical endpoint security controls to drop out of compliance with internal security and performance policies 22% of the time. This dangerous failure rate undermines their ability to defend their businesses against ransomware strikes, compromises, and complexity-driven disruptions. Based on anonymized telemetry from more than 15 million enterprise PCs, the Absolute Security Resilience Risk Index 2025 details how this finding and other silent risks are eroding enterprise security and threatening business continuity.

Security Tools Aren’t Holding the Line

Leading Endpoint Protection Platforms (EPP), Security Service Edge (SSE) solutions, and Vulnerability and Patch Management platforms fail to maintain compliance with internal security and performance policies 22% of the time. This increases the risk of ransomware infections, data breaches, and disruptive incidents across PCs where these tools are deployed.

High Performing Solutions are Increasing Concentrated Risk

This year, the data revealed a new issue the industry must face — Concentrated Risk. It emerges when organizations fail to recognize that even solutions with high compliance and performance rates can present significant risk when they are deployed across a substantial percentage of PCs. High performers may fail less often — but when they do, the impact can be catastrophic. This is why every control, regardless of performance rate, must be supported by resilience capabilities that can help organizations to withstand and recover from failure on a large scale.

Patching Delays Ignore Industry Best Practices

Organizations across all industries take nearly two months to patch vulnerabilities in PCs running Windows. Most organizations determine their own vulnerability scanning and patching schedules. However, this average defies guidance from leading authorities such as the Cybersecurity and Infrastructure Security Agency (CISA), which recommends that patches should not be delayed more than 30 days to avoid vulnerability-driven risks.

AI Use is Exploding, Frequently in Defiance of Usage Policies

Available data showed that enterprise PCs are logging millions of visits to popular generative AI platforms. Thousands of these visits are landing on DeepSeek, despite organizational and multi-government sanctions against this China-based site. The inability to control usage along with explosive growth is leaving organizations open to not only compliance violations but also the potential to download malicious content and to expose sensitive information to hostile adversaries.

Devices Are Missing Encryption, Unaccounted for, and Filled with Sensitive Data

35% of enterprise PCs are not encrypted, 26% are unaccounted for, and 18% store sensitive data. This dangerous combination creates blind spots that leave data and PCs without protection against cybercriminals. These lapses can also give unauthorized users access to corporate networks for prolonged periods, opening an opportunity for threats to expand laterally across systems and assets.

“This research shows that organizations are failing to maintain effective operational performance for leading endpoint security controls, unaware of risky behaviors taking place, and may not be able to keep as up to date on patching as they should. These are all factors that will eventually lead to a major security breach or extended and costly period of downtime,” said Christy Wyatt, CEO, Absolute Security. “To remain truly protected in today’s digital business environment, leaders need to think beyond legacy prevention and detection practices. They must enforce resilience as a core capability to ensure the visibility, control, and agility needed to keep their organizations secure, responsive, and always operational.”

For greater details on the resilience risks identified and to learn how to mitigate them with technologies that enforce resilience across your organization, download your complimentary copy of the Absolute Security Resilience Risk Index 2025.

About Absolute Security

Absolute Security is partnered with more than 28 of the world’s leading endpoint device manufacturers, embedded in the firmware of 600 million devices, trusted by thousands of global enterprise customers, and licensed across 16 million PC users. With the Absolute Security Cyber Resilience Platform integrated into their digital enterprise, customers ensure their mobile and hybrid workforces connect securely and seamlessly from anywhere in the world and that business operations recover quickly following cyber disruptions and attacks. Our award-winning capabilities have earned recognition and leadership status across multiple technology categories, including Zero Trust Network Access (ZTNA), Endpoint Security, Security Services Edge (SSE), Firmware-Embedded Persistence, Automated Security Control Assessment (ASCA), and Zero Trust Platforms. To learn more, visit www.absolute.com and follow us on LinkedIn, X, Facebook, and YouTube.

ABSOLUTE SECURITY, ABSOLUTE, the ABSOLUTE LOGO, AND NETMOTION are registered trademarks of Absolute Software Corporation ©2025, or its subsidiaries. All Rights Reserved. Other names or logos mentioned herein may be the trademarks of Absolute or their respective owners. The absence of the symbols ™ and ® in proximity to each trademark, or at all, herein is not a disclaimer of ownership of the related trademark.

For more information, please contact:

Media Relations
Joe Franscella
press@absolute.com