The Rising Tide of Cyber Threats
Cybersecurity attacks were at an all-time high in 2018. Cyber incidents included malware compromising networks and data breaches exposing corporate vulnerabilities at such trusted brands as Facebook, Amazon, Saks, Panera and Under Armour, to name a few. Marriott is the latest victim, closing out the year with a widespread breach exposing 500 million of its guests' personal data. It comes as no surprise that a recent report by the World Economic Forum reveals that cyber risk is the number-one concern of executives in advanced economies. A recent article in the Harvard Business Review estimates that cyber crime costs more than $1 trillion annually. These escalating incidents underscore why patch management is important as part of a broader, day-to-day security program.
Summary
Patch management is critical because many successful cyber attacks exploit known, unpatched vulnerabilities, yet organizations often deprioritize it. A disciplined, proactive patching cadence—treated as a standard cost of doing business—reduces risk and makes outcomes more predictable. Complement patching with vulnerability scanning, penetration testing, and a proactive, multi-layered defense to stay ahead of evolving threats.
The “No News Is Good News” Fallacy
A general consensus and misnomer is no news is good news. Unfortunately, companies have made assumptions regarding the currency of their environment, leaving them vulnerable to a phishing exercise. In the case of Marriott, management took steps to shore up cybersecurity capabilities, including hiring a Chief Information Security Officer (CISO), as reported by Bloomberg. But like many, the most basic step is often overlooked which is maintaining a disciplined approach towards patch management and patch management best practices.
What Is Patch Management?
Patch management is a strategy—often formalized as a patch management strategy or software patch management program—for managing patches, or upgrades for software applications and technologies.
The Risk of Unpatched Systems
Approximately 70% of successful cyber attacks exploit known, unpatched vulnerabilities in systems where readily available patches have not been applied. For many organizations patching is not a priority. It becomes extra work that the infrastructure team performs after hours, or completed in a haphazard way because the team is stretched and does not have the capacity to focus on what has become a business critical routine. Establishing a clear patching cadence helps reduce this risk and makes outcomes more predictable.
Funding, Prioritization, and the Cost of Doing Business
Unfortunately, patch management often takes a backseat in terms of funding and prioritization until an organization is hacked. Companies need to be more proactive. No news is good news is not a suggested strategy in the world of cybersecurity. The simplest and most effective thing to do is to apply the known patches and follow a disciplined approach to keep all system patches current. There is a discipline, process and an investment required from each organization to stay current. This is a cost of doing business. Cyber threats are becoming more advanced and sophisticated.
Key Questions for Leaders
- What is your organization doing about the threat today?
- Are you current on your patching cadence, or are you at risk?
Go Beyond Patching: Proactive Security Measures
Instead of a wait-and-see strategy, you can proactively conduct vulnerability scanning or external penetration testing to get in front, assess your exposure and improve your security posture.
Expert Perspective
According to Alon Yavin, Head of Professional Services at HolistiCyber, Genesis10's cybersecurity partner:
"To tackle advanced and sophisticated cyber threats, organizations should think ahead in a preemptive manner, adopting elastic and dynamic methods. Like in a war, you cannot cope with these evolving multi-staged attacks only by securing your systems; rather, you should devise a proactive defense program consisting of advanced and sensitive detection elements, multi-faceted preventative countermeasures, intelligence and a well-defined response program."
Q&A
What is patch management, and why does it matter?
Answer: Patch management is the disciplined process of managing and applying patches or upgrades to software applications and technologies. It matters because many successful cyber attacks exploit known, unpatched vulnerabilities. A proactive, predictable patching cadence—treated as a standard cost of doing business—significantly reduces risk and makes security outcomes more reliable amid increasingly sophisticated threats.
How big is the risk of leaving systems unpatched?
Answer: It’s substantial. Approximately 70% of successful cyber attacks exploit known, unpatched vulnerabilities for which patches already exist. In a landscape where attacks and major breaches are surging, staying current on patches is one of the simplest, most effective defenses.
Why do organizations fall behind on patching, and how can they fix it?
Answer: Patching often gets deprioritized—seen as after-hours “extra work”—and is handled haphazardly by stretched infrastructure teams, with funding attention frequently arriving only after a breach. To fix this, organizations should formalize a patch management strategy, establish a clear patching cadence, dedicate resources, and maintain executive support so patching becomes a routine, business-critical process.
Is “no news is good news” a viable cybersecurity strategy?
Answer: No. Assuming systems are current without verification leads to blind spots and increased exposure to phishing and breaches. Instead, organizations should actively confirm patch currency and follow a disciplined, ongoing approach rather than waiting for problems to surface.
What should we do beyond patching to strengthen our security posture?
Answer: Complement patching with proactive measures: conduct vulnerability scanning and external penetration testing, and adopt a multi-layered, preemptive defense that includes advanced detection, preventative countermeasures, threat intelligence, and a well-defined response plan—an approach aligned with the guidance from HolistiCyber’s professional services leadership.