BitSight, which specializes in security ratings, has released a new report titled, "A Growing Risk Ignored: Critical Updates," analyzing more than 35,000 companies from industries across the globe over the last year, to better understand the usage of outdated computer operating systems and Internet browsers, the time to it took to update operating systems once a new release was made available, and how these practices correlate to data breaches.
The data shows that there are large gaps in asset management programs across the globe. And this includes Macs.
Using evidence of security incidents from networks around the world, the BitSight Security Ratings Platform applies algorithms to produce daily security ratings for organizations, ranging from 250 to 900, where higher ratings equate to lower risk.
To look at the spread of operating systems and Internet browsers, researchers studied over 1.5 billion observations over a period of eight months, focusing on operating systems from Apple and Microsoft, along with Internet browsers including Safari, Firefox, Chrome, and Internet Explorer. Key findings include:
- Over 2,000 organizations run more than 50% of their computers on outdated versions of an operating system, making them almost three times as likely to experience a publicly disclosed breach.
- Over 8,500 organizations have more than 50% of their computers running an out-of-date version of an Internet browser, doubling their chances of experiencing a publicly disclosed breach.
- More than 25% of the computers used in the government sector were running outdated macOS or Windows operating systems, with nearly 80% of these outdated systems comprised of macOS.
- In March of this year, two months before the WannaCry ransomware attack, nearly 20 percent of computers examined in this report that were running Windows were using Windows Vista or XP, both of which did not have a patch available and are no longer officially supported by Microsoft.
- A month after each macOS point release is announced, more than 35% of companies fail to upgrade to the latest version, potentially exposing the systems to vulnerabilities during that time.