TL;DR
- 20% of enterprise devices lack working cybersecurity protection at any given time
- This equals 76 days per year of increased vulnerability exposure
- 24% of endpoint vulnerability management platforms are non-compliant, up from 20% last year
- 10% of enterprise endpoints are permanently unpatched — creating vulnerabilities that can never be fixed
- Windows critical updates are delayed by 127 days on average
The 20% Reality: Your Security Isn't Always Running
Absolute Security's 2026 Resilience Risk Index reveals a uncomfortable truth: endpoint cybersecurity software fails to protect one in five enterprise devices [1]. This protection gap means organizations face the equivalent of 76 days per year where their security tools aren't working — giving cybercriminals increased access to their networks.
Th
Free Resource
Get the Free Cybersecurity Checklist
A practical, no-jargon security checklist for Australian businesses. Download free — no spam, unsubscribe anytime.
Send Me the Checklist →The business impact: When security software fails, it's not just a gap in protection — it's an open door. Attackers actively search for these gaps using automated tools that scan thousands of targets per hour. A single unprotected endpoint is the beachhead for full network compromise.
Related: Why Every SMB Needs an Incident Response Plan in 2026
Why Security Software Fails: It's Not One Thing
No single issue causes the 20% protection gap. Instead, it's the growing complexity of enterprise IT environments [1]. Multiple factors contribute:
- Software conflicts between different security tools fighting for the same resources
- Incomplete deployments where security agents never properly install across all devices
- Configuration drift where settings change over time and break protection
- Resource exhaustion on older devices that can't run modern security software
- Update failures where security tools themselves aren't kept current
- License expirations that silently disable protection without alerting administrators
The SMB challenge: Smaller organizations rarely have dedicated security operations teams to monitor tool health. When security software fails silently, no one notices until after a breach.
The Patch Management Crisis: 127 Days for Critical Updates
The most alarming finding from Absolute Security's report: delays in applying security patches and software updates remain common, with almost a quarter (24%) of endpoint vulnerability management platforms classed as operating outside of compliance [1]. This is up from 20% the previous year.
What this means:
- A growing share of enterprise endpoints are running software with known vulnerabilities that can be exploited
- The exploitation window for attackers is widening — more time to find and attack unpatched systems
- Organizations are investing in vulnerability management tools but not following through on remediation
The patching problem gets worse at the operating system level. According to Absolute's analysis, critical updates for Microsoft Windows were delayed by an average of 127 days [1]. That's over four months of exposure to publicly disclosed vulnerabilities.
Why this matters: When a critical vulnerability is disclosed, exploit code is often available within days or even hours. Delaying patches by 127 days gives attackers months of opportunity to weaponize the vulnerability.
The Permanently Unpatched: 10% You Can Never Fix
Perhaps the most concerning statistic: nearly 10% of enterprise endpoints are now permanently unpatched [1]. These are vulnerabilities that organizations may never be able to remediate.
Why systems become permanently unpatched:
- End-of-support software like Windows 10, which reached end of life in October 2025
- Legacy applications that vendors no longer support
- Custom software that breaks when updated
- Hardware constraints where newer software won't run on older devices
- Compatibility dependencies where updating one system breaks another
The business risk: Permanently unpatched systems are permanent vulnerabilities. Attackers maintain databases of these systems and actively target them. You cannot defend what you cannot fix.
The Windows 10 problem: Microsoft ended support for Windows 10 in October 2025. Organizations still running Windows 10 devices are in that permanently unpatched category — no new security updates, no vulnerability fixes, no protection against newly discovered threats [1].
Related: Patch Smarter, Not Harder: The 1% Rule for SMB Cybersecurity
The Compliance Paradox: Tools Without Outcomes
Here's the paradox: Organizations are deploying more vulnerability management tools, but compliance is getting worse. Non-compliance rose from 20% to 24% year-over-year [1].
Why more tools don't mean better security:
- Tool sprawl without integration — each tool operates in isolation
- Alert fatigue — too many warnings mean teams ignore all of them
- False positives — repeated false alarms train teams to treat alerts as noise
- Lack of automation — manual remediation can't keep pace with vulnerability disclosure
- Missing accountability — no clear owner for patching decisions and execution
Christy Wyatt, president and CEO of Absolute Security, framed the problem: "Cyber-attacks are inevitable, downtime is optional." [1] The cybersecurity industry has rushed to provide innovations that detect and prevent threats, but it's lagging when it comes to ensuring tools remain operational when needed most.
ISO 27001 SMB Starter Pack — $97
Everything you need to start your ISO 27001 journey: gap assessment templates, policy frameworks, and implementation roadmap built for Australian SMBs.
Get the Starter Pack →The Business Impact: 76 Days of Exposure
Absolute Security calculated that the 20% protection gap equals 76 days per year where organizations are providing cybercriminals with increased access to their networks [1]. Here's what that exposure means in business terms:
Increased Breach Probability
Every day of increased exposure is another roll of the dice. Attackers using automated exploitation don't need to target your organization specifically — they're casting nets across the internet. The more unprotected endpoints you have, the more likely you are to caught.
Higher Remediation Costs
When breaches occur through unprotected endpoints, they're typically more severe. Attackers have more time to move laterally, establish persistence, and exfiltrate data. The average cost of a data breach increases significantly when dwell time extends beyond the median.
Regulatory and Compliance Risk
Many regulations (GDPR, HIPAA, PCI-DSS, Australia's Privacy Act) require reasonable security measures. A 20% protection gap could be argued as negligence in the event of a breach, potentially increasing fines and legal liability.
Operational Disruption
When security tools fail, breaches are detected later, if at all. This extends downtime, increases recovery complexity, and creates longer business interruptions.
What SMBs Can Do: Closing the Protection Gap
The 20% protection gap isn't inevitable. Here's how SMBs can ensure their security tools actually work:
1. Monitor Tool Health, Not Just Threats
Most security dashboards show threats detected, alerts fired, and malware blocked. What they rarely show: is the security agent actually running?
Action items:
- Implement monitoring for security software health and status
- Set alerts for when protection is disabled or outdated
- Regularly audit devices to confirm all agents are active
- Track compliance metrics across your endpoint fleet
The goal: Know within hours when a device loses protection, not months later during a breach investigation.
2. Automate Patch Management
Manual patching cannot keep pace with modern vulnerability disclosure rates. 127-day delays are a choice, not a necessity [1].
Action items:
- Deploy automated patch management tools
- Prioritize critical and high-severity patches (within 48-72 hours)
- Establish a regular patching cadence (weekly for critical systems)
- Test patches in a non-production environment before broad deployment
- Maintain an inventory of all software and systems requiring updates
The ROI: Automated patching reduces the exploitation window, lowers administrative overhead, and provides auditable evidence of security diligence.
3. Plan for End-of-Life Transitions
Permanently unpatched systems exist because organizations didn't plan for software end-of-life. Windows 10 reached end of support in October 2025 — the transition deadline was known years in advance [1].
Action items:
- Maintain a software lifecycle inventory with end-of-support dates
- Budget for replacements and migrations 12-18 months before EOL
- Phase out legacy applications that depend on unsupported platforms
- Isolate systems that cannot be patched from network access
- Document business justification for any permanently unpatched systems
The reality: You cannot securely run software that vendors no longer support. The cost of migration is always less than the cost of a breach through an unsupported platform.
4. Consolidate Security Tools
More tools don't mean better protection. Tool sprawl creates integration gaps, configuration conflicts, and visibility blind spots.
Action items:
- Audit all security tools and eliminate overlap
- Prioritize integrated platforms over point solutions
- Ensure tools share telemetry and can correlate alerts
- Reduce the number of agents and consoles security teams must manage
- Focus on tool effectiveness, not feature count
The benefit: Fewer tools means better integration, simpler management, and fewer opportunities for silent failures.
5. Establish Patch SLAs and Ownership
The 24% non-compliance rate for vulnerability management platforms suggests a governance problem [1]. Tools are deployed, but no one is accountable for their operation.
Action items:
- Define service level agreements (SLAs) for patch deployment
- Assign clear ownership for different system categories
- Create exception processes for systems that cannot be patched
- Report patch compliance metrics to leadership regularly
- Tie compliance to performance evaluations where appropriate
The message: Patch management isn't a technical task — it's a business process with business accountability.
6. Test Your Defenses Regularly
You can't assume your security tools are working. You have to prove it.
Action items:
- Conduct quarterly vulnerability scans to find unpatched systems
- Perform annual penetration tests to validate defense effectiveness
- Run table exercises to test incident response procedures
- Audit security logs to confirm tools are detecting and blocking threats
- Use breach and attack simulation (BAS) tools to automate validation
The outcome: Regular testing converts assumptions about security into verified facts about resilience.
The Strategic Shift: Resilience Over Perfection
Absolute Security's CEO captured the new reality: "Cyber-attacks are inevitable, downtime is optional." [1] This framing acknowledges that perfect prevention is impossible — the goal is rapid detection, effective containment, and efficient recovery.
For SMBs, this means:
- Accept that some attacks will succeed — design security with failure in mind
- Focus on containment and recovery — limit blast radius, restore operations quickly
- Invest in detection and response — find breaches fast, not prevent every breach
- Build redundancy and backups — ensure business continuity even during incidents
- Practice incident response — test recovery procedures before you need them
The 20% protection gap is a symptom of a deeper problem: organizations treating cybersecurity as a technical problem to be solved with tools, rather than a business process to be managed with discipline, governance, and continuous improvement.
The Cost of Inaction: What 76 Days of Exposure Really Means
Let's make the business case concrete. The IBM Cost of a Data Breach Report 2025 found the average breach costs $4.88 million globally [2]. The longer attackers have access, the higher the cost.
If a 20% protection gap increases breach probability by even 20%:
- A $4.88M breach becomes a 1-in-5 risk instead of 1-in-10 over 5 years
- Over 5 years, expected breach cost increases from $488K to $976K
- That's $488K in preventable risk from a tool health monitoring gap
The ROI of fixing the protection gap:
- Tool health monitoring and automation: $10K-$50K annually for most SMBs
- Expected loss reduction: $100K-$500K depending on industry and breach risk
- Payback period: Often less than 6 months
The question isn't whether you can afford to fix the protection gap. It's whether you can afford not to.
FAQ
Absolute Security's 2026 Resilience Risk Index found that endpoint cybersecurity software fails to protect 20% of enterprise devices at any given time [1]. This protection gap means organizations face the equivalent of 76 days per year where security tools aren't working properly.
According to Absolute Security's analysis, critical updates for Microsoft Windows were delayed by an average of 127 days in 2025 [1]. This four-month delay gives attackers months of opportunity to exploit publicly disclosed vulnerabilities.
Nearly 10% of enterprise endpoints are now permanently unpatched [1]. These are systems running end-of-life software (like Windows 10, which lost support in October 2025) or legacy applications that vendors no longer support. They cannot be patched and create permanent vulnerabilities.
24% of endpoint vulnerability management platforms are non-compliant, up from 20% the previous year [1]. This increase reflects growing IT complexity, alert fatigue, tool sprawl without integration, and lack of automated remediation. Organizations are buying tools but not executing on patching.
The 20% protection gap equals 76 days per year where organizations have increased vulnerability to cyberattacks [1]. This extended exposure window significantly increases breach probability, remediation costs, regulatory risk, and operational disruption.
References
[1] Absolute Security, "2026 Resilience Risk Index," Absolute Security, March 2026. [Online]. Available: https://www.absolute.com
[2] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[3] Infosecurity Magazine, "Enterprise Cybersecurity Software Fails 20% of the Time, Warns Absolute Security," Infosecurity Magazine, March 2026. [Online]. Available: https://www.infosecurity-magazine.com/news/cybersecurity-software-failure-20/
[4] Mandiant Google Cloud, "M-Trends 2026: A Report on Threat Landscape and Tactics," Mandiant, March 2026. [Online]. Available: https://cloud.google.com/security/resources/m-trends
[5] Kaspersky Security Services, "Anatomy of a Cyber World Global Report 2026," Kaspersky Securelist, March 2026. [Online]. Available: https://securelist.com/global-report-security-services-2026/119233/
[6] PwC, "Annual Threat Dynamics 2026," PwC, March 2026. [Online]. Available: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/annual-threat-dynamics.html
[7] N-able, "State of the SOC Report 2026," N-able, March 2026. [Online]. Available: https://www.n-able.com/resources/state-of-the-soc-report-2026
[8] Industrial Cyber, "M-Trends 2026 reveals threat landscape shaped by faster, coordinated, and industrialized cyberattacks," Industrial Cyber, March 2026. [Online]. Available: https://industrialcyber.co/reports/m-trends-2026-reveals-threat-landscape-shaped-by-faster-coordinated-and-industrialized-cyberattacks/
Your security tools are only as good as their ability to protect you when it matters. At lil.business, we help SMBs implement cybersecurity that actually works — not just tools on paper, but protection in practice. Get a free consultation and close your protection gap.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →TL;DR
- 1 in 5 computers has security software that isn't working properly
- This leaves businesses unprotected for 76 days per year
- 24% of patch management systems aren't keeping software up to date
- 10% of business computers can never be updated — they're permanently vulnerable
- Important Windows updates are delayed by 127 days on average
The Broken Lock: What 20% Failure Means
Imagine if the lock on your front door worked only 4 out of 5 times. That would be pretty scary, right? Someone could walk right in and you wouldn't know until it was too late.
That's exactly what's happening with computer security software. A new report found that 20% of business computers have security software that isn't working properly [1]. That's 1 in 5 computers.
What this means in real life:
- Businesses are unprotected for 76 days per year — that's over 2 months!
- Hackers can break in through these unprotected computers
- The security tools you paid for aren't actually protecting you
It's like paying for a security guard who falls asleep one day out of every work week.
Why Security Software Stops Working
You might think: "But we bought good security software! Why isn't it working?"
Here's the thing: It's not usually about buying bad software. It's about the software not running properly or not being kept up to date [1]. Think of it like this:
Your security software might fail because:
- It crashed and no one restarted it (like your phone freezing)
- It needs an update but hasn't been updated in months
- It's fighting with other security software and both stopped working
- It's installed on old computers that can't run it properly
- Someone turned it off to install something else and forgot to turn it back on
The problem: These failures happen silently. Your computer still works fine, so you don't know your protection is gone until a hacker breaks in.
The Update Problem: 127 Days Too Late
Here's another scary number: Important Windows updates are delayed by 127 days on average [1]. That's over 4 months!
Think of it like this: A safety recall is issued for your car. It's dangerous to drive it. But instead of fixing it right away, you wait 4 months. During those 4 months, you're driving a dangerous car every day.
With computers, here's what happens:
- Microsoft discovers a security problem in Windows
- They create a fix (called a "patch") and release it
- Businesses should install the fix immediately
- But many businesses wait 127 days — over 4 months!
During those 4 months:
- Hackers know about the security problem
- Hackers create tools to break in through that problem
- Your business computers are still vulnerable
It's like leaving your house key under the mat for 4 months after the police warned everyone that thieves know about that trick.
The Permanently Broken: 10% You Can Never Fix
The most worrying part: 10% of business computers can never be updated [1]. They're permanently vulnerable.
Why can't they be updated?
- They're running old software that companies don't support anymore (like Windows 10)
- They're too old to run new software
- They have special programs that break if you update them
Think of it this way: It's like having a car that's so old the company doesn't make parts for it anymore. If something breaks, you can't fix it. You just have to hope nothing goes wrong.
The problem: Hackers know which computers are old and unsupported. They specifically target these computers because they know they can't be protected.
Why Compliance Is Getting Worse, Not Better
Here's something strange: Businesses are buying more security tools than ever, but security is getting worse, not better.
The report found that 24% of patch management systems aren't working properly — that's up from 20% last year [1].
Why more tools = worse security:
- Too many tools — Each tool does something different, but they don't work together
- Alert fatigue — Security teams get so many warnings that they ignore them all
- No one is in charge — Everyone thinks someone else is handling it
- Tools without plans — Buying tools is easy; using them properly is hard
Think of it like this: If you buy 10 different fitness trackers but never exercise, you're not going to get fit. Security tools are the same — you have to actually use them properly.
What This Means for Your Business
Let's make this real. If your security software fails 20% of the time:
Increased risk:
- Hackers have more chances to break in
- When they do break in, they stay hidden longer
- By the time you catch them, they've done more damage
Higher costs:
- Cleaning up after a breach costs more if hackers had months of access
- You might lose customer data or business secrets
- Your reputation could be damaged
Legal problems:
- Some laws require you to have good security
- If you're breached because you didn't update your software, you could be in trouble
- Fines and lawsuits can cost more than fixing the problem would have
What You Can Do: Simple Steps to Fix the Gap
The good news: You don't need to spend millions to fix this problem. Here are practical steps that actually work:
1. Check If Your Security Is Actually Running
Most businesses have security software, but they never check if it's actually working.
What to do:
- Check regularly that security software is running on all computers
- Set up alerts if protection stops working
- Make a list of all your computers and check them monthly
- Test your security by trying to access things you shouldn't be able to
Simple example: It's like checking that you actually locked the door before you leave the house. Not assuming you locked it — actually checking.
2. Update Software Automatically (Within 48 Hours)
Remember the 127-day delay problem? You can fix this by automating updates.
What to do:
- Turn on automatic updates for Windows and other software
- Set a schedule: Check for updates every week
- Install important updates within 48 hours (2 days)
- Test updates first on one computer before putting them on all computers
Why this matters: Most hackers break in through old problems that already have fixes. If you install fixes quickly, you close the doors they're trying to open.
3. Plan for Old Software Before It Becomes a Problem
Windows 10 stopped being supported in October 2025. This was announced years in advance [1].
What to do:
- Make a list of all software you use
- Find out when each one will stop being supported
- Plan to replace software 1-2 years before it stops being supported
- Budget for replacements — old computers and software cost more to keep than to replace
The car analogy: Don't wait until your car breaks down on the highway to think about replacing it. Replace it before it becomes a problem.
4. Use Fewer Tools That Work Together
Instead of buying 10 different security tools that don't talk to each other, buy 2-3 that work together.
What to do:
- Audit what security tools you have
- Get rid of tools that overlap or don't work
- Choose tools that integrate with each other
- Make sure one person is in charge of each tool
Think of it like a toolbox: You don't need 10 different hammers. You need a few good tools that work well together.
5. Make Someone Responsible
The 24% non-compliance problem exists because no one is actually accountable [1].
What to do:
- Assign one person to be in charge of security updates
- Give them the authority to schedule updates and restarts
- Create a simple checklist: Update, verify, report
- Review security monthly as part of regular business operations
Why this works: When everyone is responsible, no one is responsible. When one person is responsible, things actually get done.
6. Test Your Security Regularly
You can't assume your security works. You have to prove it.
What to do:
- Run a quarterly scan to find unpatched computers
- Try to break into your own systems (or hire someone to do it)
- Practice what you'll do if you get hacked
- Check security logs to see if your tools are actually detecting things
The fire drill analogy: You don't wait until there's a fire to figure out how the fire extinguisher works. You practice beforehand. Security is the same.
The New Mindset: Resilience Over Perfection
Here's the most important thing to understand: You cannot stop every attack. Even the biggest companies with the best security get hacked.
But here's what you CAN do:
- Detect attacks fast — catch them within hours, not months
- Have good backups — so you can recover without paying hackers
- Have a plan — know what to do when something happens
- Learn from mistakes — each incident makes you stronger
This is called cyber resilience, and it's what separates businesses that survive attacks from businesses that go under.
Think of it like car accidents:
- You can't prevent every accident
- But you wear a seatbelt
- You buy insurance
- You drive carefully
- If you do have an accident, you know what to do
Cybersecurity is the same. You can't prevent every problem, but you can protect your business so you survive when problems happen.
The Cost of Doing Nothing
Let's talk about money. The average data breach costs about $4.88 million [2]. That's a lot of money for most businesses.
If fixing your security gaps:
- Costs: $10,000 - $50,000 per year for most small businesses
- Prevents even one $4.88 million breach
- You save $4.83 million
The question isn't: Can we afford to fix our security? The real question is: Can we afford NOT to?
Think of it this way: Would you spend $10,000 to protect your business from losing $4.88 million? Most business owners would say yes.
Where to Start: A Simple Checklist
If all of this feels overwhelming, here's where to start:
This week:
- Check if your security software is actually running on all computers
- Turn on automatic updates for Windows
- Make a list of all software you use
This month:
- Update everything that's out of date
- Assign one person to be in charge of security
- Test your backups (make sure they actually work)
This quarter:
- Replace any software that's no longer supported
- Create a simple security plan
- Run a vulnerability scan to find problems
This year:
- Hire a security consultant to review your setup
- Train your employees on security basics
- Practice your incident response plan
Start small. Start somewhere. Just start.
FAQ
It means that 1 in 5 business computers has security software that isn't working properly [1]. The software might be turned off, outdated, crashed, or misconfigured. This leaves businesses unprotected for 76 days per year on average.
Important security updates should be installed within 48 hours (2 days) [1]. But the average business delays critical Windows updates by 127 days — over 4 months. During those 4 months, hackers can exploit the known vulnerabilities.
Permanently unpatched systems are computers that can never receive security updates [1]. This happens when software reaches "end of life" and vendors stop supporting it (like Windows 10 in October 2025), or when computers are too old to run new software.
Security is getting worse because businesses are buying tools but not managing them properly. 24% of patch management systems are non-compliant (up from 20% last year) [1]. More tools create complexity, alert fatigue, and integration gaps without improving actual protection.
Small businesses can fix the protection gap by: monitoring tool health (not just threats), automating patch updates, planning for end-of-life software transitions, consolidating security tools, establishing clear accountability, and testing defenses regularly. The key is process and discipline, not buying more tools.
References
[1] Absolute Security, "2026 Resilience Risk Index," Absolute Security, March 2026. [Online]. Available: https://www.absolute.com
[2] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[3] Infosecurity Magazine, "Enterprise Cybersecurity Software Fails 20% of the Time, Warns Absolute Security," Infosecurity Magazine, March 2026. [Online]. Available: https://www.infosecurity-magazine.com/news/cybersecurity-software-failure-20/
[4] Mandiant Google Cloud, "M-Trends 2026: A Report on Threat Landscape and Tactics," Mandiant, March 2026. [Online]. Available: https://cloud.google.com/security/resources/m-trends
[5] Kaspersky Security Services, "Anatomy of a Cyber World Global Report 2026," Kaspersky Securelist, March 2026. [Online]. Available: https://securelist.com/global-report-security-services-2026/119233/
[6] PwC, "Annual Threat Dynamics 2026," PwC, March 2026. [Online]. Available: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/annual-threat-dynamics.html
[7] N-able, "State of the SOC Report 2026," N-able, March 2026. [Online]. Available: https://www.n-able.com/resources/state-of-the-soc-report-2026
[8] Industrial Cyber, "M-Trends 2026 reveals threat landscape shaped by faster, coordinated, and industrialized cyberattacks," Industrial Cyber, March 2026. [Online]. Available: https://industrialcyber.co/reports/m-trends-2026-reveals-threat-landscape-shaped-by-faster-coordinated-and-industrialized-cyberattacks/
Your security tools only protect you if they're actually working. At lil.business, we help small businesses implement cybersecurity that works in practice, not just on paper. Get a free consultation and close your protection gap.
lilMONSTER Newsletter
Weekly cybersecurity insights, practical tips, no spam. Unsubscribe anytime.