Eschelbeck unveiled his research Wednesday at the Black Hat Briefings in Las Vegas.
The findings, drawn from a statistical analysis of mostly global enterprise networks, shows that there is a lot of room for improvement on how companies handle vulnerabilities on their internal networks, he said.
In order to reduce the window of exposure to internal systems, companies need to become more aware of critical vulnerabilities, prioritize vulnerabilities by focusing on what's more important in their business context, and consider an automated system for remediating vulnerabilities.
Eschelbeck credited increased awareness to shortening the time it takes companies to patch systems connected directly to the internet. Last year, it took 30 days compared to 21 this year.
Qualys also released a top 10 list of most prevalent and critical vulnerabilities for both external systems connected directly to the internet and internal systems. The lists are available at www.qualys.com