Nearly 70 percent of systems are vulnerable to malicious attack, although organizations improved patching processes by 23 percent in the past three years, said Gerhard Eschelbeck, chief technology officer and vice president of engineering for Qualys.
Commenting on his "Laws of Vulnerabilities" study, Eschelbeck said that companies are improving their methods of deciding which threats are their most prominent.
"People have had to look at what is their priority," said Eschelbeck, who drew his conclusions from a study of 21 million critical vulnerabilities collected from 32 million live network scans. "Ninety percent of the problems are caused by 10 percent of the vulnerabilities. The key question is: Which ones of those threats are the 10 percent?"
Eschelbeck also said the study showed that companies using a regular patch cycle repair vulnerabilities faster than counterparts using irregular cycles.
"Based on the statistics, regular posting has allowed people to patch 18 percent faster," he said. "You can respond to regular patching in a more coordinated fashion."
The study also points out that 85 percent of damage from automated attacks takes place in the first two weeks, a point not lost on former presidential cyber security advisor Howard A. Schmidt.
"With automated attacks creating 85 percent of their damage within the first 15 days, it is even more critical that organizations act quickly to identify and remediate threats," he said in a statement. "These laws help organizations understand exactly how vulnerable their systems are and where priorities should be placed."