Why Clients Shouldn’t Rely on Software Patching Alone

Back to Blog
Patch written with wooden cubes

Why Clients Shouldn’t Rely on Software Patching Alone

Software vulnerability exploitation ranked as 2020’s top attack method for cybercriminals, according to a report conducted by 2021 X-Force Threat Intelligence Index. Hackers love scanning networks, looking for software weaknesses that haven’t been patched. Once a vulnerability is found, it’s easy infiltration.

Software vulnerabilities are a prevalent threat, and their numbers proliferate with each passing year: 1998 ended with 319 reported vulnerabilities. They continued to rise with the turning of the calendar to 2020, which saw 18,362.

Many of those vulnerabilities are high-risk. Edgescan’s 2020 Vulnerability Statistics Report found that more than 25% of external-facing web application and at least 40% of internal application vulnerabilities are deemed high-risk. CVE Details reported that more than 13% of vulnerabilities bear a critical score.

Staying current on vulnerability patches is critical to an organization’s cyber security. But MSPs should encourage their clients to not rely solely on patching. Patching is never perfect.

With such high occurrence numbers, there is no guarantee that every vulnerability is–or can be–detected. Some are bound to slip through. For patching to work, the threat must first be detected. In 2019, a 20-year-old vulnerability that affected Simple Network Management Protocol version 2 (SNMPv2) was discovered. The bug allowed unauthorized SNMP through a guessed community string.

Twenty years is an extreme case, of course, but according to Check Point Cyber Cyber Attack Trends: 2020 Mid-Year Report, 80% of attacks in the first half of 2020 were at least two years old.

And then there’s a chance that a patch won’t fix all the weaknesses or will fix them on some platforms, but not on others. For example, a nasty code packet, christened ‘Slammer,’ infected millions of systems at lightning speed – six months after Microsoft had developed a vulnerability patch to prevent such an attack.

With so many vulnerabilities prevailing that warrant so many combinations of patches, software vendors simply cannot keep up. MSPs should educate their clients on patching’s fallibility and encourage them to supplement regular patching updates with vulnerability scanning.

A comprehensive cyber security program includes security automation with vulnerability scanning. It can be one of your most powerful tools. This proactive approach detects risks before they become incidents. Not only will regular vulnerability scans generate recurring income, but the problems they uncover can expand your revenue and your worth to your client when you perform the fix.

To find more about how you can use vulnerability scanning to secure your clients, visit us and request a demo.


  1. Top 10 Cybersecurity Vulnerabilities of 2020, Security Intelligence, 2021
  2. 25+ Cybersecurity Vulnerability Statistics and Facts of 2021, 2021
  3. Why Software Patches Don’t Fix Everything, Forbes, 2019