What are the risks of unpatched software vulnerabilities?

Meredith Kreisa headshot
Meredith Kreisa|March 26, 2024
Laptop computer with padlock over it on orange background
Laptop computer with padlock over it on orange background

If you’ve been in IT for more than 30 seconds, you’ve hopefully figured out that patch management is important. Ridiculously important, actually. But even seasoned IT experts might not know all the risks of unpatched software vulnerabilities. We’ll break down the top concerns so that you can make a stronger case to leadership for dedicating the necessary time to vulnerability patching.

Outdated software, including the much-feared legacy systems, poses unique risks. Once software is unsupported, it no longer receives security patches. That means that even if you are on top of your patch management, your environment is at a heightened risk of a security breach. 


Malware is one of the top cybersecurity threats. For instance, a ransomware attack can effectively shut down your business until you either pay up or use your backups to get back up and running. Either way, it’s not an ideal scenario for anyone but masochists. 

So how does this relate to patching, you ask? Thank you for that question. I wouldn’t know how to transition without you. Well, a malware attack might exploit a known vulnerability. And many do. 

In 2022, 76% of ransomware attacks exploited known vulnerabilities announced between 2010 and 2019. Malicious actors continue to exploit older vulnerabilities because why change what works? 

However, Mandiant suggests security vulnerability exploitation is most likely to occur by the end of the first month after the patch is released. And that also tracks. After all, to a threat actor, a patch release basically shines a spotlight on new opportunities that many organizations won’t have shored up yet. 

In May 2017, the WannaCry ransomware attack hit hundreds of thousands of computers around the world, halting routine business operations of some affected organizations. The malicious attacks exploited a vulnerability that Microsoft had released a patch for two months prior.

Data breaches 

Data breaches are the stuff of nightmares. They can expose client data, potentially putting them at risk of identity theft. They can also expose the company’s sensitive information, spilling your trade secrets and intellectual property all over the internet.

According to IBM’s Cost of a Data Breach Report 2023, 5% of the breaches studied exploited unpatched vulnerabilities, resulting in an average cost of $4.17 million. But a study by the Ponemon Institute provides a far more cringe-inducing statistic, noting that 60% of data breach victims cite an unpatched vulnerability.

The famous 2017 Equifax data breach was attributed to the company’s failure to patch a known vulnerability in the open-source framework Apache Struts. According to the FTC, the incident exposed personal data related to 147 million people and resulted in a settlement of up to $425 million.

Compliance issues

If you’re subject to regulatory requirements, then cybersecurity compliance is a major concern. Many cybersecurity regulations call for robust data protection, which in turn calls for regular patching. Failing to do so can result in hefty fines, penalties, and disapproving glares from your CFO.

Here are just a few of the most common standards that relate to patching:

Remember that Equifax data breach? Well, the company was subject to several regulations and standards related to the protection of personal information. The FTC reports that the company settled with U.S. states, the FTC, and the Consumer Financial Protection Bureau (CFPB) to pay at least $575 million. The United Kingdom’s Financial Conduct Authority (FCA) also got in on the act, fining Equifax another $13 million.

Downtime and reduced productivity 

Beyond exposing you to cyber risk, skipping an important software update could jeopardize business operations. While some patches address security vulnerabilities, others fix bugs that impact performance and functionality.

That means an unpatched system may be more susceptible to performance issues and crashes — and those crashes will interrupt work. Failure to install necessary patches can result in downtime and performance issues related to infrastructure, applications, and the operating system.

That said, according to Veeam’s 2024 Data Protection Trends report, cybersecurity events remain the most common cause of outages. And the resulting downtime can have far-reaching ramifications.

When the British National Health System was hit by the WannaCry ransomware attack in 2017, downtime forced the cancelation of 19,000 appointments and operations.

Financial and reputational loss 

The financial costs of unpatched vulnerabilities can be quite steep, particularly if you experience a data breach, malware, or compliance issues. In addition to facing expenses related to investigation and remediation, you could face legal fees; regulatory fines and penalties; and expenses related to notifying clients, compensating affected parties, and upping your PR efforts.

And don’t even get us started on the reputational damage. If malicious actors access your systems, customers may lose trust in your business. It’s difficult to calculate the true value of reputation, but studies estimate that it accounts for 25% to 63% of a company’s market value. Additionally, IBM’s Cost of a Data Breach Report 2023 suggests that the average data breach also results in $1.3 million in lost business, which reputational loss undoubtedly contributes to. That’s nothing to sneeze at.

In 2020, just three years after the incident, the Atlanta Business Chronicle estimated that the Equifax breach had already cost the company over $2 billion. But we may never know the true cost since some types of damage, such as reputational loss and overwhelming public humiliation, are difficult to quantify.

Unpatched software vulnerability FAQs 

How is using outdated software a security issue? 

Using outdated software puts you at risk of data breach, malware, and other cybersecurity risks. Outdated software may lack necessary security patches and the latest defenses, making your systems easier targets for hackers. And since end-of-life (EOL) and end-of-support (EOS) products no longer receive updates or support, they are inherently vulnerable.

What happens if I don’t patch?

If you routinely don’t apply patches, you are accepting a high degree of risk. Threat actors could exploit known vulnerabilities to gain unauthorized access, steal data, disrupt business operations, or install malware. Any of these scenarios could cause significant financial and reputational damage.

What are the risks of patch management?

Installing untested patches could lead to compatibility issues or other unexpected consequences that affect business operations. That’s why it’s important to test patches with a smaller group of systems from different departments before rolling patches out to the rest of your environment.

Patching vulnerabilities is one of the easiest ways to avert disaster and the subsequent period of crying under your desk. And with PDQ, software vulnerability management has never been simpler. Make attackers rue the day they tried to mess with your environment. Try PDQ for free. 

Meredith Kreisa headshot
Meredith Kreisa

Meredith gets her kicks diving into the depths of IT lore and checking her internet speed incessantly. When she's not spending quality time behind a computer screen, she's probably curled up under a blanket, silently contemplating the efficacy of napping.

Related articles