Over the past 12 months, many organizations have become slightly faster at applying operating system patches on endpoint systems despite the challenges associated with maintaining remote devices, a new report from Absolute Software shows.

Even so, the length of time that enterprise endpoints were out-of-date with available OS patches remained relatively high at 80 days.

"Surprisingly, given the challenges of maintaining remote devices, we actually saw a decrease in the length of time that endpoints were behind in applying the latest OS patches available," says Steven Spadaccini, vice president of global sales engineering at Absolute Software.

Over the past year, even the most sophisticated organizations had a hard time supporting and securing remote workforces. A lack of visibility and control over their entire endpoint environment exacerbated the security challenge for many organizations, he says.

"While a lag of two-plus months is certainly still cause for concern, it is encouraging to see that organizations worked to improve fundamental security hygiene practices even with employees out of the building and off the corporate network," Spadaccini says.

For the report, Absolute analyzed anonymized data from some 5 million devices running the company's software across 13,000 customer sites in North America and Europe. One key takeaway from the analysis was the large proportion of endpoint devices with sensitive data on them. Also of note was the overall increase in the volume of sensitive data on these systems.

Seventy-three percent of the systems overall that Absolute analyzed had at least some sensitive data on them, such as personally identifiable information and protected health information. Devices in the financial services and professional service sectors tended to have substantially more sensitive data on them than in other sectors like government and healthcare.

Absolute discovered substantial increases in endpoint data volumes as well. For example, 30% of devices in the financial services sector contained more than 500 instances of sensitive data — a 15% increase from pre-COVID days. Similarly, 15% of healthcare endpoints contained more than 500 instances of sensitive data — up 12% from before the pandemic began.

Spadaccini attributes the increased data volumes to the shift to remote work in recent months.

"With more employees working remotely over the past year, we saw more sensitive information stored locally on endpoint devices, likely due to the difficulties many experienced with connecting to and accessing corporate systems and data while off the corporate network," he says.

The growing volume of sensitive data on endpoint devices presents a heightened risk for organizations, especially since nearly one in four (23%) of the devices containing such data have weak or ineffective encryption controls, Spadaccini says.

Another takeaway from the Absolute report is the increase in the number of applications installed on enterprise endpoint devices and the number of security controls in place to protect the devices. On average, Absolute discovered 96 unique applications per device and 11.7 security controls, such as antivirus, encryption, endpoint management, identity and access management, and endpoint detection and response tools.

The problem for organizations with having too many security controls in place is increased complexity and vulnerability to attack, Spadaccini says. Some of the most common vulnerabilities that attackers exploited last year in ransomware attacks involved virtual private networks and other security applications, he adds. In fact, almost any application deployed on the endpoint carries the potential of opening a security gap and expanding an organization’s attack surface, he says.

Windows 10 Adoption Increases
Absolute's analysis shows that adoption of Windows 10 increased substantially over the past year. Windows 10 adoption was highest among organizations in the professional services sector (98%), government (94%), financial services (92%), and retail (92%).

Somewhat troublingly, though, more than four in 10 of the Windows 10 systems that Absolute analyzed were running version 1909 — a November 2019 version of the operating system associated with over 1,000 known vulnerabilities. Earlier this month, Microsoft announced it would no longer issue monthly security patches and quality updates for the Home and Pro editions of Windows 10, version 1909, and all server editions of the software as well.

The healthcare industry lagged other sectors in Windows 10 adoption with some 10% of organizations still on Windows 7, a version of the operating system that Microsoft stopped supporting in January 2020. Spadaccini says. One likely reason that organizations in some sectors lag others is that the core applications they rely on may not be compatible with current OS releases. In these situations, organizations are taking a calculated risk by remaining on outdated and unsupported operating systems, he says.