Most enterprises prioritize their security patches by which applications they use most. If most of the users in the enterprise are running Microsoft Word, for example, then that application will move to the head of the line for patching.

In a blog and whitepaper issued this week, however, researchers at Secunia suggested that enterprises could achieve significant security improvements if they prioritize their patches by the severity of the vulnerability instead of the prevalence of the application.

"Many organizations prioritize their patches by selecting the most prevalent or most attacked applications," says Thomas Kristensen, CTO of Secunia. "This is a flawed approach. You should look at criticality and number of vulnerabilities, and use that as your filter."

Research reveals that an 80 percent reduction in risk can be achieved by patching and identifying either the 12 most risky programs or the 37 most prevalent programs, the whitepaper says.

Most organizations still take too long to patch their applications, according to Secunia. "There is a lot of talk about zero-day attacks, but the truth is that most cybercriminals don’t need a zero-day attack in order to penetrate enterprise defenses, because there is a significant amount of time available to do an exploit between the disclosure of the vulnerability and the deployment of the patch," Kristensen observes.

"Organizations hold the power to patch 65 percent of vulnerabilities on the day of disclosure firmly in their hands," the whitepaper says.

Cybercriminals are less interested in attacking widely used applications from Microsoft than they used to be because Microsoft has become faster in identifying vulnerabilities and quicker to deploy patches for its applications, Kristensen says. "Now, non-Microsoft programs that are patched with less frequency and deployed more slowly are a more attractive target," he says.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.