Patching Still Tells You a Lot About How Seriously an Organisation Takes Security
A recent report found that more than 511,000 end-of-life Microsoft IIS instances are still exposed online.
Now if that’s not a warning sign, I don’t know what is.
For all the attention given to AI threats, ransomware and sophisticated attack techniques, we're still looking at a large number of organisations that don't have the basics covered (and that count covers just one product).
Patching is still one of the biggest tests.
If an internet-facing system is out of support, you're looking at something much bigger than technical debt: it has become a cybersecurity risk in its own right.
It tells you something important:
- Asset visibility may be weak
- Ownership may be unclear
- Legacy systems may be lingering without a real plan
- Avoidable risk may be getting normalised
That’s the bigger problem.
I've said this in the past: target size doesn't matter to attackers. They're just looking for an easy way in, i.e. an organisation that has fallen behind on the fundamentals. Unsupported, exposed systems fit the bill.
Yes, AI-supported cyberattacks, or cases like the recent Stryker incident where an attacker turned the organisation's own tools (Microsoft Intune) against it via a compromised admin account, are getting more media coverage, and they are one problem. Patching is another. I understand it's not particularly exciting and certainly doesn't get as much publicity as a major breach. But it's still one of the clearest indicators of cyber maturity.
Because once a system reaches end of life, patching is no longer an option: the vendor has stopped shipping fixes, so every vulnerability found from that point on stays open.
At that point, you're left trying to contain the risk through segmentation, restricted access, compensating controls, or complete replacement. Anything short of replacement only limits the exposure; the unpatched vulnerabilities are still there.
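The first step in that conversation is knowing which of your own internet-facing hosts are already past end of life. The following is an added example, not code from the original post: it takes a constructed inventory of hostnames and HTTP Server banners (the kind a scanner or a simple HEAD request would give you) and flags the hosts whose IIS version ties them to a Windows Server release that is out of extended support. The IIS-version-to-platform mapping and the support end dates are my assumptions and should be verified against Microsoft's product lifecycle pages before you act on the output; Extended Security Updates can keep a platform patchable beyond the dates used here, so treat any host you believe is covered by ESU as an exception that needs documented evidence rather than as supported.

```python
"""Triage IIS Server banners from an inventory and flag hosts whose platform is end-of-life.

Added example, not code from the original post. The version-to-platform mapping and
the support end dates below are assumptions; verify them against Microsoft's lifecycle
pages (and any ESU coverage you have) before relying on the output.
"""
import re
from datetime import date

# Assumed: the IIS version in the Server header identifies the Windows Server release it
# ships with, and that release's end of extended support is when security patches stop.
# None means the platform is still in support at the time of writing.
IIS_PLATFORM_EOL = {
    "6.0": ("Windows Server 2003", date(2015, 7, 14)),
    "7.0": ("Windows Server 2008", date(2020, 1, 14)),
    "7.5": ("Windows Server 2008 R2", date(2020, 1, 14)),
    "8.0": ("Windows Server 2012", date(2023, 10, 10)),
    "8.5": ("Windows Server 2012 R2", date(2023, 10, 10)),
    "10.0": ("Windows Server 2016 or later", None),
}

SERVER_RE = re.compile(r"^Microsoft-IIS/(\d+\.\d+)\s*$", re.IGNORECASE)


def classify_banner(host, server_header, today=None):
    """Classify one host from its HTTP Server header value (None if the header was absent)."""
    today = today or date.today()
    result = {"host": host, "version": None, "platform": None, "status": None, "days_past_eol": 0}
    if server_header is None:
        # A hidden banner is not evidence of support: the host still needs an owner
        # and an authoritative OS inventory entry, so it stays on the list as unknown.
        result["status"] = "unknown"
        return result
    m = SERVER_RE.match(server_header.strip())
    if not m:
        result["status"] = "not-iis"
        return result
    version = m.group(1)
    result["version"] = version
    platform, eol = IIS_PLATFORM_EOL.get(version, (None, None))
    result["platform"] = platform
    if platform is None:
        result["status"] = "unknown"  # IIS version not in the assumed table
    elif eol is None or today <= eol:
        result["status"] = "supported"
    else:
        result["status"] = "end-of-life"
        result["days_past_eol"] = (today - eol).days
    return result


def triage(inventory, today=None):
    """Classify every (host, server_header) pair; end-of-life hosts first, longest exposure first."""
    rows = [classify_banner(h, s, today) for h, s in inventory]
    order = {"end-of-life": 0, "unknown": 1, "supported": 2, "not-iis": 3}
    return sorted(rows, key=lambda r: (order[r["status"]], -r["days_past_eol"], r["host"]))


# Constructed sample inventory: hostnames and banners invented for this example, in the
# shape a scanner's Server-header output would take.
SAMPLE_INVENTORY = [
    ("www.example.test", "Microsoft-IIS/10.0"),
    ("legacy-app.example.test", "Microsoft-IIS/7.5"),
    ("intranet-ext.example.test", "Microsoft-IIS/8.5"),
    ("old-portal.example.test", "Microsoft-IIS/6.0"),
    ("api.example.test", "nginx/1.24.0"),
    ("hidden.example.test", None),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['status']:<12} {r['host']:<28} {r['version'] or '-':<6} "
              f"{r['platform'] or '-'}  {r['days_past_eol'] or ''}")
```

Run as-is it prints the constructed inventory with the three end-of-life hosts at the top, ordered by how long they have been unpatchable. The "unknown" bucket is deliberate: a stripped banner or an unrecognised version is exactly the asset nobody properly owns, so it should land on somebody's desk rather than quietly drop off the report.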
The fact stands that many security failures still start in very ordinary places:
an unpatched server, an unsupported system, a public-facing asset nobody properly owned. Even an offline endpoint is not 100% safe, because you still need procedures to bring data into that environment, and those can be compromised: by shadow IT, or by unused but still-connected peripherals.
So, the lesson is simple.
If a system is exposed to the internet, staying on top of patching is not optional.
And if it’s already out of support, the conversation should move quickly from delay to removal.
The basics still matter.
In many cases, they matter most.
I understand that most businesses' IT teams already have their hands full with in-house projects, so they really don't need another task to stay on top of. With the recent National Insurance changes and the general state of the economy, more businesses are tightening their purse strings over staffing decisions, which of course also affects the IT team. However, technological progress won't stop, and the emergence of new vulnerabilities is only accelerating (thanks to AI and vibe coding…). With the manifold disciplines within IT itself, it does make sense to let someone take care of it who does it on a daily basis. For us, it's second nature. That's why we're supporting our customers' in-house IT teams.
How is your organisation handling end-of-life internet-facing systems before they become a security problem?