Patching Delays Leave Systems Vulnerable: A Deep Dive into SMB Security Risks
Small and midsize businesses (SMBs) face a critical challenge in maintaining cybersecurity: the timely application of software patches. A recent analysis reveals significant delays in patching, leaving systems exposed to known vulnerabilities for extended periods. While many organizations address updates within a week, a substantial minority lag behind, creating a “tail risk” that attackers actively exploit.
The Patching Gap: A Tale of Two Speeds
According to telemetry data analyzed in the second half of 2025, the median installation time for Microsoft patches globally is 185 hours (7.7 days). Yet, the slowest 10% of deployments can take as long as 926 hours (38.6 days) to complete. Third-party application updates are generally faster, with a median of 136 hours (5.7 days), but still exhibit a significant delay in the slowest 10% of deployments, reaching 597 hours (24.9 days).
Acronis distinguishes between the typical patching experience (the median) and the “laggards” (the 90th percentile, i.e. the slowest 10% of deployments) who create the largest exposure window. These delays often stem from endpoints missing maintenance windows, remaining offline, or never completing the reboot a patch requires before it counts as installed.
The State of Patch Status: A Concerning Distribution
The telemetry data paints a concerning picture of patch status. Globally, Microsoft patches are most often found in a “New / Pending” state (49.6%) or marked as “Obsolete” (44.9%). Only a small fraction (3.6%) are “Installed,” with 1.1% requiring a reboot, and 0.7% having “Failed.”
Third-party updates show a similar distribution: 51.9% are “New / Pending,” and 43.2% are “Obsolete,” while 4.0% are installed. The high percentage of “Obsolete” patches can indicate periodic catch-up efforts rather than consistent patching.
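As an added example (not code or data from the Acronis report), the following Python script shows how an MSP could reproduce the report's two views from its own patch telemetry: the median and 90th-percentile time-to-install for patches that reached the “Installed” state, the status distribution across all (endpoint, patch) pairs, and the list of endpoints whose oldest non-installed patch exceeds an age threshold. The telemetry records, endpoint names, patch identifiers and timestamps are constructed for illustration, and the percentile uses the nearest-rank method; both are assumptions, not Acronis's methodology.

```python
"""Patch-latency, patch-status and laggard summary from per-endpoint telemetry.

Added example with constructed data; it is not the Acronis report's code.
"""
from collections import Counter
from datetime import datetime, timezone
from math import ceil
from statistics import median


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rec(endpoint, patch, released_at, status, installed_at=None):
    """One (endpoint, patch) telemetry record; installed_at is set only for Installed."""
    return {"endpoint": endpoint, "patch": patch, "released_at": released_at,
            "status": status, "installed_at": installed_at}


# Constructed sample telemetry (hypothetical endpoints, patches and timestamps).
# "patch-A" was released 2025-09-09 17:00Z, "patch-B" on 2025-10-14 17:00Z.
TELEMETRY = [
    rec("ws-01", "patch-A", "2025-09-09T17:00:00Z", "Installed", "2025-09-10T03:00:00Z"),
    rec("ws-02", "patch-A", "2025-09-09T17:00:00Z", "Installed", "2025-09-13T01:00:00Z"),
    rec("ws-03", "patch-A", "2025-09-09T17:00:00Z", "Installed", "2025-09-17T17:00:00Z"),
    rec("ws-04", "patch-A", "2025-09-09T17:00:00Z", "Installed", "2025-09-25T17:00:00Z"),
    rec("ws-05", "patch-A", "2025-09-09T17:00:00Z", "Installed", "2025-10-20T17:00:00Z"),
    rec("ws-06", "patch-A", "2025-09-09T17:00:00Z", "Reboot required"),
    rec("ws-07", "patch-A", "2025-09-09T17:00:00Z", "New / Pending"),
    rec("ws-08", "patch-A", "2025-09-09T17:00:00Z", "Failed"),
    rec("ws-01", "patch-B", "2025-10-14T17:00:00Z", "Installed", "2025-10-15T17:00:00Z"),
    rec("ws-07", "patch-B", "2025-10-14T17:00:00Z", "New / Pending"),
]


def hours_between(start_iso, end_iso):
    """Elapsed hours from start_iso to end_iso (floating point)."""
    return (parse_ts(end_iso) - parse_ts(start_iso)).total_seconds() / 3600


def install_latencies_hours(records):
    """Sorted release-to-install latencies for records that reached Installed."""
    return sorted(hours_between(r["released_at"], r["installed_at"])
                  for r in records if r["status"] == "Installed" and r["installed_at"])


def nearest_rank_percentile(sorted_values, pct):
    """Nearest-rank percentile: the value at rank ceil(pct/100 * n), 1-indexed."""
    if not sorted_values:
        raise ValueError("no values")
    rank = max(1, ceil(pct / 100 * len(sorted_values)))
    return sorted_values[rank - 1]


def latency_summary(records):
    """Median and 90th-percentile hours-to-install, mirroring the report's two views."""
    lat = install_latencies_hours(records)
    return {"count": len(lat), "median_hours": median(lat),
            "p90_hours": nearest_rank_percentile(lat, 90)}


def status_distribution(records):
    """Percentage of (endpoint, patch) pairs in each status, rounded to 0.1%."""
    counts = Counter(r["status"] for r in records)
    total = sum(counts.values())
    return {status: round(100 * c / total, 1) for status, c in counts.items()}


def laggard_endpoints(records, now_iso, max_age_hours):
    """Endpoints with a non-installed patch older than max_age_hours.

    Returns (endpoint, patch, status, age_hours) for each endpoint's oldest such
    patch, most overdue first. Pending, reboot-required and failed patches all
    count as exposure: the vulnerability is still present in every case.
    """
    oldest = {}
    for r in records:
        if r["status"] == "Installed":
            continue
        age = hours_between(r["released_at"], now_iso)
        if age <= max_age_hours:
            continue
        current = oldest.get(r["endpoint"])
        if current is None or age > current[2]:
            oldest[r["endpoint"]] = (r["patch"], r["status"], age)
    rows = [(ep, patch, status, round(age)) for ep, (patch, status, age) in oldest.items()]
    return sorted(rows, key=lambda row: -row[3])


if __name__ == "__main__":
    print("latency:", latency_summary(TELEMETRY))
    print("status distribution:", status_distribution(TELEMETRY))
    for row in laggard_endpoints(TELEMETRY, "2025-11-01T00:00:00Z", max_age_hours=30 * 24):
        print("laggard:", row)
```

With the constructed data the median is 136 hours while the 90th percentile is 984 hours, the same shape as the report's gap between typical endpoints and the tail. The sample omits the “Obsolete” status on purpose: whether a superseded-but-never-installed patch still represents exposure depends on the patch tool's own definition, so check that definition before counting or excluding it in the laggard list.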
Implications for SMBs and MSPs
The report highlights the challenges faced by SMBs and the Managed Service Providers (MSPs) who manage their endpoints. Patch management remains a crucial security control, but it often clashes with uptime requirements and potential user disruption. Line-of-business applications can also restrict update schedules, and devices outside the network (e.g., laptops) can further extend deployment times.
Acronis notes that slow patch cycles lead to reactive work for MSPs, including escalations during high-profile vulnerability disclosures and after-hours remediation. A proactive approach, including staged rollouts and planned maintenance windows, is recommended.
Geographical Variations in Patching Speed
Median patch times vary significantly across countries, ranging from approximately four days to nearly 15 days for Microsoft updates. The size of the “tail” – the delay experienced by laggard endpoints – also differs considerably. Some regions demonstrate a tighter distribution, with even slow endpoints completing updates within a few weeks, while others show 90th-percentile values measured in months.
Mexico, Germany, the United Kingdom, and Spain were among the fastest median performers for Microsoft patch deployment. Faster medians often correlate with standardized fleets and clearly defined maintenance windows, but whatever the median, the priority is preventing any endpoint from remaining unpatched for an extended period.
Operational Friction: The Root of the Problem
Third-party patching is typically faster than Microsoft patching, potentially indicating that organizations find it easier to update applications than to apply operating-system patches that disrupt users or require navigating complex approval processes. However, Acronis cautions that application vulnerabilities are a common entry point for attackers and should be tracked alongside operating system updates.
The report emphasizes that technical failures are not the primary bottleneck. Instead, scheduling issues, deferred restarts, and unreachable devices contribute most to patching delays.
Key Takeaways
- The median time to install Microsoft patches is 7.7 days, but the slowest 10% take over a month.
- Third-party patches install faster on average, but still exhibit significant delays in some cases.
- Patching delays create a “tail risk” that attackers exploit.
- SMBs and MSPs need to prioritize proactive patch management strategies.
- Operational factors, such as scheduling and reboots, are the primary bottlenecks.