A concerning 81% of chief information security officers (CISOs) and chief information officers (CIOs) are routinely delaying security patches in order to avoid disruption to day-to-day business operations, according to research published today.
The Global Resilience Gap study by Tanium looked at organisations in the UK, Japan and the US, and sounds serious alarm bells about cybersecurity practices among businesses.
It also found that 94% of CIOs and CISOs were making other compromises related to protecting their IT systems from cyberattacks and other security issues, indicating that, despite growing awareness around cybersecurity, businesses are still not adequately prioritising the issue.
Security patches vs productivity
Delays in installing security patches are particularly concerning as these often include vital updates to protect against active cybersecurity threats – meaning that businesses are leaving themselves exposed by failing to apply them immediately.
This also has potential implications for GDPR, as in some cases failing to apply security patches puts businesses at increased risk of a data breach.
“We have long been told that businesses and individuals alike need to be planning ahead of hacks and the ensuing data breaches, but with hackers becoming more creative it seems our cybersecurity needs to be improved across all industries,” said Paolo Sartori, managing director of TransWorldCom.
“Businesses simply cannot risk cutting corners when it comes to data and cybersecurity protection. CIOs and CISOs may think that halting business in order to ensure that a company’s security is up to date and robust will result in a loss of productivity. However, it will be minimal compared to the potential loss of productivity following a data breach or cyberattack.”
Such decisions also highlight the ongoing need for cybersecurity education – even at senior levels.
“While companies normally have excellent and secure cyber security, it is only as strong as the security measures of individual employees, as malicious emails can penetrate even the most robust protection measures. In terms of ensuring that data is safe and secure for the future, there needs to be a concerted effort to educate individuals against the full scope of data threat,” added Sartori.
“Personal and professional cybersecurity go hand-in-hand, a chain is only as strong as its weakest link, and information officers putting off security patches, for example, leave us all exposed.”