More than a quarter (27%) of enterprise IT departments in the US are forced to wait at least a month before installing vital security updates, due to budgetary restraints and overly complex infrastructures. That’s according to Kollective’s new ‘State of Software Delivery’ report that examines the software testing and distribution bottlenecks throughout large organizations.

The report incorporates research from 260 IT managers, leaders and decision makers and highlights how the network security of US businesses is failing to meet industry expectations. These failings are especially common among large organizations – with 45% of those with more than 100,000 computer terminals waiting at least a month before installing vital security updates.

The failure to rapidly deploy and install security updates is placing businesses at greater risk of a targeted cyberattack, as hackers look to exploit the vulnerabilities of outdated systems. Kollective’s report also found that 37% of IT managers list ‘a failure to install updates’ as the biggest security threat of 2018. This makes outdated software a bigger threat than password vulnerabilities (33%), BYOA / BYOD (22%) and unsecured USB sticks (9%).

Even more startling, 13% of large businesses have given up on actively managing software distribution, and are, instead, passively asking employees to update their own systems.

Kollective blames the failure to install updates on a combination of slow testing procedures and an inability to distribute updates automatically at scale. As Dan Vetras, CEO of Kollective explains: “Following numerous corporate cyberattacks over the last 12 months, today’s businesses are spending more than ever before on enhancing and improving their security systems. But, this investment is wasted if they aren’t keeping their systems up-to-date.

“While it’s obviously important for IT teams to spend time testing new software and updates before rolling them out, our research has found that many of the delays in software distribution aren’t because of testing, but rather a lack of infrastructure. Poorly constructed networks mean that, even those companies that have made a significant investment in security software, are still leaving their organizations vulnerable to attack. With a growing number of applications being left out of date, today’s businesses are creating their own backdoors for hackers, botnets and malware to attack.”