Data breaches break records: ESET emphasizes the importance of fixing known vulnerabilities

The financial costs of data breaches continue to rise, as reported by Open Security. According to the latest Cost of a Data Breach Report, the average impact per incident reached $4.88 million in 2024, setting a new historical high. In this context, cybersecurity company ESET emphasizes the importance of proactive vulnerability management as a fundamental measure to prevent such incidents, many of which could have been avoided.

“What we see both in Spain and other countries is that many breaches are not due to highly sophisticated or unknown attacks, but rather to vulnerabilities that have already been identified and have available solutions, yet they are not corrected in time,” warns Josep Albors, Director of Research and Awareness at ESET Spain. According to the expert, the real challenge is not only detecting emerging threats but also applying existing patches quickly enough to close any entry points as soon as possible.

The challenge of known vulnerabilities

Although public attention often focuses on new types of malware or unknown exploits, the reality is that the vast majority of attacks rely on documented vulnerabilities. According to ESET, by the end of 2024, the Common Vulnerabilities and Exposures (CVE) database had reached a record of over 40,000 entries. Yet many companies still lack effective patching protocols, opening the door to attacks such as ransomware, data theft, or silent intrusions that remain hidden for months.

“In many past incidents, subsequent analyses revealed that the initial point of entry was a CVE that had already been publicly disclosed and had a patch available. This should serve as a warning, as organizations do not need to anticipate all future threats to protect themselves effectively, but rather to address the known ones efficiently,” explains Albors.

Scanning more doesn’t always mean being better protected

More and more organizations are conducting periodic security assessments: in 2024, 24% of them performed more than four vulnerability scans, up from 15% in 2023. However, ESET warns that a higher number of scans does not guarantee better results unless accompanied by a risk-based prioritization strategy.

“Security teams are often overwhelmed by reports listing hundreds or even thousands of potential vulnerabilities, with little guidance on which ones pose the greatest risk to the organization,” the expert comments. Therefore, ESET advocates that factors such as ease of exploitation, the importance of the affected asset, or active campaigns exploiting the vulnerability should guide decisions on which patches to apply first.

A critical investment for business continuity

Relying solely on traditional endpoint security solutions is no longer enough. According to ESET, many incidents originate in unpatched software. Vulnerability and patch management tools, such as ESET Vulnerability & Patch Management, allow the automation of updates and significantly reduce the attack surface. “With an average cost close to five million dollars per breach, vulnerability management is now an essential part of business continuity. In Spain, where SMEs account for over 95% of the business fabric, this step is critical to preempt cybercriminals and protect data and reputation,” concludes Josep Albors.
