In the first edition of our Benchmarks for CIOs, we argued there’s a dire need for more clarity in our industry. After reviewing the latest round of reporting, our opinion hasn’t changed.
The troubling trends we highlighted in May pertaining to security, ITAM, SAM, and GenAI readiness have remained consistent. Where notable changes occurred, they were almost always in the wrong direction.
But don’t just take our word for it – let’s see what the data has to say.
Welcome Back to Block 64’s Benchmarks for CIOs
For the second edition of Benchmarks for CIOs, we surveyed a new batch of 210,000 endpoints across 350 organizations in North America. The data, collected in the weeks leading up to June 19, 2024, originates from Block 64 customers using our Discovery & Insights platform to measure, manage, and modernize their IT environments.
So, what did we find out?
Security: Businesses are Over-Exposed and Under-Protected
The security landscape continues to display significant vulnerabilities and gaps:
- 60% of endpoints are exposed to critical vulnerabilities: This alarming finding shows that 60% of endpoints operate with a vulnerability score above 9 out of 10 on the Common Vulnerability Scoring System (CVSS). That figure nearly triples the 22% reported in our first Benchmarks article, which was based on data collected in April 2024. From an organizational perspective, 63% of all businesses surveyed had at least one critical vulnerability in their environment.
- Critical exposures across Windows and SQL servers: Our study shows that roughly half of organizations are running Windows or SQL servers that are no longer supported. Specifically, 44% of organizations are running unsupported SQL servers, and 53% are managing unsupported Windows Server versions. On an endpoint basis, 23% of SQL Server installs and 14% of all Windows Server installs are unsupported.
- 59% of businesses have antivirus gaps: Although it seems small, the 2.65% of endpoints without antivirus software, up from 1.25% in the previous report, represents a significant security risk. Viewed organizationally, 59% of businesses have at least one endpoint missing antivirus protection, a slight increase from the previous report.
ITAM: Stagnant Hardware and Resource Management
Hardware and resource management show no significant improvement – continuing to drain resources and threaten productivity:
- 44% of devices are out of warranty: This persistent figure suggests a widespread deficiency in lifecycle management, with 100% of businesses surveyed running at least one out-of-warranty device. Our previous report showed the exact same percentages, meaning no change.
- 97% of servers use less than 25% of available resources: Up from 92% in the May 2024 report, this statistic indicates that significant overprovisioning is getting worse, with 60% of North American businesses having at least one server that is severely underutilizing its resources. Those businesses are likely paying for the cooling, power and floor space needed to keep that idle capacity running.
SAM Challenges: Java Licensing Risks and Compliance Concerns
Licensing complexities continue to affect software asset management – and pose heavy financial burdens and risks.
- 63% of businesses face Java licensing risk: Changes in Oracle’s Java licensing have forced many companies to reassess their software usage and licensing strategies, potentially increasing expenses by up to 90%. Our findings show an improvement, with 56% of customers now using a commercial version of Java, down from 63%. Those customers must assess their current licensing position and investigate alternative options to avoid serious audit risk, as outlined in our article here.
Gen AI Readiness: Microsoft 365 Underutilization
Usage of Microsoft 365 remains critical for workplace modernization and the implementation of next-gen tools such as Copilot. Unfortunately, adoption of the full suite of Microsoft 365 tools appears to remain low:
- 67% of Microsoft 365 users aren’t using Teams: With 45% of users not leveraging the full capabilities of their Microsoft 365 tools, there’s significant room for improvement. Notably, 67% are not using Teams and 57% are not using Outlook. These percentages are moving in the wrong direction, with usage of Teams and Outlook each dropping by at least 20% compared to the May 2024 report.
Related: Read our guide to getting ready for M365 Copilot adoption
Getting Specific: Top Critical Vulnerabilities
After seeing that more than half of all businesses were running software with a critical vulnerability, we wanted to know more. So, we updated our reports to figure out which software was most affected and what exactly the risks to the business were. Here’s what we found:
- Browsers: Chrome and Microsoft Edge: As the majority of work now occurs in the browser, keeping it secure is paramount. Unfortunately, significant security risks appeared on 16% of endpoints, which were running outdated versions of Chrome and Microsoft Edge. These legacy versions of Chromium-based browsers are susceptible to a buffer overflow vulnerability rated 9.6 on CVSS, which can lead to system crashes or allow malicious code execution. Patches for these vulnerabilities were released in November 2022, indicating that these risks stem from overlooked or ignored updates.
- Software Development Tools: .NET, PowerShell, Docker: Critical vulnerabilities were identified across essential software development tools. In the .NET suite, 1,900 installations of PowerShell and numerous installations of .NET Framework are exposed to a new vulnerability rated 9.8 on CVSS, patched in January 2024. Similarly, 100% of the customers we surveyed who use Docker are behind on updates for a separate vulnerability with a CVSS score of 9.8, underscoring the need for immediate patch management and update compliance.
- Media Players: VLC, Shockwave, and Apple QuickTime: Our survey revealed that more than 1,600 installations of legacy VLC media players across 36 customers are at risk due to an out-of-bounds write vulnerability, patched in late 2023. Shockwave and Apple QuickTime also present significant risks, with obsolete versions susceptible to exploits that have been known since before 2019. The continued use of these outdated media players highlights a severe oversight in maintaining current software defenses.
- Apple Operating Systems: iTunes, iCloud: Vulnerabilities in Apple’s ecosystem, particularly affecting older versions of its OS, iTunes, and iCloud, are also concerning. More than 1,600 installations of legacy iCloud versions were found across various endpoints, all within a single customer’s network. This older vulnerability, patched back in 2020, is a buffer overflow that could compromise system integrity and data security.
What should you do?
The numbers we saw back in May were disheartening. By the end of June, many of the risks to ITAM, SAM, and security had only gotten worse.
So, what should a business leader do?
The persistent issues highlighted in our report underscore the urgent need for strategic revisions in IT security and asset management. The first step is getting the insights to determine your current state. You can’t act if you don’t know where the gaps are.
Block 64 helps illuminate IT blind spots, enabling you to manage risks and optimize resources efficiently. Contact us for a demo or sign up for a free trial to start mastering your IT environment.
Subscribe to our newsletter on LinkedIn
Thought this was interesting? There’s plenty more research, news and advice for IT professionals on our LinkedIn newsletter. Sign up today.