SMB Patching Delays: 39 Days to Update 10% of Devices – Acronis Report

March 5, 2026 Sarah Wu - Tech Editor Tech and Science

Small and midsize businesses (SMBs) often take days, and sometimes weeks, to install critical software updates, leaving their systems vulnerable to exploitation after a security flaw becomes public. Fresh data from Acronis highlights a significant gap between typical patching behavior and a concerning “tail risk” – a subset of endpoints that remain unpatched for extended periods, creating a prolonged window of exposure for attackers. This unhurried patching cycle isn’t necessarily due to technical failures, but rather operational friction related to scheduling, reboots, and devices that are frequently offline.

Analysis by the Acronis Threat Research Unit, based on telemetry collected during the second half of 2025, revealed a global median installation time of 185 hours (7.7 days) for Microsoft patches. However, the slowest 10% of deployments languished for a staggering 926 hours (38.6 days). Although third-party application updates generally installed faster, with a median of 136 hours (5.7 days), the same long tail of delayed deployments persisted, reaching 597 hours (24.9 days) for the 90th percentile. This disparity underscores the challenges organizations face in maintaining a consistent and timely patching cadence across their entire infrastructure.

Patch Status: A Snapshot of the Problem

The Acronis telemetry provides a detailed look at patch status across endpoints. Globally, Microsoft patches were most frequently found to be “New / Pending” (49.6%) or “Obsolete” (44.9%). A mere 3.6% were “Installed,” with 1.1% awaiting a reboot and 0.7% having “Failed” installation. Third-party updates showed a similar pattern: 51.9% were “New / Pending” and 43.2% were “Obsolete,” while 4.0% were successfully installed. The high percentage of “Obsolete” patches doesn’t necessarily indicate negligence; it can reflect organizations catching up on updates in waves, as older updates are superseded by newer versions.

The Impact on SMBs and Managed Service Providers

The report specifically focuses on SMB environments and the managed service providers (MSPs) who often manage their IT infrastructure. Patch management is widely recognized as one of the most effective security controls, but it frequently clashes with the need for system uptime and minimizing disruption to users. Line-of-business applications can also impose constraints on update schedules. Devices that aren’t consistently connected to the network, such as laptops used remotely, further complicate and extend deployment times. Acronis Ultimate 365, launched in February 2025, aims to address these challenges by providing a unified platform for Microsoft 365 protection, including backup, extended detection and response (XDR), and security features.

Acronis notes that slow patch cycles often lead to reactive work for MSPs, including emergency escalations when high-profile vulnerabilities are exploited and after-hours remediation efforts. This contrasts sharply with more proactive approaches, such as staged rollouts and planned maintenance windows, which can significantly reduce the risk of successful attacks. The company emphasizes that a predictable patching process is more efficient and cost-effective than constantly responding to security incidents.

Geographical Variations in Patching Speed

Patching speeds varied considerably across different countries. Median patch times for Microsoft updates ranged from approximately four days to nearly 15 days. However, the size of the “tail” – the percentage of endpoints with significantly delayed patching – proved to be a key differentiator. Some regions exhibited a tighter distribution, with even the slowest endpoints completing updates within a few weeks. Others showed 90th-percentile values stretching into months, suggesting that standard patching processes aren’t reaching a substantial portion of devices. Mexico, Germany, the United Kingdom, and Spain were among the fastest median performers for Microsoft patch deployment, often correlating with standardized IT fleets and clearly defined maintenance windows.

Diagnosing Operational Friction

Interestingly, third-party patching was generally faster than Microsoft patching in the Acronis telemetry. The company suggests this difference can be a valuable diagnostic tool. Organizations may find it easier to update applications discreetly, but struggle with the disruption caused by operating system updates, the need for administrative approvals, or coordinating reboots. It’s crucial to remember that vulnerabilities in third-party applications are also a common entry point for attackers and should be tracked alongside operating system updates. DCIG recognized Acronis Cyber Protect Cloud as a TOP 5 Microsoft 365 SaaS backup solution for MSPs, highlighting its integrated approach to security and data protection.

The report emphasizes that failed installations were relatively rare, suggesting that most endpoints *can* patch successfully when deployments are attempted. The primary bottlenecks are instead related to scheduling, deferred restarts, and unreachable devices. This points to the need for improved operational processes rather than solely focusing on technical solutions.
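One way to measure the median-versus-tail gap and the blockers behind it on your own fleet, as an added example that is not from Acronis or its report. The record layout, blocker labels and sample values are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from statistics import median

# Constructed sample rows: (endpoint, patch_class, hours from release to install,
# what held the install up). Field names and blocker labels are hypothetical.
RECORDS = [
    ("pc-01", "microsoft", 48, "none"), ("pc-02", "microsoft", 72, "none"),
    ("pc-03", "microsoft", 96, "none"), ("pc-04", "microsoft", 150, "none"),
    ("pc-05", "microsoft", 170, "none"), ("pc-06", "microsoft", 190, "none"),
    ("pc-07", "microsoft", 240, "awaiting_approval"),
    ("pc-08", "microsoft", 300, "pending_reboot"),
    ("pc-09", "microsoft", 900, "pending_reboot"),
    ("pc-10", "microsoft", 1100, "offline"),
    ("pc-01", "third_party", 24, "none"), ("pc-02", "third_party", 48, "none"),
    ("pc-03", "third_party", 72, "none"), ("pc-04", "third_party", 120, "none"),
    ("pc-05", "third_party", 130, "none"), ("pc-06", "third_party", 150, "none"),
    ("pc-07", "third_party", 160, "none"), ("pc-08", "third_party", 200, "none"),
    ("pc-09", "third_party", 590, "awaiting_approval"),
    ("pc-10", "third_party", 700, "offline"),
]

def percentile(values, pct):
    """Nearest-rank percentile: smallest value with pct% of the data at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]

def latency_summary(records):
    """Median and 90th-percentile install latency (hours) per patch class."""
    by_class = defaultdict(list)
    for _, patch_class, hours, _ in records:
        by_class[patch_class].append(hours)
    return {c: {"median_h": median(v), "p90_h": percentile(v, 90)}
            for c, v in by_class.items()}

def tail_blockers(records, patch_class, pct=90):
    """Count the recorded blockers for installs at or beyond the pct-th percentile."""
    hours = [h for _, c, h, _ in records if c == patch_class]
    cutoff = percentile(hours, pct)
    return Counter(b for _, c, h, b in records if c == patch_class and h >= cutoff)

if __name__ == "__main__":
    print(latency_summary(RECORDS))
    print(tail_blockers(RECORDS, "microsoft"))
```

A healthy median alongside a p90 several times larger, with the tail dominated by reboot or connectivity blockers rather than failures, is the pattern the report describes.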

Beyond the Numbers: Understanding the Risks

The extended patching windows identified by Acronis create a significant risk for SMBs. Attackers often move quickly to exploit newly disclosed vulnerabilities, and the longer a system remains unpatched, the greater the chance of a successful attack. This is particularly concerning for smaller organizations, which may lack the resources and expertise to effectively defend against sophisticated cyber threats. The delay isn’t just about the vulnerability itself; it’s about the window of opportunity it provides to malicious actors. A vulnerability disclosed on Monday, with a patch available, isn’t the same risk as a vulnerability disclosed on Monday that isn’t addressed until the following month.

What Comes Next: Improving Patching Throughput

Addressing this issue requires a shift in focus from simply identifying vulnerabilities to improving the *throughput* of the patching process. Organizations should prioritize streamlining update schedules, automating reboots where possible, and ensuring that all devices are regularly connected to the network. Staged rollouts, where updates are deployed to a small group of test devices before being rolled out to the entire organization, can help identify and resolve any compatibility issues before they impact a large number of users. Acronis experienced significant industry recognition in 2025, including accolades for its Microsoft 365 backup solutions.

For MSPs, this means investing in tools and processes that enable them to efficiently manage patching across multiple clients. Centralized patch management platforms, automated deployment tools, and proactive monitoring can all help reduce the risk of delayed patching and improve overall security posture. A proactive and well-managed patching process is essential for protecting SMBs from the ever-evolving threat landscape.
