Stop Patching Everything: The 1% Rule That Keeps SMBs Secure Without Burning Out

---

There are two kinds of businesses when a new vulnerability drops.​‌‌‌​​​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌‌​‌​​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​‌‌‌​‍​‌‌​‌‌‌‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​​‌‌​​​‌‍​‌‌‌​​​​‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌‌​‌​‌‍​‌‌​‌‌​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

The first kind tries to patch everything immediately, burns out their IT team, misses the critical ones in the noise, and wonders why they're still getting compromised.

The second kind runs a simple filter: Is this being actively exploited? Does it affect something we actually use? They patch those first, fast, and move on.​‌‌‌​​​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌‌​‌​​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​‌‌‌​‍​‌‌​‌‌‌‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​​‌‌​​​‌‍​‌‌‌​​​​‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌‌​‌​‌‍​‌‌​‌‌​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

According to new research, only the second approach actually works.

What Is the 1% Vulnerability Rule — and Why Does It Matter for Your Business?

The 2026 VulnCheck Exploit Intelligence Report analysed over 500 data sources and tracked every security flaw reported in 2025 [1]. The headline finding is striking: of the 48,000 CVEs (Common Vulnerabilities and Exposures) published in 2025, only 1% were actually exploited in real-world attacks by the end of the year.

That means 99% of the security notifications flooding your inbox, your IT dashboard, and your vendor alerts — for flaws that nobody is actively using against real businesses.

VulnCheck CTO Jacob Baines made the implications clear: "Those vulnerabilities are being weaponised faster and at greater scal

e" [1]. The problem is not the volume of CVEs — it's that when attackers do pick a flaw, they move with extraordinary speed. According to CrowdStrike's 2026 Global Threat Report, the average time for an attacker to move from initial access to broader network compromise (breakout time) has dropped to 29 minutes [4].

This creates a clear strategic priority for SMBs: don't patch everything — patch the right things immediately.

Related: 1 in 4 Data Breaches Now Come Through Your Vendors: What SMBs Must Do Today

Which Vulnerabilities Are Actually Being Exploited Right Now?

Two research bodies independently confirmed that attackers are highly selective about which flaws they weaponise — and predictable in their preferences.

VulnCheck's "Routinely Targeted Vulnerabilities" list for 2025 identified 50 CVEs with elevated, multi-dimensional threat profiles [1]. These are flaws that meet three criteria: widely deployed software, easy to exploit, and actively attacked. The top of that list includes flaws in Microsoft SharePoint (CVE-2025-53770) and SAP NetWeaver (CVE-2025-31324), software used by hundreds of thousands of businesses worldwide.

IBM's 2026 X-Force Threat Intelligence Index adds important context: 44% of attacks that began with exploiting public-facing applications involved missing authentication controls [2]. In plain terms, the most-attacked flaws are ones where attackers can walk in without even needing a username and password.

A critical data point from VulnCheck: 56.4% of ransomware-linked vulnerabilities were first identified through zero-day exploitation — meaning businesses were hit before a patch even existed [1]. And one-third of 2025 ransomware vulnerabilities still had no public fix available at the start of 2026.

This shifts the calculus. The question is not just "which CVEs are patched?" but "which critical systems have no patch yet — and how do we reduce our exposure to them in the meantime?"

What CISA's Known Exploited Vulnerabilities List Does for Your Patch Strategy

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) publishes and maintains a Known Exploited Vulnerabilities (KEV) catalogue — a continuously updated list of flaws that have confirmed evidence of real-world exploitation [3]. It is free, public, and updated as new exploits are confirmed.

VulnCheck added 884 vulnerabilities to its equivalent KEV dataset in 2025, with nearly half (47.7%) being brand-new CVEs disclosed that same year [1]. This reinforces what CISA has been telling federal agencies: the gap between vulnerability disclosure and active exploitation is shrinking.

CISA demonstrated exactly this on February 26, 2026, when it issued an emergency directive ordering all federal agencies to patch Cisco Catalyst SD-WAN systems by end of business February 27 [5]. The directive was triggered because "forensic analysis" demonstrated the ease of exploiting these vulnerabilities required immediate action — an unauthenticated remote attacker could bypass authentication entirely and gain administrative control [6].

While that directive applies to federal agencies, the Cisco SD-WAN vulnerability (and CISA's response to it) is a masterclass in what "urgently exploitable" looks like — and why any business using Cisco SD-WAN should be patching now, not waiting for their next maintenance window.

Related: AI Let One Hacker Breach 600 Firewalls in 5 Weeks

How Does IBM's 2026 X-Force Report Change What SMBs Should Do?

IBM X-Force's 2026 Threat Intelligence Index — based on real incident response data from thousands of cases globally — offers a sobering but instructive picture [2]:

• Vulnerability exploitation is now the #1 initial access method, accounting for 40% of all incidents observed. Phishing and credential theft remain significant but have been overtaken.
• Active ransomware and extortion groups surged 49% year-over-year, with IBM identifying 109 distinct extortion groups in 2025 — up from 73 in 2024.
• Supply chain compromises quadrupled since 2020, as attackers increasingly exploit the trust between businesses and their software vendors.
• 300,000+ ChatGPT credentials were advertised on dark web markets in 2025, stolen by infostealer malware — demonstrating that AI tools now carry the same credential risk as any other enterprise software.
• Manufacturing was the most targeted sector for the fifth consecutive year, accounting for 27.7% of all X-Force incidents.

For SMBs, the IBM data points to three concrete actions: (1) prioritise patching public-facing applications — especially those that don't require authentication to access admin functions; (2) treat your AI tool credentials with the same security discipline as your banking passwords; and (3) audit your software supply chain, because attackers are increasingly getting in through your vendors, not you directly.

What Is the Smart Patch Priority Framework for Small Businesses?

Based on the research, here is a practical, four-tier framework for prioritising patches without burning out your team:

Tier 1 — Patch within 24 hours: Any vulnerability on CISA's KEV list that affects software you use. These have confirmed active exploitation. No exceptions, no waiting for maintenance windows [3].

Tier 2 — Patch within 7 days: Critical (CVSS 9.0+) vulnerabilities in internet-facing systems — your web apps, VPN gateways, email servers, firewall management interfaces. IBM X-Force found these are the most frequent initial access points [2].

Tier 3 — Patch in next scheduled maintenance window: High-severity (CVSS 7.0–8.9) vulnerabilities in internal systems. Important, but attackers need existing access to reach them — so they're not the first door they try.

Tier 4 — Monitor and schedule: Everything else. That's the other 99% of CVEs that don't get exploited. Document them, track them, but don't let them eat your team's capacity.

CrowdStrike's 2026 report emphasises that 82% of modern detections are malware-free attacks — meaning attackers increasingly log in using stolen credentials rather than deploying software [4]. This means patching alone is not enough: strong authentication (MFA, especially for admin accounts) is equally critical alongside your patch programme.

Practical Steps You Can Take Today

1. Bookmark the CISA KEV catalogue: Visit cisa.gov/known-exploited-vulnerabilities-catalog and subscribe to updates. If your organisation uses any listed software, prioritise immediately.

2. Check whether you're running Cisco Catalyst SD-WAN: If yes, patch now. The emergency directive issued February 26 is not limited to government — the underlying vulnerability allows unauthenticated admin access and is actively exploited [5, 6].

3. Enable MFA on every external-facing system: IBM X-Force found that many exploited vulnerabilities involved missing authentication controls [2]. MFA won't patch a software flaw, but it raises the cost of attack dramatically.

4. Run a quarterly inventory of public-facing applications: You cannot patch what you do not know you have. A simple spreadsheet of externally accessible apps, their vendor, version, and last patch date is a better investment than most expensive tools.

5. Subscribe your IT contact to VulnCheck's free community tier: Free access to their KEV dataset gives your team early warning on which new CVEs are actually being weaponised — before the mainstream security press picks them up [1].

---

FAQ

References

[1] VulnCheck, "2026 VulnCheck Exploit Intelligence Report," VulnCheck, Feb. 2026. [Online]. Available: https://www.vulncheck.com/blog/2026-vulncheck-exploit-intelligence-report

[2] IBM Security, "2026 X-Force Threat Intelligence Index," IBM, Feb. 25, 2026. [Online]. Available: https://www.ibm.com/reports/threat-intelligence

[3] CISA, "Known Exploited Vulnerabilities Catalog," Cybersecurity and Infrastructure Security Agency, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[4] CrowdStrike, "2026 CrowdStrike Global Threat Report," CrowdStrike, 2026. [Online]. Available: https://www.crowdstrike.com/en-us/global-threat-report/

[5] CISA, "Emergency Directive ED-26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems," CISA, Feb. 26, 2026. [Online]. Available: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems

[6] N. Andersen, quoted in "CISA gives agencies until Friday to patch critical cyber bug," Federal News Network, Feb. 26, 2026. [Online]. Available: https://federalnewsnetwork.com/cybersecurity/2026/02/cisa-gives-agencies-until-friday-to-patch-critical-cyber-bug/

[7] Cisco, "Cisco Catalyst SD-WAN Manager and Controller Vulnerabilities," Cisco Security Advisory, Feb. 2026. [Online]. Available: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

[8] J. Baines, "VulnCheck Routinely Targeted Vulnerabilities 2025," VulnCheck, Feb. 2026. [Online]. Available: https://www.vulncheck.com/2025-routinely-targeted-vulnerabilities

[9] Hackread, "Report Finds Just 1% of Security Flaws Drive Most Cyberattacks in 2025," Hackread, Feb. 27, 2026. [Online]. Available: https://hackread.com/1-security-flaws-drive-cyberattacks-2025-report/

[10] M. Hughes, "IBM 2026 X-Force Threat Intelligence Index press release," PR Newswire, Feb. 25, 2026. [Online]. Available: https://www.prnewswire.com/news-releases/ibm-2026-x-force-threat-index-ai-driven-attacks-are-escalating-as-basic-security-gaps-leave-enterprises-exposed-302696274.html

---

Is your patch programme strategic or reactive? lilMONSTER helps SMBs build a vulnerability management process that focuses on real risk — not CVE anxiety. Book a free consult →