Despite the efforts to defend against software vulnerabilities, businesses are still being compromised through known security issues. HP Security Research just released its 2015 Cyber Risk Report, which revealed a majority of bugs exploited in 2014 took advantage of code written years ago, and 44% of known breaches came from vulnerabilities that are two to four years old.

“Many of the biggest security risks are issues we’ve known about for decades, leaving organizations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager of enterprise security products at HP. “We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver-bullet technology; rather, organizations must employ fundamental security tactics to address known vulnerabilities and, in turn, eliminate significant amounts of risk.”

The reason companies keep getting attacked is the lack of sufficient patching of the vulnerabilities that exist, as well as misconfiguration of the technologies they are using, according to Gilliland.

Some of HP’s recommendations to warding off attacks include:

  • Employing a comprehensive and timely patching strategy
  • Identifying issues through regular penetration testing and verification of configurations
  • Understanding new avenues of attack before they are exploited
  • Collaborating with the security industry to gain insight into adversarial tactics
  • Adopting complementary protection strategies

The report also found that server misconfigurations were the No. 1 vulnerability of 2014, with access to unnecessary files and directories also being high on the list.

“The information disclosed to attackers through these misconfigurations provides additional avenues of attack and allows attackers the knowledge needed to ensure their other methods of attack succeed,” the report stated.

Other key findings included an increase of attack avenues due to new connected devices, and that most vulnerabilities stem from defects, bugs and logic flaws.

The full report can be found here.