Windows 11 Update Delays: A Hidden Cyber Resilience Risk | Ready.Set.Midmarket!
Microsoft is giving Windows 11 users more control over when, or if, updates are installed. For many IT teams, that flexibility sounds appealing.
But according to new data from Absolute Security, delaying OS updates may be creating a much larger cyber resilience problem — especially for midmarket organizations with lean IT teams and aging infrastructure.
In this episode of Ready.Set.Midmarket!, MES Computing sits down with Andy Ward, SVP International at Absolute Security, to unpack why patching is no longer routine maintenance — it’s now a critical factor in an organization’s ability to withstand and recover from cyber incidents.
Ward breaks down findings from Absolute’s Cyber Resilience Risk Index, including why Windows 10 and 11 devices are now, on average, 256 days behind on critical patches, why unsupported Windows 10 endpoints create lasting weaknesses, and how patch delays directly impact recovery turnaround after ransomware and outages.
This conversation is essential listening for CIOs, CISOs, and IT leaders navigating Windows 11, endpoint management, and cyber resilience in 2026.
Topics covered:
• Windows 11 update delays and risk
• Patch management vs cyber resilience
• Why unpatched endpoints slow recovery
• What midmarket IT leaders should do next
The full episode can be watched on YouTube and heard on Spotify and Apple Podcasts.
Previous RSM! episodes are here.
Transcript
Samara Lynn
Welcome to Ready.Set.Midmarket! It is the podcast for midmarket IT executives navigating today’s real-time IT issues Today we’re talking about why delaying Windows updates has become a cyber resilience risk for midmarket organizations And I just want to make a note I’m usually joined by my co-host Adam Dennison who is the vice president of midsize enterprise services He couldn’t join us on this episode. We’ll see him the next episode, but I am delighted to introduce Andy Ward. He is the Senior Vice President International of Absolute Security. Andy, thank you so much for joining us.
Andy
Pleasure. Thank you. Thanks very much for the invite.
Samara Lynn
Awesome. And as I mentioned, we’re basing this conversation around some data that Absolute Security just released, which is its 2026 Resilience Risk Index. And what the report really focused on was why enterprise performance is really contingent now on cyber resiliency.
What I found so intriguing about the report was this one nugget It seems like there’s a lot of exposure now by delaying updates. You want to talk a little about talk about a little bit about Absolute Security’s reason for the report
Andy
Yeah, sure. So, Absolute Security, we’re a leader in the endpoint security market. We’re unique, we actually sit in the firmware of devices. So it’s a privileged position, effectively, because we start before even the operating system kicks in. So we have a unique view through the entire stack, and also allows us to do many things. So the resilience report that we recently issued, that one you’re referring to, is a critical report that...really shows the importance of resilience. And obviously we’re inundated across the news continuously around ransomware, it almost becomes white noise because it’s happening so much, but it’s a very, very real threat. So now the concept of, talk five, 10 years ago, even longer than that, we used to talk about stopping the attackers right before they could even get into your organization. Unfortunately, it’s now when they get into the organization as well. What can we do to really mitigate the fallout and really shorten that recovery time. Make sure that you really can get your business up and running. You know exactly where your data is and you minimize that risk. that’s the kind of resilience piece that is we’re referring to in the report.
Samara Lynn
It’s you know, it showed that, some of the data showed that Windows 10 and Windows 11 devices are now 256 days behind on their critical operating system patches. That’s up from 56 days a year earlier. So what’s going on? What’s changing?
Andy
Yeah, staggering, isn’t it? In this day and age that we’re having this conversation, right? You would imagine by now we would be in a much better shape, but unfortunately the data proves otherwise, right? I think a lot of users either push off patches, gets delayed, you sometimes get a knock on effect with patches. They get corrupted with one another and then stops the patch being effectively deployed. But the upshot is that a lot of organizations are nowhere near as well patched as they need to be.
And resilience is only good as these patches to be deployed because a patch in isolation may look okay. But the challenge is even a minor patch that they snowball that they tend to knock on effects, a domino effect. And obviously the knock on effect of these patches means that some of your critical updates aren’t applied, which leaves you exceptionally vulnerable.
Samara Lynn
And just as far as the report goes, when you’re about patches, are you mostly specifically talking about Windows or these other software and apps within organizations?
Andy
Yeah, it’s a great question. Obviously some of them are Windows ones. I’d like to say most of the mandatory ones that I think people are fairly good at. But a lot of the other patches of a software can be security software, ERP software. It’s a knock on. I every software vendor is continuously issuing patches. Some minor to be fair, so that you may leave them and group them into bigger updates. But again, you do get that compounding effect. Because the unique position that we sit across all of the endpoints in our customer base, we know exactly what’s patched at what time to the correct levels. And that gives us a unique insight into actually that the health, we say, of an organization. Particularly when someone starts using our software, they’re pretty shocked because they think they’re well protected, they think they’re fairly well patched. But when you get the data back, it tells you otherwise. So we help organizations with that self-healing to make sure that pretty much whatever you’ve deployed critically around some of those key security applications out there that you are deployed, you do have the latest patches, and most importantly is running because one of the first things, unfortunately, the bad actors tend to do is to get in there and start turning off and stopping some of these applications run, which obviously leaves you even more vulnerable.
Samara Lynn
what factor does patching delays play into how fast you can recover, organization recover from an incident, from a breach?
Andy
Yeah, it’s a great observation. What we tend to mean, the longer that devices have been patched, obviously not only are you increasing the threat profile of the endpoint, you know, getting compromised. And obviously once someone in, can go across the lateral, across the organization. But critically, the more of the unstate, the more devices out there that are unpatched, the harder it can be to remediate those devices. So it’s kind of a twofold thing, really, where you want to always make sure they’ve got the latest patches, the latest updates applied.
But critically, when it comes to the remediation and bringing those device back to a healthy state and a known state, you know, that’s where the patching also kicks in.
Samara Lynn
Right. Did the data also account for just hardware patches, switches, routers, access points? mean, sometimes those things are sometimes in back of mind.
Andy
Yeah, very, very much so. I mean, we tend to focus on predominantly on laptops and desktops. But those patches also can apply. mean, the same thing from, you know, if you look at the industrial devices or anything on your end point, effectively anything that needs to receive a patch can potentially be a back door into the organization. You know, one of the things that we see quite a lot of seeing now is third parties. So your organization can be well patched, well defended.
But you’re only then as good as your third parties. How must you trust them? What’s their patching architecture like? What’s their security posture like? Do they have a cyber resilience plan as well that dovetails into yours? These are the kinds of sort of best practice we organizations need to be looking at. Not just, yeah, great, you know, green tick, we’re in a good shape, but it’s also your vendors that you work with.
Samara Lynn
Yeah. yeah. [I] mean, the supply chain vulnerability, right? It’s like, you know, yeah, when I was a network administrator, the one, the first things I learned was you’re only as strong as your weakest link..
Andy
100%. On that point,is also one thing that we, is that you’ve got to be really careful about the devices actually accessing your networks. So, you know, if you’ve got a trusted network and you’ve got a trusted partner that comes in, but if it’s a bring your own device, ultimately, or they’re using their own devices, and again, you’ve had no visibility of their health, that also immediately opens the back door into your organization to undermining all the, maybe potentially all the good work that you’ve been doing.
Samara Lynn
Yeah.
But I just feel like we’ve had these conversations like in the early 2000s and like we’re still having them and just AI has made everything get at this like frenetic pace.
Andy
Yeah, great. Well, you know, I’d be remiss probably not to mention like the likes of Mythos, for example, which has caused a bit of a flurry in the industry and broader, right, around the fact that the need to obviously to identify these vulnerabilities, new vulnerabilities are potentially being coming forward. It just disenguates the need for the patching to be on top of it. And again, some of these patches maybe look minor, but it’s the knock on effect of
which you tend to not know, is it dependent on another third party that needed that patch to be there in order for maybe for a security application to work? And sometimes it’s that daisy chain of patches that catches you out.
Samara Lynn
You know, just quickly, you know, just regarding the Mythos, Mythos new project, you know, I don’t want to deviate from this important subject of patching, but as a security company, what is your take as an executive there? Is this something that’s good for the industry or something that’s terrifying?
Andy
Well, think anything that helps customers have greater visibility on their environment and it helps them and encourages them to be better protected is I think is not a bad thing because ultimately these if you think about it, these vulnerabilities exist anyway. Maybe this particular AI is just exposing them faster and we’re becoming to light faster. So I think in the right in the right vein is healthy. I think because look, I’m sure there’ll be another AI platform that we’ll talk about in another six months will be even more powerful, maybe more disruptive. but I guess when you take a step back, equally a lot of good can be used by that. A lot of vendors can use this type of technology AI to obviously improve their own code, their own vulnerability. So I guess I think we just see it as a, as a, next phase of the AI journey that we’re all on really. But I think ultimately anything that helps customers be better protected, more aware of their environment can’t be a bad thing.
Samara Lynn
Gotcha, yeah, yeah, for sure. And you know, most of our audience, they’re midmarket teams, they’re lean, they’re resource constrained. What mind shift should they have when it comes to patching? Is there an issue with that in the midmarket that your company has seen?
Andy
I think clearly the 256 days points to we do have an issue. I think a lot of me, I know it’s challenging for mid-sized companies, right? Because they have all of the, you they can be just as target as the bigger companies that have maybe more access to resources and what have you. But the need to be protective has never been greater. So I think either obviously invest in cybersecurity in-house or choose best practice partners to provide that; patching infrastructure for you, security architecture for you to give you that best of breed, best practice, because it’s super important, right? And money does need to be invested and spent on it. you know, I think some of these things are very hard to do in-house, candidly, but there are a lot of good companies out there that you can look at and third-party companies that can provide this type of support. you know, we work with many MSPs, for example, managed service providers and they use our technology to support their extended customer base, many of which are mid-sized companies. So I definitely think, you you’re not alone and, you know, make sure you pick a really good partner to help you with this challenge.
Samara Lynn
Very well said. I want to be mindful of our time, but I still do want to ask you, what risks do you see midmarket IT leaders underestimating as far as how they’re treating, as far as if they’re treating delayed updating as low impact. Like, what’s at stake?
Andy
I mean, it’s huge because, you know, the reality is that the delays leaves them very vulnerable, number one. And if you think about the sophistication of attacks these days, they’re looking for the weakest link into an organization. So a simple laptop, you know, used by an admin person, maybe only working one or two days a week, you may think is a low threat, but ultimately it’s the easiest way in to an organization. If that’s not patched effectively, it kind of compounds.
And I think that kind of complacency will really come back to bite because you’ve got to treat every single endpoint as important and you’ve got to patch it. So, you know, if you think about it, you know, you’ve got to make sure that you really are locking down your environment. You’ve got, you’ve got the best patching, you’re completely updated. But the other thing I would say is also think about the resilience piece, which is key. Unfortunately, whatever the level of sophistication, maybe one day you’ll have an event.
So you want to role play that, work through that, do workshops. What would happen in that scenario? Test your business continuity plans. Most people have business continuity plans, dust them off. I guarantee most companies do not have that cyber resilience piece because you’ve got to make sure that the data set is that corrupted. If you think about again, in the worst case scenario with ransomware, what’s your clean state?
How do you ensure that you’ve even got a clean state to back up from? know, these are some of the best companies with the best testing plans still get caught out. So I think mid-sized companies need to role play this and critically have that resilience plan. And look at the shortest way, you know, the shortest possible way to get your business up and running, who needs critical access and your time to revenue. And I think start with that. It’s not just the, you know, the typical IT systems. You’ve got to think about end users. Because ultimately if you can’t log into those systems because you have a compromised device, a compromised laptop, what’s the plan? You you can’t wait for two, three days to maybe buy a device, FedEx it, build it remotely. I mean, days can kill your business when you think even it can cost you millions per hour, depending on the type of industry you’re in. So these are the types of things.
Samara Lynn
Yeah, absolutely for sure. Well, I think that’s some great advice and you know, cybersecurity is an ever-evolving battle in the midmarket for cybersecurity teams. Thank you so much for your great advice and your insight. And just so you know, we have coverage for Absolute Security. I think one of their latest, most recent news was integrating with ConnectWise ...
Andy
Indeed.
Samara Lynn
... as part of battling this ongoing cyber threat landscape. So you can check that on MES computing and we’ll put a link to get access to the Absolute security risk resilience report for 2026. And I wanna thank you, Andy, so much for your time and your insight today.
Andy
Perfect, thank you.