Your security software is broken 76 days a year. That is not a guess. That is telemetry from tens of millions of enterprise endpoints.
Absolute Security dropped its 2026 Resilience Risk Index this week at RSA Conference, and the headline number is brutal: endpoint security software fails to protect devices nearly 21 percent of the time. That means the average enterprise PC spends 76 days per year with its defenses down — patches missing, agents crashed, policies unenforced.
Let that sink in. If you are a small business running CrowdStrike or SentinelOne and assuming you are covered, there is a one-in-five chance that right now, on at least one of your machines, the software is not actually working.
This is the kind of finding that should change how you think about security. Not as a product you buy, but as a process you verify.
This Week in Getting Hacked
March 2026 has been relentless. Here is what happened while your endpoint agent was maybe-possibly running:
Medusa ransomware shut down 35 hospital clinics. The gang hit University of Mississippi Medical Center on February 19, and the fallout lasted over a week. Thirty-five clinics closed across the state. Elective surgeries canceled. Imaging appointments suspended. Staff reverted to handwritten charts. The Epic electronic health record system went dark for nine days. Medusa claimed to have stolen over 1 TB of patient data and demanded $800,000. They hit Passaic County, New Jersey the same week — disrupting services for 600,000 residents.
Iran-backed hackers wiped 200,000 Stryker devices. The group Handala, linked to Iran's Ministry of Intelligence, compromised admin credentials for Stryker's Microsoft Intune console and issued a remote wipe command across 79 countries. Two hundred thousand devices. A medical technology company. The credentials were likely stolen through infostealer malware — the kind that quietly harvests passwords from browsers and credential stores.
Microsoft patched 79 vulnerabilities, including two zero-days. March Patch Tuesday addressed flaws across Windows, Office, Azure, SQL Server, and .NET. Two were already being exploited in the wild: a SQL Server privilege escalation (CVE-2026-21262) that lets attackers reach SQLAdmin, and a .NET denial-of-service bug (CVE-2026-26127). Three more were rated Critical, including two Office remote code execution flaws.
A security scanner became a weapon. In the most sophisticated CI/CD supply chain attack documented to date, a threat actor called TeamPCP compromised Aqua Security's Trivy vulnerability scanner and Checkmarx's KICS scanner through a single stolen GitHub token. They force-pushed malicious code to 110+ version tags across four GitHub Actions repositories, turning the security tools that developers trust to find vulnerabilities into three-stage credential stealers. The attack cascaded across Docker Hub, npm (66+ packages), and VS Code extensions. If you ran Trivy or KICS in your CI pipeline between March 19 and March 23, your secrets may have been exfiltrated.
LeakBase went down. Law enforcement shut down the cybercrime forum with 140,000 users that had been trafficking stolen credentials since 2021. Good news, but the credentials that already leaked are still out there.
The Pattern Nobody Talks About
Look at these incidents together and a pattern emerges that most security vendors will not tell you about:
Credentials are the new perimeter. Stryker was not breached through a firewall exploit or a zero-day. Attackers got admin credentials — probably from an infostealer — and used a legitimate management tool to wipe devices. The "breach" was someone logging in with the right password.
Ransomware groups target the unable, not the unwilling. Medusa did not hit UMMC because hospitals have bad security teams. They hit them because healthcare organizations run complex environments with legacy systems, shared workstations, and clinical workflows that make patching painful. The 21 percent failure rate from the Absolute Security report? In healthcare, it is almost certainly higher.
Your security tools can be turned against you. The TeamPCP attack is genuinely terrifying because it weaponized the tools developers use to check for vulnerabilities. Trivy is one of the most popular open-source security scanners in the world. Thousands of organizations run it automatically in every CI/CD pipeline. When the attackers poisoned those version tags, every pipeline that ran became a credential exfiltration machine — and the developers had no idea because the tool still looked like it was doing its job.
Patching is not optional, but it is not sufficient either. Microsoft patched 79 flaws this month. That is great. But the SQL Server zero-day (CVE-2026-21262) was already being exploited before the patch dropped. If your security strategy is "patch and pray," you are already behind the people who are exploiting the gap between disclosure and deployment.
What Small Businesses Should Actually Do
If you are running a business with 10 to 200 employees, here is what this week's news means for you:
Verify your tools are running. Do not assume your endpoint protection is working. Check it. The Absolute Security report found that 21 percent of the time, it is not. Run a monthly check: is the agent installed, is it updated, is it actually reporting? If you cannot answer those three questions for every machine, you have a gap.
Assume credentials are compromised. After the Stryker incident, this should be obvious. Enable multi-factor authentication everywhere — especially on admin consoles for device management, email, and cloud services. If an attacker gets a password, MFA is the difference between "they logged in" and "they wiped 200,000 devices."
Patch within 72 hours for Critical and High. The window between a vulnerability being disclosed and being exploited is shrinking. For the March Patch Tuesday zero-days, that window was zero — they were already being exploited. Have a process. Test patches in a staging environment if you can, but do not let "testing" become an excuse for "never deploying."
Pin your GitHub Actions to commit hashes. If you use GitHub Actions in your CI/CD pipeline, stop referencing actions by version tag. Tags can be force-pushed — that is exactly how the TeamPCP attack worked. Instead, pin to the full commit SHA. Change uses: aquasecurity/trivy-action@v0.69 to uses: aquasecurity/trivy-action@a1c055e. It takes five minutes and it would have completely prevented the Trivy supply chain attack from affecting your pipelines.
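As an added example (not code from the article, Absolute Security, or the Trivy project), here is a small Python checker that applies the pinning rule above to a workflow file: it treats only a full 40-character hex commit SHA as pinned, which is the form GitHub resolves as an immutable reference, and flags version tags, branches and abbreviated SHAs for re-pinning. The workflow text and the SHA inside it are constructed for the demonstration.

```python
import re

# Constructed sample workflow (not from the article) covering the cases the
# checker must tell apart: a version tag, a branch, a full commit SHA, an
# abbreviated SHA and a local action path.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@v0.69
      - uses: checkmarx/kics-github-action@main
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: aquasecurity/trivy-action@a1c055e
      - uses: ./.github/actions/build
"""

# Matches a `uses:` line (list item or not, quoted or not) and captures its target.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(target: str) -> str:
    """Classify one `uses:` target.

    'pinned'  -> owner/repo@<40-hex commit SHA>: the only immutable form.
    'skipped' -> ./path or docker:// image: not a GitHub ref, outside this check.
    'mutable' -> tag, branch, abbreviated SHA or no ref: can be moved by a force-push.
    """
    if target.startswith("./") or target.startswith("docker://"):
        return "skipped"
    if "@" not in target:
        return "mutable"
    _, ref = target.rsplit("@", 1)
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"

def audit_workflow(yaml_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, target, status) for every `uses:` line in the file."""
    results = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            results.append((lineno, m.group(1), classify(m.group(1))))
    return results

def unpinned(yaml_text: str) -> list[str]:
    """Only the targets that still need re-pinning to a full commit SHA."""
    return [t for _, t, status in audit_workflow(yaml_text) if status == "mutable"]

if __name__ == "__main__":
    for lineno, target, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno:>3}: {status:<8} {target}")
```

Run it over every file under .github/workflows as a CI gate, failing the build when unpinned() returns anything, and the mutable-tag path the TeamPCP attack relied on is closed for your pipelines.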
Get a security assessment. Not a sales pitch from a vendor. An actual assessment of your environment — what is exposed, what is misconfigured, what would an attacker see. The Stryker breach started with compromised credentials and an Intune misconfiguration. Those are exactly the kinds of things a competent assessment finds before an attacker does.
The Bottom Line
Your security software fails one day out of every five. Ransomware groups are shutting down hospitals. Nation-state actors are wiping hundreds of thousands of devices through legitimate admin tools. And Microsoft just patched two vulnerabilities that attackers were already using.
None of this is new. What is new is the scale, the speed, and the sophistication. The groups doing this are running professional operations with defined playbooks and revenue targets.
The question is not whether your organization is a target. The question is whether your defenses are actually working right now — not just installed, but verified, updated, and monitored.
If you are not sure, that is exactly the problem.