Automation can’t fix broken security basics

Most enterprises continue to fall short on basic practices such as patching, access control, and vendor oversight, according to Swimlane’s Cracks in the Foundation: Why Basic Security Still Fails report. Leadership often focuses on broad resilience goals while the day-to-day work that supports them remains inconsistent and underfunded.

The human factor remains the weak spot

More than half of respondents said their biggest obstacle involves the human element of security, including training, awareness, and follow-through. Employees remain a steady source of vulnerability through weak passwords, careless email use, or ignoring policies.

67% of organizations rganizations review user privileges only quarterly or less often, leaving long periods when dormant accounts or excessive permissions can persist. 64% admit they do not continuously assess vendor or supplier security after onboarding. These lapses create quiet opportunities for misuse, insider threats, or third-party compromise.

These problems persist because the processes are not routine. Until access reviews and vendor assessments become continuous and automated, they will keep falling behind, especially in complex environments with hundreds of accounts and partners.

Leadership attention is elsewhere

Only 32% of respondents say cyber hygiene and resilience rank among their C-suite’s top priorities. By contrast, 43% list cyber threats and crisis response as major concerns.

Many leaders still view cybersecurity as a reaction to attacks rather than a preventive discipline. Crisis management often draws more attention because it feels urgent, while hygiene work looks routine and less strategic.

When executives focus on response instead of prevention, teams struggle to justify investments in the basics. That leads to a recurring cycle of avoidable incidents followed by brief periods of attention.

Slow patching keeps risk windows open

Patch management continues to expose a core weakness in enterprise security. 73% of organizations take longer than 24 hours to apply critical updates. About one in four take between 8 and 30 days. Each day of delay gives attackers more time to exploit known vulnerabilities.

This issue often stems from process friction, not lack of awareness. Security teams identify vulnerabilities quickly, but patching requires coordination across departments. Operations teams worry about uptime, IT teams juggle other tickets, and security waits for confirmation that fixes are applied.

Automation could help close this gap, yet many organizations still depend on manual approvals and change windows that slow response. Treating patching as a shared responsibility, supported by workflow automation, could shorten the exposure period.

Most incidents could have been avoided

Despite years of investment, two-thirds of organizations reported at least one security incident in the past year. Among those, 92% said stronger cyber hygiene could have prevented it. The true figure may be higher, since many incidents go undetected or unreported.

Even so, only 15% of respondents describe their hygiene programs as “leading.” The rest say their efforts are still developing or advancing, which shows that many view their basic practices as immature.

Even good tools fail if they are not used consistently. Without automation, human follow-up becomes the limiting factor, and essential tasks often slip during busy periods.

Automation is helping close the gap

Most respondents agree that AI and automation are improving hygiene. 84% say these technologies enhance basic security practices, and 64% report that automation has increased their organization’s focus on fundamentals.

When asked which change would most improve their hygiene programs, the top answer was expanding AI usage and expertise. Only 21% of respondents felt that emerging technologies distract from basic security work.

Automation reduces manual workloads and removes the need to schedule routine tasks. Access reviews, patch rollouts, and log monitoring can run on predictable cycles. With repetitive work handled automatically, teams can focus on analysis and risk management.

“The fundamentals of security shouldn’t be the hardest part, but they remain the weakest link,” said Michael Lyborg, CISO at Swimlane. “Too many teams treat hygiene as a checklist instead of a living process. Intelligent automation makes it continuous, measurable, and built-in, turning resilience from a goal into a deliverable outcome.”

Back to basics webinar: The ecosystem of CIS Security best practices