It is the responsibility of the board of directors to make sure that companies have the best protection possible. According to BitSight, the leading firm monitoring cyber-attacks and corporate responsiveness, most successful attacks occur when bad guys exploit "known vulnerabilities," which are vulnerabilities for which a patch exists but it has not been downloaded. When corporate IT staff does not update their systems in a timely fashion, it is disastrous risk management.