EXECUTIVE SUMMARY:

On the cusp of the one-year anniversaries of the WannaCry and NotPetya cyberattacks, which inflicted major damage on organizations worldwide largely because systems were left unpatched, the lingering lesson remains: patching and updating software and applications isn’t a nice-to-have. It’s a requirement. But meeting that requirement has proven difficult for many.

Adam Janofsky reports in The Wall Street Journal that in the past year, several companies have racked up more than $100 million in lost revenue due to outdated software. As more IoT devices go online, and more sensors dot our surroundings, that issue is expected to become even more problematic.

Quoting Oracle’s co-CEO Mark Hurd at the CloudWorld event in February, Janofsky writes, “It takes our customers months to get our patches through their ecosystem. Why? It’s hard. They sit on different operating systems and different servers, there are different versions—I can go on and on.”

According to Hurd, companies are not investing what it takes to keep current with computers and applications. This runs counter to prevailing wisdom. “Cybersecurity experts say good patching programs require companies to invest heavily in monitoring systems and new computers and sometimes to painstakingly remove devices from the open internet. Even then, one mistake can have devastating consequences,” reports Janofsky.

To illustrate the fallout of ignoring calls to patch, Janofsky points to Reckitt Benckiser Group PLC, pharmaceutical firm Merck & Co. and shipping giant A.P. Moller-Maersk A/S. These firms lost approximately $130 million, $135 million and $300 million, respectively, when NotPetya struck. The sad reality is that these organizations could have avoided the disastrous consequences by applying the same patch that was issued ahead of WannaCry.

Get the full story at The Wall Street Journal.