Security debt continues to pile up, with 42% of organizations attributing remediation backlogs to a breach, a new study shows.
Most businesses can’t keep up with the influx of vulnerabilities affecting their software and infrastructure: every six months the average firm fails to patch 28% of the vulnerabilities in their hardware and software, leading to a backlog of more than 57,000 unfixed security issues, a new study found.
Such a security “debt” leaves companies vulnerable, according to the Ponemon Institute study released today, which was commissioned by IBM. More than half of organizations suffered a security breach in the past year, and 42% of those respondents blame the breach on a known but unpatched security vulnerability. In addition, most companies — 57% — have not identified which vulnerabilities pose a highest risk, and only a quarter of firms are prioritizing vulnerabilities based on business impact.
The underlying problem is that once vulnerabilities have been identified by automated systems, the prioritization and patching process is mostly manual, which slows an organization’s response, says Charles Henderson, global managing partner and head of IBM’s cybersecurity services team, X-Force Red.
Patching continues to be a significant problem for most companies. Only 21% of organizations patch vulnerabilities in a timely manner, the survey found. More than half of companies cannot easily track how efficiently vulnerabilities are being patched, have enough resources to patch the volume of issues, nor have a common way of viewing assets and applications across the company. In addition, most organizations do not have the ability to tolerate the necessary downtime.
Overall, most companies face significant challenges in patching software vulnerabilities, according to the survey of 1,848 IT and IT professionals by the Ponemon Institute.
“I think it comes down to the fact that we have an issue with level-setting expectations within the organizations, understanding the processes, and a breakdown in communication between those responsible for keeping things patched and those response for keeping the systems running,” says Henderson. “They are not necessarily aligned in terms of goals.”
The average company in the study identified nearly 780,000 vulnerabilities over a six-month period, and failed to mitigate more than 57,000, or 28%, of the issues. Organizations are increasingly using agile development methodologies, and the signs of that are in the report: About a third of the companies scan applications and systems at least daily for vulnerabilities.
With that many vulnerabilities, however, companies need a way to cull down the herd of security issues to a manageable level. More than a third of firm (38%) prioritize the results based on the Common Vulnerability Scoring System (CVSS) score, which prior research has proven to be a less-than-reliable method of prioritization. A slightly lower number, 37%, of companies are prioritizing based on what vulnerabilities have been weaponized by attackers, the report found. A quarter of organizations prioritize based on the assets most important to the business and which vulnerabilities affect those critical resources.
“Prioritization is the weak spot,” Henderson says. “We think a blend of asset enrichment along with a model that focuses on exploitability, commonality, and marketability of vulnerabilities is key.”
Marketability includes the likelihood that an exploit will end up in an automated hacking tool or exploit kit, he explains.
In addition to prioritization, the study found that companies were missing some key infrastructure components in their security efforts.
Lemos, Robert. “Firms still struggle to prioritize security vulnerabilities” Interop Digital News August 2020
___________________________________________________________________________________________________
The truth is it’s easy to skip software updates because they can take up a few minutes of our time, and may not seem that important. But this is a mistake that keeps the door open for hackers to access your private information, putting you at risk for identity theft, loss of money, credit, and more.
Our ActivSurveillanceTM IT Support Services are not only designed to keep your systems running at peak efficiency, but also to put your company in the best position to mitigate new risks from outside threats.
Our services comprise three tiers of expertly handled, scalable managed services to complement or supplement your internal technical support team: monitoring, remediation, and management.
We take our role in your company seriously and feel strongly that these services are required for all businesses due to the increasing proliferation of threats from the Internet.
Give us a call at 732.780.8615 or email us at [email protected] if you would like more information on how we can help you take the next step in prioritizing the security of your IT Environment.