A majority of breaches that occurred in the past year were linked to a vulnerability where a patch was available, but not applied, new research found.
In addition, despite a 24 percent average increase in annual spending on prevention, detection and remediation in 2019 compared with 2018, patching is delayed an average of 12 days due to data silos and poor organizational coordination. Looking specifically at the most critical vulnerabilities, the average time to patch is 16 days, according to research conducted by Ponemon Institute and sponsored by digital workflow provider ServiceNow.
At the same time, the risk is increasing.
There was a 17 percent increase in cyberattacks over the past year, and 60 percent of breaches were linked to a vulnerability where a patch was available, but not applied, the study found. The study surveyed almost 3,000 security professionals in nine countries to understand how organizations are responding to vulnerabilities.
The issue of patching in the manufacturing industry continues to be a hot-button topic. While the study spanned multiple industries, manufacturing faces a particular problem: a window for patching is often not immediately available, and some users can go months, if not years, before they can shut down systems and apply any kind of patch.
The survey results reinforce a need for organizations to prioritize more effective and efficient security vulnerability management:
• 34 percent increase in weekly costs spent on patching compared to 2018.
• 30 percent more downtime vs. 2018, due to delays in patching vulnerabilities.
• 69 percent of respondents plan to hire an average of five staff members dedicated to patching in the next year, at an average cost of $650,000 annually for each organization.
• 88 percent of respondents said they must engage with other departments across their organizations, which results in coordination issues that delay patching by an average of 12 days.
Findings also indicate a persistent cybercriminal environment, underscoring the need to act quickly:
• 17 percent increase in the volume of cyberattacks in the last 12 months compared to the same timeframe in 2018.
• Nearly 27 percent increase in cyberattack severity compared to 2018.
The report points to other factors beyond staffing that contribute to delays in vulnerability patching:
• 76 percent of respondents noted the lack of a common view of applications and assets across security and IT teams.
• 74 percent of respondents said they cannot take critical applications and systems offline to patch them quickly.
• 72 percent of respondents said it is difficult to prioritize what needs to be patched.
Automation delivers a significant payoff in terms of being able to respond quickly and effectively to vulnerabilities, the report said. Eighty percent of respondents who employ automation techniques said they respond to vulnerabilities in a shorter timeframe through automation.
“This study shows the vulnerability gap that has been a growing pain point for CIOs and CISOs,” said Sean Convery, general manager, ServiceNow Security and Risk. “Companies saw a 30 percent increase in downtime due to patching of vulnerabilities, which hurts customers, employees and brands. Many organizations have the motivation to address this challenge but struggle to effectively leverage their resources for more impactful vulnerability management. Teams that invest in automation and maturing their IT and security team interactions will strengthen the security posture across their organizations.”