The study, “Costs and Consequences of Gaps in Vulnerability Response,” found that despite a 24 percent average increase in spending on prevention, detection and remediation in 2019, compared with 2018, it takes an average of 12 days longer to patch due to data silos and poor organisational coordination. Looking specifically at the most critical vulnerabilities, the average timeline to patch is 16 days.
At the same time, the risk is increasing. According to the findings, in Singapore there was an 18 percent increase in cyberattacks over the past year, and 58 percent of breaches were linked to a vulnerability where a patch was available, but not applied. The study surveyed 3,000 security professionals in nine countries to understand how organisations are responding to vulnerabilities. In this report, ServiceNow presents the consolidated findings and comparisons to its 2018 study, Today’s State of Vulnerability Response: Patch Work Requires Attention.
The survey results reinforce the need for organisations to prioritise more effective and efficient security vulnerability management:
- Globally, respondents reported a 34 percent increase in weekly costs spent on patching compared to 2018.
- 88 percent of respondents said they must engage with other departments across their organisations, which results in coordination issues that delay patching by an average of 12 days.
- 27 percent more downtime vs. 2018, due to delays in patching vulnerabilities.
- 72 percent of respondents plan to hire an average of five staff members dedicated to patching in the next year.
- On average, 10 days are lost coordinating with the responsible team before a patch is applied.
The findings also indicate a relentless cybercriminal environment, underscoring the need to act quickly:
- 17 percent increase in the volume of cyberattacks in the last 12 months compared to the same timeframe in 2018.
- Nearly 27 percent increase in cyberattack severity compared to 2018.
- Interestingly, 59 percent of Singapore respondents agree that attackers are currently outpacing enterprises with technology such as machine learning/artificial intelligence.
Although 88 percent of Singapore respondents believe they do not have enough resources to keep up with the volume of patches, the report points to other factors beyond staffing that contribute to delays in vulnerability patching:
- 67 percent of respondents noted the lack of a common view of applications and assets across security and IT teams
- 69 percent of respondents said they cannot take critical applications and systems offline to patch them quickly
- 45 percent of respondents said it is difficult to prioritise what needs to be patched
- 49 percent of respondents believe that organisations are at a disadvantage due to the heavy manual processes needed to patch vulnerabilities
According to the findings, automation delivers a significant payoff in terms of being able to respond quickly and effectively to vulnerabilities. 80 percent of respondents who employ automation techniques say they respond to vulnerabilities in a shorter timeframe through automation.
“This study confirms the vulnerability gap that has been a growing pain point for CIOs and CISOs,” said Sean Convery, general manager, ServiceNow Security and Risk. “Companies saw a 30 percent increase in downtime due to patching of vulnerabilities, which hurts customers, employees and brands. Many organisations have the motivation to address this challenge but struggle to effectively leverage their resources for more impactful vulnerability management. Teams that invest in automation and maturing their IT and security team interactions will strengthen the security posture across their organisations.”