42% IT pros ignore critical security vulnerabilities, research reveals
News / 42% IT pros ignore critical security vulnerabilities
11 May 2018
A new report from vulnerability management solutions provider Outpost24 has revealed a few reasons why cyber criminals have been able to breach enterprise networks and exploit existing security vulnerabilities so successfully in the past few years.
The report, which was based on a survey of 155 security professionals at the RSA conference, revealed that over half (53%) of all vulnerabilities are not patched by organisations as soon as they are known. While only 16 percent of organisations patch vulnerabilities once in a month, only 5 percent of them patch vulnerabilities only once or twice in a year.
As many as 42 percent of IT security professionals also leave security vulnerabilities unpatched as they either have no idea of how to fix them or do not have the time to address them. This results in enterprise networks featuring old vulnerabilities that are routinely exploited by hackers either for financial gain or to cause reputational damage.
“Our survey results suggest that businesses are adding technology as a key element of their strategy but not preparing their security teams with the skills and resources to keep up. It’s vital that organisations have full awareness of all assets that the business relies on, and that they are constantly tuning for the lowest possible level of cyber security exposure,” said Bob Egner, vice president at outpost24.
Penetration testing isn’t the norm
What’s worse is that 85 percent of organisations do not run security testing to understand the assets on their network and their relative security posture, thereby exposing themselves to cyber criminals. At the same time, Only 67 percent of organizations have hired a penetration tester to assess the security of their network.
Of those organisations who did carry out penetration testing, 46 percent found a critical flaw which could have put their organization at risk. Despite the presence of so many flaws, 30 percent of security professionals still believe penetration testing won’t reveal any new risks.
“Outsourcing services like penetration testing can be an excellent way to get a holistic overview of the cyber security exposure across an organisation’s assets as well as expose threats within systems that may well have gone unnoticed.
“To maximize the value of testing investment, remediation action should be taken as close to the time of testing as possible. With the proliferation of connected technologies, the knowledge and resource gap continue to be key challenges. Security staff can easily become overwhelmed and lose focus on the remediation that can be most impactful to the business,” Egner added.
IT security professionals are also aware that many web applications, cloud services, and IoT devices used by their organisations are insecure, yet such devices and services are used widely in many organisations.
According to the survey, while 15 percent of IT professionals believe their web applications are least secure, 25 percent are most concerned about their cloud infrastructure and applications, 20 percent said their mobile devices are the most insecure, and 23 percent are most concerned about their IoT devices.
Jay has been a technology reporter for almost a decade. When not writing about cybersecurity, he writes about mobile technology for the likes of Indian Express, TechRadar India and Android Headlines