A third of European organisations suffered breaches due to unpatched vulnerabilities
Threats / A third of European organisations suffered breaches due to unpatched vulnerabilities
3 June 2019
As many as 34 percent of European organisations have suffered data breaches as a result of unpatched vulnerabilities in their software or hardware, says a survey from Tripwire which also found that 27 percent of global organisations suffered a similar fate for the same reason.
Reasons behind over one in four global organisations and one in three European organisations suffering data breaches as a result of unpatched vulnerabilities in their installed hardware and software systems are many, but principal among them are inability of IT security teams to carry out weekly scans to discover vulnerabilities, and their inability to detect new hardware and software added to their organisations’ systems quickly.
Vulnerability management programmes at a majority of organisations not optimal
A survey of 340 information security professionals at global organisations by Tripwire found that while 59 percent of organisations globally are able to detect newly-installed software and hardware in their systems within minutes or hours, 7 percent of them take weeks to do so and 21 percent need several days to identify new software and hardware introduced by other departments at their organisations.
Worryingly, IT security professionals at 11 percent of organisations across the globe do not have processes in place to detect new hardware and software in their IT systems, thereby leaving large security holes within their systems for hackers to actively exploit. A prolonged delay in identifying new hardware and software assets also significantly delays the identification and fixing of unpatched vulnerabilities.
Only 18 percent of information security professionals confirmed that their organisations could discover new hardware and software assets automatically. Less than a quarter of global organisations are able to discover less than 50% of new software assets, 11 percent can only detect less than 10 percent of new assets automatically, and 13 percent of organisations don’t use automatic discovery solutions at all.
“Finding vulnerabilities is just a part of an effective vulnerability management programme. It’s important for organisations to focus on building a programmr instead of deploying a tool. Vulnerability management has to include asset discovery, prioritisation, and remediation workflows in order to be effective at reducing risk,” said Tim Erlin, vice president of product management and strategy at Tripwire.
“How you assess your environment for vulnerabilities is important if you want to effectively reduce your risk. If you are not doing authenticated vulnerability scans, or not using an agent, then you are only giving yourself a partial picture of the vulnerability risk in your environment. And if you’re not scanning for vulnerabilities frequently enough, you’re missing new vulnerabilities that have been discovered, and you may miss assets that tend to go on and off the network, like traveling laptops,” he added.
According to Tripwire’s 2019 Vulnerability Management Survey, while 88 percent of organisations are running vulnerability scans, 86 percent of them are carrying out automated scans, 63 percent are carrying out authenticated scans, and 75 percent of them are carrying out port scans to identify existing and emerging vulnerabilities.
Majority of organisations cannot fix all unpatched vulnerabilities
While it is heartening to note that a vast majority of organisations are scanning their hardware and software assets for flaws, what’s disappointing about the statistic is that 16 percent of organisations are doing so only to meet compliance and other requirements and only in 19 percent of organisations is vulnerability management a strategic part of their company-wide approach to risk management.
According to 13 percent of IT security professionals, extensive vulnerability management programmes are only limited to certain departments that prioritise it, and a staggering 50 percent of them said that even though they do carry out vulnerability scans, they have the bandwidth only to focus on identifying and fixing high severity vulnerabilities.
The survey found that while 65 percent of organisations are unable to address all vulnerabilities due to budget constraints, 41 percent are unable to due so due to the technology they have, and 78 percent are unable to address all vulnerabilities due to the processes in place.
As a result, only 37 percent of organisations are able to fix identified vulnerabilities inside fifteen days with a similar number taking as long as a month to fix them. Only 49 percent of organisations are also able to deploy security patches in their environments within a week and 65 percent of them are unable to do so within two weeks.