Report: Organizations Are Open for Exploit By Taking Too Long to Patch
New research from the Ponemon Institute uncovers a troubling trend when it comes to risk management. That is, organizations are simply not patching software vulnerabilities fast enough to keep up with the demand for remediation. This can lead to cybersecurity attacks that could spell trouble for businesses as they try to ward off incidents that result in significant damage to their operations.
More than half of the 634 IT and security leaders (57%) who responded to a survey by Ponemon Institute, and sponsored by Rezilion, rated their organization’s ability to patch vulnerabilities in a timely manner as low or medium. The report, titled The State of Vulnerability Management in DevSecOps, is free and available to download today.
More than half (58%) of the respondents noted that once a critical or high-risk vulnerability is detected, it takes their organization six weeks or longer on average to patch the bug. About one third said it takes longer than eight weeks on average to patch. On the flip side, only 17% of the organizations are patching detected vulnerabilities within three weeks or less.
Clearly, most organization are not patching bugs in a timely manner, leaving the attack window open for weeks and perhaps months. The failure to remediate software vulnerabilities in a timely manner is giving cyber criminals and other bad actors way too much time to exploit such vulnerabilities, and is putting these organizations—and potentially their business partners—at great risk.
Organizations are leaving the attack window open much more than they should be, especially given the ability of bad actors to move quickly once they know about a vulnerability.
The Ponemon research revealed that a number of factors are contributing to remediation taking so long at many organizations. These include an inability to easily track whether vulnerabilities are being patched in a timely manner (cited by 51%); inability to take critical applications and systems offline so they can be patched (49%); silo and turf issues between security and other divisions (45%); and the lack of a common view of applications and assets across security and IT teams.
Other reasons are insufficient resources to keep up with the volume patches (43%); the organization’s belief that an attacker will not exploit its vulnerabilities (37%); human error (32%) and a lack of tolerance for the downtime required for patching (28%).
Some of these factors are organizational and cultural issues that need to be addressed by management. Others are technical issues. Regardless, organizations can go a long way toward reducing the time it takes to remediate vulnerabilities by using automation tools.
A majority of respondents (56%) said they use automation to help with vulnerability remediation. Of these, 59% said their organizations automate patching, 47% automated prioritization and 41% automate reporting. When asked how automation has affected the time it takes to fix vulnerabilities, 43% said there was a significantly shorter time to respond.
By deploying solutions such as automation, organizations can address software vulnerabilities more quickly and therefore more rapidly close the attack window before bad actors have a chance to exploit these software flaws.
Get more insights into The State of Vulnerability Management in DevSecOps and download the report today.