
Only 10% of vulnerabilities are patched each month

A study by SecurityScorecard and the Cyentia Institute found that only 60% of organizations improved their security posture despite a 15-fold increase in cyberattacks over the past three years.

The joint research set out to measure vulnerability remediation speed from 2019 to 2022 and found only modest progress. Of the 1.6 million organizations assessed, 53% had at least one vulnerability exposed to the internet, while 22% had accumulated more than 1,000 open vulnerabilities each, confirming that much more progress is needed to protect organizations' critical assets.

"Vulnerability remediation speed is a major indicator of an organization's cybersecurity health, and we're in a race to help these organizations strengthen their defenses and better assess the risks associated with the growing range of third-party software," said Aleksandr Yampolskiy, CEO, SecurityScorecard. "It confirms that in today's rapidly changing threat landscape, organizations need to take quick action to reduce vulnerabilities faster. It's time to act."

The speed of fixing vulnerabilities

To measure the speed and progress of remediation, the research looked at how quickly issues were resolved and how long they persisted on assets. The financial sector had among the slowest remediation rates (median time to fix 50% of vulnerabilities: 426 days), while utilities ranked among the fastest (median: 270 days).

Somewhat surprisingly, despite a 15-fold increase in exploitation activity against vulnerabilities with publicly released exploit code, there was little evidence that organizations were fixing exploited vulnerabilities any faster. Regardless of the total number of vulnerabilities present in their domain(s), companies typically patch around 10% of their open weaknesses each month.

"Vulnerabilities likely exist with vendors and service providers, which requires ongoing visibility across the entire ecosystem," said Cyentia Institute Partner Wade Baker. "With greater visibility, organizations can prioritize risks and remediation actions based on data. This is essential to effectively deal with cyber vulnerabilities."

Where vulnerabilities exist

The research shows that the information sector (62.6%) and the public sector (61.6%) had the highest prevalence of open vulnerabilities. The financial sector (48.6%) had the lowest proportion of open vulnerabilities; however, the gap between it and the other sectors is less than 10%, so no industry stands out sharply in the ranking.

The analysis found that it typically takes organizations 12 months to fix half of the vulnerabilities in their internet-facing infrastructure. When a company has fewer than 10 open vulnerabilities, closing half of them can take about a month, but when the list runs into the hundreds, it can take up to a year to get halfway there.
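The two figures the study leans on, the time until half of an organization's findings are fixed and the share of the open backlog fixed per month, are easy to get wrong if still-open findings are ignored. The Python below is an added example, not the study's methodology or any SecurityScorecard code: it computes both metrics with a Kaplan-Meier estimator over a constructed set of finding records (dates and IDs are invented), treating findings that are still open at the end of the observation window as censored rather than dropping them. It also shows the arithmetic behind the "10% per month" rate: at that pace with no new arrivals, halving a backlog takes seven months.

```python
from datetime import date
from fractions import Fraction
from math import ceil, log
from typing import List, Optional, Tuple

# Constructed sample data (illustrative only, not figures from the study):
# (finding id, date first seen on an internet-facing asset, date it was last
# seen fixed, or None if it was still open when observation ended).
OBSERVATION_END = date(2022, 12, 31)
SAMPLE_RECORDS: List[Tuple[str, date, Optional[date]]] = [
    ("v01", date(2022, 1, 10), date(2022, 2, 1)),
    ("v02", date(2022, 1, 10), date(2022, 4, 10)),
    ("v03", date(2022, 1, 15), None),            # still open: right-censored
    ("v04", date(2022, 2, 1), date(2022, 3, 3)),
    ("v05", date(2022, 2, 1), date(2022, 8, 30)),
    ("v06", date(2022, 3, 1), None),             # still open: right-censored
    ("v07", date(2022, 3, 1), date(2022, 3, 31)),
    ("v08", date(2022, 4, 1), date(2022, 10, 28)),
]


def durations(records, end=OBSERVATION_END):
    """Return (days_observed, was_fixed) per finding. Findings still open at
    `end` contribute the time observed so far and are flagged as censored."""
    out = []
    for _, opened, fixed in records:
        if fixed is None:
            out.append(((end - opened).days, False))
        else:
            out.append(((fixed - opened).days, True))
    return out


def survival_curve(records, end=OBSERVATION_END):
    """Kaplan-Meier estimate of the fraction of findings still open after t
    days, as a list of (t, S(t)). Censored findings stay in the at-risk set
    until their observed duration ends, so a naive 'mean days to fix over
    closed findings' cannot quietly discard the backlog that never closes."""
    obs = durations(records, end)
    event_times = sorted({t for t, fixed in obs if fixed})
    curve = []
    s = Fraction(1)  # exact arithmetic: avoids 0.4999... vs 0.5 at the median
    for t in event_times:
        at_risk = sum(1 for d, _ in obs if d >= t)
        fixed_now = sum(1 for d, f in obs if f and d == t)
        s *= Fraction(at_risk - fixed_now, at_risk)
        curve.append((t, s))
    return curve


def median_days_to_remediate(records, end=OBSERVATION_END):
    """Days until half of the findings are fixed: first t with S(t) <= 1/2.
    None if fewer than half were fixed within the observation window."""
    for t, s in survival_curve(records, end):
        if s <= Fraction(1, 2):
            return t
    return None


def monthly_fix_rate(records, year, month):
    """Fraction of findings open at any point during the month (backlog plus
    new arrivals) that were fixed within that month. None if nothing was open."""
    start = date(year, month, 1)
    end = date(year + (month == 12), month % 12 + 1, 1)  # first day of next month
    open_in_month = [r for r in records
                     if r[1] < end and (r[2] is None or r[2] >= start)]
    fixed_in_month = [r for r in open_in_month
                      if r[2] is not None and start <= r[2] < end]
    if not open_in_month:
        return None
    return Fraction(len(fixed_in_month), len(open_in_month))


def months_to_halve_backlog(rate):
    """Months at a constant per-month fix rate until half of today's backlog
    is gone, assuming no new findings arrive: (1-rate)^n <= 1/2."""
    return ceil(log(0.5) / log(1 - rate))


if __name__ == "__main__":
    for t, s in survival_curve(SAMPLE_RECORDS):
        print(f"after {t:3d} days, {float(s):.3f} of findings still open")
    print("median days to remediate:", median_days_to_remediate(SAMPLE_RECORDS))
    print("March 2022 fix rate:", monthly_fix_rate(SAMPLE_RECORDS, 2022, 3))
    print("months to halve backlog at 10%/month:", months_to_halve_backlog(0.10))
```

The seven-month figure from `months_to_halve_backlog` is a floor under the real number: it assumes the backlog stops growing, while the twelve-month median reported above is measured on infrastructure where new findings keep arriving. When reproducing the metric on your own scan history, keep the censored records; excluding them is the most common way these numbers end up flattering.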