Companies worldwide have mustered the motivation to address the most common cybersecurity challenges, but are hampered by technological and procedural lapses, new research shows.
Cyber risk has become a board room topic in recent years, but many hurdles associated with cybersecurity tools and processes have yet to be resolved. For example, unpatched software vulnerabilities – one of the most common attack vectors for cybercriminals – remains a huge problem for organizations everywhere.
Despite a 24% average increase in annual spending on prevention, detection and remediation, data silos and poor organizational coordination delay the patching of known flaws by an average of 12 days, according to a study conducted by Ponemon Institute for ServiceNow. The average timeline to patch the most critical vulnerabilities is even longer – 16 days.
Surveyors polled 3,000 security professionals in nine countries and learned that cyberattacks increased 17% over the past year and their severity rose 27% compared to 2018 – no small numbers by any measure. However, key to these findings was that 60% of breaches were linked to a vulnerability where a patch was available, but not applied, reminiscent of the Equifax mega breach in late 2017, and other high-profile security incidents. Other key findings include:
- 34% increase in weekly costs for patching compared to 2018
- 30% more downtime, due to delays in patching vulnerabilities
- 69% of respondents plan to hire an average of five staff members dedicated to patching in the next year, at an average cost of $650,000 annually for each organization
- 88% said they must engage with other departments across their organizations, which results in coordination issues that delay patching by an average of 12 days
- 76% noted the lack of a common view of applications and assets across security and IT teams
- 74% said they cannot take critical applications and systems offline to patch them quickly
- 72% reported difficulty in prioritizing what needs to be patched
Factors beyond staffing that contribute to delays in vulnerability patching show that organizations are in dire need of automated patch management in an ever-expending cybercriminal landscape. The results also underscore the need for organizations to act sooner rather than later.