Too Fast and Too Frivolous - Cyber Attacks Speed Ahead By 15x, While Companies Stall In Addressing Vulnerabilities According to SecurityScorecard Research
Only 10% of vulnerabilities remediated each month; Only 60% of companies improving security postures; Nearly a quarter facing more than 1000 vulnerabilities according to global study with The Cyentia Institute
NEW YORK – June 6, 2022 – New research from SecurityScorecard, the global leader in cybersecurity ratings, and The Cyentia Institute, an independent cybersecurity research firm, revealed only 60% of organizations have improved their security posture despite a 15-fold increase in cyber-attacks over the last three years. The joint research sought to measure the speed of vulnerability remediation from 2019 - 2022 and revealed only modest progress in the area of vulnerability remediation. The research found that 53% of the 1.6 million organizations assessed had at least one exposed vulnerability to the internet, while 22% of organizations amassed more than 1,000 vulnerabilities each, confirming more progress is required to protect organizations’ critical assets.
“The speed of vulnerability remediation is a top indicator of an organization's cybersecurity health, and we are in a race to help these organizations shore up defenses and better assess the risks from the growing array of third-party software,” said Aleksandr Yampolskiy, co-founder and CEO, SecurityScorecard. “This confirms that in today’s rapidly evolving threat landscape, organizations must take swift action to reduce vulnerabilities faster. The time to act is now.”
The findings are explained in SecurityScorecard’s report, The Fast and Frivolous: Pacing Remediation of Web-Facing Vulnerabilities.
Only 10% of Vulnerabilities are remediated each month
To measure the speed and progress of remediation, SecurityScorecard’s research examined how quickly issues were addressed and how long they persisted across assets. The research showed the financial sector to be among the slowest remediation rates (median to fix 50%=426 days), while utilities ranked among the fastest (median=270 days). Somewhat surprisingly, despite a 15-fold increase in exploitation activity for vulnerabilities with published exploit code, there was little evidence that organizations in this sector fixed exploited flaws faster. Regardless of how many total vulnerabilities existed across their domain(s), organizations typically fixed about 10% of weaknesses each month.
“Vulnerabilities likely exist with vendors and service providers, which necessitates the need for continuous visibility into the entire ecosystem,” said Wade Baker, partner and co-founder at The Cyentia Institute. “With greater visibility, organizations can prioritize risks and remediation based on data. This is key to effectively addressing cyber vulnerabilities.”
Where the vulnerabilities exist
The research shows the “Information” sector (62.6%) and “Public” sector (61.6%) had the highest prevalence of open vulnerabilities. The “Financial” sector(48.6%) exhibited the lowest proportion of open vulnerabilities; however, there is less than a 10% difference between this and other sectors, in terms of industries with the most open vulnerabilities.The analysis revealed that it typically takes organizations 12 months to remediate half of the vulnerabilities in their internet-facing infrastructure. When firms have fewer than 10 open vulnerabilities, it can take about a month to close just half of them, but when the list grows into the hundreds, it takes up to a year to reach the halfway point.
SecurityScorecard collects and analyzes global threat signals that give organizations instant visibility into the security posture of vendors and business partners as well as the capability to do a self-assessment of their own security posture. The technology continuously monitors 10 groups of risk factors to instantly deliver an easy-to-understand A-F rating. Additionally, SecurityScorecard Ratings with Attack Surface Intelligence provides visibility into IP, network, domain, or vendor’s attack surface risk data, all in one pane of glass. This actionable, deep threat intelligence helps customers identify all of an organization’s connected assets, expose previously unknown threats, conduct investigations at scale, and prioritize vendor remediation.
For more information on the SecurityScorecard cybersecurity ratings platform or to request a demo, visit www.securityscorecard.com.
Funded by world-class investors including Evolution Equity Partners, Silver Lake Waterman, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings with more than 12 million companies continuously rated. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard's patented rating technology is used by over 30,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. SecurityScorecard is the first cybersecurity ratings company to offer digital forensics and incident response services, providing a 360-degree approach to security prevention and response for its worldwide customer and partner base. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees and vendors. Every organization has the universal right to their trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.
# # #