Businesses dangerously slow to react to vulnerabilities

Average time it takes an organisation to remediate a vulnerability: 176 days.

Average time it takes a cyber criminal to exploit a vulnerability: 7 days.

And that’s not taking zero-days into account.

NopSec’s 2015 State of Vulnerability Risk Management report examined the extent to which unaddressed security vulnerabilities are affecting the security of organisations across multiple industries.

According to the report, although most organisations have good vulnerability assessment processes in place, many are overwhelmed by the volume of data generated by vulnerability scans and are failing to respond appropriately, to the detriment of their security.

“Most organizations have mastered the art of vulnerability assessment,” the report notes, but the “practice of then having to validate and prioritize vulnerabilities only further adds time to an already difficult remediation process and further extends the window of opportunity for hackers.”

Average time to react

NopSec found that the average time it took financial and education organisations to address vulnerabilities was 176 days. The healthcare industry took an average of 97 days and cloud providers took 50 days. 32% of financial organisations took more than a year to address vulnerabilities.

Compare these figures with the time it takes criminals to act: it takes an average of seven days for hackers to build a successful exploit, and in the case of zero-day vulnerabilities criminals are already exploiting them by the time they are discovered by the public.

It’s therefore essential to keep your software updated and to install patches whenever they are released. Vulnerabilities common to off-the-shelf software, CMS platforms, applications and plugins are being discovered – and exploited – all the time by opportunistic criminal hackers who use automated scans to identify targets.

With the average cost of a data breach now £2.37 million in the UK according to IBM and Ponemon Institute’s 2015 Cost of Data Breach Study: United Kingdom, it is clear that making sure you close security gaps and fix vulnerabilities as soon as they are known is essential to keeping your networks secure and your corporate information safe.

Using vulnerability testing wisely

IT Governance’s penetration testing services provide a prioritised set of results as standard, making the remediation process easier for clients, and reducing their long-term exposure to vulnerabilities. Vulnerabilities are presented in an easily comprehensible dashboard and ranked by importance according to the Common Vulnerability Scoring System (CVSS) – an industry standard. Critical vulnerabilities are reported to clients as soon as they are discovered and suggestions for remediation are provided so that clients can react in a timely and appropriate manner.
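To make the prioritisation step concrete, here is an added example (not code from IT Governance or from the NopSec report) of the kind of triage a security team can run over scan output: each finding is mapped to its CVSS v3 qualitative severity band (the score-to-band thresholds are those published in the CVSS v3 specification), ordered by severity and then by how long it has been open, and flagged when it has been open longer than the seven-day exploit window the report cites. The per-severity remediation windows, the `Finding` structure and the sample findings are constructed assumptions for illustration only.

```python
from dataclasses import dataclass
from datetime import date

# Assumed remediation windows (days) per severity band. The page gives no SLA
# figures; these values are constructed to illustrate the triage logic.
REMEDIATION_WINDOW_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Average time the report says an attacker needs to build a working exploit.
EXPLOIT_WINDOW_DAYS = 7

# Sort order for severity bands (most urgent first).
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    """One scanner finding (hypothetical structure, not a real scanner format)."""
    asset: str
    title: str
    cvss: float
    first_seen: date

    def days_open(self, today: date) -> int:
        return (today - self.first_seen).days


def triage(findings, today):
    """Return findings ordered by severity, then age, annotated with status flags."""
    rows = []
    for f in findings:
        severity = cvss_severity(f.cvss)
        age = f.days_open(today)
        window = REMEDIATION_WINDOW_DAYS.get(severity)
        rows.append({
            "asset": f.asset,
            "title": f.title,
            "severity": severity,
            "days_open": age,
            # Past the remediation window for its band.
            "overdue": window is not None and age > window,
            # Open longer than the average time an attacker needs to weaponise it.
            "exploit_window_passed": age > EXPLOIT_WINDOW_DAYS,
        })
    rows.sort(key=lambda r: (SEVERITY_ORDER[r["severity"]], -r["days_open"]))
    return rows


# Constructed sample data: four findings as of a fixed "today".
SAMPLE_TODAY = date(2015, 6, 30)
SAMPLE_FINDINGS = [
    Finding("web-01", "Outdated CMS plugin", 9.8, date(2015, 1, 5)),
    Finding("db-02", "Weak TLS cipher suite", 5.3, date(2015, 4, 1)),
    Finding("app-03", "Missing security header", 3.1, date(2015, 6, 27)),
    Finding("vpn-04", "Authentication bypass", 8.1, date(2015, 6, 20)),
]


def triage_sample():
    """Run the triage over the constructed sample data."""
    return triage(SAMPLE_FINDINGS, SAMPLE_TODAY)


def count_overdue(rows):
    """How many findings are past their remediation window."""
    return sum(1 for r in rows if r["overdue"])


if __name__ == "__main__":
    for r in triage_sample():
        flags = []
        if r["overdue"]:
            flags.append("OVERDUE")
        if r["exploit_window_passed"]:
            flags.append("exploit window passed")
        print(f"{r['severity']:<8} {r['asset']:<7} {r['days_open']:>4}d  "
              f"{r['title']}  {' '.join(flags)}")
```

Running the block prints the critical CMS finding first, open for 176 days and long past both the assumed remediation window and the seven-day exploit window; sorting by age within a band means the oldest critical items surface first, which is the order the report argues remediation teams should work in.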

IT Governance is a CREST-accredited penetration testing service and a PCI QSA (Qualified Security Assessor), and is qualified to conduct vulnerability scans and penetration tests to ensure your compliance with standards including the PCI DSS and ISO 27001.

For more information on IT Governance’s penetration testing packages, see its penetration testing pages.