One fourth of global organisations faced breaches because of unpatched vulnerabilities

Close to 40 percent of organisations failed to do vulnerability scanning weekly - or more often - as recommended by industry standards

The International Data Corporation (IDC) last year estimated that worldwide spending on security-related hardware, software and services would reach US$ 120.7 billion (£95 billion) in 2021, having grown at an annual rate of around 10 percent since 2016. Yet, according to a new survey, this spending has done little to prevent breaches.

More than one in four (27 percent) organisations globally have faced security breaches as a result of unpatched vulnerabilities, according to a survey among 340 info-security professionals worldwide by security and compliance solutions provider Tripwire. The rate is even higher in Europe, at 34 percent, said the survey.

Vulnerability management starts with visibility of the attack surface, and Tripwire’s report found that 59 percent of global organisations are able to detect new hardware and software on their networks within minutes or hours. In assessing the attack surface for vulnerabilities, 88 percent of infosecurity professionals interviewed said they run vulnerability scans.

However, the research found that the effectiveness of these scans varied noticeably from company to company. Almost half (47 percent) of respondents said that less than half of their assets are discovered automatically, and 13 percent do not use automated discovery at all.

The survey noted that the use of authenticated scans has improved since Tripwire's previous survey, with 63 percent saying they conduct authenticated scans as part of their vulnerability assessment. Despite this, more than one-third (39 percent) are still not scanning weekly, or more often, as recommended by industry standards.

"Finding vulnerabilities is just a part of an effective vulnerability management program," said Tim Erlin, vice president of product management and strategy at Tripwire. "It’s important for organisations to focus on building a program instead of deploying a tool. Vulnerability management has to include asset discovery, prioritisation, and remediation workflows in order to be effective at reducing risk."
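The survey findings above (assets that are not discovered automatically, scans that run less than weekly, scans that run without credentials) and Erlin's list of program components (discovery, prioritisation, remediation workflow) can be turned into a concrete check. The following is an added example, not code from the article or from Tripwire: it takes a constructed asset inventory and scan history, applies an assumed policy of an authenticated scan of every asset at least every seven days, and reports the coverage gaps and a remediation queue ordered by critical findings. Host names, dates and finding counts are all made up for illustration.

```python
"""Weekly-scan cadence and coverage check over a constructed asset inventory.

Added example (not from the article or Tripwire). Policy assumed here:
every inventoried asset gets an authenticated scan at least every 7 days.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_SCAN_AGE = timedelta(days=7)   # "weekly or more often", the cadence the survey cites


@dataclass(frozen=True)
class Asset:
    host: str
    discovered_by: str   # "auto" (network discovery / CMDB sync) or "manual"


@dataclass(frozen=True)
class ScanRecord:
    host: str
    finished: datetime
    authenticated: bool  # credentialed scan or unauthenticated network-only scan
    critical_findings: int


# Constructed sample data; not taken from the survey or any real environment.
INVENTORY = [
    Asset("web-01", "auto"),
    Asset("web-02", "auto"),
    Asset("db-01", "auto"),
    Asset("legacy-erp", "manual"),
    Asset("jump-host", "manual"),
]

SCANS = [
    ScanRecord("web-01", datetime(2019, 6, 10, 2, 0), True, 0),
    ScanRecord("web-01", datetime(2019, 6, 3, 2, 0), True, 2),
    ScanRecord("web-02", datetime(2019, 6, 9, 2, 0), False, 1),
    ScanRecord("db-01", datetime(2019, 5, 20, 2, 0), True, 3),
    ScanRecord("legacy-erp", datetime(2019, 6, 8, 2, 0), False, 5),
    # "jump-host" appears in the inventory but has never been scanned.
]


def latest_scan_per_host(scans):
    """Return the most recent ScanRecord for each host."""
    latest = {}
    for s in scans:
        if s.host not in latest or s.finished > latest[s.host].finished:
            latest[s.host] = s
    return latest


def assess(inventory, scans, now):
    """Compare inventory and scan history against the weekly authenticated-scan policy."""
    latest = latest_scan_per_host(scans)
    report = {
        "never_scanned": [],          # in inventory, no scan record at all
        "stale": [],                  # last scan older than MAX_SCAN_AGE
        "unauthenticated_only": [],   # never scanned with credentials
        "manual_discovery": [],       # not found by automated discovery
        "remediation_queue": [],      # (host, critical findings), worst first
    }
    fresh = 0
    for a in inventory:
        if a.discovered_by != "auto":
            report["manual_discovery"].append(a.host)
        s = latest.get(a.host)
        if s is None:
            report["never_scanned"].append(a.host)
            continue
        if now - s.finished > MAX_SCAN_AGE:
            report["stale"].append(a.host)
        else:
            fresh += 1
        if not any(x.authenticated for x in scans if x.host == a.host):
            report["unauthenticated_only"].append(a.host)
        if s.critical_findings > 0:
            report["remediation_queue"].append((a.host, s.critical_findings))
    # Prioritise remediation by number of critical findings in the latest scan.
    report["remediation_queue"].sort(key=lambda t: (-t[1], t[0]))
    total = len(inventory)
    report["weekly_coverage"] = fresh / total if total else 0.0
    report["auto_discovery_rate"] = (
        sum(1 for a in inventory if a.discovered_by == "auto") / total if total else 0.0
    )
    return report


if __name__ == "__main__":
    for key, value in assess(INVENTORY, SCANS, datetime(2019, 6, 12, 9, 0)).items():
        print(f"{key}: {value}")
```

The point of the check is that a scanner's own dashboard only knows about hosts it has been pointed at; comparing against an independently maintained inventory is what surfaces the "never scanned" and "manual discovery" rows, which is the visibility gap the survey describes.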

This has happened despite national regulatory organisations issuing regular and updated cyber-security guidelines for businesses. The UK government in 2018 set out a series of minimum cyber-security standards, which were incorporated into the Government Functional Standard for Security, obliging government departments and suppliers to comply.

In March 2019 the FCA published a cyber-security industry insights document after collating the experiences and input of over 175 firms across different financial sectors. In the US, the Securities Industry and Financial Markets Association (SIFMA) is preparing its latest cyber-security simulation, Quantum Dawn, which mimics a real attack.

The previous Quantum Dawn exercise, held two years ago, involved more than 50 financial firms, government regulators and SIFMA itself. "No single actor – not the federal government, nor any individual firm – has the resources to protect markets from cyber-threats on their own," said the assessment report of the 2017 test.

The US Securities and Exchange Commission has cyber-security guidance in place for the registered investment advisers it oversees. The Financial Industry Regulatory Authority, a private corporation that regulates broker-dealers, also has its own cyber-security guidance, including information for small businesses with fewer than 150 registered representatives.

"Meeting a regulation or compliance requirement does not necessarily mean you’ve effectively managed your security risk," said Erlin. "Compliance requirements are most often about protecting someone other than your organisation. That might be the consumer or credit card companies or another entity. Securing your business requires that you define an acceptable level of risk and manage to that target."
