Survey: Most security pros aim to patch vulnerabilities within 30 days

News by Grace Johansson

High-profile cyber-security incidents continue to appear due to the mistake of companies not applying patches to known vulnerabilities according to Tripwire research.

To understand how organisations are keeping up with the new vulnerabilities that keep appearing, Tripwire partnered with Dimensional Research to survey 406 IT security professionals about their patching processes.

According to the survey, the majority (78 percent) fixed all vulnerabilities found within the network within 30 days of their being detected, and 40 percent said it usually took less than 15 days. Of the IT security professionals questioned, 15 percent said it was unacceptable to wait at all to patch a vulnerability once it had been detected. Nearly half (46 percent), however, said that they would wait no more than seven days for a vulnerability to be patched.

Tim Erlin, vice president of product management and strategy at Tripwire, commented in a press statement: “Attackers will always go for the low-hanging fruit, the proverbial ‘unlocked door’, over a more complex method of compromise. As long as these older vulnerabilities are present, they'll continue to be exploited. Organisations should really be aiming to fix vulnerabilities on their systems as rapidly as is feasible. Any gap in applying a patch to a vulnerability provides an opportunity for hackers to access systems and steal confidential data.”

The participants of the survey were split on whether there was more of a need to prioritise people or technology, with 54 percent saying that an investment in people is what is needed more whilst 46 percent believed that technology was more important.

Vulnerability management begins with asset discovery: building an inventory of all software and hardware installed on a network. For large organisations this is very difficult to do. What Tripwire found shocking was that only 17 percent of organisations have automated tools that let them identify the location, department and other details of unauthorised hardware and software changes on their network.
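As an added illustration of the two measurements the article leans on (this is example code, not Tripwire's tooling or anything from the survey), the block below diffs a discovery scan against an approved asset baseline so that each unauthorised change is reported with the host, department and location a reviewer needs, and then measures time-to-remediate against the 30-day window the survey respondents reported. All hosts, software versions, dates and vulnerability identifiers are constructed sample data; the `VULN-000x` ids are placeholders, not real advisories.

```python
"""Added example: inventory drift detection and patch-age tracking.
Not from the article or Tripwire; all sample data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# --- 1. Inventory drift: approved baseline vs. latest discovery scan -----------
# Constructed records: host -> {department, location, software{name: version}}
BASELINE = {
    "fin-ws-01": {"department": "Finance", "location": "London-3F",
                  "software": {"openssl": "1.1.1k", "browser": "92.0"}},
    "eng-srv-07": {"department": "Engineering", "location": "DC-West",
                   "software": {"openssh": "8.4", "nginx": "1.20.1"}},
}
CURRENT_SCAN = {
    "fin-ws-01": {"department": "Finance", "location": "London-3F",
                  "software": {"openssl": "1.1.1k", "browser": "92.0",
                               "remote-tool": "3.1"}},            # unapproved install
    "eng-srv-07": {"department": "Engineering", "location": "DC-West",
                   "software": {"openssh": "8.4", "nginx": "1.18.0"}},  # version changed
    "unknown-laptop": {"department": "?", "location": "Guest-WiFi",
                       "software": {}},                            # hardware not in baseline
}


def inventory_drift(baseline, scan):
    """Return sorted (host, department, location, change) tuples for everything
    that differs from the approved baseline, so each finding already carries
    the details needed to route it to the right team."""
    findings = []
    for host, cur in scan.items():
        where = (host, cur["department"], cur["location"])
        if host not in baseline:
            findings.append(where + ("unregistered host",))
            continue
        base_sw = baseline[host]["software"]
        for name, ver in cur["software"].items():
            if name not in base_sw:
                findings.append(where + (f"new software {name} {ver}",))
            elif base_sw[name] != ver:
                findings.append(where + (f"{name} changed {base_sw[name]} -> {ver}",))
        for name in base_sw:
            if name not in cur["software"]:
                findings.append(where + (f"software removed {name}",))
    for host, base in baseline.items():
        if host not in scan:
            findings.append((host, base["department"], base["location"],
                             "host missing from scan"))
    return sorted(findings)


# --- 2. Time-to-remediate against a 30-day window -----------------------------
@dataclass
class VulnRecord:
    host: str
    vuln_id: str            # placeholder ids, not real advisories
    detected: date
    fixed: Optional[date] = None


def days_open(rec, today):
    """Days between detection and fix (or detection and today if still open)."""
    return ((rec.fixed or today) - rec.detected).days


def overdue(records, today, sla_days=30):
    """Unfixed records older than the SLA as (age, host, id), oldest first."""
    late = [(days_open(r, today), r.host, r.vuln_id)
            for r in records if r.fixed is None and days_open(r, today) > sla_days]
    return sorted(late, reverse=True)


def share_fixed_within(records, days):
    """Fraction of closed records fixed within `days` of detection, the same
    shape of figure as the survey's 'fixed within 30 days' percentage."""
    fixed = [r for r in records if r.fixed is not None]
    if not fixed:
        return 0.0
    return sum(1 for r in fixed if days_open(r, r.fixed) <= days) / len(fixed)


# Constructed sample: "today" and four findings on the hosts above
TODAY = date(2019, 6, 30)
RECORDS = [
    VulnRecord("fin-ws-01", "VULN-0001", date(2019, 5, 1), date(2019, 5, 10)),   # fixed in 9 days
    VulnRecord("eng-srv-07", "VULN-0002", date(2019, 5, 1), date(2019, 6, 5)),   # fixed in 35 days
    VulnRecord("eng-srv-07", "VULN-0003", date(2019, 5, 15)),                    # open 46 days
    VulnRecord("fin-ws-01", "VULN-0004", date(2019, 6, 20)),                     # open 10 days
]

if __name__ == "__main__":
    for f in inventory_drift(BASELINE, CURRENT_SCAN):
        print("drift:", f)
    print("overdue (>30d):", overdue(RECORDS, TODAY))
    print("share fixed within 30d:", share_fixed_within(RECORDS, 30))
```

The drift diff reports both directions (software or hosts that appear, and software or hosts that vanish), because a missing host is as much an inventory gap as an unregistered one; the SLA report deliberately lists only still-open findings, since closed ones belong in the `share_fixed_within` trend figure rather than in an action queue.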

Sarb Sembhi, CTO & CISO of Virtually Informed, commented to SC Media UK: “Most IT and security professionals in all organisations usually attempt to fix issues in the shortest time possible, depending on knowing about the issue (vulnerability, breach, incident, etc). Unfortunately, not all have access to budgets that give them the right balance between more skilled people and more technology. Picking up all vulnerabilities requires all the right technology and the right staff who know how to prioritise between critical and non-critical for office-based staff and the road warriors.

“The survey's last statistic illustrates clearly that many organisations don't have the right balance, which is going to be different for each organisation; there is no rule that fits all, especially with different industry sectors, applications, business priorities, etc.

“This balance is made harder to achieve when users demand many more cloud-based applications whilst some users continue to insist on using older applications, meaning that IT has to support an ever increasing number of both legacy and new applications.”
