Major data breaches continue to be headline news, but the well-publicised incidents are only the tip of the iceberg. A significant number of organisations are still failing to protect themselves from threats, with new ServiceNow-commissioned research carried out with 3,000 IT security professionals finding that 48 percent of businesses have experienced a data breach in the last two years.
Worryingly, it's not the increased sophistication of hackers or their methods that are leaving organisations open to attack. Of the organisations that suffer a data breach, more than half (57 percent) did so because of a vulnerability for which a patch was already available. In fact, 34 percent were actually aware that they were vulnerable before being successfully targeted.
Timely patching is a highly effective way to avoid a security breach, so why are so many organisations failing in this process?
The patching paradox
Quite simply, firms struggle with patching because they use manual processes and they can't prioritise what needs to be patched first. The majority (64 percent) plan to hire in the next 12 months to improve their vulnerability response, yet cyber-security teams already spend an average of 321 hours a week managing the vulnerability response process — the equivalent of about eight full-time employees.
The result is a “patching paradox”, where hiring more talent does not mean better security. Our research shows that security professionals plan to hire an extra four people dedicated to vulnerability response – an increase of 50 percent over today's staffing levels.
Yet no amount of additional talent or resource will improve their security posture if they don't fix their underlying broken patching processes.
Why broken processes hurt
Existing security teams are under immense pressure and in a constant battle to mitigate the continually growing number of threats from cyber-criminals.
The ServiceNow study found that security teams lost an average of 11 days manually coordinating patching activities across teams — and that's just one task. Two-thirds of security professionals also say they find it difficult to prioritise what needs to be patched first and 61 percent agree that manual processes put them at a disadvantage when patching vulnerabilities.
All this amounts to over half (55 percent) of security teams spending more time navigating manual processes than focusing on fixing the vulnerabilities of their organisation.
The result is an extensive vulnerability backlog, with little insight into the tasks that should be dealt with first and by who. With only 61 percent of vulnerabilities fixed within a month, the rest are likely to be delayed, deferred, or never fixed at all.
Critical systems are left open to potential attackers and this puts many organisations in the position of accumulating security debt as time goes on, when resource could be much better applied.
Automation is the answer
The time to act is now. Breach rates are already extraordinarily high, with the volume increasing by 15 percent since last year and the severity by 23 percent. Emerging AI-fuelled threats are only set to increase the volume, speed and effectiveness of cyber-attacks even further.
Organisations can't rely solely on hiring amidst a talent shortage to get work done, while relying on the manual processes they use today. By automating routine processes and vulnerability priorities, organisations avoid the “patching paradox”, instead focusing their existing team on critical work that will dramatically reduce the likelihood of a breach.
In fact, Forrester's Top 10 Technology Trends To Watch: 2018 to 2020 “dawning trend” is that automated security intelligence and breach response will liberate security and risk. Security teams will be unshackled from repetitive manual tasks, enabling them to concentrate on new threats and the most impactful incidents.
To many organisations the security landscape seems dangerous and complex, but the good news is that changing the fundamentals of your security operations is not impossible. By automating routine processes and taking care of basic hygiene, security teams can significantly reduce the risk of a breach and improve security response, while freeing up their time.
With a pragmatic roadmap, these results are within reach of any organisation, offering a clear outlook for a more secure future.
Contributed by By Greg White, security operations at ServiceNow. *
Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.