A recent survey carried out by the Ponemon Institute for ServiceNow has revealed that healthcare and pharmaceutical companies are not keeping up with patching. Vulnerabilities are not being patched quickly, leaving organizations susceptible to attack.
The survey was sent to 3,000 security workers at organizations with more than 1,000 employees across a broad range of industry sectors and countries. The findings were published in the report Today’s State of Vulnerability Response: Patch Work Demands Attention.
The report showed that 57% of respondents had suffered at least one data breach in which access to the network was gained by exploiting a vulnerability for which a patch had already been issued. A third of respondents said they were aware the vulnerability existed and that a patch was available before the breach. More worrying, two thirds of organizations did not know they were vulnerable.
Even though there is a major risk of vulnerabilities being exploited, 37% of respondents said they do not scan for vulnerabilities and therefore cannot be sure all vulnerabilities are identified and addressed. The healthcare and pharmaceutical sectors were slightly better than average, although 28% of IT security workers from those industries said vulnerability scanning was not performed.
65% of cybersecurity workers said they find it difficult to prioritize patching and determine which software should be patched first. 61% said manual processes were putting them at risk when patching vulnerabilities, and an average of 12 days were being lost coordinating patching activities across teams.
More than three quarters of IT security workers felt the delay in patching vulnerabilities was due to a lack of qualified staff. They simply did not have enough staff members to keep on top of patching. On average, 321 hours a week are being spent on vulnerability management, but even so, medium to low priority patches are still taking eight weeks or longer to be installed.
60% of respondents said they would be hiring more staff in the next year to help speed up the patching of flaws. On average, organizations are looking to hire four new employees dedicated solely to vulnerability response.
Deciding to bring in more staff is one thing. Recruiting staff is a separate issue. There is a lack of skilled IT staff and the problem is getting worse. According to a recent survey carried out by the advocacy group ISACA, by 2019 there will be 2 million vacant cybersecurity positions.
Even if staff can be hired, there is no guarantee that security posture will be significantly improved. While more staff could certainly help some companies, the report points to a patching paradox: hiring more staff does not mean better security.
ServiceNow Security and Risk Vice President and General Manager Sean Convery said: “Adding more talent alone won’t address the core issue plaguing today’s security teams. Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”
The Ponemon Institute/ServiceNow study offers five recommendations that can help organizations develop a roadmap to an improved security posture.
- Record an unbiased inventory of vulnerability response capabilities.
- Speed up time-to-benefit by addressing low-hanging fruit first.
- Break down data silos between security and IT to regain the time lost coordinating between the two.
- Define and prioritize end-to-end vulnerability response processes and then automate as much as you can within reason.
- Ensure retention of talent by focusing on culture and work environment.