Nearly 27 percent of organizations worldwide have been breached as a result of an unpatched vulnerability, according to Tripwire’s 2019 Vulnerability Management Survey..
In Europe, companies fair worse with 34 percent of respondents reporting a breach due to the same cause.
Tripwire partnered with Dimensional Research to survey 340 infosecurity professionals on vulnerability management trends and found that companies also lack visibility of their attack surface.
The survey found that when asked how long does it take to detect new hardware and software added to your organization’s network, 37 percent of respondents said hours, 22 percent said minutes, 21 percent said days, 11 percent couldn’t detect new devices, 7 percent said weeks, and 3 percent said months or even longer.
When asked if their organization runs vulnerability scans, 88 percent said yes while 12 percent replied no. Then when asked what kind of vulnerability scanning is done, 86 percent said automated vulnerability scans, 75 percent port scans, 63 percent authenticated scans and 1 percent said none of the above.
Even the organizations that reported conducting vulnerability scans reported not doing them at the recommended frequency. Researchers also found only 39 percent ran the scans weekly, 23 percent said daily, 22 percent quarterly or less often, and 17 percent said monthly.
“If you’re not scanning for vulnerabilities frequently enough, you’re missing new vulnerabilities that have been discovered, and you may be miss assets that tend to go on and off the network, like traveling laptops,” Tim Erlin, vice president of product management and strategy at Tripwire said.
The study also found most organizations want more mature vulnerability management, but are constrained.
When asked which of the following statements best characterizes your approach to vulnerability management 50 percent said they “conduct vulnerability scans to reduce risk, but only have the bandwidth to focus on high severity vulnerabilities, 19 percent considered vulnerability management a strategic part of their company-wide approach to risk management, 16 percent conduct vulnerability scans only to meet compliance or other requirements .
In addition, 13 percent best identified with “we have an extensive vulnerability management program in the departments that prioritize it” while the remaining two percent identified with “non of these represent our approach.”
The study also found that despite some flaws, most organizations aim to fix their vulnerabilities within 30-days or less when spotted and most organizations recognize the need to prioritize vulnerabilities more effectively.