Ponemon Institute conducted a survey on behalf of ServiceNow to learn about the patching issues that the healthcare and pharmaceutical industries are struggling with. The study revealed that organizations are not patching vulnerabilities promptly, thereby leaving their network systems open to cyber attacks. The survey respondents included 3,000 security professionals from organizations across different industries with over 1,000 employees. The survey results can be read in the report Today's State of Vulnerability Response: Patch Work Demands Attention.
According to the report, 57% of respondents confirmed experiencing at least one data breach that involved access to the network because of a vulnerability for which there was a patch previously released. One-third of respondents admitted knowing about the vulnerability and the patch available before the breach occurred. But two-thirds did not know they were vulnerable to the cyber attack at all.
Although most people know about the risk of vulnerabilities being exploited, 37% of respondents admit that they do not scan for vulnerabilities, so they cannot be certain which vulnerabilities exist in their systems, let alone fix them. 28% of IT security professionals from the healthcare and pharmaceutical industries said that they do not perform scans.
Regarding the patching of vulnerabilities, 65% of cybersecurity professionals had difficulty prioritizing this task and identifying which software to patch first. 61% said that the manual patching of vulnerabilities is putting them at a disadvantage. About 12 days are wasted on coordinating the patching activities among the teams.
About 75% of IT security professionals believe that the lack of staff is causing the delay in patching. On average, vulnerability management takes about 321 hours per week. But even with that much time spent on the job, it still takes 8 weeks or more just to apply medium to low priority patches. 60% of respondents said they planned to hire more employees in the next 12 months to speed up work. On average, companies are likely to recruit four new employees just for vulnerability response.
The problem of the skilled IT staff shortage is growing worse. The advocacy group ISACA conducted a survey which revealed that about 2 million cybersecurity positions will be unfilled by 2019. Filling the positions, however, does not guarantee better security. Automating routine processes and prioritizing vulnerabilities are necessary. People must be focused on doing critical work to reduce the likelihood of a security breach.
The Ponemon Institute – ServiceNow report recommended five tasks that must be done to achieve a better security posture.
- Have an honest evaluation of vulnerability response capabilities.
- Speed up time-to-benefit by dealing with low-hanging fruit first.
- Break down data gaps between security and IT to stop wasting time on coordinating between the two.
- Define and optimize end-to-end vulnerability response processes and automate.
- Retain talent by focusing on culture and environment.