Several companies are still finding it difficult to manage the high volumes of vulnerabilities affecting their software and hardware.
The average company fails to patch close to 30% of the vulnerabilities affecting its software and hardware in any given six-month period, according to the latest report from Ponemon Institute and IBM X-Force Red.
The report, "The State of Vulnerability Management in the Cloud and On-Premises," finds that organizations carry a backlog of 57,555 identified vulnerabilities on average. More than half of the companies surveyed suffered a security breach in 2019, and 42% of those respondents attribute the breach to a known but unpatched vulnerability.
Many firms have not identified which types of vulnerabilities pose the highest risk to them, and only a handful classify risk based on business impact. The report stresses the importance of automated, risk-based prioritization.
It also finds that just 20% of enterprises patch vulnerabilities on time, and over 50% cannot easily track how efficiently vulnerabilities are being remediated. Most lack the resources to patch the sheer volume of issues, and many cannot tolerate the downtime that patching requires.
A large number of enterprises therefore face significant challenges in patching software vulnerabilities. They are increasingly adopting agile development methodologies, which accelerate the rate at which new code (and new flaws) reaches production, yet only about a third of them scan their applications and systems regularly for vulnerabilities.
According to the report, firms facing vulnerabilities in huge volumes need a way to narrow the set of security issues to a manageable, high-impact subset. Nearly 40% of them prioritize scan results by Common Vulnerability Scoring System (CVSS) score alone, which is a less-than-reliable method: a CVSS base score rates the severity of a flaw in isolation and says nothing about whether an exploit is actually being used, whether the affected asset is reachable, or what the asset is worth to the business.
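To make the difference concrete, the following is an added example (not code from the report or from Ponemon/IBM X-Force Red) that ranks a small, constructed backlog two ways: by CVSS base score alone, and by a risk score that also weighs exploit evidence, internet exposure and business-assigned asset criticality. The weighting factors, the `Vuln` fields and the `VULN-*` identifiers are illustrative assumptions, not a standard.

```python
"""Risk-based vs CVSS-only prioritization of a vulnerability backlog.

Added example for illustration; the scoring factors and the sample backlog
below are constructed, not taken from the report or any real scanner output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str                 # constructed placeholder identifier, not a real CVE
    cvss: float              # CVSS base score, 0.0 .. 10.0
    known_exploited: bool    # evidence of exploitation in the wild
    internet_facing: bool    # affected asset is reachable from the internet
    asset_criticality: int   # 1 (low) .. 5 (crown jewel), assigned by the business


def risk_score(v: Vuln) -> float:
    """Context-aware score: CVSS severity scaled by exploit evidence, exposure
    and business impact. The multipliers are hypothetical; a real program
    would tune them to its own threat model and asset inventory."""
    score = v.cvss
    score *= 2.0 if v.known_exploited else 1.0   # exploited flaws jump the queue
    score *= 1.5 if v.internet_facing else 0.5   # reachability matters
    score *= v.asset_criticality / 3.0           # scale by what the asset is worth
    return round(score, 2)


def cvss_order(vulns: list[Vuln]) -> list[str]:
    """Backlog ordered by CVSS base score only (the 'nearly 40%' approach)."""
    return [v.vid for v in sorted(vulns, key=lambda v: -v.cvss)]


def risk_order(vulns: list[Vuln]) -> list[str]:
    """Backlog ordered by the context-aware risk score."""
    return [v.vid for v in sorted(vulns, key=lambda v: -risk_score(v))]


def patch_this_cycle(vulns: list[Vuln], capacity: int, by_cvss: bool = False) -> list[str]:
    """With limited remediation capacity, which items get fixed this cycle?"""
    order = cvss_order(vulns) if by_cvss else risk_order(vulns)
    return order[:capacity]


# Constructed sample backlog.
BACKLOG = [
    Vuln("VULN-A", 9.8, known_exploited=False, internet_facing=False, asset_criticality=1),
    Vuln("VULN-B", 7.5, known_exploited=True,  internet_facing=True,  asset_criticality=5),
    Vuln("VULN-C", 8.8, known_exploited=False, internet_facing=True,  asset_criticality=3),
    Vuln("VULN-D", 6.5, known_exploited=True,  internet_facing=False, asset_criticality=4),
    Vuln("VULN-E", 5.3, known_exploited=False, internet_facing=True,  asset_criticality=2),
]

if __name__ == "__main__":
    print("CVSS-only order :", cvss_order(BACKLOG))
    print("Risk-based order:", risk_order(BACKLOG))
    # With capacity for two fixes, CVSS-only patches an isolated low-value host
    # first and leaves the actively exploited, internet-facing crown jewel waiting.
    print("Capacity 2, CVSS-only :", patch_this_cycle(BACKLOG, 2, by_cvss=True))
    print("Capacity 2, risk-based:", patch_this_cycle(BACKLOG, 2))
```

On this backlog the CVSS-only queue starts with VULN-A, a 9.8 on an isolated, low-value host, while the risk-based queue starts with VULN-B, a 7.5 that is actively exploited on an internet-facing critical asset. A team that can only fix two items this cycle would, under CVSS-only ordering, leave VULN-B untouched.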
Many organizations also leave key infrastructure components out of their security efforts. In particular, they are unable to conduct the same level of penetration testing against cloud applications as they do against their on-premises applications.
As the cloud footprint expands rapidly, companies will need distinct governance structures and security policies for cloud applications. They also need a balanced mix of programmatic penetration testing and an ongoing vulnerability management program to reduce the security uncertainty around applications and other assets, both in the cloud and on-premises.
Moreover, companies tend to treat vulnerability management as a compliance exercise rather than as a means of actually eliminating vulnerabilities. Security leaders spend much of their time on performance reviews and compliance reports, and in meeting those marks they sideline the company's actual security posture.