More than 1 billion records were compromised in data breaches in 2014, speaking to the ongoing problems organizations face in managing information security risk. In particular, security vulnerabilities that go unaddressed remain one of the most common root causes of data breaches today. Despite the best detection technology and improved intelligence sharing among industries, hackers continue to take advantage of weaknesses across the IT environment. This is hardly a surprise given that in the financial services industry alone, unquestionably the most targeted by cybercrime, the average time it takes to remediate a vulnerability is 176 days.
When it comes to the effectiveness of traditional vulnerability risk management programs, the challenges are often rooted in the process itself. Simply put, there are many manual steps (and often missteps), and given the labor-intensive list of to-dos, many organizations have resorted to using vulnerability risk management merely as a means to help document system compliance with industry or government regulations.
Many other challenges keep organizations from moving faster from vulnerability detection to remediation. Perhaps most notably, IT teams are overwhelmed with data and lack the context to efficiently prioritize the most critical threats. Vulnerabilities are ranked according to the industry-standard CVSS base score, but this alone does not reflect true risk. It fails to factor in additional context such as the business impact of a breach on the asset data, the exploitability of the vulnerability through publicly available exploits, the presence of active malware using the detected vulnerability, or the popularity of the vulnerability in social media. Improving prioritization of vulnerability risk can potentially serve to reduce the time to remediation.
This report will explore the current state of vulnerability risk management across multiple industries with real-world insight on security vulnerabilities per asset, most vulnerable platforms, and average remediation time of critical threats. In addition, the relationship between social media and security vulnerabilities will be examined to demonstrate the impact of additional context in improving prioritization.