Global organisations are taking nearly two months to address and remediate critical risk vulnerabilities, with the average time taken to fix issues across a full stack set reaching to 60 days.
The findings are part of a new Vulnerability Statistics Report 2022, published by smart vulnerability management firm, Edgescan, which explores the state of IT weaknesses in organisational management at a global level.
The findings in the report are based on the data collected from tens of thousands of individual assets. The analysed sample included over 40,000 web application and API assessments, 3 million Network Endpoint assessments, and around 1,000 penetration tests delivered in 2021 by the Edgescan team.
The latest research took a deep-dive into trends by industry and provides details on which of the known, patchable vulnerabilities are currently being exploited by threat actors.
High rates of “known” (i.e. patchable) vulnerabilities which have working exploits in the wild, used by known nation state and cybercriminal groups are not uncommon. Remote access exposures across the attack surface are a worrying trend and accounted for 5% of total attack surface exposures in 2021.
Crucially, 57% of all observed vulnerabilities are more than two years old, with as many as 17% being more than five years old. These are all vulnerabilities that have working exploits in the wild, used by known nation state and cybercriminal groups. Experts also observed a concerning 1.5% of known, unpatched vulnerabilities that are over 20 years old, dating back to 1999.
While the size of an organisation bears little weight on average mean time to remediate (MTTR) significant differences across industries were noted: Healthcare organisations, despite the extreme pressure they endured in the past two years, came out on top, with an MTTR of just 44 days. At the opposite end of the spectrum, the public administration sector took an average of 92 days to remediate known vulnerabilities - a month longer than the cross-industry average.
Eoin Keary, CEO and cofounder of Edgescan, said:
“Patching and maintenance are still a challenge, and so is detection. Attack surface management and visibility is paramount, and with our report we aim inform enterprises of the most common exposures”