Critical risk weaknesses take organisations 60 days to patch

By GRC World Forums2022-03-09T17:02:00+00:00

No comments

Global organisations are taking nearly two months to address and remediate critical risk vulnerabilities, with the average time taken to fix issues across a full stack set reaching to 60 days.

risk weaknesses code

The findings are part of a new Vulnerability Statistics Report 2022, published by smart vulnerability management firm, Edgescan, which explores the state of IT weaknesses in organisational management at a global level.

The findings in the report are based on the data collected from tens of thousands of individual assets. The analysed sample included over 40,000 web application and API assessments, 3 million Network Endpoint assessments, and around 1,000 penetration tests delivered in 2021 by the Edgescan team.

The latest research took a deep-dive into trends by industry and provides details on which of the known, patchable vulnerabilities are currently being exploited by threat actors.

High rates of “known” (i.e. patchable) vulnerabilities which have working exploits in the wild, used by known nation state and cybercriminal groups are not uncommon. Remote access exposures across the attack surface are a worrying trend and accounted for 5% of total attack surface exposures in 2021.

Crucially, 57% of all observed vulnerabilities are more than two years old, with as many as 17% being more than five years old. These are all vulnerabilities that have working exploits in the wild, used by known nation state and cybercriminal groups. Experts also observed a concerning 1.5% of known, unpatched vulnerabilities that are over 20 years old, dating back to 1999.

While the size of an organisation bears little weight on average mean time to remediate (MTTR) significant differences across industries were noted: Healthcare organisations, despite the extreme pressure they endured in the past two years, came out on top, with an MTTR of just 44 days. At the opposite end of the spectrum, the public administration sector took an average of 92 days to remediate known vulnerabilities - a month longer than the cross-industry average.

Eoin Keary, CEO and cofounder of Edgescan, said:

“Patching and maintenance are still a challenge, and so is detection. Attack surface management and visibility is paramount, and with our report we aim inform enterprises of the most common exposures”

No comments

Webinar
First 100 Days as the New DPO – Getting Off On the Right Foot

2023-11-08T10:00:00Z By GRC World Forums

Webinar produced by GRC World Forums in association with Sypher
Video
#RISK Founder Nick James in conversation with Adriano Bosoni, RANE Network

Adriano Bosoni is Director of Analysis at RANE Network.
Video
#RISK Founder Nick James in conversation with Courtney Holm, Capgemini

Courtney Holm is Vice President, Sustainable Futures at Capgemini.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More from News & Insight

News
There’s nothing quite like face-to-face engagement!

2023-10-25T11:07:00Z

#RISK London 2023 took place on the 18 & 19 October and attracted over 4,000 senior decision makers from end user organisations.
News
58 arrested in Europe over alleged money laundering, fraud and drug trafficking

2023-10-18T15:51:00Z

Tax police in Italy have announced the arrest of 58 individuals suspected of money laundering, fraud and drug trade activities, allegedly supported by illicit currency brokers from China.
Opinion
Most multinationals unprepared for forthcoming ESG regulations

2023-10-17T10:53:00Z

A recent report reveals that up to three quarters of companies worldwide are ill-prepared to have their environmental, social, and governance (ESG) data externally audited, just months before new regulations are set to come into effect.