A pair of new reports illustrate the cybersecurity paradoxes facing large organizations, like health and pharma companies.
A pair of new reports illustrate a couple of alarming trends: First, that the volume of cybersecurity vulnerabilities is on the rise, and second, that companies may not be able to patch or hire their way to safety.
This week, software provider Flexera released its Vulnerability Review 2018. Surveying over 55,000 enterprise applications, it found the number of reported system vulnerabilities had risen by 14% from 2016 to 2017, numbering nearly 20,000 now.
“There’s no question based on this year’s results, the risks remain high,” Kasper Lindgaard, Director of Research and Security at Flexera, said in a statement. “As the potential for breaches expands, the pressure is on executives to increase vigilance through better operational processes — instead of reacting to risks that hit media headlines and cause disruption. The Equifax breach and WannaCry attacks taught us that.”
The good news is, 86% of the vulnerabilities had patches available on disclosure day, and zero-day vulnerabilities—or weaknesses that are exploited before the software makers notice them—are extremely rare. The report found only a little more than a dozen of them.
The bad news comes from a second report, also released this week. The problem lives right in its title: “Today’s State of Vulnerability Response: Patch Work Demands Attention.”
That study, commissioned by enterprise software company ServiceNow, surveyed almost 3,000 security professionals across 6 industries, including healthcare and pharmaceuticals. It found that organizations aren’t particularly great at frequently scanning for vulnerabilities or efficiently applying patches.
Half of all health and pharma security workers polled reported that their organization had suffered at least 1 cyberattack in the last 2 years. They actually were the least likely to report that their organization didn’t scan for vulnerabilities, though that’s nothing for the industry to hang its hat on: An alarming 28% reported that their organization didn’t scan. That was the most frequent response, followed by those who said their organization scanned weekly.
When critical or high priority vulnerabilities are detected, 76% of industry experts said they patched within 2 weeks. But when a vulnerability was considered medium or low priority, 43% said it took them 7 months or more.
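The scanning-cadence and patch-timeline figures above are easier to act on if an organization tracks each finding against a per-severity patch window. The following Python script is an added example, not code from either report or from Flexera or ServiceNow: it classifies vulnerability records as patched in window, patched late, overdue, open in window, or waiting on a vendor fix, and summarizes the result per severity tier. The window lengths, the `VulnRecord` fields and the sample records are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical patch-window targets (days from fix availability), constructed
# for this example; they are not figures from either report.
PATCH_WINDOW_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}


@dataclass
class VulnRecord:
    vuln_id: str
    asset: str
    severity: str            # one of the PATCH_WINDOW_DAYS keys
    disclosed: date          # public disclosure date
    patch_available: Optional[date]  # None while no vendor fix exists
    patched: Optional[date]  # None while still open on this asset


def deadline(rec: VulnRecord) -> Optional[date]:
    """Deadline measured from the day a fix became available.
    With no fix yet, there is no patch deadline; the item still counts
    as exposed and belongs on a mitigation list instead."""
    if rec.patch_available is None:
        return None
    return rec.patch_available + timedelta(days=PATCH_WINDOW_DAYS[rec.severity])


def classify(rec: VulnRecord, today: date) -> str:
    """Status of one record relative to its patch window on 'today'."""
    due = deadline(rec)
    if due is None:
        return "no-fix-available"
    if rec.patched is not None:
        return "patched-in-window" if rec.patched <= due else "patched-late"
    return "overdue" if today > due else "open-in-window"


def exposure_days(rec: VulnRecord, today: date) -> int:
    """Days between disclosure and remediation (or 'today' if still open)."""
    end = rec.patched if rec.patched is not None else today
    return (end - rec.disclosed).days


def overdue_ids(records: List[VulnRecord], today: date) -> List[str]:
    """IDs of open findings that have passed their window, worst exposure first."""
    late = [r for r in records if classify(r, today) == "overdue"]
    late.sort(key=lambda r: exposure_days(r, today), reverse=True)
    return [r.vuln_id for r in late]


def summarize(records: List[VulnRecord], today: date) -> Dict[str, Dict[str, float]]:
    """Per-severity counts by status plus the share patched inside the window."""
    out: Dict[str, Dict[str, float]] = {}
    for rec in records:
        tier = out.setdefault(rec.severity, {"total": 0})
        tier["total"] += 1
        status = classify(rec, today)
        tier[status] = tier.get(status, 0) + 1
    for tier in out.values():
        tier["pct_in_window"] = round(100.0 * tier.get("patched-in-window", 0) / tier["total"], 1)
    return out


# Constructed sample inventory; IDs and assets are placeholders.
SAMPLE_RECORDS = [
    VulnRecord("VULN-0001", "ehr-web-01", "critical", date(2018, 3, 1), date(2018, 3, 1), date(2018, 3, 10)),
    VulnRecord("VULN-0002", "lab-db-02", "high", date(2018, 2, 1), date(2018, 2, 1), date(2018, 3, 1)),
    VulnRecord("VULN-0003", "imaging-03", "medium", date(2018, 1, 10), date(2018, 1, 12), None),
    VulnRecord("VULN-0004", "kiosk-04", "low", date(2018, 4, 1), date(2018, 4, 2), None),
    VulnRecord("VULN-0005", "ehr-web-01", "critical", date(2018, 4, 15), None, None),
]
AS_OF = date(2018, 4, 20)  # constructed reporting date

if __name__ == "__main__":
    for severity, stats in summarize(SAMPLE_RECORDS, AS_OF).items():
        print(severity, stats)
    print("overdue:", overdue_ids(SAMPLE_RECORDS, AS_OF))
```

Measuring the window from fix availability rather than disclosure keeps findings with no vendor patch out of the "overdue" bucket, so they surface as a separate mitigation list instead of silently inflating the late count; the medium and low tiers are where the seven-month tails reported above would show up as a growing `overdue` figure.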
“Most data breaches occur because of a failure to patch, yet many organizations struggle with the basic hygiene of patching,” said Sean Convery, vice president and general manager, ServiceNow Security and Risk. “Attackers are armed with the most innovative technologies, and security teams will remain at a disadvantage if they don’t change their approach.”
Healthcare and pharma IT pros agreed with those sentiments. 58% answered either “Agree” or “Strongly Agree” to the idea that “attackers are outpacing enterprises with technology such as machine learning/artificial intelligence,” and 52% gave one of those two answers to “Our organization is at a disadvantage in responding to vulnerabilities because we use manual processes.”
To fight these trends, Convery said that organizations need to look into automating their patching functions. And healthcare IT staff would likely welcome that: 39% reported that their IT security staff consisted of fewer than 10 people. Compare that to IT workers from financial services firms: Despite reporting similar organization sizes to their counterparts in health, 94% of them answered that they had 20 or more security staff in their company.