
5% of Organizations Master Cybersecurity Risk Assessments

Tenable’s Tom Parsons

Forewarned is forearmed, yes? A new study by Tenable, a cyber exposure specialist, underscores that axiom, concluding that businesses worldwide have a ways to go before they’ve sufficiently assessed and lowered their vulnerability to a hack attack.

A mere five percent of organizations globally deploy fully mature cybersecurity risk assessment programs centered on comprehensive asset coverage, Tenable’s new study of 2,100 outfits found. The research was intended to identify differences in the maturity levels of risk assessment.

Tenable’s Cyber Defender Strategies Report analyzed data from 60 countries on how businesses take stock of their exposure to vulnerabilities -- in other words, how good or bad is it? The quick answer is it’s so-so. Nearly 50 percent said they deploy at least moderately mature programs featuring custom scanning and prioritized resources to reduce their risk of exposure to hackers.

In the macro sense, Tenable measures exposure by evaluating asset vulnerability -- the more mature a company's assessment program, the lower its risk of destructive hacking. By Tenable’s figuring, there are four distinct strategies by which companies determine their vulnerability (more on that in a minute). In this study, 33 percent of organizations did the least to estimate their risk: the bare minimum required by compliance regulations.

The study correlates with an earlier Tenable survey, which found that seven days is the median amount of time cyber attackers have to exploit a known vulnerability before defenders intervene. That window appears to relate directly to how enterprises conduct vulnerability assessments -- more mature approaches let defenders find an open door faster and deal with it.

The key findings identify four categories of risk assessment: Minimalist, Surveyor, Investigator and Diligent, listed here in ascending order of maturity:

  • Minimalist: Executes bare minimum vulnerability assessments as required by compliance mandates. Thirty-three percent of organizations fall into this category, running limited assessments on only selected assets.
  • Surveyor: Conducts frequent broad-scope vulnerability assessments but with little authentication and customization of scan templates. Nineteen percent of organizations follow the Surveying style, placing them at a low to medium maturity.
  • Investigator: Executes vulnerability assessments with a high maturity, but only assesses selective assets. Forty-three percent follow the Investigative style.
  • Diligent: Represents the highest level of maturity, achieving near-continuous visibility into where an asset is secure or exposed and to what extent through high assessment frequency. Only five percent of organizations fall into this category.

“In the not too distant future, there will be two types of organizations -- those who rise to the challenge of reducing cyber risk and those who fail to adapt to a constantly evolving and accelerating threat landscape in modern computing environments,” said Tom Parsons, Tenable’s senior director of product management. “This research is a call to action for our industry to get serious about giving the advantage back to cyber defenders, starting with the rigorous and disciplined assessment of vulnerabilities as the basis for mature vulnerability management and ultimately, cyber exposure,” he said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.