
Organizations Fix Only 1 in 10 Vulnerabilities Monthly


New research from SecurityScorecard features a couple of eye-popping “only” findings: Only 10 percent of vulnerabilities are remediated each month, and only 60 percent of companies have improved their security profile despite a 15-fold increase in the number of cyber incidents in the last three years.

That’s not good. The research, which sought to measure how long it took the 1.6 million organizations assessed to remediate vulnerabilities in the three-year period from 2019 to 2022, also found the following:

  • 53% had at least one vulnerability exposed to the internet, and 22% had accumulated more than 1,000 such vulnerabilities each, a sign that more progress is required to protect organizations’ critical assets.
  • The financial sector had among the slowest remediation rates (a median of 426 days to fix half of its vulnerabilities), while utilities ranked among the fastest (a median of 270 days).
  • Despite a 15-fold increase in exploitation activity against vulnerabilities with published exploit code, there was little evidence that organizations in the financial sector fixed exploited flaws faster.
  • The IT sector (62.6%) and public sector (61.6%) had the highest prevalence of open vulnerabilities.
  • The financial sector (48.6%) had the lowest proportion of open vulnerabilities, although the report puts the difference between it and the sectors with the most open vulnerabilities at less than 10%.
  • It typically takes organizations 12 months to remediate half of the vulnerabilities in their internet-facing infrastructure.
  • When firms have fewer than 10 open vulnerabilities, it can take about a month to close half of them; once the list grows into the hundreds, it takes up to a year to reach the halfway point.
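The "time to remediate half" figure the report uses is a censored-time statistic: findings that are still open when the observation window ends have not failed to be fixed, they just have not been fixed yet, and dropping them makes an organization look faster than it is. The following Python is an added example, not SecurityScorecard's code or methodology; it computes that figure over constructed scan records with a Kaplan-Meier estimator and contrasts it with the naive median over closed findings only. The finding names, dates and the as-of date are all made up for the example.

```python
"""Estimate 'days to remediate half of the findings' from scan history.

Added example; not SecurityScorecard's methodology. All records below are
constructed for illustration, not taken from the report.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    name: str
    first_seen: date          # first scan in which the exposure appeared
    closed: Optional[date]    # None = still open on the as-of date


def finding(name: str, first_seen: str, closed: Optional[str] = None) -> Finding:
    """Build a Finding from ISO-8601 date strings (hypothetical helper)."""
    return Finding(name, date.fromisoformat(first_seen),
                   date.fromisoformat(closed) if closed else None)


def days_to_remediate_half(findings: List[Finding], as_of: date) -> Optional[int]:
    """Kaplan-Meier estimate of the day by which half of the findings are closed.

    Findings still open on `as_of` are right-censored: they stay in the
    at-risk set for as long as they were observed but never count as a fix.
    Returns None when fewer than half were closed inside the window, i.e. the
    median was not reached, which is itself a finding worth reporting.
    """
    observations = []
    for f in findings:
        if f.closed is not None and f.closed <= as_of:
            observations.append(((f.closed - f.first_seen).days, True))
        else:
            observations.append(((as_of - f.first_seen).days, False))
    observations.sort()

    at_risk = len(observations)
    still_open = 1.0          # estimated fraction not yet remediated
    i = 0
    while i < len(observations):
        t = observations[i][0]
        fixed_at_t = leaving_at_t = 0
        # Group every observation that ends on day t (fixes and censorings).
        while i < len(observations) and observations[i][0] == t:
            if observations[i][1]:
                fixed_at_t += 1
            leaving_at_t += 1
            i += 1
        if fixed_at_t:
            still_open *= 1 - fixed_at_t / at_risk
            if still_open <= 0.5:
                return t
        at_risk -= leaving_at_t   # censored items leave after being at risk on day t
    return None


def naive_closed_only_median(findings: List[Finding]) -> Optional[float]:
    """Median time-to-fix over closed findings only.

    Shown for contrast: ignoring the still-open backlog is survivorship bias
    and pushes the number down.
    """
    durations = [(f.closed - f.first_seen).days for f in findings if f.closed]
    return median(durations) if durations else None


# Constructed sample: one internet-facing asset's findings during 2022.
AS_OF = date(2023, 1, 1)
SAMPLE = [
    finding("f01", "2022-01-01", "2022-01-11"),   # closed after 10 days
    finding("f02", "2022-01-01", "2022-01-31"),   # 30 days
    finding("f03", "2022-01-01", "2022-02-15"),   # 45 days
    finding("f04", "2022-01-01"),                 # still open (365 days observed)
    finding("f05", "2022-01-01", "2022-05-01"),   # 120 days
    finding("f06", "2022-06-15"),                 # still open (200 days observed)
    finding("f07", "2022-01-01", "2022-08-29"),   # 240 days
    finding("f08", "2022-01-01"),                 # still open
    finding("f09", "2022-01-01"),                 # still open
    finding("f10", "2022-01-01", "2022-10-28"),   # 300 days
]

if __name__ == "__main__":
    print("KM days to close half:", days_to_remediate_half(SAMPLE, AS_OF))     # 240
    print("closed-only median (biased):", naive_closed_only_median(SAMPLE))   # 82.5
```

On this sample the closed-only median says 82 days while the censoring-aware estimate says 240, because four of the ten findings were never fixed in the window. Run the same function over findings bucketed by backlog size (fewer than 10 open versus hundreds) to reproduce the comparison the report draws.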

“The speed of vulnerability remediation is a top indicator of an organization's cybersecurity health, and we are in a race to help these organizations shore up defenses and better assess the risks from the growing array of third-party software,” said Aleksandr Yampolskiy, SecurityScorecard co-founder and chief executive. “This confirms that in today’s rapidly evolving threat landscape, organizations must take swift action to reduce vulnerabilities faster. The time to act is now.”

SecurityScorecard collects and analyzes global threat signals that give organizations visibility into the security posture of vendors and business partners as well as the capability to do a self-assessment of their own security posture. The technology continuously monitors 10 groups of risk factors to instantly deliver an A-F rating.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.