Cyberattacks continue to present a clear danger to businesses. Two-thirds of executives consider cybercrime their most significant threat in the coming year.
Often, headlines focus on the use of sophisticated technology to trick victims. In 2019, an executive was convinced to transfer more than $200,000 to a fraudulent account by bad actors using artificial intelligence to impersonate his global boss. More recently, a deepfake of Sam Bankman-Fried, the former CEO of cryptocurrency exchange FTX, has been circulating to scam investors affected by the exchange’s bankruptcy.
Looking for easy ways in
Yet it is more common for attacks to exploit areas that have been overlooked rather than outwit their victims. In the same way that an open downstairs window is an inviting target for domestic burglars, cybercriminals are also looking for easy ways in.
Vulnerabilities in corporate software programs offer one opportunity. In 2021, there were more than 18,000 new vulnerabilities discovered. This is unsurprising when we consider how rapidly the attack surface grows as enterprises of all sizes add more digital tools to their networks.
Of course, this wouldn’t necessarily be an issue if those vulnerabilities were fixed quickly. Yet, according to data from Orange Cyberdefense, even those classed as critical take around six months to resolve on average. Nearly three-quarters (72%) are not patched within 30 days, with 52% taking 90 days or more to patch.
Patch management delays
But what’s taking businesses so long to fix these issues?
First, the modern enterprise is complex. The demand for digital experiences has convinced organizations to invest heavily in various digital tools, all delivered in different ways, using multiple environments. On top of that is the increasingly decentralized nature of work today, with endpoints accessing data and applications from outside corporate networks.
This hampers visibility of the software assets everything runs on. Central IT teams struggle to know what is running where and when it needs updating, and they lack a clear view of every vulnerability at any given time. No wonder, then, that 75% of executives report too much complexity in their organizations, leading to “concerning” cyber risks.
In addition, enterprises are subject to a barrage of vendor communication on vulnerabilities. How the information is presented, where it is sent and when it is distributed varies from vendor to vendor. This makes it challenging for businesses to accurately identify what is relevant to them and what they need to do. That is assuming they understand what is being sent to them; with talent in short supply, many businesses lack the full array of technical skills to address vulnerabilities on top of everything else their IT teams are responsible for.
This lack of knowledge and limited asset visibility can make it hard to know what to prioritize. That’s before businesses consider the current threat landscape, which attacks are likely to pose the greatest threat to their operations, and how that influences the patches needed.
Underpinning all of this is an issue previously alluded to: recruitment challenges. More than half (57%) of organizations have been affected by the ongoing cybersecurity skills crisis. Failing to acquire the right skills hampers organizations’ ability to operate effectively. From a cybersecurity perspective, that covers everything from dealing with sophisticated threats to running a comprehensive vulnerability management program.
Time to change your vulnerability management approach
How do businesses address these issues to improve their vulnerability management programs?
It begins by accepting that no company can patch everything. The scale of the challenge is just too large, and the continued growth of vulnerabilities makes it an exercise in futility.
Instead, enterprises need to focus on what and where the risks actually are. To do this, they must first identify what they need to protect. Drawing on internal data, they can create a picture of their attack surface and see where mission and business-critical services are exposed.
This needs to be combined with a view of the external threat landscape and the likelihood of the vulnerability being targeted. Through this, they can start understanding the implications of any attack exploiting unpatched vulnerabilities on critical assets. Enterprises can then assess and grade the risk profile of gaps and see where they need to focus their efforts.
But this isn’t an exercise that only happens once. Everything in the modern enterprise is evolving, as new tools are added, software updates are deployed, and external threats keep changing. So, any vulnerability management program needs to be in constant motion as well. As each iteration ends, it can be evaluated, with learnings incorporated into ongoing efforts that constantly reassess and identify new priorities.
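The three steps above (rank what you protect, weigh in the external threat, reassess on a schedule) can be made concrete as a small scoring model. The following Python is an added example, not code from the article or from Orange Cyberdefense’s Managed Vulnerability Intelligence service. The weights, the SLA bands and all sample findings are constructed assumptions; the vulnerability identifiers are placeholders rather than real CVE numbers, and the “known exploited” flag stands in for whatever threat-intelligence feed an organization actually subscribes to.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # placeholder id, not a real CVE number
    asset: str                # hostname or service the finding sits on
    cvss: float               # vendor severity on the 0-10 scale
    criticality: int          # business criticality of the asset, 1 (low) to 5 (mission-critical)
    internet_exposed: bool    # reachable from outside the corporate network
    known_exploited: bool     # exploitation observed in the wild per a threat-intel feed (assumed)
    discovered: date
    fixed: Optional[date] = None


def risk_score(f: Finding) -> float:
    """Blend raw severity with asset criticality (the internal view) and
    exposure plus exploitation evidence (the external threat view).
    The multipliers are illustrative assumptions, not an industry standard."""
    score = f.cvss * f.criticality          # 0..50 before modifiers
    if f.internet_exposed:
        score *= 1.5
    if f.known_exploited:
        score *= 2.0
    return round(score, 1)


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Open findings ordered by descending risk; older findings win ties."""
    open_findings = [f for f in findings if f.fixed is None]
    return sorted(open_findings, key=lambda f: (-risk_score(f), f.discovered))


def sla_for(f: Finding) -> int:
    """Remediation deadline in days, tightened for the riskiest findings (assumed bands)."""
    s = risk_score(f)
    if s >= 60:
        return 7
    if s >= 30:
        return 30
    return 90


def sla_report(findings: list[Finding], today: date) -> dict:
    """Share of closed findings fixed within their SLA, plus open ones already overdue.
    Running this at the end of each cycle is the 'constant motion' reassessment."""
    closed = [f for f in findings if f.fixed is not None]
    within = [f for f in closed if (f.fixed - f.discovered).days <= sla_for(f)]
    overdue = [f.vuln_id for f in findings
               if f.fixed is None and (today - f.discovered).days > sla_for(f)]
    return {
        "closed": len(closed),
        "closed_within_sla": len(within),
        "overdue_open": overdue,
    }


# Constructed sample inventory: two findings share the same CVSS 9.8 but differ in exposure
# and exploitation evidence, which is exactly what CVSS alone cannot separate.
SAMPLE = [
    Finding("VULN-A", "web-portal", 9.8, 5, True, True, date(2023, 1, 10)),
    Finding("VULN-B", "hr-db", 9.8, 5, False, False, date(2023, 1, 3)),
    Finding("VULN-C", "dev-wiki", 7.5, 2, True, False, date(2023, 1, 20)),
    Finding("VULN-D", "build-agent", 5.3, 1, False, False, date(2022, 10, 1)),
    Finding("VULN-E", "mail-gw", 8.1, 4, True, True, date(2022, 12, 1), fixed=date(2022, 12, 5)),
    Finding("VULN-F", "intranet", 6.5, 3, False, False, date(2022, 9, 1), fixed=date(2023, 1, 15)),
]
REVIEW_DATE = date(2023, 2, 1)   # constructed date of this review cycle


if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.vuln_id:8} {f.asset:12} risk={risk_score(f):6.1f} sla={sla_for(f)}d")
    print(sla_report(SAMPLE, REVIEW_DATE))
```

Run against the sample, VULN-A and VULN-B carry identical CVSS scores, yet VULN-A ranks far ahead because it is internet-facing and actively exploited, while the low-criticality VULN-D drops to the bottom even though, at 123 days old, it is overdue against its own 90-day SLA. The report flags both, which is the kind of output a team can act on when it cannot patch everything.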
You can’t patch everything
No organization can effectively patch every vulnerability. At the same time, not every vulnerability will be exploited, so efforts need to be focused on those with the highest risk levels. Identifying, assessing and acting quickly with a risk-based approach will help neutralize potential exploitation before it can wreak havoc.
To support businesses implementing a risk-based vulnerability management approach, Orange Cyberdefense has developed Managed Vulnerability Intelligence. Find out more here.
I am a technology writer with a decade of experience in business, technology and logistics. From starting off my career writing questions for a TV quiz show, I’m now spending my time looking at how the world of business is going digital and transforming a variety of sectors and industries.