Only 10% of vulnerabilities are remediated each month

A research from SecurityScorecard and The Cyentia Institute revealed only 60% of organizations have improved their security posture despite a 15-fold increase in cyber-attacks over the last three years.

vulnerability remediation speed

The joint research sought to measure the speed of vulnerability remediation from 2019 – 2022 and revealed only modest progress in the area of vulnerability remediation. The research found that 53% of the 1.6 million organizations assessed had at least one exposed vulnerability to the internet, while 22% of organizations amassed more than 1,000 vulnerabilities each, confirming more progress is required to protect organizations’ critical assets.

“The speed of vulnerability remediation is a top indicator of an organization’s cybersecurity health, and we are in a race to help these organizations shore up defenses and better assess the risks from the growing array of third-party software,” said Aleksandr Yampolskiy, CEO, SecurityScorecard. “This confirms that in today’s rapidly evolving threat landscape, organizations must take swift action to reduce vulnerabilities faster. The time to act is now.”

The speed of vulnerability remediation

To measure the speed and progress of remediation, Sthe research examined how quickly issues were addressed and how long they persisted across assets. The research showed the financial sector to be among the slowest remediation rates (median to fix 50% = 426 days), while utilities ranked among the fastest (median = 270 days).

Somewhat surprisingly, despite a 15-fold increase in exploitation activity for vulnerabilities with published exploit code, there was little evidence that organizations in this sector fixed exploited flaws faster. Regardless of how many total vulnerabilities existed across their domain(s), organizations typically fixed about 10% of weaknesses each month.

“Vulnerabilities likely exist with vendors and service providers, which necessitates the need for continuous visibility into the entire ecosystem,” said Wade Baker, partner at the Cyentia Institute. “With greater visibility, organizations can prioritize risks and remediation based on data. This is key to effectively addressing cyber vulnerabilities.”

Where the vulnerabilities exist

The research shows the information sector (62.6%) and public sector (61.6%) had the highest prevalence of open vulnerabilities. The financial sector (48.6%) exhibited the lowest proportion of open vulnerabilities; however, there is less than a 10% difference between this and other sectors in terms of industries with the most open vulnerabilities.

The analysis revealed that it typically takes organizations 12 months to remediate half of the vulnerabilities in their internet-facing infrastructure. When firms have fewer than 10 open vulnerabilities, it can take about a month to close just half of them, but when the list grows into the hundreds, it takes up to a year to reach the halfway point.




Share this