Security breach numbers rise during 2019 despite increased protection spend

ServiceNow has released the results of its second sponsored study on cyber security vulnerability and patch management, conducted with The Ponemon Institute. The study, entitled ‘Costs and Consequences of Gaps in Vulnerability Response’, found that, despite a 24% average increase in annual spending on prevention, detection and remediation in 2019 compared with 2018, patching is delayed by an average of 12 days because of data silos and poor organisational co-ordination. For the most critical vulnerabilities, the average time to patch is 16 days.

At the same time, the risk is increasing. According to the study findings, there was a 17% increase in cyber attacks over the past year, and 60% of breaches were linked to a vulnerability for which a patch was available but had not been applied.

The study surveyed almost 3,000 security professionals in nine countries to understand how organisations are responding to vulnerabilities. In this report, ServiceNow presents the consolidated findings and comparisons to its 2018 study, ‘Today’s State of Vulnerability Response: Patch Work Requires Attention’.

Effective and efficient management

The survey results reinforce a need for organisations to prioritise more effective and efficient security vulnerability management:

*34% increase in the weekly cost of patching compared to 2018

*30% more downtime versus 2018 due to delays in patching vulnerabilities

*69% of respondents plan to hire an average of five staff members dedicated to patching in the next year at an average cost of $650,000 annually for each organisation

*88% of respondents said they must engage with other departments across their organisations, which results in co-ordination issues that delay patching by an average of 12 days

Cyber crime environment

The findings also indicate a persistent cyber criminal environment, underscoring the need to act quickly:

*17% increase in the volume of cyber attacks in the last 12 months compared to the same timeframe in 2018

*An increase of nearly 27% in cyber attack severity compared to 2018

The report points to other factors beyond staffing that contribute to delays in vulnerability patching:

*76% of respondents noted the lack of a common view of applications and assets across security and IT teams

*74% of respondents said they cannot take critical applications and systems offline to patch them quickly

*72% of respondents said it’s difficult to prioritise what needs to be patched

Responding to vulnerabilities

According to the findings, automation delivers a significant pay-off in the speed and effectiveness of vulnerability response. Four in five (80%) respondents who use automation say it has shortened the time they take to respond to vulnerabilities.

“This study shows the vulnerability gap that has been a growing pain point for CIOs and CISOs,” said Jordi Ferrer, vice-president and general manager for the UK and Ireland at ServiceNow. “Companies witnessed a 30% increase in downtime due to patching of vulnerabilities which hurts customers, employees and brands. Many organisations have the motivation to address this challenge, but struggle to effectively leverage their resources for more impactful vulnerability management. Teams that invest in automation and maturing their IT and security team interactions will strengthen the security posture across their organisations.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)