Digging Deeper on Vulnerability Management: Why Do Some Industries Fare Better Than Others?
When it comes to cybersecurity, there’s a lot of conventional wisdom.
Finance companies have a big target on their backs. Tech companies have the skills to get the job done. Manufacturing firms are insulated from danger with lots of custom and rare applications that few hackers would bother to develop exploits for. And the healthcare industry? Well, the conventional wisdom says that it’s crammed full of tech, but hacks aren’t easy to monetize.
But how does the conventional wisdom stack up against data that tracks and measures cyber risk? And how does that wisdom translate into practice?
Over the years, we’ve worked with the Cyentia Institute to research and improve the state of vulnerability management at the enterprise level. That groundbreaking research, which has appeared in our Prioritization to Prediction series, has provided vital contributions to the industry.
But the research tended to focus on enterprise cybersecurity as a whole. In other words, every company in our data set was lumped into one big category. Now we’re working with Cyentia to drill deeper, providing key statistics for four verticals: manufacturing, technology, finance and healthcare.
What we found might surprise you.
Manufacturing firms tend to take twice as long to fix vulnerabilities as other firms, and also tend to have twice the number of vulnerabilities per asset, a figure that counts printers, computers, servers and other IT devices. But not all vulnerabilities are especially dangerous. In fact, just 5 percent of vulnerabilities fall into the “high-risk” category, meaning they could be weaponized in some way. Manufacturing companies patch 8 out of every 10 high-risk vulnerabilities, placing them among the top sectors. Individual companies lag, however: about 4 in 10 firms end each month with more high-risk vulnerabilities than they started with. The other 6 either break even or gain ground.
Tech companies tend to have far fewer vulnerabilities per asset than other sectors: for every vulnerability at a tech organization, there are five at a non-tech company (such as a finance or manufacturing firm). And tech companies fix new or open vulnerabilities very quickly. A typical company, across all sectors, closes about 25 percent of its vulnerabilities within 19 days and 75 percent within 202 days. Tech companies, by contrast, close half of all vulnerabilities within 17 days and 75 percent within 67 days.
This speed translates into greater coverage of high-risk vulnerabilities. Tech companies close about 90 percent of them, and 8 out of 10 individual tech companies either hold their ground or fix more vulnerabilities in a month than they add to their tally.
Now let’s get to finance. Most criminal hackers are motivated by money, and finance has a lot of it. Even with a target on its back and the resources to mount massive cybersecurity programs, the sector still falls behind tech in a few key measures. It tends to have four times as many vulnerabilities per asset as other sectors. Financial firms traditionally have a large digital footprint incorporating numerous software products and services, and that translates into more vulnerabilities. More assets inherently mean more work for vulnerability management programs.
Finance companies tend to remediate half of their vulnerabilities in 44 days, while all other companies do it in 34 days. Given the whopping number of vulnerabilities finance companies have to contend with, that gap is fairly impressive. And at the end of the day, finance firms tend to do well when focusing on high-risk vulnerabilities: they close 85 percent of the most dangerous ones, and about 7 in 10 finance firms either hold ground or close more vulnerabilities than hit their books each month.
The typical healthcare organization has about 34 vulnerabilities per asset, while all other industries average about 7. That’s a remarkable number, but that vulnerability density does not translate into paralysis. Healthcare organizations tend to patch about half of their vulnerabilities in about 50 days. While that’s slower than the typical organization’s remediation velocity, it’s impressive considering the density healthcare organizations see. Healthcare organizations are also efficient at finding and patching high-risk vulnerabilities: on average they close about 75 percent of them. That’s an admirable result, but compared with other sectors healthcare lags; of the 14 sectors we tracked in all, more than half do better. Still, the sector as a whole is gaining ground on its vulnerability debt, with 75 percent of organizations either holding ground or ending the month with fewer open vulnerabilities than they started with.
Each of these industries has different challenges and operates in a different IT context. It’s not surprising, then, that par is different for each vertical. For those responsible for vulnerability management in their organizations, what counts as an “average” or “really good” job depends on the sector.
One thing that doesn’t change across verticals is remediation capacity. The typical organization can close only about one out of every ten vulnerabilities in its environment. But if you are familiar with Kenna Security, that statistic should not be alarming: only around 5 percent of vulnerabilities are ever exploited. The challenge is knowing which ones.
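The metrics the four sector paragraphs and the closing capacity point rest on (vulnerabilities per asset, the number of days within which 25, 50 or 75 percent of findings are closed, high-risk coverage, the month-end net change, and remediation capacity) can all be computed from a record of each finding's open and close dates. The Python below is an added illustration of how those figures are derived, not Kenna's or Cyentia's code; the asset names, the VULN-A style labels, the dates and the high-risk flags are constructed. The last two functions go one step beyond the article's figures to show why the 5-percent-versus-10-percent gap matters: with the same one-closure budget, an oldest-first queue and a high-risk-first queue touch very different parts of the backlog.

```python
"""Vulnerability-management metrics of the kind quoted in the article, computed
over a small constructed data set. Added example; not Kenna Security's or
Cyentia's code. Assets, labels, dates and risk flags below are invented."""
import math
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    asset: str
    cve: str                # constructed label, not a real CVE id
    opened: date            # first seen by the scanner
    closed: Optional[date]  # None means still open at CUTOFF
    high_risk: bool         # e.g. exploit code or active exploitation observed


CUTOFF = date(2020, 2, 29)  # constructed end-of-month snapshot date

# Constructed sample: three assets, ten findings (not real data).
VULNS = [
    Vuln("web-01", "VULN-A", date(2020, 1, 5), date(2020, 1, 15), True),
    Vuln("web-01", "VULN-B", date(2020, 1, 5), date(2020, 2, 10), False),
    Vuln("web-01", "VULN-C", date(2020, 1, 20), None, False),
    Vuln("db-01", "VULN-D", date(2020, 1, 10), date(2020, 1, 25), True),
    Vuln("db-01", "VULN-E", date(2020, 2, 3), date(2020, 2, 20), False),
    Vuln("db-01", "VULN-F", date(2020, 2, 5), None, True),
    Vuln("printer-01", "VULN-G", date(2020, 1, 2), None, False),
    Vuln("printer-01", "VULN-H", date(2020, 2, 14), None, False),
    Vuln("web-01", "VULN-I", date(2020, 2, 10), date(2020, 2, 12), False),
    Vuln("db-01", "VULN-J", date(2020, 1, 8), date(2020, 2, 1), True),
]


def density_per_asset(vulns):
    """Vulnerabilities per asset: all findings over the distinct assets seen."""
    return len(vulns) / len({v.asset for v in vulns})


def days_to_close_quantile(vulns, q):
    """Smallest number of days within which a fraction q of ALL findings had
    been closed. Still-open findings stay in the denominator and never count
    as closed, so the figure is deliberately pessimistic; returns None when
    fewer than q of the findings have closed at all."""
    durations = sorted((v.closed - v.opened).days for v in vulns if v.closed)
    needed = math.ceil(q * len(vulns))
    if needed == 0 or needed > len(durations):
        return None
    return durations[needed - 1]


def high_risk_coverage(vulns):
    """Fraction of high-risk findings that have been closed."""
    hr = [v for v in vulns if v.high_risk]
    return sum(1 for v in hr if v.closed) / len(hr) if hr else 1.0


def month_window(year, month):
    """[start, end) date range for a calendar month."""
    start = date(year, month, 1)
    end = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    return start, end


def monthly_net(vulns, year, month, high_risk_only=False):
    """Opened minus closed within the month: positive means the backlog grew,
    zero is 'holding ground', negative is 'gaining ground'."""
    start, end = month_window(year, month)
    pool = [v for v in vulns if v.high_risk or not high_risk_only]
    opened = sum(1 for v in pool if start <= v.opened < end)
    closed = sum(1 for v in pool if v.closed and start <= v.closed < end)
    return opened - closed


def remediation_capacity(vulns, year, month):
    """Closures in the month divided by everything that needed closing: the
    findings open at the start of the month plus those opened during it."""
    start, end = month_window(year, month)
    open_at_start = sum(1 for v in vulns if v.opened < start
                        and (v.closed is None or v.closed >= start))
    new = sum(1 for v in vulns if start <= v.opened < end)
    closed = sum(1 for v in vulns if v.closed and start <= v.closed < end)
    return closed / (open_at_start + new)


def plan_closures(vulns, budget, risk_first):
    """Choose which still-open findings to fix with a fixed closure budget.
    risk_first=False mimics an unprioritized queue (oldest first);
    risk_first=True fixes high-risk findings before anything else."""
    backlog = [v for v in vulns if v.closed is None]
    key = (lambda v: (not v.high_risk, v.opened)) if risk_first else (lambda v: v.opened)
    return [v.cve for v in sorted(backlog, key=key)[:budget]]


def high_risk_hit_rate(vulns, chosen):
    """Share of the open high-risk backlog that a closure plan actually touches."""
    hr_open = {v.cve for v in vulns if v.closed is None and v.high_risk}
    return len(hr_open & set(chosen)) / len(hr_open) if hr_open else 1.0


if __name__ == "__main__":
    print(f"density per asset: {density_per_asset(VULNS):.2f}")
    for q in (0.25, 0.5, 0.75):
        print(f"{int(q * 100)}% closed within: {days_to_close_quantile(VULNS, q)} days")
    print(f"high-risk coverage: {high_risk_coverage(VULNS):.0%}")
    print(f"Feb net (all): {monthly_net(VULNS, 2020, 2)}, "
          f"Feb net (high-risk): {monthly_net(VULNS, 2020, 2, high_risk_only=True)}")
    print(f"Feb remediation capacity: {remediation_capacity(VULNS, 2020, 2):.0%}")
    for risk_first in (False, True):
        plan = plan_closures(VULNS, 1, risk_first)
        print(f"risk_first={risk_first}: fix {plan}, "
              f"high-risk hit rate {high_risk_hit_rate(VULNS, plan):.0%}")
```

On this sample, one-quarter of findings are closed within 15 days, half within 24, and three-quarters never reach closure before the snapshot, so the 75-percent figure comes back as None rather than a misleadingly small number. The quantile deliberately keeps open findings in the denominator; a survival-analysis treatment that credits open findings for the time they have been open would be less pessimistic, but the simple version here is enough to show why a vendor reporting "75 percent closed in N days" needs to state how open findings were handled. The final comparison makes the article's closing point concrete: the oldest-first plan spends its single closure on a printer finding nobody can exploit, while the high-risk-first plan hits the one finding that matters.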