Most security pros take up to 30 days to patch vulnerabilities

By Tripwire
Published: 12 January 2018

High-profile cybersecurity incidents continue to result from the simple mistake of leaving a known vulnerability unpatched. To understand how organisations are keeping up with vulnerabilities, Tripwire partnered with Dimensional Research to survey 406 IT security professionals about their patching processes.

Findings revealed that the majority (78%) fix all vulnerabilities detected on their network within 30 days of discovery, with 40% saying it usually takes less than 15 days. The survey also found that when a new vulnerability is discovered, only 15% believe it is unacceptable to wait any time at all for a patch to be installed on their systems once it has been released, while nearly half (46%) say they would be prepared to wait no more than seven days.

“Attackers will always go for the low-hanging fruit, the proverbial ‘unlocked door,’ over a more complex method of compromise. As long as these older vulnerabilities are present, they’ll continue to be exploited. Organisations should really be aiming to fix vulnerabilities on their systems as rapidly as is feasible,” said Tim Erlin, vice president of product management and strategy at Tripwire. “Any gap in applying a patch to a vulnerability provides an opportunity for hackers to access systems and steal confidential data.”

Survey respondents were split on the need to prioritise people vs. technology resources to mitigate today’s cyberattacks; 54% believe that an investment in people is needed most, while 46% said technology.

Vulnerability management begins with asset discovery, or creating an inventory of all known hardware and software installed on their networks. This is difficult to do manually at large organisations. However, the survey revealed that only 17% of organisations have automated tools which enable them to identify the locations, department and other critical details about unauthorised hardware and software changes on their network.

Erlin added: “If you don’t know what devices are on your network, you’re setting yourself up to fail in terms of securing it. For some organisations, doing this manually is just unrealistic and too challenging, which is why automated technology solutions exist to address this issue. Those who can identify these changes and additions to their networks within minutes will be in a much more comfortable position when it comes to security.”

For more information on Tripwire’s survey, please visit here