
Failure to patch is leaving companies open to attack

(Image credit: Geralt / Pixabay)

One in four organizations has been breached because of unpatched vulnerabilities, according to a new report from Tripwire on vulnerability management trends.

The firm surveyed 340 infosecurity professionals and found that 24 percent of global organizations have been breached as a result of unpatched vulnerabilities, with an even higher rate of 34 percent in Europe.

Vulnerability management begins with visibility of the attack surface, and Tripwire's report found that 59 percent of global organizations are able to detect new hardware and software on their networks within minutes or hours.

However, this manual effort has proved difficult for many organizations: almost half (47%) report that fewer than half of their assets are discovered automatically, including 13 percent who don't use automatic discovery solutions at all.

Unpatched vulnerabilities

To assess the attack surface for vulnerabilities, 88 percent of those surveyed said they run vulnerability scans, but Tripwire's research found that organizations address vulnerabilities with varying degrees of effectiveness.

The use of authenticated scans has improved compared with a past report, and 63 percent now say they conduct authenticated scans as part of their vulnerability assessment. However, more than one third (39%) are still not scanning weekly, as recommended by industry standards.

According to Tripwire's report, 16 percent of US organizations say they conduct vulnerability scans to meet compliance or other requirements, though this rate was higher for European organizations at 21 percent.

Tim Erlin, vice president of product management and strategy at Tripwire, explained why organizations should be scanning for vulnerabilities more often, saying:

“How you assess your environment for vulnerabilities is important if you want to effectively reduce your risk. If you are not doing authenticated vulnerability scans, or not using an agent, then you are only giving yourself a partial picture of the vulnerability risk in your environment. And if you’re not scanning for vulnerabilities frequently enough, you’re missing new vulnerabilities that have been discovered, and you may miss assets that tend to go on and off the network, like traveling laptops.”