While 48% of companies are practicing mature cybersecurity vulnerability assessments (VA), 52% of enterprises are not, according to a recent study from Tenable. The new study was inspired by Tenable’s previous research report, which found a seven-day gap between how long it takes for attackers to gain access to an exploit, and how long it takes companies to realize an attack has occurred, according to a Tenable blog post.

Tenable’s latest study focuses on how defenders are acting in the “discovery and assess phases of the Cyber Exposure Lifecycle,” according to the post. The report took five key performance indicators (KPIs) into account, which translated into four VA maturity styles: Diligent, Investigative, Surveying, and Minimalist, said the post.

SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)

In order to determine the VA styles, Tenable said it used a machine learning algorithm to scan anonymized telemetry data from over 2,100 organizations in 66 countries. Through the scan, Tenable identified common idealized VA behaviors and assigned the companies to the archetypes they most closely reflected, said the post.

Here is the maturity level each VA style represents:

  • Diligent: High maturity level
  • Investigative: Medium to high maturity level
  • Surveying: Low to medium maturity level
  • Minimalist: Low maturity level

Only 5% of enterprises have a Diligent style, which means those companies have frequent vulnerability assessments and customized assessments for different business units and groups, said the post.

However, 33% of enterprises had a Minimalist VA style, conducting few assessments, according to Tenable. Most companies still have a lot of work to do to protect themselves in the event of a cyberattack.

“The ultimate objective – regardless of which style most closely aligns to your own – is to always keep evolving toward a higher level of maturity,” Tenable said in the blog post. Check out TechRepublic’s article for recommended approaches to preventing an attack.

The big takeaways for tech leaders:

  • The majority of companies are not practicing solid cybersecurity vulnerability assessments, leaving themselves more open to attack. — Tenable, 2018
  • Only 5% of enterprises have mature, developed vulnerability assessments, a staggeringly low percentage given how prevalent cyberattacks are. — Tenable, 2018