A new Ponemon Institute survey of nearly 3,000 security professionals in nine countries found steep increases in cybersecurity spending yet corresponding rises in the number and scale of attacks.
Organizations in Australia, France, Germany, Japan, the Netherlands, New Zealand, Singapore, the United Kingdom and the United States are particularly struggling with timely patches, according to the ServiceNow-sponsored survey, titled “Costs and Consequences of Gaps in Vulnerability Response.” Disorganization or unresponsive departments were the main cause behind the lag in patch time, which ballooned to 12 days and even 16 days for certain critical vulnerabilities.
“This study shows the vulnerability gap that has been a growing pain point for CIOs and CISOs,” said Sean Convery, general manager of ServiceNow Security and Risk. “Companies saw a 30% increase in downtime due to patching of vulnerabilities, which hurts customers, employees and brands.”
Nearly 90% of respondents said they were forced to deal with multiple departments within their organization in order to execute patches, which was part of the reason why it took an average of 12 days for most IT departments. Another 80% said they didn’t have a common view of applications and assets across security and IT teams.
Three out of every four people who spoke to Ponemon said they could not take certain applications and systems offline to patch them quickly. This was having a distinct effect on their ability to keep the enterprise safe from a constantly evolving threat landscape.
Respondents saw a 17% growth in cyberattack volume and a nearly 30% increase in attack severity. On average, organizations are now having to spend 34% more of their budget per week on patching alone compared to last year.
According to the study, it takes an average of 43 days to see a cyberattack once a patch is released for a vulnerability, a seven-day increase compared to 2018.
“Organizations’ patching process is under greater pressure because they have less time to patch a vulnerability before being attacked,” according to the Ponemon survey.
“Fifty percent of respondents say the window of time has decreased in the past two years. Only 20% of respondents say they have more time and 30% of respondents say there has been no improvement,” according to the survey.
Annual spending on vulnerability management activities increased to $1.4 million, an average increase of $282,750 from 2018.
This year also saw an increase in the number of companies affected by attacks. Nearly half of organizations in the survey had been hit by at least one cyberattack in the last two years. More than 60% of respondents said they were unaware their organizations were vulnerable before the breach while another 60% said the attacks were caused by a patch that was available for a known vulnerability but not applied.
Half of all respondents said their breaches had been primarily caused by human error, which was a stark departure from 2018 when most respondents said outside criminal efforts were the biggest culprits.
More than 50% of respondents from the Healthcare and Energy & Utilities industries said their enterprise experienced a breach while the Public Sector and Services had the least. According to the survey, the Public Sector and Industrial/Manufacturing were the industries best able to patch in a timely manner. Hospitality and Entertainment & Media were the least likely to patch in a timely manner.
One of the biggest problems security departments are dealing with involved automation, or lack thereof. Respondents told Ponemon cybercriminals were increasingly automating their attacks while security teams were not using all of the available AI and machine learning defense tools on the market.
Eighty percent of those who spoke to Ponemon said that with the help of automation they have been able to cut the amount of time it takes to respond to vulnerabilities.
Less than half of survey respondents said their organizations used automation to help with patching or security management. Too much time was spent manually working through arcane systems instead of addressing specific vulnerabilities, according to the report.
Unfortunately, nearly 60% of respondents said their enterprises were in the early or middle stages of building out their vulnerability management programs and just 40% had a comprehensive view of the full vulnerability management lifecycle.
But many of the people who spoke to Ponemon did say that their organization would take more concrete security measures if they were held fully liable for the consequences of breaches. Seventy percent of respondents said their enterprises would improve patch management if strict new data breach laws concerning customer information were passed.
Nearly 50% said their companies would adopt automation while 40% said they would hire more IT security staff. Yet without those laws, less than 40% said they had enough manpower to handle all of the patches. On the bright side, almost 70% said their companies planned to hire up to five more people to handle patching in the next 12 months.
“Many organizations have the motivation to address this challenge but struggle to effectively leverage their resources for more impactful vulnerability management,” Convery added.
“Teams that invest in automation and maturing their IT and security team interactions will strengthen the security posture across their organizations.”