Despite increased emphasis on cybersecurity from authorities and high-profile breaches, critical gaps in vulnerability management within organizations are being overlooked by executive leadership teams, according to Action1. These gaps leave organizations vulnerable to cyber threats.
Key findings
Low cybersecurity awareness among employees
According to the survey, the time required to combat low cybersecurity awareness among employees has increased over the past year. This worrying trend makes organizations more vulnerable to phishing and other cyber-attacks.
Breaches due to known vulnerabilities
The survey found that 10% of organizations suffered a breach over the past 12 months, with 47% resulting from known security vulnerabilities. Phishing was the most common attack vector reported by 49% of respondents, and 54% of victims had their data encrypted by ransomware.
Lack of support from the executive team for cybersecurity initiatives
IT teams ranked the lack of support from the executive team for cybersecurity initiatives as a critical threat to cyber resilience. Many IT teams also face operational issues that leave no time for cybersecurity.
Slow vulnerability detection, poor prioritization, and faulty remediation
30% of organizations take more than a month to detect known vulnerabilities. 38% of organizations fail to prioritize security flaws, while 40% take over a month to remediate known vulnerabilities (of them, 24% take more than 3 months). On average, 20% of endpoints remain continuously unpatched due to laptop shutdowns or update errors.
“The gaps in the detection and prioritization stages of vulnerability management suggest the actual proportion of unpatched endpoints could be much higher. Organizations must ensure effective communication on all levels to eliminate these gaps, implement automation, and build cyber resilience,” said Alex Vovk, CEO of Action1. “Otherwise, we risk another year of costly breaches.”
Avoid legacy security vulnerabilities representing the most considerable risk
The most common root cause of breaches is known vulnerabilities, for which proof-of-concept exploit code is publicly available and is broadly leveraged by attackers. That is why any delays in patching publicly known security flaws put the company at significant risk.
Organizations must ensure that methods and processes across their fleet of remote and in-office endpoints enable them to detect unpatched security vulnerabilities, prioritize them effectively, and remediate them before they are exploited.
Consider leveraging automation to reduce costs
Justifying the need for cybersecurity investment to the executive team may be challenging for tech leaders. Compared to other business functions, the return from investing in IT security could be more apparent to executives.
However, the importance of investing in a strong security posture becomes more evident when compared to the damage from data breaches and ransomware attacks. By highlighting savings in terms of improved quality of execution of cybersecurity policies and improved IT productivity through automation, it becomes easier to articulate the value of cybersecurity initiatives to the executive team.
Take cybersecurity awareness to the next level
Modern social engineering attacks often use a combination of communication channels such as email, phone calls, SMS, and messengers. With the recent theft of terabytes of data, attackers are increasingly using this information to personalize their messaging and pose as trusted organizations.
In this context, organizations can no longer rely on a passive approach to cybersecurity awareness training. Low cybersecurity awareness among employees is not an option anymore. All employees must not only know how to identify phishing, but also follow the principle of verifying requests before trusting them.
This can be done by using methods other than the initial contact and assuming that any data received may have already been leaked and is now being used for hacking purposes.