Report reveals global struggles in vulnerability response
A recent report by Intigriti, titled "Sharpening SLAs for Vulnerability Management," offers significant insights into how organisations in the UK and the US handle vulnerabilities.
The report, based on a survey of 250 infosecurity professionals from the UK and the US, highlights several critical areas where firms are struggling and excelling in managing vulnerabilities.
The research indicates that 75% of the companies surveyed fail to respond to critical vulnerabilities within a 24-hour window: only 29% of UK firms and 20% of US firms manage an initial response within that timeframe. A slow initial response can lead to severe consequences, including customer dissatisfaction, loss of business, and damage to the company's reputation.
However, the report shows that UK firms tend to mitigate these vulnerabilities more quickly once work is under way. About 82% of UK organisations resolve vulnerabilities rated critical to exceptional within 15 days, compared to 69% in the US, which suggests that UK firms have more efficient remediation processes. The UK also leads on speed of disclosure, with 73% disclosing a vulnerability within 15 days, compared to 66% in the US.
Despite this, US organisations appear to take a more strategic approach to vulnerability management. Approximately 65% of US organisations regularly perform cost-benefit analyses that weigh the expense of remediating a vulnerability against the potential cost of a data breach, compared with only 47% of UK firms. Regular cost-benefit analysis is deemed crucial for justifying cybersecurity investments and for keeping the organisation protected.
One of the major concerns highlighted in the report is the lack of stakeholder consultation when assessing critical vulnerabilities. Over half of the surveyed companies (52%) do not involve their executive leadership, and only 44% consult their legal and risk management teams, an oversight that could lead to regulatory non-compliance. Furthermore, 36% of companies do not consult their IT infrastructure teams, which include the network engineers, system administrators, and application developers who could expedite mitigation.
The report also points out significant differences in how companies handle supply chain relationships and reporting. About 66% of US respondents automate tracking and reporting on compliance with disclosure SLAs (service-level agreements) for contracted vendors, whereas only 32% of UK respondents do the same. Nearly half (49%) of UK respondents rely on manual reporting, which is less efficient and more error-prone than an automated process.
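As an illustration of what automated SLA compliance tracking looks like in practice, the following is an added example written for this article; it is not code from Intigriti or from the report. It classifies each stage of a vulnerability report (initial response, resolution, disclosure) as met, breached or pending against assumed targets modelled on the benchmarks the report measures against (24-hour response for critical findings, 15-day resolution and disclosure; the "high" tier is an assumption), then aggregates compliance per vendor. The report records, vendor names and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed SLA targets per severity, modelled on the benchmarks the report
# measures against. The "high" tier is an assumption for illustration only.
SLA_TARGETS: Dict[str, Dict[str, timedelta]] = {
    "critical": {"respond": timedelta(hours=24),
                 "resolve": timedelta(days=15),
                 "disclose": timedelta(days=15)},
    "high": {"respond": timedelta(days=3),
             "resolve": timedelta(days=30),
             "disclose": timedelta(days=30)},
}
STAGES = ("respond", "resolve", "disclose")


@dataclass
class VulnReport:
    """One vulnerability report with the timestamps an SLA tracker needs."""
    report_id: str
    vendor: str
    severity: str
    reported: datetime
    acknowledged: Optional[datetime] = None
    resolved: Optional[datetime] = None
    disclosed: Optional[datetime] = None


def stage_status(report: VulnReport, now: datetime) -> Dict[str, str]:
    """Classify each SLA stage as 'met', 'breached' or 'pending'.

    A completed stage is judged against its deadline. An incomplete stage is
    'breached' once its deadline has passed (open and overdue), else 'pending'.
    """
    targets = SLA_TARGETS[report.severity]
    completed = {"respond": report.acknowledged,
                 "resolve": report.resolved,
                 "disclose": report.disclosed}
    result = {}
    for stage in STAGES:
        deadline = report.reported + targets[stage]
        done_at = completed[stage]
        if done_at is not None:
            result[stage] = "met" if done_at <= deadline else "breached"
        elif now > deadline:
            result[stage] = "breached"
        else:
            result[stage] = "pending"
    return result


def compliance_summary(reports: List[VulnReport], now: datetime) -> dict:
    """Per-vendor, per-stage counts plus a compliance rate.

    rate = met / (met + breached); pending items are excluded so an open but
    not-yet-overdue report neither helps nor hurts the figure.
    """
    summary: dict = {}
    for r in reports:
        vendor = summary.setdefault(
            r.vendor, {s: {"met": 0, "breached": 0, "pending": 0} for s in STAGES})
        for stage, status in stage_status(r, now).items():
            vendor[stage][status] += 1
    for vendor in summary.values():
        for counts in vendor.values():
            decided = counts["met"] + counts["breached"]
            counts["rate"] = counts["met"] / decided if decided else None
    return summary


def overdue_ids(reports: List[VulnReport], now: datetime) -> List[str]:
    """IDs of reports with at least one breached stage, for an escalation list."""
    return [r.report_id for r in reports
            if "breached" in stage_status(r, now).values()]


# Constructed sample data (not from the report) used to exercise the checks.
NOW = datetime(2024, 3, 20, 12, 0)
SAMPLE_REPORTS = [
    VulnReport("V-1", "vendor-a", "critical", datetime(2024, 3, 1, 9, 0),
               acknowledged=datetime(2024, 3, 1, 15, 0),
               resolved=datetime(2024, 3, 10, 9, 0),
               disclosed=datetime(2024, 3, 12, 9, 0)),
    VulnReport("V-2", "vendor-a", "critical", datetime(2024, 3, 2, 10, 0),
               acknowledged=datetime(2024, 3, 4, 10, 0),  # 48h: breaches the 24h target
               resolved=datetime(2024, 3, 14, 10, 0)),    # disclosure still open and overdue
    VulnReport("V-3", "vendor-b", "critical", datetime(2024, 3, 15, 8, 0)),  # never acknowledged
    VulnReport("V-4", "vendor-b", "high", datetime(2024, 3, 10, 9, 0),
               acknowledged=datetime(2024, 3, 12, 9, 0),
               resolved=datetime(2024, 3, 18, 9, 0),
               disclosed=datetime(2024, 3, 19, 9, 0)),
]

if __name__ == "__main__":
    for vendor, stages in compliance_summary(SAMPLE_REPORTS, NOW).items():
        for stage, c in stages.items():
            rate = "n/a" if c["rate"] is None else f"{c['rate']:.0%}"
            print(f"{vendor:9} {stage:8} met={c['met']} breached={c['breached']} "
                  f"pending={c['pending']} rate={rate}")
    print("overdue:", overdue_ids(SAMPLE_REPORTS, NOW))
```

Treating an overdue open item as a breach rather than as pending is deliberate: a tracker that only scores closed reports lets an unacknowledged critical finding sit invisible, which is exactly the initial-response gap the survey measures. Feed it the ticket timestamps from your own tracker and the per-vendor rates become the SLA compliance report the survey's automated respondents produce.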
On a more positive note, 88% of respondents share their SLAs, and 66% share them with external stakeholders. The remaining 12% cite compliance concerns (6%), minimising PR issues (5%), and withholding knowledge from competitors (4%) as their reasons for not sharing. According to Intigriti CEO and Founder Stijn Jans, "Taking a more proactive cybersecurity stance is itself a competitive advantage and fosters trust with customers and new business prospects."
Jans added, "At Intigriti, we understand the immense pressure on cybersecurity leaders to defend against a rapidly evolving threat landscape with limited resources. Still, failing to plan is planning to fail, which is why SLAs are so crucial for protecting against cyber threats. Our report provides clear and actionable standards for performance and accountability, giving businesses a competitive edge in the process."
Cybersecurity budgets are expected to grow, with Gartner predicting a 14.3% rise in global security and risk management spending, reflecting the need to address expanding attack surfaces and comply with new regulations. The Intigriti report outlines several key takeaways: the need for a more urgent initial response to vulnerability reports, the importance of structured and measurable actions to protect against evolving cyber threats, the value of ethical hackers in detecting vulnerabilities faster, and the necessity of dynamic and robust protective measures against cyber criminals.