One fourth of global organisations faced breaches because of unpatched vulnerabilities

I can understand the “if it ain’t broke” mindset towards patching but, given the impact of having unpatched vulnerabilities, everyone should examine the comparative risks associated with keeping up to date vs. delayed (or non-existent) patch regimes…:

Close to 40 percent of organisations failed to do vulnerability scanning weekly – or more often – as recommended by industry standards.

The International Data Corporation (IDC) last year estimated that the worldwide spending on security-related hardware, software, and services would touch US$ 120.7 billion (£95 billion) in 2021. According to the IDC, the expenditure has been growing at an annual rate of 10 percent from the year 2016. However, this hardly resulted in preventing breaches, says a survey.

More than one in four (27 percent) organisations globally have faced security breaches as a result of unpatched vulnerabilities, according to a survey among 340 info-security professionals worldwide by security and compliance solutions provider Tripwire. The rate is even higher in Europe, at 34 percent, said the survey.

Vulnerability management starts with visibility of the attack surface, and Tripwire’s report found that 59 percent of global organisations are able to detect new hardware and software on their networks within minutes or hours. In assessing the attack surface for vulnerabilities, 88 percent of infosecurity professionals interviewed said they run vulnerability scans.

However, the research found that the degree of effectiveness of these vulnerability scans varied noticeably from company to company. Almost half (47 percent) of the respondents said that less than half of their assets are discovered automatically, including 13 percent who don’t even use automatic discovery solutions.

[…]

Original article here