Why Fixing Security Vulnerabilities Sooner, Rather Than Later, is Important

Getting your education takes a long time. Securing a home loan tends to be a longer process, as well. Both make sense and are commonly referred to as “the way it is.”

What doesn’t make sense is the information that was revealed in NopSec’s 2015 State of Vulnerability Risk Management. Summed up: Remediation issues are creating major security risks. While visibility and detection are at an all-time high, the typical organization takes too long to fix a security vulnerability.

The major findings concluded that:

  • The average time to remediate a security vulnerability is 103 days.
  • Financial services companies and education organizations take a shocking 176 days to make a fix.

What does this mean? Your bank, or an educational institution, is exposed for roughly six months. The window is even longer for a network vulnerability, which is left untouched for an average of 182 days, compared to application issues, which are usually fixed within 20 days.

Why is it happening? Regulation could be one piece to the puzzle. Sectors like financial services are highly regulated and thus follow strict guidelines when addressing vulnerabilities. Another factor could be lack of bandwidth inside the organization to address the issues.

There’s one primary motivation for a company to fix a vulnerability as soon as possible, beyond the obvious one (protecting the bottom line and securing data, which is what this whole discussion is about). The reason is, as the old saying goes: When it rains, it pours.

Hackers are skilled at exploiting vulnerabilities and then turning them into more trouble. Many breaches don’t focus on “hitting the jackpot” all at once. Instead, hackers focus on finding the weakest entry point, getting inside and then doing the most damage possible.

It’s understandably frustrating for IT departments when they are constantly reacting to vulnerabilities. If you’re one of the frustrated, our recommendation is to re-read our blog about playing offense and not defense in cyber security.