Most companies remain vulnerable to remote data attacks despite increased efforts to improve security patching practices.
At this week's Computer Security Institute conference in the US, Qualys, a provider of managed security services, released a study into the vulnerability and patch management practices of its customers.
Based on 32 million vulnerability assessment scans within its customer base, which include a large number of international companies, Qualys’ research showed that on average, companies take around 19 days to fix half of their internet-facing systems.
Until they are patched, those systems remain exposed to critical vulnerabilities and remote attack.
Last year the patching response rate was 21 days to protect 50% of systems, compared with 30 days in 2003. But despite the gradual improvements, companies clearly weren’t reacting fast enough, said Qualys.
Qualys pointed out that almost 80% of exploits and attacks targeting new vulnerabilities took place once a patch had been issued, with most damage done within the first 15 days of an exploit being revealed.
Companies therefore have to aim well below this timeframe to protect their systems adequately.
Companies were even slower when it came to patching their internal IT systems. Qualys found that it took firms an average of 48 days to patch 50% of internal systems.
This is lower than the 62 days it took to patch half of internal systems last year. But new threats can now propagate much more quickly, so firms had to do much more to speed up their response, said Qualys.
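The "days to patch half of systems" figure the article quotes is a half-life metric that any organisation can compute from its own scan history. The following is an added example, not code from the article or from Qualys; it assumes a constructed record format with a first-seen and a fix date per vulnerable system, and it keeps still-open systems in the denominator so that the half-life is reported as not yet reached rather than flattered by ignoring them.

```python
from dataclasses import dataclass
from datetime import date
from math import ceil
from typing import Optional

@dataclass
class Finding:
    """One vulnerable system as seen by a scanner (constructed record format)."""
    host: str
    internet_facing: bool
    first_seen: date            # date the scanner first reported it vulnerable
    fixed: Optional[date]       # date the patch was confirmed, None if still open

def half_life(findings, as_of, internet_facing):
    """Days until at least half of the affected systems were patched.
    Still-open systems stay in the denominator, so if fewer than half are
    fixed by `as_of` the half-life is not yet reached and None is returned."""
    group = [f for f in findings if f.internet_facing == internet_facing]
    if not group:
        return None
    ages = sorted((f.fixed - f.first_seen).days
                  for f in group if f.fixed is not None and f.fixed <= as_of)
    needed = ceil(len(group) / 2)            # systems that must be fixed for "half"
    if len(ages) < needed:
        return None
    return ages[needed - 1]                  # day on which the needed-th fix landed

def within_window(half_life_days, window_days=15):
    """True if the half-life beats the window in which most exploit damage occurs."""
    return half_life_days is not None and half_life_days < window_days

# Constructed sample data, not real scan output.
D, AS_OF = date(2005, 1, 1), date(2005, 3, 1)
SAMPLE = [
    Finding("web-1", True, D, date(2005, 1, 6)),    # fixed after 5 days
    Finding("web-2", True, D, date(2005, 1, 11)),   # 10 days
    Finding("web-3", True, D, date(2005, 1, 19)),   # 18 days
    Finding("web-4", True, D, date(2005, 1, 26)),   # 25 days
    Finding("web-5", True, D, None),                # still open
    Finding("web-6", True, D, None),                # still open
    Finding("db-1", False, D, date(2005, 1, 31)),   # 30 days
    Finding("db-2", False, D, date(2005, 2, 20)),   # 50 days
    Finding("db-3", False, D, None),
    Finding("db-4", False, D, None),
]

if __name__ == "__main__":
    for label, external in (("internet-facing", True), ("internal", False)):
        hl = half_life(SAMPLE, AS_OF, external)
        print(f"{label}: half-life {hl} days, within 15-day window: {within_window(hl)}")
```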