A study of 2,100 organisations reveals a global divide in how they assess cyber risk, with fewer than half using strategic vulnerability assessments.
Only 48% of the organisations studied run mature or moderately mature programs in which targeted, tailored scanning of computing resources according to business criticality is a foundational element of their cyber defence and risk-reduction strategy, according to Tenable’s Cyber defender strategies report.
The report uses data science and real-world telemetry data to analyse how organisations are assessing their exposure to vulnerabilities to improve their cyber security posture.
Across all organisations studied, only 5% display the highest degree of maturity, with comprehensive asset coverage a cornerstone of their programs.
The “diligent” approach represents the highest level of maturity: through high assessment frequency it achieves near-continuous visibility into which assets are secure or exposed, and to what extent.
At the other end of the spectrum, 33% of organisations take a “minimalist” approach to vulnerability assessment, doing the “bare minimum” required by compliance mandates and thereby increasing the risk of a business-impacting cyber event, the report said. This group represents a large number of enterprises that remain exposed and still have work to do, with critical decisions to make about which key performance indicators to improve first.
A previous Tenable study found that attackers generally have a median seven-day head start in which to exploit a known vulnerability before defenders have even determined that they are vulnerable.
That real-world gap is directly related to how enterprises conduct vulnerability assessments: smaller gaps, and lower risk, go with the more strategic and mature approaches, the latest report said.
“In the not too distant future, organisations will either fall into the category of those that rise to the challenge of reducing cyber risk or the category of those who fail to adapt to a constantly evolving and accelerating threat landscape in modern computing environments,” said Tom Parsons, senior director of product management, Tenable.
“This research is a call to action for our industry to get serious about giving the advantage back to cyber defenders, starting with the rigorous and disciplined assessment of vulnerabilities as the basis for mature vulnerability management and ultimately, cyber exposure.”
The research analysed more than three months of telemetry data from organisations in more than 60 countries to identify distinct security maturity styles and strategic insights that can help organisations.
Other strategies of vulnerability assessment
In addition to the “diligent” and “minimalist” approaches, the study identified two other strategies of vulnerability assessment.
The “surveyor” approach is characterised by frequent, broad-scope vulnerability assessments, but with little use of authenticated scanning or customisation of scan templates. Of the organisations reviewed, 19% follow this approach, placing them at low to medium maturity.
The “investigator” approach is characterised by vulnerability assessments executed with high maturity, but covering only selected assets. Of the organisations reviewed, 43% follow this approach, indicating a solid strategy based on a good scan cadence, targeted scan templates, broad asset authentication and prioritisation.
“Considering the challenges involved in managing vulnerabilities, securing buy-in from management, cooperating with disparate business units such as IT operations, maintaining staff and skills, and the complexities of scale, this is a great achievement and provides a solid foundation upon which to mature further,” the report said.
Across all levels of maturity, the report said, organisations benefit from avoiding a “scattershot approach” to vulnerability assessment and instead making strategic decisions and adopting more mature tactics, such as frequent, authenticated scans, to improve the efficacy of their vulnerability assessment programs.
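The four styles above are defined by measurable properties of a scanning programme: cadence, asset coverage, use of credentials and use of tailored templates. The script below is an added example (not Tenable's code or methodology) that derives those four KPIs from constructed scan telemetry for four fictional organisations, assigns each a style using threshold values that are this example's own assumptions, and measures the exposure window the seven-day figure refers to: the days between a vulnerability disclosure and the first scan that actually covers an affected asset. The host names, dates and affected hosts are constructed for illustration.

```python
"""Scoring vulnerability-assessment maturity from scan telemetry (illustrative example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Scan:
    org: str
    day: date
    assets: frozenset        # asset identifiers the scan actually covered
    authenticated: bool      # credentialed scan, or network-only probing?
    custom_template: bool    # tailored scan policy, or the vendor default?


# Constructed data: four fictional organisations, ten hosts each, one quarter of scans.
HOSTS = frozenset(f"h{i}" for i in range(10))
INVENTORY = {org: HOSTS for org in ("acme", "globex", "initech", "umbrella")}
CROWN_JEWELS = frozenset({"h0", "h1", "h2", "h3"})


def _series(org, start, step_days, count, assets, auth, custom):
    """Regularly spaced scans with identical scope and settings."""
    return [Scan(org, start + timedelta(days=step_days * i), assets, auth, custom)
            for i in range(count)]


SCANS = (
    # acme: weekly, credentialed, tailored, but only four crown-jewel hosts
    _series("acme", date(2018, 1, 1), 7, 13, CROWN_JEWELS, True, True)
    # globex: quarterly, unauthenticated, default template (the compliance minimum)
    + _series("globex", date(2018, 1, 15), 90, 2, HOSTS, False, False)
    # initech: weekly, every host, but unauthenticated with the default template
    + _series("initech", date(2018, 1, 1), 7, 13, HOSTS, False, False)
    # umbrella: every three days, every host, credentialed, tailored
    + _series("umbrella", date(2018, 1, 1), 3, 30, HOSTS, True, True)
)


def scans_for(org):
    return [s for s in SCANS if s.org == org]


def kpis(org_scans, inventory):
    """Cadence (mean days between scans), coverage, authentication and customisation ratios."""
    days = sorted(s.day for s in org_scans)
    gaps = [(b - a).days for a, b in zip(days, days[1:])]
    covered = frozenset().union(*(s.assets for s in org_scans))
    n = len(org_scans)
    return {
        "cadence_days": sum(gaps) / len(gaps) if gaps else float("inf"),
        "coverage": len(covered) / len(inventory),
        "auth_share": sum(s.authenticated for s in org_scans) / n,
        "custom_share": sum(s.custom_template for s in org_scans) / n,
    }


# Threshold values are this example's assumptions, not figures from the report.
def classify(k):
    if k["cadence_days"] > 45:                              # roughly quarterly: compliance-driven
        return "minimalist"
    if k["auth_share"] < 0.5 and k["custom_share"] < 0.5:   # frequent and broad, but shallow
        return "surveyor"
    if k["coverage"] >= 0.9 and k["cadence_days"] <= 7 and k["auth_share"] >= 0.8:
        return "diligent"                                   # near-continuous, comprehensive
    return "investigator"                                   # mature scans, selective scope


def maturity_profiles():
    return {org: classify(kpis(scans_for(org), INVENTORY[org])) for org in INVENTORY}


EXAMPLE_DISCLOSURE = date(2018, 2, 10)        # constructed advisory date
EXAMPLE_AFFECTED = frozenset({"h5", "h9"})    # constructed: hosts running the affected software


def days_to_first_assessment(org_scans, disclosure, affected):
    """Days from disclosure until the first scan covering any affected asset (None = never)."""
    later = [s.day for s in org_scans if s.day >= disclosure and s.assets & affected]
    return (min(later) - disclosure).days if later else None


def exposure_windows():
    return {org: days_to_first_assessment(scans_for(org), EXAMPLE_DISCLOSURE, EXAMPLE_AFFECTED)
            for org in INVENTORY}


if __name__ == "__main__":
    windows = exposure_windows()
    for org, style in maturity_profiles().items():
        print(f"{org:10} {style:13} days until affected hosts assessed: {windows[org]}")
```

Running it classifies acme as an investigator, globex as a minimalist, initech as a surveyor and umbrella as diligent. The exposure windows make the report's point concrete: the quarterly scanner does not look at the affected hosts for 64 days, while the two weekly-or-better programmes assess them within two days. Note that acme, despite scanning with credentials every week, never assesses the affected hosts at all, because they fall outside its selected scope; that is the blind spot of the investigator style that comprehensive asset coverage is meant to close.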