According to a recent analysis, financial firms can take up to 176 days to remediate a known security vulnerability – a significant time lag compared to other industry verticals.
Conducted by New York-based security company NopSec, the 2015 State of Vulnerability Risk Management (PDF) study revealed that the typical organization continues to face remediation challenges.
While cloud service providers appeared to respond to threats the fastest (50 days), healthcare organizations averaged 97 days, with the financial and education sector both averaging nearly six months to patch a security flaw.
“When faced with the average time it takes a hacker to build a successful exploit at seven days, and the case of zero-day exploits, this indicates that remediation efforts are clearly lagging far behind exploit time,” read the report.
When looking closer into the average time tickets remained open, the analysis also found that organizations are taking one to six months to close the loop on remediation.
Once again, the financial industry sector was the most alarming, with more than 30 percent of vulnerabilities lasting more than a year to fix from the time they were detected.
“Organizations are still very vulnerable to exploitation,” explained Michaelangelo Sidagni, NopSec Chief Technology Officer. “Although businesses have been alerted of the potential risks, system vulnerabilities and misconfigurations continue to be the root causes for costly security breaches.”
“Detection is simply not enough in today’s threat landscape of sophisticated attacks; organizations need to focus on threat prioritization.”
Sidagni added that the highly regulated nature of financial firms could be a potential reason for the threat remediation lag across the industry.
The regulatory culture, which has resulted in formal, detailed procedures, combined with the large number of assets that financial firms need to protect, may very well be slowing the industry’s response rate to imminent threats, said Sidagni.
“They have so many hurdles to go through when they fix vulnerabilities. They need to get approval, they have to do it in cycles – sometimes, they have to do fixes in specific maintenance windows,” he said.
Other key findings from the study are detailed in the infographic below: