Singapore ranked second-highest out of the countries reporting that they did not have enough resources to keep up with the volume of patches (78% compared to 72% globally). Globally, organisations, including those in Singapore, plan to increase patching headcount by 50% in the next 12 months.
Cybersecurity teams already dedicate a significant proportion of their resources to patching. That number is set to rise:
· Nearly seven in 10 (68%) of Singapore respondents say they plan to hire more dedicated resources for patching over the next 12 months, compared to 64% globally.
· On average, global respondents plan to hire about four people dedicated to vulnerability response – an increase of 50% over today’s staffing levels.
However, the report also revealed security’s “patching paradox” – hiring more people does not equal better security. Even with more people, firms will struggle with patching because of manual processes and an inability to prioritise what needs to be patched first. They may find it challenging to determine which systems are affected, which owners within the organisation to contact about applying the patch, and how to determine if the patch was applied to the correct system. If these processes are handled manually, much time can be lost. This aspect of patching becomes critical given that timely patching is the most successful tactic companies employed to avoid security breaches, according to the research.
“Most data breaches occur because of a failure to patch, yet many organisations struggle with the basic hygiene of patching,” Mitch Young, VP and GM, APJ, ServiceNow, said. “Attackers are armed with the most innovative technologies, and security teams will remain at a disadvantage if they don’t change their approach.”
“Adding more talent alone won’t address the core issue plaguing today’s security teams,” Young added, pointing out that reported breaches are really only the tip of the iceberg. “Automating routine processes and prioritising vulnerabilities helps organisations avoid the ‘patching paradox’, instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”
Adding cybersecurity talent may not be possible either. According to ISACA, a global non-profit IT advocacy group, the global shortage of cybersecurity professionals will reach 2 million by 2019. Young shared that Indeed has found security job vacancy postings may not even receive a single view online.
Source: Today’s State of Vulnerability Response report. Globally, breached companies had more problems with detecting and patching vulnerabilities compared to unbreached companies.
The study also found that for Singapore:
· Nearly six in 10 (58%) of Singapore respondents (compared to the global average of 53%) attributed the root cause of data breaches in their organisation to human error.
· Following closely were breaches caused by external criminal attack (57%, compared to 55% globally). Young noted that Singapore is a popular target because of the high number of financial firms as well as oil and gas companies in the country.
· Security teams in Singapore lost an average of 10 days manually coordinating patching activities across teams.
· Six in 10 say that manual processes put them at a disadvantage when patching vulnerabilities, a sentiment echoed by global respondents (61%).
· Cyberattack volume increased by 14% last year (15% globally), and severity increased by 25% (23% globally).
Globally, the cost of an attack that involved 10,000 records was calculated to be US$2.8 million, according to a 2017 Ponemon Cost of Data Breach study.
Young said, "The race is on for the good guys to implement the patch before the bad guys, the hackers, use that known vulnerability to weaponise that exposure to the company."
Speed is of the essence when it comes to reducing the breach risk, ServiceNow said. Organisations that were breached in the last two years have struggled with vulnerability response processes:
· Nearly half (45%) of organisations in Singapore have suffered a data breach in the last two years.
· Of these, 57% acknowledged they were breached because of a known vulnerability – a software security flaw for which a patch was already available.
· Almost one-third (32%) of Singapore organisations were aware that they were vulnerable before they were breached, highlighting the overwhelming need for effective vulnerability response to close down the attack vectors before hackers strike.
Petersen (left) and Young (right).
ServiceNow, which offers a platform with automated processes that help with key security operations such as asset management and patching, provides five recommendations to improve security posture:
· Take an unbiased inventory of vulnerability response capabilities.
· Accelerate time-to-benefit by tackling low-hanging fruit first.
· Regain time lost coordinating by breaking down data barriers between security and IT.
· Define and optimise end-to-end vulnerability response processes, and then automate as much as you can.
· Retain talent by focusing on culture and environment.
While some companies may not want to patch anything because they cannot afford to take their systems down while doing it, the alternative could be worse, with new legislation coming online that makes the penalties of a breach much heavier.
"It needs to be a risk-based conversation," noted Paul Petersen, Regional Director-APJ, Office of the CISO, ServiceNow, about the prioritisation of which assets to patch first, especially assets which are mission-critical. "We need to get that quantified risk up to the appropriate level so (decision makers) can say 'yes, we can have that downtime'. There is no secure system that's running unless it's completely air-gapped."
Explore:
Read the ServiceNow report by Ponemon Institute: Today’s State of Vulnerability Response, Patch Work Demands Attention
*ServiceNow commissioned the Ponemon Institute to survey nearly 3,000 IT security professionals. Respondents are based in Australia, France, Germany, Japan, the Netherlands, New Zealand, Singapore, the UK, and the US, and represent organisations with more than 1,000 employees. The survey was administered online. The Ponemon Institute is a research centre specialising in privacy, data protection, and information security policy.