Organizations take two months to patch critical vulnerabilities


Organizations are taking nearly two months to remediate critical-risk vulnerabilities, with a mean time to remediate (MTTR) of 60 days across all industries surveyed.

A new report from smart vulnerability management firm Edgescan, based on analysis of over 40,000 web application and API assessments, three million network endpoint assessments, and circa 1,000 penetration tests, finds high rates of known, patchable vulnerabilities for which working exploits exist in the wild.

57 percent of these vulnerabilities are more than two years old, and 17 percent are more than five years old. Edgescan has also observed a worrying 1.5 percent of known, unpatched vulnerabilities that are over 20 years old, dating back to 1999.

The size of an organization does not seem to make much difference to MTTR; Edgescan has, however, observed significant differences across industries. Healthcare organizations, despite the extreme pressure they have endured in the past two years, come out on top with an MTTR of just 44 days. At the opposite end of the spectrum, the public administration sector takes an average of 92 days to remediate known vulnerabilities, a month longer than the cross-industry average.
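The two figures quoted above, MTTR and the age distribution of unpatched vulnerabilities, are metrics any vulnerability-management programme can compute for itself. The following Python script is an added example, not code from the Edgescan report or from the article, showing how they are derived from a set of scanner findings. The finding records, sector labels and dates are constructed for illustration (the CVE identifiers are real, the records are not), and using the year in a CVE identifier as a proxy for disclosure date is an assumption. It also makes explicit a caveat the headline number hides: MTTR is only defined over findings that were actually closed, so an estate full of never-patched systems can still report a flattering MTTR.

```python
"""Mean time to remediate (MTTR) and vulnerability-age buckets from findings.

Added example with constructed data; not Edgescan's code or dataset.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Finding:
    cve: str                    # CVE identifier, e.g. "CVE-2017-0144"
    sector: str                 # hypothetical sector label (assumption)
    discovered: date            # date the scanner first reported the issue
    remediated: Optional[date]  # None while the finding is still open


def cve_year(cve: str) -> int:
    """Year component of a CVE identifier of the form CVE-YYYY-NNNN..."""
    parts = cve.split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"not a CVE identifier: {cve!r}")
    return int(parts[1])


def mttr_days(findings: Iterable[Finding], sector: Optional[str] = None):
    """Mean days from discovery to remediation over CLOSED findings only.

    Open findings are excluded (they are right-censored: we do not yet know
    how long they will take), so a large backlog of unpatched issues does
    not raise this number. Always report open_count() alongside it.
    Returns None when no closed finding matches.
    """
    closed = [f for f in findings
              if f.remediated is not None
              and (sector is None or f.sector == sector)]
    if not closed:
        return None
    return mean((f.remediated - f.discovered).days for f in closed)


def open_count(findings: Iterable[Finding], sector: Optional[str] = None) -> int:
    """Number of findings still open, the companion figure to MTTR."""
    return sum(1 for f in findings
               if f.remediated is None and (sector is None or f.sector == sector))


def mttr_by_sector(findings: Iterable[Finding]) -> Dict[str, Optional[float]]:
    """MTTR per sector, for the kind of cross-industry comparison above."""
    by_sector = defaultdict(list)
    for f in findings:
        by_sector[f.sector].append(f)
    return {s: mttr_days(fs) for s, fs in sorted(by_sector.items())}


def age_buckets(findings: Iterable[Finding], as_of: date) -> Dict[str, float]:
    """Percentage of OPEN findings whose CVE is more than 2, 5 and 20 years
    old as of `as_of`, using the CVE year as a proxy for disclosure date
    (assumption: the real disclosure date would be taken from the CVE record).
    """
    still_open = [f for f in findings if f.remediated is None]
    if not still_open:
        return {}

    def share(years: int) -> float:
        n = sum(1 for f in still_open if as_of.year - cve_year(f.cve) > years)
        return round(100.0 * n / len(still_open), 1)

    return {"over_2y": share(2), "over_5y": share(5), "over_20y": share(20)}


# Constructed sample findings (real CVE identifiers, made-up records).
FINDINGS = [
    Finding("CVE-2021-44228", "healthcare", date(2022, 1, 10), date(2022, 2, 23)),
    Finding("CVE-2017-0144", "healthcare", date(2022, 1, 1), date(2022, 2, 14)),
    Finding("CVE-2021-34527", "healthcare", date(2022, 3, 1), None),
    Finding("CVE-2019-0708", "public_admin", date(2022, 1, 1), date(2022, 4, 3)),
    Finding("CVE-2014-0160", "public_admin", date(2022, 1, 1), None),
    Finding("CVE-1999-0517", "public_admin", date(2021, 6, 1), None),
]
AS_OF = date(2022, 6, 1)  # reporting date for the age buckets (assumption)

if __name__ == "__main__":
    print("overall MTTR (days):", mttr_days(FINDINGS), "open:", open_count(FINDINGS))
    for sector, days in mttr_by_sector(FINDINGS).items():
        print(f"  {sector}: MTTR {days} days, open {open_count(FINDINGS, sector)}")
    print("age of open findings:", age_buckets(FINDINGS, AS_OF))
```

Run as a script it prints the overall and per-sector MTTR with the open count beside each, then the age buckets. Note that the sample deliberately has half its findings still open: the MTTR of 60 days says nothing about them, which is why the report's age figures for known, unpatched vulnerabilities are the more uncomfortable number.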

“We are delighted to be able to share our intelligence with the wider security community for the seventh year running,” says Eoin Keary, CEO and co-founder of Edgescan. “Patching and maintenance are still a challenge, and so is detection. Attack surface management and visibility is paramount, and with our report we aim to inform enterprises of the most common exposures.”

You can get the latest Vulnerability Statistics Report from the Edgescan site.

Author: Martha Meyer