Vulnerability management prevents data breaches – yet most organizations still wait to get hit before they’re willing to change

Teemu Myllykangas

26.03.19 3 min. read

A new security vulnerability is identified every 90 minutes, with attackers frequently exploiting them to access an organization’s systems. If a hacker can successfully attack before the target patches the issue, there is a high risk of a data breach. Vulnerability management software helps companies prevent data breaches by identifying software and configuration vulnerabilities.

Publicly known vulnerabilities are catalogued under Common Vulnerabilities and Exposures (CVE) identifiers. Because that list is accessible to everyone, attackers can take advantage of it too. Known vulnerabilities are easy targets because most businesses fail to roll out software updates quickly. But why is that?

Firstly, patching a disclosed vulnerability can take a while because software updates need to be tested before they’re rolled out. That makes sense: organizations have a responsibility to make sure critical operations are not disrupted. In a hospital, for example, an untested update that breaks a system could create life-or-death situations.

Secondly, two-thirds of cyber security professionals say it’s difficult to prioritize what needs to be patched first. With a long list of vulnerabilities, organizations need to decide which ones pose the most exploitation risk and should be tackled immediately.


The severity and volume of attacks have increased, and attacks are happening much faster. That’s why mitigating threats is a race against time. Unfortunately, it takes an average of 103 days for vulnerabilities to be remediated – a long time in today’s quickly evolving threat landscape.

A recent Ponemon study found that organizations that had avoided breaches in the last two years rated their ability to detect vulnerabilities in a timely manner 19% higher, and their ability to patch vulnerabilities quickly 41% higher, than those that had been breached. This showcases that organizations that detect and patch vulnerabilities quickly have a better chance to avoid cyber incidents.

The 2017 WannaCry crypto-ransomware outbreak is a great example of a known vulnerability being exploited to great effect. If organizations had patched the vulnerability within a month of its disclosure, WannaCry would not have been as widespread, costly and disruptive. It shows how quickly things can escalate when vulnerabilities are not under control.


Why doesn’t hiring more people equal better security? In many organizations, too much of IT experts’ time is spent on things that could easily be automated. In fact, 61% of security teams say manual processes are putting them at a disadvantage when patching vulnerabilities. This, in turn, can create great risks for the organization.

Let’s imagine a new web application with more than 100 potential attack surfaces. Each entry point needs to be checked against 400 different web application vulnerability threats. This process requires a highly trained penetration tester to launch 40,000 security tests, each of which takes about two minutes. This results in 1,333 man-hours, or in simpler terms, half a year’s work. By using an automated web application scanner, the task could be completed in just a few hours.

Vulnerability management software can be a tremendous asset in identifying, evaluating, reporting and remediating security vulnerabilities for risk identification, reduction and reporting against compliance standards. It offers scalability by reviewing thousands of vulnerabilities, allowing IT experts to focus their efforts on two things: remediation and fine-tuning processes.

Prioritization of vulnerabilities should be based on true business risk rather than on the perceived severity of the vulnerability alone. A severe vulnerability on a laptop that nobody is using does not rise very high in the remediation queue. A mediocre vulnerability on a business-critical server facing the Internet, however, will certainly be one of the top priorities. Vulnerability management software makes this kind of risk-based prioritization a lot easier.
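One way to turn that rule into a repeatable ranking, as an added example (this is not F-Secure’s or the author’s code; the weights, field names and sample findings are assumptions chosen to illustrate the point, not an industry standard):

```python
"""Risk-based ranking of vulnerability findings (illustrative model)."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # constructed placeholder, not a real CVE number
    severity: float       # CVSS-style base score, 0.0 to 10.0
    internet_facing: bool
    business_critical: bool
    in_use: bool          # False for a laptop that sits switched off in a drawer
    exploit_public: bool  # a working exploit is publicly known


# Assumed weights, chosen for illustration; a real programme tunes these.
EXPOSURE_WEIGHT = {True: 3.0, False: 1.0}
CRITICALITY_WEIGHT = {True: 2.0, False: 1.0}
EXPLOIT_WEIGHT = {True: 1.5, False: 1.0}
UNUSED_WEIGHT = 0.2  # not zero: a dormant device may be booted again


def risk_score(f: Finding) -> float:
    """Business-risk score: severity scaled by exposure, asset value and
    exploit availability, then heavily discounted for an asset not in use."""
    if not 0.0 <= f.severity <= 10.0:
        raise ValueError(f"severity out of range for {f.vuln_id}: {f.severity}")
    score = (f.severity
             * EXPOSURE_WEIGHT[f.internet_facing]
             * CRITICALITY_WEIGHT[f.business_critical]
             * EXPLOIT_WEIGHT[f.exploit_public])
    if not f.in_use:
        score *= UNUSED_WEIGHT
    return score


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Order findings highest business risk first; ties fall back to raw severity."""
    return sorted(findings, key=lambda f: (risk_score(f), f.severity), reverse=True)


# Constructed sample findings mirroring the two cases described in the text.
SAMPLE = [
    Finding("spare-laptop-07", "VULN-0001", 9.8, False, False, False, True),
    Finding("web-shop-01", "VULN-0002", 5.3, True, True, True, False),
    Finding("hr-intranet", "VULN-0003", 7.5, False, True, True, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.2f}  {f.asset:16} {f.vuln_id}  CVSS {f.severity}")
```

With these weights the CVSS 5.3 finding on the Internet-facing shop server ranks first and the CVSS 9.8 finding on the unused laptop ranks last, which is the ordering the paragraph argues for.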


Organizations can reduce their risk of being breached by 20% simply by starting to scan for vulnerabilities. In fact, 57% of data breach victims were compromised through a known but unpatched vulnerability. It’s clear that organizations that want to avoid data breaches should invest in vulnerability management.

Data breaches can get very expensive: the average total cost of a data breach is $3.86 million. There are significant IT costs related to data breach detection, escalation, notification and response, but there are also costs for lost business: customer churn, business disruption and system downtime. The faster a data breach can be identified and contained, the lower the costs.

Organizations may also face fines. The EU’s GDPR requires organizations to report breaches within 72 hours of discovery or face significant fines. Organizations also need a process for regularly testing, assessing and evaluating the technical measures that ensure the security of data processing. This means they have no choice but to take data security seriously.

It seems that organizations do learn, but only when they’re forced to. According to Ponemon’s research, the larger the data breach a company has encountered, the less likely it is to experience another incident in the next 24 months.

Rather than having to go through a breach situation, wouldn’t it be smarter (and less costly) to learn from others’ mistakes?
