Singapore organizations caught in 'patching paradox'

08 May 2018

Singapore organizations say they don’t have the resources to keep up with the volume of patches required to remediate software flaws – but more than half say they will hire more people to deal with vulnerability responses.

A recent report from ServiceNow and the Ponemon Institute polled 3000 security professionals worldwide (165 from Singapore). It found that Singapore had the second-highest proportion of respondents reporting insufficient resources to keep up with the volume of patching (78% compared to 72% globally).

However, 50% of those same global organizations say they will increase headcount, despite already dedicating a significant proportion of their resources to patching. In Singapore, 68% of respondents say they will hire more dedicated resources for patching over the next 12 months.

However, IT advocacy group ISACA says that hiring new staff will not solve the problem, especially as the global shortage of cybersecurity professionals may reach 2 million by 2019.

The ServiceNow report also says that there is a ‘patching paradox’ – hiring more people does not necessarily mean better security. Organizations need to fix their broken patching processes first.

“Adding more talent alone won’t address the core issue plaguing today’s security teams,” comments ServiceNow VP of APJ, Mitch Young.  

Organizations struggle with patching issues because they use manual processes and don’t prioritize what needs to be patched first.

The survey found that 58% of Singapore respondents attributed the root cause of data breaches in their organization to human error. Singapore security teams lost an average of 10 days manually coordinating patching activities across teams, and 60% say manual processes put them at a disadvantage when they try to patch vulnerabilities.

ServiceNow says efficient vulnerability responses are critical because timely patching is important for avoiding security breaches.

“Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach,” Young adds.

Overall, 45% of Singapore respondents say they have experienced a data breach in the last two years. Of those, 57% say the breach was due to a known vulnerability.

“Most data breaches occur because of a failure to patch, yet many organizations struggle with the basic hygiene of patching,” Young says.

“Attackers are armed with the most innovative technologies, and security teams will remain at a disadvantage if they don’t change their approach.”

ServiceNow offers five key recommendations that provide organizations with a pragmatic roadmap to improve security posture:

· Take an unbiased inventory of vulnerability response capabilities.
· Accelerate time-to-benefit by tackling low-hanging fruit first.
· Regain time lost coordinating by breaking down data barriers between security and IT.
· Define and optimize end-to-end vulnerability response processes, and then automate as much as you can.
· Retain talent by focusing on culture and environment.
