Bug Fixes Take Twice as Long for Manufacturing Firms

Manufacturing firms take twice as long to fix vulnerabilities as their peers in other verticals, although healthcare organizations have over three times as many flaws per asset, according to new research from Kenna Security.

The security vendor teamed up with the Cyentia Institute to lift the lid on vulnerability management in 14 key sectors, with a particular focus on four: tech, manufacturing, healthcare and finance.

Although remediation capacity remained fairly consistent across the verticals, with a typical organization fixing one in every 10 vulnerabilities on their system, the research revealed specific challenges in each.

The median number of flaws per asset affecting manufacturing firms is 10, slightly higher than in other industries (7). However, they are lagging behind the average when it comes to “remediation velocity.”

The half-life of vulnerabilities for manufacturing firms is typically 69 days, versus 36 days elsewhere, while fixing 75% of bugs takes 280 days versus 201, Kenna Security revealed.

“Manufacturing companies are able to patch eight out of every 10 high risk vulnerabilities, placing them in the top sectors,” explained Kenna Security CTO, Ed Bellis. “Individual companies lag however. About four in 10 firms end each month with more high-risk vulnerabilities than they started with. The other six either break even or gain ground.”

In healthcare, there’s an average of 34 bugs per asset, nearly five times the industry average. Although these organizations seem to be doing a good job of keeping on top of flaws, there’s still room for improvement.

“Healthcare organizations are highly efficient at finding and patching high risk vulnerabilities. On average, they tend to close about 75% of them,” explained Bellis. “That’s an admirable result, but in terms of comparisons to other sectors, it seems that healthcare lags. Of the 14 sectors we tracked in all, more than half do better.”

The finance vertical had the second-highest number of flaws per asset, at 18, which could be explained by the relatively large digital footprint of many of its firms. Although they remediate half of these vulnerabilities slightly slower than most firms (44 days versus 34), they’re good at tackling high-risk bugs.

“They close 85% of the most dangerous vulnerabilities,” said Bellis. “About seven in 10 finance firms either hold ground or close more vulnerabilities than hit their books every month.”

The tech industry stood out as having the fewest vulnerabilities per asset, just two, and in terms of coverage, with tech firms closing around 90% of them.

“A typical company – across all sectors – closes about 25% of its vulnerabilities in 19 days, and 75% of its vulnerabilities in 202 days. Tech companies, however, close half of all vulnerabilities in 17 days and they close 75% of vulnerabilities in 67 days,” said Bellis.
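The three metrics the report leans on above are remediation velocity (the number of days by which 25%, 50% or 75% of a cohort of vulnerabilities has been closed; the 50% point is the "half-life" cited for manufacturing), coverage (the share of vulnerabilities, or of high-risk vulnerabilities, that get closed at all) and the month-by-month net change Bellis describes as "break even or gain ground". The script below is an added example, not code from Kenna Security or the Cyentia Institute, showing one straightforward way to compute all three from a vulnerability scanner's open/close records. The records, field names and dates are constructed for illustration; the only design choice worth noting is that still-open findings stay in the denominator, so a percentile that a cohort has not yet reached comes back as None rather than being silently computed over closed findings only.

```python
import math
from datetime import date

# Constructed sample data (not from the Kenna/Cyentia report): one record per
# vulnerability instance with the day it was detected and, if fixed, the day
# it was closed. Dates are spread out so the percentiles are non-trivial.
VULNS = [
    {"id": "v1", "opened": date(2020, 1, 3),  "closed": date(2020, 1, 10), "high_risk": True},
    {"id": "v2", "opened": date(2020, 1, 5),  "closed": date(2020, 1, 20), "high_risk": False},
    {"id": "v3", "opened": date(2020, 1, 8),  "closed": date(2020, 2, 12), "high_risk": True},
    {"id": "v4", "opened": date(2020, 1, 15), "closed": date(2020, 3, 30), "high_risk": False},
    {"id": "v5", "opened": date(2020, 2, 2),  "closed": date(2020, 2, 9),  "high_risk": True},
    {"id": "v6", "opened": date(2020, 2, 10), "closed": None,              "high_risk": True},
    {"id": "v7", "opened": date(2020, 2, 20), "closed": date(2020, 4, 1),  "high_risk": False},
    {"id": "v8", "opened": date(2020, 3, 1),  "closed": None,              "high_risk": False},
]


def time_to_close(records, fraction):
    """Remediation velocity: days by which `fraction` of all records were
    closed (0.5 gives the half-life). Open findings count toward the
    denominator but never toward the closed set, so if fewer than `fraction`
    were ever closed the cohort has not reached that milestone and we return
    None instead of a misleading number."""
    durations = sorted(
        (r["closed"] - r["opened"]).days for r in records if r["closed"] is not None
    )
    needed = math.ceil(fraction * len(records))
    if needed == 0 or needed > len(durations):
        return None
    return durations[needed - 1]


def coverage(records, high_risk_only=False):
    """Share of findings that were closed at all, optionally restricted to
    the high-risk subset (the '8 out of 10 high-risk' style figure)."""
    pool = [r for r in records if r["high_risk"]] if high_risk_only else list(records)
    if not pool:
        return 0.0
    return sum(1 for r in pool if r["closed"] is not None) / len(pool)


def net_change(records, year, month):
    """Opened minus closed within one calendar month. Positive means the
    backlog grew (losing ground), zero is break-even, negative is gaining
    ground, which is how the quoted 'four in 10 firms' comparison is framed."""
    opened = sum(1 for r in records if (r["opened"].year, r["opened"].month) == (year, month))
    closed = sum(
        1 for r in records
        if r["closed"] is not None and (r["closed"].year, r["closed"].month) == (year, month)
    )
    return {"opened": opened, "closed": closed, "net": opened - closed}


if __name__ == "__main__":
    for frac in (0.25, 0.5, 0.75, 0.9):
        print(f"{int(frac * 100)}% closed within: {time_to_close(VULNS, frac)} days")
    print(f"coverage (all): {coverage(VULNS):.0%}")
    print(f"coverage (high-risk): {coverage(VULNS, high_risk_only=True):.0%}")
    for m in (1, 2, 3, 4):
        print(f"2020-{m:02d}: {net_change(VULNS, 2020, m)}")
```

On the constructed data the half-life is 35 days, 75% are closed within 75 days, and the 90% mark is never reached because two findings are still open; January and February end with a bigger backlog than they started with, March breaks even and April gains ground.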

Agriculture was the worst performing sector in terms of coverage, fixing just 28% of vulnerabilities.
