Threatlist: Financial Services Firms Lag in Patching Habits

Almost half (45 percent) of financial services firms in a recent survey have reported a data breach in the last two years – with many of those attacks being completely avoidable if known vulnerabilities were patched.

In a Ponemon Institute survey of nearly 3,000 cybersecurity professionals at companies with more than 1,000 employees, commissioned by ServiceNow, respondents reported an average 17-percent increase in cyberattack volumes over the last 12 months, and they said that the severity of these attacks increased by 23 percent over the same period. In part, this is due to threat actors adding new tools to their arsenal: 66 percent said attackers are outpacing enterprises with technology such as machine learning and artificial intelligence.

Meanwhile, the stakes continue to rise: The polling found that the average cost of a data breach globally is $3.86 million. On average, the cost is $148 for every record lost and this rises to more than $206 for financial services institutions in the United States.

However, the good news is that despite the rise in next-gen attack methods, tried-and-true defenses continue to make a difference. Financial services firms that hadn’t been breached in the last two years rated themselves 22 percent more capable when it comes to the ability to detect vulnerabilities quickly than those that had (6.83 vs. 5.35 on a scale of one to 10).

Also, when asked to self-critique their defensive capabilities, institutions that avoided breaches in the last 24 months rated their ability to patch vulnerabilities in a timely manner 31 percent higher than those that had been breached.

In fact, patching is the most significant characteristic of firms that were not breached in the last two years. Almost half (47 percent) of respondents who reported a breach said that they were compromised due to a vulnerability for which a patch was available but not applied. Also, 37 percent say they actually knew they were vulnerable before the breach occurred.

This is set against the backdrop pf an ever-shrinking time-to-event horizon. About half (53 percent) of respondents from financial services institutions said that the time window for patching – the time between patch release and hacker attack –has decreased an average of 27 percent over the last two years.

Further complicating things is the fact that accurately prioritizing vulnerabilities requires a knowledge of both the severity of the flaw (measured by Common Vulnerability Scoring System (CVVS) scores, for example); and the types of business systems affected. However, these two pieces of information typically sit on opposite sides of the security/IT boundary, the survey found. As evidence of this disconnect, only 33 percent of respondents said that they use both severity and types of business systems affected to prioritize vulnerabilities.

Of course, good patching hygiene takes resources; and this is where financial services firms are stepping up. A majority (71 percent) of respondents say that they plan to hire additional dedicated resources for vulnerability response over the next 12 months. Across these respondents, the planned headcount increase is 5.14 people, which represents 57 percent growth over today’s staffing levels.