Dive Brief:
- Poor management of software vulnerabilities at a company can be an indicator of overall poor cybersecurity governance practices, S&P Global Ratings said in a report released Monday.
- Companies that fail to identify and remediate vulnerabilities could be held accountable when they are assessed for their overall level of risk management and internal controls, according to S&P.
- The report cited data in the 2024 Verizon Data Breach Investigations Report, which noted exploitation of vulnerabilities almost tripled in 2023. S&P analyzes thousands of companies and poor cyber hygiene could place a company at risk of operational disruption, reputational loss and financial impacts.
Dive Insight:
The recognition and remediation of software vulnerabilities has become an increasingly urgent issue in the cybersecurity community in recent years.
These vulnerabilities involve flaws left behind in the code base of applications, which can allow malicious attackers to gain unauthorized access to computer systems.
Vulnerability management has become a key concern for preventing ransomware and other malicious activity.
CVEs are continuing to rise and are expected to reach nearly 35,000 in 2024, according to data from Coalition.
S&P analysts said the failure to manage these vulnerabilities could be a sign of larger security management problems of companies they monitor.
Companies are attempting to prioritize the most serious vulnerabilities and are also being pushed to make sure their software is up to date, as threat groups are increasingly targeting older vulnerabilities in unpatched or older software.
“Having a vulnerability management process in place can help reduce cyber risk,” Paul Alvarez, lead cyber expert at S&P Global Ratings, said via email. “In fact, the NIST Cybersecurity Framework outlines the need to understand what vulnerabilities may be present as part of its risk assessment process.”
Federal agencies have made a major push to remediate critical vulnerabilities in the tools they use. In 2023, federal agencies remediated 872 vulnerabilities, a 78% increase from the year before.
Source link