A high percentage of businesses are unprepared for security threats and are using inefficient threat prevention tools such as vulnerability scanning, according to a survey released by security risk management solutions specialist SkyBox. The survey found that although 92 percent of companies have a vulnerability management program in place, nearly half consider their networks to range from somewhat to extremely vulnerable to security threats, and in the past six months nearly half (49 percent) of the companies surveyed have experienced a cyber-attack that led to a service outage, unauthorized access to information, a data breach or damage.
Forty percent of companies scan their internal networks once per month or less frequently, and even the critical demilitarized zone (DMZ), a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, is typically scanned once per week or less often. Internal networks and data centers received top priority in terms of scanning frequency, with 35 percent of organizations scanning these zones on a daily basis, although 49 percent of respondents said their organizations did not conduct vulnerability scanning as often or in as much depth as they would like.
"Evidently, active vulnerability scanning can cause huge management headaches due to its disruptive nature and information overload, so scanners tend to be used primarily for spot checks that aren't effective at minimizing risks," Gidi Cohen, CEO at Skybox Security, said in a prepared statement. "Critical vulnerabilities have to be identified, prioritized and remediated daily, across a significant portion of the infrastructure, in order to systematically shrink the risk window and prevent data breaches and attacks."
Large and midsize organizations both cited concerns about disruptions caused by active scanning, and a lack of resources to analyze more frequent scan data, as the top reasons for scanning less often than desired, though large organizations (more than 1,500 employees) tend to scan more frequently and with greater coverage of hosts than midsize organizations (250-1,499 employees). However, large organizations cited a lack of patching resources and non-scannable hosts as a significantly greater issue than midsize organizations did.
The survey, conducted in partnership with Osterman Research, polled more than 100 IT decision makers, including security managers and network and systems engineers involved in vulnerability management processes. The companies surveyed ranged in size from 250 to 350,000 employees, with a median size of 2,900 employees. Vulnerability scanners have been the main tools used over the last 15 years to detect vulnerabilities, working by actively probing network hosts for many thousands of attack patterns.