Posted in:

Security patch delays due to ‘poor organisational co-ordination’

Some 60% of cyber breaches in 2019 involved vulnerabilities where available patches were not applied, reveals new study from ServiceNow.

Despite a 24% average increase in annual spending on prevention, detection and remediation in 2019 compared with 2018, cyber security patching – changes to software to fix vulnerabilities – in many organisations is delayed an average of 12 days due to data silos and poor organisational co-ordination.

According to the report Costs and Consequences of Gaps in Vulnerability Response, published this week, the average timeline to patch the most critical vulnerabilities is now 16 days.

The report, from ServiceNow, also recorded a 17% increase in cyber attacks over the past 12 months, with 60% of security breaches linked to a vulnerability where a patch was in fact available but not applied.

The study surveyed almost 3,000 IT security professionals in nine countries to understand how organisations are responding to vulnerabilities. Its key findings include:

  • A 30% more downtime compared to 2018, due to delays in patching vulnerabilities.
  • A 34% increase in weekly costs spent on patching compared to 2018.
  • A 69% of respondents plan to hire an average of five staff members dedicated to patching during 2020, at an average annual cost of €584,707 for each respondent organisation.
  • An 88% of respondents said they must engage with other departments across their organisations, which results in co-ordination issues that delay patching by an average of 12 days.

“This study reveals the vulnerability gap that has been a growing pain point for CISOs and CIOs,” says Jordi Ferrer, VP & General Manager UK&I at ServiceNow. “Companies saw a 30% increase in downtime due to patching of vulnerabilities, which hurts customers, employees and brands. Many organisations have the motivation to address this challenge, but struggle to effectively leverage their resources for more responsive vulnerability management.”

More information: