How cybersecurity’s “5 Percent Rule” could help you avoid the next cyber attack


It’s not easy being a cybersecurity leader these days. Security vulnerabilities in software, hardware, and devices are rising in number and severity, bringing with them risk of ransomware, breach, and other dangerous cybersecurity incidents. The risks presented by vulnerabilities are rising fast:

  • Vulnerabilities are rising in number: 25,000 in 2022, up 25% from the year prior.
  • “Known Exploited Vulnerabilities” — those vulnerabilities observed to be exploited by malicious actors in the wild — nearly doubled from 2021 to 2022.
  • Ransomware incidents remained high in 2022, up 20% from 2020.

Here’s the important question: With cyber vulnerabilities rising and presenting increasingly serious risks, are organizations doing enough to fight back? The answer might surprise you.

What are organizations doing about vulnerabilities?

Despite these risks, vulnerability management programs struggle to keep up. Quantitative research from the Marsh McLennan Cyber Risk Analytics Center suggests that vulnerability management may be the single most important thing a cybersecurity leader can implement to effectively and measurably reduce the risk of experiencing a cybersecurity incident. So, vulnerability management programs should be overwhelmingly high-performing and polished, right? Not quite.

Bitsight studied organizations’ vulnerability management programs by analyzing how quickly – or slowly – organizations remediate the typical vulnerability. Unfortunately, we found that many organizations struggle to implement an effective vulnerability management program. After analyzing 140 medium, high, and critical software vulnerabilities across over 100,000 organizations around the world, with varying rates of remediation at the time of observation, Bitsight found that the average vulnerability remediation rate across organizations is a mere 5 percent per month. This 5 percent rule implies that after an entire year, more than half of the originally vulnerable organizations will remain vulnerable. That’s the status quo of vulnerability management, and organizations need to take action to change it.
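As an added check on the arithmetic behind the 5 percent rule (not part of the original post), assume a constant remediation rate $r = 0.05$ per month applied to the organizations that are still vulnerable. The share of originally vulnerable organizations still exposed after $t$ months is then

$$V(t) = (1 - r)^t, \qquad V(12) = 0.95^{12} \approx 0.54,$$

so roughly 54 percent remain vulnerable after a year, consistent with the “more than half” stated above. The time for the vulnerable population to fall by half is

$$t_{1/2} = \frac{\ln 0.5}{\ln 0.95} \approx 13.5 \text{ months},$$

which is the figure to compare your own program against: a 5-percenter clears the vulnerability in month one, while the average organization needs more than a year to reach the halfway point.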

Are you a 5-percenter?

A 5-percenter is an organization that remediates a new vulnerability within one month of observation.

Remediating a new vulnerability in the first month sets you apart from the pack and promotes organizational security. Only 5 percent of organizations remediate a new vulnerability in the first month, while those who remain vulnerable leave their organizations open to potentially critical threats like data breach, ransomware, and other serious cyber incidents. This is bad for business and can impact relationships with stakeholders like executives, board members, customers and business partners, investors, insurers, credit rating agencies, and government regulators.

Four crucial steps you can take to become a 5-percenter

Remediating a new vulnerability within one month can serve as your North Star, but how do you get there? Cybersecurity leaders require innovative and comprehensive solutions that can assist them in identifying their attack surface, enhancing their vulnerability management programs, effectively handling zero-day vulnerabilities and other significant security incidents, and communicating their success to stakeholders. Prioritizing these initiatives can significantly reduce organizational risk, foster trust within the organization, and improve your odds of becoming a 5-percenter when the next vulnerability hits.

1. Prioritize vulnerability management

As a starting point, vulnerability management must be treated as critical to organizational security, because it is. This means prioritizing the people, the technology solutions, and the governance principles that guide the program. The foundation of an effective vulnerability management program is strong governance together with the key analytics needed to benchmark performance.

Marsh McLennan found Bitsight’s Patching Cadence risk vector — a measure of an organization’s vulnerability management program — to be most correlated with incident likelihood. Confidently leverage Bitsight’s analytics to assess the effectiveness of your program, identify gaps, and take steps to improve your overall security posture.

2. Identify your attack surface

You can’t fix what you can’t see. It is critical that you have visibility of the cyber assets that comprise your attack surface, where the greatest risks are, and how to mitigate them. But visibility is only the start. Organizations then need to prioritize vulnerability management based on the risk of each asset and the criticality of the vulnerability itself.

Bitsight helps you see a complete view of your organization’s attack surface — on-premises, in the cloud, and throughout the supply chain — and allows you to discover where your organization’s cyber risk lies. Our solution allows you to gain visibility into your digital assets, discover shadow IT, and visualize areas of disproportionate risk, ultimately arming you with what you need to identify and remediate cyber risks in your digital ecosystem.

3. Understand third-party cyber risks

A successful attack on your third-party vendors and relationships could result in business disruption, financial loss, and reputational harm, and could even compromise your internal systems and data. Many organizations rely on time-consuming processes to evaluate cyber risk in their third-party ecosystems, opting to send mass emails with spreadsheet questionnaires, with little prioritization and no reliable way to track responses. This approach makes it difficult to swiftly and accurately assess and address cyber risks, particularly new, zero-day vulnerabilities as they arise.

Bitsight helps organizations streamline cyber risk detection, management, and mitigation within their third-party ecosystem, including critical, zero-day vulnerabilities. Bitsight’s solutions help organizations:

  • Detect, manage, and mitigate emerging zero-day events with speed.
  • Scale and track vendor outreach efforts with precision.
  • Remediate risk quickly with better prioritization of vendor outreach efforts.
  • Confidently adhere to growing regulatory pressure with easy access to vulnerability data.

4. Communicate effectively with stakeholders

Organizations face a significant challenge in effectively communicating their cybersecurity posture to critical stakeholders such as the board, executives, and the capital markets. A strong cybersecurity posture is becoming a crucial differentiator for businesses, so much so that many executives are hesitant to onboard risky partners, while investors are increasingly cautious about investing in companies with high cyber risk. Even government regulators like the Securities and Exchange Commission (SEC) are setting cyber risk transparency into motion with proposed mandatory cybersecurity disclosure rules. And insurers aren’t holding back either – a weak cybersecurity posture will impact your ability to secure more competitive coverage and premiums.

Bitsight provides independent, objective analytics that enable security leaders to have more effective conversations with internal and external stakeholders about their cybersecurity effectiveness. Bitsight lets you quickly pull universal metrics that reframe the conversation about cybersecurity toward business risk. For example, you can present how many vulnerabilities exist in your digital ecosystem and their severity — i.e., their likelihood of contributing to a breach — or how many organizations in your portfolio have been breached and have disclosed that breach. This enables executives and board members to make more informed decisions about where investments and resources are needed.

Take action now

Becoming a 5-percenter is an achievement that is larger than a mere designation. When the next vulnerability is discovered, you want your organization to be among the first 5 percent to effectively remediate that vulnerability. Focusing on the above four steps will position your organization to better protect itself from vulnerabilities in the wild, and Bitsight is your trusted partner in this journey.

Adopting the right tools and partners is critical. Contact Bitsight today to learn how we can help.