
The UK is Falling Behind Europe in Addressing Vulnerabilities for Exploitation


UK organizations are finding themselves behind their European counterparts when it comes to remedying software vulnerabilities listed in the US Known Exploited Vulnerability (KEV) catalog, a recent report from Bitsight has found.

In the report titled “A Global View of the CISA KEV Catalog: Prevalence and Remediation,” Bitsight analyzed the security posture of 1.4 million entities, excluding cloud and other service providers. The KEV catalog is an initiative by the US Cybersecurity and Infrastructure Security Agency (CISA) that documents security vulnerabilities that have been successfully exploited, including those associated with ransomware campaigns.

While federal agencies are given mandatory deadlines to patch the bugs listed in the KEV catalog, all organizations are encouraged to do the same as a best practice. However, the report revealed that UK organizations take an average of 225.4 days to remediate KEVs, which is longer than the 220.6 days it takes European entities.

In comparison, organizations in Germany take only 21.7 days to address KEV CVEs, making them the fastest in Europe and among the best performers globally. The report also found that the figures for non-KEV vulnerabilities are even worse for UK and European organizations: UK organizations take over two years (736.6 days) on average to patch them, while the average across the continent is 573.9 days.

Globally, organizations are performing better than their UK and European counterparts, with the average KEV being resolved within six months (around 180 days). Although KEVs are found in fewer UK environments than in the rest of Europe, the figures should still raise concerns for UK Chief Information Security Officers (CISOs). On average, 30% of UK organizations had detectable KEVs in 2023, compared to an average of 43% in the rest of Europe.

Derek Vadala, the Chief Risk Officer at Bitsight, emphasized the importance of organizations being swift in mitigating vulnerabilities. He stated, “Most organizations are still too slow to mitigate. The situation creates significant risk. It speaks to the need for business leaders on the board and in the C-suite to recognize these vulnerabilities as the serious threats they are, and demand a security posture that prioritizes deep insight and swift action. From there, organizations have an opportunity to grow.”

In conclusion, the report sheds light on the remediation challenges faced by UK organizations compared to their European counterparts regarding software vulnerabilities from the KEV catalog. With the growing sophistication of cyber threats, it is essential for organizations to prioritize swift action in addressing these vulnerabilities to enhance their overall security posture.
