Effectively mitigating business risks while the evolution of threats blindfolds traditional defenses
June 2011, by Secunia
As security threats increase and regulatory requirements grow more complex, businesses are recognizing that compliance and security are business-critical priorities. However, recent industry studies have concluded that investment in compliance does not necessarily reduce risk. Secunia has completed research into what prevents IT security, risk management, and compliance from working together.
Key findings from the research:
· Research reveals that an 80% risk reduction can be achieved by identifying and patching either the 12 most risky programs or the 37 most prevalent programs.
· 0-days are potentially paralyzing external forces that are difficult to control. By contrast, organizations hold firmly in their own hands the power to patch 65% of vulnerabilities on the day of disclosure.
· It is not the amount invested in IT security that is of importance for achieving optimal risk reduction - it is the type of technology and its capabilities that matter. A comparison of two patching strategies shows that knowing what to patch pays off.
· An analysis of different patching strategies under the assumption of limited resources, which challenges the common trade-off between the risk of patching and the risk of testing.
· Understanding the risk of a failed patch vs. the cost of extensive testing.
· How cybercriminals have refined the malware manufacturing and development process to systematically bypass traditional defenses, thereby initiating an arms race with defenders.
· Patching as a primary security measure, as it eliminates the root cause of compromise.
· Compliance does not imply security.
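As an added illustration of the limited-resources argument in the findings above (example code, not from the Secunia report): a toy model that ranks a constructed software inventory by prevalence alone versus by modelled risk, and reports how much of the total risk a fixed patching budget removes. The inventory, prevalence figures, vulnerability counts, criticality weights and the risk formula are all constructed assumptions, not figures from the research.

```python
# Added example (not from the Secunia report): compare two patch-prioritisation
# strategies under a fixed patching budget. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    name: str
    prevalence: float       # fraction of hosts running it (constructed)
    unpatched_vulns: int    # open vulnerabilities (constructed)
    weight: float           # criticality multiplier (constructed)

    @property
    def risk(self) -> float:
        # Assumed exposure model: hosts affected x open vulns x criticality.
        return self.prevalence * self.unpatched_vulns * self.weight


# Constructed inventory of eight programs.
INVENTORY = [
    Program("office-suite", 0.95, 2, 1.0),
    Program("pdf-reader", 0.90, 14, 2.0),
    Program("browser", 0.98, 20, 2.0),
    Program("media-player", 0.70, 9, 1.5),
    Program("java-runtime", 0.60, 18, 2.0),
    Program("chat-client", 0.40, 1, 1.0),
    Program("archiver", 0.85, 1, 1.0),
    Program("vpn-client", 0.50, 3, 1.0),
]


def risk_covered(inventory, order_key, budget: int) -> float:
    """Share of total modelled risk removed by patching the top-`budget`
    programs when they are ranked by `order_key` (highest first)."""
    total = sum(p.risk for p in inventory)
    chosen = sorted(inventory, key=order_key, reverse=True)[:budget]
    return sum(p.risk for p in chosen) / total


def compare_strategies(inventory, budget: int) -> dict:
    """Strategy A ranks by prevalence only (what an inventory alone shows);
    strategy B ranks by modelled risk (knowing what to patch)."""
    return {
        "by_prevalence": risk_covered(inventory, lambda p: p.prevalence, budget),
        "by_risk": risk_covered(inventory, lambda p: p.risk, budget),
    }


if __name__ == "__main__":
    for budget in (2, 3, 4):
        print(budget, compare_strategies(INVENTORY, budget))
```

With a budget of three programs, ranking by modelled risk covers about 86% of the constructed total while ranking by prevalence covers about 66%; the numbers are illustrative of the argument, not of the report's measurements.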