October 6, 2015 By Douglas Bonderud 2 min read

Every organization considers itself unique. In many respects, the notion is accurate: Companies each have specialized corporate cultures, best practices and mission statements that they hope sets them apart from the competition. When it comes to IT vulnerabilities, however, a new study from NCC Group found that businesses have more in common than they realize — and this shared experience may pave the way for better cybersecurity.

Common Ground With Vulnerabilities

SecurityWeek has details on the upcoming study, which ran a commercial-grade scanning product across the networks of 100 organizations from a variety of industry verticals, covering everything from charity organizations to energy companies and financial institutions. Completed over 15 months from February 2014 to May 2015, the study produced 908,000 security issues. The most common “were related to Web application security, particularly flaws affecting the Web server or language in which the Web application was written.”

There were outliers: In the transport industry, for example, server and language issues were by the far the most prevalent type of failure points. Meanwhile, health care stood out as one of the quickest industries to respond once flaws were identified. In most cases, health care vulnerabilities were resolved in less than 10 weeks.

Other findings of note include numerous network issues related to cryptography, such as SSH, SSL and PKI, along with a failure by many companies to meet both internal and third-party best practice guidelines for securing Web apps. It’s also worth noting that while Linux-based bugs were typically fixed in 20 weeks or less, just 75 percent of those found in Microsoft systems were patched during the same period, and 10 percent of all Microsoft problems were still unresolved after a year.

The most interesting findings in the report, however, relate to speed and specificity. In cases where environment-specific solutions are necessary to solve problems, such as shutting down critical services to apply updates or changing default configurations, companies tend to drag their heels. And when it comes to speed, companies are eager to fix issues when they’re first identified: The report found that more than half of all vulnerabilities were patched in the first 10 to 20 weeks. After that, however, enthusiasm died down, and fixes were carried out only when time and money allowed.

Mobile devices and the emerging Internet of Things (IoT) also play a role in common cybersecurity. For example, many mobile apps carry similar flaws such as bypassing login prompts, letting users create weak passwords or not bothering to encrypt sensitive data. And when it comes to IoT devices, CRN noted that companies lack the tools necessary to secure this burgeoning ecosystem.

Doomed to Repeat?

So where does this common vulnerability report leave enterprises? Are they destined to make the same mistakes over and over, like a modern-day Sisyphus pushing out one security best practice after another, only to have them come tumbling back down and force a complete rework? Not exactly.

First, companies need to share what NCC Group has found to be commonplace: the insecurity of their Web apps. By combining forces, it’s possible to devise better defenses. Cybercriminals are willing to share their exploit tips and kits, and law-abiding companies need to do the same with threat intelligence sharing.

In addition, there’s a need for common ground — a way to build and scale up applications that is globally recognized, standardized and lowers the possibility of one-off attacks by malicious actors. Simply put, companies need to give up the idea that they’re unique when it comes to cybersecurity. In fact, similarity is a kind of strength: The experience of all used to the benefit of all.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today