81 percent of large German companies have deficits in dealing with vulnerabilities
The regularity and depth of vulnerability scans are of crucial importance to vulnerability management. But it is precisely here that German companies show fundamental deficiencies that can lead to serious consequences. Regularly examining one's own IT infrastructure for vulnerabilities is one of the core aspects of minimizing security risks through a forward-looking strategy. In 45 percent of the companies surveyed, the IT infrastructure is scanned for security gaps using a software solution on a daily basis, and in more than one in three on a weekly basis. By contrast, one in five German companies carries out such a scan only once a month (10 percent) or irregularly and without a fixed routine (11 percent).
The frequency of security scans varies greatly with company size: the larger the company, the more frequently scans are performed. In mature and complex IT infrastructures in particular, routine and continuous vulnerability scans must be part of the IT security concept; otherwise companies run the risk of falling victim to cybercriminals. In cooperation with ManageEngine, the research and analyst firm Techconsult investigated how vulnerability management is structured in German companies and what role software solutions play in this context. For this purpose, 150 IT managers from companies with at least 2000 employees were surveyed for the now published study "Efficient vulnerability management in dynamic IT infrastructures: How German companies deal with IT security risks".
Optimized closure of critical gaps can be achieved not least with the help of a holistic software solution. However, only one in three companies surveyed (33 percent) uses a holistic solution for scanning, assessing and remediating vulnerabilities.
In contrast, 38 percent of organizations use two separate applications for assessment and remediation, which can lead to a more cumbersome and longer remediation process. The longer a vulnerability remains open, the greater the risk of attack, because cybercriminals seek out precisely these "open gates". One in ten companies (11 percent), meanwhile, appears to be at a permanently high risk: these companies forgo supporting software solutions entirely and rely on manual vulnerability assessment and remediation alone, which leads not only to a disproportionately high burden on IT security managers but also to more security breaches. How strongly these two effects play out depends directly on the complexity of the IT infrastructure in question.
To reduce the extent of potential damage, the companies surveyed prioritize identified vulnerabilities above all according to damage potential (54 percent) and exploitability (47 percent), since highly critical vulnerabilities that are easy to exploit and cause major damage should be closed immediately and with the highest priority. In addition, severity and vulnerability (45 percent) and the number of affected systems (43 percent) are often used for prioritization. As part of a forward-looking security strategy, vulnerabilities should be assessed with software support in order to prioritize them reliably and thereby minimize risk.