Report uncovers cyber threats that matter most

Vulnerabilities identified amid rising risks and customer confidence issues

By Roxanne Libatique

A recent study by cybersecurity firm Tenable has found that only 3% of vulnerabilities within organisations present significant risks.

The report, “The Critical Few: How to Expose and Close the Threats that Matter,” seeks to provide businesses with strategies to enhance their cybersecurity efforts by focusing on the most critical threats.

Tenable’s research, which spanned two decades, analysed approximately 50 trillion data points related to over 240,000 vulnerabilities.

The company developed a methodology to identify vulnerabilities that pose significant exposure risks, concluding that just 3% of these vulnerabilities are most likely to be exploited.

Vulnerability Priority Rating

The study employed the Vulnerability Priority Rating (VPR) model, which rates vulnerabilities on a scale from 0.1 to 10, with higher scores indicating a greater likelihood of exploitation.

Vulnerabilities with a VPR score above 9.0 are deemed high-priority targets, likely to be exploited if exposed. Those with scores between 7.0 and 8.9 represent a moderate risk, while vulnerabilities with scores ranging from 0.1 to 6.9 are less likely to be exploited.

Cyber vulnerabilities

As of June 2024, the research reviewed around 240,000 vulnerabilities and found that approximately 3.1% – or fewer than 7,500 – were classified as “critical” or “high risk.”

The report suggested that by prioritising these high-risk vulnerabilities, organisations can more effectively bolster their cybersecurity defences.

Scott McKinnel, Tenable’s country manager for Australia and New Zealand (ANZ), highlighted the importance of proactive cybersecurity measures.

“As cyber threats continue to evolve, it is critical for ANZ organisations to adopt a proactive cyber strategy that identifies and mitigates vulnerabilities before they can be exploited,” he said, as reported by Security Brief.

He added that by prioritising the most critical threats, both public and private sector organisations can better protect their essential assets.

The report addressed the challenges cybersecurity teams face in managing large volumes of threat intelligence and vulnerability data. The VPR model is intended to guide organisations in making informed decisions on where to allocate resources to enhance their cybersecurity posture.

The report’s findings were released as organisations across Asia Pacific (APAC) seek to prioritise and refine their cybersecurity efforts in response to evolving threats and growing concerns about customer confidence.

Customer confidence regarding APAC organisations’ cybersecurity measures

A report by IT security firm LogRhythm revealed a gap between cybersecurity executives in the APAC region and their customers regarding the effectiveness of cybersecurity measures.

The report is based on a global survey of 1,176 cybersecurity professionals and executives, including participants from Singapore, Malaysia, Indonesia, Japan, India, Australia, and New Zealand.

The findings indicated that while 85% of APAC security executives rate their cybersecurity defences as good or excellent, 46% of companies have experienced issues related to customer confidence. In response, more than 90% of these companies have revised their cybersecurity strategies, with 72% reporting that customer confidence was negatively impacted within the past 18 months.

AI has been identified as a key factor driving these strategic changes, with 77% of respondents highlighting its role in threat management and the development of new security solutions. Other significant factors influencing these changes include compliance requirements (66%) and the emergence of new types of cyberattacks (58%).

The report also highlighted an increasing expectation for senior leaders to take on more responsibility for cybersecurity breaches. A notable 80% of respondents believe that cybersecurity leaders and CEOs should be primarily accountable for defending against and responding to cyber incidents.

Communication gaps between IT teams and non-security executives

Despite this increased responsibility, communication gaps between security teams and non-security executives persist.

While 90% of APAC cybersecurity teams believe they possess the necessary tools to effectively communicate security status to stakeholders, 59% report difficulties in explaining the importance of specific security measures to non-technical executives. Additionally, only 61% of non-security executives fully understand their company’s regulatory obligations.

These challenges are consistent with broader issues identified by other studies, including internal communication failures that impact the ability of Australian companies to defend against cyber threats effectively.

APAC organisations increased cybersecurity budgets

In response to the evolving cyber threat landscape, APAC organisations have seen increases in their cybersecurity budgets.

The report indicated that 84% of APAC respondents noted an increase in their company’s cybersecurity budget, exceeding the global average of 76%.

However, many security teams continue to struggle with demonstrating the impact of these investments, with reports focusing more on critical incidents and security risks than on operational metrics such as response and recovery times.
