Critical vulnerabilities are not a priority: IT specialists miss the main thing in the fight against cyber threats

Father

Who are they – the real enemies of modern companies?

The conclusions of the new report "Navigating the Paths of Risk: The State of Exposure Management in 2024" by XM Cyber show that cybersecurity specialists spend too much effort on fixing critical vulnerabilities while ignoring other, even more dangerous threats. The report is based on hundreds of thousands of attack-path assessments conducted by the XM Cyber platform in 2023. The research identified more than 40 million security issues affecting many critical business assets.

The results showed that the most dangerous vulnerabilities, those that allow remote code execution, account for less than 1% of a typical company's exposure. Even if we count all critical vulnerabilities that could lead to the compromise of particularly important assets, they account for only 11% of the total risk.

So where are the main threats really concentrated?

Identity and account management errors represent an astounding 80% of all security exposures in organizations, and a third of these directly expose critical assets to compromise: a huge gap that attackers are actively exploiting.

So while fixing vulnerabilities is important, it is not enough. More common exposures, such as attackers planting malicious code in shared folders and the same credentials being reused on multiple devices, open up much wider access to critical infrastructure (24%).

Traditionally, experts try to fix every vulnerability, but the report also found that 74% of the detected issues do not actually threaten security and do not allow attackers to move further. These issues are dead ends, which lets teams focus on the problems that really matter.

Among the remaining 26% of exposures that are potentially dangerous, XM Cyber identified key nodes where many attack paths converge on important systems. These are called "critical points". Such nodes make up only 2% of the total number of exposures, which allows teams to focus on a small number of the riskiest issues and close them first. According to the report, 20% of critical points endanger 10% or more of a company's valuable assets. Identifying and closing these gaps is therefore the most effective way to reduce risk.
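The two ideas above, separating dead-end findings from findings that actually sit on a path to a critical asset and then ranking the nodes where those paths converge, can be reproduced on any attack graph. The following is an added example, not code from the report or from XM Cyber's platform: it builds a small graph from constructed findings (hosts, accounts and shares are all assumed names), flags each finding as on-path or dead-end, and scores every intermediate node by the share of critical assets that become unreachable when that node is removed.

```python
from collections import defaultdict

# Constructed sample findings (assumed, not taken from the report). Each is one
# step an attacker could take, as (source, target, issue description).
FINDINGS = [
    ("internet", "web01", "RCE in exposed web application"),
    ("web01", "svc_web", "plaintext service credentials in config file"),
    ("svc_web", "app01", "svc_web is local admin on app01"),
    ("app01", "da_backup", "cached domain admin credentials on app01"),
    ("da_backup", "dc01", "domain admin can log on to dc01"),
    ("da_backup", "fileserver", "domain admin can log on to fileserver"),
    ("web01", "share_scripts", "writable logon-script share"),
    ("share_scripts", "wks_all", "logon script executed on all workstations"),
    ("wks_all", "da_backup", "same local admin password reused on workstations"),
    ("lab01", "lab02", "lab02 trusts lab01 via SSH key"),        # isolated
    ("print01", "print02", "default SNMP community string"),     # isolated
]
ENTRY_POINTS = {"internet"}                # where an attacker starts
CRITICAL_ASSETS = {"dc01", "fileserver"}  # the assets we care about


def build_graph(findings):
    """Forward and reverse adjacency sets built from the findings."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, dst, _ in findings:
        fwd[src].add(dst)
        rev[dst].add(src)
    return fwd, rev


def reachable(adj, starts, blocked=frozenset()):
    """Nodes reachable from `starts` without passing through `blocked`."""
    seen, stack = set(), [s for s in starts if s not in blocked]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(n for n in adj.get(node, ()) if n not in blocked and n not in seen)
    return seen


def classify_findings(findings, entry_points, critical_assets):
    """Split findings into on-path (lie on some entry->critical path) and dead-end."""
    fwd, rev = build_graph(findings)
    from_entry = reachable(fwd, entry_points)       # attacker can get here
    to_critical = reachable(rev, critical_assets)   # from here a critical asset is reachable
    on_path, dead_end = [], []
    for finding in findings:
        src, dst, _ = finding
        if src in from_entry and dst in to_critical:
            on_path.append(finding)
        else:
            dead_end.append(finding)
    return on_path, dead_end


def choke_points(findings, entry_points, critical_assets):
    """Rank intermediate nodes by the fraction of critical assets cut off when the node is removed."""
    fwd, _ = build_graph(findings)
    nodes = set(fwd) | {d for targets in fwd.values() for d in targets}
    baseline = reachable(fwd, entry_points) & critical_assets
    scores = {}
    for node in nodes - entry_points - critical_assets:
        still = reachable(fwd, entry_points, blocked={node}) & critical_assets
        cut = baseline - still
        if cut:
            scores[node] = len(cut) / len(critical_assets)
    # highest impact first, then alphabetical for a stable order
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    on_path, dead_end = classify_findings(FINDINGS, ENTRY_POINTS, CRITICAL_ASSETS)
    print(f"{len(dead_end)} of {len(FINDINGS)} findings are dead ends and can wait")
    for node, share in choke_points(FINDINGS, ENTRY_POINTS, CRITICAL_ASSETS):
        print(f"critical point {node}: fixing it cuts paths to {share:.0%} of critical assets")
```

On the constructed data the two isolated findings are dead ends, and only two of the ten intermediate nodes are critical points: the internet-facing web server and the reused domain admin account, each of which cuts every path to both critical assets. The individual host and share findings in between are redundant with one another, which is exactly why fixing them one by one yields little.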

Cybersecurity departments in large companies are usually divided into groups responsible for different systems. This helps with thorough audits of each system, but unfortunately the separation can cause the overall picture of attack paths to be lost.

The report also analyzes differences in cybersecurity threats across industries. In areas with a large number of components (potential attack points), the total number of vulnerabilities is higher. For example, there are 5 times more threats in healthcare than in the energy and housing sectors.

However, the key risk metric is the percentage of exposures that threaten the main production systems. Here the picture changes: for transport and energy, this share is much higher, even though the total number of exposures is lower.

The bottom line is that different industries need different approaches to cybersecurity. Financial institutions have more digital assets, but a smaller percentage of critical vulnerabilities compared to the energy sector.

Understanding industry-specific risks is critical to an effective cybersecurity strategy.