Slashdot Mirror


26% of Companies Ignore Security Bugs Because They Don't Have the Time to Fix Them (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: A survey compiled last month at the RSA security conference reveals that most companies are still behind with proper security practices, and some of them even intentionally ignore security flaws for various reasons ranging from lack of time to lack of know-how. The survey, which compiled answers from 155 security professionals from the companies present at the RSA conference, revealed that only 47% of organizations patch vulnerabilities as soon as they are known. Most worrisome is that some companies wait quite some time before applying patches, exposing their IT infrastructure to attacks. More precisely, 16% wait for one month, while 8% said they only apply patches once or twice a year.

4 of 90 comments

  1. It's not time, it's money... by TFlan91 · Score: 4, Insightful

    It's not that I don't have enough time, I do.

    It's that the powers that be only want to spend time on something if a client pays for it.

    1. Re:It's not time, it's money... by v1 · Score: 4, Insightful

      Well, it IS time. But time IS money. So, yeah, kinda.

      Pinheads that only know how to count beans and don't understand the problem are asking each other "Is it important? How much does it cost? What's the return on investment?"

      They don't see the risk or the cost of losing on the risk. They only see the cost of the fix, and that looks like a very poor ROI, and it gets shot down, or continuously delayed.

      --
      I work for the Department of Redundancy Department.
  2. Re:Then 26% should be sued by Anonymous Coward · Score: 3, Insightful

    Were it only so simple, but a few things tend to push security down the priority list.

    1) Lack of perceived value. If it takes company A 100 man hours to implement a product with proper security, and company B 80 man hours to do the same thing but with poorer security practices, then most clients and consumers will choose company B (assuming no other factors at play) because of the reduced cost and the fact that good secure implementations are not easy to ascertain at a glance.

    2) Lack of perceived consequences for poor security. Equifax has had one of the biggest breaches of personal information in the US. Its stock price hasn't recovered back to its previous highs, but it's slowly and steadily coming back up (and to be fair, it was overvalued in the first place). To most people that just means that the cost of having a big breach isn't that big a deal.

    3) The traditional fight between convenience and security. Convenient things make good first impressions, and good first impressions tend to make sales.

    There are some other factors, but I think those three points tend to broadly cover most of the reasons why security isn't prioritized. I wish it wasn't so, but that's the reality that we have to deal with.

  3. no consequences by Anonymous Coward · Score: 3, Insightful

    It's because of the lack of consequences, not because of time... they would take the time to fix the issues if there were appropriate consequences if they don't.