Slashdot Mirror

← Back to Stories (view on slashdot.org)

26% of Companies Ignore Security Bugs Because They Don't Have the Time to Fix Them (bleepingcomputer.com)

Posted by msmash on from the different-priorities dept.

Catalin Cimpanu, writing for BleepingComputer: A survey compiled last month at the RSA security conference reveals that most companies are still behind with proper security practices, and some of them even intentionally ignore security flaws for various reasons ranging from lack of time to lack of know-how. The survey, which compiled answers from 155 security professionals from the companies present at the RSA conference, revealed that only 47% of organizations patch vulnerabilities as soon as they are known. Most worrisome is that some companies wait quite some time before applying patches, exposing their IT infrastructure to attacks. More precisely, 16% wait for one month, while 8% said they only apply patches once or twice a year.

1 of 90 comments (clear)

  1. Re:It's not time, it's money... by Sumus+Semper+Una · · Score: 4, Interesting

    Honest question though: What IS the cost? Equifax suffered a breach of pretty much the most sensitive possible data you can have leaked, and if this article is correct, the total cost is approaching about $500 million. Had there been no data breach or had the data breach never been made public or had there been no political will to prosecute the company then the cost would have been practically nothing.

    Imagine a sort of reverse lottery. If you don't buy a ticket, there is a small chance (and nobody can tell you the exact likelihood) that your reputation will be publicly tarnished and you will be fined millions of dollars. If you buy a ticket, your chance drops drastically (but is never really zero). But the ticket costs thousands of dollars. Would you buy the ticket? What if the ticket is tens of thousands of dollars? What if it's hundreds of thousands of dollars? Is there a point where you will simply refuse to buy the ticket and accept the risk?

    I'm not saying these companies are making the right choice. I'm saying that from a purely practical standpoint I understand why someone might make the choice not to invest heavily into fixing security bugs. It's not the same choice I would make, but I seem to be more risk-averse than the average person judging by the choices I have seen people around me make. Still, if you don't understand why someone would make a decision, how do you ever expect to convince them to make a different decision?