Slashdot Mirror


26% of Companies Ignore Security Bugs Because They Don't Have the Time to Fix Them (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: A survey compiled last month at the RSA security conference reveals that most companies are still behind with proper security practices, and some of them even intentionally ignore security flaws for various reasons ranging from lack of time to lack of know-how. The survey, which compiled answers from 155 security professionals from the companies present at the RSA conference, revealed that only 47% of organizations patch vulnerabilities as soon as they are known. Most worrisome is that some companies wait quite some time before applying patches, exposing their IT infrastructure to attacks. More precisely, 16% wait for one month, while 8% said they only apply patches once or twice a year.

4 of 90 comments

  1. It's not time, it's money... by TFlan91 · · Score: 4, Insightful

    It's not that I don't have enough time, I do.

    It's that the powers that be only want to spend time on something if a client pays for it.

    1. Re:It's not time, it's money... by v1 · · Score: 4, Insightful

      well, it IS time. but time IS money. so, yeah, kinda.

      Pinheads that only know how to count beans and don't understand the problem are asking each other "Is it important? How much does it cost? What's the return on investment?"

      They don't see the risk or the cost of losing on the risk. They only see the cost of the fix, and that looks like a very poor ROI, and it gets shot down, or continuously delayed.

      --
      I work for the Department of Redundancy Department.
    2. Re:It's not time, it's money... by Sumus+Semper+Una · · Score: 4, Interesting

      Honest question though: What IS the cost? Equifax suffered a breach of pretty much the most sensitive possible data you can have leaked, and if this article is correct, the total cost is approaching about $500 million. Had there been no data breach or had the data breach never been made public or had there been no political will to prosecute the company then the cost would have been practically nothing.

      Imagine a sort of reverse lottery. If you don't buy a ticket, there is a small chance (and nobody can tell you the exact likelihood) that your reputation will be publicly tarnished and you will be fined millions of dollars. If you buy a ticket, your chance drops drastically (but is never really zero). But the ticket costs thousands of dollars. Would you buy the ticket? What if the ticket is tens of thousands of dollars? What if it's hundreds of thousands of dollars? Is there a point where you will simply refuse to buy the ticket and accept the risk?

      I'm not saying these companies are making the right choice. I'm saying that from a purely practical standpoint I understand why someone might make the choice not to invest heavily into fixing security bugs. It's not the same choice I would make, but I seem to be more risk-averse than the average person judging by the choices I have seen people around me make. Still, if you don't understand why someone would make a decision, how do you ever expect to convince them to make a different decision?

  2. In related news by rsilvergun · · Score: 5, Informative

    74% of companies lie on surveys.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/