Software has vulnerabilities that provide hackers with the opportunity to steal data, install ransomware or sabotage your business. Criminal organizations and intelligence services are willing to pay a lot of money for vulnerabilities that (almost) no one knows about. Big bucks (or rather, cryptos) are paid for these zero-days on the so-called dark web, because they give the buyer an open backdoor that is theirs alone.
Usually a user or an ethical hacker runs into a weakness; otherwise the vendor’s software testers or the open-source community would’ve already found it. Such a weakness can be reported to the makers of the software. This is called a “Responsible Disclosure”. Some vendors offer a so-called bug bounty of sometimes tens of thousands of dollars, others an ugly t-shirt.
It is the responsibility of the makers of the software to quickly fix the vulnerability with a software update, or patch. Some of the vulnerabilities are indicated by NIST with a Common Vulnerabilities and Exposures (CVE) code on the day the patch becomes known. For serious vulnerabilities (Citrix, Log4j, Kaseya), the mainstream media are all over it and the national NCSCs issue warnings and advisories.
Apparently we have an (international) system for detecting and fixing vulnerabilities. But take a look at the following statistics:
On average, it takes 60-150 days for a found vulnerability to be patched.
Vulnerabilities that are public are typically exploited after only five minutes.
42 percent of all successful hacks occurred after a patch had already been released.
Organizations take an average of 58 days to install an effective remedy for a known vulnerability.
Unimpeded exploration and compromise of the infrastructure
Even in the most optimistic case, there is a good chance that your organization has been exposed for many months to vulnerabilities that can do great damage, without your knowledge. And in most IT infrastructures a malicious party often needs to get hold of only one system to continue exploring and compromising the infrastructure unhindered.
Of course, timely patching of software is critical, but when your cyber strategy rests solely on that approach, then you are building on quicksand. The relentless arms race with hackers calls for a resilient, preventative strategy that assumes vulnerabilities will be exploited on your end as well.
That strategy is called Zero Trust, and ON2IT has a global reputation as a Zero Trust leader.