Common vulnerabilities and exposures (CVEs) have been rising for the past few years, and they show no sign of stopping. New vulnerabilities are added to the National Vulnerability Database at an alarming rate — and the incredible volume makes tracking them increasingly difficult.
In 2000, there were only about 1,000 disclosed vulnerabilities. With this lower volume, security teams could review and remediate them efficiently: The systems were less complex and more easily siloed, and the sheer number was lower than today. Now, the number of disclosed vulnerabilities has exploded to over 23,000 in 2022 — a 2,200% increase in 22 years. And based on our Seasonal ARIMA model that builds on 10 years of data, Coalition anticipates more than 1,900 new CVEs per month in 2023, including 270 high-severity and 155 critical-severity CVEs.
For CISOs everywhere, this massive amount of information can be daunting since good cybersecurity hygiene is necessary for an organization to survive. However, not all CVEs are even exploitable, and there are varying degrees of difficulty in creating exploits for CVEs.
The situation can be even more overwhelming for industries with different technical and digital requirements, in which cyber may not be a focus area. Further, these security flaws also do not impact every industry in the same way. For example, a vulnerability may need to be prioritized differently for the consumer sector versus the healthcare or real estate sectors.
Below we’ll dive into findings from Coalition’s Cyber Threat Index 2023, which examines how today’s security vulnerabilities impact various industries. The analysis stems from aggregations created entirely from underwriting scans run on these companies during the insurance quoting process.
Healthcare and Real Estate CVEs Tend to Be Less Serious
The healthcare sector is particularly vulnerable to cyberattacks, given the volume of personally identifiable information (PII) that ransomware attackers can exploit if they get into the network. The real estate industry is also a premium target because of the sensitive renter and owner application data managed.
Both have become appealing targets with digitization. Hospitals were forced to move to virtual doctor’s appointments during the pandemic. Real estate has experienced the rise of smart buildings that use Internet of Things (IoT) devices to analyze building data and improve operations. Both these digital evolutions have expanded the attack surface into the cloud.
But while healthcare and real estate tend to have more security vulnerabilities or issues detected per asset or technology services, we found that they are often targeted with less harmful CVEs. (A silver lining!)
Healthcare also has one of the lowest numbers of distinct breaches on average, demonstrating the smaller impact of these less harmful CVEs.
This lower level of exploitation may be because real estate and healthcare tend to use less technology on average. And when they do use it, they usually opt for more reliable and stable tech stacks compared to other industries, reducing their overall attack surface.
Just because healthcare and real estate have less-serious CVEs doesn’t mean organizations shouldn’t be patching. But it does point toward the need to take a more holistic view of gaps in their security posture to better understand which vulnerabilities are most important to prioritize and how vulnerabilities may affect them differently.
Consumer Services and Technology at Higher Risk
Unlike healthcare and real estate, technology and consumer services have complex, digitally oriented tech stacks. The technology industry uses the largest number of disparate technologies, such as developer favorites jQuery, Microsoft IIS, NGINX, and Cloudflare. The increase in cloud-hosted technologies expands the technology industry’s attack surface.
The saving grace for the technology sector may be that it is more acutely aware of security and, thus, more likely to patch issues quickly. This is likely why the technology sector has the lowest rate of distinct data leaks per company at 5.59 average breaches in 2022.
According to our analysis, the consumer services industry stores the highest percentage of assets in the cloud. This is surprising because the industry processes and stores customers’ PII. Storing PII in the cloud is a significant security risk because, if not done correctly, it can be exposed for anyone to view and download. Consumer services need to be on guard against vulnerabilities in the cloud and increase awareness around how a threat actor might exploit data stored in the cloud.
When you look at the CVEs impacting each industry, the consumer services and technology sectors have the highest average severity of the industries we analyzed during 2022. Over the last year, the consumer services sector had an average CVE criticality of 9.36 out of 10, and technology had an average of 9.29 out of 10. (Real estate had a much lower score of 7.78 out of 10, for context). This higher severity means that the CVEs impacting these two sectors have much more significant impacts and have the potential to cause the most damage.
Respond to Threats Accordingly
Understanding how security vulnerabilities impact these different industries can help cybersecurity vendors, including cyber insurers, make smarter decisions when assessing risk. It also helps companies improve their security posture by patching issues and flaws according to their particular risk. Organizations should look beyond the criticality of a vulnerability. Security teams also need to consider the context in which the vulnerability exists, the type of asset it exists on, and the types of losses that could result.
This difference in the breakdown of average attacks, severity, and attack surface size all dictate how organizations in different industries need to prioritize vulnerabilities differently. Consequently, it shows how they need to allocate technology defenses and human resources, too.