UK organizations are trailing their European counterparts on time to remediate software flaws in the US Known Exploited Vulnerability (KEV) catalog, according to a new report from Bitsight.
The security vendor reviewed the security posture of 1.4 million entities, excluding cloud and other service providers, to compile its report, A Global View of the CISA KEV Catalog: Prevalence and Remediation.
KEV is an initiative from the US Cybersecurity and Infrastructure Security Agency (CISA) designed to document security vulnerabilities that have been successfully exploited, and those associated with ransomware campaigns.
Federal agencies are given a mandatory deadline by which to patch the bugs listed in the KEV catalog, although all organizations are urged to do the same as a matter of best practice.
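The remediation figures in the report are measured in days between exposure and fix, and the KEV deadline that binds federal agencies is the `dueDate` field of each catalog entry. The script below, added here as an illustration and not part of the Bitsight report or the CISA feed, shows how a defender can derive both numbers from their own findings: it takes a catalog excerpt shaped like CISA's published JSON (field names are the real ones; the CVE ids, vendor names and dates are constructed placeholders), joins it with constructed scanner findings, and reports mean days-to-remediate for KEV versus non-KEV exposures plus every finding that missed or is still past its CISA due date, ransomware-linked entries first.

```python
"""Measure KEV remediation time and flag missed CISA deadlines.

The catalog excerpt and the findings are constructed sample data. Field
names mirror CISA's known_exploited_vulnerabilities.json feed; the CVE ids
are placeholders, not real catalog entries.
"""
from datetime import date
from statistics import mean

# Constructed excerpt in the shape of the CISA KEV JSON feed.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "ExampleVPN", "dateAdded": "2023-01-10",
         "dueDate": "2023-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
         "product": "ExampleMail", "dateAdded": "2023-03-05",
         "dueDate": "2023-03-26", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed scanner findings: when each exposed CVE was first seen on an
# asset and when (if ever) the fix was confirmed. CVE-0000-00099 is not in
# the catalog and stands in for an ordinary, non-KEV vulnerability.
FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-00001", "first_seen": "2023-01-12", "fixed": "2023-02-02"},
    {"asset": "mail-01", "cve": "CVE-0000-00002", "first_seen": "2023-03-06", "fixed": "2023-10-01"},
    {"asset": "mail-02", "cve": "CVE-0000-00002", "first_seen": "2023-03-06", "fixed": None},
    {"asset": "web-01", "cve": "CVE-0000-00099", "first_seen": "2023-04-01", "fixed": "2023-05-01"},
]

# Reporting date used to age findings that are still open (constructed).
REPORT_DATE = date(2023, 12, 31)


def kev_index(catalog):
    """Map cveID -> catalog entry for quick membership checks."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def remediation_days(findings, catalog, as_of):
    """Days each finding stayed open, split into KEV and non-KEV buckets.

    Findings without a fix date are counted as open up to `as_of`, so the
    metric does not flatter an organization that never patches.
    """
    kev = kev_index(catalog)
    buckets = {"kev": [], "non_kev": []}
    for f in findings:
        start = date.fromisoformat(f["first_seen"])
        end = date.fromisoformat(f["fixed"]) if f["fixed"] else as_of
        buckets["kev" if f["cve"] in kev else "non_kev"].append((end - start).days)
    return buckets


def mean_days(findings, catalog, as_of):
    """Mean time to remediate per bucket, rounded to one decimal like the report."""
    buckets = remediation_days(findings, catalog, as_of)
    return {k: (round(mean(v), 1) if v else None) for k, v in buckets.items()}


def missed_deadline(findings, catalog, as_of):
    """KEV findings fixed after CISA's dueDate, or still open past it.

    Ransomware-linked entries sort first, then by how late the fix is.
    """
    kev = kev_index(catalog)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # non-KEV finding: no CISA deadline applies
        due = date.fromisoformat(entry["dueDate"])
        closed = date.fromisoformat(f["fixed"]) if f["fixed"] else as_of
        if closed > due:
            rows.append({
                "asset": f["asset"],
                "cve": f["cve"],
                "days_late": (closed - due).days,
                "still_open": f["fixed"] is None,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    rows.sort(key=lambda r: (not r["ransomware"], -r["days_late"]))
    return rows


if __name__ == "__main__":
    print("mean days to remediate:", mean_days(FINDINGS, KEV_CATALOG, REPORT_DATE))
    for row in missed_deadline(FINDINGS, KEV_CATALOG, REPORT_DATE):
        print(row)
```

With the sample data the KEV bucket averages 176.7 days because the still-open finding on `mail-02` is aged to the report date rather than ignored; dropping open findings from the average is the usual way such dashboards understate exposure. Swapping `KEV_CATALOG` for the downloaded CISA feed and `FINDINGS` for scanner output is the only change needed to run it against a real estate.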
However, the Bitsight report revealed that UK organizations take on average 225.4 days to remediate KEVs – longer than the 220.6 days it takes European entities.
By contrast, in Germany, organizations take only 21.7 days to remediate KEV CVEs – the fastest in Europe and among the best performers globally.
For non-KEV vulnerabilities the figures are even worse across the UK and Europe. In the former, organizations take over two years (736.6 days) to patch, while across the continent, the figure is 573.9 days.
Globally, organizations are also doing better than in the UK and Europe – the average KEV is resolved within six months (around 180 days).
The figures should be a concern for UK CISOs, despite the fact that Bitsight found fewer KEVs in their environments than across the continent. On average, 30% of UK organizations had detectable KEVs in 2023, versus an average of 43% in the rest of Europe.
“Most organizations are still too slow to mitigate,” argued Derek Vadala, chief risk officer at Bitsight.
“The situation creates significant risk. It speaks to the need for business leaders on the board and in the C-suite to recognize these vulnerabilities as the serious threats they are, and demand a security posture that prioritizes deep insight and swift action. From there, organizations have an opportunity to grow.”