The finance, healthcare, and IT sectors are among the most vulnerable to cyber attacks, new research reveals, with thousands of critical security flaws identified across all three industries.
Research from software firm Black Duck analyzed data from over 200,000 dynamic application security testing (DAST) scans on around 1,300 apps across 19 industries between June 2o23 and June 2024.
Black Duck’s report identified 96,917 vulnerabilities in total, and 30,726 of these were listed as cryptographic failures that could be exploited to expose sensitive data.
The report found that 86% of the companies included in Black Duck’s analysis were affected by this class of security flaw.
The study added that organizations should “implement strong encryption practices, use up-to-date security protocols, and ensure that sensitive data is properly protected both when it’s being transmitted and when it’s stored.”
Examining the financial services sector specifically, Black Duck found nearly 1,300 critical vulnerabilities companies in this space, making it the most at-risk industry.
Healthcare and social assistance organizations were close behind, with scan data revealing 992 critical flaws, as well as 446 critical weaknesses in the information services sector.
Delving deeper, Black Duck said the prevalence of vulnerabilities in applications across these areas varied widely in terms of sophistication. The firm’s analysts used a metric dubbed ‘site complexity’, which is based on the number and sophistication of interactions performed during the scanning process.
“This metric is based on the number and sophistication of interactions performed during the scanning process. Applications with less complexity may have minimal interactivity and a simple crawl tree—that is, an application with a straightforward structure of URLs. Higher-complexity applications may have many interactive elements and dynamically generated content,” Black Duck explained.
The finance industry had the most vulnerabilities in each of the three categories for site complexity, with 565 critical flaws in smaller complexity web assets, 580 in medium sites, and 154 in large sites.
Healthcare businesses were not far behind, however, the report noted, finding 367 critical issues in smaller sites, 486 in medium sites, and 139 in larger sites.
Utility sector lagging behind industry on vulnerability remediation times
Black Duck also looked at the average vulnerability time-to-close, which is the time it takes for an organization to close or eliminate a security vulnerability once it has been discovered.
The study found the utilities sector was the worst performer when it came to dealing with security flaws, with an average of 876 days to close critical vulnerabilities in medium sites.
Smaller sites took less time with an average time of 107 days, whereas the largest sites were able to remediate critical security weaknesses within larger web assets within one day.
Black Duck speculated the poor performance of the sector could be down to limited cybersecurity resources and budget constraints affecting utility organizations.
Education was another sector that lagged behind in terms of speed to address vulnerabilities in their applications, with an average time to close of 342, 111, and 1 day(s) for small, medium, and large sites respectively.
Healthcare organizations on the other hand were far quicker to act on security issues, the report noted, with an average of 87 days to close critical security vulnerabilities for small sites, 30 days for medium sites, and 20 days for large sites.
The report added that this could be down to the sector being heavily regulated, with periods of extended downtime incurring significant impacts on patients, which drives the imperative for prompt vulnerability remediation.
“Sectors with significant regulatory pressures and sensitive data tend to act swiftly to mitigate vulnerabilities, reflecting their proactive stance.”
It compared this to sectors without similar pressures that also suffer from budget limitations.
“On the other hand, sectors with limited resources and budget constraints face longer exposure times, underscoring the need for tailored cybersecurity strategies and increased investment in under-resourced industries.”
