Tenable finds only 3% of vulnerabilities pose significant risks

New research from Tenable has revealed that only 3% of vulnerabilities within organisations pose significant cybersecurity risks. The findings are part of a report titled “The Critical Few: How to Expose and Close the Threats that Matter,” which aims to help businesses focus their cybersecurity efforts more effectively.

Over a span of two decades, Tenable has collected and analysed approximately 50 trillion data points related to more than 240,000 vulnerabilities. The company developed a methodology to identify which of these vulnerabilities could result in significant exposure risks, discovering that a mere 3% frequently pose such dangers. The research utilised the Vulnerability Priority Rating (VPR) model, designed to reflect the current threat landscape. The VPR values range from 0.1 to 10, with higher values indicating a greater likelihood of exploitation.

Vulnerabilities with a VPR above 9.0 are likely to be exploited if exposed, categorising them as high-priority targets. Those with VPRs between 7.0 and 8.9 present a moderate risk, while vulnerabilities in the medium and low categories (0.1 to 6.9) are less likely to be exploited. The study reviewed around 240,000 vulnerabilities as of June 2024 and found that only 3.1%—fewer than 7,500—were classified as Critical or High. This analysis led to the conclusion that focusing on a smaller number of key vulnerabilities can significantly enhance an organisation's security posture.

Scott McKinnel, Country Manager for Australia and New Zealand at Tenable, emphasised the need for a proactive approach to cybersecurity. “As cyber threats continue to evolve, it is critical for ANZ organisations to adopt a proactive cyber strategy that identifies and mitigates vulnerabilities before they can be exploited,” McKinnel said. “Our latest research shows that keeping an eagle eye on the smallest of vulnerabilities can protect organisations from significant business risks. By implementing exposure management and prioritising critical threats, both public and private sector organisations will always be one step ahead in safeguarding their vital assets.”

The report aims to help cybersecurity teams overwhelmed by large amounts of fragmented threat intelligence and vulnerability data. By providing a focused strategy to eliminate the most dangerous threats, the study serves as a guide for risk management in the digital age. Tenable’s research suggests that concentrating on a small, specific set of high-risk vulnerabilities can enable organisations to allocate their cybersecurity resources more effectively, thereby reducing their overall exposure to cyber threats.

Tenable's methodology and findings may serve as a vital resource for businesses seeking to navigate the increasingly complex landscape of cybersecurity. The company's use of the Vulnerability Priority Rating model aids in prioritising threats based on their potential impact, enabling organisations to make informed decisions about where to focus their defensive efforts.

The insights presented in “The Critical Few: How to Expose and Close the Threats that Matter” provide actionable steps for businesses to enhance their cybersecurity measures. These guidelines can be particularly useful for organisations aiming to safeguard their operations and assets from the most critical and high-risk vulnerabilities.