Bitsight has revealed the UK data from a new report by its TRACE security research team analysing the Known Exploited Vulnerabilities (KEV) catalog.

The report, titled “A Global View of the CISA KEV Catalog: Prevalence and Remediation,” analyses data from 1.4 million organisations globally – the only such study to encompass Internet-wide scans – and highlights the deep challenges that global organisations face in remediating critical, exploited vulnerabilities in a timely manner.

The European data reveals that the UK leads in lowering its KEVs, however the vulnerabilities it does have take longer to remediate than the European average. 

“Most organisations are still too slow to mitigate,” said Derek Vadala, Chief Risk Officer, Bitsight.

“The situation creates significant risk and speaks to the need for business leaders on the board and in the C-suite to recognise these vulnerabilities as the serious threats they are and demand a security posture that prioritises deep insight and swift action.

“From there, organisations have an opportunity to grow.” 

What did the report discover?

Key KEV prevalence and remediation findings from the Bitsight TRACE study include: 

• The percentage of organisations in the UK with detectable KEVs is much lower than the European average. 
• 30.2% of organisations in the UK had detectable KEVs in 2023, compared to an average of 43.2% in the rest of Europe. 
• The UK has the lowest prevalence in Europe. 
• Closely following the UK is Norway with 30.62%. The country with the highest prevalence of KEVs in Europe is North Macedonia with 62.59%. 

• The UK lags behind the European average on remediation time. 
• UK companies take, on average, 225.4 days to remediate KEVs and 733.6 days to remediate non-KEVs. 
• The European average is 220.6 remediation days for KEVs and 573.9 remediation days for non-KEVs. 
• The best performing country in Europe is Germany, taking 21.7 days on average for remediation. 

• Globally, vulnerabilities included in the KEV catalog are highly prevalent and over a third of organisations had at least one in 2023.  
• KEVs are 2.6x more prevalent compared to the typical non-KEVs. 
• 35% of organizations experienced a KEV in 2023 – 66% of which had more than one, 25% of which had more than five and 10% of which had more than 10. 

• Globally, remediation of KEVs is significantly faster than non-KEVs of similar severity. 
• The average KEV is resolved within 6 months (174 median days), whereas non-KEVs can take more than 1.7 years (621 median days)  
• Remediation of KEVs varies based on the severity:  
• Critical severity KEVs took nearly 4.5 months (137 median days)  
• High severity vulnerabilities take more than 9 months (238 median days) 
• Medium severity vulnerabilities take nearly 1.5 years (517 median days) 

Mounting pressures

“The research from Bitsight sheds light on the mounting pressures facing every organisation and proves that, now more than ever, security leaders need a seat at the table and the ability to influence operational change across the organisation,” said Roland Cloutier, Former Fortune 100 CSO and Bitsight Advisor.

More Security News