Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

All CVEs Are Not Created Equal

Vulnerabilities impact each industry differently, so each sector needs to think about its defenses and vulnerability management differently.

Tiago Henriques, Vice President of Research, Coalition

February 27, 2023

5 Min Read
Hexagonal blocks with lock icons printed on them are arranged in lines, with an open lock block sending one line awry
Source: Andrii Yalanskyi via Alamy Stock Photo

Common vulnerabilities and exposures (CVEs) have been rising for the past few years, and they show no sign of stopping. New vulnerabilities are added to the National Vulnerability Database at an alarming rate — and the incredible volume makes tracking them increasingly difficult.

In 2000, there were only about 1,000 disclosed vulnerabilities. With this volume, security teams could review and remediate them efficiently: The systems were less complex and more easily siloed, and the sheer number was less than today. Now the number of disclosed vulnerabilities has exploded to over 23,000 in 2022 — a 2,200% increase in 22 years. And based on our Seasonal ARIMA model that builds on 10 years of data, Coalition anticipates more than 1,900 new CVEs per month in 2023, including 270 high-severity and 155 critical-severity CVEs.

For CISOs everywhere, this massive amount of information can be daunting since good cybersecurity hygiene is necessary for an organization to survive. However, not all CVEs are even exploitable, and there are varying degrees of difficulty in creating exploits for CVEs.

The situation can be even more overwhelming for industries with different technical and digital requirements, in which cyber may not be a focus area. Further, these security flaws also do not impact every industry in the same way. For example, a vulnerability may need to be prioritized differently for the consumer sector versus the healthcare or real-estate sectors.

Below we'll dive into findings from Coalition's "Cyber Threat Index 2023," which examines how today's security vulnerabilities impact various industries. The analysis stems from aggregations created entirely from underwriting scans run on these companies during the insurance quoting process.

Healthcare and Real-Estate CVEs Tend to Be Less Serious

The healthcare sector is particularly vulnerable to cyberattacks, given the volume of personally identifiable information (PII) that ransomware attackers can exploit if they get into the network. The real-estate industry is also a premium target because of the sensitive renter and owner application data managed.

With digitization, both have become appealing targets. Hospitals were forced to move to virtual doctor's appointments during the pandemic. Real estate has experienced the rise of smart buildings that use Internet of Things (IoT) devices to analyze building data and improve operations. These digital evolutions have expanded the attack surface into the cloud.

But while healthcare and real estate tend to have more security vulnerabilities or issues detected per asset or technology services, we found that they are often targeted with less harmful CVEs. (A silver lining!)

Healthcare also has one of the lowest numbers of distinct breaches on average, demonstrating the smaller impact of these less harmful CVEs.

This lower level of exploitation may be because real estate and healthcare tend to use less technology, on average. And when they do use it, they usually opt for more reliable and stable tech stacks compared with other industries, reducing their overall attack surface.

But just because healthcare and real estate have less-serious CVEs doesn't mean organizations shouldn't be patching. But it does point toward the need to take a more holistic view of gaps in their security posture to better understand which vulnerabilities are most important to prioritize and how vulnerabilities may affect them differently.

Consumer Services and Technology at Higher Risk

Unlike healthcare and real estate, technology and consumer services have complex, digitally oriented tech stacks. The technology industry uses the largest number of disparate technologies, such as developer favorites jQuery, Microsoft IIS, NGINX, and Cloudflare. The increase in cloud-hosted technologies expands the technology industry's attack surface.

The saving grace for the technology sector may be that it is more acutely aware of security and, thus, more likely to patch issues quickly. This is likely why the technology sector has the lowest rate of distinct data leaks per company, at 5.59 average breaches in 2022.

According to our analysis, the consumer services industry stores the highest percentage of assets in the cloud. This is surprising because the industry processes and stores customers' PII. Storing PII in the cloud is a significant security risk because, if not done correctly, it can be exposed for anyone to view and download. Consumer services need to be on guard against vulnerabilities in the cloud and increase awareness around how a threat actor might exploit data stored in the cloud.

When you look at the CVEs impacting each industry, the consumer services and technology sectors have the highest average severity of the industries we analyzed during 2022. Over the past year, the consumer services sector had an average CVE criticality of 9.36 out of 10, and technology had an average of 9.29 out of 10. (Real estate had a much lower score of 7.78 out of 10, for context). This higher severity means that the CVEs impacting these two sectors have much more significant impacts and have the potential to cause the most damage.

Respond to Threats Accordingly

Understanding how security vulnerabilities impact these different industries can help cybersecurity vendors, including cyber insurers, make smarter decisions when assessing risk. It also helps companies improve their security postures by patching issues and flaws according to their particular risks. Organizations should look beyond the criticality of a vulnerability. Security teams also need to consider the context in which the vulnerability exists, the type of asset it exists on, and the types of losses that could result.

This difference in the breakdown of average attacks, severity, and attack surface size all dictate how organizations in different industries need to prioritize vulnerabilities differently. Consequently, it shows how they need to allocate technology defenses and human resources, too.

About the Author

Tiago Henriques

Vice President of Research, Coalition

Tiago Henriques has had a rich career across the cybersecurity industry as an entrepreneur, CEO, pen tester, security analyst and auditor. In 2015 he founded BinaryEdge, a cybersecurity company specializing in enterprise infrastructure scanning and attack surface management. Since Coalition's acquisition of BinaryEdge in 2020, Tiago led customer security efforts across the organization as Director of Engineering for Security, recently becoming Vice President of Research.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights