What Does the Data Say?

Welcome to 2025! A new year, new beginnings and new hope, right? Given everything happening globally in terms of war, conflict, disease and other negative developments, can we at least be hopeful on the cyber threat and vulnerability front?

Nah! The data does not lead to much optimism, I am afraid.

Disclosed vulnerabilities and exploits are trending up: From 2018 to 2022 there was a steady rise in the number of disclosed vulnerabilities (CVEs), and Exploit DB listings inched upward over the same period. As more flaws are discovered and disclosed, more proof-of-concept and in-the-wild exploits follow.

There are proportionately fewer exploits than CVEs: The volume of public exploits is always smaller than the total number of CVEs published; not every vulnerability is accompanied by a public exploit. The consistent growth of both, however, points to an elevated threat environment.

There are hard-to-explain fluctuations: Breaches climbed from 1,244 in 2018 to 1,473 in 2019, dropped to 1,108 in 2020, spiked to 1,862 in 2021 and dipped slightly to 1,802 in 2022. All this shows, in my opinion, is that breach numbers do not follow a simple linear pattern even as vulnerabilities and exploits rise.


What does this all mean?

  1. Higher vulnerability counts and more public exploits do not correlate directly with more breaches, but they significantly increase the likelihood of a successful attack. Quantifying that risk helps organisations allocate resources where they matter most.
  2. The cost of a breach is rising, driven by the complexity of modern attacks and stricter regulatory penalties, which makes proactive risk management a financial imperative.
  3. The data underscores the need for a proactive, risk-based approach to identifying, prioritising and remediating vulnerabilities, which reduces both the likelihood and the financial impact of breaches.
  4. A risk-based vulnerability management strategy is no longer optional; it is a necessity against today's increasingly sophisticated threats.
  5. Understanding and quantifying the potential business impact of vulnerabilities, especially those with a high likelihood of exploitation, is critical for prioritising remediation and mitigating operational and financial risk.

Bottom line: the financial and operational consequences of unpatched vulnerabilities are escalating, and adopting a quantified, risk-based approach is the most effective way to stay ahead of them.
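
To make the "quantified, risk-based approach" concrete, here is an added example (not from the original post) of how a vulnerability backlog might be ranked by expected loss: likelihood of exploitation multiplied by business impact, with the likelihood raised when a public exploit exists or the affected asset is internet-facing. The scoring multipliers, the `vuln-*` inventory entries and the impact figures are all constructed assumptions for illustration, not real vulnerabilities or real data.

```python
"""Illustrative risk-based prioritisation of a vulnerability backlog.

Added example: the scoring model, multipliers and inventory below are
constructed for illustration and are not the post's own data or method.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    ident: str            # constructed placeholder identifier, not a real CVE
    asset: str            # constructed asset name
    cvss: float           # CVSS base score, 0.0 to 10.0
    public_exploit: bool  # e.g. a listing exists in Exploit DB
    internet_facing: bool # asset reachable from the internet
    impact: float         # estimated loss if exploited (assumed owner estimate)


def exploit_likelihood(v: Vuln) -> float:
    """Annual probability of successful exploitation (hypothetical model).

    The base rate scales with CVSS; a public exploit and internet exposure
    each raise it. This mirrors the post's point that public exploits raise
    risk even though they do not map one-to-one onto breaches.
    """
    base = 0.02 * v.cvss          # 0.0 .. 0.20 from severity alone
    if v.public_exploit:
        base *= 3.0               # assumption: a public PoC triples likelihood
    if v.internet_facing:
        base *= 2.0               # assumption: exposure doubles it
    return min(base, 0.95)        # cap: nothing is a certainty


def expected_loss(v: Vuln) -> float:
    """Expected annual loss = likelihood x impact."""
    return exploit_likelihood(v) * v.impact


def prioritise(vulns):
    """Return (ident, asset, expected_loss) tuples, highest loss first."""
    return sorted(
        ((v.ident, v.asset, round(expected_loss(v), 2)) for v in vulns),
        key=lambda t: t[2],
        reverse=True,
    )


# Constructed inventory (placeholder identifiers, assets and impact figures).
INVENTORY = [
    Vuln("vuln-1", "billing-api",  9.8, True,  True,  2_000_000),
    Vuln("vuln-2", "billing-api",  9.8, False, True,  2_000_000),
    Vuln("vuln-3", "hr-intranet",  7.5, True,  False,   300_000),
    Vuln("vuln-4", "dev-wiki",     5.3, False, False,    20_000),
]

if __name__ == "__main__":
    for ident, asset, loss in prioritise(INVENTORY):
        print(f"{ident:8} {asset:12} expected loss {loss:>14,.2f}")
```

Note that `vuln-1` and `vuln-2` carry the same CVSS score and sit on the same asset; only the public exploit separates them, which is exactly the signal the Exploit DB trend above argues should drive prioritisation. In practice the hard-coded multipliers would be replaced by an empirical likelihood input such as an EPSS score or presence on CISA's Known Exploited Vulnerabilities catalogue, and the impact column by the asset owner's own loss estimates.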
