More than half of US organisations ‘vulnerable to IT failure’
New research underlines cyber risks to central banks following CrowdStrike IT outage
As the world recovers from one of the biggest IT failures in history, new research highlights the scale of cyber vulnerabilities in the US.
A working paper by the US National Bureau of Economic Research (NBER) looked at more than 150,000 medium and large US organisations. It found that more than half had “severe security vulnerabilities” because of failures to update key software.
The paper states that a huge number of organisations are exposed to cyber risk. Its findings suggest that the risk is compounded for those organisations – such as central banks – that use third-party IT services.
Authors Raviv Murciano-Goroff, Ran Zhuo and Shane Greenstein focus on users of Apache web server software. By using the Internet Archive’s Wayback Machine, they were able to check websites’ metadata to see when key security updates had been installed.
Their results point to “widespread use” of software that is open to cyber attack. Between 2000 and 2018, 57% of the organisations in the study were operating with software that contained severe vulnerabilities even when later, more secure versions of the software were available.
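The check the paper describes, as an added illustration rather than the authors' own code: an Apache HTTP server announces its version in the `Server` response header (unless the operator hides it), and archived snapshots of a homepage preserve that header over time, so a version string can be compared against the first release that fixed a given vulnerability. The sample headers below are constructed, the "first fixed" version is a placeholder assumption (a real check takes it from the vendor advisory), and the classification is a defender's inventory heuristic, not the NBER study's method.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample "Server" headers, as an archive snapshot or a crawl of
# an organisation's own homepage would record them. Not data from the paper.
SAMPLE_SERVER_HEADERS: List[str] = [
    "Apache/2.2.15 (CentOS)",
    "Apache/2.4.41 (Ubuntu)",
    "Apache",                                                    # version hidden (ServerTokens Prod)
    "nginx/1.18.0",
    "Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips",
]

# Placeholder assumption: the first Apache release carrying the fix for the
# vulnerability being checked. Take the real value from the vendor advisory.
FIXED_VERSION: Tuple[int, int, int] = (2, 4, 10)

_APACHE_RE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an Apache Server header, or None when
    the header is not Apache or the operator has hidden the version."""
    match = _APACHE_RE.match(server_header.strip())
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def classify(server_header: str, fixed: Tuple[int, int, int] = FIXED_VERSION) -> str:
    """Classify one header as 'not-apache', 'unknown', 'vulnerable' or 'patched'.

    'unknown' means the version is hidden, which is not evidence of patching.
    Caveat: distributions often backport fixes without bumping the version,
    so a 'vulnerable' verdict from the string alone should be confirmed
    against the package changelog on the host before acting on it.
    """
    if not server_header.strip().startswith("Apache"):
        return "not-apache"
    version = parse_apache_version(server_header)
    if version is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def summarise(headers: List[str], fixed: Tuple[int, int, int] = FIXED_VERSION) -> Dict[str, int]:
    """Count headers per class; this is the per-snapshot tally a longitudinal
    study (or an internal inventory) would aggregate over time."""
    counts = {"not-apache": 0, "unknown": 0, "vulnerable": 0, "patched": 0}
    for header in headers:
        counts[classify(header, fixed)] += 1
    return counts


def vulnerable_share(headers: List[str], fixed: Tuple[int, int, int] = FIXED_VERSION) -> Optional[float]:
    """Share of Apache hosts with a visible version that are below the fixed
    release. Hidden-version hosts are excluded from the denominator."""
    counts = summarise(headers, fixed)
    known = counts["vulnerable"] + counts["patched"]
    if known == 0:
        return None
    return counts["vulnerable"] / known


if __name__ == "__main__":
    for header in SAMPLE_SERVER_HEADERS:
        print(f"{header!r:70} -> {classify(header)}")
    print(summarise(SAMPLE_SERVER_HEADERS))
    print(f"vulnerable share among versioned Apache hosts: {vulnerable_share(SAMPLE_SERVER_HEADERS):.2f}")
```

Run against an inventory of your own hosts' headers, the tally separates "confirmed patched" from "version hidden", which matters because hiding the version (a common hardening step) removes the evidence without removing the exposure; the backport caveat in `classify` is why the string comparison is a triage signal, not a final verdict.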
“Almost every Apache HTTP server hosting the organisations’ homepages has operated with a publicly disclosed severe security vulnerability for some months,” the authors say.
Furthermore, organisations that “stand to lose the most” from cyber attacks, such as high-traffic websites and those using “monetisation technologies”, are more likely to have vulnerabilities in their software.
The authors say cost is a key reason why organisations fail to update software. They suggest the problem can be tackled through “software update rebates”.
Organisations could also take steps such as moving their websites to the cloud to both cut costs and make it easier to install updates. Policy-makers and managers could “focus on organisational routines and culture to improve cyber security”.
Even organisations that update their software promptly would not have avoided the July 19 worldwide cyber incident, which was caused by a faulty software update from cyber security firm CrowdStrike.
Events on the previous day highlighted the cyber risks central banks face through their links with third-party service providers. The Bank of England’s high-value payment system was affected for several hours on July 18 by problems originating in the Swift messaging network. The European Central Bank also chose to close its key payment systems later than scheduled to deal with the same issue.
Central banks often outsource payment work to third parties – the practice was used by 51.5% of respondents to Central Banking’s 2024 payments benchmark.
Third-party risks manifest themselves in a host of other ways for central banks, from the cloud to treasury management software, data storage and transfer, and financial services.
“A lot of us are depending on the same software provider, the same cyber recovery experts, etc,” Filipe Dinis, chief operating officer at the Bank of Canada, told Central Banking in 2023. “In a real crisis, when everything needs attention, these vendors are going to be called upon from all the same clients.”