More than a third of network devices running known vulnerabilities
Written by John P Mello Jr on April 29, 2010
More than a third of all network devices attached to business nets are carrying at least one known security vulnerability, according to an annual report released by a global IT infrastructure company.
Dimension Data, headquartered in Johannesburg, South Africa, in its Network Barometer Report 2010 revealed that an analysis of data gathered from 235 organizations around the world showed that 38 percent of networking devices had vulnerabilities that had been publicly disclosed but remained unaddressed by their businesses.
The data was obtained electronically through technology lifecycle management assessments performed by Dimension Data. The assessment technology discovers installed assets on a network, identifies their lifecycle status and determines their maintenance coverage.
The 38 percent vulnerability number is significantly lower than the 73 percent found in last year’s report, but because the methodology in the 2010 report was altered from the 2009 one, results aren’t entirely compatible.
“However,” the report writers noted, “an overall figure of 38 percent for 2009 [data in the 2010 report] albeit dramatically lower than in the previous year is still a substantial percentage, and shows that over a third of all organizations’ estates are running with known security vulnerabilities that could have serious risk implications that could expose the business to both external and internal security attacks and threats.”
“Four in 10 devices running with at least one known security vulnerability, while a substantial drop from last year, is still very high and has serious risk implications,” they added.
Although comparisons between this year’s and last year’s reports may be like comparing oranges to tangerines, there’s still room for optimism, according to the report writers.
“A reduction in the number of devices running with at least one known security vulnerability indicates that organizations are probably remediating known security vulnerabilities more effectively than in the previous year,” they maintained.
The largest drop in vulnerabilities was among very large businesses, to 22 percent from 71 percent in 2009.
Another big drop was seen among small businesses, to 60 percent from an amazing 100 percent in 2009.
Regionally, Australia and Europe decreased their vulnerabilities the most: Australia to 33 percent from 74 percent in 2009; Europe to 27 percent from 68 percent last year.
Other than the methodology changes in this year’s report, its writers cited two developments that may have contributed to the decrease in vulnerabilities found this year versus last year.
One is the steady decline in vulnerabilities being identified by Cisco Systems in recent years. “As the rate at which Cisco discovers new vulnerabilities slows down,” the report writers explained, “organizations will find themselves increasingly able to ‘catch up’ with their security patches and lower the overall number of vulnerabilities across their devices.”
“Additionally,” they pointed out, “not only are the number of vulnerabilities that Cisco is publishing on the decline, they are also now spread across a wider range of products meaning that the number of vulnerabilities per product for the set we’re analyzing (i.e. devices on the network) is fewer.”
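The counting the report describes (share of inventoried devices with at least one unremediated disclosed vulnerability, and the advisory count per product restricted to products actually on the network) as an added Python example that is not part of the article or of Dimension Data's assessment tooling; the hostnames, versions and advisory ids are constructed placeholders, and matching a device against an advisory by "running version below first fixed version" is an assumed rule:

```python
"""Added example, not code from the Dimension Data report or the article:
compute the share of inventoried network devices running at least one
publicly disclosed, unremediated vulnerability, and the per-product
advisory count. Every device, version and advisory below is constructed."""
from collections import Counter

# Constructed inventory: (hostname, product, running version, past end-of-life?)
INVENTORY = [
    ("core-sw-1",  "ios-xe", (16, 9, 4), False),
    ("core-sw-2",  "ios-xe", (17, 3, 2), False),
    ("edge-rtr-1", "ios",    (15, 2, 4), True),
    ("edge-rtr-2", "ios",    (15, 9, 3), False),
    ("wan-fw-1",   "asa",    (9, 8, 4),  False),
]

# Constructed advisories: (placeholder id, product, first fixed version).
# Assumed rule: a device is exposed when it runs that product below the fix.
ADVISORIES = [
    ("ADV-0001", "ios-xe", (17, 3, 1)),
    ("ADV-0002", "ios",    (15, 9, 1)),
    ("ADV-0003", "ios",    (15, 4, 1)),
    ("ADV-0004", "asa",    (9, 8, 2)),
]

def unremediated(inventory, advisories):
    """Map each hostname to the advisory ids it is still exposed to."""
    return {
        host: [adv for adv, prod, fixed in advisories
               if prod == product and version < fixed]
        for host, product, version, _eol in inventory
    }

def share_with_known_vuln(inventory, advisories):
    """Fraction of devices running at least one known vulnerability."""
    exposure = unremediated(inventory, advisories)
    return sum(1 for hits in exposure.values() if hits) / len(inventory)

def vulns_per_product(inventory, advisories):
    """Distinct advisories per product, restricted to products actually
    present on the network (the 'set we're analyzing' in the text)."""
    present = {product for _, product, _, _ in inventory}
    return Counter(prod for _, prod, _ in advisories if prod in present)

def exposed_past_end_of_life(inventory, advisories):
    """Exposed devices that are also past end-of-life: no vendor fix will
    ever arrive, so remediation means replacement rather than patching."""
    exposure = unremediated(inventory, advisories)
    return sorted(host for host, _, _, eol in inventory if eol and exposure[host])
```

On the constructed data two of five devices are exposed (40 percent), which is the kind of headline figure the report states; the end-of-life split is the lifecycle dimension the assessment is said to collect.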
Another contributing factor to vulnerability decline cited in the report is the impact of the assessments themselves. “[T]he network assessments and the recommendations they give rise to, as well as a more security aware and informed IT discipline, are having an impact on the way in which organizations address their security posture,” the report writers observed.
They noted that most organizations understand the importance of treating data with confidentiality, integrity and availability. What’s difficult for them to understand, implement and maintain is IT security and compliance. “Without a clear information security plan with defined and regular security vulnerability assessments,” they asserted, “many businesses are simply unaware of their risk exposure and could be leaving themselves open to financial, reputational and operational damage.”
“Furthermore,” they continued, “while new computing models and technologies such as cloud computing, virtualization, wireless and visual communication promise a range of exciting business benefits, it is essential that due consideration be given to the impact that these initiatives can have on an organization’s security environment and risk appetite, so as to ensure that technology is facilitating business objectives and not impeding them.”
In concluding their report, they recommended that businesses do what has to be done to keep their networks humming.
“IT infrastructure is crucial to an organization’s ability to perform both efficiently and competitively,” they wrote, “yet the reality is that IT infrastructures can be poorly configured and contain assets that are past their end-of-life, which increases the likelihood of security vulnerabilities and limits effective organizational productivity.”
“Given that the network is a production asset and key to effective business operations,” they contended, “it is obvious that it will need ongoing maintenance, support and investment in order to function optimally.”