A majority of organizations are struggling to detect unpatched vulnerabilities. In June 2019, Tripwire partnered with Dimensional Research to survey 340 information security professionals about their organizations’ experiences with handling vulnerabilities. More than a quarter (27%) of respondents told Tripwire that their employer had suffered a data breach as a result of an unpatched vulnerability. They also revealed that their organizations didn’t implement comprehensive vulnerability scanning across the enterprise, as shown in the findings below:
- Most (88%) of the survey participants said that their employers ran vulnerability scans. Of those, just 63% said that their organizations conducted authenticated scans.
- Half of respondents told Tripwire that their employers directed their resources to detecting and remediating only high-severity vulnerabilities.
- Nearly a fifth (16%) of information security professionals surveyed said that their employers conducted vulnerability scans just to meet compliance or other requirements.
Organizations can’t afford to leave themselves exposed to a vulnerability incident in the ways described above. That’s especially the case with small- to mid-size businesses (SMBs). Indeed, the 2019 Hiscox Cyber Readiness Report found that the average financial cost of a cyberattack for businesses of all sizes is about $200,000—something which many SMBs can’t survive.
Vulnerability Management as the Solution
SMBs need to restructure the way in which they address security vulnerabilities if they are to properly defend themselves against a costly cyberattack. One of the ways they can do this is by creating a vulnerability management (VM) program. It’s a formal way by which they can identify weaknesses in their IT assets and evaluate the associated risks, notes the SANS Institute.
Vulnerability management is not a one-and-done affair. According to IT Pro, it’s a process that consists of four steps. These are as follows:
- Discovery: SMBs can’t detect vulnerabilities in assets that they don’t know about. Therefore, it’s important that they begin their vulnerability management program with a discovery phase. This involves creating a dynamic inventory of all hardware and software that’s connected to the corporate network.
- Reporting: In the process of learning about all of their discovered devices, SMBs can figure out if those devices are receiving updates from their software developers and whether they are up to date. They can then compile all of this information into a report that uses various information including an asset’s business criticality to identify which connected systems are most vulnerable.
- Prioritization: At this point, SMBs need to begin prioritizing the manner in which they want to respond to the vulnerabilities they’ve learned about and documented in the previous steps. They can use the time it will take for them to fix each issue, how much they’ll need to spend on each fix and how much risk each vulnerability poses to their security to help them along the way.
- Response: The last step for SMBs is to address their vulnerabilities in the order that they set out. To fix some of these weaknesses, they might simply need to install a software patch. Other security holes might warrant more costly solutions including the replacement of an outdated device that no longer receives patches.
Some VM Challenges Confronting SMBs and How to Address Them
SMBs can use the steps identified above to maximize the efficacy of their vulnerability management programs. But that doesn’t mean they won’t run into challenges along the way. As noted by CSO Online, 43% of cybersecurity and IT professionals who participated in a research project admitted that vulnerability prioritization was their biggest VM challenge. Approximately the same percentage of survey participants said the same about tracking vulnerability and patch management over time (42%), patching all vulnerabilities in a timely manner (42%), tracking the long-term cost and effectiveness of the VM program (41%) and keeping up with the volume of vulnerabilities confronting their employer (40%).
These challenges are not intractable, however. Security Boulevard explained that SMBs can correlate internal sources (like the change management system) with external data (such as a weakness’s CVSS score) to improve their ability to prioritize their vulnerabilities. They can also help the actual remediation process along by integrating the VM databases, processes and tools used by security, IT and DevOps into a central location. Doing so will help them to orchestrate and automate at least some of their remediation tasks by fostering better collaboration between teams and by creating predefined playbooks based upon their unique environments. Finally, they can look past purely quantitative metrics and use vulnerability dwell time, the average number of vulnerabilities per asset and other qualitative metrics to evaluate and track their VM programs.
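As an added illustration (not part of the original guide or of any ITEGRITI tooling), the following Python sketch ties the Prioritization and Response steps to the correlation described above: each finding's CVSS score (external data) is weighted by the asset's business criticality (internal data) and divided by estimated fix effort, devices that no longer receive patches are routed to replacement, and the dwell-time and vulnerabilities-per-asset metrics are computed over the same records. All asset names, scores and dates are constructed sample data, and the scoring formula itself is an assumption, not a standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Finding:
    asset: str
    finding_id: str        # placeholder label, not a real CVE number
    cvss: float            # external data: CVSS base score, 0-10
    criticality: int       # internal data: business criticality, 1 (low) to 3 (high)
    fix_hours: float       # estimated remediation effort
    discovered: date
    remediated: Optional[date] = None
    vendor_supported: bool = True   # False: device no longer receives patches

def priority_score(f: Finding) -> float:
    """Assumed formula: risk (CVSS x criticality) per hour of fix effort."""
    return (f.cvss * f.criticality) / max(f.fix_hours, 0.5)

def response_action(f: Finding) -> str:
    """Response step: patch if the vendor still ships fixes, else replace."""
    return "patch" if f.vendor_supported else "replace (out of support)"

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Open findings in the order they should be addressed."""
    return sorted((f for f in findings if f.remediated is None),
                  key=priority_score, reverse=True)

def dwell_time_days(findings: List[Finding], today: date) -> float:
    """Average days each finding stayed (or has so far stayed) open."""
    days = [((f.remediated or today) - f.discovered).days for f in findings]
    return sum(days) / len(days)

def vulns_per_asset(findings: List[Finding]) -> float:
    """Open findings divided by the number of inventoried assets."""
    open_count = sum(1 for f in findings if f.remediated is None)
    return open_count / len({f.asset for f in findings})

# Constructed sample inventory, as the Discovery and Reporting steps would produce.
TODAY = date(2019, 6, 30)
SAMPLE = [
    Finding("web01", "FINDING-A", 9.8, 3, 2.0, date(2019, 6, 1)),
    Finding("fileserver", "FINDING-B", 7.5, 3, 8.0, date(2019, 5, 20)),
    Finding("legacy-switch", "FINDING-C", 6.5, 2, 40.0, date(2019, 4, 15),
            vendor_supported=False),
    Finding("laptop07", "FINDING-D", 5.3, 1, 1.0, date(2019, 6, 10),
            remediated=date(2019, 6, 12)),
]
```

Calling `prioritize(SAMPLE)` puts the high-criticality, quick-to-fix web server first and the out-of-support switch last, while `response_action` still flags that switch for replacement rather than patching.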
Tapping into a Well of Experience
Obviously, that’s a lot for SMBs to do on their own. But SMBs don’t have to go it alone. They can work with a managed services provider like ITEGRITI whose team members have the experience to assess cybersecurity risk in the business, design a vulnerability management program and then assess for vulnerabilities using penetration tests and other efforts.
“Cybersecurity is only strong when defensive measures are updated regularly to handle exploits and other threats that emerge anew on an almost continual basis,” ITEGRITI CEO and Co-Founder Michael Sanchez said. “Both the number and sophistication of attacks have increased dramatically in recent years. These attacks, whether they involve locking the computer and demanding money to be unlocked, sending sensitive data to a hard drive far, far away to be sold on the dark web, or taking over the Energy Management System to disrupt the grid, all tend to start with at least a component of the attack leveraging malicious code. Limiting the impact of malicious code and unauthorized access through vulnerability management and hardening is a very important component of any cybersecurity strategy.”
To get started with creating a vulnerability management program of their own, SMBs first need to understand their cybersecurity risk baseline. They can gain this insight by taking ITEGRITI’s Cybersecurity Risk Assessment. The assessment questions are based on the essential cybersecurity controls that help companies avoid hacks and minimize business impact during cybersecurity events. Participants receive a copy of the risk baseline report and a cybersecurity maturity score, based solely on this attestation, together with control implications in areas where cybersecurity controls may need improvement.
To find out your SMB’s cyber risk baseline, take ITEGRITI’s assessment here.
This SMB Guide is part of a series to assist small and medium-sized businesses with their cybersecurity needs. You can read others in the series here:
- Cybersecurity Guide: The Role of a CISO
- Cybersecurity Guide: Security Awareness & Training
- Cybersecurity Guide: Asset Inventory
- Cybersecurity Guide: Asset Baselines, Hardening and Change Management
- Cybersecurity Guide: Vulnerability Management
- Cybersecurity Guide: Access & Account Management
- Cybersecurity Guide: Supply Chain Management/Third Party Vendors
- Cybersecurity Guide: Incident Management & Review
- Cybersecurity Guide: Information Management & Protection
- Cybersecurity Guide: Boundary Defense, Electronic & Physical Security