We’re often asked ‘why would a cybercriminal target our business?’. The reality is that every organisation has something a threat actor can benefit from, so the more relevant question is, ‘how easy would it be for a cybercriminal to target our business?’.
Like many situations in life, cybercriminals tend to take the path of least resistance and pick the low-hanging fruit. Any business that displays public-facing technical vulnerabilities will be their first port of call. Using readily available scanning and reconnaissance tools to scope the security health of websites, applications, wireless networks, firewalls, etc., they focus on weakness. In fact, according to Forrester, 41% of successful cyber breaches are down to a technical vulnerability being exploited.
Rightfully, Saepio classifies vulnerability management as a Security Essential. To prevent exploitation of technical vulnerabilities, the following steps should be taken:
1) Create an inventory of all IT systems and devices on your network
2) Identify which are critical and hold your digital crown jewels
3) Understand where technical vulnerabilities exist
4) Assess the level of risk associated with each vulnerability
5) Prioritise remedial action, for example by patching vulnerabilities in a timely manner based on system criticality and level of risk.
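To make the five steps concrete, here is an added example (not Saepio’s own tooling) that turns a constructed inventory and a few constructed scanner findings into a risk-ordered remediation plan. The criticality weights, priority thresholds, patch windows and VULN-00x identifiers are all hypothetical values standing in for your own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta

CRITICALITY_WEIGHT = {"crown_jewel": 3.0, "business": 2.0, "low": 1.0}  # step 2 tiers (constructed)
PATCH_WINDOW_DAYS = {"P1": 7, "P2": 30, "P3": 90}  # step 5: hypothetical policy windows
TODAY = date(2024, 1, 1)  # fixed so the plan below is reproducible

@dataclass
class Asset:             # one row of the step-1 inventory
    name: str
    criticality: str     # key into CRITICALITY_WEIGHT
    internet_facing: bool
@dataclass
class Finding:           # one scanner result (step 3); vuln_id values are placeholders
    asset: str
    vuln_id: str
    cvss: float          # scanner base severity, 0.0-10.0

def priority_score(asset: Asset, finding: Finding) -> float:
    """Step 4: severity weighted by criticality and exposure, so a mid-severity
    flaw on a public crown jewel outranks a critical one on an internal lab box."""
    score = finding.cvss * CRITICALITY_WEIGHT[asset.criticality]
    if asset.internet_facing:
        score *= 1.5     # public-facing systems are what attackers scan first
    return round(score, 1)

def priority_band(score: float) -> str:
    # Illustrative thresholds; tune to your own risk appetite.
    return "P1" if score >= 27.0 else "P2" if score >= 14.0 else "P3"

def build_remediation_plan(assets, findings, today=TODAY):
    """Step 5: worklist ordered by score, each item with a policy due date."""
    inventory = {a.name: a for a in assets}
    plan = []
    for f in findings:
        asset = inventory[f.asset]  # KeyError here means an inventory gap: fix step 1 first
        score = priority_score(asset, f)
        band = priority_band(score)
        plan.append({"asset": asset.name, "vuln": f.vuln_id, "score": score, "band": band,
                     "due": today + timedelta(days=PATCH_WINDOW_DAYS[band])})
    return sorted(plan, key=lambda r: (-r["score"], r["due"]))

ASSETS = [Asset("web-portal", "crown_jewel", True), Asset("hr-db", "crown_jewel", False),
          Asset("dev-vm", "low", False)]
FINDINGS = [Finding("web-portal", "VULN-001", 6.4), Finding("hr-db", "VULN-002", 9.8),
            Finding("dev-vm", "VULN-003", 9.0)]
if __name__ == "__main__":
    for row in build_remediation_plan(ASSETS, FINDINGS):
        print(f'{row["band"]} {row["score"]:>5} {row["asset"]:<11} {row["vuln"]} due {row["due"]}')
```

Note that the public-facing portal’s CVSS 6.4 finding lands in P1 while the lab VM’s CVSS 9.0 finding is P3: severity alone would have ordered them the other way round.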
Once a Vulnerability Management and Patch Management policy is defined, technology solutions are required, alongside defined processes executed by skilled IT staff, to ensure cybercriminals find no vulnerabilities that would result in a compromise. If you know Saepio, we talk a lot about Policy, Product and People – vulnerability management is an excellent example of these three pillars working together.
The technology aspect is an important component: the better the product, the easier it is for the IT team to run the vulnerability management process. The market-leading tools not only highlight all the vulnerabilities that exist, but also categorise them by risk severity and automate the remediation/patching process. This means policy is better enforced and the time burden on IT resources is reduced. Forrester recently completed an independent analysis of this market - their report can be found here: https://www.rapid7.com/info/forrester-wave-2018/
As always, the Saepio team are on standby to discuss this subject and any other cyber security challenges.