
Compliance Does Not Equal Security

David Millier


It’s a serious mistake, and one that too many people make all too often: assuming that your business is secure simply because it is compliant with all current standards and legislation. Compliance alone does not make your business as secure as it could be.

A Good First Step

Compliance is the starting point of security for many companies. For example, a business that wants to accept credit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS). Standards like this exist to ensure that businesses in an industry meet some minimum level of security, giving clients, consumers and partner businesses peace of mind.

But while compliance is a good first step, it is just that: a first step. It is not the end of your business’s security journey.

The Problem with Compliance

Problems arise when adherence to standards and legislation is the only step a business takes to secure its operations. Most standards and laws set out minimum requirements; they do not guarantee that you are doing everything you reasonably could to be secure. Being compliant is better than having no security at all, but the bare-bones requirements are often so minimal that they do little on their own. Take, for example, a standard that requires only annual scanning of systems. New vulnerabilities are disclosed and exploited continuously, so a great deal can go wrong in the twelve months between scans, and your business could be blindsided by a weakness it has never even looked for.

Going Beyond

Once your business is compliant with the standards and legislation governing your industry and operations, it may seem like you don’t need to do much more to guarantee your security. After all, no one is asking you to do any more, so becoming compliant should be enough.

This is where many people make the fatal mistake: simply equating compliance with security. For your business to truly be secure, you need to go a step beyond. You must do more, even if a governing body isn’t asking you to. It may not seem cost-effective or efficient, but taking the extra step to ensure your business’s security is vital to your own operations.

What Should You Do?

Taking the extra step beyond compliance can seem like an enormous leap. After all, standards tend to set out measurable steps and finite guidelines for what you need to do. After you’ve become compliant, however, there’s much less in the way of guidelines; after all, if you only need to scan your systems once per year, no one is going to check if you’re going above that duty and scanning on a monthly basis.

Security can take many forms once you move beyond simple compliance. You might scan your systems more frequently; some businesses run vulnerability scans monthly or more often. Others deploy vulnerability management software to keep on top of the findings. One of the most effective steps is to adopt a risk-based approach to vulnerability management, so that remediation effort goes first to the weaknesses that pose the greatest actual risk to your business rather than being spread evenly across every finding. Some standards even outline additional or optional measures a business can take to strengthen its security.

The Benefits

You need to move beyond simple compliance for your own peace of mind, so the methods you use to ensure your business is secure are largely up to you. Although the initial costs of engaging in additional scans or adopting vulnerability management software may seem daunting, the benefits far outweigh the costs. Mitigating risks, both known and unknown, now and in the future, is imperative for any business owner.


Topics: Vulnerability Management, Compliance, Security

7 Things About Information Security Your Boss Wants to Know

David Millier
  1. Email is NOT Secure

Email is not as private as people often assume. Left unencrypted, a message can be read by anyone who intercepts it in transit or gains access to a mail server along the way. You also cannot trust that the name shown in the “From” field is the real sender: an attacker can forge it to impersonate someone you know in order to steal information (phishing). Attachments may not be what they claim to be, either; what looks like the latest company financials in Excel may, when opened, install ransomware.

  2. How to Recognize Phishing Attempts and Prevent Identity Theft

A phishing attempt is an effort by attackers to obtain information about you, usually by tricking you into visiting a fraudulent website that captures your passwords. Typically an email arrives claiming to come from a reputable or trusted organization and contains links to a fake copy of that organization’s site, where you are asked to enter your username, password or other personal details. Many such messages are poorly written, with spelling and grammatical errors, but well-crafted ones are not, so do not rely on that alone. Inspect links carefully before clicking: hover over them to see the real destination, and check that the domain actually belongs to the organization the message claims to be from.
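The indicators described above (a forged or mismatched sender, a message the receiving server could not authenticate, and a link whose visible text points somewhere other than its real destination) can be checked mechanically. The following is an added example written for this page, not code from the original post or from any product it mentions. It uses only the Python standard library: it parses a constructed message, compares the From domain with the Return-Path (bounce) domain, reads the SPF/DKIM/DMARC verdicts the receiving mail server recorded in the Authentication-Results header, and flags anchor tags whose visible text is a URL on a different domain than the href. The `registrable()` helper is a hypothetical, deliberately crude stand-in for public-suffix handling, and every address and domain in the two sample messages is constructed (`.invalid` is a reserved TLD).

```python
"""Added example, not from the original post: mechanical checks for the phishing
indicators described above (sender mismatch, failed authentication, disguised links).
All addresses, domains and the sample messages below are constructed."""
import re
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed suspicious message: the display name claims a bank, the bounce
# address and SPF verdict say otherwise, and the first link's visible text is a
# URL on a different domain than the one it actually points to.
SUSPICIOUS_MESSAGE = b"""\
Return-Path: <bounce@bulk-mailer.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-mailer.invalid; dkim=none
From: "Example Bank Security" <alerts@examp1e.invalid>
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account is locked. <a href="http://login.examp1e.invalid/verify">https://www.example.com/login</a></p>
<p>Questions? <a href="https://www.example.com/help">Help centre</a></p>
</body></html>
"""

# Constructed legitimate message for comparison: same domain end to end, auth passes.
CLEAN_MESSAGE = b"""\
Return-Path: <bounce@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Example Bank" <alerts@example.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Sign in at <a href="https://www.example.com/login">https://www.example.com/login</a>.</p></body></html>
"""


def registrable(host):
    """Hypothetical helper: last two DNS labels as the 'registrable' domain.
    Good enough for the sample; real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Return a list of (indicator, detail) tuples; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # 1. The visible From address and the envelope sender (Return-Path) should agree.
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2]
    bounce_domain = parseaddr(str(msg["Return-Path"] or ""))[1].rpartition("@")[2]
    if bounce_domain and registrable(bounce_domain) != registrable(from_domain):
        findings.append(("return-path-mismatch", f"{bounce_domain} vs {from_domain}"))

    # 2. Read the receiving server's SPF/DKIM/DMARC verdicts; anything but 'pass' is flagged.
    #    A mechanism that is absent from the header is not flagged here.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append((f"auth-{mech}", m.group(1)))

    # 3. Links whose visible text is a URL on another domain, and plain-HTTP links.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = urlparse(href)
            shown = urlparse(text) if text.startswith(("http://", "https://")) else None
            if shown and shown.hostname and target.hostname and \
                    registrable(shown.hostname) != registrable(target.hostname):
                findings.append(("link-text-mismatch",
                                 f"shows {shown.hostname}, goes to {target.hostname}"))
            if target.scheme == "http":
                findings.append(("plain-http-link", href))
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, phishing_indicators(raw))
```

Run stand-alone, the suspicious sample produces five findings and the clean one none. The Authentication-Results check is only meaningful for the header your own mail server adds; an attacker can insert a fake one, so a production filter should trust only the header bearing its own server's identifier and strip any others on ingress.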

  3. Why You Should Keep Your Computer Updated

Running current software protects you from vulnerabilities that are already publicly known and actively exploited. Operating systems, firewalls, browsers and anti-virus products all ship regular updates for exactly this reason; turn on automatic updates where you can, and apply security patches promptly everywhere else.

  4. How to Use Network Security Tools

Firewalls restrict unauthorized access to your network, spam filters keep unwanted and malicious email out of inboxes, and anti-virus software protects endpoints from known malware; together these form your baseline controls. Vulnerability management tools add visibility on top of that baseline by telling you where the weaknesses in your network are, so you can fix them before someone else finds them.

  5. Secure Passwords Are Important

Your password is the key to everything you can reach on your organization’s systems, so do not make it easy for an attacker. Use a long passphrase, at least eight characters and preferably far more, mixing upper- and lowercase letters, numbers and symbols, and never a common password such as “123456” or “password”. Length matters more than clever substitutions: the longer a password, the harder it is to guess or crack. Never reuse a password across accounts, never write it down or share it, and do not let anyone watch you log in. Log out of websites and devices when you are finished with them, and change a password promptly if you suspect it has been exposed (current guidance such as NIST SP 800-63B no longer recommends forced periodic changes on their own). Wherever it is offered, turn on two-factor authentication (2FA); it adds a second layer of protection that a stolen password alone cannot defeat.

  6. How to Prevent Data Breaches

Criminals are constantly trying to steal sensitive data, and sometimes an unscrupulous competitor is after your business’s information too. Be alert to phishing and other social engineering scams. Keep company data backed up to secure, access-controlled storage so that a breach or ransomware incident does not also mean data loss, and keep your security systems and software up to date.

  7. Mobile Protection

From physical theft to shoulder surfing in a crowd, data on mobile devices is at risk. Never leave phones, tablets or laptops unattended, and avoid reading sensitive data in public places. Every mobile device should be locked with a passcode or biometric and have device encryption enabled, so that a lost phone does not become a lost dataset.

Following all seven steps will help secure your organization.



Topics: Vulnerability Management, Security, Ransomware

Trump Administration’s Cyber Security Strategy

Alix Postan


On May 11th, 2017, President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The order updates existing federal cybersecurity policy and names the framework that agencies must now follow: the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, which the Department of Homeland Security (DHS) had long promoted to the private sector, is now mandatory for every executive department and agency, DHS included.

Some highlights from the executive order:

  • Known but unmitigated vulnerabilities are identified as among the highest cybersecurity risks facing executive departments and agencies.
  • Agencies are expected to keep systems on supported, currently patched software; operating systems and hardware that have passed the vendor’s support lifecycle, and so no longer receive security fixes, are called out as a known vulnerability to be addressed.
  • Heads of executive departments and agencies (agency heads) are held accountable for their risk management decisions. Each must submit a risk management report to DHS within 90 days of the order, setting out which risks they will prioritize for remediation, the budget required, the remediation approach they will take, and why those risks were chosen over others. DHS and the Office of Management and Budget (OMB) review each report.
  • Greater emphasis is placed on cybersecurity education, through curricula, training and apprenticeship programs from primary through higher education, in recognition of a changing cyber environment and the United States’ need to maintain a long-term cybersecurity advantage.

What does this mean for you?

As stated in Section 3(a) of the executive order, the purpose is to:

“ensure that the internet remains valuable for future generations, … to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft. Further, the United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.”

This means that the federal government is now holding its own agencies to the kind of framework-based accountability that commercial businesses already face: just as companies must follow specific frameworks and compliance standards, agencies must now adopt the NIST Framework and report on how they manage risk.

Moreover, the workforce section of the order signals national investment in cybersecurity education and the priority the field is being given in the economy, and it recognizes that policy in this area has to keep pace with a fast-changing threat landscape.

For more information about remediation management, download our free guide, A Risk-Based Approach to Vulnerability Remediation.

If you’re a commercial business owner and are looking for Remediation Management tools, click here.

Topics: Vulnerability Management, Compliance Management, Compliance, Remediating Risks

3 Ways to Improve Remediation Management

David Millier


It doesn’t matter how big or small your company is, you will never be completely safe from cybersecurity threats. This idea shouldn’t scare you. Total safety is a myth. No single method can protect you from all of the perils that every network faces. Still, you need to take the right steps to minimize the likelihood of a potentially catastrophic breach. 

Unfortunately, many companies fail to take these measures, and they suffer the consequences. Cybercriminals typically exploit a weakness in a system to reach the valuable information behind it. Once they find that data they steal it to sell or misuse, encrypt it and hold it to ransom, or both. This puts an organization’s clients at risk, and lest you think it is a rare occurrence, it happens all the time: major brands like T-Mobile and VTech have suffered large-scale data theft. If the director of the CIA can be compromised, how safe do you think you are?

Thankfully, you can still take steps to fortify your networks and preserve your data. Remediation management represents one of the most effective strategies in this regard. It helps you compensate for the weaknesses in basic cybersecurity practices and gives you greater control over your system’s maintenance. These three tips will help your organization defend itself against outside hazards.

  1. Follow Up Thoroughly When You Scan

Imagine this: your home security company calls you at work to tell you that your alarm is going off and asks whether they should investigate. You reply that even though you believe the break-in is real, the alarm itself should be enough to scare the intruders away, so an investigation isn’t necessary. Does that seem logical to you?

If not, you would probably be surprised at how many companies fail to follow up on their scans. Many organizations perform basic remediation, but only enough to satisfy a security standard. Those standards represent the bare minimum an organization must do to protect itself; their requirements are often inadequate for a typical network, so a company that does only what they demand can still end up compromised.

Your remediation management strategy should do more than the bare minimum. You need to perform scans more often than security standards suggest, and you must act on your results when you receive them. A scan means nothing if it leads to no new actions.

  2. Consider Your Context before You Remediate

Do you find it difficult to parse your vulnerability reports? You’re hardly the only person to face this problem. A scan will usually return thousands of results, all of which fall into overly broad categories. Still, you need to understand these results if you want to tangibly secure your network.

Remediation management uses a risk-based approach to organize these results. Rather than treating every finding with the same severity label as equally urgent, it prioritizes by context: where the asset sits (internet-facing or internal), how much the business depends on the confidentiality, integrity and availability of what it holds, and how likely the weakness is to be exploited. Weighed this way, a high-severity finding on an isolated test box can rightly fall below a medium one on a public-facing system that handles customer data. Considering these factors lets you find your network’s most critical assets and give them the protection they need.
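As an added example of what the risk-based prioritization recommended here (and in the “Going Beyond” discussion of the compliance post above) looks like in practice, the Python below scores each scanner finding by its CVSS base score, the asset’s exposure, the asset’s confidentiality/integrity/availability requirements and whether exploit code is public, then sorts the backlog and assigns a remediation deadline. This is illustrative code written for this page, not the author’s product or any vendor’s scoring method; the weights, SLA bands, asset inventory and findings are all constructed, and the finding titles are generic with no real CVE identifiers implied. The point it demonstrates is that a 9.8 on an isolated dev box lands at the bottom of the list, below a 5.9 on an internet-facing payments system.

```python
"""Added example, not from the original post: a simple risk-based prioritization
of scanner findings. Assets, findings, weights and SLA bands are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    exposure: str          # where it is reachable from: internet, dmz, internal or isolated
    confidentiality: int   # business requirement, 1 (low) to 3 (high)
    integrity: int
    availability: int


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    cvss: float            # CVSS base score as reported by the scanner
    exploit_public: bool   # exploit code known to be publicly available


# How much of the raw score survives given where the asset is reachable from (assumed weights).
EXPOSURE_WEIGHT = {"internet": 1.0, "dmz": 0.8, "internal": 0.5, "isolated": 0.2}

# Constructed inventory: what each asset is and how much it matters.
ASSETS = [
    Asset("payments-api", "internet", 3, 3, 3),
    Asset("hr-portal", "internal", 3, 2, 2),
    Asset("dev-jumpbox", "isolated", 1, 1, 1),
]

# Constructed scan output. Titles are generic; no real CVE identifiers are implied.
FINDINGS = [
    Finding("dev-jumpbox", "Outdated SSH server build", 9.8, False),
    Finding("payments-api", "TLS configuration permits weak ciphers", 5.9, False),
    Finding("payments-api", "Remote code execution in web framework", 8.1, True),
    Finding("hr-portal", "SQL injection in login form", 8.8, True),
]


def asset_criticality(asset):
    """The highest of the C/I/A requirements dominates, scaled to 0..1."""
    return max(asset.confidentiality, asset.integrity, asset.availability) / 3


def risk_score(finding, asset):
    """Contextual 0..10 score: CVSS adjusted for exposure, asset criticality and exploitability."""
    score = finding.cvss * EXPOSURE_WEIGHT[asset.exposure] * asset_criticality(asset)
    if finding.exploit_public:
        score *= 1.5       # a public exploit shortens the attacker's path considerably
    return round(min(score, 10.0), 2)


def sla_days(score):
    """Remediation deadline bands; the thresholds are an assumption, tune them to your policy."""
    if score >= 7.0:
        return 7
    if score >= 4.0:
        return 30
    return 90


def prioritize(findings, assets):
    """Return findings as (score, sla_days, asset, title, cvss) tuples, highest risk first."""
    inventory = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = inventory[f.asset]       # unknown asset: fail loudly rather than silently guess
        s = risk_score(f, a)
        rows.append((s, sla_days(s), f.asset, f.title, f.cvss))
    rows.sort(key=lambda r: (-r[0], -r[4]))   # tie-break on raw CVSS
    return rows


if __name__ == "__main__":
    for score, days, asset, title, cvss in prioritize(FINDINGS, ASSETS):
        print(f"{score:5.2f}  fix within {days:3d} days  {asset:13s} CVSS {cvss:4.1f}  {title}")
```

Run stand-alone, the ranking comes out payments-api (RCE, 10.0, fix within 7 days), hr-portal (SQL injection, 6.6), payments-api (weak TLS, 5.9) and finally dev-jumpbox (outdated SSH, 0.65, 90 days) even though that last finding carries the highest CVSS of the four. In a real program the exposure and C/I/A values come from your asset inventory, not from the scanner, which is exactly why the context has to be maintained separately from the scan results.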

  3. Watch High-Risk Vulnerabilities Closely

Say you had a valuable Ming vase in your home. Would you rather set up a surveillance system to protect it or leave it unprotected? 

Your information may be every bit as valuable as the Ming vase, so protect it accordingly. If your scans show that particular assets are highly exposed, start monitoring them. Even after you remediate a weakness it can come back: a patch gets rolled back, a new build reintroduces the flaw, or a configuration drifts. Rescanning the fixed asset to confirm the fix held, and keeping it under continuous watch, is essential.

Want to learn more about remediation management?


Topics: Vulnerability Management, Remediating Risks