You work hard to ensure your business is compliant with various security standards and legislation governing your security measures. Often, that means performing vulnerability assessments—sometimes on your own and sometimes by hiring an outside vendor. But while vulnerability assessments can be useful, they are not enough to ensure your business will be secure.
Off to a Good Start
By now, you know that compliance and security cannot be equated. Too many businesses make this erroneous assumption: By complying with standards and legislation, the firm will achieve security. Since many standards require vulnerability assessments, many firms believe they can simply assess their system for vulnerabilities and then stop.
The problem is that, while vulnerability assessments are a good start, they are not all you can do to ensure your systems are safe. Much as being compliant doesn’t mean you’re secure, doing an assessment doesn’t mean you’ve done anything to address the problems.
Utilizing Your Assessment
Imagine requesting a report about hazards in the workplace. You get the report back and it turns out there are a lot of potential risks to your employees! Some of them are high-risk—it’s very likely someone will be hurt if you don’t fix this hazard. Some of the items are lower-risk, but someone still could get hurt. And if it can be proven that you have this report, but didn’t do anything about the hazards before someone gets hurt, you could be looking at the wrong end of a lawsuit.
This is precisely the same situation with vulnerability assessments: You get a report detailing the potential risks to your systems. Now it is up to you to determine what you do with that information. If you stop there and do nothing to address the risks, you’re leaving your business open to attack, potentially exposing your clients to harm, and, in some cases, risking a negligence lawsuit. Much as you want to address those physical hazards that could harm your employees, you want to address the risks that could harm your systems and your clients! That’s why you need vulnerability remediation.
Assess, Then Remediate
Relatively few firms engage in vulnerability remediation, for a variety of reasons. The most common problem is that vulnerability assessments can be daunting. A single scan can report hundreds or even thousands of items, often with very crude categorization of threat levels. If your firm isn’t using a risk-based approach to assessment and remediation, then the task of fixing the identified risks can appear absolutely overwhelming.
That means that remediating identified vulnerabilities can become an exercise in futility for IT departments as they spend time fixing items without knowing if they’re actually improving system security. That doesn’t seem very cost-effective or efficient. Rather than spending the time and money, then, many companies will simply stop at the assessment stage, because nothing more is required of them to be compliant.
Get More from Your Assessment
Most scans don’t take network context into account, which creates issues when you try to rationalize remediation activities. Without network context, it’s difficult to know which risks are threatening the crucial parts of your system operations, and which ones have been identified on lower-priority network assets. With a risk-based approach, additional information about assets—such as the type of asset and the asset’s location—gives you better insight into what needs to be fixed right now. Remediation tasks are prioritized and performed with a more rational approach, leading to higher efficiency in implementation, better security for your systems as you address actual risks, and an improved ROI on your initial assessment—and any subsequent vulnerability management activities you undertake.
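As an added illustration of the risk-based approach described above (example code written for this article, not a product or tool the text refers to), the following Python weights each scanner finding by the asset's business criticality and network exposure and compares that ordering with the scanner's raw severity ordering. The findings, the weight tables and the tier thresholds are constructed for the example and would be tuned to your own environment.

```python
from dataclasses import dataclass

# Hypothetical weights: how much an asset's business criticality and network
# location should scale the scanner's raw severity. Tune these to your estate.
ASSET_CRITICALITY = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}
EXPOSURE = {"internet": 1.0, "dmz": 0.8, "internal": 0.5, "isolated": 0.2}


@dataclass(frozen=True)
class Finding:
    finding_id: str   # scanner's identifier for the item
    host: str         # affected asset
    severity: float   # scanner's 0-10 severity as reported (e.g. a CVSS base score)
    asset_type: str   # what the asset is, e.g. "db-server", "workstation"
    criticality: str  # business criticality of the asset (key of ASSET_CRITICALITY)
    exposure: str     # network location of the asset (key of EXPOSURE)


def risk_score(f: Finding) -> float:
    """Raw severity scaled by asset context; unknown context values raise KeyError."""
    return round(f.severity * ASSET_CRITICALITY[f.criticality] * EXPOSURE[f.exposure], 2)


def remediation_tier(score: float) -> str:
    """Bucket a contextual risk score into a remediation queue (thresholds are illustrative)."""
    if score >= 7.0:
        return "fix now"
    if score >= 3.0:
        return "schedule"
    return "monitor"


def by_severity_only(findings):
    """The ordering a scanner report gives you: severity first, id as a tie-break."""
    return sorted(findings, key=lambda f: (-f.severity, f.finding_id))


def prioritize(findings):
    """Risk-based ordering: contextual score first, raw severity as a tie-break."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.severity, f.finding_id))


# Constructed sample scan output: a critical-rated item on an isolated test box
# and a lower-rated item on the internet-facing payment database.
SAMPLE_FINDINGS = [
    Finding("F1", "test-ws-07", 9.8, "workstation", "low", "isolated"),
    Finding("F2", "pay-db-01", 7.5, "db-server", "critical", "internet"),
    Finding("F3", "web-01", 6.5, "web-server", "high", "dmz"),
    Finding("F4", "files-02", 9.8, "file-server", "medium", "internal"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f.finding_id, f.host, f.severity, risk_score(f), remediation_tier(risk_score(f)))
```

Severity alone would put the isolated test workstation at the top of the queue; with asset context, the internet-facing database moves to "fix now" and the test box drops to "monitor".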