Many businesses mistakenly assume that by complying with industry standards and legislation, their systems are as secure as they can be. Almost nothing could be further from the truth; companies that stop at compliance are leaving themselves open to attack. To truly be secure, your firm needs to make vulnerability remediation a priority.
Vulnerability Management and Remediation
Most companies engage in some form of vulnerability management, such as completing an annual vulnerability scan of their systems. Vulnerability scans and other recommendations in standards and legislation are great first steps. The problem is that too many firms make that their only step. Once they have the vulnerability report and are declared compliant, they simply stop.
It should be obvious that simply receiving a report about risks to your systems is not a great approach to security. However, many firms are intimidated by the actual work of vulnerability remediation. After all, scans can return hundreds or thousands of items that need to be fixed. That seems like an awful lot of work and, when scan reports contain no contextual information about what risks are threatening critical system components, it can be hard to know where to start. Once you do get started, however, you’ll see that remediation is an integral part of your firm’s security.
The Problem of Remediation: What Do You Fix?
As discussed, vulnerability scans often report hundreds or thousands of items without much guidance as to what is really a threat to your system. Typically, reports sort threats into high-, medium-, and low-risk categories. However, that grossly oversimplifies the situation: It gives you no information as to where the risks are located in your system. A risk may be reported, but is it affecting assets deemed critical or confidential? Is the risk threatening your client-facing servers, or an individual workstation? Even if you tell your IT department to remediate all of the high-risk items, they could be working on “high-risk” items in low-risk locations while high-risk locations go unmonitored. You could ask your employees to simply fix every vulnerability in the scan, but that could involve remediating hundreds of low-risk and low-priority items.
Given this, it’s easy to see why some businesses simply skip the remediation step. However, vulnerability remediation is important to keep your systems secure. Think about it: If your insurance company proves you knew about a leak in your roof and did nothing about it, they’re not going to pay for the water-damaged floor to be replaced. Similarly, if your systems are breached and it can be proven that your company knew of the vulnerabilities but did nothing to fix them, you’re going to be held accountable.
A New Approach to Remediation
What can be done? Obviously, vulnerability remediation is an important part of your security program. But it can also be time-consuming and daunting. Instead of giving up or skipping remediation work altogether, however, make vulnerability remediation a priority and adopt a new approach. Instead of working blindly, use a risk-based approach to improve your remediation management.
Using a risk-based approach to vulnerability remediation allows your team to work in a more methodical, efficient manner, as the approach takes into account contextual system information. That means your team knows where an at-risk asset is physically and on the network, and who is responsible for it. They can also use this information to determine the level of threat posed by a vulnerability, based on which assets are threatened. That means they can effectively remediate risks that affect critical assets first, and it opens up a wide range of possibilities for approaching remediation in more cost-effective and efficient ways.
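The following script is an added illustration of the contextual, risk-based prioritisation described above; it is not code from the original article or from any scanning product. It joins a constructed scanner export (severity per host) with a constructed asset inventory (criticality, internet exposure, owner, location), scores each finding on both, and hands each responsible team its own ordered queue. The field names, weights and sample hosts are all assumptions chosen for the example; a finding on a host that is missing from the inventory is pushed to the top for triage rather than silently scored.

```python
"""Risk-based prioritisation of vulnerability scan findings (added example).

The scanner alone says only "high/medium/low". Joining each finding with
asset context lets a scanner-"medium" on an internet-facing critical server
outrank a scanner-"high" on an ordinary workstation. All data, field names
and weights below are constructed for illustration.
"""
from dataclasses import dataclass

# Weights are assumptions; tune them to your own risk model.
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
CRITICALITY_WEIGHT = {"critical": 3, "important": 2, "standard": 1}
INTERNET_FACING_BONUS = 2

# Constructed asset inventory: the context a bare scan report lacks.
ASSET_INVENTORY = {
    "web-01": {"criticality": "critical", "internet_facing": True,
               "owner": "web-team", "location": "DMZ"},
    "db-01":  {"criticality": "critical", "internet_facing": False,
               "owner": "dba-team", "location": "datacentre rack 4"},
    "ws-117": {"criticality": "standard", "internet_facing": False,
               "owner": "desktop-support", "location": "3rd floor"},
}

# Constructed scan findings in the shape of a typical scanner export.
SCAN_FINDINGS = [
    {"id": "F-1", "host": "ws-117", "severity": "high",   "title": "Outdated browser plugin"},
    {"id": "F-2", "host": "web-01", "severity": "medium", "title": "TLS configuration weakness"},
    {"id": "F-3", "host": "db-01",  "severity": "high",   "title": "Unpatched database service"},
    {"id": "F-4", "host": "ws-117", "severity": "low",    "title": "Informational banner"},
    {"id": "F-5", "host": "unknown-99", "severity": "high", "title": "Service missing patches"},
]


@dataclass
class PrioritisedFinding:
    finding_id: str
    host: str
    score: int
    owner: str
    location: str
    needs_triage: bool  # True when the host is not in the inventory


def score_finding(finding, asset):
    """Scanner severity weighted by asset criticality, plus an exposure bump."""
    base = SEVERITY_WEIGHT[finding["severity"]] * CRITICALITY_WEIGHT[asset["criticality"]]
    return base + (INTERNET_FACING_BONUS if asset["internet_facing"] else 0)


def prioritise(findings, inventory):
    """Return findings ordered for remediation: unknown assets first, then by score."""
    result = []
    for f in findings:
        asset = inventory.get(f["host"])
        if asset is None:
            # Cannot score what we cannot place; surface it for inventory triage.
            result.append(PrioritisedFinding(f["id"], f["host"], 0, "unassigned", "unknown", True))
            continue
        result.append(PrioritisedFinding(
            f["id"], f["host"], score_finding(f, asset),
            asset["owner"], asset["location"], False))
    # Triage items first, then highest score, then stable id order for ties.
    result.sort(key=lambda p: (not p.needs_triage, -p.score, p.finding_id))
    return result


def remediation_queues(prioritised):
    """Group the ordered list by owner so each team gets its own work queue."""
    queues = {}
    for p in prioritised:
        queues.setdefault(p.owner, []).append(p.finding_id)
    return queues


if __name__ == "__main__":
    ordered = prioritise(SCAN_FINDINGS, ASSET_INVENTORY)
    for p in ordered:
        flag = " [TRIAGE: host not in inventory]" if p.needs_triage else ""
        print(f"{p.finding_id:5} score={p.score:2} host={p.host:10} "
              f"owner={p.owner:16} location={p.location}{flag}")
    print(remediation_queues(ordered))
```

Run as written, the scanner-"medium" TLS finding on the internet-facing web server (F-2) lands above the scanner-"high" plugin finding on a workstation (F-1), which is exactly the reordering the contextual approach is meant to produce; the unknown host is listed first so someone fixes the inventory gap before anyone trusts the score.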