What is a vulnerability assessment and why should I do one?
When it comes to IT security, most businesses I speak to have become more sensitive to, and more concerned about, IT security breaches.
“Why is everyone so worried?” you may wonder. The reasons vary depending on what type of business you’re listening to as well as the position of the person within that organization.
Some of the common responses I’ve heard include loss of data and personal identifiable information (PII), loss of revenue, and damage to their organization’s reputation.
These concerns are echoed from IT management all the way up to presidents and business owners. Across all those businesses and roles, no one has ever told me that defending against the consequences above “is not important to me”.
When meeting with clients who have security concerns, one of the first questions I ask is, “When was the last time you conducted a vulnerability assessment?” The responses range from, “just last week” (the least frequent) to “I did one a few years ago and it was fine.”
But, the response I usually hear the most is, “What is that?” or “I have never done one.”
As Vice President of Commercial Sales, I’ve asked hundreds of businesses this question over the years as a crucial first question in any IT security conversation. The answer is important in determining where they are from an IT security standpoint and where they need to go to reach a solid state of security.
In this article, you’ll learn what a vulnerability assessment is, the different types of assessments, and why your business needs them. By the end of it, you’ll also understand why I always start a security conversation with that question above.
What is a vulnerability assessment?
A vulnerability assessment is a point-in-time test that provides a snapshot of your security posture at a specific moment.
There are two types of vulnerability assessments: internal (from the inside out) and external (from the outside in).
Internal vulnerability assessments
An internal vulnerability assessment is done to determine whether any changes inside the network have created a cyber threat to your organization.
For example, one of the most common ways a vulnerability is created within your organization is when you add a network printer to your network. Printers store sensitive information and are targets for hackers.
Since the printer is on the network, it is just like any other connected device such as computers, mobile devices, and servers. Like those other devices, if the network printer is not secured, it can be accessed externally, and you lose control over the device and the data it is storing.
How often should I have an internal vulnerability assessment?
From a frequency standpoint, it’s a best practice to conduct at least two internal vulnerability assessments per year. The reason is that your internal network likely changes frequently over 12 months. Consider how often you add or remove devices, update settings, and make other changes that may affect network accessibility. Couple that with the potential issues each of those changes can open, as in the printer example above.
Eye-opening, isn't it?
External vulnerability assessments
An external vulnerability assessment is conducted to determine how exposed your network is to an attacker trying to break in from the outside.
This differs from the internal assessment where you’re looking to see what internally has changed and if any holes have opened. The external vulnerability assessment looks at things like your risk of exposure from the internet and known vulnerabilities in hardware or software.
How often should I have an external vulnerability assessment?
From a frequency standpoint, it’s a best practice to conduct at least one external vulnerability assessment per year. One reason the recommended frequency is lower than for internal assessments is that there are typically more changes to your internal environment in a year.
Another reason is that, in theory, your business is already applying patches and updates for known vulnerabilities disclosed by the hardware and software vendors you use. By contrast, a misconfiguration inside your network is not something a vendor patch will fix: the manufacturer of your routers, for example, wouldn’t send your business a specific patch because someone on your team accidentally left the wrong port open.
Why do I need a vulnerability assessment?
Earlier in the article, I mentioned that I sometimes hear, “I did one a few years ago and it was fine,” to my opening vulnerability assessment question. This is always the most interesting response because those same people also say that they didn’t do another assessment because of budget or time constraints.
Security breaches, IT security risks, and hacking attempts have increased astronomically in recent years. Hackers are always innovating and looking for their next bread-and-butter strategy. Zero-day vulnerabilities, ones that are being exploited in the real world before vendors have patched them, are also becoming more common.
If your business conducted one of these assessments several years ago, it was because you believed there might be an issue or wanted to shore up your cybersecurity posture. Either way, you had a reason to feel uneasy or concerned, and you conducted a vulnerability assessment at that time.
Years are like lifetimes in cybersecurity. The world is very different than it was even six months ago, and so is the technology you were using. So, when people reply that they didn’t conduct a more recent assessment due to budget reasons or time constraints, I like to ask, “What is the time commitment and potential budget loss if you don’t do one?”
How much could an IT security breach cost my business?
According to IBM’s most recent Cost of a Data Breach Report, an IT security breach costs a company in the United States an average of $8.64 million. That’s the highest average cost per data breach by country or region across the entire world.
That $8.64 million average is also for a single breach, and being breached once doesn’t prevent a company from being breached again, especially if it hasn’t shored up its defenses afterward.
By comparison, two internal and one external vulnerability assessment would be a tiny fraction of that cost.
What could happen if I don’t do a vulnerability assessment?
If you have not conducted an assessment, your organization could have a myriad of issues in your environment to deal with. Or maybe you have been lucky so far and don’t have a Pandora’s box of vulnerabilities ready to be exploited.
I have seen many clients who have had a breach or an issue and were unaware of why they were breached in the first place. Part of the reason is that they had no intimate knowledge of where the risks were in their network, and they lacked that knowledge because they weren’t conducting vulnerability assessments.
A cautionary tale from a client
For a specific real-world example, a client who was breached several years ago had never conducted any type of vulnerability scanning. The incident caused that company data loss and revenue loss, and they took a hit to their reputation. It also cost them double to resolve the issue and get their business running again.
However, that IT security breach was a wake-up call for them. They started conducting regular assessments so they would be aware of their vulnerabilities, and then addressing those issues to minimize the potential harm that follows when vulnerabilities are left unaddressed (or undiscovered) and then exploited.
Vulnerability assessments are a crucial part of a bigger strategy, not a silver bullet
No one tool will keep your business and data completely safe from threats.
Vulnerability assessments are a valuable tool as a part of a larger defense-in-depth strategy. It’s like knowing some of the answers to the test before it’s passed out.
However, there are many other things to consider with IT security. For example, even with vulnerability assessments in place, how would you go about prioritizing and remediating the issues that are discovered? How do you address all of them without dedicating all your IT resources and budget to that one process, when there are also likely other ways threats could breach your network?
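One way to turn assessment findings into a remediation order, added here as an illustration and not a Kelser procedure: the scoring below is an assumed scheme that weights a finding’s base severity by whether it was found from the outside (the external assessment), whether the asset stores sensitive data (like the network printer above), and whether a vendor fix already exists (the router-port example, where none does). The findings are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample findings modelled on the article's examples (an exposed
# network printer, a router with the wrong port open, a known vulnerability
# on a server). The weights in priority() are an assumed scheme, not a standard.

@dataclass
class Finding:
    asset: str
    title: str
    severity: float             # base severity, e.g. a CVSS score from 0 to 10
    source: str                 # "external" (outside in) or "internal" (inside out)
    stores_sensitive_data: bool
    vendor_fix_available: bool  # False for misconfigurations no patch will fix

def priority(f: Finding) -> float:
    """Higher score means remediate sooner.

    External findings are reachable from the internet, so they are weighted up;
    assets holding sensitive data add risk; a missing vendor fix means the issue
    needs a configuration change or compensating control, which usually takes
    longer, so it is weighted up slightly as well.
    """
    score = f.severity
    if f.source == "external":
        score *= 1.5
    if f.stores_sensitive_data:
        score += 2.0
    if not f.vendor_fix_available:
        score += 1.0
    return round(min(score, 20.0), 2)

def remediation_order(findings):
    """Return the findings sorted most urgent first."""
    return sorted(findings, key=priority, reverse=True)

SAMPLE_FINDINGS = [
    Finding("print-01", "Printer admin page reachable without a password", 7.5, "internal", True, False),
    Finding("edge-rtr", "Management port open to the internet", 9.0, "external", False, False),
    Finding("file-srv", "Known vulnerability in file server software", 8.0, "internal", True, True),
    Finding("ws-22", "Outdated browser plugin", 5.0, "internal", False, True),
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE_FINDINGS):
        print(f"{priority(f):5.2f}  {f.asset:9s} {f.title}")
```

With these weights the internet-facing router outranks the printer even though the printer holds sensitive data; changing the weights changes the order, which is exactly the judgement an assessment report leaves to you.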
Start protecting your business and your data
Partnering with a managed service provider (MSP) like Kelser is a streamlined way of addressing those concerns. Our team of certified cybersecurity engineers can conduct those initial vulnerability assessments, review the findings, and prioritize any issues that are found. This ensures that you don’t have to worry about making the common mistake of prioritizing lesser threats over more serious ones.
With our managed services you can then make sure those vulnerabilities are addressed and that they don’t make a comeback. The managed services program includes features like managed network, managed anti-malware, automated patching, automated maintenance, automated monitoring, and unlimited technical support, so your network is continuously protected against vulnerabilities that surface in the future.
Even if you don't choose to partner with an MSP to handle your cybersecurity and ongoing technology needs, I’d highly recommend downloading our free eBook below which highlights 10 simple things you can do on your own to improve your organization’s cybersecurity.