What's An IT Vulnerability Scan? What Are The Benefits? Do I Need One?
Business leaders understand that their IT is the lifeline of their business. They know that technology drives the ability of their business to compete.
What they often don’t realize is that their network needs continuous care. Take cybersecurity, for example: the threats are constantly evolving, which means that what was secure yesterday may not be secure today.
So how can businesses combat this ever-changing threat?
One way is through vulnerability scanning.
As a service engineer at Kelser, I perform vulnerability scans for customers.
In this article, I’ll answer some of the most commonly asked questions about this tool, the benefits of using it, and how often vulnerability scanning is recommended. (Don’t worry, I’m not here to sell you on working with us, just to provide information so you can decide the best course of action.)
After reading this article, you’ll have a comprehensive understanding of vulnerability scanning. We believe that knowledge is power, so we publish articles like this one to give you all of the information you need to make educated decisions about IT solutions for your organization.
What Is A Vulnerability Scan?
An IT vulnerability scan is a tool used to identify possible gaps in security that could expose your network and devices to attack. The scanner discovers every device on your network and checks each one to see which ports are open and which communication protocols are in use that could expose you to an attack.
For example, maybe your software hasn’t had all of the security patches installed, leaving doors open for unauthorized people to gain access.
Why Are Vulnerability Scans Important?
Vulnerability scans are important because they provide actual data about possible paths of exposure on your network (software, hardware, and operating systems).
They provide information about security exposures such as gaps in software versions or missing patches that could be used to gain access to a company’s network and devices. They will also identify out-of-date protocols, so they can be phased out, upgraded, or changed to a more modern product that is more compliant and secure.
For example, a 10-year-old switch may be running outdated firmware. So even if that firmware is the latest release the vendor ever issued for it, you’ll want to replace that switch with one that is currently supported.
This knowledge of vulnerabilities can be used to develop a roadmap for addressing the exposures to ensure the security of your environment and data.
Vulnerability scans also can verify the effectiveness of third-party patch management software you may be using.
The scan will let you know that the patch management software is working (or that updates haven’t been installed, perhaps because a computer hasn’t been online since the patch was pushed out) without the need to touch and individually inspect each endpoint or device.
And, if vulnerabilities are exposed and you aren’t using a third-party patch management system, the scan can help you justify putting one in place to provide single-source insight into whether devices are up to date and compliant.
In short, vulnerability scans make sure that your organization is at the lowest possible risk for security issues.
Scans are one part of a comprehensive vulnerability assessment. Other parts include the analysis of the data collected, the preparation of a comprehensive report of the findings by an experienced security professional, and the development of a prioritized plan to address the identified risks.
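To make the "what the scan finds" part concrete, here is an added example that is not part of the original article and is not a Kelser tool or any scanner's real output. It takes a constructed, made-up sample of per-host scan results (hostnames, open ports, software versions and patch-agent check-in dates are all invented) and sorts them into the three kinds of finding discussed above: legacy cleartext services that should be turned off, software below an assumed minimum version, and hosts whose patch agent has not checked in recently. The legacy-port list, the minimum versions and the 14-day check-in window are assumed organizational baselines chosen for illustration, not vendor guidance and not a statement about any real vulnerability.

```python
"""Triage of vulnerability-scan output (illustrative example).

All hosts, ports, versions and dates below are constructed sample data.
The baselines (LEGACY_SERVICES, MIN_VERSIONS, PATCH_CHECKIN_MAX_DAYS)
are assumptions for this example, not vendor recommendations.
"""
import re
from datetime import date

# Constructed scan output: one record per discovered host.
SCAN_RESULTS = [
    {"host": "fileserver01", "open_ports": [22, 445],
     "software": {"openssh": "8.2p1"}, "last_patch_checkin": "2024-06-03"},
    {"host": "oldswitch-rack2", "open_ports": [23, 80, 161],
     "software": {"firmware": "1.4.7"}, "last_patch_checkin": None},
    {"host": "laptop-17", "open_ports": [],
     "software": {"openssh": "9.6"}, "last_patch_checkin": "2024-04-20"},
]

# Assumed baselines (illustrative only).
LEGACY_SERVICES = {21: "ftp (cleartext)", 23: "telnet (cleartext)", 69: "tftp (cleartext)"}
MIN_VERSIONS = {"openssh": "9.0", "firmware": "2.0"}
PATCH_CHECKIN_MAX_DAYS = 14
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_version(text):
    """Turn a version string such as '8.2p1' or '1.4.7' into a comparable tuple: (8, 2, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_below(found, minimum):
    """True when the discovered version is older than the assumed baseline."""
    return parse_version(found) < parse_version(minimum)


def days_since(checkin, today):
    """Days since the patch agent last reported, or None if it never did."""
    if checkin is None:
        return None
    return (today - date.fromisoformat(checkin)).days


def triage(results, today):
    """Convert raw scan records into a prioritized list of findings."""
    findings = []
    for host in results:
        name = host["host"]
        # 1. Legacy protocols still listening: usually unused and easy to turn off.
        for port in host["open_ports"]:
            if port in LEGACY_SERVICES:
                findings.append({"host": name, "severity": "high",
                                 "issue": f"port {port} open: {LEGACY_SERVICES[port]}",
                                 "action": "disable the service or replace it with an encrypted equivalent"})
        # 2. Software or firmware below the assumed minimum version.
        for product, version in host["software"].items():
            minimum = MIN_VERSIONS.get(product)
            if minimum and version_below(version, minimum):
                findings.append({"host": name, "severity": "medium",
                                 "issue": f"{product} {version} is below baseline {minimum}",
                                 "action": "apply the vendor update or replace the unsupported device"})
        # 3. Patch-management verification: has the agent reported recently?
        age = days_since(host["last_patch_checkin"], today)
        if age is None:
            findings.append({"host": name, "severity": "medium",
                             "issue": "no patch-agent check-in recorded",
                             "action": "enroll the device in patch management or confirm it is intentionally unmanaged"})
        elif age > PATCH_CHECKIN_MAX_DAYS:
            findings.append({"host": name, "severity": "low",
                             "issue": f"patch agent last checked in {age} days ago",
                             "action": "bring the device online and confirm pending updates install"})
    # Highest severity first; stable sort keeps per-host order within a level.
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"]))
    return findings


def summarize(findings):
    """Count findings per severity level for the report's headline numbers."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for finding in findings:
        counts[finding["severity"]] += 1
    return counts


def run_example():
    """Run the triage over the constructed sample as of a fixed (constructed) scan date."""
    return triage(SCAN_RESULTS, date(2024, 6, 10))


if __name__ == "__main__":
    results = run_example()
    for f in results:
        print(f"[{f['severity']:6}] {f['host']}: {f['issue']} -> {f['action']}")
    print(summarize(results))
```

Two points worth noticing in the output: the old switch produces three separate findings (an open telnet port, firmware below the baseline, and no patch-agent check-in), which is exactly the kind of device the article says you’ll want to replace rather than patch, and the laptop’s only finding is a stale check-in, the case where the patch management software is fine but the machine simply hasn’t been online. Because the scan date is fixed in the script, the results are a snapshot; rerunning against a newer scan is how you see whether the plan is actually closing the gaps.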
Related article: What Is A Vulnerability Assessment?
Who Needs A Vulnerability Scan?
I would argue that every organization needs regular vulnerability scans.
Is There Anyone Who Might Not Need A Vulnerability Scan?
These days even small businesses like plumbers, crafters, carpenters, and bake shops use technology, so every organization needs vulnerability scans to be aware of what devices are operating on their network. There is always a chance that a device you may not even know is on your wired or wireless network could pose a risk.
How Often Should Vulnerability Scans Be Performed?
I recommend regular scans. For some organizations that might mean daily and for others that might mean monthly or quarterly.
At the very least, vulnerability scans should be done annually. The more frequent the better, because these scans only provide information about your infrastructure at a given moment in time. Systems can be compromised at any moment.
These scans can find holes that might be open in endpoints, networks, or servers. In many cases these might be tools that you aren’t even using and can easily be turned off to mitigate the risk and enhance security.
With that being said, some software vendors recommend that organizations scan for vulnerabilities every day. If you have unlimited resources and that is an option for you, that is obviously the safest approach, but for most organizations monthly to quarterly is sufficient.
There are also more proactive software products that monitor network traffic in real time. These can be costly and are typically used by organizations with higher risk.
How Much Do Vulnerability Scans Cost?
There are two costs associated with vulnerability scans:
1. The tool
Anyone can buy a single license for a scanning tool. But, just as buying a Ferrari doesn’t mean you can drive and understand the intricacies of the engine, the data that the tool generates could easily overwhelm an IT generalist.
2. Interpretation & Plan Development
The other cost (and frankly the real value) comes in when you have an experienced IT security professional perform the scan and analyze the output, presenting a path forward that prioritizes the most important vulnerabilities so you can systematically improve the security of your network.
Most IT providers perform vulnerability scans as project work, which means you should know the cost before the project begins.
How Long Do Vulnerability Scans Take To Perform?
The total time depends on the number of devices and the particular scan you are running. In general, though, it typically takes several minutes to scan each endpoint.
How Long Does It Take To Get The Analysis/Report?
Depending on the amount of data there is to sort through, a brief analysis could take an hour or two to prepare. Most providers can analyze the data and have a fully comprehensive report ready within a week or two of the scan date.
Who Should Perform A Vulnerability Scan?
While anyone can perform a vulnerability scan, we recommend working with a trained, experienced, qualified IT security professional so that you can capitalize on the information gathered without being overwhelmed by data.
There is information in the scan data that could be useful to a lower-level IT engineer, but the most value will be gained by working with an experienced professional who can help you interpret the data, and prioritize and implement fixes.
Who Should Fix The Vulnerabilities Identified?
There may be some easy resolutions that can be handled quickly and efficiently by an in-house IT team such as updating a browser or uninstalling outdated software.
Many organizations use an external IT provider to implement larger solutions (such as updating a server) as part of an outsourced project agreement to reduce the strain on the internal IT team (assuming they have one).
What’s The Bottom Line?
The bottom line is that every organization needs to scan for vulnerabilities at least once a year (if not more often).
After reading this article, you understand what a vulnerability scan is and who needs one. You know how often they are recommended, the factors that affect cost, how long they take to perform, how long the analysis and report generation can take, who should perform them, and who should fix the vulnerabilities identified.
You may have a large internal IT staff that can handle both the scanning and analysis. If you are a business or IT leader at a small to medium-sized business, you may be considering partnering with an external IT service provider to perform your vulnerability scans.
If you are exploring external IT partners, we encourage you to explore several options to make sure you find the right partner for your organization. Read this article to learn the 10 best questions to ask any IT provider.
If you are evaluating providers, consider Kelser’s offering which includes a full suite of cybersecurity protections including vulnerability scans.
Wondering if your cybersecurity protections are up to the latest threats? Click the button below to learn 10 actions you can take today to improve your security and protect your data including: backing up data, implementing multi-factor authentication (MFA), and protecting mobile devices.