Why Small Businesses Need Vulnerability Assessments | Cyber Security for Small Business

Adam Gleeson, Vendor Alliance Manager at CyberLab, discusses top vulnerabilities found in small businesses and outlines why you should use external vulnerability assessments to kick-start your business cyber security.

He covers:

• • What is a vulnerability assessment? 

• • Why are vulnerability assessments important? 

• • Top five reasons to run external vulnerability assessments 

What is a Vulnerability Assessment?

A vulnerability scan is a type of testing that is run against IT systems or services to looks for known weak-points that could be exploited by cyber criminals.

Vulnerability scans are typically referred to as Internal – scanning computers, servers, network devices, etc, from a point on the inside of your IT network, or External – scanning your internet-facing interfaces – IP addresses, web servers, firewalls etc – from a point outside your network.

Why are vulnerability assessments important?

Scanning IT environments for vulnerabilities is not new, but in recent years the need to run these scans has become more pressing. As the cyber threats increase and the cyber criminals get more advanced, it’s important for businesses to protect their systems and the services they use. Not only to protect the business, but customers too.

The long and the short of it is that vulnerabilities in software, cryptography, operating systems etc., earn cash for those whom exploit them.

Historically, it was only large sprawling enterprise environments that ran vulnerability scans, and indeed this was often necessitated by regulatory needs or the complex nature of their software and device estates – smaller organisations felt able to keep a handle on what was going on in their environment.

Today, however, the vulnerability landscape changes almost constantly and we’re not just talking about software applications. The easiest way to keep yourself up to date with the changes is to run regular checks on your systems and automate them as much as possible such that they become part of your business-as-usual operation.

Automated External Vulnerability assessments are an excellent way to do this; whether you do them monthly or quarterly you do need to be doing them for your own protection. A one-off vulnerability scan is also a good place to start in securing your business as it can help identify where you are already vulnerable.

Top reasons why you need to be running External Vulnerability Assessments

Securing your business

Modern firewall solutions work brilliantly, but they need to be managed effectively for them to offer the best protection they can. Many small businesses manage their own firewalls and changes are necessary from time to time to allow different applications and services to function properly – sometimes these are permanent changes and sometimes they are short-term. In environments that have been in place for some time it becomes difficult to see at-a-glance what firewall configuration is actually in effect due to numerous rules.

If a robust change control system is not in place it is easy for firewall configuration changes that were once necessary to be reversed when no longer required – the most common of these is having firewall ports open that are not required.

External Vulnerability assessments can test the full range of ports that are open on your firewall and provide this information in a report that makes understanding what is and isn’t much easier.

Keep up with Cryptography obsolescence

The constant improvements and advances in semiconductor technology is making CPU’s increasingly powerful and this, in turn, means that cryptographic algorithms that were deemed so complex as to be essentially un-breakable at their conception, can now be crunched through on a realistic time scale.

Cryptographic algorithms are the encryption keys that are used to ensure all information and network traffic (flowing to and from your organisation over the internet), is kept secure and unreadable by the bad guys.

Without cryptography and encryption, every username, password, credit card number, payroll detail and file you send can be easily intercepted and read conceivably by anyone with an interest in doing that.

This is one of the key areas why external vulnerability testing applies to every organisation with an internet connection regardless of their size. Often cryptographic algorithms get retired and its easy to miss the notifications, regular monitoring will provide alerting of obsolete ciphers.

Ask yourself how often do you check whether all of your cryptographic ciphers are still valid and secure?

Comply with regulations

Anyone who much comply with the Payment Card Industry Data Security Standard (PCI DSS) is required to run External Vulnerability Scanning (amongst other measures) to ensure data security. Any organisation that must maintain compliance with GDPR standards is obliged to demonstrate they are maintaining a secure environment, running Vulnerability Scans on a regular basis is an excellent way to demonstrate that.

There are numerous other standards that Vulnerability Assessments contribute towards demonstrating compliance and they are a relatively inexpensive way to achieve it.

Double-checking your systems after making changes

Making changes to your internet connection or implementing new software or hardware solutions that affect your external connectivity are a common weakness found in organisations.

In the interests of validating new services or solutions are able to function, sometimes configuration changes are implemented on a temporary basis to facilitate testing, alternatively, the new service or solution itself may have vulnerabilities present or may introduce vulnerabilities that were not present previously.

Validating the integrity of your external security after any significant piece of work or change is a sensible approach to ensure peace-of-mind.

Cyber Insurance

Most organisations now have some form of cyber insurance policy to offer a degree of protection from the cost of a cyber incident, many find out to their detriment that the policy now includes a clause stating something to the effect that vulnerability testing must be performed periodically on the IT systems covered by the policy. Ensuring you are compliant with the requirements of the cyber insurance policies is another good reason to consider getting a regular vulnerability assessment schedule established.

–

Please reach out if you want to talk about protecting your business from cyber attacks.