Vulnerability management and your business

Posted By:
Lifeline Design

There is no such thing as a foolproof data security plan. Whether you're talking about your software security, the physical security of your building, or your staff's resistance to scams and social engineering ploys, your business is always going to have certain vulnerabilities. But that doesn't mean your data is a lost cause! Good data security is all about recognizing these vulnerabilities, understanding them, and mitigating them.

Vulnerability management is the name of the game, and it can save your business from having to deal with a data breach.

Why management and not solutions?

No matter how hard you try, you'll never get to a place where your security is "done." There is no end product or ideal goal to hit when it comes to protecting your data, only a continuous process of testing, reporting, and refining. You should always be reconsidering your current vulnerabilities rather than thinking in terms of "solved" or "finished."

This is because your security situation will always be changing, no matter what you do. Consider your network and computing infrastructure. The programs you use, from accounting software to operating systems, will always be updated, patched, and changed. As your business expands and technology develops, new applications and programs will always be introduced to the workplace. Your users will always be changing as employees move into different roles and new hires are given access to different aspects of your business. And of course, your network is connected to the wider world, meaning there will always be an avenue for new malware, ransomware scams, and the like to be introduced into your system.

None of these elements are static, and that's why your security policy can't be.

The process

First, you need to know what you're working with. In security parlance, this is known as "asset discovery," a comprehensive overview of what is currently being used on your network and who is using it. This might seem like a simple thing, but if you have multiple users working on multiple computers, it is entirely likely that your employees have installed their own programs and preferred browsers, and have made other changes to their systems. It's going to take a bit of work to compile all the information.

The next step is to do a vulnerability sweep. This will generally require third-party software that will scan your system and look for possible avenues of attack. Plenty of vendors such as McAfee, Qualys, Rapid7, and Tenable Network Security offer different options in this space. There are also open source and free solutions like the CVE security management database where you can manually review your vulnerabilities. This step will either take some work or a (relatively) small amount of money, but it is well worth the effort/cost.

These reports should be organized by the kind of vulnerability they present. Is it a software issue such as a known exploit or flaw? Is it a breach issue where a certain site or software you use had its database breached and possibly exposed passwords or other sensitive information? Are there dangerous settings such as auto-executing macros or manual-only updates that need to be addressed? Take them all down and sort through what can and can't be immediately addressed.

You also need to make your staff part of the process. They need to report, on an ongoing basis, on suspicious emails they've received, possible scams, and physical site vulnerabilities (a door nobody ever watches, poorly maintained windows and locks, etc.). These reports should also be collected and organized by type (social engineering scam, attempt to make a user run a shady executable, fraudulent identity, etc.).

When you have these sorted, prioritize them by what you can do. If a certain program suffers from a known serious exploit or is prone to security disasters, see if you can find an alternative to use. If there are unsafe settings that need to be adjusted, go through and make sure they are taken care of on each machine. Set up training sessions with your staff about email security, password management, and common social engineering scams. If you're not confident you can speak on these matters, hire a consultant to run a training class – it might seem like an unnecessary expense, but it is far more affordable than dealing with a real security breach.

Next, figure out your risk response. Which risks can you mitigate and to what extent? Some things will be easy fixes – you buy a better lock for the back door, or you make sure your anti-virus and Windows updates are set to auto-patch. Others, you might not be able to address so easily. Maybe you've identified that outside, employee-owned devices are a security risk, but they're also essential to your operations. You can't just ban them outright, but how can you make them less of a risk? What process or policy can you put in place (and enforce) that will help stem the risks you can't outright eliminate?

Rinse, lather, and repeat! Once you've identified your risks and set your policies, you need to continually adapt and improve them over time! Fold it into your regular operations and embrace it as a way of life for your business.
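To make the steps above concrete, here is a small triage script written for this post (it is an added example, not something the original article or any vendor provides). It takes a constructed asset inventory from the discovery step and a constructed list of findings of the kinds the post describes (scanner results plus staff reports), flags any machine that shows up in a finding but not in the inventory, groups findings by type, and turns them into an ordered response plan: quick fixes first, and a compensating policy for anything essential that cannot simply be patched or removed. All hostnames, owners, and findings are made-up sample data.

```python
"""Vulnerability triage helper (added example; sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    """The report categories the post suggests sorting findings into."""
    SOFTWARE_FLAW = "software flaw"
    BREACH_EXPOSURE = "breach exposure"
    UNSAFE_SETTING = "unsafe setting"
    SOCIAL_ENGINEERING = "social engineering"
    PHYSICAL = "physical site"


@dataclass(frozen=True)
class Finding:
    asset: str              # hostname, account or location the finding applies to
    kind: Kind
    summary: str
    severity: int           # 1 (low) .. 5 (critical), as rated by the scanner or reviewer
    fix_available: bool     # True if we can remediate directly (patch, setting, lock)
    essential: bool = False  # True if the asset can't simply be removed or banned


# Constructed inventory: what the "asset discovery" step found on the network.
INVENTORY = {
    "acct-pc-01": {"owner": "finance", "software": ["accounting-suite", "office"]},
    "front-desk": {"owner": "reception", "software": ["office", "browser"]},
    "byod-phone-7": {"owner": "sales", "software": ["mail-client"]},
}

# Constructed findings, as a scan report plus staff reports might produce.
FINDINGS = [
    Finding("acct-pc-01", Kind.SOFTWARE_FLAW, "accounting-suite has a known flaw with no vendor fix", 5, False, essential=True),
    Finding("front-desk", Kind.UNSAFE_SETTING, "Office macros auto-execute", 4, True),
    Finding("front-desk", Kind.UNSAFE_SETTING, "updates set to manual", 3, True),
    Finding("shadow-laptop", Kind.SOFTWARE_FLAW, "outdated browser with a known flaw", 4, True),
    Finding("sales@example.test", Kind.BREACH_EXPOSURE, "password appeared in a third-party breach", 4, True),
    Finding("reception", Kind.SOCIAL_ENGINEERING, "staff reported email asking them to run an attachment", 3, True),
    Finding("byod-phone-7", Kind.SOFTWARE_FLAW, "employee-owned phone, OS version unknown", 3, False, essential=True),
    Finding("back-door", Kind.PHYSICAL, "door with a broken lock that nobody watches", 2, True),
]

MACHINE_KINDS = (Kind.SOFTWARE_FLAW, Kind.UNSAFE_SETTING)


def unknown_assets(findings, inventory):
    """Machines that appear in findings but not in the inventory: gaps in asset discovery."""
    return sorted({f.asset for f in findings
                   if f.kind in MACHINE_KINDS and f.asset not in inventory})


def by_kind(findings):
    """Group findings by the category they belong to."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.kind].append(f)
    return dict(groups)


def response(f):
    """Pick the kind of action the post describes for each category of finding."""
    if f.kind is Kind.SOFTWARE_FLAW:
        if f.fix_available:
            return "patch or update"
        if f.essential:
            return "compensating policy: restrict access and monitor until a fix or alternative exists"
        return "replace with an alternative product"
    if f.kind is Kind.UNSAFE_SETTING:
        return "correct the setting on every affected machine"
    if f.kind is Kind.BREACH_EXPOSURE:
        return "reset the exposed credentials"
    if f.kind is Kind.SOCIAL_ENGINEERING:
        return "staff training session and a reminder of how to report"
    return "repair or replace the lock, or add monitoring"


def priority(f):
    """Sort key: highest severity first; among equals, things we can fix now come first."""
    return (-f.severity, not f.fix_available, f.asset)


def plan(findings):
    """Ordered risk-response plan as (asset, category, action) tuples."""
    return [(f.asset, f.kind.value, response(f)) for f in sorted(findings, key=priority)]


if __name__ == "__main__":
    print("Not in inventory:", unknown_assets(FINDINGS, INVENTORY))
    for kind, items in by_kind(FINDINGS).items():
        print(f"{kind.value}: {len(items)} finding(s)")
    for asset, kind, action in plan(FINDINGS):
        print(f"- {asset} [{kind}]: {action}")
```

Running the script prints the machine that discovery missed, a count per category, and the plan from the most severe item down. The ordering rule is deliberately simple (severity, then whether a direct fix exists) so that it can be re-run every time the scan or the staff reports change, which is the "rinse and repeat" part of the process.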

Yes, you may never completely eliminate your vulnerabilities, but by continuously working on them and staying on top of the most pressing threats, you'll make your business a less appealing target and minimize your chances of getting hit!