Buyer beware – software programs or tools that claim the ability to conduct a risk assessment by scanning your network with little to no human interaction should raise concern!
These tools will generally do a nice job discovering vulnerabilities that exist in your technology environment, but vulnerabilities are not risks by default.
Is you business familiar with vulnerability assessments and their benefits? If not, visit our website here to learn more about the benefits and how they can enhance your cybersecurity posture.
What is Needed
Risk requires the presence of a vulnerability PLUS the action of threat actor.
To illustrate this concept using an example from the tangible world, lets visualize a car. The car is parked, and the doors are unlocked. A premature conclusion would be to state that the doors being unlocked translates to risk. If you apply critical thought however, you will discover that the unlocked doors are simply a vulnerability that could be exploited.
You would need more information to determine actual risk. Is there anything valuable in the car? What is the crime rate associated with the place the car is parked? What would the impact be if someone gained access to the car? Who would attempt to gain access to the car? Are there other compensating controls in place, like a security camera? The same logic applies to the digital world.
The presence of vulnerabilities like unpatched computers or misconfigured devices will contribute to the likelihood of a risk event occurring, but it is shortsighted to say that vulnerabilities equal risk. That statement simply is not true.
A risk assessment requires critical thought to occur beyond the discovery of vulnerabilities by software tools. It requires critical thinking and the use of logic and reason. All of which made capable by the involvement of qualified human beings during the risk assessment process.
Relying on the arbitrary risk statements and scores created by software tools that simply discover vulnerabilities in your network, can lead to a false understanding of your actual risk profile. This can then easily lead to the wasteful allocations of resources – intended to reduce risk – but end up remediating a vulnerability instead.
What Happens After the Assessment?
Typically, a vulnerability assessment can be completed in a day or two. The results of a vulnerability assessment are documented and provided to the stakeholder complete with recommendations around remediating any weaknesses found.
Security shortcomings found during a vulnerability assessment can almost always be fixed. Many times, the fixes are very easy to accomplish. Roughly 60% of all reported cybersecurity breaches occurred because the bad actors exploited common vulnerabilities and exposures (CVE).
This means that roughly 60% of all reported cybersecurity breaches could have been prevented if the victim had simply conducted a vulnerability assessment and made small improvements to their cybersecurity posture that would have eliminated a substantial amount of risk.
Interested in setting up a vulnerability assessment? Contact Databranch today at 716-373-4467 x115, info@databranch.com , or fill in the form below to set up a meeting with one of our experienced team members.
Not only will we help with the assessment, but our team of highly trained engineers will help your business prioritize based on your specific business needs.
Request your free security risk consultation with a Databranch Security Expert here:
Content was provided courtesy of CyberStone.
comments powered by Disqus
