Earlier this year, Travelex fell victim to the first large-scale cyber-attack of 2020. The currency transfer company, which has 1,200 branches across 70 different countries were forced to go offline while they investigated the incident and attempted to restore operations. Hackers had threatened to release 5GB of data, including names of clients and payment information, unless a $6 million (£4.6m) ransom fee was paid within seven days. It is rumored that Travelex had been aware of the vulnerability that was ultimately exploited, but waited eight months to patch affected servers, giving cyber criminals an opportunity to penetrate their systems (The Independent, 2020).
But they are not alone…. A survey by the Ponemon Institute in April 2020 found that 53% of respondents said their organizations had a data breach in the past two years with 42% of them admitting that the data breaches occurred because a patch was available but not applied.
It only takes is a single blind spot or vulnerability for your organization to be at risk. With thousands of vulnerabilities, how can organizations protect themselves and avoid disruptions to crucial business operations?
The answer is risk-based vulnerability management. This approach allows you to:
See: Vulnerability scans provide no security value unless they are used to reduce risk. The problem is that while vulnerability scanning tools identify weak spots, they don’t facilitate the management of vulnerabilities nor provide the business context needed to make decisions. By incorporating vulnerability management into the over risk management strategy, organizations gain a bird’s-eye view of the assets that are most at risk.
Prioritize: Protecting critical assets (e.g. those that hold sensitive PII, health information, payment card data, etc.) should be a top priority for organizations but with an individual scan identifying an average of 779,935 vulnerabilities (Ponemon Institute, April 2020), where do you begin? Realistically, not all vulnerabilities can be addressed and not all of them pose equal bearing. Risk-based prioritization is the best way to ensure that efforts and resources are best focused on what matters.
Comply: A number of regulatory standards require assessment and remediation of vulnerabilities. Requirement 6.1 of PCI DSS states that organizations must prioritize and patch vulnerabilities based on risk to be compliant. Article 32 of GDPR requires organizations to implement “appropriate technical or organizational measures to ensure a level of security appropriate to the risk.” There’s also an emphasis on vulnerability management in the CIS Top 10 Security Controls and the HIPAA Security Rule which highlights the danger of vulnerabilities to the confidentiality, integrity, and availability of health information.
Report: Communicating vulnerability management data through dashboarding and reporting can help you make informed decisions. By understanding the risks associated with the vulnerabilities, organizations can develop an appropriate action plan and determine budgets. It is important to report on progress of vulnerability management as well so that management can see the impact on the actions taken by the remediation team.
Review: For vulnerability management to be effective, it must be reviewed periodically to ensure that the organization is not left exposed. This is because the risk environment is dynamic – whilst some vulnerabilities may be addressed, newer ones are appearing elsewhere. Changes to the business and technology infrastructure can also require a change of focus and approach.
In conclusion, in order to gain real security value, a risk-based approach is needed. It provides context and insight to help businesses prioritize remediation of vulnerabilities whilst protecting critical assets. In return, businesses can better allocate resources, become more efficient and ultimately operate more smoothly to avoid disruptions.
If you are ready to take vulnerability management to the next level or would like to see what “what good looks like”, please view our webinar on-demand.