Testing IT System Vulnerabilities
How Often Should Vulnerability Assessments Be Performed?
“Cyber-crime is the greatest threat to every company in the world.”
Those are the words of IBM’s Chairman, President and CEO, Ginni Rometty, back in
2015. Since then it’s only gotten worse. Just take a look at these statistics, updated for 2018:
• The potential cost of cyber-crime internationally is $500 billion a year
• Data breaches will cost the average company in excess of $3.5 billion
• Ransomware attacks grew by 36% in 2017
• 1 in every 131 emails contains malware
• 43% of cyber-attacks target small businesses
• 230,000 new malware threats are produced every day
Everything, it seems these days, is connected to the internet. The cloud can be a dangerous
place. Throughout your organization, you have employees using email, remote access, or the
internet daily. It’s impossible to monitor and manage every point of entry into your network
from every employee in your organization.
“I don’t know that much about cyber (attacks), but I do think that’s the number one
problem with mankind.”
Those are the words of Berkshire Hathaway’s Warren Buffett at a shareholder meeting, where he
told investors that cyber-attacks are a more dangerous and imminent threat than nuclear,
biological, or chemical attacks.
Doing Proper Threat Assessments
The first step is to schedule regular assessments. Realistically, you need to scan your network at
least once a month and address any vulnerabilities you find. Yes, this may be more than
you are required to do by your own compliance requirements or guidelines, but a lot can
happen in a month. Your network scan should include every device with an IP
address: desktops, laptops, printers, routers, switches, hubs, servers, wired and wireless
networks, and firewalls. Don’t forget to check multifunction printers, like copy machines, which
often store documents.
You want to assess whether there are missing software patches and updates and whether any changes
have been made to your network. Many of the biggest hacks have been carried out through
vulnerabilities left open when software wasn't updated. The recent hack at Equifax, one of the
world’s top credit reporting agencies, occurred because a known security flaw had not been patched,
even though the patch had been made available months earlier.
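The two checks described above (has anything changed on the network since the last assessment, and is any device still running software below the version a vendor patch requires) can be automated by diffing a stored baseline inventory against the newest scan. The script below is an added example, not code from the original article; the inventory format, the hosts, the package names and the required versions are all constructed for illustration, and in practice the current inventory would come from your monthly scanner export.

```python
"""Diff a baseline asset inventory against a fresh scan and report findings."""
from dataclasses import dataclass


@dataclass
class Asset:
    ip: str
    kind: str        # desktop, printer, router, firewall, ...
    software: dict   # package name -> installed version string

# Constructed baseline, recorded after the previous monthly assessment.
BASELINE = {
    "10.0.0.10": Asset("10.0.0.10", "server", {"webapp-framework": "2.3.1"}),
    "10.0.0.20": Asset("10.0.0.20", "printer", {"printer-fw": "1.8"}),
    "10.0.0.1":  Asset("10.0.0.1", "firewall", {"fw-os": "7.0.4"}),
}
# Constructed current scan: the printer was updated, the server was not,
# and a device nobody recorded has appeared on the network.
CURRENT = {
    "10.0.0.10": Asset("10.0.0.10", "server", {"webapp-framework": "2.3.1"}),
    "10.0.0.20": Asset("10.0.0.20", "printer", {"printer-fw": "1.9"}),
    "10.0.0.1":  Asset("10.0.0.1", "firewall", {"fw-os": "7.0.4"}),
    "10.0.0.99": Asset("10.0.0.99", "unknown", {}),
}
# Constructed minimum patched versions taken from vendor advisories.
REQUIRED = {"webapp-framework": "2.3.5", "printer-fw": "1.9", "fw-os": "7.0.4"}


def version_tuple(version: str) -> tuple:
    """Compare dotted versions numerically so that 1.10 > 1.9."""
    return tuple(int(part) for part in version.split("."))


def assess(baseline: dict, current: dict, required: dict) -> list:
    """Return (finding, ip, detail) tuples: new hosts, vanished hosts, outdated software."""
    findings = []
    for ip in sorted(set(current) - set(baseline)):
        findings.append(("new-host", ip, current[ip].kind))
    for ip in sorted(set(baseline) - set(current)):
        findings.append(("missing-host", ip, baseline[ip].kind))
    for ip, asset in sorted(current.items()):
        for pkg, installed in asset.software.items():
            need = required.get(pkg)
            if need and version_tuple(installed) < version_tuple(need):
                findings.append(("outdated", ip, f"{pkg} {installed} < {need}"))
    return findings


if __name__ == "__main__":
    for finding in assess(BASELINE, CURRENT, REQUIRED):
        print(*finding)
```

Each finding is a follow-up item for the assessment: a new host needs to be identified and either inventoried or removed, and an outdated entry needs the patch applied before the next scan.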
Disaster Recovery Plan
At the same time, you want to make sure you have a disaster recovery plan in place. This
includes what to do if your threat assessment reveals a vulnerability or, even worse, an actual
breach, or if malware, ransomware, or a virus has managed to infect your systems.
Consider Getting Outside Help
It’s not enough to run automated scans and do periodic testing. Are you also doing penetration
testing, vulnerability assessments, security audits, and code reviews? If you want to provide
maximum protection against security threats, you may want to consider bringing in professionals
to help monitor and maintain your systems. Doing a full analysis of your systems and structure
can help protect your proprietary data and help keep things running smoothly.