Why Some Companies Skip Vulnerability Management

By Fortra's Digital Defense

Vulnerability management may not be the most glamorous aspect of cybersecurity. But just like car insurance, brushing your teeth, and yearly physicals, it is vital to catching problems before it's too late. It's no secret that many companies struggle for resources, especially their security departments, and some unfortunately decide to skip security fundamentals that don't come with trendy buzzwords. The drawback is that bypassing these proactive basics, like vulnerability management, will virtually guarantee problems and larger expenses down the road. As the old saying goes, an ounce of prevention is worth a pound of cure. If you think you can't afford or don't have time for vulnerability management, you certainly don't have the resources to deal with a ransomware or DDoS attack that ends in a data breach or outage.

Here are some common reasons companies give for skipping proactive security steps like vulnerability management:

“I’m too small to hack” 

Alas, there is no such company. It's important to remember that most of the time a cyberattack is impersonal (read: it's not about you). Suppose you have less than $100,000 in revenue. You are still likely to be a link in the supply chain of a bigger partner. Even if that's not the case, your employees have bank accounts, SSNs, and a network of scammable friends that malicious actors can exploit. If you have employees, you have personal data that is worth time and money to attackers.

For example, attackers targeted an $11-billion American retail chain via its HVAC vendor. The cybercriminals assumed that the HVAC company, a link in the retail giant's supply chain, would be an easier mark than the retailer itself. The resulting breach cost a total of $162 million.

It's important to remember that size is relative. A "small" consulting firm can have several multimillion-dollar clients. Companies smaller than Fortune 500 members can still be very lucrative targets, either in their own right or as a way into their supply chain. Companies of all sizes must employ proactive measures like vulnerability management to protect themselves, their clients, and their business partners.

Every organization should take steps to ensure it doesn't harbor lingering cyberhealth issues like unpatched, known vulnerabilities. "What's the worst that can happen?" Well, for starters, you can go out of business. Many businesses aren't built to weather a catastrophic data breach, so it's best to play it safe. Remember, hope isn't a strategy.

IBM's Cost of a Data Breach report puts the average cost of a data breach this year at $4.45 million USD. The average annual revenue of a small business in the US is $53,000, and a 2021 Hiscox report found that the average cost of a cyberattack in the US was $25,612. No matter how you cut it, a data breach could put a lot of smaller enterprises out of business.

Larger businesses hardly fare better. While they may be able to withstand the direct financial cost (though who wants to), lawsuits and regulatory fines can pile up swiftly.

In addition, reputational damage and loss of trust are a factor all their own. Even if the enterprise can weather the PR firestorm, fines, and residual costs, 21-43% of consumers won't shop with a brand again once it has suffered a data breach. In the executive suite, more C-level leaders are being held personally responsible for data exfiltration, cyberattacks, and data privacy lapses. And it doesn't stop at the top: one in four employees reported losing a job after making a security error that compromised the company. Proactively protecting your infrastructure by identifying and eliminating weaknesses means fewer opportunities for attacks that fool the most vulnerable part of your company: your staff.

“We don’t have the resources” 

Every company has resources; it's just a matter of how they are allocated and what is prioritized. If your organization's security team is stretched onion-skin thin, there are options. Managed Security Service Providers (MSSPs) can act as an extension of your internal team: they can run vulnerability scans, prioritize the results, and help you remediate. Using the right tools makes a difference as well. If your team is equipped with a modern VM solution that is easy to use, provides risk-based prioritization, and offers intuitive reporting, they will be able to manage vulnerabilities and report on security efforts efficiently, making the most of scarce IT resources.

Vulnerability scanning is like insurance. You hate paying the premiums, but if something happens, you never say "I wish I had my $367 a month back so I could pay $15,000 out of pocket instead." Similarly, the relatively low cost of a vulnerability scanning solution, or of the MSSP that provides it, is negligible compared with the compliance fines, PR disasters, and data loss it helps you avoid, and with the cost of going out of business.

“I’m afraid of what we’ll find” 

It's the ostrich-with-its-head-in-the-sand syndrome. Fear of the results, and disbelief at the next steps they would require, stops many a good company from taking proactive measures. In today's threat climate, plausible deniability is not an excuse. Companies are liable under a number of standards and regulations (GDPR, HIPAA, SOX, CCPA, and more), and fines and penalties can now be assigned to executives and others deemed responsible, whether for their actions or their inaction. Vulnerability management is a small price to pay for job security and the chance to keep your reputation intact.

“We’ve got XYZ technology already - we’ve got it covered”  

Two decades ago, it was firewalls. Then next-generation firewalls. Then Network Detection and Response, DDoS mitigation, and a host of products built on heuristics and behavioral detection. Those are all valuable, but they all act at the moment of an attack: they block or flag an attempt against a weakness that is still there. None of them removes the underlying weakness the way vulnerability management does.

You need defense-in-depth. There is no sense in arming a battleship but neglecting to test for water leaks. You’re putting your resources at risk and undermining the whole operation by not completing the fundamental safety measures. Attackers will find your weakest link – and they will look for the path of least resistance first.  

“We’re not even sure what to do” 

This is understandable. Vulnerability scans can reveal a host of opportunities to shore up defenses, and without the right guidance, the task can seem insurmountable. This is where an outsourced vulnerability management program can help.  

We know what to do. We know what you're looking at, how you should prioritize, and how to get it done. We can help. By meeting with you monthly, bi-weekly, or even weekly, we can help establish your VM program and the next steps that will make it a palatable, sustainable part of your cybersecurity toolbox. And it will save you a lot of trouble down the road.

“We don’t want to interrupt operations” 

A lot of companies fear that regular vulnerability scans will interrupt operations. Done right, they don't have to: scans can be scheduled outside peak hours, rate-limited, and run with non-intrusive checks, so production need not notice them. And there's no interruption greater than the cyberattack that results from not scanning at all. It's like saying you're too busy to stop for gas; once the tank is empty, you'll have plenty of time to wait.

“We only scan the important stuff” 

A partway solution we've seen (which is really no solution at all) is scanning only "vital" assets, or crown jewels. Companies rationalize that this saves time, money, and resources, without realizing that it undoes the good they've done by leaving glaring holes open elsewhere. For example, servers and payment systems get scanned while employee devices like laptops, mobile devices, and personal PCs used for work are left out. When an attacker cases your company, those easy-to-breach, often-ignored spots are the first place they'll go. If an employee has installed a personal app or service on a device that is also used for work, that undiscovered asset becomes shadow IT that the SOC cannot protect.

Attackers don't care how they get into the network. In an attempted attack earlier this year on a security firm, attackers compromised the personal email of a new employee in order to pivot further into the network and exfiltrate data. The attempt was ultimately unsuccessful, but the lesson is sobering. While we're looking high, they're looking low in terms of technical sophistication and difficulty. It's time to start thinking like an attacker and proactively locking all the doors and plugging all the leaks. Complete and consistent vulnerability management is the cornerstone of this strategy.

“We did that last year” 

That brings us to another point. Vulnerability management is no more one-and-done than going to the gym, annual check-ups, or eating. It has to be done regularly to have any effect. Most organizations are evolving, with changing infrastructure and endpoints; it's likely your infrastructure will not look the same from one month to the next. Once-a-year vulnerability scans are too infrequent to protect a moving target. Attack vectors and methods continue to evolve as well, unearthing new weaknesses all the time. According to the National Vulnerability Database, roughly 2,000 new CVEs are published every month, and each new service, app, or piece of technology brings code that may carry its own vulnerabilities. That's a lot to keep track of, so accurate, risk-based prioritization and management of vulnerabilities is essential.
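The two failure modes above, scanning only the crown jewels and treating a scan as a one-time event, and the risk-based prioritization this section calls for, come down to two checks: which inventoried assets have no fresh scan, and which findings deserve attention first once asset criticality and exposure are taken into account. The script below is an added illustration written for this article; it is not Fortra's or Fortra VM's code. The inventory, findings, hostnames, vulnerability IDs, dates and scoring weights are all constructed, and the weights are a policy choice, not a standard.

```python
"""Coverage gaps and risk-based prioritization over one scan run.

Added example for this article, not Fortra's or Fortra VM's code. The asset
inventory, scanner findings, scoring weights, hostnames and vulnerability
IDs below are all constructed for illustration; a real run would pull the
inventory from a CMDB, DHCP or EDR export and the findings from the
scanner's own export format, and the IDs would be real CVE numbers.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy choices, not industry standards (assumption): how old a scan may be
# before an asset counts as uncovered, and how much each factor weighs.
MAX_SCAN_AGE_DAYS = 30
CRITICALITY_WEIGHT = {"low": 1.0, "medium": 1.5, "high": 2.0, "crown_jewel": 3.0}
EXPOSURE_WEIGHT = {"internal": 1.0, "internet": 2.0}
KNOWN_EXPLOITED_BONUS = 3.0  # e.g. listed in CISA's Known Exploited Vulnerabilities catalog


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str              # key into CRITICALITY_WEIGHT
    exposure: str                 # key into EXPOSURE_WEIGHT
    last_scanned: Optional[date]  # None = never scanned


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float                   # CVSS base score, 0.0 to 10.0
    known_exploited: bool


def coverage_gaps(assets: List[Asset], today: date,
                  max_age_days: int = MAX_SCAN_AGE_DAYS) -> List[str]:
    """Names of assets never scanned, or last scanned before the policy cutoff.

    This is the "we only scan the important stuff" check: the inventory is the
    source of truth, and anything in it without a fresh scan is a blind spot.
    """
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a.name for a in assets
                  if a.last_scanned is None or a.last_scanned < cutoff)


def risk_score(finding: Finding, asset: Asset) -> float:
    """CVSS scaled by what the asset is and where it sits, plus a flat bonus
    when the weakness is already being exploited in the wild."""
    score = (finding.cvss
             * CRITICALITY_WEIGHT[asset.criticality]
             * EXPOSURE_WEIGHT[asset.exposure])
    if finding.known_exploited:
        score += KNOWN_EXPLOITED_BONUS
    return round(score, 2)


def prioritize(findings: List[Finding],
               assets: List[Asset]) -> Tuple[List[Tuple[float, str, str]], List[str]]:
    """Return (ranked findings, unknown hosts).

    Ranked findings are (score, vuln_id, asset) tuples, highest risk first.
    A finding on a host that is not in the inventory is reported separately:
    it is shadow IT that nobody has classified, so it cannot be scored.
    """
    by_name = {a.name: a for a in assets}
    ranked, unknown = [], []
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            unknown.append(f.asset)
            continue
        ranked.append((risk_score(f, asset), f.vuln_id, f.asset))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked, sorted(set(unknown))


# --- constructed sample data (hypothetical hosts, IDs and dates) ---
TODAY = date(2024, 1, 31)
ASSETS = [
    Asset("pay-gw-01", "crown_jewel", "internet", date(2024, 1, 28)),
    Asset("db-01", "high", "internal", date(2024, 1, 28)),
    Asset("lt-jsmith", "low", "internal", date(2023, 10, 2)),   # stale scan
    Asset("ws-byod-07", "low", "internal", None),                # never scanned
]
FINDINGS = [
    Finding("pay-gw-01", "EXAMPLE-001", 7.5, known_exploited=True),
    Finding("db-01", "EXAMPLE-002", 9.8, known_exploited=False),
    Finding("lt-jsmith", "EXAMPLE-003", 9.8, known_exploited=True),
    Finding("db-01", "EXAMPLE-004", 5.3, known_exploited=False),
    Finding("unknown-host-42", "EXAMPLE-005", 9.9, known_exploited=True),
]

if __name__ == "__main__":
    print("coverage gaps:", coverage_gaps(ASSETS, TODAY))
    ranked, unknown = prioritize(FINDINGS, ASSETS)
    for score, vuln_id, host in ranked:
        print(f"{score:6.1f}  {vuln_id}  {host}")
    print("findings on hosts missing from inventory:", unknown)
```

Two things the sample run makes visible that a raw CVSS sort would not: the 7.5-rated, already-exploited weakness on the internet-facing payment gateway outranks the 9.8 on the internal database, and the laptop's findings are ranked even though its scan is a quarter old, so its list is almost certainly incomplete. The never-scanned BYOD workstation and the host that is absent from the inventory altogether are the shadow IT the previous section warns about; they show up as gaps rather than silently dropping out of the report.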

Being Proactive with Vulnerability Management 

Ultimately, a security strategy that is solely reactive is only half of a strategy.  Proactively identifying weaknesses before they are exploited can avoid a huge, costly debacle down the road.  Vulnerability Management may not be the sexiest thing in cybersecurity, but it is the foundation on which your strategy should be built.  

Modern VM Solutions 

Choosing a modern vulnerability management solution will save you time, headaches, and most likely data in the years to come.  Fortra Vulnerability Management (Fortra VM) helps you get the ball rolling on your VM strategy and keep it rolling. More than a one-time fix, it’s a long-term solution that helps you identify, classify, and prioritize vulnerabilities on an ongoing basis. Stay ahead of vulnerabilities, old and new, and set your team up for proactive success in the years to come. 

Additional benefits include: 

  • Less setup. Fortra VM is quick to stand up and easy to use, shortening your time-to-value.
  • Simplified action steps. Fortra VM provides easy-to-understand, on-demand reports, giving you all the information you need to take action, in the right priority.
  • Expert support to help you. You don’t have to go it alone. Our superior support staff of dedicated customer advocates are here to lend an extra hand, offer expertise, and extend guidance.  

Choose the Right VM Option For Your Organization

Every company has different cybersecurity needs and vulnerability management can have many different options.
Get The Comprehensive Vulnerability Management Buyers Guide and see which choice is the best fit.
