Why Your Small Business Needs Vulnerability Management
Well, that depends on who you ask, and what they know about vulnerability management. If you ask me, everyone needs a good vulnerability management program.
Why am I talking about this today? My friend and her daughter both recently received a letter from a healthcare organization that started with “We are writing to inform you of a security incident that may have involved your personal information, which we obtained in connection with your treatment at XYZ organization.” Not a great way to start a letter to a customer. It goes on to say “we discovered that a workstation and server located at one of our locations had been infected by a virus designed to block access to system files. As part of our investigation, we learned that external hackers gained access to our systems as far back as January, through a security vulnerability.” It only takes one machine, and one vulnerability, to suffer a breach.
Some may be asking what exactly vulnerability management is. Wikipedia defines vulnerability management as the “cyclical practice of identifying, classifying, remediating and mitigating vulnerabilities, particularly in software. Vulnerability management is integral to computer and network security.” But what does that mean? It means that scanning all of the devices on your network on a regular basis and fixing the issues identified is crucial to a good security program. Remember, most successful hacks or attacks utilize vulnerabilities that are 2 to 3 years old. This type of program makes sure that those vulnerabilities are removed.
If you accept credit cards for payment, whether on the web or in retail, you know about PCI (Payment Card Industry) regulations. PCI is to retail as HIPAA is to healthcare. Any business that accepts credit cards for payment is subject to the regulations and is required to pass a quarterly scan. But the scan is run against your external-facing connection to the Internet. It has nothing to do with the potential vulnerabilities that exist on the computers and other hardware connected to your network.
External scans, anti-virus, and anti-malware give businesses a false sense of security in thinking that they are completely covered. But as you probably already know, the bad guys out there are getting smarter all the time, and make it increasingly difficult to intercept potential threats. And once they get inside your network, they look for vulnerabilities in the systems connected to your network. That is why it is so important to be sure that those vulnerabilities are identified and fixed.
You may think that you have a good IT security program. I visited a business recently and was seated in their conference room. When I was led into the room, I was told “If you need wireless, the password is right there on the whiteboard.” Well, once I have the wireless password, what’s to prevent me from sitting in the parking lot, accessing the wireless network, and taking my time looking for any potential vulnerabilities on that network? Nothing!
The basis for a good security program starts with password management, but goes much further to include anti-virus, anti-malware, a good firewall, patch management on your workstations and servers, and a regular audit of all your systems to be sure that you are not exposed to a virus that gets past your defenses or a hacker accessing your network. Your security program should include quarterly internal vulnerability scans of all the devices on your network as well as making sure that all your other security systems are up to date.
As part of our managed services offering, we automate the patch management so that users cannot ignore the updates that come all too often. We also manage the anti-virus and anti-malware software, include a quarterly internal vulnerability scan, and can offer external scans of your website and external Internet connections, whether you accept credit cards or not.
Once you go through this process, you can actually breathe a little easier knowing that you have done more than most in securing your data. If you are interested in finding out more, please visit our Contact Us page and request a free consultation, or, give us a call and let’s discuss your current security plan and what we together can do to strengthen it.
Small business owners think they are not going to be targeted. But think about this: if small businesses are easier to breach, and a hacker can breach enough of them, they will get as much or more information than the big security incidents you hear about in the news. Remember, nearly 60% of small businesses that suffer a security breach go out of business. Don’t let that happen to you. Let us help.
Until next time,