Debunking vulnerability management myths for a safer enterprise

Cybersecurity is one of the most daunting challenges enterprises will face in 2020. According to IBM’s 2019 Cost of a Data Breach report, the average cost of a data breach in the U.S. is $8.19 million, with companies averaging 206 days to identify breaches before even attempting to address them (a task that averages another 38 days).

These stats and hundreds of others on cybercrime are quite sobering. Cyberattacks are beginning to seem like an inevitability, another cost of doing business. Yet, a lot can be done to reduce risk, particularly when it comes to vulnerability management.

Top vulnerability management myths

The importance of vulnerability management is often discounted or overlooked. Let’s look at and debunk the top vulnerability management myths, so that enterprises may opt to change their practices in ways that make fortifying cyber defenses and reducing risks significantly easier.

Myth 1: Periodic scanning is enough

One common and dangerous myth to dispel is that periodic vulnerability scans are good enough. Not true. Even once a day is no longer enough. New apps and endpoints are added to corporate networks each day — and this does not happen in unison at 8 am. Changes are made throughout the day, which means network compromise can happen at any time. And it can take a mere 18 minutes for hackers to go from foothold to a full-on breach.

Companies can’t just scan once per day, even if they fix a number of vulnerabilities every day. The rate at which new vulnerabilities appear is simply too high. Enterprises must scan continuously to be protected. Fortunately, new vulnerability management solutions make scanning at scale significantly faster and easier without impacting network performance, so there is really no good reason why enterprises should put networks at risk unnecessarily.

Myth 2: Vulnerabilities = patching

Many people equate vulnerabilities with patching. In reality, vulnerability management can be much more detailed and complex. For example, a configuration change might solve an issue, or if a company is running an old piece of software, a patch or configuration update might not be available. In this case, teams might need to put in a mitigating control, such as a firewall or routing change, to prevent certain types of traffic from getting to a port or application. In fact, sometimes mitigating controls work better than patches.

The bottom line is this: to think solely in terms of patching is short-sighted. Taking a broader view of vulnerability management will serve organizations better.

Myth 3: Fixing critical vulnerabilities ensures safety

The view that organizations have to fix Level 5 vulnerabilities first is outdated. Conventional logic goes that the most serious vulnerabilities demand immediate attention. The problem is that cybercriminals are aware of this mentality. As a result, they’ve begun attacking lower hanging fruit in middle-layer vulnerabilities. These are not as attention grabbing; they don’t have people playing beat-the-clock to remediate them, which gives hackers longer to figure out a way in, and they can ultimately cause tremendous damage as they go undetected for long periods of time.

When it comes to vulnerability management, companies need to adjust their approach. They either need to adopt new considerations and ranking systems for how they address vulnerabilities or they should opt for a two-pronged strategy, leveraging automated vulnerability management solutions to immediately remediate lower level vulnerabilities while freeing up team members to fix higher level vulnerabilities simultaneously.

Myth 4: Vulnerability management is no big deal

There is a distinct lack of respect for vulnerability management. Whether it is from teams that adopt a certain arrogance about their abilities — a “my guys can fix anything manually” attitude — or those that operate under the assumption that vulnerability management is a low priority background task, the result is the same: vulnerability management has taken a back seat.

The problem is that there are simply too many vulnerabilities popping up too quickly. Even the most talented, best staffed teams are not equipped to deal with all of them. By viewing them as a lower priority or letting vulnerability management fall by the wayside due to a lack of time or resources, companies open the door to cyberattacks, ultimately making their jobs exponentially more difficult in the long run — not to mention potentially costing their companies millions of dollars if/when a breach occurs.

Some companies that hold cyber insurance policies may feel a false sense of safety. I would urge these organizations to take a look at Merck or Mondelēz, which held policies they perceived will protect them financially in the event of an attack. They were wrong. After NotPetya, their claims have been denied through a loophole that declared NotPetya an act of war. Today, these companies are hundreds of millions of dollars out of pocket and are tied up in legal battles with their insurance companies – battles that are expected to take years to resolve.

I would encourage all IT teams to prioritize vulnerability management, throw out their preconceived notions and myths. It may not be the sexiest task IT teams deal with but vulnerability management very well could be the biggest factor in preventing a serious malicious attack.