9 Myths of Cyber Vulnerability and Risk Management

A follow-up to our blog post on why not doing Vulnerability Management could cost your company a fortune, this blog post is for those who believe lots of the myths surrounding the process. Many of these myths are really holes in the program that make all the work you are doing less effective.

1. Myth: We already have technology that prevents attacks

   Fact: all technologies that are in place usually function in a reactive manner. Vulnerability management is proactive and prevents attacks from even happening. A subset of this program is pen testing and vulnerability scanning, both of which are important, and often required. These processes, along with patching keep your organization in good shape. It is like going to the doctor’s: an ounce of prevention is worth a pound of cure.

2. Myth: We are too small for someone to want to hack us

   Fact: Small companies are often targeted by hackers because they lack strong or proactive defenses. Big companies make the news because of the sheer amount of money lost, but when small companies are hit, it usually is the end for them. Breaches can be devastating for SMBs and often cause bankruptcy due to the effect of business interruption. Hackers know this, hence why SMBs are so often hit with ransomware. Beyond this, many small companies aren’t even aware when hackers are in, due to poor security posture.

3. Myth: We already scan the important systems, the rest doesn’t matter

   Fact: scanning all systems in your environment matters, because hackers get in the place you least expect them. It’s very common for breaches to occur from phishing, take home laptops, employee error, or forgotten devices. If only the servers are secure, hackers can still run amok and ransomware all of your employee devices bringing the company to its knees.

4. Myth: Our team did all of this earlier this year

   Fact: Vulnerabilities come out all the time, see our weekly updates as an example. If your team is not on top of scanning, patching, and confirming, your company could be at risk. It only takes one month old zero-day for the bad guys to break in. Staying up to date requires monitoring the news and running scans at regular intervals to check for the latest discoveries.

5. Myth: Patching causes service interruptions and we can’t afford that

   Fact: patching can cause outages if not done correctly, but not patching at all can cause even worse outages. Like our post on the recent Cisco zero-day an attacker could take control of your network and stop all business. It is important to carefully plan and test your patches, but there is no excuse for not patching critical devices less than once a month. High-availability setups should be used to allow for live patches if taking systems offline isn’t possible.

6. Myth: More findings is only more work and I don’t have time

   Fact: findings usually take effort to fix, but that effort is nothing compared to restoring operations after a breach. Business interruptions and outages can mean lots of overtime work for cybersecurity teams, losing nights and weekends. A few patches or configuration changes with testing are nothing compared to the effort required from incident response. Beyond that, it is common for many issues to be resolved by a single solution, so sometimes more results is the exact same amount of work.

7. Myth: Vulnerability management is costly

   Fact: Business is about money, and anything that costs money is bad, but it needs to be understood that in the long run, vulnerability management saves more money than it costs. Doing no cybersecurity costs nothing until the business is attacked and then the costs are often enough to wipe away a year’s revenue or more. Many breaches cost more than five years worth of the protection that would’ve been needed to prevent the attack in the first place, and that’s discounting lost revenue from operation interruptions.

8. Myth: Why bother patching, hackers won’t get into our environment

   Fact: many companies overestimate their cybersecurity posture and defenses to their detriment. Hackers are a determined, scrappy, and intelligent sort of folk; they won’t give up when they see a challenge. A firewall isn’t enough to stop an attack, nor is antivirus. A determined attacker can simply use email and clever wording to have an employee open the door to the network for them. Even with the best training, an employee is no match for someone who spends all their time trying to trick them. Patching internal systems can reduce the damage a hacker can do in your environment.

9. Myth: Even if we patch, that won’t stop the hackers

   Fact: A counter to the above point, patching and vulnerability management can great reduce what a hacker can do to your company. Plenty of business know that the sooner they catch the hackers inside their environment, the better. A strong vulnerability management program reduces dwell time and the cost that a breach could have. Even if you don’t stop the bad guys from getting in, making sure they can’t do anything once in is valuable.

If you want to know how Glassportal fits into your vulnerability management program, schedule a demo with us: demo@glassportal.io