Today’s reality of vulnerability management for SMEs
By Chris Wallis, CEO and Founder, Intruder
It’s becoming cheaper and easier for hackers to commit cyber crimes. Everyone knows ransomware is one of the biggest threats facing companies today, but what they might not know is that cybercriminals can subscribe to ransomware as a service (RaaS) solutions – including 24/7 support, user reviews, forums, and all the other features you get from a legitimate SaaS provider – for as little as $40 a month.
That is a decent price, considering the average ransomware payment for US companies is more than $6 million. Ransomware has become like a business, and business is booming.
Gone too are the days when smaller companies could fly safely under the radar. BT research found that the UK alone sees around 65,000 attempted cyber attacks on SMEs every single day. These attacks might not make the headlines but there is mounting evidence that bad actors are beginning to focus on picking off the low-hanging fruit as well as going for the big, one-off pay-outs. With the rise of cybercrime gangs and more advanced technology, bad actors are even automating their efforts to hit a wide range of targets all at once. In other words, no one is safe anymore.
Vulnerability management is crucial
SMEs are increasing investment into cybersecurity in response to this trend; they’re set to spend $90bn on cybersecurity by 2025. However, they still aren’t as prepared to reduce risk and counteract emerging threats as bigger organisations with dedicated internal resources, including CISOs, security operations centres (SOCs) and budget for top-line extended detection and response software. This is one reason why, in Canada, a think-tank told Parliament that small firms should be given a tax break so that they can invest in cybersecurity.
Many companies still employ reactive cybersecurity practices, scrambling to address attacks and plug gaps that attackers have already identified. But once a hacker has located an open door, it is often already too late.
It’s one thing to try and catch an attacker once they’re in your systems, but another to stop them gaining access in the first place. As the old saying goes, an ounce of prevention is worth a pound of cure: many companies, regardless of size, are finding that the best form of defence is to make it as difficult as possible for hackers to gain access to their systems – ideally to the point where they don’t even bother trying.
That’s why it’s becoming common knowledge among business leaders – even if they’re not security experts – that they need a vulnerability management system in place to help them gain a holistic view of assets and work out where gaps exist.
However, just having the system in place is not where the issues end for smaller companies. Once such a system is implemented, they often still lack the resources to keep up to date with what needs scanning, or deal with the volume of information churned out by these tools.
Instead of a dedicated CISO or other security professional, it is often left up to an IT manager or a lead engineer to look after a company’s cybersecurity as just one, and usually secondary, pillar of their overall role. This can mean that they don’t have the time to sift through all the information or to look at the scan results every day, meaning they can easily miss high-impact vulnerabilities.
Poor asset management is another common area where these programs fail. With cloud platforms giving ever greater control to developers to easily host services like storage or APIs online, it becomes easier to lose track of what’s even there – let alone whether it has any vulnerabilities. If an organisation doesn’t know what it has, how can it hope to protect it?
So how can SMEs solve these challenges without access to the resources of their larger counterparts?
Proactivity is key
With attack surfaces constantly in a state of flux, and high volumes of data around vulnerabilities to sift through, automated asset management, proactive scanning and intelligent prioritisation become central to an effective cybersecurity strategy.
Scanners can be a really helpful tool for finding issues, but no organisation will be able to address everything that is flagged. Some modern scanning solutions offer incremental scan results and proactively check for the latest emerging threats, which helps here. As hackers become ever faster at weaponising vulnerabilities as they come to light, these scanners keep businesses informed about whether they are exposed to a newly disclosed issue and save them time by alerting them directly when they are affected.
Meanwhile, prioritising the threats the scanners find allows companies to reduce their attack surfaces intelligently and efficiently. Such tools can even connect to cloud accounts and track which assets are being exposed to the internet, so that every one of them is covered by monitoring for threats.
Every company will have individual needs when it comes to protecting its digital estate, and – whether it’s specialising in threat intelligence or reducing an organisation’s attack surface – the range of vulnerability scanners available today reflects that.
Ultimately, all organisations are facing increased risk without the corresponding increase in time and other resources to address it. They should make sure they can keep themselves safe by adopting modern vulnerability management which combines automated asset management, proactive scanning, and intelligent prioritisation. It’s a never-ending battle, but one we must all keep fighting.