Vulnerability management is one of the most important cyber security tasks. But it is also tricky and complex, giving rise to dangerous misconceptions which can lead to misguided practices and ineffective security. When it comes to communicating vulnerabilities, risks and threats to senior management, misconceptions can greatly harm communication and have a knock-on effect to your security strategy. Don’t let the myths stand in your way, get the facts and sharpen your security.
Myth 1. Vulnerability management and patch management are the same thing
This is the most common and also the most dangerous misconception about vulnerability management. According to the NCSC a vulnerability is any weakness in an IT system that can be exploited by an attacker to deliver a successful attack. So, patching vulnerabilities involves software updates, configuration changes or a combination of the two. Vulnerabilities are not always solved with patches.
So there is an overlap between the two, but they have different goals. A vulnerability management strategy aims to prioritise the reduction of cyber risks, whereas a patch management solution aims to have all the latest uypdates. Yet too often vulnerability management and patch manegement are used interchangably. This can be a serous problem for security strategy, since it can lead to only applying patches, overlooking configuration changes. This leaves systems vulnerable to attacks since often, a software update and a configuration change are necessary to resolve vulnerabilities. Also, patches are not always created to address vulnerabilities, sometimes they are just software updates. So sometimes staying on top of patching actually does nothing to reduce your risk. This is why it is co crucial for your vulnerability management strategy to prioritise based on risks, rather than just staying on top of updates.
Myth 2. All attacks rely on vulnerabilities
This one is really simple once you hear it, but when you’re talking about vulnerabilities it can be easy to overlook. While most attacks do target vulnerabilities, you can have the best vulnerability management strategy in the world and it won’t matter if you have weak passwords or you get phished. This highlights the need to take a hollistic approach to cyber security. A checklist mentality can develop if you are following cyber security standards or just trying to keep on top of patches, which can lead to a weak, haphazard approach to security controls. it’s essential to take a risk based approach to security.
Myth 3. You’re too small a target
This one is the easiest to underastand. Most cyber attacks you hear about in the news are the big ones, the giant corporations that everyone knows, Target, British Airways, T-Mobile. The trouble with this, is it creates a misconception that only large companies with lots of money are targets. The truth is, although big paydays are a strong motivator for cyber attackers, they will always target the lowest hanging fruit. Many smaller companies have weaker security and still have lots of valuable data that attackers have their eyes on. It can often be easier to get a quick payday from a smaller to medium sized business, in fact, BIPA estimates that 96% of cyber attacks target SME’s.
Myth 4. The goal of cyber security is to eliminate vulnerabilities completely.
Firstly, you can never eliminate vulnerabilities completely. There will always be vulnerabilities, there will always be risk. Security is about minimising risks and vulnerabilities. Anyone who tells you, you can have 100% security is lying. Also, cyber security is a balance of vulnerabilities, threats and security countermeasures. So while vulnerabilities create risks to your organisation, you can reduce those risks by eliminating threats rather than just focusing on reducing vulnerabilities. And what about security countermeasures that don’t address vulnerabilities that still improve your security?
This again, highlights the need for hollistic cyber security that includes, but is not limited to an effective vulnerability management solution. While it may take some time to implement this, there’s no better place to start than with a chat with one of our experts at Rebasoft.