In medium and large businesses across the country, CISOs (or chief information security officers) are under siege. The cyber-security landscape is more complex and threatening than it has ever been. They work on a tiny budget and are still expected to monitor, audit and provide for their company’s security needs. One slip-up and the company could suffer.
Businesses work hard at choosing good security products, and the cyber-security industry has evolved to provide better business solutions over the years. Even so, staying secure requires more than security software. Businesses also need to address the vulnerabilities in the software they already run.
What are software vulnerabilities? Users of Internet Explorer are familiar with them, having often seen updates arrive with an explanation about a “security vulnerability in the browser that could allow third party users to take control.” Microsoft had a major Internet Explorer 9 security problem as recently as September 2012. Businesses needed to deny access to visitors on Internet Explorer until a patch could be installed. That is just one program. A business network could have many such vulnerabilities in each software program it uses. In theory, a talented hacker could use them to enter the system and take control of the entire business.
People often think that only software deployed companywide poses a risk of this magnitude. This isn’t true, though. A careless employee who personally installs some ill-advised videogame on his company-issued laptop could open everything up, too. Fortunately, as studies show, most successful attacks use only well-known vulnerabilities, not obscure ones such as this. Cyber-security departments simply need to keep themselves updated on the latest vulnerability intelligence and act quickly when something turns up.
How do you know if your company is careful enough? Ask yourself the following.
- Do you have dedicated cyber-security personnel with the training, resources and authority needed to do a good job?
- Are your cyber-security people trained to tell critical vulnerabilities apart from the less urgent ones?
- How are you set up for zero-day vulnerabilities – security loopholes that the software maker has not yet announced and for which no patch exists? You need access to a quality vulnerability intelligence service to keep abreast of them.
Many businesses do not invest in vulnerability intelligence – they wait until the software maker contacts them. If you are unlucky, your networks could suffer a successful attack before then. Look for a good intelligence service and enable your cyber-security staff to put its recommendations into practice. You should be reasonably secure then.