If your personnel regularly send a spreadsheet of vulnerabilities to IT for fixing, you need to read this opinion piece urgently!
Last year, a study found as many as 96% of organizations in Singapore experienced at least one breach in the past 12 months due to cyber threats. The report noted that 99% of the respondents in the survey planned to increase their cyber-defense budget. Senior executives are taking notice of this, but there is something else these companies need to focus on that goes beyond the security defense budget.
As vulnerabilities rise, investment cannot go only into stopping attacks from happening; it must also go into finding and fixing known software vulnerabilities within a company’s infrastructure more quickly and effectively, so they cannot be exploited. This is part of vulnerability management.
Known software vulnerabilities are on the rise (NVD has already found over 400 new vulnerabilities in 2020 alone), yet the ability to quickly remediate these vulnerabilities remains a challenge for most companies.
According to The State of DevOps Report (SODOR) 2019, only 13% of firms in Singapore were able to remediate critical security vulnerabilities in a day, trailing behind Japan at 40%. Furthermore, only 1% of Singapore companies could remediate critical vulnerabilities in less than an hour. Leaving critical vulnerabilities unresolved for extended periods gives hackers time to obtain even more valuable information.
Security, and mitigating the risk from known vulnerabilities, needs to be a bigger priority for executives and practitioners alike. Too many companies still allow security teams to send an Excel spreadsheet over to their IT teams to fix all the vulnerabilities they have found in the system. The results of this practice? Based on a Ponemon study, IT Operations spend on average 320 hours a week on a single vulnerability remediation.
As we move to an even more software-centric world, attack surfaces will grow and vulnerabilities will rise in the software that companies produce and consume. If there is no plan in place for how a company can remediate known vulnerabilities at scale and proactively, the company’s reputation and finances are ripe for disaster.
So how can companies strengthen their security profiles to stay protected from vulnerabilities and address growing threats? What are some business systems that need to be adapted in order to make automation and orchestration better serve the security needs of your company?
Here are a few key steps to start better managing your vulnerabilities:
- Embed industry-best security frameworks (ISO, CIS, NIST) into your processes and mindset in creating your standard operating environment
It is important to consistently set a high bar for security as a proactive measure across all your different operating systems (Linux, Windows, AIX, etc.) and applications across on-prem, hybrid, and cloud environments.
In support of better security standards, all organizations are required to appoint a data protection officer (DPO) to ensure compliance with the standards set, which include ISO standards for data protection. In Singapore, the Personal Data Protection Commission (PDPC) offers training courses for DPOs and plans to train 500 of them by next year.
- Standardize and automate your environment
With the proliferation of technology, there is more work to do than can be done given shortages in technical talent. Automating your environment is an effective way to manage its growth while also reducing the risk of human error. Additionally, automation allows you to remediate vulnerabilities more quickly when they are found, making this a key step in allowing you to scale in a secure manner.
- Follow a risk-based approach to prioritize what to remediate first
A risk-based approach takes into account the severity of a vulnerability as well as the context and criticality of the host or machine. Leveraging automation and consistent information as the common language between security and IT allows the team to better understand which part of their system is most vulnerable so they can prioritize accordingly. Following a risk-based approach lets you first remediate the vulnerabilities that could hurt your business the most, such as those in financial software or a customer database.
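The risk-based ranking described above, sketched as an added example that is not part of the original article: it joins a scanner export with an asset inventory and orders findings by severity weighted by host criticality and exposure. The host names, finding IDs, 1-5 criticality scale and the weighting formula are all constructed assumptions.

```python
import csv
import io

# Constructed scanner export (placeholder finding IDs, not real CVEs).
FINDINGS_CSV = """host,finding,cvss
intranet-wiki,VULN-A,9.8
payments-db,VULN-B,7.5
build-agent-7,VULN-C,8.1
customer-portal,VULN-D,6.5
intranet-wiki,VULN-E,4.3
"""

# Constructed asset inventory: business criticality 1 (low) to 5 (high),
# plus whether the host is reachable from the internet.
ASSETS = {
    "intranet-wiki":   {"criticality": 1, "internet_facing": False},
    "payments-db":     {"criticality": 5, "internet_facing": False},
    "customer-portal": {"criticality": 4, "internet_facing": True},
}

# A host missing from the inventory is treated as worst case so it is
# investigated rather than silently ranked last.
UNKNOWN_ASSET = {"criticality": 5, "internet_facing": True}

def risk_score(cvss, asset):
    """Assumed weighting: CVSS (0-10) scaled by criticality, x1.5 if exposed."""
    exposure = 1.5 if asset["internet_facing"] else 1.0
    return round(cvss * (asset["criticality"] / 5) * exposure, 2)

def prioritize(findings_csv, assets):
    """Return findings sorted by descending risk, highest first."""
    ranked = []
    for row in csv.DictReader(io.StringIO(findings_csv)):
        asset = assets.get(row["host"], UNKNOWN_ASSET)
        ranked.append({
            "host": row["host"],
            "finding": row["finding"],
            "cvss": float(row["cvss"]),
            "risk": risk_score(float(row["cvss"]), asset),
            "in_inventory": row["host"] in assets,
        })
    return sorted(ranked, key=lambda f: f["risk"], reverse=True)

if __name__ == "__main__":
    for f in prioritize(FINDINGS_CSV, ASSETS):
        note = "" if f["in_inventory"] else "  (host not in inventory)"
        print(f'{f["risk"]:>6}  {f["host"]:<16} {f["finding"]}  cvss={f["cvss"]}{note}')
```

With this sample data the CVSS 9.8 finding on the internal wiki ranks below the CVSS 6.5 finding on the internet-facing customer portal, and the host missing from the inventory comes first.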
As the saying goes, you are only as strong as your weakest link, so having a huge cyber defense protocol will not matter if you have a ton of vulnerabilities lurking in the most important parts of your infrastructure. Build out a strong vulnerability management practice now and help your company avoid the security mistake that could cost you millions.