Described by the ICO as ‘a good starting point’, the Cyber Essentials certification is designed to give businesses of all sizes the confidence that they are protected from the vast majority of cyberattacks. Vulnerability management forms the backbone of this.
Most attacks are carried out by unskilled hackers trying to make a quick buck from the most vulnerable targets, so basic cybersecurity hygiene will stop them.
Many small to medium businesses don’t have the money or resources to throw at cybersecurity, let alone to employ somebody full time to look after it. Yet a cyberattack could be more devastating for these companies than for their deeper-pocketed counterparts.
This is where Cyber Essentials, developed by the government’s NCSC (National Cyber Security Centre), comes in.
Cyber Essentials (basic), achieved through self-certification, walks businesses through the most basic protections. The Cyber Essentials Plus certification takes things a little further, and an external body must carry out the certification. There is no shortage of companies offering this service!
Managing vulnerabilities forms a major part of both certifications.
As we’re all aware, systems and software are inherently vulnerable. New vulnerabilities pop up daily, but not all of them are equal: some are higher risk than others and need addressing sooner.
As Cyber Essentials (standard) is self-certified, organisations simply need to state that their systems are up to date and patched. With Cyber Essentials Plus, if you are found to have any vulnerabilities with a CVSS score of 7 or above, you will fail.
You can, of course, do a one-time fix of vulnerabilities. The problem is that the day after, you are potentially out of compliance again.
Whether completing Cyber Essentials Standard or Plus, businesses should run regular vulnerability scans of their systems. It’s also important to ensure that a contingency plan is in place if the person responsible for this task isn’t able to do it. This was one of the contributing factors to the Equifax data breach back in 2017.
Cyber Essentials states that businesses should patch all software within 14 days where possible. If businesses want to take things one step further, ISO 27001 states that they must ensure urgent patches are rolled out across their infrastructure on a regular basis, and that their systems are fully up to date at the point of audit. This is another reason for regular vulnerability scans.
Many organisations, for obvious reasons, use WSUS (Windows Server Update Services). However, there are two reasons this doesn’t count:
- It is a repository, not an enforcement tool. Group Policy can permit installation of a particular patch; however, sometimes the installation doesn’t happen and WSUS will be none the wiser.
- It only covers Microsoft patches. What about all the other systems and software in place?
Make no mistake, none of the certifications states that businesses MUST have a vulnerability management tool in place, only that vulnerabilities must be addressed. However, there are many benefits to using a tool.
Prioritisation is one of the most important. Medium to enterprise-size organisations could have hundreds or thousands of systems in place, each requiring its own patches. Many of these vulnerabilities will be low risk, or may not relate to security problems at all, meaning that the business can deal with them in due course.
The danger is that, without a vulnerability management tool, you focus too much of your attention on these and not on the smaller number of high-risk vulnerabilities.
With a tool in place, you will be able to prioritise the most urgent vulnerabilities and ensure these are mitigated.
A vulnerability management tool will also allow you to monitor vulnerabilities across multiple software products and systems. Not just Microsoft!
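To make the two rules above concrete (a CVSS score of 7 or above fails Cyber Essentials Plus, and patches are expected within 14 days), here is a small triage script that applies them to a list of scan findings and orders the open ones by urgency. It is an added example written for this article, not code from Cyber Essentials, the NCSC or any vulnerability management product; the hostnames, product names, dates and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds taken from the article: CVSS 7+ fails Cyber Essentials Plus,
# and software should be patched within 14 days.
CE_PLUS_FAIL_CVSS = 7.0
PATCH_WINDOW_DAYS = 14


@dataclass(frozen=True)
class Finding:
    host: str
    product: str        # affected software; deliberately not only Microsoft products
    cve: str            # placeholder identifier, constructed for this example
    cvss: float
    first_seen: date    # date the scanner first reported the finding
    patched: bool = False

    def age_days(self, today: date) -> int:
        """Days the finding has been known, as of `today`."""
        return (today - self.first_seen).days

    def due(self) -> date:
        """Date by which the 14-day patch window closes."""
        return self.first_seen + timedelta(days=PATCH_WINDOW_DAYS)


def ce_plus_failures(findings, today):
    """Open findings that would fail a Cyber Essentials Plus assessment."""
    return [f for f in findings if not f.patched and f.cvss >= CE_PLUS_FAIL_CVSS]


def overdue(findings, today):
    """Open findings that have been known for longer than the patch window."""
    return [f for f in findings if not f.patched and f.age_days(today) > PATCH_WINDOW_DAYS]


def prioritise(findings, today):
    """Open findings, highest CVSS first; ties broken by age (oldest first)."""
    still_open = [f for f in findings if not f.patched]
    return sorted(still_open, key=lambda f: (-f.cvss, -f.age_days(today)))


def summarise(findings, today):
    """Counts a team would put on a dashboard or in an audit pack."""
    return {
        "open": sum(1 for f in findings if not f.patched),
        "ce_plus_failures": len(ce_plus_failures(findings, today)),
        "overdue": len(overdue(findings, today)),
    }


# Constructed sample scan output; the CVE numbers are placeholders, not real CVEs.
TODAY = date(2024, 3, 1)
SAMPLE = [
    Finding("fileserver01", "Windows Server", "CVE-0000-0001", 9.8, date(2024, 2, 10)),
    Finding("web01", "Apache HTTP Server", "CVE-0000-0002", 7.5, date(2024, 2, 25)),
    Finding("laptop-17", "Adobe Reader", "CVE-0000-0003", 5.3, date(2024, 1, 20)),
    Finding("laptop-22", "Windows 10", "CVE-0000-0004", 8.1, date(2024, 2, 1), patched=True),
    Finding("printer-03", "Printer firmware", "CVE-0000-0005", 3.1, date(2024, 2, 28)),
]

if __name__ == "__main__":
    print(summarise(SAMPLE, TODAY))
    for f in prioritise(SAMPLE, TODAY):
        flags = []
        if f.cvss >= CE_PLUS_FAIL_CVSS:
            flags.append("CE+ FAIL")
        if f.age_days(TODAY) > PATCH_WINDOW_DAYS:
            flags.append("OVERDUE")
        print(f"{f.host:14} {f.product:20} CVSS {f.cvss:<4} "
              f"seen {f.first_seen} due {f.due()} {' '.join(flags)}")
```

The point of the sample data is the one the article makes: the patched Windows 10 finding drops out, the old but medium-severity Adobe Reader finding is overdue without being a Cyber Essentials Plus failure, and the two high-severity findings on non-identical platforms float to the top regardless of age.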