Today’s Topic: Vulnerability Scans
So you are a business owner, the backbone of America, wrestling with the daily issues of running operations (payroll, HR, contracts, vendor payments, technology), and your annual budget for IT is up for consideration. You know how to run your business, you understand your technology and your product, but you don’t know how to assess IT. You don’t know anything about it, so how do you know whether your IT shop is functioning?
Welcome to my nightmare.
Over the years of building and managing companies, one of the strongest challenges I have faced is knowing whether my IT Manager/Director was doing his job. I didn’t know anything about IT, I had no tools to show me the status of my IT infrastructure, and I was too busy to worry about the darn thing. In order for the small business (SB) owner to understand how secure or up to date they are, it is essential that they have a report, in English, not geek speak, which outlines the security status of their IT system. What I recommend to every business owner is that they get a vulnerability scan and a penetration test to outline the security of their system. These activities are not expensive and go far toward providing an easy-to-understand report on the business’s security.
A vulnerability scan is just that: a scan designed specifically to detect weaknesses in your IT system that, if exploited, could lead to a breach by an attacker. A scan can identify problematic issues such as missing operating system patches, outdated software versions, known vulnerabilities for which fixes are available, and open ports that expose services an attacker could reach. These scans are not expensive, usually under 500 dollars, depending on how many systems you have.
Depending on the need for the scan, both internal and external Internet Protocol (IP) addresses may be scanned, along with the devices that belong to those IP addresses. For example, if your business falls under compliance requirements mandated by the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS), both external and internal addresses are required to be scanned. If you want a complete report on your IT system’s security status, I strongly recommend doing both.
Basically, the scan provides an easy-to-read report that outlines the problems found. Most reports include a pie chart that colour-codes the findings in red, yellow and green by severity. The more red there is, the worse your status; green means good. Fortunately for the technically challenged like me, the report also provides recommendations to fix these faults and to prevent them in the future.
For the business owner, this is gold. There is nothing like being able to understand what your problems are and being able to call out the right people to get them fixed. If the report is all green and yellow, you can sleep deeply knowing that your IT system is up to date and, as far as the scan can tell, as secure as it can be. If there is red, the owner is now able to outline a plan of attack and hold the professionals responsible for IT security to the successful implementation of that plan.
These reports are only as good as the state of the network they describe: they stay valid as long as nothing changes in the company’s IT architecture, and should be relied on for no more than 90 days. We recommend that follow-on scans take place periodically (once per quarter) to demonstrate to the owner that progress is taking place and that the IT shop is following the remediation plan.