featured
June 14, 2022
May 30, 2022
Cybersecurity

When you can’t fix a vulnerability…how RankedRight helps you with risk acceptance

While some risks can be mitigated with the right precautions, others are simply impossible to avoid. That is where risk acceptance comes in and RankedRight can help.

~ 0 min read

Organisations face many risks, from natural disasters to cyberattacks. And while some risks can be mitigated with the right precautions, others are simply impossible to avoid. That is where risk acceptance comes in and this article will explain how RankedRight can help.

What is risk acceptance?

Risk acceptance is an important part of business management. By definition, risk acceptance is the decision to accept a risk, rather than eliminate it, instead developing a plan for how to deal with it if the worst should happen. For example, if you’re located in an area that is prone to hurricanes, no matter how much preparation you do, there is always the possibility of damage from high winds and heavy rains. In cases like this, the best option is to accept the risk and take steps to minimise the potential damage, such as investing in hurricane-resistant windows and doors, or having a backup plan for power and communication in case of an outage.

This can often be seen as a more pragmatic approach than trying to eliminate all risks, which is often impractical. While risk acceptance does involve some degree of accepting potential damage, it also allows organisations to focus their efforts on more critical risks and be better prepared to deal with incidents if they do occur.

In the context of vulnerability management, risk acceptance means deciding which vulnerabilities to fix and which to live with. This can be a difficult decision, as it involves balancing the potential consequences of a security breach against the costs and resources required to fix the vulnerability. However, making an informed decision about risk acceptance is essential to effective vulnerability management.

The second part to this is about continuously reviewing the risks you have accepted so that if and when factors change, you can ensure the best decisions are still being made.

What are examples of accepted risks in vulnerability management?

There are many different types of risks that organisations face, and no two are exactly the same. However, there are some common risks that are often accepted in vulnerability management. These include:

  • Unpatched third-party software: In some cases, an organisation may be using software that is no longer supported by the vendor. While it is always best to patch vulnerabilities as soon as possible, in some cases the risk may be low enough that it is not worth the effort to patch it.
  • Informational vulnerabilities: This could be a vulnerability where a piece of information has been leaked that wasn’t supposed to be but will cause no damage in being made public.
  • Low severity vulnerabilities: Vulnerabilities with a low severity rating may not pose a significant risk to an organisation and are therefore not worth the effort to fix.
  • Vulnerabilities that you can’t fix due to business impacts: It could be the case that by fixing one vulnerability, you could break or affect the operation of a system. In this case, accepting the risk might be the optimal option.

How can RankedRight help with risk acceptance?

As you may have noticed already, going through vulnerabilities to determine which you can accept and which you must address, can take time. And that is one thing that vulnerability management teams do not have.

RankedRight is an automated vulnerability management platform that prioritises and assigns vulnerabilities based on rules set by the user, eliminating the time-consuming and painful process of manual triage and empowering security teams to take immediate action on their most critical risks.

The setting of rules is simple and with a few clicks, the results of every new vulnerability scan are effortlessly organised and either delegated to the appropriate team to resolve or filed into a separate list of those risks you’ve accepted. You can also even defer risks by removing them from your task list and setting a date for when you’d like each one to be added back on to your priority list for consideration. The extra special feature here is that you can add settings that mean that if the vulnerability suddenly rises in criticality during the deferral period, i.e. new exploits become available, RankedRight will be able to help you reclassify it and action it in time.

Back to risk acceptance, in setting rules, you can automatically classify certain types of vulnerabilities as they come in by setting rules. You can then view what is remaining to determine if anything else should be accepted and make a note to put a control in place to manage the impact of this vulnerability being exploited. You can also then use the platform to check in on your accepted risks from time to time to ensure that circumstances haven’t changed that require you to take action.

Our mission is to empower businesses to take immediate action on their critical risks and a big part of this is removing the noise. Let RankedRight help you with risk acceptance so you can take control of your vulnerability management efforts.

Triage Library Screenshot
The RankedRight Platform

Book a demo

Learn about RankedRight and ask questions with a 45 minute call.

Other articles

Latest news within the cyber security space and some useful guides, links and other resources