Much of the insight on the web about vulnerability management talks about what a cybersecurity team can do to enhance their performance, but what if you don’t have a dedicated cybersecurity resource? What if you’re a modest-sized IT team responsible for everything from data management and IT system maintenance to system integration and tech support? Information and system security is just one part of your job. And, because of the overwhelming number of responsibilities you have, it’s tough to know whether or not you’re doing it right, let alone seek help to make it better. Well, this guide is for you. We’ll help you identify the signs that you are losing the cybersecurity battle and tell you what you can do to fix them.
If you don’t have specialist cybersecurity support within your IT team, you’ll likely have a long list of measures to put in place to make your business more protected, as well as reactionary tasks to patch specific vulnerabilities. The sooner you can tackle the former, the less overwhelming the latter will be.
As a bare minimum, you should regularly conduct vulnerability scanning, risk assessments and threat modelling to satisfy your insurers, executive board and shareholders/customers. The importance of cybersecurity is growing all the time, and no matter how stretched your team is, you cannot afford not to have these basics in place.
If you use a vulnerability scanner, and it’s correctly set up for your business, you probably see tens if not hundreds of new vulnerabilities after each scan. And, with a modest team of IT specialists in place, you won’t have the capacity to keep on top of all of them. If this is the case, critical vulnerabilities could be missed, leading to a breach and a significant operational problem.
Likewise, if you don’t have a vulnerability scanner, but your company has a large external estate, you won’t even have sufficient awareness of the threats your business is facing, let alone be in a position to tackle them.
Firstly, if you don’t have a scanner, get one. We recommend Qualys, Rapid7 or Tenable. Next, don’t worry about tackling every vulnerability that comes through; just find a way of prioritising them so you can tackle the most critical ones. You don’t have the time to do this manually, so a small investment in an automated triage tool such as RankedRight will help you to keep on top of critical vulnerabilities, even with a small team.
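A small triage pass of the kind described above, as an added example (not code from this article or from any product it names). The CSV columns, the sample findings, the tier rules and the capacity of three tickets are all assumptions made for the illustration; the 9.0 and 7.0 cut-offs are the CVSS v3 critical and high bands.

```python
import csv
import io

# Constructed sample of a scanner export. The column names are assumptions,
# not the export format of any particular scanner.
SAMPLE_EXPORT = """\
host,finding,cvss,internet_facing,exploit_known
web01,Outdated TLS library,7.5,yes,no
web01,Remote code execution in CMS plugin,9.8,yes,yes
db02,Default database credentials,9.1,no,yes
hr-laptop7,Unpatched PDF reader,7.8,no,no
vpn01,Authentication bypass in VPN portal,9.8,yes,no
print03,Verbose SNMP banner,2.6,no,no
"""

def load_findings(text):
    """Parse the CSV export into dicts with typed fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"],
            "finding": row["finding"],
            "cvss": float(row["cvss"]),
            "internet_facing": row["internet_facing"] == "yes",
            "exploit_known": row["exploit_known"] == "yes",
        })
    return findings

def tier(f):
    """Assumed tiering: 1 is handled first, 4 last."""
    if f["cvss"] >= 9.0 and (f["internet_facing"] or f["exploit_known"]):
        return 1  # critical and either exposed or with a known exploit
    if f["cvss"] >= 7.0 and f["internet_facing"]:
        return 2  # high severity on the external estate
    if f["cvss"] >= 7.0:
        return 3  # high or critical, internal, no known exploit
    return 4      # everything else

def work_queue(findings, capacity):
    """Return the top `capacity` findings and the number left for later."""
    ranked = sorted(findings, key=lambda f: (
        tier(f), -f["cvss"], not f["exploit_known"], f["host"]))
    return ranked[:capacity], max(0, len(ranked) - capacity)

if __name__ == "__main__":
    queue, deferred = work_queue(load_findings(SAMPLE_EXPORT), capacity=3)
    for f in queue:
        print(tier(f), f["cvss"], f["host"], f["finding"])
    print(f"{deferred} findings deferred to the next cycle")
```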
The feeling of being overwhelmed is all too common, particularly in IT. You have many areas of responsibility and little attention is paid by others to your work unless something goes wrong. The general view is that you “could always do better”.
If the CEO calls up with an IT problem or the marketing team needs a new system, they surely prioritise cybersecurity? No, they don’t.
Bring on board a ticketing system, such as Zendesk, that integrates and prioritises all IT tasks in one place. With RankedRight also in place, you’ll have visibility of how many critical vulnerabilities require your attention, giving you peace of mind to prioritise all other elements around it. A well-ordered list will provide you and the team with the clear plan of attack you need.
We also recommend that, as part of your ticketing system, an automated response is sent when employees log an issue, to set their expectations. They would then understand that while their problem is important to you, you may not be able to respond immediately due to the volume of other responsibilities you have. Pressure eased.
A security breach can take many forms: a leaking of highly confidential and sensitive information; a very public hijacking of your website; a complete stop to company operations; or even a highly damaging yet subtle change to one or more of your IT systems. And even a company with a highly sophisticated cybersecurity program in place won’t detect it immediately. In fact, according to IBM, the average time it took a business to identify a breach in 2020 was 228 days.
Any of the breaches we’ve just mentioned will undoubtedly result in more work for your team to resolve and get the system back on track. You’ll also need to explain why the breach happened in the first place and show that measures are being taken to ensure it doesn’t happen again.
Unfortunately, there isn’t a fail-safe solution to prevent your company from ever being attacked. However, there are steps you can take to protect your business better. As well as fulfilling the actions outlined in our solutions above, it’s recommended that you start monitoring for suspicious activity. Signs to look out for include an increase in an application or web page’s load speed, a significant change in network traffic, unusual administrator login activity and unexplained system errors.
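One of the signs listed above, unusual administrator login activity, checked over a few log lines; this is an added example, not code from this article. The log format, the `admin.` account prefix, the per-user baseline of source addresses, the working hours and the failure threshold are all assumptions to replace with your own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in an assumed key=value format.
SAMPLE_LOG = """\
2024-03-04T09:12:44 login user=admin.jane src=10.0.4.21 result=success
2024-03-04T09:40:02 login user=svc.backup src=10.0.4.50 result=success
2024-03-05T02:17:09 login user=admin.jane src=10.0.4.21 result=success
2024-03-05T10:03:31 login user=admin.raj src=203.0.113.77 result=failure
2024-03-05T10:03:35 login user=admin.raj src=203.0.113.77 result=failure
2024-03-05T10:03:41 login user=admin.raj src=203.0.113.77 result=failure
2024-03-05T10:03:52 login user=admin.raj src=203.0.113.77 result=success
2024-03-05T11:20:00 login user=admin.raj src=10.0.4.33 result=success
"""

ADMIN_PREFIX = "admin."            # assumed naming convention for admin accounts
KNOWN_SOURCES = {"admin.jane": {"10.0.4.21"}, "admin.raj": {"10.0.4.33"}}
WORK_HOURS = range(7, 19)          # assumed working day, 07:00 to 18:59
FAILS_BEFORE_SUCCESS = 3           # assumed threshold

LINE = re.compile(r"(\S+) login user=(\S+) src=(\S+) result=(\w+)")

def unusual_admin_logins(log_text):
    """Return (timestamp, user, source, reasons) for each suspicious success."""
    alerts = []
    recent_fails = defaultdict(int)  # failures per (user, source) since last success
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, user, src, result = m.groups()
        if not user.startswith(ADMIN_PREFIX):
            continue
        if result != "success":
            recent_fails[(user, src)] += 1
            continue
        reasons = []
        if datetime.fromisoformat(ts).hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if src not in KNOWN_SOURCES.get(user, set()):
            reasons.append("new source address")
        if recent_fails.pop((user, src), 0) >= FAILS_BEFORE_SUCCESS:
            reasons.append("success after repeated failures")
        if reasons:
            alerts.append((ts, user, src, reasons))
    return alerts
```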
It may be the case that other teams spot breaches before you do, particularly if they’re affecting your website or crucial systems. But if they feel that you’re taking too long to handle their other issues and confidence in your team is low, they may start downloading new tools (which you’ve yet to test and could pose a significant security risk) or fix their IT issues themselves with tips they’ve found on the internet (also highly risky).
You need to get their confidence back to achieve some authority over how IT systems are adopted and managed to prevent more work for yourself at a later date.
Arrange a time with the executive team to outline the problem: what people are doing without your permission; why they are doing it; what impact this is having on the company’s IT security (most important point); and what you need from them to resolve this. Their help would take the form of clear rules set out in the employee handbook with consequences should they be ignored and extra resource in your team to ensure that the task load can be handled better.
Read our article ‘How to ask the board for a bigger cyber budget’.