08/12/2014

By Victoria Bentham, UK & Ireland Regional Director, Secunia


For business owners time spent managing IT is time taken away from growing the business. However, neglecting routine PC maintenance and not regularly applying security patches can expose the company to security breaches. Such programs include Java, Adobe and Flash are amongst those that contained several hundred vulnerabilities in 2014.

This emphasises the importance of having any type of program universally patched on a regular basis. This can be quite a daunting task, and one that cannot be dealt with, without automation. Technically, it is never possible to patch all programs on all devices immediately – that is why prioritization of remediation efforts is a key element in securing data.

To prioritise, business owners must know when a vulnerability is threatening their IT infrastructure, where it will have the most critical impact, what the right remediation strategy is and how to deploy it. It is of paramount importance that business owners understand the extent to which systems and applications are exposed and are therefore able to react quickly to address the most critical vulnerabilities. This requires full visibility of the IT infrastructure and frequent scans, in order to identify vulnerabilities, which can emerge from one day to the next. When this is put in place, users are able to reduce their system’s exposure to a threat.

The cost implications for business owners can also be quite high. Normally, they will either need to spend a considerable length of time devising and maintaining a work flow to keep their IT infrastructure secure, or invest in vulnerability intelligence and patch management solutions. These solutions vary greatly in scope, breadth and maturity. Price can also vary from a couple of pence up to over £20 per device/host, depending on the size, needs and security requirements of each organization.

Requirements are determined by both the size of the IT operation teams and the in-house competencies available within the business, which depends on the nature of the data that needs protecting.

It is also important to note that money alone cannot ensure an organization is secure from vulnerabilities as many security breaches stem from human error. One unusually well-documented example of human error is a report released by the US Department of Energy, which provided us with a detailed description of what went wrong, when the exploitation of a vulnerability in its Management Information System (MIS) led to a breach, allowing the theft of over 104,000 individuals’ identifiable personal data.

This particular case contains all the elements that organizations of all sizes face when dealing with IT security:

Internal misalignment which impairs decision making and accountability
Competing priorities which lead to delays in assessing and updating security-critical applications
Fragmented infrastructure which comprises a labyrinth of technologies and systems hooked up in precarious and sometimes mysterious way
Lack of security training and awareness among administrators and users who unintentionally open doors to machines and thereby networks
Poor communication and coordination which leads to misunderstandings and actions that are not taken in a timely manner
Undocumented processes which make it almost impossible to maintain and report security levels

The details of a security breach like this, is a strong reminder to organizations and their leaders, to focus attention on prioritizing the security of their IT environments.