Why Vulnerability Management?

Cybersecurity is in a constant state of flux. Data breaches happen so frequently that it is no longer a shock to hear that your personal information has been compromised. With increased scrutiny on how organizations manage their security risk, it is more important than ever to create and implement a robust vulnerability management program.

Working in the cybersecurity world, we have seen firsthand the damage a single vulnerability can cause and how easily some breaches could have been avoided. My team has worked with numerous companies to shore up their defenses and build a mature cybersecurity posture, often starting with vulnerability management.

What Is Effective Vulnerability Management?

Vulnerability management is more than running a vulnerability scanner once a year and remediating whatever it reports. A robust vulnerability management program includes multiple scans per year, detailed tracking and remediation of each finding, vulnerability and root-cause analysis, and clear, actionable reporting.

Vulnerability scanning should happen on a frequent basis. The frequency is determined by the organization’s risk appetite and any applicable regulatory requirements, but I recommend at least quarterly scans as part of a robust program. Performing only a single vulnerability scan each year can leave newly disclosed vulnerabilities undiscovered for up to a year, and that window is all an attacker needs to compromise a network. I’ve seen this happen with clients who just wanted to check the security box to satisfy regulatory requirements. These clients typically have the same vulnerabilities year after year, and as time progresses, so does the number of vulnerabilities discovered.
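The tracking the program calls for is easiest to see with a small diff of successive scans. The following is an added example, not code from the original article or from any scanner vendor: it takes constructed quarterly scan exports (the hosts, the VULN-* identifiers and the dates are made up for illustration), reports what is new, remediated and persisting between scans, flags findings that have been open longer than a severity-based remediation SLA, and lists the chronic findings that appear in every scan. The SLA values and the export format are assumptions; a real tracker would key findings on the scanner's plugin or CVE identifier and read the dates from the export.

```python
"""Track vulnerability findings across successive scans.

Added example with constructed data; SLA_DAYS and the export format are
assumptions, not taken from any particular scanner or policy.
"""
from collections import namedtuple
from datetime import date

Finding = namedtuple("Finding", "host vuln_id severity")

# Remediation SLA in days per severity (assumed values; set from your own
# policy or regulatory requirements).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed quarterly scan exports (not real scanner output):
# scan date -> findings present on that date. Identifiers are placeholders.
SCANS = {
    date(2023, 1, 15): {
        Finding("web01", "VULN-A", "critical"),
        Finding("web01", "VULN-B", "medium"),
        Finding("db01", "VULN-C", "high"),
    },
    date(2023, 4, 15): {
        Finding("web01", "VULN-B", "medium"),
        Finding("db01", "VULN-C", "high"),
        Finding("db01", "VULN-D", "high"),
    },
    date(2023, 7, 15): {
        Finding("web01", "VULN-B", "medium"),
        Finding("db01", "VULN-C", "high"),
        Finding("web01", "VULN-E", "low"),
    },
}

# Date the report is generated (constructed for the example).
REPORT_DATE = date(2023, 7, 31)


def diff_scans(previous, current):
    """Return (new, remediated, persisting) findings between two scans."""
    return (current - previous, previous - current, current & previous)


def first_seen(scans):
    """Map each finding to the earliest scan date on which it appeared."""
    seen = {}
    for scan_date in sorted(scans):
        for finding in scans[scan_date]:
            seen.setdefault(finding, scan_date)
    return seen


def sla_breaches(scans, as_of):
    """Findings still open in the latest scan whose age exceeds the SLA for
    their severity. Returns (finding, age_days, sla_days) tuples, the most
    overdue first."""
    latest = scans[max(scans)]
    ages = first_seen(scans)
    breaches = []
    for finding in latest:
        age = (as_of - ages[finding]).days
        limit = SLA_DAYS[finding.severity]
        if age > limit:
            breaches.append((finding, age, limit))
    return sorted(breaches, key=lambda b: b[1] - b[2], reverse=True)


def chronic_findings(scans):
    """Findings present in every scan: the same vulnerabilities year after year."""
    return set.intersection(*scans.values())


if __name__ == "__main__":
    dates = sorted(SCANS)
    for prev, curr in zip(dates, dates[1:]):
        new, fixed, kept = diff_scans(SCANS[prev], SCANS[curr])
        print(f"{prev} -> {curr}: {len(new)} new, {len(fixed)} remediated, "
              f"{len(kept)} persisting")
    for finding, age, limit in sla_breaches(SCANS, REPORT_DATE):
        print(f"SLA breach: {finding.host} {finding.vuln_id} ({finding.severity}) "
              f"open {age} days, SLA {limit} days")
    print("chronic:", sorted(f.vuln_id for f in chronic_findings(SCANS)))
```

Run as a script, the diff shows one finding fixed and one introduced each quarter, the SLA check flags VULN-C and VULN-B as months past their limits while the new low-severity VULN-E is still within policy, and the chronic list is exactly the pair that no quarterly cycle ever cleared. Keying on host plus identifier is what lets a tracker tell "remediated" from "fell off the scan scope", so scope changes between scans should be recorded alongside the findings.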

Why cyber insurance?

A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event. With its roots in errors and omissions (E&O) insurance, cyber insurance began catching on in 2005, with the total value of premiums forecasted to reach $7.5 billion by 2020. According to PwC, about one-third of U.S. companies currently purchase some type of cyber insurance.
The numbers indicate that organizations see a need for cyber insurance, but what does it cover? Cyber insurance typically covers first-party expenses as well as claims made by third parties. Although there is no standard for underwriting these policies, the following are common reimbursable expenses.

• Investigation: A forensics investigation is necessary to determine what occurred, how to repair the damage and how to prevent the same type of breach from recurring. Investigations may involve the services of a third-party security firm, as well as coordination with law enforcement, including the FBI.
• Business losses: A cyber insurance policy may include items similar to those covered by an errors & omissions policy (errors due to negligence and other reasons), as well as monetary losses caused by network downtime, business interruption, data loss recovery and the costs of managing a crisis, which may include repairing reputational damage.
• Privacy and notification: This includes required data breach notifications to customers and other affected parties, which are mandated by law in many jurisdictions, and credit monitoring for customers whose information was or may have been breached.
• Lawsuits and extortion: This includes legal expenses associated with the release of confidential information and intellectual property, legal settlements and regulatory fines. This may also include the costs of cyber extortion, such as from ransomware.