If you’ve been following this series of blog posts, you know that SolarWinds MSP recently released the results of a survey into the cybersecurity preparedness of businesses, based on the experiences of 400 SMBs and enterprises across the U.S. and the U.K. Read this blog post for the full story.
As part of this survey, we uncovered seven key areas where companies were obviously failing in their approach to security. This series of posts unpacks these areas one by one, with the intention of helping companies, managed service providers (MSPs), and other IT professionals get a handle on growing security threats.
Last week we looked at how companies are being “Shortsighted” in the way they are applying security policies across the board. This week we focus on how too many companies are being “complacent” in terms of reporting and keeping on top of their potential regulatory requirements.
One of the biggest problems companies and their service providers face during and after a breach is figuring out what went wrong and where. This is one of the most crucial parts of the process, as it helps you pinpoint failings or gaps in your cyber defence strategy so that you can plan against future ones. Often companies are able to locate the point where it started; in most cases this is a phishing email, where an unwitting member of staff has been duped into clicking on either an infected document or a dangerous link. After that, however, the trail too often goes cold.
To adequately track where things went wrong, companies need to embrace a robust vulnerability management program (essentially solid patch management) along with robust documentation and reporting. For anyone dealing with companies in Europe, this is going to be a big part of GDPR, as well as being an essential cyber security best practice.
Disturbingly, our survey revealed that there is not enough documentation of vulnerability and patch management being done.
Only 29% of respondents could call their vulnerability reporting robust, with the majority (51%) optimistically classifying it as adequate. Surprisingly, as many as 19% claimed that they have no reporting in place at all, and 11% even said they categorically had no plans to investigate its deployment or usefulness.
This means that MSPs have the perfect opportunity to be the superheroes by providing a well-documented vulnerability recording process. They can handle the patch management and retain the documentation for it. Not only is this a huge step for cyber security, it’s something that MSPs can monetize.
This is a crucial part of any vulnerability management program, as you need to be able to provide proof. This is especially true if there is a regulatory requirement to have a vulnerability management program in place. It doesn’t have to be complex, but if MSPs are patching on a monthly basis, they should have evidence of that, and of which patches they installed, in their emails, PSA, or service desk.
Without a vulnerability management program, you could be exposing your customers to the risk of regulatory non-compliance, and ultimately to accusations of negligence in how they protect customer data. As a service provider, that’s not something you want to encounter, because it’s likely that your customer will blame you for their failings.
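The two points above (a vulnerability management program built on patch management plus documentation, and an MSP being able to produce evidence of which patches were installed on which host and when) can be made concrete with a small evidence ledger. The following Python is an added example written for this post, not SolarWinds MSP code: each entry records host, patch IDs, install date and a service-desk reference, and is chained to the previous entry by SHA-256 so that a deleted or edited entry is detectable when the record is later presented as proof. The hostnames, patch IDs ("KB-SAMPLE-…"), dates and ticket numbers are constructed sample data.

```python
"""Hash-chained patch-evidence ledger (added example, not SolarWinds MSP code).

Each record captures which patches were applied to which host and when, and
links to the previous record by hash, so a removed or altered entry breaks
the chain and can be detected at audit time. All sample values are constructed.
"""
import hashlib
import json
from datetime import date

GENESIS_HASH = "0" * 64  # prev_hash of the first record in an empty ledger


def record_hash(record: dict) -> str:
    """SHA-256 over the canonical JSON form of a record, excluding its own hash field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_record(ledger: list, host: str, patches: list, installed_on: str, ticket: str) -> dict:
    """Append one patch-evidence entry, chained to the previous entry's hash."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS_HASH
    record = {
        "host": host,
        "patches": sorted(patches),      # patch identifiers (constructed placeholders here)
        "installed_on": installed_on,    # ISO date, YYYY-MM-DD
        "ticket": ticket,                # PSA / service-desk reference (constructed)
        "prev_hash": prev_hash,
    }
    record["hash"] = record_hash(record)
    ledger.append(record)
    return record


def verify_ledger(ledger: list) -> bool:
    """True only if every stored hash matches its record and every prev_hash links back correctly."""
    expected_prev = GENESIS_HASH
    for record in ledger:
        if record["prev_hash"] != expected_prev:
            return False                 # an entry was removed or reordered
        if record_hash(record) != record["hash"]:
            return False                 # an entry was edited after the fact
        expected_prev = record["hash"]
    return True


def hosts_missing_patching(ledger: list, managed_hosts: list, year: int, month: int) -> list:
    """Managed hosts with no patch evidence in the given month: the gaps an auditor would ask about."""
    patched = set()
    for record in ledger:
        installed = date.fromisoformat(record["installed_on"])
        if installed.year == year and installed.month == month and record["patches"]:
            patched.add(record["host"])
    return sorted(h for h in managed_hosts if h not in patched)


def build_sample_ledger() -> list:
    """Constructed sample: three managed hosts, one June cycle, one host last patched in May."""
    ledger = []
    append_record(ledger, "ws-01.example.local", ["KB-SAMPLE-0001", "KB-SAMPLE-0002"], "2017-06-14", "TKT-1001")
    append_record(ledger, "ws-02.example.local", ["KB-SAMPLE-0001"], "2017-06-14", "TKT-1001")
    append_record(ledger, "srv-01.example.local", ["KB-SAMPLE-0003"], "2017-05-10", "TKT-0990")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    hosts = ["ws-01.example.local", "ws-02.example.local", "srv-01.example.local"]
    print("ledger intact:", verify_ledger(ledger))
    print("no June 2017 evidence:", hosts_missing_patching(ledger, hosts, 2017, 6))
    ledger[1]["patches"] = []            # simulate someone editing an entry afterwards
    print("ledger intact after edit:", verify_ledger(ledger))
```

In practice the `patches` list would come from the endpoint's own inventory (on Windows, the installed-update list exported by the patching tool) and the ledger file would be stored alongside the service-desk ticket it references; the point of the chain is that the evidence you hand to an auditor or regulator is the same evidence you recorded at patch time.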
Next week’s blog post will look at how companies’ “inflexibility” is affecting their ability to defend themselves.
© 2017 SolarWinds MSP UK Ltd. All rights reserved.