We talk a lot about keeping your business safe from cybercrime, whether we’re addressing industry specific issues, like those for healthcare and banking, or general tips to fight off phishing attempts, ransomware attacks, and other major cybersecurity threats. But how do you know if the measures you’re taking to protect your business from cybercrime are working? Where are the gaps?
There are different types of tests that measure your organization’s level of cybersecurity (some of which may be required to meet compliance standards). But among the many tests you can run, the top three are vulnerability scans, penetration tests, and risk analysis.
Ideally, you’d combine these methods to get a complete picture of your security health, but we recognize that the expense adds up quickly. So let’s help you figure out which strategy is best for your business by highlighting the benefits of vulnerability scans, penetration tests, and risk analysis tests.
This type of assessment is best for organizations who have no clue where to start, what potential threats they’re vulnerable to, or have little working knowledge of their IT health and maturity. A vulnerability scan examines the entire scope of your organization by plugging into your network and comparing the results against known vulnerabilities. It provides a complete inventory of your technology gaps.
In a vulnerability scan, there are 4 phases:
During this phase, all of your devices on your network are identified and then scanned for vulnerabilities.
Once the scan is complete, the results are evaluated to determine the urgency of fixes, which fixes may resolve large scale issues (sometimes one update can take care of 20 flagged vulnerabilities).
Your vulnerability scan provides areas of weakness. Your team will treat all or some of them based on your need and desire.
Here is where all the results of the before and after come to play. You’ll receive a comparison of the system before, what was fixed, and a plan of action for next steps.
This wide net approach simply provides a detailed roadmap of every entry point a threat could attack your business while providing the recommended resolution and rating them from mild to severe in priority.
This type of test is best for those with a particular concern in mind or when you’re looking to test something that is difficult to detect with scanning software. Also known as a “pen test,” penetration tests differ from vulnerability scans in that they don’t reveal your areas of weakness, they simply seek to exploit them to get into your system. This “hacking for good” tactic is known as White Hatting, and with penetration tests, the hackers usually stay in your system for long periods of time.
This method is designed to show you the level and scope of detail a hacker could get from your system over the course of months without you ever knowing. Penetration tests are more targeted than their vulnerability scan counterparts, where you’re looking to take a deep look into the security of one particular business component that your success may rely on. Penetration tests have several variations to choose from based on your business need.
Once the predetermined time period has passed, penetration test results are provided and the follow-up steps are up to you.
Simply put, risk analysis is a summary of the impact a breach would have on your business. This includes:
- Cost of risk
- Public harm from potential risk
- Level of vulnerability
- Business impact
This is a good way to get an executive level summary of just how damaging ignoring your weaknesses could be. It is important to note that a risk analysis does not examine specifics or provide a thorough roadmap of what needs to be resolved. It simply provides an analysis of what an event could do to your business.
No matter which solution you choose, it’s important that you maintain compliance, and test your business, especially after making large network changes (like scaling).
Subscribe to our blog