Over 40,000 Common Vulnerabilities and Exposures (CVE) records were published in 2024, 38% up on the year before, an average of around 108 new CVEs a day.
But these are far from the only cyber risks within most organisations: there may be misconfigurations, poor password hygiene and human error creating multiple critical vulnerabilities throughout the business.
It is always wiser, and more cost-effective, to find vulnerabilities and understand their potential impact before someone else does. This is where vulnerability assessments play a key role: identifying vulnerabilities, understanding the risks associated with them, and prioritising the measures that address them.
At its core, a vulnerability assessment provides a systematic, auditable method for identifying and classifying the organisation’s security weaknesses in a standard, internationally recognised way, together with a framework for remediating the resulting risks.
Despite the emphasis on the importance of vulnerability assessments, too many companies still treat them as checkbox exercises instead of understanding where they fit into the wider security programme.
Approached methodically in line with international best practice, a vulnerability assessment is the organisation’s first line of cyber security defence and should be used as a stepping stone for continuous improvement.
It is, in essence, a systematic process to identify and help classify security weaknesses in an organisation so it can better understand and prioritise which vulnerability or weakness to tackle first. Prioritisation is important because security budgets aren’t endless.
There is some arithmetic behind deciding what counts as critical. The most widely used classification is the Common Vulnerability Scoring System (CVSS), a standard that rates the severity of a software vulnerability with a score from 0.0 to 10.0, derived from how it is exploited (attack vector, attack complexity, privileges required and user interaction) and its impact on confidentiality, integrity and availability. The score measures technical severity in isolation; on its own it does not say how much a given weakness matters to a particular organisation.
A thorough vulnerability assessment also enables the company to benchmark itself and track improvement over time. It can identify trends: for example, whether the number of vulnerabilities is rising or falling, and how quickly they are being mitigated.
The process itself offers further benefits. It starts by establishing the scope, whether a network range or an application. For an IT manager who is new to the job, it is an opportunity to discover every asset connected to the network, then the operating systems and services running on them, and then the vulnerabilities associated with what has been found.
At a narrower scope, a full vulnerability assessment of a single web application identifies that application’s weaknesses; if any are found, the company can take them back to its service provider and ask for further controls to be implemented to make it more secure.
Why prioritisation is important
Because few organisations have the resources to mitigate all risks immediately, risks are prioritised, and some can be transferred. For example, if a vulnerability is found in an application built by a third-party development house, the company can require that supplier to fix it, or move to a different supplier. Transferring the remediation does not remove the exposure in the meantime, so the finding should stay on the register until the fix is confirmed.
Some risks may also be deemed acceptable, and some medium risks identified in an assessment can be addressed temporarily with a compensating control. For example, if a vulnerable server cannot be patched immediately because of business dependencies, it can be placed behind access controls so that only the people who need it can reach the vulnerable component, until the operational window or budget for a proper fix is available.
Following a full vulnerability assessment and penetration testing, organisations gain an understanding of their vulnerabilities, and what the real impacts of these vulnerabilities could be.
In some cases, organisations are startled to discover the number of vulnerabilities they have. In others, IT was aware of them but battled to secure a budget to mitigate the risk.
In a feedback session after a vulnerability assessment, I outline which external and internal vulnerabilities would affect the company the most, based on both the CVSS score and the context in which they are found.
For example, a self-signed certificate on a printer in someone’s office is a lower risk internally than it would be externally. Seen from the internet, the same certificate would be rated higher because it could cause reputational damage.
Prioritisation is not based on the technical finding alone, but on the technical finding in its context. The vulnerability is still worth recording, but the company can be advised on where in its roadmap to address it.