Close
  • Français
  • English

2018/01/13Vulnerability management: act before it is too late (By Sergio Loureiro, SecludIT)

In an even more connected society and facing the 2.5 quintillion data bytes generated every day in the world (2017, Up Numérique), companies have two important security challenges: protecting their data and information systems as well as data of their users and customers. In order to make businesses aware, many laws and regulations recommend to monitor continuously the IT of companies and to correct any breach as quickly as possible. Yet 90% of CISOs indicate that the detected security flaws are not processed (ServiceNow 2017 study). So, are companies condemned to lose the battle against vulnerabilities?

Vulnerability management: recommended by every regulations

Over the years, the various national and European regulations and security standards such as ANSSI’s hygiene guide (French security agency), the Network and Information Security (NIS) directive, the PCI DSS standard for online payments, the Military Programming Law (LPM) have all had the objective of encouraging companies to strengthen their cyber security.
Thus, they push to “implement qualified systems of detection of the events liable to affect the security of their information systems” (Article 22 of the LPM) or “to ensure the follow-up, the audit, the control and to ensure to the security of systems and facilities “(Chapter V – Article 16 NIS).
For its part, the PCI DSS requires the establishment of a vulnerability management program (Conditions 5 and 6 – Data Security Standard v3.0). When we know that 50 new vulnerabilities are discovered every day, the area of exposure to cyber attacks for companies has never been so important. It is also time to act because currently, a company corrects a vulnerability on approximately 200 days after its detection while the patch process has decreased from 45 to 15 days.

GDPR accentuate security duty

More binding, the new European regulation expects more organisation and rigor. Articles 25, 32, 49 and 50 in particular express the new measures for personal data security. Article 49, in particular, focuses on “the ability of a network or information system to resist (…) accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered”. So, security must be provided preventively, continuously and companies must keep the traceability of the data and alert the users in case of violation of those ones. Unlike the national and European regulations mentioned above, the RGPD imposes its directives on the security policy to be carried out under pain of legal penalty for non-cooperative companies.

The only effective solution: the vulnerability scanner

Today the question is no longer “am I safe?” but “what is my security level and what are the actions to put in place to improve it?”. To answer this one and to be in good standing with the legislation and especially the RGPD, the most adapted tool is the vulnerability scanner. Automated, it continuously monitors the breaches potentially exploited by hackers and detects all new referenced vulnerabilities. It saves time for technical teams who will no longer have to do time-consuming manual analysis. They will be able to correct more quickly vulnerabilities, in particular the most critical ones which are the most dangerous.
Simple, rapid and effective, the vulnerability scanner has everything to reassure companies and support the CISOs work. At this time of RGPD and penal constraints tightening, it would be regrettable for companies to suffer from legal actions which would greatly affect their activity.

Companies are not condemned to lose the battle against vulnerabilities but they must choose and coordinate their weapons (the vulnerability scanner is the first shield). For this, the FIC is the perfect opportunity to discover the latest cybersecurity novelties and find the solution or solutions that best suit its business. In terms of security, the ball is in the companies’ camp.