Why is it important for organisations to perform regular scans?
"New vulnerabilities are being discovered all the time, even in software that has been in use for some time. Cybercriminals are eager to exploit them. As a result, a system that is assumed properly hardened today can be a target tomorrow. Regularly performing a vulnerability scan ensures that as an organization you can proactively identify and remedy these vulnerabilities, so you can keep cybercriminals at bay. By the way, it is not just about protection against external threats; we also scan to comply with certain agreements or maintain certifications."
Yet we still often hear of large companies becoming victims of digital intrusions or data breaches. What goes wrong?
"It can be anything from a sophisticated attack to an accident, but usually it's just a mistake or a careless action: forgetting to adjust a setting, clicking on a link in a strange-looking email, or not updating in time. But in all of these situations, vulnerability scans can be valuable, for example to detect unsafe settings and missing security updates."
Wrong settings, clicking unsafe links – that's about human behavior.
"And so it is very important for an organization to be aware of cyber risks. That way you avoid most mistakes and can take appropriate action based on the information from those scans. Some organizations do perform scans, but then do not act quickly enough to fix the identified vulnerabilities, because of a lack of resources or because the risk is underestimated. Then you make yourself vulnerable."
How often should organizations perform vulnerability scans?
"Ideally, you continuously monitor all your systems. For many organizations, a weekly or monthly vulnerability scan is already a good start. When a company's IT landscape changes, for example when a new application is onboarded, it is also advisable to perform a vulnerability scan and take measures against any vulnerabilities found."
Are there different types of vulnerability scans?
"Yes, there are. For example, there are internal and external scans. Internal scans focus on an organization's own network, while external scans focus on the systems that are accessible from outside, such as a website or mail server. There are also specialized scans for specific applications, databases, or operating systems. In addition, we can perform compliance scans. These specifically check whether computers or network equipment are set up according to laws and regulations."
More and more organizations are using cloud services. How do you deal with that?
"When using cloud services, it is essential to know where the responsibilities lie. Many providers follow a 'shared responsibility' model: they are responsible for the security of the cloud, while the customer is responsible for security inside the cloud. So you should definitely include your cloud environments in your vulnerability scans."
What do you say to organizations that are not yet running vulnerability scans?
"Start as soon as possible. The question is not if you will ever have to deal with a security incident, but when. It all starts with gaining insight: which systems are we actually managing as an organization? How many are there, and where are they located? If you don't know what you have, you can't secure it. By mapping everything and scanning it regularly, you can prevent a lot of problems."