Leaving vulnerabilities in your enterprise systems unpatched is like keeping your front door open all the time. It invites unwanted guests looking to do damage or steal your valuables.
But securing the systems and networks that you rely on to run your business is a little more complicated than protecting your home by locking your doors and windows and installing an alarm system.
Addressing security weaknesses in your operating systems is accomplished through vulnerability management, a proactive cybersecurity process of identifying and patching security holes in your systems, networks and software before they can be exploited by bad actors.
FreightWaves sat down with Antwan Banks, director of enterprise security at the National Motor Freight Traffic Association (NMFTA), to discuss the importance of vulnerability management, common challenges it presents and some best practices.
Along with providing cybersecurity leadership in the trucking industry, NMFTA is a membership organization that provides other vital services to the industry like the National Motor Freight Classification system, Standard Carrier Alpha Code and Standard Point Location Code. It also administers the Digital LTL Council to support the scalable automation and digitization of LTL shipments.
Why vulnerability management matters
Think about all the sensitive information across your business that is stored electronically. There’s likely financial and tax data, Social Security numbers, medical information, private email, trade secrets and more — all information that has the potential to do harm to an organization if leaked.
“The number one way hackers get inside a system is through email phishing to get to an unpatched operating system,” Banks said.
Any computer system that’s Internet-connected poses security risks and provides hackers with entry points to access sensitive information within your organization.
Unpatched vulnerabilities may also be financially impactful in less obvious ways, Banks noted, like causing compliance issues with the payment card industry data security standard or the Health Insurance Portability and Accountability Act. Security exposures could raise your cyber insurance rates as well or give your insurer a reason not to pay after an incident.
How to solve common vulnerability management challenges
While patch management is an essential part of an IT department’s cybersecurity efforts, unfortunately, many organizations are behind on this vital task. Banks shared some of the following challenges that are likely familiar pain points for many IT departments, as well as best practices to overcome them.
Problem: Employees are using home networks. A large percentage of the workforce working remotely at least part time means more are accessing company data on laptops on their home networks. In this environment, patching vulnerabilities has become an even more necessary but complicated task than if devices existed on a single corporate network.
Solution: Use a software client on laptops. Because of the work-from-home culture, Banks recommends IT departments use software clients on their laptops to patch employees’ systems.
“If you don’t have the right tools in place, it’s difficult to know what needs patching and to keep up with patching,” Banks said.
Problem: Companies lack accurate asset counts. Many organizations do not know all of the assets that are on their networks. That makes it harder for cybersecurity professionals to spot and solve vulnerabilities.
“They may not be able to either scan or see information systems that need to be scanned, like shadow IT or legacy systems that weren’t retired and are still on the network. You can’t secure what you don’t know about,” Banks added.
Solution: Use a network scanning tool. Without a good network scanning tool, systems or machines that are on your network could easily be missed.
Problem: Resources are limited. A common reason why many organizations are behind on their patching is that they don’t have the right tools or enough staff with the necessary skills to apply patches.
“You don’t just necessarily throw a patch on a machine,” Banks said. “You need to test it to make sure it’s applicable to your environment. You’d have a test plan, you’d need to go through a change control board so people are aware they are changing their system by applying a patch to it, then you need to push that patch out and test it to make sure it took. If there’s a problem, you need to be able to roll it back. There’s a lot of steps involved, and if you’re resource-constrained, it makes it difficult.”
Solution 1: Prioritize. For most businesses, time and resource constraints make it unrealistic to patch everything. You need a classification and prioritization system to identify the biggest risks. Banks recommends starting with anything that is internet-facing and has an active exploit.
“Make sure you’re scanning and patching your crown jewels routinely. If you’ve got a resource-constrained organization, make sure you cover your most critical assets before those things that are lower on the list,” he said.
If a company is using an outdated or legacy system that can’t be patched, it’s a best practice to put compensating controls in place to protect it.
Cyberthreat intelligence can also help companies prioritize what needs to be addressed first.
“It will tell you what’s actively being exploited, what hackers are looking for and what they’re doing,” Banks added.
Solution 2: Communicate with stakeholders. Communicating updates with system owners and leadership is important, even if your vulnerability team is running behind on patching.
“It’s always a best practice to let the leadership know where they are with your vulnerability management program so they can provide you with more resources or accept risk and have a much slower patching cadence,” Banks said.
Problem: There are tight maintenance windows. In most cases, patching must take place during off hours when systems are not in use. This means there may only be a handful of hours that can be used for scanning and patching, often at night or on holidays.
Solution: Automate. With organizations facing constant threats to their many systems, automating allows them to save time. Implementing tools that can help a business automate vulnerability management as much as possible can help the organization identify risks and remediate security threats more efficiently than traditional patching methods.
To learn more about cybersecurity in trucking, listen to NMFTA’s monthly cybersecurity webinar series, leading up to its October Digital Solutions Conference in Houston.
The conference will bring together cybersecurity, trucking and supply chain professionals to discuss emerging cybersecurity threats and related issues the transportation and logistics industries face.
To learn more about NMFTA, click here.
Join the conversation on social media #NMFTACyber.
The post Security gaps put your business at serious risk appeared first on FreightWaves.