Vulnerability Scanning: what it is and why you need it

Identifying cyber security vulnerabilities in your websites, applications and infrastructure.

What is vulnerability scanning?

A vulnerability scan assesses your systems for security flaws that could be exploited by cyber attackers aiming to take control of your systems or steal your data.


What's the difference between vulnerability scanning and penetration testing?

Vulnerability scanning is an automated process that identifies your cyber security weaknesses.

Penetration testing goes one step further. It involves professional ethical hackers combining the results of automated scans with their expertise to reveal vulnerabilities that may not be identified by scans alone.

By mimicking the techniques used by criminals and other threat actors, they can determine the extent to which your organisation is vulnerable to attack.

Speak to an expert

For more information about how our vulnerability scanning service and our CREST-accredited penetration testers can help safeguard your organisation, call us now on +44 (0)1474556685, or request a call back using the form below.

Why is vulnerability scanning important?

Managing the vulnerabilities in your networks and software is an essential component of your cyber security efforts.

Vulnerabilities are common. New ones are discovered all the time, or can be introduced as a result of system changes.

When such vulnerabilities are discovered, cyber criminals use automated attacks to attempt to exploit them and gain access to unsecured systems.

These attacks are cheap and easy to run, and are indiscriminate, so every Internet-facing organisation is at risk.

All it takes is one vulnerability for an attacker to access your network.

This is why applying patches to fix these security vulnerabilities is essential: if you don’t update to the latest versions as they are released, the vulnerabilities in your systems will remain exploitable and your organisation exposed.

Worse than this is the fact that the vast majority of intrusions are not discovered until it is far too late – usually months after the organisation has been breached.

What should a vulnerability scan entail?

Network scans should cover every Internet-facing device, as well as the software running on them.

Vulnerability scanning and remote working

Identifying and mitigating security vulnerabilities is especially important when staff work from home.

For instance, when you connect to the Internet via a home network, security features that you usually take for granted in the office, such as filtering, firewalls and encryption, might not be available.

And when staff use their own equipment (known as BYOD or ‘bring your own device’) to connect to the corporate network, you will have less control over the configuration of their security settings.

It is also essential to keep your VPN (virtual private network) software up to date to ensure staff have secure remote access to corporate systems.

When should you carry out vulnerability scans?

You should have a regular programme of vulnerability management. Scanning and penetration testing should be conducted at least monthly, as well as when you make changes to your systems.

This will help identify your security weaknesses and the extent to which you are open to attack.

This is why it is mandated by many laws, regulations and standards. For instance:

Cyber Essentials

Patch management is one of the five security controls of Cyber Essentials – a UK government scheme that sets out the basic cyber security measures that all organisations should implement to help mitigate around 80% of cyber attacks. Vulnerability scanning identifies where security patches are needed.


The PCI DSS (Payment Card Industry Data Security Standard)

Compliance with the PCI DSS requires merchants and service providers to undergo regular vulnerability scanning by an ASV (Approved Scanning Vendor).


ISO/IEC 27001:2013

The international standard for information security, ISO 27001, states that “information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk”.


The EU GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018

Although vulnerability scanning is not explicitly required by the GDPR and DPA 2018, they do require organisations that process personal data to ensure that they have implemented appropriate technical and organisational security measures. This involves identifying and mitigating security vulnerabilities.


IT Governance’s Vulnerability Scan service

With a monthly subscription to our Vulnerability Scan service, you can:

  • Scan for thousands of vulnerabilities, helping you see exactly what criminal hackers can see;
  • Receive a detailed report that gives you a breakdown of all your weak spots that need attention;
  • Act quickly to fix your security weaknesses before criminal hackers find and exploit them; and
  • Run and rerun scans as often as you like within a month.
