Vulnerability Scans: What They Are and Who Needs Them

As cybercriminals continue to use their ingenuity to find ways to steal data, the tools we use to combat their efforts continue to multiply. One tool that has become more common (and more accessible and affordable as a result) in recent years is the vulnerability scan.

What Is a Vulnerability Scan?

A vulnerability scan is, more or less, what it sounds like. A software tool scans your network in order to detect vulnerabilities that cybercriminals could take advantage of to gain access to your data. In IT-speak, a vulnerability is a weakness in a system that could lead to an accidental or intentional breach or loss of data. Locating vulnerabilities is key to understanding the level of risk your data faces and, of course, determining what changes may need to be made to eliminate vulnerabilities and protect against threats. Thus, vulnerability scans are crucial to industry frameworks, such as the widely adopted NIST Cybersecurity Framework, for managing risks to confidential data.

Who Needs Vulnerability Scans?

The short answer is that any company or organization that stores highly confidential data—data it wishes or has the legal obligation to protect—should utilize vulnerability scans. 

The long answer is that, while vulnerability scans are helpful for any business that values cybersecurity, they are essential for companies and organizations who fall under government or third-party regulations. Here are just a few examples of regulations that necessitate vulnerability scans:

  • HIPAA: HIPAA requires healthcare organizations to perform regular risk analyses to determine exactly how secure patients’ EPHI (electronic protected health information) is. Vulnerability scans are an efficient way to establish a baseline of information for a HIPAA risk assessment.
  • GLBA/SEC: Like HIPAA, the Graham Leach Bliley Act (GLBA), requires that financial institutions (ranging from broker-dealers to insurance companies) perform regular risk assessments to establish the security of customers’ PII (personally identifiable information). And, in their September 2015 bulletin announcing their Cybersecurity Examination Initiative, the SEC specifically listed “Information regarding the firm’s vulnerability scans and any related findings and responsive remediation efforts taken” among documents their auditors would be looking for.
  • FINRA: This self-regulatory organization with oversight over brokerage firms and securities markets also recommended, in its 2015 Report on Cybersecurity Practices, that firms use vulnerability scans as part of a comprehensive risk management strategy.
  • PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) applies to all merchants that directly process, store, or transmit credit card information and requires even small to mid-sized businesses to pass a vulnerability scan run by an Approved Scanning Vendor (ASV).

So, if your business falls under any of these regulations, vulnerability scans are critical to your compliance.

Ready to Take the Next Step?

Contact us today for help determining whether your business or organization needs a vulnerability scan, and for information on how to select the right kind of scan for your needs.