How is a Vulnerability Assessment Done?


A vulnerability assessment is a systematic review of your business’s cyber security vulnerabilities. Its purpose is to identify any weaknesses in your systems that could be exploited, evaluate their risk and priority level, and recommend mitigations for any risks identified. Assessing these vulnerabilities is essential to ensuring that any risks identified can be dealt with before they are exploited. Without knowing which risks are present, there’s no way to address them before it’s too late.

So how is a vulnerability assessment done? Vulnerability assessments are completed through a combination of automated testing, scans, and manual evaluations. These can be performed internally or remotely, and generally consist of three stages: vulnerability identification, analysis, and reporting.

Read on to learn more about how vulnerability assessments are done, what the risks are, how to mitigate them, and what the three stages of the process involve.

How Is a Cyber Vulnerability Assessment Done?

Vulnerability assessments use manual evaluations, automated testing, and scans to identify weaknesses and vulnerabilities in your organisation’s systems and generate a report. This simulates the approach that a cyber criminal would take to infiltrate your system, whether this is via the internet or through an employee. In this way, you’re able to identify the same vulnerabilities that a criminal would find, but by using a trusted company you can rest assured that they won’t exploit them. This is done so that companies can identify the attacks that they might be susceptible to, and mitigate the risk before it happens. After all, you’re not able to protect your business from threats when you don’t know that they’re there.

Vulnerability assessments can be conducted either internally or remotely. Internal testing requires access to your internal network and systems, whereas a remote vulnerability assessment reviews your connection to the internet and searches for potential weaknesses from the outside. Remote testing isn’t the same as penetration testing: it focuses on identifying the weaknesses that may compromise your systems rather than simulating an actual attack.

Once the Cyber Vulnerability Assessment is complete, you will normally receive a service report that includes definitions of your weaknesses and their associated risks, together with plans and guidance on how to mitigate them.

At the North East Business Resilience Centre, our in-depth Business Vulnerability Assessment is performed by our police-led team of ethical hackers, ensuring that all your data is safe while we complete our testing.

What Are The Risks With This?

When working with a reputable company, it’s extremely rare for a vulnerability assessment to cause problems. In theory, poorly maintained or designed systems can suffer outages during a vulnerability assessment – although at NEBRC, we haven’t had an outage as a result of our testing process yet.

Other potential risks would be a result of choosing a service provider that isn’t trustworthy. Because the service includes finding vulnerabilities the same way that a cyber criminal would, the service provider could potentially use this information to exploit those weaknesses in the same way that a criminal would too.

How To Minimise The Risks?

To ensure that your data is safe in the event of an outage, you should support all vulnerability assessments with backup and recovery plans. This ensures that, should an outage happen, you’ll still have all of your data and be able to continue your business afterwards. You should also choose an experienced, reputable service provider so that you know they’re able to perform the assessment effectively. Choosing a reliable provider also means they’re trustworthy and won’t exploit any vulnerabilities that they find.

For a vulnerability assessment from a police-led team that you can trust, visit our Business Vulnerability Assessment page to see what we can do for you.

What Are The 3 Components of a Vulnerability Assessment?

The vulnerability assessment process can vary from company to company, but generally consists of three steps: vulnerability identification, analysis, and reporting. These steps are necessary regardless of whether the testing is conducted internally or remotely, and are essential to cover all the bases.

1. Vulnerability Identification

The aim of this stage is to use scanning and testing procedures to create a comprehensive list of vulnerabilities and threats. This includes automated scanning as well as manual testing and evaluation. The process searches for weaknesses such as:

  • Poorly maintained or designed systems.
  • Insecure Wi-Fi networks.
  • Insecure access controls.
  • Opportunities to access and steal sensitive data and information.

2. Analysis

In this step, the aim is to identify the root cause of each vulnerability found and calculate its associated risk. This involves identifying the key system components responsible for each vulnerability so that the root cause can be located. The risk associated with each weakness is then evaluated to provide more insight into the issue and enable you to prioritise them.

3. Reporting

At the end of the process, you will receive a vulnerability assessment report that includes definitions of your weaknesses, the risks associated with each, and potential mitigations for resolving those risks. The report is written in plain language to make it easy to follow and understand, so that you can adequately assess the severity of each issue and mitigate it effectively.
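To make the three stages concrete, here is an added example (not NEBRC’s own tooling) that takes a small set of constructed identification-stage findings, performs the analysis step (scoring each finding on a likelihood-times-impact matrix, grouping findings by the component responsible so the root cause is visible, and ordering them by priority) and renders the plain-language report lines. The finding ids, component names, score thresholds and mitigations are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed findings (not real scan output), each tagged with the component it stems from.
FINDINGS = [
    {"id": "VA-1", "title": "Staff Wi-Fi shares a pre-shared key with the guest network",
     "component": "wireless", "likelihood": 4, "impact": 3,
     "mitigation": "Separate guest and staff networks; use enterprise authentication for staff"},
    {"id": "VA-2", "title": "File server is missing vendor security updates",
     "component": "file-server", "likelihood": 5, "impact": 4,
     "mitigation": "Apply outstanding updates and enable automatic patching"},
    {"id": "VA-3", "title": "Former employee accounts are still enabled",
     "component": "directory", "likelihood": 3, "impact": 4,
     "mitigation": "Disable leavers' accounts as part of the off-boarding process"},
    {"id": "VA-4", "title": "Shared drive holding HR records is readable by all staff",
     "component": "file-server", "likelihood": 3, "impact": 5,
     "mitigation": "Restrict the share to the HR group and audit who has access"},
]

def risk_score(finding):
    """Likelihood (1-5) times impact (1-5): a simple 1-25 risk matrix."""
    return finding["likelihood"] * finding["impact"]

def risk_rating(score):
    """Map a 1-25 score onto report bands (thresholds are an assumption)."""
    if score >= 15: return "Critical"
    if score >= 10: return "High"
    if score >= 5: return "Medium"
    return "Low"

def analyse(findings):
    """Analysis stage: score every finding and order them highest risk first."""
    scored = [dict(f, score=risk_score(f), rating=risk_rating(risk_score(f))) for f in findings]
    return sorted(scored, key=lambda f: f["score"], reverse=True)

def root_causes(analysed):
    """Group findings by the responsible component: one fix may close several."""
    groups = defaultdict(list)
    for f in analysed:
        groups[f["component"]].append(f["id"])
    return dict(groups)

def render_report(analysed):
    """Reporting stage: one plain-language line per finding, in priority order."""
    return "\n".join(f"{f['rating']} ({f['score']}/25) {f['id']}: {f['title']}. "
                     f"Fix: {f['mitigation']}." for f in analysed)

if __name__ == "__main__":
    print(render_report(analyse(FINDINGS)))
    print(root_causes(analyse(FINDINGS)))
```

Running it shows the two file-server findings grouped under one root cause, which is exactly the kind of insight the analysis stage is meant to surface before the report is written.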

Other Business Vulnerability Assessment Recommendations

We recommend making employees and those that need access to your systems aware that the assessment is taking place – that way they aren’t alarmed in the rare event that an outage does occur. It’s also beneficial to plan ahead with alternative ways for your employees to continue their projects should an outage happen.

The IASME Cyber Essentials Partner network can also help to provide additional support (e.g. full penetration testing). They are also the certifying bodies for the Cyber Essentials and Cyber Essentials Plus schemes, and so can help you achieve these too.

Strengthen Your Cyber Resilience With the North East Business Resilience Centre

At NEBRC, we’re a police-led not-for-profit organisation that’s dedicated to your cyber security. We work closely with you to keep your data safe and reduce your risk of cyber attack.

Visit our website to find out more about our Business Vulnerability Assessments, or to find out about our Web app Vulnerability Assessment to protect your website too. You can also sign up to our free core membership to keep up to date with the latest cyber security matters and keep your business safe online.