Here NEBRC student Jake Woodhams looks at vulnerability scans, and why they are important

Updated: Oct 15, 2021

What are vulnerability scans?

Vulnerability scans identify the risks and security flaws present in the computer systems, applications, and networks of an organisation. This is usually done through the use of software known as a vulnerability scanner, which searches for these vulnerabilities automatically so that risks are identified efficiently. The software will identify and list threats; the skill is in determining which are the most dangerous, so that they can be prioritised and fixed ahead of the lesser threats. Often this information needs translating from tech speak into plain business language, and this is something which we at the NEBRC are always keen to do.

The threats that an organisation faces are always changing. For this reason, it is essential that vulnerability scans are carried out regularly, ideally once a year, sometimes more, depending on the business context, to ensure that any new threats are identified as quickly as possible.
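The two points above, triaging a scanner's list of findings by how dangerous they are and re-scanning regularly to catch what is new, can be shown in a few lines of code. The following is an added illustration, not NEBRC's tooling or the output of any real scanner: the findings, the check names and the severity/exposure weights are constructed assumptions. It ranks findings by severity scaled by exposure (an internet-facing flaw outranks the same flaw on an internal host) and compares two scan runs to report what has appeared and what has been fixed since the last scan.

```python
"""Triage scanner findings and track change between two scans.

Constructed example for illustration; the findings below are invented,
and the weights are an assumed, deliberately simple prioritisation scheme.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check: str        # name of the scanner check that fired (constructed)
    severity: str     # "critical" | "high" | "medium" | "low"
    exposure: str     # "external" (internet-facing) or "internal"


# Assumed weights: severity first, doubled when the host faces the internet.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE_WEIGHT = {"external": 2, "internal": 1}


def priority(f: Finding) -> int:
    """Higher is more urgent; unknown labels raise rather than score silently."""
    return SEVERITY_WEIGHT[f.severity] * EXPOSURE_WEIGHT[f.exposure]


def prioritise(findings):
    """Most urgent first; ties broken by host and check for a stable report."""
    return sorted(findings, key=lambda f: (-priority(f), f.host, f.check))


def new_since(previous, current):
    """Findings in the current scan that the previous scan did not report."""
    seen = set(previous)
    return [f for f in current if f not in seen]


def resolved_since(previous, current):
    """Findings from the previous scan that no longer appear."""
    still_open = set(current)
    return [f for f in previous if f not in still_open]


def summary(findings):
    """Plain-language counts per severity for a non-technical reader."""
    return dict(Counter(f.severity for f in findings))


# Constructed scan results: a previous run and the latest run.
PREVIOUS_SCAN = [
    Finding("web01", "outdated-tls-version", "high", "external"),
    Finding("web01", "expired-certificate", "medium", "external"),
    Finding("fs01", "smb-signing-not-required", "medium", "internal"),
]
CURRENT_SCAN = [
    Finding("web01", "outdated-tls-version", "high", "external"),
    Finding("web01", "missing-security-update", "critical", "external"),
    Finding("fs01", "smb-signing-not-required", "medium", "internal"),
    Finding("wks07", "outdated-browser-plugin", "low", "internal"),
]


if __name__ == "__main__":
    print("Fix in this order:")
    for f in prioritise(CURRENT_SCAN):
        print(f"  [{priority(f)}] {f.host:6} {f.check} ({f.severity}, {f.exposure})")
    print("New since last scan:", [f.check for f in new_since(PREVIOUS_SCAN, CURRENT_SCAN)])
    print("Resolved since last scan:", [f.check for f in resolved_since(PREVIOUS_SCAN, CURRENT_SCAN)])
    print("Summary:", summary(CURRENT_SCAN))
```

The comparison between runs is what turns a one-off scan into the regular monitoring the article recommends: the "new since last scan" list is the set of issues that did not exist, or were not known, at the previous check.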

Why are they important? Are they necessary?

Fix issues before they are found by the wrong people

Identifying the weaknesses within systems early and consistently means that they can be managed before a hacker discovers them. Hackers could use these weaknesses to cause harm to a business by accessing computer systems via the weakness or releasing confidential information held by the company. This is commonly known as a data breach.

An investment that could save a business a lot of money

Data breaches can leave a business with large financial losses due to fines and remediation costs. For this reason, it is important that these vulnerabilities are fixed before they can be exploited. It is much cheaper for a business to remediate vulnerabilities through scans than paying the costs of these vulnerabilities being exploited - not to mention the associated reputational damage.

Keep customer information safe and confidential

Preventing these types of breaches by remediating vulnerabilities can help to give a business a good reputation and gain trust from its customers. It can further add real value to a business and increase share price and sale value. Any business due diligence now looks at cyber security posture and asks questions such as: when was your last security test? What was its scope? How frequently do you run scans?

Gather information about the effectiveness of the company’s security

Frequently assessing the weaknesses within an organisation’s systems can also help to determine the effectiveness of other security measures that are in place, such as antivirus software. This will allow businesses to see if deployed security measures are working to the best of their ability to protect their systems.

How can the NEBRC help with this?

The NEBRC offers a vulnerability assessment service which includes three types of vulnerability assessments: internal, remote and web. The difference between these three assessments is the scenarios that they attempt to simulate.

An internal vulnerability assessment simulates a hacker who already has access to a computer system within the organisation. This could be an employee or a hacker who has already managed to gain access to a system through an untreated vulnerability. An internal vulnerability assessment will help to protect systems internally to prevent a hacker from causing any further damage, and contain the threat.

A remote vulnerability assessment simulates a hacker who would be trying to find vulnerabilities in a system, service or application that is connected to the internet by the company. By protecting systems externally, hackers will not be able to gain access to any systems or access any information that they shouldn’t be able to.

A web application assessment simulates a hacker scanning your website for weaknesses, which could be exploited. It also tests any fields which allow text input, and checks for outdated software.

The crucial thing to remember about our services is that we don’t just print out and give you a copy of a software scanner's output with no support or interpretation of the findings. We pride ourselves on helping non-technical businesses understand the jargon, in an easy-to-understand, actionable report that puts any findings into a business context.

Remember, cyber risks are just like any other risks to your business, and if you treat them as such, and put the things in place to mitigate or reduce those risks, your business will be in a strong, resilient position.

For further information contact us at