We recently covered the ICO advice regarding ransomware. We mentioned the severe penalties for a breach of data and also how those on your email marketing lists might react. Many suggest the latter puts the former in the shade. In order to help you protect your data as far as possible, the NCSC has issued guidance regarding vulnerability management. https://www.ncsc.gov.uk/guidance/vulnerability-management
It is not a simple case of eradicating all vulnerabilities. You need to identify the threats of each, prioritise them, identify the ones which are likely to affect you the most and then, as always, manage funding in order not to waste money. The Guidance is written in a clear and straightforward manner. It is aimed at organisations that use technologies and are responsible for keeping them secure. Every company in email marketing has sensitive data needing protecting from Internet-based attacks. This includes yours.
There are limitations in addition to cost of protection systems. There’s disruption, compatibility and, that most unnerving of situations, the risks inherent in massive upgrades of software and more. If you look at the problem as a whole, it’s daunting. If it isn’t, you haven’t quite understood the problem.
The Guidance breaks the task into three main parts: working out what vulnerabilities you have; triaging them; finally, prioritising the various fixes required. All fairly predictable. Some of the suggestions under the first heading are fairly straightforward and probably, maybe hopefully, something you do already. You should have a regular, many suggest at least monthly, vulnerability check through your whole system; it helps make it as non-disruptive as possible.
Automated vulnerability assessments are covered, and explained for those of us not fully aware of their potential. For email marketing they are an essential. There is a temptation to think that once the assessment has been completed, work is finished. Ignore this feeling.
Triage is one of those words most often used without fully understanding all its implications. Obviously, it’s a judgement issue. It takes time to decide priorities. Such matters need to be fully resourced, not necessarily by money, but by having a group, one that includes all departments affected, meeting, perhaps by Zoom, every time a vulnerability assessment has been completed.
There is an inherent risk with triage, one that goes from email marketing to dealing with major road traffic collisions, and that is to ignore those matters which are not included in the top two. It’s an easy trap to fall into.
Finally, we come to prioritising the fixes. Don’t confuse this with triage as different criteria must be considered. The Guidance explains various limitations, and goes on to point out that not only what we should fix but also how to decide what we can afford to fix. We can’t just ignore a specific problem because of costs, despite money being critical in email marketing.
As always, you must document all your processes, including the reasons for your conclusions, and the checks you made to ensure the work was done according to the schedule. You never know when you might need to explain your processes.
