We all appreciate and admire innovation, but in technology, innovation also introduces new vulnerabilities. When software companies release updates, the code often contains weaknesses, and hackers are waiting to exploit them. Software makers then address those vulnerabilities with a security patch, and the cycle repeats with each new software or hardware update.

According to a Positive Technologies study, about 93% of corporate networks are susceptible to hacker penetration. Assessing and managing these network weaknesses isn’t always a priority for organizations. Many suffer breaches because of poor vulnerability management.

61% of security vulnerabilities in corporate networks are over 5 years old.

Hackers take advantage of unpatched vulnerabilities in software code; a vulnerability for which no fix yet exists is commonly known as a ‘zero-day’. Attacks that rely on them include ransomware attacks, account takeovers, and other common cyberattacks.

If you are reading about a data breach and see the term ‘exploit’, it refers to the exploitation of a vulnerability. Hackers write malicious code to take advantage of these ‘loopholes.’ That code can allow them to elevate their privileges and take control, run system commands, or carry out other dangerous network intrusions.

You can reduce your risk by putting together an effective vulnerability management process. It doesn’t have to be complicated - just follow the steps we’ve outlined below to get started.

Vulnerability Management Process

First, recognize the difference between a Vulnerability Assessment and Vulnerability Management.

According to Microsoft Security:
A Vulnerability Assessment determines the risk profile of each vulnerability.
Vulnerability Management is an ongoing process of identifying, evaluating, treating, and reporting vulnerabilities as they occur.

Step 1: Asset Identification

First, identify all the devices and software that you will need to assess. Your in-house IT support department or outsourced Managed Services Provider (MSP) should be able to generate this list. You will want to include all devices that connect to your network, both remote and in-office, including:

Computers
Smartphones
Tablets
IoT devices
Servers
Cloud services

Vulnerabilities appear in many places, such as the code for an operating system, a cloud platform, software, or firmware. So, you’ll want a full inventory of all systems and endpoints in your network.

This is an important first step, so you will know what you need to include in the scope of your assessment.

Step 2: Vulnerability Assessment

Next, perform a vulnerability assessment. This is usually done by a trusted IT services professional using assessment software, and it may also include penetration testing.

During the assessment, the professional performs a non-invasive scan on your systems for any known vulnerabilities. The assessment tool matches found software versions against vulnerability databases.

For example, a database may note that a version of Microsoft Exchange has a vulnerability. If it detects that you have a server running that same version, it will note it as a found weakness in your security.

Step 3: Prioritize Vulnerabilities by Threat Level

The assessment results provide a roadmap and a ‘call to action’ for mitigating network vulnerabilities. There will usually be several, and not all are equally severe, so you will next need to rank which ones to address first.

The vulnerabilities that experts consider severe need to be at the top of the list. Many vulnerability assessment tools will use the Common Vulnerability Scoring System (CVSS), which categorizes vulnerabilities with a rating score from low to critical severity.

It is also wise to rank vulnerabilities by your own business needs. If a piece of software is used only occasionally on one device, you may treat it as a lower priority, but a vulnerability in software used on all employee devices should be ranked as a high priority.
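As an added illustration of the version matching described in Step 2 and the ranking in Step 3 (example code written for this article, not from any scanner product), the script below checks a constructed asset inventory against a constructed vulnerability list with affected version ranges, then orders the findings by CVSS score and by how many assets are exposed. Product names, identifiers and scores are made up for the example.

```python
# Constructed vulnerability "database" entries: (product, first affected version,
# first fixed version, placeholder identifier, CVSS base score). Not real advisories.
VULN_DB = [
    ("examplemail", "2.0.0", "2.4.1", "EXAMPLE-0001", 9.8),
    ("examplemail", "2.4.1", "2.4.3", "EXAMPLE-0002", 5.3),
    ("pdfviewer", "1.0.0", "1.12.0", "EXAMPLE-0003", 7.5),
]

# Constructed asset inventory from Step 1: (hostname, product, installed version).
INVENTORY = [
    ("mail01", "examplemail", "2.4.0"),
    ("mail02", "examplemail", "2.4.2"),
    ("ws-001", "pdfviewer", "1.9.3"),
    ("ws-002", "pdfviewer", "1.12.0"),
    ("ws-003", "pdfviewer", "1.10.0"),
]


def version_key(version):
    """Compare versions component by component, so "1.9.3" < "1.12.0" (a plain
    string comparison would get this wrong and miss the vulnerable host)."""
    return tuple(int(part) for part in version.split("."))


def cvss_rating(score):
    """Map a CVSS v3 base score to its qualitative severity rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def find_vulnerabilities(inventory, db):
    """Return {vuln_id: (score, [hosts])} for installed versions inside an affected range.
    The range is [first affected, first fixed), so the fixed version itself is clean."""
    found = {}
    for host, product, version in inventory:
        for db_product, first_bad, first_fixed, vuln_id, score in db:
            if product != db_product:
                continue
            if version_key(first_bad) <= version_key(version) < version_key(first_fixed):
                found.setdefault(vuln_id, (score, []))[1].append(host)
    return found


def prioritize(found):
    """Rank findings by CVSS score, then by how many assets are exposed (the
    business-needs factor from Step 3), so the widest-spread issues come first."""
    rows = [(vid, score, cvss_rating(score), sorted(hosts)) for vid, (score, hosts) in found.items()]
    return sorted(rows, key=lambda row: (-row[1], -len(row[3]), row[0]))


if __name__ == "__main__":
    for vid, score, rating, hosts in prioritize(find_vulnerabilities(INVENTORY, VULN_DB)):
        print(f"{vid}: CVSS {score} ({rating}), {len(hosts)} host(s): {', '.join(hosts)}")
```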

Step 4: Remediate Vulnerabilities

Refer to the prioritized list and remediate vulnerabilities in that order. Addressing them often means applying issued updates or security patches, but it may also mean replacing hardware that is too old to receive updates.

Another form of remediation may be ringfencing - ‘walling off’ an application or device from others in the network. A company may choose this option if a scan turns up a vulnerability for which a patch does not yet exist.

It is also recommended to increase the advanced threat protection settings in your network. Once you’ve remediated the weaknesses, you should confirm the fixes.

Step 5: Document the Process

Documenting the vulnerability assessment and management process is important. This is vital both for Cybersecurity needs and compliance.

You will want to document when you performed the last vulnerability assessment and all the steps taken to remediate each vulnerability. In the event of a future breach, keeping these logs will be crucial. They also can inform the next vulnerability assessment.

Step 6: Schedule Your Next Vulnerability Assessment Scan

Vulnerability assessment and ensuing mitigation are not one-time tasks. Vulnerability management is an ongoing process. Here at IT Support LA, we like to say that battling cybercriminals and vulnerabilities is like a never-ending game of ‘Whack-a-Mole.’ Whack one and a new one appears.

In 2022, there were more than 22,500 new vulnerabilities documented. Developers continuously update their software, and each new update can introduce new vulnerabilities into your network.

Your best practice is to set a schedule for regular vulnerability assessments. The cycle of assessment, prioritization, mitigation, and documentation should be ongoing. This fortifies your network against cyberattacks as it removes one of the main enablers of hackers.

Frequently Asked Questions

Q: Is vulnerability scanning the same as penetration testing?

A: No. A vulnerability scan is an automated process that looks for and reports potential vulnerabilities.
Penetration testing involves ‘hands-on’ examination of the system by a real person. It tries to detect and actually exploit any vulnerabilities found. A penetration test might be included in the overall vulnerability assessment.

Q: Why is a penetration test considered to be better than a vulnerability scan?

A: According to PurpleSec, “Vulnerability scanning identifies known vulnerabilities, lack of security controls, and common misconfigurations within systems on a network. Penetration testing simulates an attack to exploit weaknesses in order to prove the effectiveness of your network's security.”

Q: How long does a vulnerability scan take?

A: It all depends on the size (data, apps, etc.) of the network being scanned. These scans generally tend to run from 20 to 60 minutes.

Q: When should a vulnerability assessment be done?

A: It is recommended to perform a vulnerability assessment on a quarterly basis, although any compliance requirements a company must meet may impose their own timeline.

How secure is your network?

As a reputable member of the IT Support Los Angeles community since 2002, IT Support LA offers a FREE, no-risk network and security assessment. It is a non-intrusive scan that allows us to deliver a comprehensive report that is yours to keep. No strings, and no obligation to ever use our Managed IT Services.

The best defense is the best Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider (MSP) to ensure continued reliability and defenses against newly emerging threats.

With our 100% Money Back Guarantee in writing, we offer a risk-free way for prospective clients to try us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.

Among the Managed IT services we provide:

IT HelpDesk Service
Onsite IT Support
Cybersecurity
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)

Get Started with a Vulnerability Assessment

Take the first step towards effective vulnerability management. We can help you fortify your network against attacks. Our FREE network and security assessment will shine a spotlight on all vulnerabilities in your system. Give us a call today!

IT Support LA is an award-winning Managed Services Provider (MSP):
o  3 Years awarded Best IT by the Small Business Expo
o  Awarded 2nd best company of any type in the US by the Small Business Expo SB100
o  Awarded Best IT in California by Channel Futures
o  Winner of Best IT Support in Los Angeles 2021 by Channel Futures
o  Listed as one of the world’s Top 501 Managed Services Providers by CRN and in the top 250 in the ‘Pioneer’ listing
o  4 years listed as one of the Top 501 MSPs in the World by Channel Futures
o  Globee 2021 Bronze Award winner for Chief Technology Officer of the Year
o  Globee 2022 Gold Award winner for Chief Technology Officer of the Year
o  Named one of 2022’s 50 ‘Best’ businesses in California by UpCity
o  Named Best of IT Services winner for 2021 by UpCity
o  Winner of Local Excellence Award for 2021, 2022 and 2023 by UpCity
o  Named Best of Cloud Consulting winner for 2021 by UpCity
o  Certified as Top MSP and Cybersecurity Pro for 2021 by UpCity
o  Named Best IT Support in Los Angeles for 2021 by Expertise.com.

For more information, or to receive your FREE no-risk network and Cybersecurity assessment, just fill out the form on this page or call us at:
818-805-0909