Vulnerability Assessment for SMEs: what to know to protect yourself effectively

The Clusit Report 2024 analyzes the main cyber threats in Italy and around the world, with a focus on the most affected sectors and the prevalent attack techniques. In 2023, attacks increased by 12 percent globally, with a 65 percent growth in Italy compared to the previous period. The healthcare and financial sectors are particularly vulnerable. The most common attack techniques include malware, the exploitation of vulnerabilities and phishing. The report also highlights the growing impact of cyberwarfare and the use of artificial intelligence in cybercrime. Let's find out what SMEs can do to protect themselves adequately.

What is Vulnerability Assessment (VA)

For the National Institute of Standards and Technology, a Vulnerability Assessment is "The systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation."

On VA, the European Union Agency for Cybersecurity (ENISA) has published essential guidelines and recommendations, with a focus on Coordinated Vulnerability Disclosure (CVD), the coordinated process for reporting and remediating vulnerabilities, to strengthen the security of organizations, including the SME sector. This approach harmonizes the vulnerability detection and reporting process, allowing discoverers to collaborate with stakeholders (vendors and owners of ICT infrastructure) to mitigate risks before the vulnerabilities are publicly disclosed.

(Source: Digital Agenda)

Evolution of threats and types of attacks

According to Clusit reports, cybercrime growth continues to dominate among attack types, making up 83.3 percent of incidents. This is followed by attacks motivated by hacktivism (8.6 percent) and espionage/sabotage (6.4 percent). At the severity level, there is an increase in high-impact attacks: about 53 percent of incidents in Italy are classified as high severity, with a 13 percent growth in critical impact attacks, particularly those based on malware.

SMEs among the hardest hit sectors

The government/military sector was the hardest hit in Italy in 2023, followed by SMEs, with the manufacturing and financial/insurance sectors seeing an increase in attacks of +286%.

The healthcare sector, one of the most targeted globally, has seen a 30 percent growth in incidents. Here are the key findings from the "Clusit Report 2024" and the update published on November 7, 2024 regarding cybersecurity for Italian SMEs:

An alarming scenario

Seventy percent of the companies surveyed are small enterprises with turnover of less than 10 million euros, while 30 percent are medium-sized enterprises with turnover of up to 50 million euros. In micro enterprises, 72 percent have no dedicated cybersecurity staff. Even in larger enterprises, about one-third have no formal delegation of responsibility for cybersecurity.

  1. Adoption of basic technologies: only 20 percent of SMEs use advanced security technologies such as a Security Operations Center (SOC) or Endpoint Detection and Response (EDR) systems, with higher adoption in more structured companies. Firewalls and other basic protection systems, however, are present in a substantial share of the sample.
  2. Cyber risk assessment and insurability: 55 percent of the companies that conducted a cyber risk assessment, also supported by UnipolSai, have an uninsurable risk profile. This indicates the need for significant improvements in security practices to reduce the risk of compromise.
  3. Incident response procedure: a cyber incident management procedure is formalized in only 22 percent of companies, highlighting a gap in the capacity to respond to cyber attacks.
  4. Training and certifications: only 17 percent of SME employees working in cybersecurity have received certified training. In micro enterprises, regular training on cybersecurity and privacy is almost absent, and only 5 percent of companies offer training on a structured and regular basis.

These data paint a picture of vulnerability for Italian SMEs and an urgent need to improve awareness, resources and security practices to keep companies competitive in the face of growing cyber threats.

Attack techniques

Among the main techniques, DDoS (Distributed Denial of Service) attacks increased by 98 percent, while phishing and social-engineering-based attacks grew by 87 percent. Attacks exploiting known and zero-day vulnerabilities saw a 75.9 percent increase, reflecting the high exposure of infrastructure to sophisticated threats.

Impact of geopolitics and future trends

The report highlights how the geopolitical situation, including conflicts such as that between Russia and Ukraine, has influenced cyber attacks, with more frequent disinformation campaigns and targeted attacks on critical infrastructure in Western countries. In Italy, 11 percent of global attacks targeted local organizations, a figure that is up from previous years.

Cyberwarfare and the increasing availability of services such as DDoS-as-a-Service are worrisome trends, along with the increased use of artificial intelligence by cyber criminals to automate attacks. This analysis outlines a landscape in which cybersecurity plays a critical role in protecting essential infrastructure and requires an increasingly integrated and resilient approach.

How vulnerability assessment works

The VA process involves discovering weaknesses in a system and communicating them in a coordinated way so they can be resolved, in order to protect organizations from cyber attacks. ENISA recommends that VA for SMEs include the following elements:

  1. Vulnerability identification: Searching for errors in IT systems that can be exploited by attackers.
  2. Coordination of disclosure: Sharing of vulnerabilities with responsible parties to enable correction before public disclosure.
  3. Legal protection and incentives for researchers: The guidelines recommend establishing clear legal criteria to distinguish between ethical and illicit hacking activities while protecting researchers.

Benefits

Implementing an effective VA improves IT infrastructure resilience, reduces the risks of large-scale attacks and ensures compliance with security regulations. In addition, VA enables SMEs to gain continuous and in-depth insight into their vulnerabilities, helping them to take proactive action.

Implementation

To implement a VA program, ENISA suggests:

  1. Creation of a CVD policy: every organization should have a public policy for vulnerability management, with clear procedures for reporting.
  2. Staff training: to ensure a quick and effective response to reported vulnerabilities.
  3. Incentive and protection systems: to offer rewards for reporting vulnerabilities in compliance with CVD rules, protecting researchers from legal repercussions.

ENISA has produced key documents such as the "Good Practice Guide on Vulnerability Disclosure" and "Developing National Vulnerability Programs," which provide detailed guidance on policies and practices for effective coordinated disclosure.

Vulnerability Assessment and the Penetration Test

Vulnerability Assessment and Penetration Testing are two key cybersecurity methodologies, but they have distinct goals and approaches. As reported by Digital Agenda, the Vulnerability Assessment is an automated scan that identifies known vulnerabilities and assesses their severity, offering a map of weaknesses to be corrected. Penetration Testing, on the other hand, is a manual, simulated attack analysis that seeks to exploit vulnerabilities to verify their real impact. Both are essential: the former to identify broad areas of risk, the latter to verify the real security of enterprise systems.


Using Vulnerability Assessment and Penetration Test in synergy allows you to maximize IT protection by addressing risks comprehensively. Vulnerability Assessment provides a broad and systematic view of vulnerabilities, while Penetration Test explores the actual usability of these vulnerabilities in a simulated attack context. Together, these approaches identify and test for weaknesses, enabling organizations to prioritize solutions and improve defense against real threats, creating a more resilient and secure IT ecosystem.
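As an added illustration (not code from the page, from ENISA or from the Clusit report), this Python sketch combines constructed vulnerability-scan findings with constructed penetration-test results to rank remediation the way the paragraph above describes: a finding the tester could actually exploit outranks an untested one, which in turn outranks a "critical" scan result that the test showed to be unexploitable. The identifiers, sample hosts and the weighting are assumptions.

```python
from dataclasses import dataclass

def cvss_severity(score):
    """Map a CVSS v3 base score to its qualitative band (NVD rating scale)."""
    for limit, band in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return band
    return "Critical"

@dataclass
class Finding:
    host: str
    vuln_id: str          # scanner's identifier; placeholders here, not real CVEs
    cvss: float           # base score reported by the vulnerability scan
    critical_asset: bool  # host handles sensitive data or a critical service

# Constructed VA output (sample data, not a real scan).
VA_FINDINGS = [
    Finding("web-01", "VULN-A", 9.8, True),
    Finding("file-02", "VULN-B", 7.5, False),
    Finding("web-01", "VULN-C", 5.3, True),
    Finding("print-03", "VULN-D", 9.1, False),
]

# Constructed pentest result: True = exploited, False = not exploitable,
# absent = not yet tested (the VA severity then stands on its own).
PT_VERIFIED = {
    ("web-01", "VULN-A"): True,
    ("file-02", "VULN-B"): True,
    ("print-03", "VULN-D"): False,
}

BAND_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
PT_WEIGHT = {True: 10, None: 5, False: 0}  # illustrative weighting (assumption)

def remediation_plan(findings, verified):
    """Rank findings for remediation: exploitable first, then severity band,
    then asset criticality. Each row is (host, vuln_id, band, pt_status, score)."""
    rows = []
    for f in findings:
        band = cvss_severity(f.cvss)
        status = verified.get((f.host, f.vuln_id))  # None when untested
        score = 2 * BAND_RANK[band] + (2 if f.critical_asset else 0) + PT_WEIGHT[status]
        rows.append((f.host, f.vuln_id, band, status, score))
    return sorted(rows, key=lambda r: r[4], reverse=True)
```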


Entities that manage sensitive data or critical infrastructure, such as hospitals, banks, government agencies, and technology companies, particularly need a synergistic approach between Vulnerability Assessment and Penetration Testing. These sectors are frequently under attack and need to protect their systems from known vulnerabilities and emerging threats. The combined approach makes it possible to quickly identify weaknesses and test the robustness of defenses in real-world scenarios, reducing the risk of compromise and ensuring the security of data and operations. In conclusion, the most affected sectors appear to be:

  1. Public sector: administrations, government agencies, and health care facilities to protect personal data and vital infrastructure.
  2. Finance and insurance: to protect financial transactions and data.
  3. Energy and utilities: to ensure the security of energy infrastructure.
  4. IT and telecommunications companies: to maintain the integrity of digital systems.

These sectors are particularly exposed to complex threats and need constant security monitoring to protect data and ensure business continuity.


Glossary:

DDoS-as-a-Service: "A DDoS attack floods Web sites with malicious traffic and makes applications and other services unavailable to legitimate users. Unable to handle the volume of illegitimate traffic, the affected system experiences a total slowdown or crash and is no longer available to legitimate users. DDoS attacks are part of a broader category, denial-of-service attacks (DoS attacks), which include all cyber attacks that slow down or disrupt applications or network services. DDoS attacks send attack traffic from multiple sources simultaneously, which is why they are referred to in English as 'distributed denial-of-service.' Although cybercriminals have been using distributed denial-of-service (DDoS) attacks to disrupt network operations for more than 20 years, only recently has there been an increase in frequency and power. In fact, according to one report, DDoS attacks increased by 203 percent in the first half of 2022, compared to the same period in 2021." (Source: ibm.com).


Request a free consultation


The watchword is “simplification”: a reliable and simple service to solve any IT problem.

Whether it is a personal computer, an enterprise server, a router or an advanced firewall solution, we are your trusted experts.

Our expertise extends to all major operating systems, including Microsoft Windows, Linux and Apple macOS. We take care of installations and support, ensuring that your local networks are efficient, high-performing and protected using the best anti-virus software and the latest anti-intrusion equipment.

We know how important it is to manage costs and infrastructure issues. For this reason, we offer a wide choice of technical support contracts, from hourly packages to All-Inclusive solutions, so that you can choose the option that best suits your business needs.

Discover the plan that best suits your business. Contact one of our experts for free.


Sources:
Clusit Report 2023, ENISA – Guidelines for Vulnerability Assessment.
ENISA (https://www.enisa.europa.eu/)
https://clusit.it/wp-content/uploads/download/Rapporto_Clusit_2024_web.pdf
agendadigitale.eu/security/vulnerability-assessment-and-penetration-test-what-they-are-in-different


About Fastbrain and why to choose it

We are Certified Partners of leading Technology Players, offering customized solutions, pre-sales and after-sales support and operational rental included.

As a RealWear Gold Partner, we offer state-of-the-art assisted reality solutions designed to connect and collaborate with experts remotely, track digital workflows, visualize IoT data, and more.

Safely reduce downtime, improve quality and employee productivity, while realizing a significant return on investment.

Discover all the benefits of intelligent assisted reality for your Company.

Info: [email protected] | Tel 011.0376.054
