Audience: IT admin, network security, management whose business depends on 3rd-party connected-devices.
Superpower: sentinel awareness of vulnerabilities in your network equipment/edge devices.
Armoury: deploy invincibility shields, strike reactively with ready-made tools direct from your product manufacturer.
Hero level: Guardian of Devices (G.o.D.)
Overview: an inspiring read to turn the dull topic of device security into a profitable and productive plan that will give you more time, less anxiety, and reduce the costs of reacting to outages caused by device vulnerabilities. You could be "the one"...continue reading to find out...
Common Vulnerabilities and Exposures
CVE® (Common Vulnerabilities and Exposures) is both the concept of cataloguing known vulnerabilities in devices with known preventions/solutions, and the registered trademark of The MITRE Corporation who developed the project now funded by the U.S. Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA); see https://www.cve.org/
Just because you were born of a goddess, dipped into the immortality-empowering waters of the river Styx, doesn't mean you're invincible - as the bit she held whilst dipping you remains vulnerable...as Achilles would later discover. But wait! Revered manufacturers today have chosen not to repeat the mistakes of the past, including:
- NVIDIA
- QNAP
- Cisco
- Microsoft
- Teltonika
- Amazon
- Dahua
- Siemens
- Dell
By openly and transparently admitting vulnerabilities & bugs, and welcoming reports of such, they prevent the rest of us putting our hand on the same hot stove as someone else and importantly commit to developing both remedies and preventative updates. The price of this optical supervision power? Free - you just have to wear your superhero visor.
OK, I see the threat, now what?
She didn't have a country name it's capital city after her, with one of the greatest achievements of European culture (the Parthenon) dedicated to her, simply for using her owl-like vantage point to view the threats of war - Athena, the patron goddess of metal shield makers, was proactive! This is war, and at stake are your projects, customer data, and fatal blood loss in the form of downtime; you're going to need some armour-like security patches. Surely this will cost us? Nope - again, the manufacturers develop the remedy (firmware updates) or patches to quickly mitigate and protect.
However, who implements these amulets of digital protection - surely this is going to incur a labour cost, right? Indeed it could, so consider the 2 managers in this fictional example:
| Mr. Luke Warm (Director, "CCTV R Us") | Ms. Gail Force (Founder, "Agile Monitoring Ltd") |
| Didn't bother to read the latest CVE reports, apathetically implemented the ones that made the headlines...eventually. Got an SMS at the departure lounge informing that best client had a key site "down", followed by 10 more texts in the taxi after abandoning holiday because in-house staff were ill-equipped to react. Had to pay eye-watering costs of mercenary contactors on out-of-hours rates to stem the outages. Haemorrhaged key clients, bankrupt by Christmas. | Paid for a discounted security audit, nominated staff member to oversee implementation. Included 1 hour per week into employee job role to supervise alerts and remedies as published by device manufacturers. Staff became more productive since less "reacting" to problems, with bonus funding luxury upgrade to holiday. Never has any significant or sustained issues. |
Definitely a hyperbole, but played out time and again in real life to point where we can confidently predict that you will save a significant amount of money by spending a little each week to prevent a guaranteed life of reacting to mayhem. If you have no one to delegate to on your team, look to make a deal with a contactor in advance when you can calmly negotiate a reasonable price for outsourcing such important scheduled tasks rather than be held to ransom at emergency rates with unfamiliar "experts" you will desperately Google as your mailbox fills with "Cancel our contract" emails.
The average cost of reacting to a single incident in 2024 was reported to be £3,270 for an average business and £17,970 for medium/large businesses, including the costs of staff time, payments to external IT consultants or contractors, and legal fees, insurance excess, fines, or compensation; see section "4.6 Financial cost of breaches or attacks" at https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024#chapter-4-prevalence-and-impact-of-breaches-or-attacks
Secret superhero
If you plan to nominate someone in your team to become your organization's security superhero, it may only require 1 hour per week to supervise your strategy - and even if they are not a confident IT Expert they may be able to augment the skill gap with an affordable partner. Either way, your plan need not thwart your regular work or theirs, and you'll have confidence that this secret superhero has scheduled to verify that CVE reports are regularly implemented. Further, by adding to any initial audit, they'll have access to what devices you have where, what firmware and software versions are active, making them ready to react quickly should an unplanned incident arise.
Push the button
If this brief read has inspired you to embrace the dull topic of device security, then calendar a "to do", scribble a post-it note and slap on forehead, or lipstick a message on your mirror! You can be "the One" to prevent what will otherwise happen in the near future - avoid procrastination and push the button on this to start seeing the benefits: hardened security, resilience, reduced staff time and reduced money wasted reacting to device problems, and possibly the welcomed assistance of an IT partner into the equation. What are you waiting for?
Additional resources
Some useful links and tips include:
- Search for and subscribe to CVE news alerts from your device manufacturer, such as:
- Teltonika routers: CVE reports https://teltonika-networks.com/support/security-centre
- Dahua cameras: CVE reports https://www.dahuasecurity.com/aboutUs/trustedCenter/trustworthy
- HIKVISION cameras: CVE reports https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikvision-nvr-devices/
- QNAP NAS storage: CVE reports https://www.qnap.com/en/security-advisories
- Dell servers & switches: CVE reports https://www.dell.com/support/security/en-uk
- Mikrotik routers: CVE reports https://mikrotik.com/supportsec
- If you manage devices on public IPs check/subscribe to live abuse reports, such as:
- Use free tools to view details of known threats detected such as https://www.joesandbox.com
- Implement ACLs (Access Control Lists)
- Enhance ACLs by also requiring VPN or PWAN (SD-WAN)
- Ask us for a discounted audit :-)
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article