What are the most common misunderstandings about vulnerability assessments?

Let's say you were in line at a deli and you overheard someone ask "hey, what the heck is a vulnerability assessment anyway?"

Would you feel an urge to chime in or strain to hear the reply? 

Okay, if it were me, I'd probably be more concerned about which sandwich to order but the point is that answers to that question vary widely.

In our experience, the mention of "vulnerability assessment" gets us a confused look and then either an awkward pause, or an eruption of myths mixed in with some good questions.

Here's NSI's description of it.

It's an analysis of a business’s breach risk, followed by the delivery of risk-reducing recommendations that meets both short and long-term security needs.

Of course we can't clear up every myth that may exist, but we can certainly tackle the most common misunderstandings.

So here we go!


Vulnerability Assessment Myths Debunked-1


The infographic was made possible by the contributions of the cyber security experts who weighed in on this topic. 

To get their full answers, continue reading below.


What are the most common misconceptions small business owners have about vulnerability assessments?


There is a general lack of understanding by many small business owners. Many think it’s just a “penetration test,” where a third party attempting to enter your network is seeking vulnerabilities. A complete vulnerability assessment typically contains 3 parts; a logical penetration test, a physical security test and a social engineering test.

Jeff BathurstJeff Bathurst, Director of SC&H Group’s Technology Advisory


A core business misunderstanding about vulnerability assessments is not whether SMBs understand the difference between a vulnerability assessment and a pen test, or if all patches have been applied and open ports identified, but rather, interpreting the vulnerability assessment absent business risk analysis.

Vulnerability assessments (identified areas of weakness) do not identify risk, which is the intersection of assets, threats, and vulnerabilities. A meaningful security risk assessment will identify the likelihood that a key asset will be impacted by some threat that exploits the vulnerability. Just knowing your areas of weakness at a point in time is not enough for a small business.

Vulnerability assessment scope issues are another key business misunderstanding. A meaningful vulnerability assessment is not an ordinary internal and external scan that's so often found today, but rather includes people and business processes. A vulnerability assessment is not solely a network configuration exercise, but rather includes employees, 3rd party vendors, operational processes, applications, web-sites, mobile devices, the cloud, and the IoT. The assessment should include live transactional data collection and be a regular and periodic operational process.


John HolbelJohn Holbel, President of CMIT Solutions of Ann Arbor, Michigan



Security is the IT Department's job.


Caleb ChristopherCaleb Christopher, President of InfoSec Consulting



In speaking with SMB leaders, I’ve found two major misunderstandings concerning vulnerability assessments. The first is that they often feel that this is a tool better suited for a larger enterprise then them – that the results don’t apply for a business on their scale. The second is more concerning; they would rather not know what problems are revealed because the corresponding spend to fix it is too high.


Robert FreebornRobert Freeborn, Managed Services Executive with HighPoint


SMBs often look at vulnerability assessments with a 'check the box' mentality to either conform with regulatory requirements or in response to a major customer. The reality is that vulnerability assessments are part of conducting an ongoing security program and should be used to inform decisions about how well they are managing risk.


Hanno EkdahlHanno Ekdahl, Founder and CEO of Idenhaus




Request a One-on-One Tech Strategy Call with Amoeba

About The Author

Client Success Manager for NSI