"They're two different things," said Jason Kemsley, technical director at Uptime Solutions. While refuting the suggestion that the distinction is merely semantic, he acknowledges their interdependence. "They go hand in hand. A threat has to use a vulnerability to cause damage. So, if there's no vulnerability, the threat can't do anything, and if there's no threat you can have as many vulnerabilities as you want and not be at any risk."
Joseph Lee, a member of the senior networking staff at Managed 24/7, adds a third element: "In the same way that you have got your fire triangle of heat, oxygen and fuel to start a fire you need a threat actor, the asset that they want to damage or exploit, and the vulnerability, which is their way in."
There are different kinds of threat, too. There's the ransomware distributor, who will encrypt your server or individual drives with an eye on making a quick buck and, says Lee, "you've got APTs advanced persistent threats which I think are much more scary. A lot of the time, they're very high-tech threat actors with access to much more complex methods of exploiting your vulnerabilities. They'll access a network over an extended period to carry out a more calculated and targeted attack."
Usually, explained Lee, APTs go unnoticed for months, and a lot of the time they don't cause any damage: they just take your data and sell it to someone else.
Internal versus external threats
But the threat actor doesn't always reside outside the organisation. With foreign influence in elections and social media still a popular talking point, it's easy to forget that the most serious threat is usually close at hand. As Kemsley explains, "98% of security incidents are caused by a physical person inside an organisation, rather than outside, which is why it's so important to train staff about the threats they'll be privy to."
Lee agrees. "Insider threats are the biggest threat to a network. They don't need supercomputers cracking hashes and people exploiting vulnerabilities: they could just print off what they need and walk out the door. It could be anyone; even Bob who sits at the other end of the desk and didn't get a pay rise this year."
It's the very low-tech nature of insider threats that makes them so insidious, and why traditional penetration (or "pen") testing isn't greatly effective. The best firewall in the world, with every port bolted shut, can't mitigate against internal malice or an innocent mistake, such as a team member attaching confidential data to an incorrectly addressed email. Auditing your staff's knowledge and practices is, therefore, an essential part of identifying vulnerabilities before they're exploited by threat actors.
Identifying factors beyond your control
"You'll never be able to stop the kind of emails that lead to spearfishing being sent to your organisation, but you can educate your users," said Kemsley. "How your organisation deals with those incoming emails is something you can and should care about. We live in a world where people like to think that, if you throw enough money at it, a problem will go away. But really, just as people have to pass a driving test, businesses must start looking at how they can train their users on the security threats they should be aware of."
In encouraging us to think about security from the bottom up, Kemsley draws an analogy with a net. The smaller the holes (or vulnerabilities) in that net, the less chance there is of a threat slipping through.
"There are ways to manage threats by understanding what they are and hardening yourself against them," said Lee. "But a threat actor doesn't care what you do: they're going to try and get in anyway; you've got to try and mitigate that however you can. Top of my list is employee training."
Training staff and auditing their security chops isn't a one-time job. It's something that needs to become part of the organisational culture. Many of the businesses that Kemsley works with require staff to watch a 45-second video every Monday morning, which keeps them mindful of and alert to the threats they might encounter that week.
Other more practical measures can be implemented at the corporate level, often through HR. "You need to be operating on a policy of least privilege to make sure people don't have all the access in the world," said Lee. "Divide responsibility so it takes two or more people to access certain tasks... I've heard of people having compulsory leave-taking, during which accounts can be temporarily disabled."
Know your estate
"We typically see two types of customers," said Kemsley, describing organisations who have had a vulnerability exploited, and more savvy enterprises that are "forward-thinking and are doing everything they possibly can because they have some kind of compliance they need to adhere to". Usually, he says, "those in the former group typically haven't done anything to mitigate inside-out vulnerabilities, while those in the second group have usually made significant investment and recognise that staff are the weak point.
"Yet, for an outsourced management firm like Uptime Solutions, the only difference in the way they're treated may be that the exploited client's needs are somewhat more urgent, proving that, whatever your organisation's position, identifying and remedying vulnerabilities requires a methodical, step-based approach that focuses, first, on information gathering."
"The first step to being able to deal with a vulnerability is to know your estate," said Lee. "Where are your servers, what are they running, who are your vendors, what patch versions are applied, and which devices are your users using?"
Compiling this kind of data requires a well-managed asset register, which, Lee says, is another full-time job. Mobile device management (MDM) solutions such as Microsoft Intune can help but it can be a tough, although not impossible, sell in a BYOD environment. "You need to get employee buy-in there, which you can do through their contract of employment, but I also know of companies that are offering a supplement to the payslip for those who want to opt in to BYOD, on the understanding that they submit to MDM," said Lee.
Vulnerability versus threat
Identifying and patching vulnerabilities, and maintaining a high level of staff awareness, is like buying insurance: you hope you will never need to use it. However, when you can only control one half of the equation -- the vulnerabilities to which your organisation is subject embracing that partial control is essential if you're to deal with the other side of the coin: the threats looking to exploit the holes in your net.
That costs money, which, Lee argues, is why IT and cybersecurity need board-level representation. Fortunately, that's an emerging trend. "Every time the NHS gets hacked, you get more board-level representation of IT. You've still got some old-school boards who just want cybersecurity to go away because they don't understand it, but that's becoming less the case as time goes on."
Security threats and security vulnerabilities, then, are very different things, and the way the organisation views the former should inform how it handles the latter, where everything from budgets and resources to strategy and staff training are concerned. It's a bottom-up approach that needs to be sanctioned from the top down.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Nik Rawlinson is a journalist with over 20 years of experience writing for and editing some of the UK’s biggest technology magazines. He spent seven years as editor of MacUser magazine and has written for titles as diverse as Good Housekeeping, Men's Fitness, and PC Pro.
Over the years Nik has written numerous reviews and guides for ITPro, particularly on Linux distros, Windows, and other operating systems. His expertise also includes best practices for cloud apps, communications systems, and migrating between software and services.