Heinz has said that vulnerability management in any company should be handled by the whole business, and that it is not just a problem for the IT department to face.

The manufacturer, which said it had worked hard to ensure it carefully managed risk to its own data, observed that risk management often tended to be delegated to IT departments because they regularly deter some of the key threats to data.

Chris Leonard, European information security and compliance manager at Heinz, suggested at IDC’s Security Conference in London that executives outside IT departmens should also address the problem. He explained: “Vulnerability management is not just a technical problem, it’s a major issue for whole businesses. Research has shown that a Sasser worm attack could on its own cost an average large enterprise in the UK over £85,000.”

Leonard said firms should start with an assessment of what vulnerabilities they faced and what they needed to protect against most. “You need to have a multi layered approach starting with access control,” he told IT managers and chief information officers at the conference.

It was important to start with the creation of policies and making sure IT users were fully aware of them, he said. After that, it was worth properly tracking the security of business assets and scanning for known vulnerabilities.

A range of different ways of fighting exploits were needed, he said. These included intrusion detection systems at the network boundary, vulnerability scanning of operating systems and databases - for example using programs from vendors such as Microsoft, Qualys, Nessus or Application Security - statistical analysis, antivirus at the boundary and on each machine, and email scanning.

“You need to classify the risk of each vulnerability to your business, and mitigate the major ones first,” he advised. “You’ve got to proactively tackle new attacks that emerge, because patching known viruses is only part of tackling the problem.”

Now read:

'Trust no-one on the web' – security group

IT managers 'fearful' of remote workers

Gap contractor blamed for data breach

Chief security officers get IDC worry list