The term ‘vulnerability threat control’ describes a methodical approach used to combat the most pertinent cyber risks facing an organisation or system.

The first step in this methodology is to identify vulnerabilities. “There are potential vulnerabilities in all the people, processes and technologies involved in an IT system,” says Peter Bassill, founder and security researcher at Hedgehog Security. “A threat is something that can take advantage of a vulnerability for a particular type of gain,” he says. “It could be a simple script that’s checking every IP address in the world for vulnerabilities and running an exploit against them; it could be an employee who wants to cash out.”

When a newly identified cyber threat seems to align with a vulnerability in a system, it’s advisable to implement a control or countermeasure to manage the risk. “This is where you take a vulnerability and reduce the risk to something that is acceptable,” says Bassill. “You’ve got a vulnerability; your threat is that someone could gain access via that vulnerability; and your control could be something that patches that vulnerability.”

In the context of a cyber-security workflow, this translates into a process broadly comprising three steps:

1. Vulnerability: audit the system for cyber vulnerabilities.
2. Threat: carry out research or analysis to decide which vulnerabilities are most susceptible to cyber threats.
3. Control: put measures in place to manage the identified threats/vulnerabilities.

Bassill says the best way to identify the vulnerabilities in a system is to use a professional pen tester who will simulate hacks to reveal the system’s weak spots. He recommends the National Cyber Security Centre (NCSC) as a good source of information on emerging threats.

York-based web development company Castlegate IT has to keep over 200 clients’ websites secure, as well as its own. According to technical director Andy Reading, identifying threats and vulnerabilities that could affect the sites has been a matter of doing “lots and lots of research”.

“Our focus is building bespoke websites on the WordPress content management system, so we spend a lot of time reading WordPress’s recommendations and guidelines on emerging cyber threats,” says Reading. “If you understand the methods and tools hackers use to gain access, you’re able to lock your site down.”

However, the rate at which new cyber threats emerge means even diligent webmasters sometimes get caught out by a novel hack. According to the Castlegate IT’s managing director Jim Semlyen, cybercrime became a graver concern for the company in 2016. WordPress sites like Castlegate IT’s were becoming key targets for financially motivated hackers, who had developed new tactics for extorting webmasters, sometimes by threatening to compromise their data. “We had to learn how to make websites secure against these new threats – specifically sites on WordPress, which drives 40% of content-managed websites,” says Semlyen.

The firm adopted a raft of controls to meet the rising threat, including an increased focus on keeping all applications and plugins updated to the latest version to guard against newly detected threats. It also added security measures such as two-factor login authentication and a functionality to detect unexpected file changes.

Semlyen says the process of finding controls for the threats and vulnerabilities facing Castlegate IT’s sites has been cost- and labour-intensive. But according to Reading, the investment has paid off. “It’s beneficial now as we have around 200 WordPress sites running currently under our security process, and we’ve had no incidents in years,” he says.

Pet supplies distributor Tuff Pets is primarily focused on selling goods via Amazon, which means some aspects of the business’s cyber security are taken care of by the platform. However, the security of user account passwords remains a key responsibility of Tuff Pets itself.

“I noticed a new potential threat when I watched a YouTube video on how passwords are hacked,” says Tuff Pets director Michael Oddie. “It’s to do with the way passwords are stored by [a social networking] platform. When you create your password, it’s converted into a hash key based on what you’ve written. The system will turn the same password into the same hash key every time, so if you have the same password as me, you have the same hash key as me.”

Oddie says this setup creates the risk of hackers finding out a user’s password if they have already cracked another account where the same password – and therefore, hash key – is used.

To combat this threat, Tuff Pets uses randomly generated passwords that are difficult to hack and unlikely to be used by other online accounts. “Our passwords are nothing to do with words, nothing to do with dates, and don’t contain any names. They’re random strings of characters that would take an AI or a brute-force program months, if not years, to crack, so it’s not worth it for them,” says Oddie.

“I might be a bit overzealous with enforcing it, but for me it’s very important,” says Oddie. “There’s no way you’d guess my password, and that’s the way it should be with every business.”

Good technical support is an essential safety net for when cyber threats and vulnerabilities appear unexpectedly. Daniel Rowles, founder of digital marketing training company Target Internet, received excellent support from his hosting provider when his site was targeted by hackers.

“Not long after we launched the business, we experienced a brute-force attack where thousands of login attempts were made at once on our website, which brought it to a standstill,” says Rowles. “Thankfully, our hosting provider’s support staff were able to put in place a temporary fix and we weathered the attack.”

Since then, Target Internet uses a combination of expert support and proactive security auditing to manage its cyber risks.