The Week Ahead: Stop Treating KEV Like a Newsletter

Hello, Mauven here.

This week we pulled apart the comfortable idea that a firewall is a strategy. Noel opened with the firewall-as-comfort-blanket argument. I made the case that a collection of controls is not Defence in Depth. Corrine walked through what the Fortinet edge bypass tells us about trusting the edge. Graham gave you ten questions for your provider. Lucy ran the accountability audit. And Noel closed with the green-dashboard problem.

Let me tie the week together with the single habit that connects all of it, and set up the week ahead while I am at it.

Stop Treating KEV Like a Newsletter

KEV stands for Known Exploited Vulnerabilities. It is a catalogue maintained by the US Cybersecurity and Infrastructure Security Agency. It matters because a listing on it does not mean interesting, and it does not mean theoretical. It means known exploited. As in, attackers are using this flaw right now, in the real world, against real organisations.

That is a different category of urgency from the ordinary stream of patch notices. Most vulnerabilities are possibilities. A KEV entry is a present tense. It is a clock, not a headline.

The Fortinet flaw CVE-2026-24858 was added to the catalogue in late January 2026. It carried a severity score of 9.4 and, as we covered this week, it worked against devices that had already been fully patched against the earlier flaws. That is exactly the sort of entry that should trigger immediate action, not a quiet filing for the next maintenance window when someone gets round to it.

The Week-Ahead Habit

Here is the discipline I would like every small business to adopt. It takes about five minutes, once a week. It is the opposite of panic.

First, check whether any new KEV entries match the kit you actually run. You do not need to read the whole catalogue. You need to know your own asset list well enough to recognise your vendors and products when they appear. This is precisely why the asset list from Graham’s Thursday piece matters: without it, you cannot do this step at all.

Second, if there is a match, ask your provider the advisory-to-asset-to-action questions. Which of our devices are affected? What did you do? What did you check before and after? What evidence is available?

Third, confirm that internet-facing management is still locked down. Configurations drift. A device that was safe last quarter can be exposed this quarter because of a change nobody flagged.

Fourth, note anything overdue and assign it an owner with a date. Not “someone should.” A named person and a deadline. “Someone should” is where security goes to die.

That is the whole habit. It will not make headlines. It is meant not to. The point is that the calm, boring, weekly version of this work is what turns the next major advisory into a routine Tuesday task rather than a Friday-night emergency.
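As an added illustration (not code from this article or from CISA), here is one way to script the first and fourth steps: filter a KEV feed for entries added since the last review, match them against an asset list by vendor, and emit a record with an owner and a date. The field names follow CISA's KEV JSON feed; the asset list, owner names, dates, product strings and placeholder CVE ids are constructed for the example.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names are the
# feed's own; dates, product strings and the CVE-0000-* entries are made up.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2026-24858", "vendorProject": "Fortinet", "product": "FortiOS",
  "dateAdded": "2026-01-28", "dueDate": "2026-02-04"},
 {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Mail Gateway",
  "dateAdded": "2026-01-27", "dueDate": "2026-02-17"},
 {"cveID": "CVE-0000-00002", "vendorProject": "Fortinet", "product": "FortiOS",
  "dateAdded": "2025-06-02", "dueDate": "2025-06-23"}]}""")

# Hypothetical asset list: what you run and who owns it.
ASSETS = [
    {"name": "office-firewall", "vendor": "fortinet ", "product": "FortiGate 60F", "owner": "Sam"},
    {"name": "branch-firewall", "vendor": "Fortinet", "product": "FortiGate 40F", "owner": ""},
    {"name": "file-server", "vendor": "OtherVendor", "product": "NAS", "owner": "Sam"},
]

def norm(s):
    """Case- and whitespace-insensitive form for comparing vendor names."""
    return " ".join(s.casefold().split())

def weekly_kev_check(kev, assets, since, today):
    """Return one action record per (new KEV entry, matching asset) pair."""
    actions = []
    for v in kev["vulnerabilities"]:
        if date.fromisoformat(v["dateAdded"]) < since:
            continue  # added before the last review, already handled
        for a in assets:
            # Match on vendor only: KEV product names ("FortiOS") rarely equal
            # the model names on an asset list ("FortiGate 60F"), so a vendor
            # hit starts the clock and a person confirms the product.
            if norm(a["vendor"]) != norm(v["vendorProject"]):
                continue
            # Assumption: use the feed's dueDate (set for US federal agencies)
            # as the default deadline; a business may choose a shorter one.
            due = date.fromisoformat(v["dueDate"])
            actions.append({
                "cve": v["cveID"], "asset": a["name"], "kev_product": v["product"],
                "owner": a["owner"] or "UNASSIGNED", "needs_owner": not a["owner"],
                "due": due.isoformat(), "overdue": today > due,
            })
    return actions

if __name__ == "__main__":
    for row in weekly_kev_check(KEV_SAMPLE, ASSETS, date(2026, 1, 26), date(2026, 2, 6)):
        print(row)
```

Saving each week's output gives you the dated record of what was checked and decided; any row with needs_owner or overdue set is the item to raise with your provider.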

What Is Worth Watching

I will not pretend to predict which vendor has the next bad week, because nobody can. Edge devices, remote-access products, and identity platforms remain the high-value targets, for the structural reasons Corrine set out: they face the internet, they are trusted by design, and they often have weaker monitoring than the laptops behind them. Expect the pattern, not a specific name.

What I will say is that the direction of travel in UK policy is clear. The Cyber Security Breaches Survey 2025/2026 found that the financial impact of breaches is rising even as the headline rate holds steady, and that only 24% of businesses have the basic five technical controls. Regulators, insurers, and customers are increasingly asking whether reasonable steps were taken. A weekly KEV habit is one of the most defensible reasonable steps you can point to, and one of the cheapest.

How to Turn This Into a Competitive Advantage

A weekly habit is easy to demonstrate and hard to fake.

You respond before your competitors notice. When a major flaw lands, the business already watching KEV is asking its provider the right questions while others are still finding out it happened. That speed is a genuine market edge in a sector where most react late.

You can show the discipline. “We review the KEV catalogue weekly against our asset list” is a concrete, verifiable answer for any client, insurer, or auditor. It signals maturity that a green dashboard never will.

How to Sell This to Your Board

Three short points.

It is the cheapest security upgrade available. Five minutes of attention a week, against the cost of discovering an actively exploited flaw during the breach it caused. The asymmetry sells itself.

It fits how a board already works. A weekly check that surfaces decisions and owners is governance, not technical detail. The board reviews movement and assigns accountability, which is exactly what it already does for every other risk.

It is a reasonable step you can evidence. The survey data and the regulatory direction both point at the same expectation. A documented weekly habit is proof, not promise.

What This Means for Your Business

  1. Put a recurring five-minute slot in the diary for a weekly KEV check against your asset list. Make it a standing task with a named owner.

  2. Use the asset list from Thursday’s piece as the input. Without it, the check is impossible. Build it first if you have not. See the ten questions to ask your provider.

  3. Treat a match as a clock, not a memo. When your kit appears on the catalogue, the response starts that day, not at the next convenient window.

  4. Keep a simple record of what you checked and what you decided. That record is your evidence of reasonable steps. Pair it with a recovery plan you have actually tested.

  5. Review the week’s themes with whoever owns cyber risk. Defence in Depth, edge trust, provider accountability, and honest reporting are not separate topics. They are one argument: stop buying comfort, start buying evidence.

The week’s message reduces to a single sentence. Ask the questions before the incident, demand evidence before the breach, and own the risk before someone else owns the story. Have a calm week.

Sources

  • CISA: Known Exploited Vulnerabilities catalogue
  • CISA: Guidance on ongoing exploitation of CVE-2026-24858
  • NCSC: Vulnerability management guidance
  • GOV.UK (DSIT): Cyber Security Breaches Survey 2025/2026
  • Fortinet: Analysis of single sign-on abuse on FortiOS
