The ER Has a System for Deciding What to Fix First. Your Cybersecurity Should Too.

Thought Leadership · Cyber Risk
May 2026  ·  8 min read

Every day, emergency rooms triage hundreds of patients — not by who arrived first, but by who will die without immediate care. Most small businesses manage cybersecurity the opposite way. They fix what's easiest, loudest, or most recent. That gap is costing them.

Imagine walking into a busy emergency room with chest pains, only to find yourself waiting three hours because the waiting room filled up before you arrived. Meanwhile, a teenager with a sprained ankle gets seen first because they checked in earlier. That scenario doesn't happen — not because ERs are perfect, but because they built a system specifically to prevent it.

In 1998, emergency physicians developed what became known as the Emergency Severity Index — a five-level triage algorithm now used in 94% of U.S. emergency departments. Its entire purpose is to answer one question before anything else: who will die, or suffer permanent harm, if we don't act right now? Everything else waits. Level 1 patients get immediate care. Level 5 patients — the sprained ankles — wait their turn.

Now think about how your business handles cybersecurity vulnerabilities. When your IT team or MSP surfaces a list of issues, what gets fixed first? In most small businesses, the honest answer is: whatever's easiest, whatever someone has time for, or whatever was flagged most recently. There's no triage system. There's no Level 1 equivalent. And the vulnerabilities that could actually destroy the business — the open RDP port, the unpatched internet-facing server, the admin account with no MFA — sit in a list alongside low-risk findings, waiting their turn.

That's not a security problem. It's a prioritization problem. And it has the same consequences as an ER that treats patients in order of arrival.

95% of successful cyberattacks exploit vulnerabilities that had known fixes available. The problem isn't that businesses don't know about their risks — it's that nobody told them which ones to fix first. Without triage, the most dangerous vulnerabilities wait in line behind the most convenient ones.

How ER triage actually works — and why it maps so precisely to cyber risk

The Emergency Severity Index assigns every incoming patient one of five levels based on two factors: the severity of their condition, and the resources their care will require. Level 1 means immediate life-saving intervention is required right now. Level 5 means the patient is stable, needs minimal resources, and can safely wait. The triage nurse makes this call within minutes of arrival — before any treatment begins — so that limited clinical resources go to the highest-impact cases first.

The same two-factor logic applies directly to cybersecurity vulnerabilities:

Level 1 — Immediate (life threat): Actively exploited CVE on an internet-facing system. Fix now.
Level 2 — Emergent (high risk): No MFA on admin accounts. Exposed RDP. Fix within 24–48 hrs.
Level 3 — Urgent (needs attention): Missing email auth (DMARC). Outdated software. This week.
Level 4 — Less urgent (monitor): Theoretical risks. Low exploit probability. Next cycle.
Level 5 — Non-urgent (planned): Best-practice improvements. No active threat. Roadmap item.

The ER doesn't treat Level 4 patients before Level 2 patients because Level 4 is easier to treat. It doesn't let the sprained ankle cut in front of the chest pain because the sprained ankle arrived first. The system is designed to keep the highest-stakes cases from dying in the waiting room — and that's exactly what a proper vulnerability prioritization framework does for your business.

The four triage levels that matter most for SMBs

Level 1 — Immediate intervention required

Fix today. No exceptions.
ER equivalent: The patient is not breathing or has no pulse. Every resource in the room goes to this person right now. Time is measured in seconds, not minutes. No other patient takes priority regardless of what else is happening.
Cyber equivalent: Actively exploited vulnerabilities on internet-facing systems. Credentials confirmed in breach databases. Open RDP with no authentication. These aren't theoretical risks — they're open doors attackers are walking through right now, in businesses identical to yours.

Level 2 — High risk, urgent care required

Fix within 24–48 hours.
ER equivalent: The patient is in severe distress — not yet dying, but will be without intervention. The nurse reassesses every 15 minutes. The situation can deteriorate rapidly.
Cyber equivalent: No MFA on admin accounts or email. Unpatched critical CVEs on internet-facing assets. Missing email authentication (SPF, DKIM, DMARC). These are the controls cyber insurers scan for, and their absence is what triggers claim denials.

Level 3 — Urgent but stable

Fix this week or this sprint.
ER equivalent: A real problem that needs treatment — broken bone, significant infection — but not immediately life-threatening. Monitored while higher-priority cases are addressed.
Cyber equivalent: Outdated software on internal systems. Weak password policies. Excessive user permissions. Security headers missing from your website. Real risks that compound over time — but survivable if addressed in the current cycle.

Levels 4 & 5 — Non-urgent

Roadmap and planned improvements.
ER equivalent: Minor complaints — sprained ankle, mild rash. They need care, but they can wait. Treating them before Level 1 or 2 patients would be actively harmful to the system.
Cyber equivalent: Best-practice improvements, theoretical vulnerabilities with low exploit probability, long-term hardening. Valid work — but scheduling it before Level 1 and 2 items is the security equivalent of treating the sprained ankle before the chest pain.

The four ways SMBs get triage wrong

The ER model took decades to develop because the intuitive approach — first come, first served — turned out to be actively dangerous. Small businesses make analogous triage errors constantly, and they carry the same consequence: the most serious issues wait while lower-priority work gets done.

Treating by arrival order

The newest finding gets attention. The vulnerability on the list for three months gets ignored. Age of discovery has nothing to do with severity — but without triage, recency wins by default.

Treating what's easiest first

Low-effort fixes feel productive. Closing five easy findings looks better than closing one hard Level 1. But five sprained ankles don't outweigh one heart attack. Effort required has nothing to do with clinical priority.

Treating what's loudest first

The vulnerability that triggered an alert gets immediate attention. The critical issue sitting silently on an internet-facing server waits. Noise isn't the same as severity.

No re-triage as the situation changes

ERs reassess patients continuously — a Level 3 can become a Level 1 as their condition deteriorates. A vulnerability that was theoretical last month may have an active exploit today. Static lists go stale.

The most dangerous words in an SMB's security program are "we're working through the list." Working through a list in the wrong order is not the same as being secure. An ER that works through patients in order of arrival is not providing emergency care — it's providing scheduled care with an emergency waiting room. The distinction matters when someone is dying in the hallway.

What a proper cybersecurity triage system actually requires

The ER's triage system works because it combines two inputs: the severity of the condition and the current real-world context — what resources are available, what other patients are waiting, and what the likely trajectory is if nothing is done.

Effective cybersecurity triage requires the same combination:

  • Severity scoring that reflects real-world exploitation. A vulnerability's theoretical severity score matters less than whether it's being actively exploited in the wild right now — whether attackers are specifically targeting it in businesses like yours. That's the difference between a Level 1 and a Level 4.
  • Asset context. A critical vulnerability on an internet-facing system is a Level 1. The same vulnerability on an air-gapped internal system is a Level 3. Location and exposure determine clinical priority, not just the vulnerability itself.
  • Continuous reassessment, not point-in-time scanning. The ER doesn't triage patients once at admission and then ignore them. Your attack surface changes every time you update software, add a service, or a new exploit is published. Quarterly scanning is working with stale information.
  • A clear protocol for each level. The ER doesn't leave Level 1 decisions to individual judgment — the protocol is defined, trained, and followed. Level 1 findings trigger an immediate response. Level 2 findings have a 48-hour SLA. Level 3 findings go into the current sprint. Without defined protocols, triage becomes suggestion.

Platforms like Veriti Spottr are built to provide exactly the triage layer most SMBs are missing — continuous scanning that cross-references your findings against real-world exploitation data, assigns priority based on actual risk rather than theoretical severity, and surfaces a clear answer to the most important question in cybersecurity: not what's on the list, but what to fix first.
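As an added illustration (not code from this article or from Veriti Spottr), here is a small rule-based scorer that applies the two inputs above, severity and asset context, to the five levels in the table, orders a backlog so that age and fix effort cannot move an item, and re-scores a finding when its context changes. The weakness category names and the sample backlog are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
# Response window per level, from the article's table (hours; None = roadmap item)
SLA_HOURS = {1: 0, 2: 48, 3: 168, 4: None, 5: None}

@dataclass(frozen=True)
class Finding:
    title: str
    internet_facing: bool             # asset context: exposed vs. internal/air-gapped
    actively_exploited: bool = False  # exploitation observed in the wild
    weakness: str = "hardening"       # control category (assumed vocabulary, see rules)
    days_open: int = 0                # age since discovery; must not drive priority
    effort: str = "easy"              # fix effort; must not drive priority

def triage_level(f: Finding) -> int:
    """Combine severity (exploitation, control type) with exposure into a level 1..5."""
    if f.internet_facing and (f.actively_exploited
                              or f.weakness in {"open_rdp", "breached_creds"}):
        return 1
    if f.weakness in {"no_mfa_admin", "missing_email_auth"}:
        return 2
    if f.internet_facing and f.weakness == "unpatched_critical":
        return 2
    if f.actively_exploited or f.weakness in {"unpatched_critical", "outdated_software",
                                              "weak_passwords", "excess_permissions",
                                              "missing_headers"}:
        return 3  # real but internal: the "same CVE on an air-gapped host" case
    return 4 if f.weakness == "theoretical" else 5

def triage_queue(findings):
    """Worklist ordered by level, then oldest first; effort and recency never move it."""
    return sorted(findings, key=lambda f: (triage_level(f), -f.days_open))

def retriage(f: Finding, **changes) -> Finding:
    """Re-score after context changes (exploit published, host exposed); lists go stale."""
    return replace(f, **changes)

# Constructed sample backlog in arrival order, newest last.
BACKLOG = [
    Finding("Missing security headers on website", True, weakness="missing_headers", days_open=90),
    Finding("Critical CVE on internal file server", False, weakness="unpatched_critical", days_open=40),
    Finding("Admin mailbox without MFA", False, weakness="no_mfa_admin", days_open=30, effort="hard"),
    Finding("RDP open to the internet, no auth gate", True, weakness="open_rdp", days_open=3, effort="hard"),
    Finding("Enable TLS 1.3 on intranet", False, weakness="hardening", days_open=1),
]

if __name__ == "__main__":
    for f in triage_queue(BACKLOG):
        print(f"Level {triage_level(f)}  SLA={SLA_HOURS[triage_level(f)]}  {f.title}")
```

Re-running `triage_level` on `retriage(BACKLOG[1], actively_exploited=True)` still yields Level 3 while the host is internal, and Level 1 the moment `internet_facing=True` is set, which is the continuous-reassessment point above in code.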

The waiting room nobody wants to be in

The Emergency Severity Index exists because someone recognized that without a principled system for deciding what to treat first, the most critical patients were dying in waiting rooms while lower-priority cases received care. It took a structured algorithm, trained practitioners, and a culture that treats prioritization as a clinical discipline — not an administrative inconvenience.

Your cybersecurity posture faces the same structural challenge. Not a shortage of findings — most vulnerability scans surface more than any small team can address. A shortage of priority. A clear, defensible, continuously updated answer to the question: given everything on this list, what actually needs to happen today?

The sprained ankle can wait. The chest pain cannot. The system that tells you which is which isn't optional — it's the whole point.

Know what to fix first — not just what's on the list. Veriti Spottr's beta is free.

Veriti Spottr Team AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
