According to a recent SecurityFocus report, "nearly two-thirds of Web sites have at least one serious security issue that would allow someone to remotely attack the site."
The number of known vulnerabilities increases with time. Every day we learn of new flaws in software. For the average business owner today, in this troubled economy, the flawed cyber-jutsu tactic is the old "head in the sand" trick. Unfortunately, unless you are sticking the attacker's head in the sand, this generally doesn't help.
Organizations without dedicated internal security teams must partner with Information Security Service Providers such as CyberCede Corporation. A company like CyberCede can assist a CIO or business owner in improving their situational awareness. Without knowing what is going on, you can't make informed decisions. Your chosen Information Security provider should employ individuals with well known and useful certifications such as the CISSP.
An Information Security professional should help you to know yourself and know the enemy. Many of the website vulnerabilities come from improper configuration. These issues can usually be remedied quickly. For organizations with large amounts of custom code, including web applications, and dynamic sites based upon database back-ends, the work can take longer; but, is even more important to accomplish.
How often should a vulnerability assessment be performed? Only you can decide; but, your Information Security Professional should help you assess the risks to your organization so you can make an informed decision.
Don't forget to breathe!