To understand cyber security assessments, think of other checkups such as medical examinations or a vehicle inspection. In each of these cases, the best assessments aren’t simply a case of concluding “pass” or “fail”. To get the most from the exercise you need an assessor who:
- uses a clear set of objectives for what’s required;
- identifies shortcomings;
- offers practical help and advice to remedy shortcomings; then
- lays down guidelines and best practice to make sure you continue to meet the objectives.
Running The Risk
According to the Ponemon Institute, you’re now more likely than not to be hit by a cyberattack. Its report ‘State of Endpoint Security Risk’ estimated 54 percent of companies were compromised by at least one successful attack in 2017. Indeed, 70 percent of surveyed companies believe the risks they face increased in 2017.
Why? The main reason is the growing range of incentives for attackers. Gone are the days when cyberattacks were either the work of bored pranksters trying to cause disruption or of criminals trying to access confidential data for financial gain or corporate espionage. Now you also need to worry about ransomware attacks, where your compromised network is effectively locked down until you pay up. Some attackers aren’t interested in your data at all and simply want to hijack your computing resources to mine cryptocurrencies such as Bitcoin for their own profit.
Ponemon reports that the average attack has a cost impact of $301 per employee. This can include direct financial losses, lost productivity, the costs of repairing or rebuilding hardware and software, and the costs of reputational damage. It’s clear that identifying and fixing security shortfalls before an attack happens makes sound financial sense.
Setting The Standard
While the precise steps a cyber security consultant takes will vary, the procedure will follow a few basic principles. The starting point is to establish the benchmarks for where your business needs to be with your security, coming at it from a couple of perspectives. One is the purely functional: neutralizing likely threats so that you can continue doing business without disruption. The other perspective is external requirements, which can include:
- meeting mandatory standards laid down by potential clients (particularly government agencies);
- regulations that affect your specific industry (such as protecting data under HIPAA, DFARS, GDPR, etc…); and
- any rules laid down by your insurers as a condition of coverage.
The Gap Analysis
The next step is a gap analysis. This involves:
- taking a model of how things would be working if you met the required benchmarks;
- inspecting your cyber set-up to see how things are really operating; and
- detailing exactly where and how you are falling short.
The big benefit of an expert cyber security consultant is that they don’t just have the experience to know exactly what to examine, but they can come at the task with an external perspective. In particular, they’ll look for security shortfalls that aren’t currently presenting any practical problem. That overcomes the limitation of internal inspections where you might be tempted to overlook a sub-optimal practice on the grounds that “it’s never been an issue so far.”
You may be surprised to discover just how much of the gap analysis involves inspecting procedures rather than just the current state of your equipment or network. To see why this is the case, imagine reviewing your home’s security. A basic inspection might show you have suitable locks in full working order. A more sophisticated audit might reveal that your hide-a-key is in an easy-to-locate place.
The Remediation Plan
Following the gap analysis, a cyber security consultant will prepare a remediation plan. This is a detailed list of the steps you must take to plug the security gap. An effective consultant will present clear, actionable steps, often in an order of priority.
Some of these steps will be straightforward, such as upgrading a software security tool or reconfiguring a network. Others will be more detailed and wide-ranging, such as changing the way in which your staff authenticate themselves, or redesigning your file system so you can more effectively control who can access or alter specific sets of data.
The beauty of using an expert consultant is that they not only know what changes you need to make, but have the experience to help you make them with minimal disruption to your ongoing business. Some consultants can even train your staff in security best practices and deal with any resistance or lack of enthusiasm among employees faced with changes to their work practices.
A Long-Term Cyber Security Solution
The remediation plan isn’t usually the end of the process. A cyber security consultant can return later to make sure you’ve carried out the necessary steps adequately. They could then either formally certify that you meet relevant standards and regulations or give you the assurance you need that everything is in order before you undergo an official audit.
A good consultant will also offer ongoing services to monitor or maintain your security posture. This could be as basic as returning for regular inspections or as sophisticated as installing and operating monitoring tools that can quickly identify any security breaches, spot new vulnerabilities, or highlight if staff aren’t following the procedures you’ve put in place.
If your company is interested in having an expert take a look at your systems and procedures, get a Cyber Security Assessment from SysArc.