Computer & Network Security

7 Questions to Ask Before Deciding Whether to Pay a Ransomware Attacker


  • Ransomware is on the rise, owing to the pandemic. In 2020, the cost of ransomware in the US alone exceeded $1.4 billion, according to an estimate from Emsisoft.
  • Definition: ransomware is an attack in which threat actors prevent a company from accessing its systems, network, or data until a demand is met.


  • 1. & 2. Do You Have a Backup? Will it Work?
    • Today’s ransomware groups take backups into account. Even if you have backed up your critical files, it’s important to know the capabilities and functionality of your restoration services. If a threat actor has access to your backups, there is a good chance they will attempt to encrypt or even delete them. If you have never tested a restore or deeply investigated your capabilities, you won’t know how lengthy or difficult such a restore could be. You may also not know whether there are backdoors in your restores or whether attackers have accessed any online backups.
  • 3. How Much Will the Ransom Really Cost You?
    • Many organizations wind up making the calculus that paying the ransom is cheaper than losing data and/or business continuity. How badly does your company need the impacted system or the data stored on it? Is the machine integral to business operations? There is also a cost to public perception and reputation: paying ransoms may cast your organization in a negative light.
  • 4. Do I Call Law Enforcement?
    • Statistically speaking, law enforcement faces a low chance of catching ransomware groups. They also may not have the capacity to crack encryption or obtain decryption keys. However, that doesn’t mean there’s no utility to the act. One may reach out to law enforcement because it may be more likely the perpetrator will be caught, for the possibility that technical assistance from law enforcement may help, or because it helps show regulators and the public that you took all reasonable actions. It may also fulfil a requirement in cyber insurance coverage.
  • 5. Have You Considered the Risk of the Ransom Being Reneged?
    • Threat actors must maintain credibility in their claim that receiving the ransom payment will restore the victim’s systems. For the most part, that’s been the case, but further deception has occurred on more than a few occasions (such as demanding another payment). Given that possibility, it’s in your interest to speak with ransomware experts about how the particular group you are dealing with has handled ransom payments.
  • 6. Have You Considered Law Enforcement Guidance?
    • Anyone who’s seen an action movie knows that the US doesn’t negotiate with terrorists. Perhaps surprisingly, the FBI does not categorically require, or even encourage, refusing to pay a ransom under all circumstances. What do they say?
      • “Whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup.”
  • 7. Can You Forestall the Attack on Your Own?
    • Ransomware attackers use many of the same methods as typical attackers. It’s possible that there’s guidance out there that could help you resolve the hack on your own.
      • The No More Ransom project, a collaboration between European law enforcement and the cybersecurity companies Kaspersky Lab and McAfee, offers decryption tools for more than 85 ransomware varieties.


  • Deciding to pay a ransom or not is a difficult question to answer. Ultimately, it should be an informed and calculated decision based on due diligence and support from internal and external parties. However, if we want to do our part to try and curb ransomware attacks, we should design our systems and protect our organizations such that paying the ransom is left as a last resort.
Computer & Network Security

What You Can Learn From SolarWinds – The Hack That “Blindsided” the US Cyber Command

Security firm CrowdStrike revealed “the worst U.S. cyber attack in years” last December, according to Reuters.

Suspected Russian hackers penetrated major IT management software provider SolarWinds as early as September 4, 2019, spreading to more than 3,000 of the firm’s clients. Such clients included many Fortune 500 companies and high profile organizations, like Microsoft, Cisco Systems Inc, the US Department of Homeland Security, and the US Cyber Command.

Cybersecurity experts say the depth and breadth of this incident call into question status quo cybersecurity practices across the world. Once penetrated, organizational networks are much more difficult to secure again. Recovering from the attack may take years, according to Tom Bossert, former President Trump’s homeland security officer.

Here’s what happened, and what you need to know to prevent future compromise.

How the Hack Turned Elite Organizations’ Security Practices Against Themselves

In Fall 2019, hackers penetrated SolarWinds’ network management tool, Orion, inserting the SUNBURST malicious code. The company unwittingly pushed updates containing the compromised code, which opened backdoors into its clients’ IT systems; through those backdoors, the hackers installed even more malware to further their surveillance efforts.

Compromising Orion wasn’t the end goal, though. Instead, the backdoor was used to access SolarWinds’ SAML tokens, which transmit sensitive data, like usernames and passwords, in concert with the SSL encryption protocol.

From there, hackers entered the victims’ networks through forged security certificates. After that, they were able to quickly move laterally throughout the network, escalating their privileges and compromising any number of systems under that network’s umbrella.

What the Hack Tells Us About Modern Cybersecurity Practices

The incident reveals the weaknesses of current cybersecurity practices, commonly referred to as the “castle and moat” approach, where a premium is placed on perimeter security. The model’s lack of rigorous user access controls is frequently exploited by hackers, who usually exploit easy points of entry and escalate administrative privileges.

This attack effectively illustrates the need for zero-trust security architecture.

What’s zero trust?

Its basic premise: “never trust, always verify.” That means securing access to networks through a process of authentication of the user’s machine, authorization of the user behind the device, and verification of the user’s security credentials.

Additionally, zero trust mandates that access to sensitive resources is granted on a least-privilege basis, in other words granting access only to staff who absolutely need a given resource.

Finally, rigorous logging is employed to track all traffic through specific inspection points to help enforce least-privilege access rules.

How Zero-Trust May Have Prevented SolarWinds

A core tenet of zero trust is adopting a state of assumed breach, meaning that all requests are inherently untrusted and must be verified.

There are no silver bullets when it comes to security. While companies couldn’t do anything to protect themselves from the attack’s first phase, as that compromise was on the service side, they could have better protected their networks through stronger user authentication and verification.

Before users are granted access to sensitive resources or applications, Zero-trust architecture mandates that users prove both their identity and that of the device they’re using. Requiring multiple verification factors, which are continuously reviewed, zero-trust ensures that foreign actors aren’t using falsified security tokens.

What’s more, such architecture limits access to sensitive resources even after network access is granted, using techniques such as just-in-time and just-enough-access (JIT/JEA), adding a further layer of protection. And by limiting this access to only those who need it, commonly called least privilege, the pool of potential social engineering targets is greatly reduced. This security layer could have prevented the lateral movement the hackers demonstrated after breaching the Orion platform.
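The access gate below is an added illustration of the zero-trust steps just described (verify the token, verify the device, require a time-boxed least-privilege grant, log every decision); it is not SolarWinds’ or any vendor’s code, and the signing keys, device registry, users and resources are all constructed for the example. A token signed with a key other than the identity provider’s is rejected the same way a forged token would be, and a valid user on a managed device still cannot reach a resource outside their JIT/JEA grant.

```python
"""Minimal zero-trust access gate (added example; all names and keys constructed)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Constructed secrets: in practice these live in an HSM/KMS, never in source.
TOKEN_SIGNING_KEY = b"constructed-idp-signing-key"
ATTACKER_KEY = b"constructed-key-the-attacker-controls"  # used only to show a forged token

# Constructed device registry: only managed devices, each bound to its owner.
MANAGED_DEVICES: Dict[str, str] = {"laptop-0042": "alice"}

# Constructed JIT/JEA grants: (user, resource) -> expiry (epoch seconds).
# Nothing is granted by default; every grant is scoped to one resource and time-boxed.
JIT_GRANTS: Dict[Tuple[str, str], float] = {}

AUDIT_LOG: List[dict] = []  # every decision at the inspection point is recorded


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, device: str, key: bytes = TOKEN_SIGNING_KEY, ttl: int = 300) -> str:
    """Issue an HMAC-SHA256 signed token binding a user to a device and an expiry."""
    claims = {"sub": user, "dev": device, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def grant_jit(user: str, resource: str, seconds: int, now: Optional[float] = None) -> None:
    """Just-in-time / just-enough-access: one resource, limited lifetime."""
    now = time.time() if now is None else now
    JIT_GRANTS[(user, resource)] = now + seconds


def authorize(token: str, device: str, resource: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide one request. Every check must pass; the first failure denies and is logged."""
    now = time.time() if now is None else now

    def decide(ok: bool, reason: str) -> Tuple[bool, str]:
        AUDIT_LOG.append({"ts": now, "dev": device, "res": resource, "ok": ok, "why": reason})
        return ok, reason

    # 1. Verify the token against the IdP's key (never a key supplied by the caller).
    try:
        body, sig = token.split(".")
    except ValueError:
        return decide(False, "malformed token")
    expected = hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return decide(False, "bad signature")  # forged or tampered token
    claims = json.loads(_unb64(body))
    if claims["exp"] < now:
        return decide(False, "token expired")

    # 2. Verify the device is managed and is the one the token was issued for.
    if MANAGED_DEVICES.get(device) != claims["sub"] or claims["dev"] != device:
        return decide(False, "unverified device")

    # 3. Least privilege: an unexpired JIT grant for this exact resource is required.
    expiry = JIT_GRANTS.get((claims["sub"], resource))
    if expiry is None:
        return decide(False, "no grant for resource")
    if expiry < now:
        return decide(False, "grant expired")
    return decide(True, "allowed")
```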

In sworn testimony from US CISO Christopher DeRusha, the official told the Senate Homeland Security and Government Affairs Committee that the government should move towards zero trust and away from perimeter security.

“In this new model, real-time authentication tests users and looks to block suspicious activity and prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds attack,” DeRusha said. “Many of the tools we need to implement this model already exist within industry and agency environments, but successful implementation will require a shift in mindset and focus at all levels within federal agencies.”

What You Can Learn From SolarWinds and Zero-Trust

Of SolarWinds’ 36,000 customers, approximately 1800 installed the affected update. If you’re worried that your organization may be impacted and you haven’t taken steps to mitigate this attack, be sure to update Orion to the latest version and follow SolarWinds’ guidance.

However, just because an organization doesn’t use Orion doesn’t mean it’s safe; you should contact your IT vendors or MSP to confirm that they’re not impacted. If they are, ask them what they’re doing to reduce your exposure.

Organizations looking to secure themselves against a future attack should leverage a combination of improved network visibility, incident response, comprehensive vendor management and a zero-trust user access model.

You’ll also want to improve your organization’s security culture by teaching and enforcing best practices. That includes how to utilize tools like web filtering and two-factor authentication, how to create strong passwords, and how to properly configure firewalls.

Lastly, remember that your security efforts should be tailored towards the most likely and most potentially damaging threats. This means beginning with threat modeling to identify your most sensitive assets and brainstorming the most likely paths hackers may take towards compromise. If all this sounds like too much, consider a trustworthy third-party security-focused managed IT provider like SecurIT360.


If nothing else, SolarWinds is a reminder of how serious and far-reaching attacks on third parties can be for your organization. Given the wealth of consumer data now held by the average business, just about every company could be a target.

Computer & Network Security

Understanding the Cybersecurity Maturity Model Certification (CMMC) and its Benefits to You

In today’s evolving threat landscape, organizations are often required to remain compliant with government and industry-based regulations, standards, and policies pertaining to data security and privacy. Therefore, attaining an industry-wide certification for your corporate cybersecurity posture is critical to maintaining a good reputation as well as assuring the confidentiality, integrity, and availability of critical and sensitive information within your computing infrastructure.

It is estimated that cybercrime causes global damages of over $600 billion per annum, thus it is now more important than ever for organizations to protect their information supply chain infrastructure, especially supply chains that process controlled unclassified information (CUI). For organizations looking to conduct business with the U.S. Department of Defense (DOD), there are special cybersecurity regulations that must shape handling of DOD-developed digital assets, and the Cybersecurity Maturity Model Certification (CMMC) is a prime example.

The CMMC consists of five maturity levels, which are used as a guide to protect DOD critical data from a range of cyber-threats, including sophisticated threats posed by advanced persistent threats (APTs). The CMMC framework aligns your organization’s cybersecurity response with security control-measures deemed sufficient by the DoD to protect sensitive information against emerging cyber threats, thus allowing Defense Industrial Base (DIB) companies to provide reassurance to the U.S. government that all CUI is being monitored and secured with at least the basic controls that are recognized by the CMMC maturity levels.

The Importance of CMMC

Being CMMC-compliant not only protects your reputation, but it also mitigates against the financial burden of a breach. The CMMC framework allows you to leverage new operations and applications with the confidence that they are secured by your existing cybersecurity measures.

In terms of the industry-specific benefits, CMMC compliance will reassure clients that you are adhering to the latest cybersecurity recommendations, which will help you win new contracts and gain a competitive advantage over your competitors. Software vendors will be able to reassure enterprise clients that their security framework meets DOD guidelines, and the same applies if you operate in industries with a complex supply chain.

Another benefit of being CMMC-compliant relates to managing risks across your supply chain. If you know of other organizations in your supply chain that are not yet CMMC-compliant or are not prioritizing cybersecurity, you can recommend that they get an audit. This allows for better protection across your whole supply chain, instead of just your organization.

The main goal is to document all processes and constantly improve them, so there is no “weakest link” left within the supply chain. Having a common understanding of how every element of your supply chain operates from a cybersecurity perspective is hugely reassuring, as you can use this knowledge to maintain DOD contracts, expand your client network, and benefit from the subsidized nature of CMMC audits.

Particulars of the CMMC Framework

The CMMC framework consists of 171 practices mapped across five different levels of maturity. The more practices your organization implements, the better you become at protecting all unclassified data within your infrastructure. For the majority of subcontractors of DOD, the first level of the CMMC framework is what you can expect to be recognized when you invest in an audit from a trusted vendor. This level contains all of the common cybersecurity practices.

As you begin to approach the higher levels of the CMMC model, the processes become more documented and proactive. The main aim is to actively manage, review, and optimize cybersecurity processes to protect all of your devices and data points from the growing sophistication of APTs and their growing attraction to supply chain attacks.

Differences Between Each Level of the CMMC Framework

As mentioned earlier, level 1 CMMC states that organizations follow basic cyber hygiene. This is essential to assuring confidence in your supply chains, or to assuring DOD, that you follow basic cybersecurity practices on (at least) an ad hoc basis. The processes are not documented or actively expanded upon by your IT department, but your employees do adopt the recommended processes as and where possible.

Level 2 CMMC measures involve documenting any cybersecurity processes, so that there is proof that people are trained to implement DOD’s best practices for protecting CUI across your organization’s network.

A level 3 compliant subcontractor would have gone one step further than those in level 1 or 2, as their cybersecurity practices adhere to the NIST 800-171 framework. This model contains various security measures that must be undertaken for you to achieve the best protection for all of the CUI you store and manage. For example, instead of simply implementing security measures from a selective standpoint, you will roll the measures out to any section of your infrastructure that may store/move CUI, to enhance your protection from APTs.

If your organization has maturity level 3 CMMC, all of your cybersecurity practices are documented, assessed, and rolled out to the whole organization, while being reviewed on an ad hoc basis.

Furthermore, a level 4 compliance posture differentiates good cyber hygiene from proactive cyber hygiene: the risk from APT actors is managed in real-time with a “constant improvement mindset.” This maturity level combines all of the processes contained in levels 1–3 while using a forward-thinking approach, surrounding the developing sophistication of APTs and the tactics, techniques, and procedures (TTPs) they implement.

Lastly, level 5 maturity will require your organization to implement all of the previous levels of the CMMC framework while leveraging the controls and procedures to ultimately lower the risk and burden caused by APTs on your CUI—essentially before the risk to your reputation or finances becomes anything more than minimal.

Required IT Controls for Each CMMC Level of Certification

Each level of the CMMC framework implies a different (and more managed) level of IT control. As a guide, here is what you may be expected to implement depending on your industry:

  • Level 1 maturity can include staff updating passwords, updating/patching critical applications, and installing antivirus or other free/low-cost cybersecurity tools.
  • Level 2 maturity ensures that procedures to protect CUI are documented and actively encouraged by your IT department. Best practices may be taught via security awareness training.
  • Level 3 IT controls may include multi-factor authentication (MFA), meaning the NIST 800-171 framework is adhered to. Your organization will identify and implement cybersecurity controls across all data points that may contain CUI.

An organization with level 4 compliance can be expected to implement forward-thinking measures, such as cybersecurity controls on emerging technology, mobiles, or IoT. These are areas of your infrastructure that may have previously been under-prioritized from a cybersecurity standpoint.

Lastly, to become a level 5 compliant entity, your IT department must implement 24-hour controls, to minimize the impact of any form of cyber-threats. For example, a security operations center (SOC) may be created, leveraging both human and automated mechanisms, to actively manage threats. With this type of dualistic data security and privacy countermeasure, security goals remain dynamically-aligned with the needs and objectives of your organization.


Being able to certify your cybersecurity posture is now more important than ever, and the newly implemented CMMC framework offers this opportunity for DOD subcontractors and other eligible organizations to do this. With 5 different levels of maturity, the CMMC model can help your organization to understand what is required of your IT department, and it can help your team proactively manage, detect, and improve against the TTPs of APTs.

Becoming CMMC certified at any level provides immense reassurance to your clients, contractors, and anyone you interact with, as it shows you are fully compliant as an organization with what the DOD recommends. Not only will CMMC certification serve as a route to gain a competitive advantage in your industry, but it can also help you to obtain knowledge about your entire supply chain.

You can use this framework to identify any existing weak links and recommend procedures to implement to further minimize the threats against your organization and anyone else you work with within your industry. If you would like to find out more about the CMMC framework, and how to become certified, contact SecurIT360 today to see how we can help you obtain the audit you need to gain a competitive advantage in your industry.

Computer & Network Security

Endpoint Detection and Response: Monitor and Mitigate Your Cyber Threat Environment

There’s one lasting cybersecurity misconception that’s misled many: that perimeter security is sufficient in itself.

While tools like anti-malware, access management, anti-phishing training, and SIEM are effective at preventing attacks, they’re ultimately insufficient on their own. Endpoint detection and response (EDR), paired with managed detection and response (MDR), provides the missing element here, pairing prevention (EDR) with response (MDR) to curtail any attempted intrusion before serious damage is done.

To make matters worse, threats have risen 400 percent since before the coronavirus—with a 40 percent growth in ransomware specifically. What’s more, the explosive growth of workers performing their jobs at home has greatly expanded attack surfaces. Here, we’ll delve into endpoint protection and response, its place in modern cybersecurity, and the benefits it supplies.

Why EDR is Relevant to Today’s Threat Landscape

Much of the internet and IT technology was not designed with security in mind. As such, security approaches are enormously varied, often unsophisticated, and rely on mistaken assumptions about today’s threat landscape.

Case in point is the industry’s overwhelming reliance on perimeter security or network security, often referred to as the castle-and-moat approach. The thinking is simple: use a few different technologies, like firewalls, anti-malware applications, and other security tools, to prevent each potential attack vector.

There’s no such thing as a perfect defense against an unknowable threat landscape. Each year, organizations face roughly a 50/50 chance of experiencing a cybersecurity incident. Between malware, ransomware, advanced attacks, insider attacks, and social engineering attacks, such incidents occur so often they’re almost predictable.

Social engineering attacks are a good example. Approximately 91% of data breaches start with a phishing email, according to a Deloitte study. One might assume that effective education and training could prevent most social engineering attempts. However, such attacks are incredibly sophisticated, often taking the form of a court notice, an IRS refund, or a fax notice, and they succeed through repetition. Falling prey may be a statistical likelihood.

In test attacks from cybersecurity firm Positive Technologies (conducted with permission from leadership), a whopping 17 percent of employees fell for the fake scam. Among those: 25 percent of managers, and 3 percent of security personnel.

While EDR itself can’t prevent an employee from an ill-advised disclosure of data to a phishing email, the attacker’s later activity in the system—elevating privileges and moving across the system—would be visible to effective EDR.

What’s more, EDR serves another important function: reducing the crucial time period between network penetration and the discovery of compromise. Currently, companies take an average of 197 days before discovering an intrusion, according to a Ponemon study. Reducing discovery time can significantly decrease the cost of containment.

Given the extremely high volume of these attacks and the predictability with which they occur, it follows that cybersecurity must not only prevent attacks but also focus on responding swiftly by containing or removing any such threats.

How Endpoint Detection & Response Works

EDR complements typical network security by adding visibility into activity occurring on endpoints, analyzing the resulting data for signs of malicious activity or compromise, and issuing automated responses that contain or remove threats and alert administrators.

Note that the added responsibility and technical sophistication necessary for effective EDR may be too much for many IT departments. That’s why managed detection and response, a service provided by many cybersecurity managed service providers, may be necessary to cover these responsibilities, 24/7 monitoring, and any necessary maintenance. Together, EDR and MDR combine to form a comprehensive incident response program.

Personal Devices in the Workplace Are On The Rise

The explosion in personal devices in the workplace forms one of the most pressing security concerns today. Approximately 90 percent of US employees use their smartphones at work, while 50 percent of companies with permissive personal-device usage policies had such devices breached, according to Trend Micro.

Given their enormous cost savings benefit and their preferred status amongst workers, this is unlikely to change. Still, this growth means business networks are hosting a high volume of endpoints that aren’t likely to be secure.

Popular operating systems, whether we’re talking about Windows, macOS, iOS, Android, or others, rest on a foundation of insecure code and contain a wealth of vulnerabilities to boot. Also, the software they run may not be secure, and they’re easily able to download malicious resources from the web.

If such devices can be manipulated and controlled by hackers, either directly or through malware, one can’t assume trustworthiness. Attackers depend upon this weakness and use it to escalate their privileges to gain access to the resources they’re after.

Endpoint protection’s deep visibility shows which user owns the endpoint, the location in which it’s currently being used, any applications running on it, and any content it’s creating.

EDR greatly minimizes that risk, ensuring that, if and when a cybersecurity event occurs, it can be quickly shut down, through deletion, containment, and rapid notification of relevant personnel.

This is crucial as it currently takes organizations an average of 197 days to identify a breach and another 69 to contain.

Continuous Monitoring and Forensic Analytics

As we mentioned up top, perhaps the most transformative aspect of endpoint services is the greater visibility they lend to endpoint activity.

For instance, EDR can validate that packets coming from an endpoint have been created by a legitimate application. It can also monitor the file integrity of key resources, automatically flagging improper access to secure files and theft of sensitive data.

What’s more, this monitoring is continuous, meaning EDR is always on the hunt for signs of compromise, recording, and storing all related data.

The latter is essential in providing usable forensic data that can help security professionals understand circumstances surrounding any attack, and thus how to prevent the next one. Such investigations could uncover patterns of behavior behind such threats to predict future ones.

Real-time monitoring leverages file integrity monitoring of key data, applications, and devices to find compromise. This includes activities like registry changes associated with malware, improper access to secured files, and sensitive data theft. EDR is also capable of monitoring critical system events like startups and shutdowns, license changes, hard disk failures, and changes to the system clock. And with automated policy enforcement, any such event can be rapidly contained.

Single Source for Endpoint Management

The unprecedented visibility that EDR extends is crucial; users will find that having a centralized location to monitor network endpoints is immensely valuable and educational.

From here, policies can be set and automatically enforced. Historical data across each endpoint can be investigated, which can uncover routes to penetration not previously considered: every endpoint, affected user, and step in the hacking process.

Since EDR systems are tasked with monitoring all devices within a network, they’re often much easier to integrate into network infrastructure. Many EDR solutions are compatible with a wide range of security tools, allowing endpoint data to be analyzed alongside other security network data.

This accessibility is further enhanced by the simplicity and ease of use of many modern endpoint solutions. Drag-and-drop interfaces and easy-to-read analytics make them layperson-friendly—crucial if they’re to be understood by stakeholders.

Perhaps the most compelling, and necessary, component of an EDR solution is its ability to be remotely managed by cyber security professionals.

EDR remote management options allow trained and certified experts to monitor network activity, flag and respond to anomalous activity, and stop cyber attacks that would otherwise compromise your organization. Having experienced and trained security professionals on your side is a superior alternative to installing a piece of software and hoping the built-in software is sufficiently up-to-date and nuanced enough to effectively identify and respond to threats.

Where to Go From Here

The combination of endpoint monitoring with traditional network security gives organizations an unprecedented and holistic view of their organization’s threat surface—and the once-invisible activity occurring on it.

At SecurIT360, we are a team of skilled cyber security professionals that can partner with your organization to provide an EDR solution that is customized to protect your business, its data, and your bottom line. EDR can integrate with minimal lift from your team or changes to your existing security architecture.


SecurIT360 is a managed services provider proficient in monitoring and incident response, assessments and penetration testing, compliance, and general cybersecurity consulting. Contact us to learn more.

Incident Response

The Benefits of a Cyber Security Risk Assessment

As organizations rely more on information technology and data systems to conduct business and manage operations, the inherent risks of using those technology assets increase. Several effective frameworks exist for managing those risks, to help enterprises and small businesses reduce exposure to threats, meet compliance obligations and compete in the marketplace.


A cyber risk assessment is an increasingly common, often mandatory operation for businesses of all sizes. An assessment can be applied to any application, function, or process within an organization. Conducting a cyber security risk assessment is often a detailed and complex process that requires expert planning, specialist knowledge, and stakeholder buy-in to deliver appropriate and actionable results. If you’re new to IT risk governance in general, here is what you need to know.


What Is a Cyber Risk Assessment?

Assessing and quantifying cyber risk is required for compliance with all commonly accepted US and international standards, including HIPAA, ISO 27000, GDPR, and NIST:


“Risk assessment is one of the fundamental components of an organizational risk management process as described in NIST Special Publication 800-39. Risk assessments are used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.” – NIST Special Publication 800-30


A cyber risk assessment is a tool used to inform decision-makers and support appropriate risk responses. It’s a comprehensive evaluation, testing and auditing process that asks and seeks to answer critical questions about your cyber security posture, including:

  • What are our most important IT assets?
  • What are the most relevant threats and vulnerabilities for our organization?
  • How likely is it that vulnerabilities can be exploited, and what would the impact be?
  • What is our organization’s attitude toward risk, and how can it be managed?
  • What are the highest priority security risks we face?

The cyber assessment process helps you fully understand these questions, reveals answers, and provides suggestions on how best to proceed. Your organization will emerge with a better understanding of the value of the data you are trying to protect, the cost of that protection, and the potential consequences of failure.


One important note: cyber risk assessment should be an ongoing process. Continually monitoring and reviewing your risk environment is required to detect changes and maintain an effective overview of your evolving risk stance and security environment.



Why Enterprises Perform Cyber Risk Assessments


Cyber risk assessments are increasingly necessary, and often required, in the 21st century digital marketplace. They are an integral feature of any wider risk management strategy. Additional reasons enterprises regularly perform cyber risk assessments include:


  • Avoid data breaches, IT incidents and adverse security events: The costs and reputational impact of an incident can be substantial.
  • Reduce long-term costs: Mitigating threats and eliminating vulnerabilities saves money in the long run, not just by preventing costly incidents but also by creating a foundation for continuous improvement through a better understanding and more effective management of the data and security environment.
  • Create a template for future assessments: Cyber risk assessments should be conducted regularly; completing one assessment supports continued evaluation of the evolving risk and security environment.
  • Meet regulatory and compliance requirements: Organizations have increasing obligations to meet rigorous standards for data management and security performance, including from HIPAA, PCI DSS, GDPR and others. 
  • Establish a competitive advantage: Organizations with best-in-class cyber security posture enjoy increased productivity, improved public relations, enhanced capability to gain and retain employees, and have a leg up over other firms in their space.


Internal vs. External Assessment: Which Is Right for You? 

If you have sufficient resources in-house, along with an experienced and capable security team available to manage those resources, then the full range of security operations is within reach. Enterprises of suitable scale, with the assets in place and the know-how to command them, can successfully conduct cyber risk assessment operations in-house. 


With that said, large organizations with internal capabilities often want a fresh look at their cyber security program. In such cases they opt for an independent expert to provide support for conducting assessments and formulating new policies and standards. 


On the other hand, if you are a startup or SME, you may face challenges in managing cyber risk assessments in-house: limited budget, insufficient staff and time, and the need to have all hands on deck for mission-critical operations are barriers not just to success, but to even launching the effort. In these circumstances, conducting an assessment in-house can be insurmountable.

Engaging an external security provider allows these organizations to access cyber risk assessment leadership and best practices, without diverting limited resources away from core operations. You can have effective information security guidance and oversight, but not have to make sacrifices that might stand in the way of your goals. Other advantages include:

  • Independent perspective on threats, vulnerabilities and improvement opportunities
  • Access to enhanced capabilities, skill levels and knowledge of best practices
  • Reduced overall costs
  • Confidence for clients, vendors, shareholders and other stakeholders

What an Assessment Should Look Like

An effective cyber risk assessment is built on a comprehensive, iterative, and well-defined process aimed at identifying all risk types: operational, strategic, transactional, compliance and reputational risk. The basic steps include:


System categorization includes an assessment of each system to determine the type, internal and external interfaces, who uses the system, data flow, and more. This process reveals likely threats.


Threat identification begins in the previous process and is formalized in this step. Threat types include:

  • Unauthorized access 
  • Information misuse 
  • Data exposure 
  • Data loss 
  • Service or productivity disruption 

Risk determination and impact are assessed independently of the control environment. High, medium and low risk levels are assigned to create a prioritization schedule. 


Control analysis identifies the available threat prevention, mitigation, detection and/or compensating controls, and assesses their effectiveness. Recommendations for added controls emerge from this analysis. 


Threat scoring determines the likelihood of a given exploit within the context of the control environment. Threats with a “low” rating lack the motivation or capability to exploit a vulnerability, or current controls are adequate to meet the threat. Threats with a “high” rating combine dangerous motivation and capability with a lack of adequate controls to prevent or impede them. 


Calculation of final risk ratings produces a cyber risk assessment report with deep insights, actionable data, and recommendations for necessary adjustments. Risk assessment reporting is a fundamental element of an effective risk management process and allows enterprises to maintain an acceptable risk environment while highlighting required control measures. The cyber risk assessment process is continuous, and findings should be reviewed regularly to ensure they remain relevant. 
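As an added example (not SecurIT360's method or code), the steps above carried through in a small risk register: each threat is scored for likelihood and impact with no controls considered, re-scored within the control environment, sorted into a prioritization schedule, and flagged where added controls are needed. The 1-5 scales, the High/Medium/Low bands and the way control effectiveness discounts likelihood are assumptions; the register entries are constructed sample values.

```python
from dataclasses import dataclass, field

# Assumed bands for a 1-25 likelihood x impact score (not from the page).
def band(score: int) -> str:
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

@dataclass
class Threat:
    system: str
    threat_type: str          # one of the threat types listed above
    likelihood: int           # 1-5, rated with no controls considered
    impact: int               # 1-5, rated with no controls considered
    controls: dict = field(default_factory=dict)  # name -> effectiveness, 0-100 %

    def inherent_score(self) -> int:
        # Risk determination independent of the control environment.
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        # Threat scoring within the control environment: each control is assumed
        # to cut the remaining likelihood by its effectiveness (integer percent
        # arithmetic, rounded half up, so results are exact and repeatable).
        remaining_pct = 100
        for effectiveness in self.controls.values():
            remaining_pct = remaining_pct * (100 - effectiveness) // 100
        return max(1, (self.likelihood * remaining_pct + 50) // 100)

    def residual_score(self) -> int:
        return self.residual_likelihood() * self.impact

def prioritize(threats: list) -> list:
    # Prioritization schedule: worst residual risk first, inherent risk breaks ties.
    return sorted(threats, key=lambda t: (-t.residual_score(), -t.inherent_score()))

def final_ratings(threats: list) -> list:
    # Report rows; a "High" residual rating flags where added controls are needed.
    return [{"system": t.system, "threat": t.threat_type,
             "inherent": band(t.inherent_score()), "residual": band(t.residual_score()),
             "add_controls": band(t.residual_score()) == "High"}
            for t in prioritize(threats)]

# Constructed sample register (illustrative values, not real findings).
REGISTER = [
    Threat("Payroll DB", "Data exposure", 4, 5, {"encryption at rest": 50, "MFA": 40}),
    Threat("Public web app", "Unauthorized access", 5, 4, {"WAF": 20}),
    Threat("Email gateway", "Information misuse", 3, 3),
    Threat("Build pipeline", "Service or productivity disruption", 2, 5, {"monitoring": 10}),
]
```

Calling `final_ratings(REGISTER)` returns the report rows in priority order; the web app stays "High" after controls and is the only entry flagged for added controls.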


Partner with SecurIT360 to Successfully Manage Your Risk Environment 

Cyber risk assessments are integral to information risk management, compliance and enterprise performance. SecurIT360 is trusted by organizations just like yours to provide sensible risk analysis that catalogs relevant assets and their value, identifies threats and vulnerabilities, analyzes controls, and then prioritizes and fully documents risks in a report that includes recommendations for how to proceed. Assessment and reporting are customized to your organization’s needs, so your team has complete support to make the best, most informed decisions. 


SecurIT360 is a trusted advisor to small businesses and enterprises that are motivated to meet complex and evolving security challenges. We are available to help you compete and thrive in today’s digital environment – contact us to learn more. 


Arriving at the Scene of a Cyber Attack

In this 1-hour webinar, SecurIT360 experts describe what it’s like to arrive at the scene of a cyber attack and how to respond.


Webinar Speaker:

  • David Forrestall, Managing Partner, SecurIT360

Conversations with a Hacker


Webinar Speaker:

  • David Forrestall, Managing Partner, SecurIT360



How to Respond to a Data Breach & Cyber Security Incidents

In this 1-hour webinar, SecurIT360 experts discuss how to prepare for cyber security incidents and respond to a data breach.

  • What to do when you arrive at the scene of a cyber attack
  • The legal impact of cyber attacks and how to be prepared
  • How to conduct a post-attack data breach review


Webinar Speakers:

  • David Forrestall, Managing Partner, SecurIT360
  • Bruce Radke, Shareholder, Polsinelli
  • James Jansen, Senior Director, Consilio
  • Maureen O’Neill, Senior Vice President, Consilio
