If you are wondering whether it is time for a security assessment, then the answer is probably yes. As more businesses adopt cloud computing and hackers continue to identify security weaknesses in order to steal valuable data, cybersecurity has become a growing concern. Hopefully you have been deliberate in implementing and monitoring security measures, but with the pace of technology, it can be difficult to stay ahead of the game.
With that in mind, here are a few signs that it is time for your organization to conduct a security assessment:
You store large amounts of data. This is probably true of most businesses, which is why there is never really a bad time to conduct a security assessment. Cyber criminals can steal personal information, hijack intellectual property, and completely take over websites. The more data you store, the more exposed you are to major attacks that can have lasting consequences for your business.
Even if you aren't responsible for handling and storing sensitive information, you can still be the target of a cyberattack. Increasingly, cyber criminals are taking over sites and demanding ransoms. They will disrupt your entire business for even small sums of money.
You don't remember the last time you conducted an audit or assessment. It is imperative that you conduct audits regularly, both to identify whether your existing cybersecurity efforts are actually delivering as promised and to adapt to new threats.
Ideally, any solutions you put in place will be effective and operate as expected, but that isn't always the case. An assessment will allow you to confirm that your policies are actually working as intended.
You recently moved your network to the cloud. While cloud computing is designed to be secure, it is susceptible to the same kinds of vulnerabilities and attacks as on-premises networks. It is important to update your security and conduct an assessment any time there are major changes to your existing technology.
Don't assume that any standard controls will be enough to protect your data.
You notice an increase in cybersecurity incidents in your industry. Security breaches tend to happen in waves. Once hackers discover a new vulnerability, they will go to work targeting a larger number of businesses so that they can inflict the most damage before cybersecurity experts have the chance to respond.
Pay attention to the news and take note when a rash of breaches occurs. It is a good sign that you could be next.
Here are three key elements of an assessment:
Data Classification. Many organizations maintain the philosophy, “I know how to treat that data when I see it.” Unfortunately, due to the explosive growth of unstructured data and cloud-based services like Box, Dropbox, Salesforce, ServiceNow, Slack, Office 365, etc., you may never see it in order to treat it.
You need both written and electronic policy enforcement, and a strong data governance and oversight methodology. An assessment can help “connect the dots” on what is working, and more importantly, what’s not.
Incident Handling. Note that Incident Response, or IR, gets a lot of play these days, but IR is only one part of the Incident Handling, or IH, process.
Device Inventory and Control. Ask yourself: do you know what devices attach to your network every day, who has them, and what they all are? Even if you can answer yes, and many cannot, do you scan them and evaluate whether they carry your desired security image and patch level? Do you have a policy and a standard for computers, tablets, smartphones, and perhaps Chromebooks?
What about IoT? We see security cameras all the time riddled with old firmware and vulnerabilities. If one thinks this is minor, ask Dyn (now owned by Oracle) about the Mirai botnet attack against them last year on October 21st. DVRs and cameras were mobilized into a denial-of-service army attacking Dyn’s DNS infrastructure, knocking several major retailers out of commission for more than half of a business day.
Who is minding the store?
Your business or institution likely has a Chief Financial Officer, a Financial Controller, and possibly even Analysts on staff, whose purpose is to make sure your financial house is in order at all times. But who handles this role for cyber?
Even if you have dedicated cyber staff, they may be so buried in security operations and event management that they never have time to attend to an assessment. Many assessors have well-thought-out and mature methodologies that can specifically address your organization’s needs.