A cybersecurity assessment is a review of your current security controls to see how well they stack up against either known potential security threats or the threats you have directly encountered.
The assessment will also evaluate whether you are adequately satisfying the relevant regulatory compliance requirements.
While there is no single fixed method for carrying out a formal risk assessment, the most intuitive approach is to start with a list of questions about the type and value of the assets you store, the threats you are likely to encounter, the likelihood and consequences of falling victim to a breach, and the data privacy laws that apply to your organization.
Below is a comprehensive list of questions that need to be answered in order to adequately assess the security posture of your organization.
What types of assets do you store and how valuable are they?
Create an inventory of all the assets you store. Bear in mind that companies hold large amounts of unstructured data, some of which contains sensitive data that may be difficult to identify.
While it is theoretically possible to search for sensitive data manually, a better approach is to use a data discovery and classification tool, configured to identify the types of data most relevant to your industry.
What security threats are you likely to encounter, and what is the likelihood of falling victim to them?
Make a list of the most common attack vectors and decide which of them are most relevant to your industry and to the assets you are trying to protect. Phishing, Distributed Denial of Service (DDoS) and ransomware attacks, for example, are among the most common threats businesses face.
Companies that store sensitive data in a SQL database and expose web forms to the public will also need to pay attention to SQL Injection and Cross-Site Scripting (XSS) attacks, since both are driven by untrusted form input.
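As an added illustration, not code from the original article, the Python snippet below shows the two web-form weaknesses just named side by side with their hardened forms: a user lookup that concatenates form input into SQL next to the same lookup as a parameterised query, and a page fragment that reflects input straight into HTML next to one that escapes it. It also includes an allowlist check of the kind a "validation on a public-facing web form" would perform, as defence in depth. The in-memory SQLite table, the user names, the regular expression and the attack payloads are all constructed for the example.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the customer database (sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# VULNERABLE: the form value is pasted into the SQL text, so whoever fills in the
# form controls the structure of the query, not just a value inside it.
def find_user_vulnerable(conn, username):
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


# HARDENED: the value is bound as a parameter; the database engine never parses it as SQL.
def find_user_safe(conn, username):
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allowlist validation (an assumed policy for this example): one to 32 characters
# drawn from letters, digits, underscore, dot and hyphen. This is a second layer;
# parameterisation, not validation, is what actually prevents injection.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None


# VULNERABLE: reflecting a submitted value into HTML lets it inject markup and script
# into the page served to the next visitor (reflected or stored XSS).
def render_greeting_vulnerable(name):
    return f"<p>Welcome back, {name}!</p>"


# HARDENED: escape for the HTML text context before interpolation.
def render_greeting_safe(name):
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    sqli_payload = "' OR '1'='1"
    print(find_user_vulnerable(conn, sqli_payload))  # every row: the WHERE filter is bypassed
    print(find_user_safe(conn, sqli_payload))        # []: no user is literally named that
    print(valid_username(sqli_payload))              # False: rejected before the query runs
    xss_payload = "<script>alert(document.cookie)</script>"
    print(render_greeting_vulnerable(xss_payload))   # script tag reaches the browser intact
    print(render_greeting_safe(xss_payload))         # rendered as harmless text
```

Run it as a script to see the two behaviours next to each other; the same comparison is what a reviewer should look for when auditing how each public-facing form reaches the database and the page.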
Insider threats, whether negligent or malicious, are also common. It is a good idea to document all known security threats in a spreadsheet with column headings such as the attack vector's name, origin, relevance, likelihood of attack, potential impact and mitigation strategy.
You can customize these headings as you wish. Organize the spreadsheet so that the threats are listed in order of priority, typically by combining likelihood and impact into a single score.
What methods do these security threats use to breach your defences?
On the spreadsheet you will need to record the origin of each security threat. For example, both phishing and ransomware attacks typically arrive by email, as a malicious link or attachment, and rely on an unsuspecting victim clicking the link or opening the attachment.
For DDoS attacks, which are designed to flood your network with traffic, note the most likely point of entry, such as your internet-facing services. Understanding where each threat originates makes it easier to pinpoint the holes in your security strategy.
What would be the impact of falling victim to each of these threats?
On the spreadsheet mentioned above, make a note of how damaging each of these attack vectors could be.
There are numerous potential costs associated with falling victim to a cyber-attack, including legal costs, regulatory fines, reputational damage, disruption to business operations and, of course, the loss of the assets themselves.
There will also be remediation costs, which include investigating the cause of the incident. In the case of a ransomware attack, businesses may feel pressured to pay the ransom, although this should be avoided at all costs.
Business Email Compromise (BEC) attacks should also be treated as a priority, as they are among the most financially damaging forms of cyber-attack.
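The threat register described over the last few sections (name, origin, relevance, likelihood, impact, mitigation, sorted by priority) as an added worked example, not anything from the original article: a small Python script that scores each row as likelihood times impact on five-point scales, assigns a rating band, ranks the rows with ties broken by impact, and writes the result out as CSV ready to open in a spreadsheet. The scales, the band thresholds and the five sample threats are assumptions made for the example, not assessment data.

```python
import csv
import io

# Qualitative five-point scales (an assumption of this example; adjust to your own matrix).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Column headings of the register, matching the ones suggested in the text plus the computed fields.
COLUMNS = ["name", "origin", "relevancy", "likelihood", "impact", "mitigation", "score", "rating"]


def score(likelihood, impact):
    """Risk score = likelihood x impact on the scales above (1..25); rejects unknown values."""
    try:
        return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown scale value: {exc.args[0]!r}") from None


def rating(value):
    """Band of the 5x5 matrix; the thresholds are this example's choice."""
    if value >= 15:
        return "critical"
    if value >= 8:
        return "high"
    if value >= 4:
        return "medium"
    return "low"


def prioritise(threats):
    """Return the register with score and rating filled in, highest risk first.

    Ties on score are broken by impact, so the more damaging threat is listed first.
    """
    rows = []
    for threat in threats:
        value = score(threat["likelihood"], threat["impact"])
        rows.append({**threat, "score": value, "rating": rating(value)})
    rows.sort(key=lambda r: (r["score"], IMPACT[r["impact"].lower()]), reverse=True)
    return rows


def to_csv(rows):
    """Serialise the ranked register as CSV text for import into a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample register (invented for the example, not real assessment data).
SAMPLE = [
    {"name": "Phishing", "origin": "email link or attachment", "relevancy": "all staff",
     "likelihood": "almost certain", "impact": "major",
     "mitigation": "MFA, mail filtering, awareness training"},
    {"name": "Ransomware", "origin": "email attachment, exposed remote access", "relevancy": "file servers",
     "likelihood": "likely", "impact": "severe",
     "mitigation": "offline backups, endpoint protection, patching"},
    {"name": "DDoS", "origin": "internet-facing edge", "relevancy": "public web application",
     "likelihood": "possible", "impact": "moderate",
     "mitigation": "upstream scrubbing, rate limiting"},
    {"name": "SQL injection", "origin": "public web forms", "relevancy": "customer database",
     "likelihood": "possible", "impact": "severe",
     "mitigation": "parameterised queries, input validation"},
    {"name": "Negligent insider", "origin": "internal", "relevancy": "all data",
     "likelihood": "likely", "impact": "moderate",
     "mitigation": "least privilege, data classification, training"},
]

if __name__ == "__main__":
    print(to_csv(prioritise(SAMPLE)))
```

Because the ranking is computed rather than typed in, re-running the script after a likelihood or impact estimate changes re-orders the whole register consistently, which is the main advantage over sorting a spreadsheet by hand.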
What vulnerabilities are you aware of, and how do you plan to address them?
This question relates specifically to your current security posture. Again, you should keep a spreadsheet that tracks all known vulnerabilities.
It is a good idea to ask employees to report any security issues they come across. For example, an employee might notice that the validation on a public-facing web form is not working properly.
Additionally, you may want to use a network vulnerability scanner, which will look for outdated network services, missing security patches, server misconfigurations and more.
Are your access controls relevant and periodically reviewed?
Given that a large number of data breaches involve unauthorized access to privileged accounts, it is crucial that you regularly carry out a thorough review of the access controls you have in place.
Are you using Multi-Factor Authentication? Are you adequately enforcing "least privilege" access? Do you have policies and procedures in place to ensure that privileges are revoked when they are no longer required, for example when an employee changes role or leaves?
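An added example, not from the original article, of the periodic review the three questions above call for, written as a Python script run over an account export. It flags accounts belonging to people who are no longer employed, privileged accounts that are not enrolled in MFA, and privileged accounts that have not been used recently (a stale privilege is a candidate for revocation under least privilege). The CSV export, its column names, the users, the list of groups treated as privileged and the 90-day staleness threshold are all assumptions of the example.

```python
import csv
import io
from datetime import date

# Constructed account export in the shape a directory or identity-provider tool might
# produce. Column names, users and dates are invented for this example.
EXPORT = """\
user,groups,mfa_enrolled,last_login,employment_status
alice,Domain Admins;Staff,true,2024-05-30,active
bob,Staff,true,2024-05-29,active
carol,Domain Admins;Staff,false,2024-01-12,active
dave,Finance;Staff,true,2024-04-01,terminated
erin,Backup Operators;Staff,true,,active
"""

# Groups treated as privileged: an assumption of the example, adjust to your environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}

# Date the review is run on, fixed so the example is reproducible.
REVIEW_DATE = date(2024, 6, 1)


def parse_export(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(accounts, today, stale_days=90):
    """Return (user, finding) pairs for every account that fails the review.

    Checks, in order: accounts of people who are no longer employed (everything must
    be revoked, so no further checks are made), privileged accounts without MFA, and
    privileged accounts not used within stale_days (never used counts as stale).
    """
    findings = []
    for account in accounts:
        groups = {g for g in account["groups"].split(";") if g}
        privileged = bool(groups & PRIVILEGED_GROUPS)
        last_login = date.fromisoformat(account["last_login"]) if account["last_login"] else None

        if account["employment_status"] != "active":
            findings.append((account["user"], "account belongs to a former employee: disable it and revoke all access"))
            continue
        if privileged and account["mfa_enrolled"].strip().lower() != "true":
            findings.append((account["user"], "privileged account without MFA"))
        if privileged and (last_login is None or (today - last_login).days > stale_days):
            findings.append((account["user"], f"privileged account unused for more than {stale_days} days: remove the privilege"))
    return findings


def run_review():
    """Run the review over the constructed export as of REVIEW_DATE."""
    return review_access(parse_export(EXPORT), REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user}: {finding}")
```

Each finding maps back to one of the three questions (revocation, MFA, least privilege), so the output doubles as evidence that the review was performed; keeping the script and its output with the assessment makes the next review a re-run rather than a fresh manual exercise.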
What technologies are you using to help protect your assets from risk?
Create an inventory of all the technologies you are using to keep your network and data secure. These might include Data Security Platforms, anti-virus software, firewalls, VPNs, intrusion prevention systems (IPS), SIEM, user behavior analytics (UBA) and so on.
Arrange the list in order of relevance and effectiveness, as doing so will help you prioritize your work. For example, as more employees work remotely, the focus has shifted towards monitoring user behavior.
If you spend too much time monitoring network traffic alone, you could end up missing the real threats. Make sure you stay up to date with the latest trends and technologies.
How confident are you that you can identify, contain and eradicate a cyber-attack in a timely manner?
Perhaps the most effective way to determine how fast you can detect and respond to a cyber-attack is to carry out penetration tests and measure whether, and how quickly, each attempt was picked up by your monitoring.
Penetration testing is where a team of trained cyber-security professionals attempts to breach your security defenses.
They will try to compromise your servers, endpoints, web applications and any other points of exposure. Each attempt should be documented, whether or not it succeeded, together with whether it was detected.
A penetration test can be carried out by either your own security team, or it can be outsourced to a specialized service provider.
Which data privacy laws are relevant to your organization, and are you compliant?
Companies processing the personal data of individuals in the EU are subject to the GDPR. Healthcare service providers in the US will need to comply with HIPAA.
Companies that process credit card data will need to comply with PCI DSS (an industry standard rather than a law), while US federal agencies and their contractors fall under FISMA and publicly traded US companies under SOX.
Once you have determined which laws and standards apply to your organization, make sure you have taken the steps necessary to satisfy their requirements.
For a free, turnkey analysis of your current security posture and threat landscape, schedule a risk analysis with our team of experts today.