Are Security Assessments For Us?

Security Assessments are one of the 15 Ways to Protect Your Business from a Cyber Attack, which is just one of many assets associated with our Cybersecurity offerings. Periodic Security Assessments are part of every good security and cyber defense program.  Organizations subject to compliance regulations, like SOX or HIPAA, should be performing formal Security Assessments at least every year. Some cyber insurance policies may require them as frequently as quarterly.  But what are they, anyway?

Security Assessments can vary in complexity and scope, but they tend to include three key elements: Policy and Procedure Review, Vulnerability Assessment, and Penetration Testing.  There are brief and more thorough versions for each of these activities, and some organizations may elect to do only a subset, but all are recommended as best practices.

Policy and Procedure Review

The first is a review of the policies and procedures currently in place and a comparison between those and what actually happens around creating and disabling user accounts, and assigning rights, privileges, and permissions to those accounts.  This is an activity that your internal compliance organization may do annually anyway, but the point of a Security Assessment is to have someone outside your organization perform that review independently.

Vulnerability Assessment

The second element common to a Security Assessment is an evaluation of currently running systems in your environment.  Computer hardware and software manufacturers are continually finding vulnerabilities in what’s been developed, and when they do they release patches to fix those vulnerabilities.  Unfortunately, many organizations aren’t good about keeping track of when systems have last been patched, so many organizations are running systems which can be easily hacked through well-known, sometimes really old, vulnerabilities.  Automated and sometimes human-run software can be run against your internal systems to suss out which systems haven’t been appropriately patched.  This then gives the organization a set of followup tasks to plug those gaps in their security posture.

I’ve seen insurance brokers who wanted vulnerability assessments done monthly, or quarterly, not just annually.  Luckily, there are services which can perform some of this testing on an on-going basis, at much less than the cost of hiring a person to perform the function.

Penetration Testing

Similarly, a “penetration testing” cycle can be run against internal systems and/or systems exposed to the broader Internet.  This process is essentially “white hat” hacking that uses hacker-style methods to try to break into your systems, but without doing any damage–just to see if it could be accomplished.  This is an important step because systems can be made vulnerable by the applications they run–not just the operating systems or hardware they have.  Unless you try to break into an application, you will have a harder time understanding whether it has unforeseen vulnerabilities.

Like vulnerability testing, penetration testing can become a routine function, performed as an on-going service to satisfy the more rigorous demands made by some cyber insurance underwriters.  Done annually, quarterly, or monthly, these results are extremely helpful toward shoring up cyber security defenses.

The End Result

The end result of these measures is a report which identifies the types of gaps in a company’s cyber defenses.  Knowing where the weaknesses are can help owners prioritize the closure of those gaps in a way that both protects the company and stages potential expenditures over time.  It’s not typically sensible to break the bank to fix everything, everywhere, all at once. We can help you identify how to stage the needed changes over time.  Contact us, so we can start the conversation.
