Written by JENNIFER GUIDRY
You wouldn’t want to take a road trip without first checking your oil and tire pressure, or fly in an airplane that hasn’t had its regular safety check.
Similarly, you should assess your current security posture prior to initiating company culture change. The initial assessment will expose critical risk factors and set the course for policy and procedure updates.
Some organizations embark on a program to strengthen their security infrastructure without first performing a comprehensive assessment.
That’s a mistake. They risk misallocating resources and failing to address their most critical vulnerabilities.
Why a Risk Assessment is Important
Before explaining why a cyber risk assessment is vital, let’s take a look at a few recent statistics:
— Nearly half of all cyber-attacks are committed against small businesses.
— An estimated 556 million people fall victim to cybercrime annually, or 12 people every second.
— Cyber security incidents have surged 38% since 2014.
— The average cost of a data breach is $3.62 million, or $141 for each lost or stolen record containing sensitive and confidential information.
— Attackers often have more than 200 days before being discovered.
Did those statistics convince you to run over to your IT department and ask when your last cybersecurity assessment was conducted? Because they should have. The fact is, it’s no longer a matter of if your organization will fall victim to cybercriminals, but when.
If your organization is like many others, and you have never conducted a risk assessment, now is the time to do so.
Not only will a cyber audit reveal technical security inadequacies, but it will also take the human element into account by determining the factors that most put employees at risk of enabling a breach.
This is the most vital segment of the risk assessment, as human error is to blame for the majority of security breaches.
If you have performed a cybersecurity assessment in the past, this is still the place to start. Regular assessments and reviews are critical to keeping your company, and your employees, ahead of cybercriminals.
Things to Consider
While your IT department or outsourced IT company can handle the typical preventative measures, there are still breach risk factors tied directly to employees. These are just a few questions to consider:
— Does your company employ a bring-your-own-device (BYOD) policy?
— Are employees required to use multi-factor authentication for all work accounts?
— Do employees store or have access to company data on personal devices?
— Does the CEO’s secretary keep her passwords on a sticky note on her desk?
— What about disgruntled former employees? Are there any safeguards in place to protect your information following their termination?
— Is data segmented on a need-to-know basis, or does every employee have access to all data?
These are all questions to consider when developing company-wide policies and procedures. Identifying and addressing common key risk factors is the starting point for developing policy and conducting awareness training.
Performing a Risk Assessment
According to the National Institute of Standards and Technology (NIST), the goal of a risk assessment is for an organization to understand “the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.” As set out by NIST, conducting a risk assessment typically includes the following six steps:
— Identify and Document Asset Vulnerabilities
— Identify and Document Internal and External Threats
— Acquire Threat and Vulnerability Information from External Sources
— Identify Potential Business Impacts and Likelihoods
— Determine Enterprise Risk by Reviewing Threats, Vulnerabilities, Likelihoods and Impact
— Identify and Prioritize Risk Responses
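To make those six steps concrete, here is a small risk register in Python that walks through them with the employee-related risk factors raised above (BYOD, missing multi-factor authentication, stale accounts of former employees, flat data access). It is an added illustration, not code from the article or from NIST, and every asset name, score and "actively exploited" entry is a constructed assumption.

```python
from dataclasses import dataclass

# Constructed sample data (assumptions, not from the article): a tiny risk
# register that follows the six NIST-derived steps listed above.
@dataclass
class Asset:
    name: str
    impact: int            # business impact if compromised, 1 (low) to 5 (critical)
    vulnerabilities: list  # step 1: documented weaknesses on this asset

# Step 2: threats, the vulnerability each exploits, and a base likelihood (1-5).
THREATS = [
    {"name": "phishing", "exploits": "no_mfa", "likelihood": 4},
    {"name": "lost_personal_device", "exploits": "byod_unmanaged", "likelihood": 3},
    {"name": "ex_employee_access", "exploits": "stale_accounts", "likelihood": 2},
    {"name": "insider_browsing", "exploits": "flat_access", "likelihood": 2},
]

# Step 3: external intelligence (constructed): weaknesses reported as actively
# exploited raise the likelihood by one point, capped at 5.
ACTIVELY_EXPLOITED = {"no_mfa"}

def assess(assets, threats, intel, cap=5):
    """Steps 4-5: likelihood and risk = likelihood x impact for each asset/threat pair."""
    register = []
    for asset in assets:
        for threat in threats:
            if threat["exploits"] not in asset.vulnerabilities:
                continue  # this threat has nothing to exploit on this asset
            likelihood = min(threat["likelihood"] + (threat["exploits"] in intel), cap)
            register.append({"asset": asset.name, "threat": threat["name"],
                             "vulnerability": threat["exploits"],
                             "likelihood": likelihood, "impact": asset.impact,
                             "risk": likelihood * asset.impact})
    return register

def prioritize(register, treat_above=10):
    """Step 6: rank by risk score and mark entries that need a planned response."""
    ranked = sorted(register, key=lambda r: r["risk"], reverse=True)
    for entry in ranked:
        entry["response"] = "treat" if entry["risk"] > treat_above else "accept/monitor"
    return ranked

ASSETS = [  # constructed example assets
    Asset("customer_db", 5, ["no_mfa", "flat_access", "stale_accounts"]),
    Asset("sales_laptops", 3, ["byod_unmanaged", "no_mfa"]),
]

if __name__ == "__main__":
    for row in prioritize(assess(ASSETS, THREATS, ACTIVELY_EXPLOITED)):
        print(f'{row["risk"]:>2} {row["response"]:<14} {row["asset"]} / {row["threat"]}')
```

The ranking puts phishing against the un-MFA'd customer database first (risk 25), which is the kind of prioritized output an assessment should hand to whoever writes the policy and training plan.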
A risk assessment can be performed in-house, but it is most effective when performed by an external cybersecurity firm. While internal IT departments have typical preventative measures in place, they are not equipped or trained to deal with today’s evolving threats. An external, objective assessment provides access to experienced professionals with the latest, advanced tools, and delivers an informative assessment that will shape your security measures.
Jennifer Guidry is a wife, mother and chief marketing officer for IT Strategy, Inc. With a degree in psychology from Fresno State, Jennifer is a career consultant, known for advising organizations in business development and marketing strategy. As CMO, Jennifer oversees IT Strategy’s corporate brand, communications and integrated marketing efforts. She is a sought-after public speaker, renowned trainer and an expert on health care regulatory compliance.