Assessing your cyber readiness every year is vital to ensuring that your network, applications, and systems have the appropriate protections in place. As we flip the calendar ahead into 2022, performing your cyber assessments is a great way to ring in the new year, along with dropping 15 pounds, hitting the gym 3 times a week, and finding true happiness.
Unlike those annual resolutions, which recur unchanged year after year, most business networks have seen some pretty significant changes. Two years ago, the pandemic forced businesses to adopt a hybrid work model, where employees worked remotely. These changes were initially viewed as temporary, and while efforts were made to secure connections, few businesses were able to install the type of security measures that protect against a nation-state grade attack.
Today, workers overwhelmingly have stated their preference to continue working from home. Organizations that balked at that idea are seeing their employees resign and find other jobs. Businesses that once viewed remote work as temporary now realize that it is here for the long term. As we head into the new year, IT departments need to holistically assess whether the security measures they put in place to enable work-from-home are sufficient for the long term.
Assessing your cyber risk position is only one of the assessments you need to be doing. In addition, you’ll want to perform a third-party assessment to identify your exposure to issues like the Apache Log4J vulnerability and your potential for a supply chain attack.
You’ll also want to perform a compliance assessment. Regulations change, as do the standards of your partners and suppliers. Take the time now, at the beginning of the year, to ensure that you are still in line with those requirements.
Assessing Risk
It’s important to recognize that cybersecurity systems don’t completely eliminate risk. Rather, they reduce the likelihood of a successful breach or attack to a level low enough that business owners can sleep well at night. That means protecting your systems against ransomware and other malware, data leaks, phishing attacks, and insider threats.
Your risk assessment should enable you to identify the risk that the organization faces, estimate the costs if your security measures aren’t strong enough, and prioritize security measures based on risk. For example, a customer database with sensitive information is an important asset. You want to evaluate the measures you have in place to protect it from being breached, evaluate the likelihood of those measures failing, and then determine whether it is enough of a priority to invest additional resources in protecting that database.
Begin your assessment by identifying the high-value assets that need protection. Corporate proprietary data might be high on your priority list, while 20-year-old sales records might not need the same degree of security.
Next, look at the threats that face your organization and the vulnerabilities inherent in your systems. Depending on your industry, these threats could include nation-state grade attacks, corporate espionage, general cyber threats, or even natural disasters. Vulnerabilities are often identified by cybersecurity tools, but they can also include employees handing over credentials in a phishing attack or someone getting hold of a key and walking in the front door.
Once you’ve identified your assets, threats, and vulnerabilities, it’s time to assess the likelihood of different attack scenarios and the impact if they happened. Based on likelihood, you’re now able to prioritize the risks you need to mitigate, factoring in the cost of prevention against the cost of the information being stolen, deleted, or exposed on the Internet for the world to read.
After completing the assessment, document your findings and start with the action items relating to the top security and business priorities. Obviously, when immediate steps are required for cyber defense, take the necessary steps to protect your data or hire security experts to handle it for you.
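The prioritization steps above (assets, threat scenarios, likelihood, impact, and the cost of prevention weighed against the cost of loss) can be made concrete in a small risk register. This is an added illustration, not from the article or HolistiCyber; the asset names, probabilities, dollar figures and control names are constructed, and the simple likelihood × impact scoring is an assumption, not a method the article prescribes.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Scenario:
    asset: str
    threat: str
    likelihood: float        # estimated probability of occurring in one year (0..1)
    impact_usd: float        # estimated loss if it does occur
    control: str             # candidate mitigation
    control_cost_usd: float  # annual cost of that mitigation
    reduction: float         # fraction of the likelihood the control removes (0..1)

    def expected_loss(self) -> float:
        """Likelihood x impact: the annual loss to expect without the control."""
        return self.likelihood * self.impact_usd

    def residual_loss(self) -> float:
        """Expected loss that remains once the control is in place."""
        return self.likelihood * (1.0 - self.reduction) * self.impact_usd

    def net_benefit(self) -> float:
        """Loss avoided by the control minus what the control costs."""
        return (self.expected_loss() - self.residual_loss()) - self.control_cost_usd


def prioritize(register: List[Scenario]) -> List[Dict]:
    """Rank scenarios by expected loss and decide per scenario whether the
    proposed control is worth funding: 'mitigate' when the avoided loss exceeds
    the control cost, otherwise 'accept' (document it and revisit next year)."""
    for s in register:
        if not (0.0 <= s.likelihood <= 1.0 and 0.0 <= s.reduction <= 1.0):
            raise ValueError(f"{s.asset}/{s.threat}: likelihood and reduction must be in 0..1")
    ranked = sorted(register, key=lambda s: s.expected_loss(), reverse=True)
    return [{"asset": s.asset, "threat": s.threat,
             "expected_loss": round(s.expected_loss(), 2), "control": s.control,
             "decision": "mitigate" if s.net_benefit() > 0 else "accept",
             "net_benefit": round(s.net_benefit(), 2)} for s in ranked]


# Constructed sample register; figures are illustrative only.
SAMPLE_REGISTER = [
    Scenario("customer database", "ransomware via phished VPN credential",
             0.30, 500_000, "phishing-resistant MFA on VPN", 40_000, 0.80),
    Scenario("customer database", "insider exfiltration",
             0.05, 500_000, "DLP and quarterly access review", 60_000, 0.50),
    Scenario("20-year-old sales archive", "accidental deletion",
             0.20, 5_000, "offline backup tier", 3_000, 0.90),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_REGISTER):
        print(item)
```

The output is the documented, prioritized action list the article asks for: the high-value database scenario lands on top and is funded, while low-value or over-priced mitigations are recorded as accepted risk rather than silently dropped.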
Third-Party Assessments
Supply chain attacks are difficult to protect against, as businesses today use hundreds of third-party programs for their daily operations. However, that doesn’t mean businesses can’t assess the risk they run when working with third parties.
Begin by crafting a cybersecurity third-party risk management policy. This document will function as your guide for managing all software vendors.
Next, identify all your vendors, making sure to include small vendors that could potentially go unnoticed. Perform tests to ensure that your vendors meet industry standards. Have all vendors fill out annual questionnaires to confirm that they are still meeting the standards defined by your organization and your industry.
It’s also advisable to look up your vendors’ security ratings. These ratings provide only some of the information you’ll need for a full assessment, but when combined with your security questionnaire, they give a fuller picture.
After completing the assessment, document all findings. Continue to update your assessments every year.
Compliance Assessments
Every year brings changes to regulations and requirements from your partners and suppliers. Performing an annual assessment helps you stay ahead of changes and ensure that you don’t run afoul of regulators.
There are several different types of compliance assessments to perform. In addition to the regulatory compliance assessments, you’ll want to run cloud compliance assessments and partner compliance assessments.
Cloud compliance covers two different areas. The first is aligned with regulatory compliance. You’re obligated to comply with any laws or regulations that apply to the cloud, including data localization laws, which might require personal data to be processed in a certain area, or data sovereignty laws, which could impact the way data is used within a country’s borders.
The second relates to organizational policies. Cloud applications generally have their own security tools in place, but you’ll want to ensure that the applications or servers that you use are aligned with your specific requirements. For example, your corporate policy might demand different levels of data access based on roles. You need to ensure that the settings are in place to enforce your company’s standards.
Partner compliance is another, similar issue. If you are connected to your partner’s network, they may require a specific security standard to be met. Failing to comply could impact the relationship or expose your company to legal proceedings in the event of a breach. Performing an annual compliance assessment ensures that your security measures comply with your partners’ requirements.
Begin by reviewing any changes or updates from your industry regulator. Compare those changes to your current security posture, identifying whether there are any gaps. If there are gaps, prioritize and eliminate them to improve your level of compliance. When finished, document those results so you have a record for any compliance officer.
Don’t Put Off Assessments
It’s tempting to push off assessments. They’re both time-consuming and difficult to do correctly. However, failure to perform these annual assessments could lead to serious cracks in your cyber defenses and expose you to severe attacks. Taking the time to perform your assessments leaves you with the assurance that you’ve taken the necessary steps to protect your business and avoid catastrophic consequences in the event of an attack.
Learn how HolistiCyber’s holistic cybersecurity risk assessment is used by organizations to bolster their cybersecurity state.