October is Cybersecurity Awareness Month. Now in its 18th year, it is a collaborative effort between government and industry to educate and encourage individuals and organizations on their role in protecting themselves against cyber threats. Reflecting the need for both knowledge and action, the theme is “Do your part. Be Cybersmart.”
Before you can do your part, you need to know what actions you can take to improve things, and that requires knowledge. The first step is to understand where you are right now. The second step is to determine where you want to be. Only then can you determine the actions that need to be taken to help you move towards your goal. This process can be summarized as:
1. Identification
2. Gap analysis and prioritization
3. Remediation
All your devices, technologies, and business processes have inherent security risks. It’s impossible to eliminate all security risks, but it’s imperative to understand what risks exist and put measures in place to mitigate those risks. In some cases, you may be legally required to formally evaluate these security risks and adhere to certain standards to minimize them. A Security Risk Assessment is a formalized process that begins with the Identification stage.
We’re familiar with security risk assessments when it comes to buildings. We put locks on doors and cameras at entrances. High-value inventory is stored in a secure room with additional security measures. HR files are stored in locked cabinets. There are alarm systems to notify us when there is a problem. We regularly review these security measures, update with new technology, and change processes to reflect the latest needs of the business. But when it comes to cybersecurity, our understanding of the overall process often isn’t as clear, and that’s where a proper security risk assessment can help.
With a security risk assessment, a team of experts will conduct a thorough review of your entire business infrastructure and processes. This covers everything from which systems have access to the internet to how you manage employee passwords, from electronic payment information to internal communication processes. These experts are familiar with the latest risks and threats and know the key weaknesses and misconfigurations to look for.
Once the review is complete, the potential security gaps and recommended changes are documented and discussed with the client. An important aspect of this assessment is prioritization. Few organizations have the resources to fix everything at once. With a prioritized list, however, organizations can put a plan in place to address the most critical vulnerabilities first, while also having a long-term plan to address less urgent but still significant threats.
The security risk assessment will focus on several aspects of your business:
Infrastructure analysis – examines your overall IT infrastructure. Are your servers physically secured? Do they have backup power supplies? Does your network have a backup internet connection in case the main connection fails?
Device analysis – examines your servers and PCs. Do they have adequate anti-malware protection? Are the authentication and login systems adequate? Is the data backed up regularly and easily restorable?
Network analysis – looks at the general connectivity issues. Does your firewall have any holes allowing external traffic in? Is your internal network segregated so that, for example, computers in the sales department do not have access to computers in the manufacturing department? Is your Wi-Fi network properly configured?
Application analysis – focuses on the applications your business uses. Do they have any security vulnerabilities of their own? What data do they collect and how do they protect it? Are they properly configured to enable all the security features they support?
Information security analysis – looks at the data you’re storing. How is it encrypted? How is it backed up? How do people get access to this data?
Business policy analysis – examines your IT policies, disaster recovery plans, business continuity plans, and ongoing risk management policies. Even something as mundane as allowing personal devices such as phones and smartwatches onto the Wi-Fi network is examined.
Once the team has reviewed these areas, phase two begins: gap analysis and prioritization. A misconfigured firewall that is exposing your internal servers to the internet is a high-priority gap. A password policy that allows employees to reuse passwords across multiple sites, while still an issue, isn’t as urgent to fix. Some high-priority issues may take a while to fix, whereas several low-priority issues can be fixed in one day. This is where expertise is critical: knowing what to focus on first for maximum effectiveness. Because the security risk assessment spans so many different areas of your business, each area will have its own prioritized list.
After you receive the prioritized risk assessment, the final step is remediation. Some of these steps could be as simple as changing a few settings, whereas others may require replacing vulnerable software with a more robust solution. This is an area where it’s critical to have people with experience working on the projects. If you install new software but don’t properly configure it, you may have gone through a lot of effort without effectively improving your security posture. To make sure your efforts aren’t in vain, involve the right experts in the remediation phase.
Because business needs and security threats are always changing, security risk assessments quickly become stale. Ideally, once a year you should perform an update to your previous security risk assessment, determining what threats have changed and whether the recommendations in the previous risk assessment are still the best practice today.
With October being Cybersecurity Awareness Month, there’s no better time to perform your risk assessment, and Clare Computer Solutions is ready to help you. If you’d like to perform a self-assessment, download our 15-step checklist here. If you’d like to learn more about having Clare Computer Solutions perform our formal Security Risk Assessment, click here.