People always say it's important to assess your organization's cyber risks, but like most business leaders, you may not know where to begin.
This article is for you!
At Kelser, we are committed to writing about important technical topics in easy-to-understand language, so that business leaders like you have the information needed to keep your organization's data and networks safe, available, and efficient. (And, don't worry, this isn't a veiled attempt to get you to work with us.)
Here's the thing: you aren't an IT expert and you don't need to be. What you do need is honest, clear information you can use to make the best IT decisions for your business.
In this article, we'll explain how to assess your cyber risk and why it is an important exercise.
After reading this article, you'll know 6 important questions that will help you assess your risk, so you can keep your business network and infrastructure safe from cyber threats.
What Is A Cyber Risk Assessment?
Just in case you aren't familiar with the term, a cyber risk assessment is a comprehensive evaluation of the security risks associated with your infrastructure and devices.
The goal of a cyber risk assessment is to identify gaps that could be exploited by people looking to do harm in the form of accessing sensitive data or damaging your infrastructure.
A cyber risk assessment provides an overview of risks as well as the potential harm that could be caused if someone from inside or outside your organization were to gain access.
Why Is It Important To Understand Your Cyber Risk?
I think of it this way: before you bungee jump or cross country ski, you are required to sign a liability waiver that indicates you understand the risks associated with the activity. You can choose to go ahead or to back out after evaluating the potential risks and rewards.
In a similar (yet completely different) way, it's important to understand your cyber risk. If you don't know what the risks are and the potential damage that can be caused, how can you begin to protect against them?
Assess Your Cyber Risk
The following six questions will get you started on a comprehensive assessment of your organization's cyber risk:
1. Are There Risks Inherent To Your Industry?
The information your organization possesses and stores can increase cyber risk. If your data could yield useful information (about your company or customers) or financial gain for an unscrupulous actor (either inside or outside your organization), you are at risk.
One way to calculate your ability to withstand industry-specific risks is to compare your current infrastructure to an industry-specific framework. For example, government contractors are required to comply with the NIST 800-171 framework.
Whether or not your business has specific contractual or regulatory requirements, it is a good idea to use an existing cyber risk framework to see how your infrastructure measures up.
The Center For Internet Security (CIS) framework is one to consider for general use.
Existing frameworks are an effective way to align your business with best-practice IT tools and will help you identify specific things that are expected of organizations operating in your space.
2. What Types Of Information Does Your Business Possess And Store?
As we mentioned, the type of information your organization possesses and stores can increase your cyber risk.
Understanding the value of the information you have on-hand is the first step toward protecting it.
Here are some examples of sensitive information:
-
- financial information (taxes, credit card ad bank account numbers, credit ratings, or payment histories)
- personal information (names, birth dates, addresses, social security numbers, medical records, email address, phone number)
- intellectual property (designs, secret recipes, etc.)
If you possess or store these types of information, your risk is higher than organizations that do not.
Information like this requires an enhanced level of protection.
3. What Security Tools & Technology Infrastructure Are In-Place?
Knowing the specifics about the tools and infrastructure you already have in place is a great place to start.
How old are your servers and devices? Have they been updated and patched?How are they protected?
Do you have modern firewalls in place?
Is your software up-to-date and still under warranty? Who manages your software licenses and installs updates?
Do you back up your data? Could you access the backups in an emergency?
Do you have policies and procedures in place? How are they enforced? Who manages and audits them and how often does that happen?
Related article: 7 Characteristics Of Successful Cybersecurity Policies
4. When Was The Last Time You Did A Vulnerability Scan & Penetration Test?
Vulnerability scans (or “vul scans”) and penetration tests (also known as “pen tests”) are two very different IT network evaluations that yield related, but vastly distinct information. And, the information they provide is a snapshot in time, so repeating them periodically is critical.
Vulnerability Scan
An IT vulnerability scan is an automated tool that identifies possible gaps in security that could expose your network and devices to hacks.
Every device on your network is identified and scanned to see what ports are open and what communication protocols are in use that could expose you to an attack.
For example, maybe your software hasn’t had all the security patches installed, leaving doors open for unauthorized people to gain access.
Penetration Test
A penetration test is a hands-on, manual investigation that is typically conducted by an authorized IT expert you pay to poke around your network looking for vulnerabilities. It’s basically an authorized, ethical cyberattack.
This test not only identifies potential vulnerabilities, but also explores the consequences of the vulnerabilities being exploited by a person with malicious intent from inside or outside your organization.
These tests combined will give you a good idea of all of your vulnerabilities and weaknesses, so you can develop plans to address them.
We recommend a vulnerability scan and penetration test be conducted at least annually, with vulnerability scans performed more frequently depending on the nature of your business.
The reasoning behind this recommendation is that threats change and networks are fluid. You may never know that someone connected an unauthorized and unmaintained printer to your network without a vulnerability scan. That one printer could be the hole that exposes your entire network.
Related article: The Differences Between Vulnerability Scans & Penetration Tests
5. What Are Your Contractual And Regulatory Requirements?
Your business may be obligated to adhere to industry or contractual requirements for cyber risk mitigation.
For example, manufacturing companies that work with the government typically need to be compliant with NIST 800-171/CMMC 2.0.
Health care providers must comply with HIPAA requirements. ITAR requires specific data protection measures including verification that permissions for restricting access to U.S. citizens are set up correctly.
Related article: Does NIST 800-171 Apply To My Business?
Payment Card Industry Data Security Standard (PCI DSS) has certain requirements for organizations that use and store credit card information.
This list is not comprehensive. Understand your regulatory and contractual requirements.
Best practice is to have one person in the organization responsible for understanding the regulatory requirements of all of your contracts.
And, remember, whether your contracts specify security requirements or not, it's best practice to ensure that your cybersecurity tools are up to the job and comply with the requirements outlined in an industry-specific or general framework.
6. Do Employees Understand Their Role In Keeping Your Data & Infrastructure Safe?
You wouldn't dream of asking a member of your team to operate a complicated piece of machinery without training. Yet, so many organizations overlook the opportunity and responsibility of educating staff members to identify and report cyber threats.
When you stop to think that reports estimate human error accounts for 80-95 percent of cyber attacks, it makes sense to implement cybersecurity awareness training for all employees.
Frequent and comprehensive security awareness training keeps your employees one step ahead of the ever-evolving threat landscape and is a cost-effective way to mitigate cyber risk.
Related article: Why Is It Important To Provide Security Awareness Training For Employees?
Why Is Assessing Organizational Cyber Risk Important?
Cyber threats change every day, and we all know that awareness and response are key elements to keeping the data of your organization and customers safe. In addition, contractual requirements may demand a specific level of compliance with best IT practices.
What’s The Bottom Line?
After reading this article, you know the right questions to ask to determine your organization's cybersecurity risk. You also know why conducing this exercise is important for your business.
But. the assessment is just the beginning. The next step is to prioritize and develop plans to quickly plug your security gaps and shore up your defenses.
Whether you have the internal IT resources you need to carry out this risk assessment or must rely on an external provider, we encourage you to take action.
You can't protect against threats you don't understand and those you don't know about. And, since the threats are ever-changing, it's important to remember that cybersecurity is not a "set it and forget it" exercise. Ongoing assessment is critical to keeping your information and network secure.
You may have a full complement of internal IT experts that can carry out some or all of these actions. But, most small and medium-sized businesses will need extra support to conduct a comprehensive cybersecurity risk assessment.
If you are considering hiring an external IT support provider, I encourage you to consider several providers.
It may seem funny that I’m suggesting that you to shop around.
Kelser has been in business for more than 40 years and we've learned along the way that it doesn’t make sense to work with an IT provider isn't the right fit for your organization.
While we offer a full complement of managed IT support services, we know that isn’t the best solution for everyone. The most important thing to us is that you get the IT solution you need.
And, the truth is, you have options. Read this article to learn your options for IT support.
Wondering what managed IT is all about? Learn what managed IT includes and how much it costs.
Work at a small or medium-sized business and curious what size organizations are a good fit for managed IT? We know that's an important question, so we've already answered it!
If you have questions we haven't answered and prefer to talk to an actual human (our preferred method of communication), click the button below and one of our IT solutions experts will reach out to learn more about your business, your strategic goals, and your technology pain points. Let's see if we are a good fit to work together.
