How secure is your network? Probably not as secure as you think.
Although network attacks and data breaches are on the rise, U.S. businesses tend to dramatically miscalculate their risk. New research from MIT’s Sloan School of Management finds that most organizations either underestimate or ignore potential threats and believe generic, off-the-shelf cybersecurity solutions deliver sufficient protection.
As we noted in our last post, a comprehensive security assessment is essential for creating a clearer picture of your risk. An assessment will help you evaluate your current security posture, identify potential risks and vulnerabilities, and provide the basis for an organization-wide incident-response plan.
The risk assessment process can follow many different methodologies. Most industry experts agree that the guidelines outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-30 provide a good framework for effective assessments. The nine steps below come from the original (2002) edition of SP 800-30; the 2012 revision (Rev. 1) regroups the same activities into four phases (prepare, conduct, communicate, maintain), so the work is the same even if the headings differ. The nine steps are:
System Characterization. The first step is to identify and inventory key technology components, including applications, hardware, operating systems and endpoint devices. This ensures your assessment will address every place where data is created, received, maintained, processed or transmitted.
Threat Identification. This process is meant to document all sources of potential threats, whether intentional or unintentional. Threat sources are commonly categorized in three classes: human threats such as external attackers, malicious insiders and careless employees (whose actions produce outcomes such as malware infections and data breaches), environmental threats such as power failures and HVAC failures, and natural threats such as storms, fires and floods. For each source, note its motivation and capability, since both feed the likelihood step later.
Vulnerability Identification. This step is meant to identify flaws or weaknesses that could be exploited. These could include outdated or unpatched systems, insufficient safeguards, incomplete or conflicting security policies, and poor password practices.
Control Analysis. This is the process of identifying what controls are in place, or planned, to prevent, detect or mitigate the exploitation of each vulnerability, and how effective they actually are. This would include firewalls, access controls, authentication and antivirus tools, as well as physical security controls such as alarms, locks and fire suppression systems. A control that exists on paper but is misconfigured or unmonitored should not be credited as effective.
Likelihood Determination. This step is designed to assess the probability that a given threat source will successfully exploit a given vulnerability, based on your previous evaluation of the threat source's motivation and capability, the nature of the vulnerability, and the existence and effectiveness of current controls. NIST SP 800-30 rates likelihood in three tiers: high (the threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective), medium (the threat source is motivated and capable, but controls are in place that may impede successful exploitation) or low (the threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, exploitation).
Impact Analysis. The goal here is to estimate the potential damage that would result from a successful exploit, rated high, medium or low. Factors to consider would include the value and mission criticality of the affected systems or data, remediation costs, reputation damage, and the loss of confidentiality, integrity or availability of systems and data.
Risk Determination. Risk is a function of the likelihood that a threat source exploits a vulnerability and the magnitude of the resulting impact; NIST SP 800-30 combines the two ratings in a simple matrix to produce a high, medium or low risk level for each threat/vulnerability pair. Creating a risk rating for all your network assets in this way makes it easier to prioritize remediation efforts, because the highest-rated pairs are addressed first.
Control Recommendations. This is a plan for implementing security improvements based on the risk determination. It will include a cost-benefit analysis to demonstrate that the cost of new security controls can be justified by the reduction in risk.
Results Documentation. Results of the assessment are documented in a report that helps senior management make decisions on policy, procedural, budget, operational and management changes. The report should clearly describe threats, vulnerabilities and risks, with specific recommendations for control implementation.
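As a worked illustration of the Likelihood Determination, Impact Analysis and Risk Determination steps, the following added example (not part of the original post or of NIST's own materials) applies the numeric likelihood/impact weights and risk scale that the 2002 edition of NIST SP 800-30 uses in its risk-level matrix to a handful of constructed findings and sorts them for prioritization. The assets, threats and ratings are invented sample input, and the `Finding` class and function names are the example's own.

```python
"""Added example: NIST SP 800-30 (2002) risk-level matrix applied to sample findings.
The weights and scale below are NIST's; the findings are constructed sample data."""
from dataclasses import dataclass

# NIST SP 800-30 assigns these weights to the qualitative ratings:
# likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50, Low = 10.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk score = likelihood weight x impact weight (SP 800-30 Table 3-6)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score: float) -> str:
    """NIST risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10).
    Note the boundaries: a medium-likelihood/high-impact pair scores exactly 50
    and is Medium, not High."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    """One threat/vulnerability pair, with the ratings produced by the earlier steps."""
    asset: str          # from System Characterization
    threat: str         # from Threat Identification
    vulnerability: str  # from Vulnerability Identification
    likelihood: str     # from Likelihood Determination (after Control Analysis)
    impact: str         # from Impact Analysis


def rate_findings(findings):
    """Return (finding, score, level) tuples ordered highest risk first,
    which is the remediation priority order for Control Recommendations."""
    rated = [(f, risk_score(f.likelihood, f.impact)) for f in findings]
    rated.sort(key=lambda r: r[1], reverse=True)
    return [(f, score, risk_level(score)) for f, score in rated]


# Constructed sample findings for a small office network (not real data).
SAMPLE_FINDINGS = [
    Finding("Internet-facing web server", "External attacker",
            "Outdated, unpatched operating system", "high", "high"),
    Finding("File server holding customer records", "Malicious insider",
            "Shared administrator password, no access logging", "medium", "high"),
    Finding("Server room", "Power failure",
            "Core switch not on a UPS", "medium", "medium"),
    Finding("Guest Wi-Fi", "Opportunistic attacker",
            "Default SSID, but isolated on its own VLAN", "high", "low"),
    Finding("Office workstations", "Flood",
            "Ground-floor location, no offsite backup", "low", "medium"),
]

if __name__ == "__main__":
    for finding, score, level in rate_findings(SAMPLE_FINDINGS):
        print(f"{level:6} {score:5.1f}  {finding.asset}: "
              f"{finding.threat} / {finding.vulnerability}")
```

Running the script lists the web server first (High, 100), then the file server and server room (both Medium, 50 and 25), then the guest Wi-Fi and workstations (Low, 10 and 5). The file server case is the one to watch: high impact alone does not make a finding High; the controls that drive likelihood down to medium keep it at Medium on NIST's scale, which is exactly why Control Analysis has to be honest about whether those controls work.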
Ideally, a security assessment should be performed by an independent team in cooperation with internal IT staff. The external viewpoint is essential to gaining an objective assessment of the organization’s security posture.
RMM Solutions can work with you to develop a detailed security profile assessment. To demonstrate the value we provide, we’re offering a basic security posture assessment at no cost or obligation to you. This complimentary service only takes about an hour and will give you a good overview of your current security environment. Give us a call to learn more.