The Cyber Risk Assessment

Cyber SC
Aug 8, 2017 · 4 min read

No organization is immune to cyber attacks. Companies are often in reactive mode, lacking cyber literacy among their leaders and security awareness among their staff. It is very common for IT to have too much on its plate, without enough time, people or resources to be effective in cyber security. We find that many companies either have no in-house security expertise, or have technical expertise but struggle to develop a cyber security strategy. They may have been doing some cyber risk management, but they lack the rigor to push security forward.

Other significant gaps we come across are the lack of an endpoint security strategy and of an incident response capability. When an organization realizes it needs outside help, it finds itself trying to acquire ten different experts performing ten different functions, desperately trying to fit the pieces of cyber security together on its own. Then, when these organizations do undertake a cyber risk assessment, they are given no help with the ongoing implementation of the action items in the assessment report they have been presented with.

HYGIENE

Good cyber security hygiene resembles good human hygiene (showering, brushing your teeth, grooming etc.). It means doing the basics well so that you are not low-hanging fruit for cyber attacks. Organizations with good cyber hygiene take care to follow good security practices when:

- Using their email (not clicking on random links)

- Surfing the web

- Using social media

- Using their smartphones

A complete cyber risk assessment involves an in-depth review of your organization’s risk management controls in three critical areas: Technology, Processes and People. In cyber security, it is usually the pressure to accomplish more with less that drives the need for a pragmatic approach. This more cost-effective approach to cyber security embraces the Pareto Principle (the 80/20 rule): investing in and focusing on the 20% of maturity opportunities that can deliver 80% of the underlying gains and risk reduction.

TECHNOLOGY

The technology component refers to things like your intrusion detection and prevention system, your firewall, your underlying anti-virus system, and your anti-malware system. Many security vendors today push their technology products without properly determining whether their solution is even appropriate for the organization. Before any technology solutions are considered, the assessment must be done to determine what your organization actually needs. The assessment will determine what is used to protect the endpoints, what is used for encryption, and what is used for intrusion detection. All of these technology layers are important and are part of a cohesive ecosystem that must work together to be effective. Assessing the technical aspects of cyber security will help you ensure that the right technical controls are in place. Your technical controls are then married to the right cyber security processes, and the processes are, in turn, married to the right people using those underlying processes and technology.

PROCESSES

The process component involves assessing things like your disaster recovery plan, business continuity plan, and acceptable use policy. Technology is only as good as the security processes you have defined and built around it; your technology is not going to make your company secure by itself. The cyber security processes you build around your critical intangible assets and business processes ensure that your business can continue in the event of a major cyber attack. There are many core processes that need to be evaluated as part of a complete cyber risk assessment:

- How are your firewalls checked and updated?

- Is your incident response process well defined?

- Is your organization able to respond to a security incident?

- When security alerts pop up, who is responsible for those?

- Does that dovetail into an incident response process?

PEOPLE

People underpin your whole cyber security operation. Here we assess how well the employees, the contractors, and the leadership know what their cyber security responsibilities are. The people component is assessed to make sure your overall cyber risks are being addressed effectively in two categories:

1. Cyber security program oversight and execution: Do you have the right people in place to leverage the security technologies and processes you’ve developed?

2. General staff: Do your people know what their cyber security responsibilities are? Do they have cyber awareness training? Do your staff know how to react (or not react) to phishing emails? Are there active phishing simulations?

At Cyber SC, we work to make your data security as close to impenetrable as possible. Your employees, suppliers and clients rely on your organization to keep your networks secure and their private information safe — this is a non-transferable liability for you. We make it our business to help you build protection around all the critical points in your organization so that your operations can continue to run smoothly and securely. In comparison to other cyber security vendors, including the larger accounting firms, Cyber SC doesn’t just hand you a static assessment report and end the transaction. We interpret the results of the assessment for you and work with you to implement the necessary changes. Ours is a dynamic approach built on an established relationship with you.