How to approach your company’s cybersecurity posture more holistically
Cybersecurity will be top of mind for many executives in 2019, and most will want a clear understanding of their organization's cybersecurity posture. A common first step is a conversation with an outside vendor offering an engagement to measure the organization, with the intention of finding weaknesses before an outside (or inside) actor uses them to launch an attack.
Usually, this conversation involves a discussion of the fantastic tools and team the third party has on hand, complemented by a "show and tell" presentation of scanning tools, reporting processes and deliverables, the dire threats the company faces, and, for good measure, an update on the "must know" buzzwords needed to make a sound purchase decision. Often, the reputation, name, or existing relationship with the third party weighs in as well.
If all of this leaves you confused and numb, we suggest stepping back and approaching your organization's cybersecurity posture more holistically.
A Cybersecurity Risk Assessment is More Than Scanning and Making Fixes
Cybersecurity involves much more than conducting scans and fixing some configurations on a network and servers. It is the intersection of People, Processes and Technology that enables an organization to design, deploy, monitor and maintain a sound cybersecurity program.
We believe that the interaction between People, Processes and Technology within your company’s IT environment is key to the development and overall success of a mature cybersecurity program.
Cybersecurity Assessment: People
People represent one of the most vulnerable areas of your cybersecurity program, and any complete Cybersecurity Assessment should examine an organization's people and culture. A well-balanced assessment should cover areas such as organizational structure, policy, procedures, security training and awareness, communication, tone at the top and culture.
Cybersecurity Assessment: Process
The processes your organization relies on to operate daily should include basic security measures and practices such as: asset management, access management, third-party IT management, patching and system maintenance, backup and restore processes, physical protection of infrastructure, "acceptable use" practices, incident response, and business continuity and disaster recovery plans. All of these play significant roles in a strong cybersecurity program. During the cybersecurity assessment, specific measurements should be obtained regarding the maturity of each of these processes, along with recommendations for process improvement.
Cybersecurity Assessment: Technology
For most cybersecurity practitioners, technology generates the most excitement. It is what most third-party firms offer as the mainstay of their Cybersecurity Assessment, and it usually amounts to only a vulnerability assessment scan with a report listing the findings. To a seasoned cybersecurity team, this is a necessary but small part of an overall assessment; a comprehensive analysis should also include access and network controls, wireless network controls, endpoint management, penetration testing, web application assessments and other technical areas.
Connect with Cybersecurity Risk Assessment Experts
Too often, organizations seek out third parties to assess cybersecurity and receive a scan and a report that showcases the vendor's lack of understanding of the organization and its business. Most approaches do not include information gathering, interviews, analysis, or specific, prioritized recommendations that are actionable given your organization's resources.
Be wary of cybersecurity firms that lack the ability to assess your complete cybersecurity posture.
At Freed Maxick, our cybersecurity team works closely with your team to learn what you do and how you do it, so that we understand the entire picture rather than one area. This is the experience that comes with 60 years of working with organizations.
For more information about our cybersecurity assessments and other related programs and services, please contact Sam DeLucia at 585.360.1405.
Make sure you are using the right cybersecurity test for the right purpose.
Many companies (and sometimes their cybersecurity consultants) refer to a vulnerability assessment and a penetration test as if they were the same thing. Both serve to protect a networked environment, but they are not the same. Using the two terms interchangeably blurs the line between two very distinct activities and can result in missed opportunities to find, repair and defend against the weaknesses an attacker would use.
A simple way to understand the difference: a vulnerability scan, which can be automated, searches for known issues such as missing patches, outdated protocols, expired or weak certificates, and unsupported services, and reports them. A penetration test picks up where the scan stops and actively attempts to exploit the weaknesses it finds, showing what an attacker could actually reach with them.
Though both a vulnerability assessment and a penetration test are individually important elements of a well-rounded cybersecurity program, they are designed with different goals.
What is a Vulnerability Assessment?
A vulnerability assessment is a scan designed to identify missing patches and configurations on your systems that an attacker could exploit. A good vulnerability assessment scan identifies the known vulnerabilities on every system it can reach, assigns a risk level or score to each, and prescribes a fix. It does not find everything: a scanner only reports issues it has signatures or checks for, and it does not confirm that an issue is actually exploitable in your environment.
Many companies look to third parties to perform this assessment, and the report of findings should give a clear understanding of which vulnerabilities exist and which need to be fixed first. This type of assessment needs to be executed regularly to maintain network security, and again whenever the network changes, for example when new equipment is installed or new network functionality or services are added.
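To make the distinction concrete, the script below is an added example (not code from the article or from Freed Maxick) of the triage step a vulnerability assessment performs: it takes scan output, applies the checks the article lists (outdated versions, deprecated protocols, certificate expiry), scores each finding on a simple severity scale, and produces a prioritized fix list. Every host name, version number, date, the "minimum patched version" baseline and the severity weights are constructed for illustration. Note that the script ends exactly where a penetration test would begin: it reports what could be exploited and makes no attempt to exploit it.

```python
"""
Toy vulnerability-assessment triage. Added example; not code from the
article or from Freed Maxick. Hosts, versions, dates, the baseline and the
severity scale are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed scan output, one tuple per reachable service:
# (host, port, service, version, TLS protocols offered, certificate notAfter or None)
SCAN_RESULTS = [
    ("web01.example.internal", 443, "nginx", "1.18.0", ["TLSv1.0", "TLSv1.2"], date(2019, 3, 1)),
    ("mail01.example.internal", 25, "postfix", "3.4.0", ["TLSv1.2"], date(2020, 6, 30)),
    ("app02.example.internal", 8443, "tomcat", "8.5.30", ["TLSv1.1", "TLSv1.2"], date(2019, 1, 15)),
    ("db01.example.internal", 3306, "mysql", "5.7.25", [], None),
]

# Constructed baseline standing in for a vendor vulnerability feed: the oldest
# version of each service that the scanner treats as acceptably patched.
MINIMUM_VERSIONS = {"nginx": "1.18.0", "postfix": "3.4.0", "tomcat": "8.5.40", "mysql": "5.7.25"}

# Protocols flagged as deprecated (constructed policy for this example).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Warn when a certificate expires within this window.
CERT_WARNING_WINDOW = timedelta(days=30)

# Fixed "today" so the example is reproducible offline (constructed).
REFERENCE_DATE = date(2019, 2, 1)


@dataclass
class Finding:
    host: str
    port: int
    issue: str
    severity: int  # constructed scale: 1 (low) .. 10 (critical)
    fix: str


def parse_version(text):
    """'8.5.30' -> (8, 5, 30) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess(results, today):
    """Turn raw scan results into findings, highest severity first.

    This is where a vulnerability assessment stops: it reports what could be
    exploited. A penetration test would start here and try to exploit it.
    """
    findings = []
    for host, port, service, version, protocols, not_after in results:
        minimum = MINIMUM_VERSIONS.get(service)
        if minimum and parse_version(version) < parse_version(minimum):
            findings.append(Finding(host, port, f"{service} {version} is below patched baseline",
                                    7, f"upgrade {service} to {minimum} or later"))

        offered = sorted(DEPRECATED_PROTOCOLS.intersection(protocols))
        if offered:
            findings.append(Finding(host, port, f"deprecated protocol(s) offered: {', '.join(offered)}",
                                    5, "disable the listed protocols; allow TLSv1.2 or newer only"))

        if not_after is not None:
            if not_after < today:
                findings.append(Finding(host, port, f"certificate expired on {not_after}",
                                        8, "replace the certificate immediately"))
            elif not_after - today <= CERT_WARNING_WINDOW:
                findings.append(Finding(host, port, f"certificate expires on {not_after}",
                                        4, "renew the certificate before it expires"))

    # Most severe first; ties broken by host and port so the order is stable.
    return sorted(findings, key=lambda f: (-f.severity, f.host, f.port))


def report(findings):
    """Render the prioritized fix list a scan report should hand the client."""
    return [f"[{f.severity:2d}] {f.host}:{f.port} {f.issue} -> {f.fix}" for f in findings]


if __name__ == "__main__":
    for line in report(assess(SCAN_RESULTS, REFERENCE_DATE)):
        print(line)
```

Run as written, the script lists five findings, led by the expired certificate and outdated Tomcat on app02, with the mail and database hosts producing none. Swapping the constructed baseline for a real vulnerability feed and the constructed tuples for real scanner output is the difference between this toy and a commercial scanner; the reporting logic (score, sort, prescribe a fix) is the same shape.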
What is a Penetration Test?
Penetration testing is a fundamental requirement of many regulatory and compliance programs, such as PCI DSS.
A penetration test is more complex than a vulnerability assessment and involves multiple steps. It identifies system or network vulnerabilities that an attacker could exploit, then attempts to exploit them, illustrating the real level of risk by simulating an attacker's attempts to gain unauthorized access to critical systems or networks.
Penetration testing is a form of ethical hacking: qualified and trusted cybersecurity consultants are given a green light to break into their client's systems or devices to test the network's defenses. If the testers succeed, the client gets the opportunity to shore up those defenses before a real attacker finds the same path. An unsuccessful attempt is also a positive outcome, but it should be read carefully: it shows only that this team, within the agreed scope and time, did not get in. It is an indication, not a certainty, that the organization's defenses are secure.
Freed Maxick Cybersecurity Services
Today, companies need both vulnerability assessments and penetration testing to protect their assets (and reputation), their employees, and the data they hold about their clients. Knowing which of the two your organization truly needs now and in the future, and, most importantly, which one you are actually receiving from a vendor, is vital information for you and your company.
We can help.
Freed Maxick's dedicated team of cybersecurity risk experts performs vulnerability assessments and penetration tests and designs comprehensive cybersecurity risk management programs. We work closely with your team through each step of our proven process to minimize disruption to your operations and provide our industry-recognized consultation.