Part 3: What to Expect in a Security Assessment
Hi again fellow cyber-security concerned business people!
In my last security post (Five Areas for Complete Coverage), I promised to begin our cyber security journey with a “security assessment”. First, make sure you go into that security assessment in the right frame of mind. Focus on “balance sheet” items such as protecting assets and mitigating or eliminating liabilities if and when something bad occurs. In keeping with this “income statement” approach, don’t go broke spending on security measures needlessly but, depending on your role, don’t completely ignore the expensive solutions. Some advice, if you are…
Mid-level security IT personnel and security IT consultants: Don’t be afraid to solicit “top-level” (and top dollar) security proposals from industry leading sources (vendors and consultants) and make sure the proposal gets to senior (C-suite, ownership) management. When a breach occurs this may well save your job. If senior management don’t sign off on the top dollar solution, you have an out, and if they do buy in and you still get breached, you’ve recommended a “best in class” solution using the best available tools at hand.
Ownership group and C-Suite: Providing your organization with “better than you think you need”, “leading best practices”, and “standards-based” security systems will protect your reputation with the public, with regulators (cyber-security is becoming politicized in a big way), and from lawyers (privacy is apparently a growth industry for litigators now that ICBC has capped auto settlement claims!), not to mention salving your own conscience. Already, privacy rules are in place (PIPEDA) in Canada that require ever increasing vigilance, and if you do business in the EU, the new General Data Protection Regulation (GDPR) will be implemented in late May, including non-compliance fines of up to 4% of revenues!
If you’re a medium-sized business, a “Goldilocks” effect seems to be relevant here. Large businesses have lots to protect and lots of security resources already. Very small businesses have nothing of major value typically so aren’t an attractive target. That leaves medium-sized enterprises as “just right” — just enough juicy digital assets but easy prey because most haven’t made major security investments.
Back then to starting your security journey with the security assessment. Even if you don’t have a compliance requirement (other than what we’ve touched on already) you can benefit from something like a NIST-based standards review. What can you expect?
The first undertaking is a review of your existing security stance. Within this framework, the assessment will review your security readiness using 20 security controls which have been developed, refined and validated by security experts from around the world. Download this poster for a graphic representation of these 20 controls, as well as a heat map of the effectiveness of various solutions. We won’t go through all 20 of these here, but here are the first five:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
I can’t stress enough the importance of assessing and dealing with these first five controls. A classic 80/20 reward-to-effort ratio applies here: implementing effective security measures for these 5 controls will reduce your risk by 85%, while implementing measures for the remaining 15 reduces your risk by 94%. After the first five, it’s a lot more effort for not a lot more results.
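As an added illustration (not part of the original post and not any vendor's tool), the first, second and fifth controls above all come down to the same exercise: reconcile what is actually present against what has been authorized, and act on the gaps. The Python script below does that reconciliation over constructed sample data: a network discovery listing compared with an authorized device list, per-host installed software compared with an approved software list, and local Administrators group membership compared with approved admin accounts. All hostnames, MAC addresses, IP addresses and account names are made up for the example, and the input formats are assumptions standing in for whatever your discovery tool and endpoint agent actually export.

```python
"""Reconcile observed devices, software and admin accounts against what was authorized.

Added example for CIS controls 1, 2 and 5; all data below is constructed.
"""

# Authorized device inventory (constructed): MAC address -> hostname.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": "fileserver01",
    "aa:bb:cc:00:00:02": "ws-finance-03",
    "aa:bb:cc:00:00:03": "printer-lobby",
    "aa:bb:cc:00:00:04": "ws-hr-01",
}

# Approved software titles (constructed allowlist).
APPROVED_SOFTWARE = {"Microsoft Office", "Google Chrome", "7-Zip", "Adobe Reader"}

# Accounts permitted to hold local administrator rights (constructed).
APPROVED_ADMINS = {"itadmin", "backupsvc"}

# Output of a hypothetical discovery scan: "MAC IP hostname" per line (constructed).
SCAN_LINES = """\
aa:bb:cc:00:00:01 10.0.1.10 fileserver01
aa:bb:cc:00:00:02 10.0.1.51 ws-finance-03
aa:bb:cc:00:00:09 10.0.1.77 android-3f2a
aa:bb:cc:00:00:03 10.0.1.20 printer-lobby
"""

# Hypothetical endpoint-agent export: hostname -> installed software titles (constructed).
SOFTWARE_INVENTORY = {
    "ws-finance-03": ["Microsoft Office", "Google Chrome", "uTorrent", "Java 8 Update 131"],
    "fileserver01": ["7-Zip"],
}

# Hypothetical export of local Administrators group members per host (constructed).
LOCAL_ADMINS = {
    "ws-finance-03": ["itadmin", "jsmith"],
    "fileserver01": ["itadmin", "backupsvc"],
}


def parse_scan(text):
    """Parse 'MAC IP hostname' lines into {mac: (ip, hostname)}, skipping blanks."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, ip, host = line.split()
        devices[mac.lower()] = (ip, host)
    return devices


def check_devices(seen, authorized):
    """Control 1: devices on the wire but not authorized, and authorized devices not seen."""
    unknown = [(mac, ip, host) for mac, (ip, host) in seen.items() if mac not in authorized]
    missing = [host for mac, host in authorized.items() if mac not in seen]
    return unknown, missing


def check_software(inventory, approved):
    """Control 2: per host, installed titles that are not on the approved list."""
    return {
        host: sorted(set(apps) - approved)
        for host, apps in inventory.items()
        if set(apps) - approved
    }


def check_admins(local_admins, approved):
    """Control 5: per host, local administrator accounts that are not approved."""
    return {
        host: sorted(set(users) - approved)
        for host, users in local_admins.items()
        if set(users) - approved
    }


def run_checks():
    """Run all three reconciliations and return the findings as one dict."""
    seen = parse_scan(SCAN_LINES)
    unknown, missing = check_devices(seen, AUTHORIZED_DEVICES)
    return {
        "unknown_devices": unknown,
        "missing_devices": missing,
        "unapproved_software": check_software(SOFTWARE_INVENTORY, APPROVED_SOFTWARE),
        "unapproved_admins": check_admins(LOCAL_ADMINS, APPROVED_ADMINS),
    }


if __name__ == "__main__":
    for category, items in run_checks().items():
        print(f"{category}: {items}")
```

Each finding maps back to a control: an unknown MAC on the network is a device to identify or quarantine, an authorized host that never answers the scan is an asset record to verify, an unapproved title is a removal or exception decision, and an unexpected administrator account is a privilege to revoke. In a real assessment the same comparison is run on whatever your discovery scanner and endpoint agent actually produce; the value is in maintaining the authorized lists and repeating the comparison on a schedule, not in the script itself.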
At this point you will learn how to apply security principles and best practices. You will assemble standards, guidelines and procedures. You will develop policies, and test your security incident response. Everything will be documented. You will review patch frequency, priority and testing. You will train, train, train, knowing that 91% of security issues come from users’ ignorance of threat tactics (for example, Java and Adobe products are targeted far more often than those of Microsoft as they get updated less frequently). You will put in place an AUP (acceptable use policy) for all users. And, as a result of this diagnostic and educational process, you will purchase some products and services!
The first question I’m asked: how much is this assessment going to cost? Budget $10-$20K, depending upon the size and complexity of your business. Can it be done cheaper? Of course, but the metaphor I like to use is this: If you have a life-threatening health issue (let’s not beat around the bush here — according to recent studies, 60% of enterprises go broke within a year of a serious breach; the average cost of a serious breach is $7.3 million, with reputational costs even higher), would you not like to visit the most qualified doctor, with the best reputation? My peers are some of the best cyber-security personnel in the business and we can stand up to any industry scrutiny. It helps me sleep at night.
Next Post: Reviewing your security assessment and security architecture. And don’t forget to check out the earlier posts in this series (Part 1: The Landscape of Security in 2018, and Part 2: Five Areas for Complete Coverage).
This is the third in a series of internet security posts which are intended to assist security aware business people. My name is Bruce Thompson and I have been in the telecom and IT industry for over 30 years and have numerous security certifications from industry leading vendors and associations. This third entry gives you an idea of what to expect when you undertake a security assessment.