While it’s certainly important to have tools and systems in place to detect and mitigate cyber attacks, the best approach to protecting your business against digital threats will always be proactive. By assessing weaknesses in your physical and digital infrastructure, you can determine how your business is likely to be targeted. And armed with that knowledge, you can close those gaps before an attacker finds them.
Mind you, simply performing a cyber risk assessment isn’t enough to guarantee you’re safe from a cyber attack. The biggest error any business can make is assuming they’re entirely impenetrable. There are always blind spots, and there will always be vulnerabilities.
That said, some blind spots are more common than others. In my experience, here are a few of the most common ways a risk assessment might fall short. Ensure you aren’t falling prey to any of these, and your business will be all the more secure for it.
Assuming Security Is Only The Purview of IT
The days when your IT department was the only arm of your business responsible for cybersecurity are far behind us. We’re living in the age of mobile technology and the Internet of Things. Corporate data appears on innumerable endpoints, and end users are now more empowered than ever to work wherever and however they choose.
The problem with that, of course, is that they’re also more empowered to do harm to your organization if they’ve no idea what they’re doing.
Shadow IT is a perfect example of that. By isolating conversations on cybersecurity to your IT department, you create blind spots elsewhere in your organization. Your security professionals are no doubt skilled, but a CIO isn’t necessarily going to understand the specific needs of a salesperson.
A worker who finds the security measures their organization has in place too cumbersome can and will circumvent them. By bringing everyone into conversations on cybersecurity, you can determine how best to balance convenience with data protection. Moreover, by making business leaders at every level aware of the threats your organization faces, you can ensure a more comprehensive, more unified approach to addressing them.
Cybersecurity awareness training also plays into this, to an extent. While employees are always going to be the weakest link in your security infrastructure, you can reduce the chances that they’ll cause problems for you by training them to recognize certain red flags that may indicate a phishing scam or socially-engineered attack. We’ll discuss this a bit more momentarily.
Putting Too Much Stock In The News
Tune in to the news at any given time, and you’re guaranteed to see a story about the latest vulnerability or global cyber attack. Currently, everyone’s buzzing about Meltdown and Spectre – but once the news cycle on those two has passed, you can bet money that something else will rise up to fill the void. I’d even go so far as to propose that a media blitz is part and parcel of modern cyber attacks.
It’s hard to ignore worries that we might be targeted by a global IoT botnet or wind up infected with the next WannaCry. And while I’d certainly advise guarding yourself against these threats, it’s also important to remember that these are not the biggest risk facing your business.
The truth is, most cyber attacks that are devastating enough to make the news fall into one of two camps:
- Simple and easily preventable, to the extent that basic cybersecurity best practices will be more than enough to keep your data safe.
- Highly-sophisticated, enough that if you’re targeted by them, there’s little you’ll be able to do aside from mitigating the damage.
The likelihood that your business will be targeted by the latter is extremely slim. Truth is, most cybercriminals lack either the resources, the skill, or the desire to execute complex, intricate, sophisticated attacks. The majority of data breaches occur as a result of employee error – someone falling for a phishing email, forwarding a document to the wrong person, or connecting to a network with an infected device.
The rest exploit vulnerabilities like unpatched systems, unsecured networks, and simple blind spots in your infrastructure. The point I’m trying to make is that the kind of attack that whips the media into a frothing frenzy is so complicated to pull off that it’s not really worth worrying about – at least not until you’ve addressed the actual threats facing your business. These include:
- Uneducated employees
  - Do your staff understand how to recognize phishing emails?
  - Are they trained to deal with social engineering attacks? If someone walked into your office claiming to be from IT and wearing a fabricated guest badge, would they be able to gain physical access to your systems?
  - Have you mandated proper password practices among your employees?
  - Do workers understand how to protect their devices against the threat of physical theft?
  - Do workers understand the risks involved in connecting through an unsecured wireless network?
- Unpatched systems
  - How often do you update your software?
  - Do you frequently ignore security patches?
- Vulnerable endpoints
  - Do you have a separate, segregated network for IoT devices like coffee makers or fridges?
  - Do you have some form of VPN in place to protect data when employees connect to your network remotely?
  - Do your monitoring tools provide a complete, comprehensive overview of your endpoints? If someone were to compromise an endpoint, would you be able to quickly determine how?
- Lack of backups
  - Do you have automated, isolated backups?
  - Are there multiple copies of those backups?
  - Do you test your backups regularly to ensure data integrity?
  - If you were infected by malware, are your backups kept isolated (offline or otherwise unreachable from production systems) so the infection can’t spread to them?
- No emergency response processes
  - What happens if a breach or leak does occur?
  - Do your employees know their specific roles in the event of a cyber emergency?
  - How will you communicate with clients and shareholders in the aftermath of a breach?
- Disorganized data
  - Do you know precisely where every critical file within your network resides? If you needed to isolate a dataset to protect it from attackers, would you be able to do so?
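The backup questions above are the ones most easily answered with a regular automated check rather than a policy document. The following is an added example, not code from the original article: it builds a hash manifest of a backup set, then verifies a later copy of that set against the manifest and reports files that were silently corrupted, deleted, or added. The file names and contents are constructed sample data written to a temporary directory; the manifest would in practice be stored on a different medium than the backup itself, so that malware which reaches the backup cannot also rewrite the manifest.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record size and SHA-256 for every file under backup_root, keyed by relative path."""
    manifest = {}
    for path in sorted(backup_root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(backup_root).as_posix()
            manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the current contents of backup_root against a previously saved manifest.

    Returns lists of relative paths under four headings:
      ok          - present and hash matches
      corrupted   - present but size or hash differs (bit rot, tampering, partial write)
      missing     - listed in the manifest but no longer on disk
      unexpected  - on disk but not in the manifest (something wrote into the backup set)
    """
    result = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = backup_root / rel
        if not path.is_file():
            result["missing"].append(rel)
            continue
        # Size check first: it is free, and a mismatch saves hashing the file.
        if path.stat().st_size != expected["size"] or sha256_file(path) != expected["sha256"]:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    for path in sorted(backup_root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(backup_root).as_posix()
            if rel not in manifest:
                result["unexpected"].append(rel)
    return result


def demo() -> dict:
    """Run the check against a constructed backup set and return the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample backup contents (hypothetical files, not real data).
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'acme');\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        (root / "notes.txt").write_bytes(b"quarterly report draft\n")

        # Manifest is serialised so it can be kept apart from the backup medium.
        manifest_json = json.dumps(build_manifest(root), sort_keys=True)

        # Simulate what a restore test should catch: a one-byte change that keeps the
        # file size identical, a deleted file, and a file that should not be there.
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'acmf');\n")
        (root / "notes.txt").unlink()
        (root / "evil.exe").write_bytes(b"MZ\x90\x00")

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```

The size check alone would have missed the corrupted SQL file, which is why the comparison falls through to the hash. A scheduled job that runs `verify_backup` against each backup copy and alerts on anything other than an empty `corrupted`, `missing` and `unexpected` list is a concrete answer to "do you test your backups regularly?"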
By all means, invest in a DDoS mitigation appliance. Hire a cybersecurity consultancy to perform penetration tests on your systems. But don’t think you can ignore the basics just because you’re doing all that.
Focusing Entirely On The Perimeter
Eons ago, we’d build castles and walls to protect our most precious resources from attackers. That approach translated for a time into the enterprise. Firewalls, access controls, and isolated servers were more than enough to defend sensitive data.
This is no longer the case.
While it’s still critical that you strictly manage and control access – and while it’s still important that you use tools such as firewalls, network monitoring platforms, and antimalware systems – a truly comprehensive approach to managing and mitigating cyber risk requires more. It requires that you toss aside the idea of a single security perimeter and look outside the walls of your organization.
What, for instance, are you doing to protect data in transit between your servers and mobile devices? How are you handling smartphones and tablets? Do you have a means of containerizing and wiping data to prevent it from being compromised if a device is infected with malware or stolen?
What about your files? Do you know who they’re being shared with, and how? Are you able to maintain control over your sensitive documents once they pass outside your security perimeter?
These are questions that you need to answer as part of your risk assessment – because if you don’t, you’re taking a woefully incomplete approach to security.
Speaking of external factors, what about your vendors and business partners? Often, if your own security is too much for an attacker to circumvent, they’ll simply target a third party who happens to have access to your data. While there’s no real way to prevent this from happening altogether, what you can do is carry out a risk assessment on any business you intend to work with – and avoid working with any that aren’t up to snuff.
Cyber risk assessments are now essential to protecting our systems, people, and data from the vast array of threats they face. But when performing them, we need to make absolutely certain that we’re doing enough to address the blind spots we might have. The first step is awareness – equipped with that, you should do just fine.