Cybersecurity assessments: automated vs human
There are so many tools and offers around cybersecurity that it can be difficult to figure out which one is best for your situation. See our Cybersecurity page for details about Kosh's security service. At Kosh, we see customers with different needs that typically fall into two categories:
The need for constant cybersecurity evaluations coming from machines
The need for a one-time or annual cybersecurity assessment with an expert
Both automated and human cybersecurity assessments are valuable in different situations. Automated assessments work best for companies that need constant monitoring and real-time reports. Human-based assessments are better for getting high-level business questions answered for risk analysis, cyber insurance, and budgeting.
In this article, I'll take a look at both types of assessments and break down the pros and cons of each. In general, automated cybersecurity evaluations are useful for periodic testing and most useful to IT professionals. Alternatively, human evaluations with a cybersecurity professional work best for understanding the big-picture technology environment of the company. This is great for CEOs and decision-makers because they get a report in a language they can understand and take action on.
Automated Cybersecurity Assessments
An automated assessment is one where software is loaded on your network and "bots" go out and run some diagnostics. Some of the things these programs are looking at include:
Detect System Protocol Leakage
Detect Unrestricted Protocols
Detect User Controls
Detect Wireless Access
External Security Vulnerabilities
Network Share Permissions
Domain Security Policy
Local Security Policy
If those bullet points don't mean much to you, then you're not alone! That's one of the issues with automated reports - they are great for IT pros but not for laymen.
Three Pros of Automated Assessments
Systematic and consistent
I think the biggest advantage of automated reports is the systematic, repeatable nature of the evaluation. It verifies or investigates and returns a yes or no. It can lack nuance, but it is consistent.
Quick evaluation of large numbers of endpoints
These reports are nice because they can take in a lot of endpoints (computers, printers, laptops, mobile devices) and return valuable data.
Frequency - speed
This type of report can be run as often as desired. Typically, it takes just the click of a button, and the report is prepared within minutes or hours.
Three Cons of Automated Assessments
Difficult to understand
For most non-tech people, these reports are difficult to understand and are even more difficult to distill down to actions for the business.
Lacks business intelligence
These reports do not take into account the specific situations of each business.
Doesn't typically address the biggest security risk - humans
Automated reports usually don't address the biggest entry point into your network...humans. According to Cybint, a global cyber education company, 95% of cybersecurity breaches are due to human error.
Cyber-criminals and hackers will infiltrate your company through your weakest link, which is rarely in the IT department.
Human Cybersecurity Assessments
This type of assessment is conducted by a cybersecurity professional. Typically, the IT pro talks with the company's decision-makers and works to understand their current technology environment in relation to their business vertical.
Three Pros of Human Assessments
Custom and nuanced evaluation
Most automated reports don't evaluate the compliance needs of the company's business vertical. This is a critical component that any business must get right. Regulated industries require specialized security setups, which can be addressed by the cybersecurity expert.
Peace of mind conversation
A lot of the value of a human running the assessment is that company executives and decision-makers can ask questions and get clarity. A business might have a question about cyber insurance or best practices, and the cybersecurity professional will be able to address their situation.
Addresses the human component
The human component is the biggest risk when it comes to cybersecurity, and a security expert should probe into the practices of your company to better understand the security posture of all your staff.
Three Cons of Human Assessments
It can be difficult to get a consistent year-over-year security evaluation. This is partly because the needs of your business change over time, or the threat environment changes, but also because the assessment is conducted by a human and will have some level of variability.
This type of evaluation is not good for daily, weekly, or even monthly assessments. Human assessments are best carried out annually.
A thorough evaluation will take time on the part of the security expert AND the stakeholders of the company. There will need to be at least one or two meetings between the IT pro and your company. In order for the IT pro to put together a well-thought-out report, they will need a few days to digest your technology and business environment.
Automated vs human assessments
As you may have guessed, the best practice is to use both kinds for their different strengths. The automated assessment is great for staying up to date and is most useful for your IT team. The human assessment is great for getting an annual big-picture look and delivering an easy-to-understand report to company leaders.
Kosh offers a human cybersecurity assessment. It's 4 steps:
Sign up for the assessment here.
Meet remotely with our expert to go over our cybersecurity checklist.
Our expert prepares a unique set of recommendations for your company.
Meet remotely with our expert to review your recommendations and develop an action plan.
If you'd like to see our full Cybersecurity Checklist, fill out your name and email so we can email it to you!
The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.