There are about as many variations of cybersecurity assessments as there are cybersecurity threats, and that is a lot of them! We asked a few experts and pulled together what a cybersecurity risk audit or evaluation should look like.
In short, a cybersecurity threat assessment should include a certified cybersecurity expert, automated tools, evaluations of your staff, and a standardized form that offers a remediation path and aids in obtaining cyber insurance.
Please keep in mind that there will be a wide range of offerings from companies and an even wider range of prices. I've seen anywhere from FREE to over $15,000 for a cybersecurity assessment! Let's get into what to expect in a typical assessment.
Cybersecurity expert involvement
Every assessment should have a security expert at some point in the evaluation process. For some, it might be that a security expert created the automated tool. Or perhaps your company gets one-on-one time with the expert (we prefer this one!). Whatever the level of involvement, there needs to be an expert who oversees the assessment and can give some context to the results.
For Kosh Solutions, we have our cybersecurity expert get to know your business and technology environment to better evaluate your unique vulnerabilities and strengths.
What makes someone a cybersecurity expert?
There are a few internationally recognized certifications that tell you the person you are working with is truly a security expert. The big certifications in order of strength are:
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)
Automated tools' role in a cybersecurity evaluation
We all love efficiency and employing a bit of software to go do a bunch of reconnaissance work is a great way to get a lot of bang for your buck. Typically, these security tools get loaded onto your network and they go out to your computers, printers, servers, virtual machines, firewalls, or anything on your network and bring back data.
The type of data the tool brings back will vary, but at a minimum it should cover:
Detect System Protocol Leakage
Detect Unrestricted Protocols
Detect User Controls
Detect Wireless Access
External Security Vulnerabilities
Network Share Permissions
Domain Security Policy
Local Security Policy
Evaluations of staff's cybersecurity awareness
Above is Casey, our Service Manager out of Las Cruces, NM, and a man who looks like he just clicked a phishing email link! The human aspects of security are by far the most important because 92%+ of cybersecurity breaches come from humans clicking something they shouldn't. Awareness training should be a continuous effort throughout the year and it should include how to identify phishing.
Other areas this should cover are more targeted attacks like spoofing, spear phishing, and social engineering.
Here is an example of a real-life attack that we saw:
The attacker went to LinkedIn and found out who the purchasing officer was. Then the attacker spoofed the CEO's email (made the email look like it came from the CEO) and sent a message to the purchasing officer requesting that they transfer money for the services of an independent contractor who had done some work. The purchasing officer felt something was a little off, so she contacted the CEO to verify. Of course, the CEO had no idea what she was talking about. There was no independent contractor. The attacker was trying to get her to transfer money into their account. Good thing the purchasing officer had the wherewithal to call and confirm.
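The spoofed-CEO request above is a textbook business email compromise attempt. As an added example (not code from Kosh Solutions or the original post), here is a small Python triage check that flags the signals a mail gateway or analyst would look for on such a message: an executive's display name on an outside mailbox, a Reply-To pointing to another domain, missing SPF/DKIM/DMARC passes, and payment-request wording in the subject. The executive roster, payment keywords and sample message are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Assumptions for this example (constructed, not from the page): a roster of
# executives likely to be impersonated, and words that signal money movement.
EXECUTIVES = {"jane ceo": "jane.ceo@example.com"}
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "urgent")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw):
    """Return the BEC warning flags raised by a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    name = display.strip().lower()
    # 1. An executive's display name on a mailbox that is not theirs.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        flags.append("display-name-spoof")
    # 2. Reply-To steering replies to a different domain than From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        flags.append("reply-to-mismatch")
    # 3. Authentication-Results lacking an explicit pass per mechanism.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=pass" not in auth:
            flags.append(f"{mech}-not-pass")
    # 4. Money-movement language in the subject line.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in PAYMENT_WORDS):
        flags.append("payment-request-language")
    return flags


# Constructed sample modelled on the attack described above.
SPOOFED = """From: Jane CEO <jane.ceo@mail-example.co>
To: purchasing@example.com
Subject: Urgent: wire transfer for contractor invoice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-example.co; dkim=none; dmarc=none

Please transfer the payment today for the independent contractor who did some work for us.
"""

if __name__ == "__main__":
    print(analyze_headers(SPOOFED))
```

Any message that raises the display-name or authentication flags together with payment language is worth a phone call to the purported sender, which is exactly what saved the purchasing officer in the story.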
Standardized checklist and assessment form
It may sound a bit trivial, but a solid checklist and form are fantastic ways to make sure all the t's are crossed and the i's are dotted. Checklists keep everyone on the same page and on track. A standardized form can also lend itself to year-over-year analysis of progress.
Another benefit to a well-thought-out cybersecurity checklist or assessment form is that it can make applying for cyber insurance less of a headache. Every insurance carrier has a different form but there are a lot of areas of overlap and a thorough cybersecurity checklist can help answer many of the questions.
Kosh Solutions has a great cybersecurity checklist that we put together. We can email you a copy.
A remediation path
What's the point of having a report that just tells you if you are at risk? The assessment should also give guidance on how to address the vulnerabilities in your technology environment. We like to see not just steps but a thought-out priority list of all the issues, as well as a quote so you can shop around for providers to fix your issues.
Quick side note
Another item that might be on an assessment is a penetration test - but we usually see this sold as a separate product.
The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.