Posted on Feb 15, 2018
In 2016, there were more than 1,000 data breaches in the United States alone and more than 36 million records exposed, according to Statista. Given the prevalence of high profile breaches in 2017, last year was not any better.
As organizations build and strive to improve their cybersecurity postures in 2018, the statistics alone should be enough to drive new risk assessment strategies-- but that’s often not the case. Many companies, organizations, and government agencies continue to rely on point-in-time risk assessments and point-in-time penetration tests leaving them unprepared to combat the continuous threat of a cyberattack.
The Inherent Pitfalls of Short-Term IT Security Risk Assessment:
Point-in-time IT security risk assessments can find vulnerabilities at a single moment, but they fail to monitor activity between the assessments. These assessments quickly go out of date and depending on the form, can be very subjective.
It’s not unusual for organizations to have a mad scramble in preparation for the point-in-time risk assessment resulting in securing systems and reviewing existing documentation to meet certain compliance or audit requirements. This means, the picture painted by such an assessment is reflective of more stringent security behavior that may not be the norm at the organization. Once the compliance requirements are met, it’s often back to business as usual, and business as usual can yield risks that were unaccounted for.
Organizations looking to make real improvements in cybersecurity must gain operational command of their security posture and the security posture of their third-parties through continuous, non-intrusive monitoring. Just assessing vulnerabilities at a single point-in-time is not enough.
Moving Toward a More Comprehensive Approach to IT Security Risk Assessment:
To combat hackers, organizations must think like hackers do and continuously monitor a broad range of risk categories such as application security, malware, patching cadence, network security, hacker chatter, social engineering, and leaked information. In doing so, organizations gain a real-time assessment allowing them to make better decisions to mitigate security risks. Gone are the days when organizations could focus on behind-the-perimeter attacks; now, organizations need advanced analytics to get a complete picture to respond accordingly.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.