Posted on Feb 15, 2018
In 2016, there were more than 1,000 data breaches in the United States alone and more than 36 million records exposed, according to Statista. Given the prevalence of high-profile breaches in 2017, last year was not any better.
As organizations build and strive to improve their cybersecurity postures in 2018, the statistics alone should be enough to drive new risk assessment strategies, but that is often not the case. Many companies, organizations, and government agencies continue to rely on point-in-time risk assessments and point-in-time penetration tests, leaving them unprepared to combat the continuous threat of a cyberattack.
The Inherent Pitfalls of Short-Term IT Security Risk Assessment:
Point-in-time IT security risk assessments can find vulnerabilities at a single moment, but they fail to monitor activity between assessments. These assessments quickly go out of date and, depending on the form they take, can be very subjective.
It is not unusual for organizations to have a mad scramble in preparation for a point-in-time risk assessment, securing systems and reviewing existing documentation to meet certain compliance or audit requirements. This means the picture painted by such an assessment reflects more stringent security behavior than may be the norm at the organization. Once the compliance requirements are met, it is often back to business as usual, and business as usual can yield risks that were unaccounted for.
Organizations looking to make real improvements in cybersecurity must gain operational command of their own security posture and that of their third parties through continuous, non-intrusive monitoring. Assessing vulnerabilities at a single point in time is not enough.
Moving Toward a More Comprehensive Approach to IT Security Risk Assessment:
To combat hackers, organizations must think like hackers do and continuously monitor a broad range of risk categories such as application security, malware, patching cadence, network security, hacker chatter, social engineering, and leaked information. In doing so, organizations gain a real-time assessment that allows them to make better decisions to mitigate security risks. Gone are the days when organizations could focus only on attacks behind the perimeter; now, organizations need advanced analytics to get a complete picture and respond accordingly.
With hackers finding new ways to attack third parties in hopes of infecting a larger organization, the third-party ecosystem is more fragile than ever before.
The purpose of IT security risk assessment is to determine security risks to your company’s critical assets, and how much funding and effort should be used in their protection. Get started with SecurityScorecard’s step-by-step guide to managing your cyber risk.