In 2016, there were more than 1,000 data breaches in the United States alone and more than 36 million records exposed, according to Statista. Given the prevalence of high profile breaches in 2017, last year was not any better.
As organizations build and strive to improve their cyber security postures in 2018, the statistics alone should be enough to drive new risk assessment strategies-- but that’s often not the case. Many companies, organizations, and government agencies continue to rely on point-in-time risk assessments and point-in-time penetration tests leaving them unprepared to combat the continuous threat of a cyberattack.
The inherent pitfalls of short-term IT security rrisk assessment
Point-in-time IT security risk assessments can find vulnerabilities at a single moment, but they fail to monitor activity between the assessments. These assessments quickly go out of date and depending on the form, can be very subjective.
It’s not unusual for organizations to have a mad scramble in preparation for the point-in-time risk assessment resulting in securing systems and reviewing existing documentation to meet certain compliance or audit requirements. This means, the picture painted by such an assessment is reflective of more stringent security behavior that may not be the norm at the organization. Once the compliance requirements are met, it’s often back to business as usual, and business as usual can yield risks that were unaccounted for.
Organizations looking to make real improvements in cyber security must gain operational command of their security posture and the security posture of their third-parties through continuous, non-intrusive monitoring. Just assessing vulnerabilities at a single point-in-time is not enough.
Moving toward a more comprehensive approach to IT security risk assessment
To combat hackers, organizations must think like hackers do and continuously monitor a broad range of risk categories such as application security, malware, patching cadence, network security, hacker chatter, social engineering, and leaked information. In doing so, organizations gain a real-time assessment allowing them to make better decisions to mitigate security risks. Gone are the days when organizations could focus on behind-the-perimeter attacks; now, organizations need advanced analytics to get a complete picture to respond accordingly.