Posted on Nov 21, 2019
Just like people have unique fingerprints, every company has its own unique digital footprint. Even where overlaps exist, companies offer differentiated products, build their own IT infrastructures, and assemble their own sets of third-party vendors. A large enterprise might deliver services from a private cloud, while a smaller startup might run a hybrid on-premises/public cloud infrastructure. No "one size fits all" approach to cybersecurity exists, but these six strategies can help you create a "just right" approach to developing your cyber vulnerability assessment checklist.
A cyber vulnerability assessment, also called a security assessment, starts by inventorying an organization's networks, hardware, software, and applications, then uses vulnerability scanning, penetration testing, or both to determine the information security risk associated with those IT assets, including but not limited to network security and web application security.
After identifying and assessing potential threats as part of the cyber vulnerability assessment, the organization can engage in remediation strategies that strengthen its cybersecurity posture and mature its compliance posture. Additionally, cybersecurity compliance requirements increasingly require organizations to continuously monitor for control weaknesses and new threats that impact their security and compliance profiles.
Developing your cyber vulnerability assessment means understanding the risks that most directly impact your business. However, since malicious actors target organizations based on a variety of factors, you need to develop a personalized cyber vulnerability assessment.
Every cyber vulnerability assessment needs to start with the company's long-term business objectives. Communication between lines of business and IT departments needs to be a continuous activity. An ecommerce business that primarily operates in the United States may need to meet the security requirements dictated by the California Consumer Privacy Act (CCPA) or the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act. However, if you're planning to expand your operations and focus on European customers, you need to speak with your IT department about meeting the European Union's General Data Protection Regulation (GDPR) security requirements as well. Ensuring that all internal stakeholders communicate as part of the information security vulnerability assessment process is foundational to effective security and compliance outcomes.
Although this seems like an obvious first step, many organizations struggle to identify all networks, hardware, software, and cloud-based IT assets. As organizations embrace digital transformation, they increase the number, type, and location of their digital assets. Equally important, organizations that merge with or acquire other companies need to incorporate these new assets as part of their cyber vulnerability assessment.
Organizations often struggle to monitor their cloud-based resources because the cloud’s scalability means that the number of workloads and objects can change at a moment’s notice. Identifying all the cloud-based assets can be overwhelming for organizations as they attempt to scale their business while also protecting their data from malicious actors.
An inherent risk is a risk associated with a type of business or industry. For example, the inherent risks in manufacturing center on SCADA systems and Industrial Internet of Things (IIoT) devices. Meanwhile, inherent risks in ecommerce focus on cardholder data and network segmentation.
Another inherent risk may be your organization’s geographic location. For example, global cybersecurity insights research indicated that network security risks were greater in European countries than in North American countries. While you can’t change your organization’s geographic location easily, you can prioritize the most important inherent risks for a stronger security posture.
An organization's risk tolerance reflects how much of an identified risk it is able to manage, or in most cases protect against. Organizations can choose to accept, mitigate, transfer, or avoid a risk based on their corporate structure and resources. However, as part of your cyber vulnerability assessment, you should review your risk tolerance levels continuously.
For example, as an organization scales its business operations, it may add more cloud-based resources. A company that previously accepted certain risks, such as using open source security tools, may find that they need to purchase tools or hire more IT staff to mitigate the new risks.
Control risks are often associated with manual processes. While a weak control may be technical, such as an unpatched firewall or a publicly exposed Amazon S3 bucket, the reason the weakness exists often lies in human error: an overwhelmed IT administrator forgot to update the firewall, or a developer left the bucket's access settings open.
As part of your control risk review, you want to start by reviewing all manual tasks. Often, automating these tasks can lead to fewer control risks.
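One way to automate the S3 part of that review, as an added example that is not part of the original post or of SecurityScorecard's product: a Python check that parses bucket policy documents, flags Allow statements that anyone can use, and combines the result with the bucket's Public Access Block settings. The bucket names, account ID and organization ID below are constructed for the example; in practice the policy text and the block flags would come from the S3 GetBucketPolicy and GetPublicAccessBlock APIs. The set of condition keys treated as restricting a "*" principal is an assumed subset of the keys AWS documents.

```python
import json

# Condition keys that AWS treats as narrowing a "*" principal to known callers;
# a statement carrying one of them is not considered public. This is a subset of
# the keys AWS documents, chosen for this example (assumption).
RESTRICTING_CONDITION_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:principalorgpaths", "aws:sourceaccount", "aws:sourcearn",
    "aws:sourcevpc", "aws:sourcevpce", "aws:userid",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _has_restricting_condition(condition):
    """True if any condition key limits who can satisfy the statement."""
    return any(key.lower() in RESTRICTING_CONDITION_KEYS
               for block in (condition or {}).values() for key in block)


def find_public_statements(policy_json):
    """Return [(Sid, [actions])] for Allow statements that anyone can use."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if (stmt.get("Effect") == "Allow"
                and _is_wildcard_principal(stmt.get("Principal"))
                and not _has_restricting_condition(stmt.get("Condition"))):
            findings.append((stmt.get("Sid", "statement-%d" % idx),
                             _as_list(stmt.get("Action"))))
    return findings


def assess_bucket(name, policy_json, public_access_block):
    """Combine the policy check with the bucket's Public Access Block flags.

    public_access_block uses the key names the S3 GetPublicAccessBlock API
    returns. RestrictPublicBuckets limits a public policy to the bucket
    owner's account, so it downgrades FAIL to WARN rather than clearing it.
    """
    sids = [sid for sid, _ in find_public_statements(policy_json)]
    if not sids:
        status = "PASS"
    elif public_access_block.get("RestrictPublicBuckets"):
        status = "WARN"
    else:
        status = "FAIL"
    return {"bucket": name, "status": status, "public_statements": sids}


def _policy(*statements):
    """Wrap statements in a policy document string, as GetBucketPolicy returns."""
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


# Constructed sample inputs standing in for GetBucketPolicy / GetPublicAccessBlock
# output; the bucket names, account ID and org ID are made up for this example.
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
NOT_BLOCKED = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

SAMPLE_BUCKETS = {
    # The classic mistake: anyone on the internet can read every object.
    "example-web-assets": (_policy(
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-web-assets/*"}),
        NOT_BLOCKED),
    # Scoped to one role: not public.
    "example-app-data": (_policy(
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-data/*"}),
        ALL_BLOCKED),
    # "*" principal but limited to the organization by condition: not public.
    "example-org-share": (_policy(
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-org-share/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}),
        NOT_BLOCKED),
    # Public statement still in the policy, but RestrictPublicBuckets contains it.
    "example-legacy-logs": (_policy(
        {"Sid": "OldPublicList", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-legacy-logs"}),
        ALL_BLOCKED),
}


def run_checks(buckets=SAMPLE_BUCKETS):
    """Assess every bucket; returns results keyed by bucket name."""
    return {name: assess_bucket(name, policy, pab) for name, (policy, pab) in buckets.items()}


if __name__ == "__main__":
    for r in run_checks().values():
        print("%-4s %-20s %s" % (r["status"], r["bucket"], ", ".join(r["public_statements"]) or "-"))
```

Because the check is deterministic, it can run on a schedule or in the pipeline that applies bucket changes, so the control no longer depends on someone remembering to review each policy. It only looks at bucket policies and the Public Access Block flags; a complete check would also evaluate bucket and object ACLs, which is why leaving BlockPublicAcls and IgnorePublicAcls enabled matters as well.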
Malicious actors evolve their methods. Malware, including ransomware, is one of the most common means by which attackers gain access to networks, systems, and software. Although exploits of previously unknown vulnerabilities, or "zero day" attacks, make great headlines, they also take a lot of time and effort to develop. Most malware and ransomware families are evolutions of previously known code. In some cases, malicious actors simply purchase malware on dark web markets; in others, they tweak known programs. Either way, such attacks are low cost and easy to deploy.
With that in mind, the controls that effectively protect your organization today may not mitigate risk tomorrow. In combination with your control risk and manual task review, consider deploying an automated continuous monitoring solution that alerts you to new risks, prioritizes them for you, and helps you remediate them more rapidly to better protect your organization.
SecurityScorecard’s cybersecurity ratings platform provides “at-a-glance” insight into your organization’s security posture. Using a variety of publicly available information from across the internet, our platform rates your controls’ effectiveness using an A through F rating system.
We monitor for ten factors including DNS health, IP reputation, network security, and web application security. We not only provide you with a holistic rating, but we allow you to drill down into the ten factors so that you can gain insight into your most vulnerable areas.
Our automation reduces the human error risk associated with manual tasks, such as overwhelming log reviews. With SecurityScorecard’s security ratings, you can prioritize your security activities, document your remediation steps, and prove governance over your cybersecurity program.