Understanding your weaknesses through regular cyber security audits and assessments is critical. Without them, it’s difficult to withstand cyber attacks and protect your organization.
As the Japanese author Shusaku Endo observed, "Every weakness contains within itself a strength." Knowing your weaknesses helps you focus on what you need to do to improve your cyber security posture. Where should you invest your limited IT budget in security technology and services to get the most bang for your buck? How do you know where to focus resources to best prevent a breach? In addition to network security, how are you handling cloud security in your risk assessments?
Evaluating your cyber security program on a periodic basis and auditing it regularly helps you discover weak areas while answering questions like these.
How Do You Define Periodic and Regularly?
So what do we mean by "periodic" and "regularly"? Doing periodic assessments means that they're not done only when they have to be. For example, in the government world, a system accreditation was typically good for three years. Because an assessment was only required every three years for accreditation, that was often the only time one was done, even though three-year-old results say little about threats that change monthly. Regardless of what type of organization you're in, I'd recommend you create a plan to assess your most critical functions at least once a year, if not more often.
When I talk about conducting a cyber security audit on a “regular basis,” I’m referring to a scheduled plan as well. For example, you can audit 25 percent of your security controls each quarter to work your way through the list over the course of the year. This can ensure that results stay current regardless of changes in your cyber environment. You can make adjustments to the schedule as needed, of course.
The point is to make sure your assessment and auditing activities stay on a generally agreed-upon schedule. You need to make sure that schedule is communicated to everyone involved in the process, too.
Identifying Critical Assets and Gaps in Your Defenses
As ridiculous as it may seem, many organizations do not know what their most critical information is or where it lives, exactly. Before you try to figure out all the ways security can be compromised by internal and external forces, the first step should be to identify the information that is key to your business. This can help you allocate resources more efficiently and ensure you’re aligned with business priorities and risk management efforts. As a side benefit, you can also prioritize risks better to focus on your company’s critical assets.
A lot of thought, planning and work goes into selecting, then implementing, cyber security controls to defend your company’s critical information. But how do you know they are doing what they are supposed to do? And how do you know if any new threats exist? Completing timely and regular assessments and auditing those controls can give you that insight.
If you don’t know where the gaps in your security controls are, how can you possibly fill them? The truth is, you can’t. Conducting regular assessments will not only illuminate holes in your defenses and your security architecture; it will also validate your efforts to plug them. Assessing and validating this on a regular basis makes it easier to defend your network and reduces your risk.
Assessing Controls and Auditing for Compliance
Once you’ve selected the appropriate controls and implemented them, you need to think about what happens next. We discussed this in a previous post on how to lower your security risk. Will they always control the risk at the same level? What if the threat changes? New malware variations are unleashed every day, and bad actors are constantly developing new threat tactics to breach your defenses.
A simple re-assessment can tell you if your controls are still doing what you need them to do. Even a cursory documentation review can tell you if what worked when a control was put in place is good enough now. For example, did your company decide that scanning for new vulnerabilities once every two weeks was sufficient to mitigate potential risk to your network? That won't work anymore. Attackers can now exploit a newly disclosed vulnerability within hours of its publication, so a two-week scan window leaves systems exposed for most of that time.
Periodically auditing for compliance can also alert you to issues you may have assumed were covered. For instance, say your policy states that all users must use multi-factor authentication for logins. However, when auditing your company’s authentication process, you discover that this is being waived for certain employees. This is clearly not in line with policy and something that needs to be documented and addressed.
Taken together, periodic assessments and audits can identify previously unknown risks. Maybe the time between scans was considered an acceptable risk in isolation. Throw in non-compliance with multi-factor authentication and the two weaknesses compound: an unpatched flaw gives an attacker a foothold, and a waived second factor lets stolen credentials finish the job. At least now that you know about both weaknesses, they can be considered in your overall risk determination and acceptance decisions.
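To make the quarterly rotation, the overdue-assessment check, the scan-cadence question and the MFA waiver audit concrete, here is an added example (not code from the original post). It assumes a small control inventory and a user export that you would normally pull from a GRC tool or identity provider; all the records below are constructed for illustration, and the control IDs borrow NIST SP 800-53 labels only as familiar names.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    control_id: str
    name: str
    last_assessed: date
    max_interval_days: int  # policy: re-assess at least this often


def rotation_schedule(controls: List[Control]) -> Dict[str, int]:
    """Assign controls round-robin to quarters 1..4 so roughly 25% are audited per quarter.
    Sorting by ID keeps the assignment stable between runs as controls are added."""
    ordered = sorted(controls, key=lambda c: c.control_id)
    return {c.control_id: (i % 4) + 1 for i, c in enumerate(ordered)}


def overdue_controls(controls: List[Control], today: date) -> List[str]:
    """IDs of controls whose last assessment is older than the allowed interval."""
    return sorted(c.control_id for c in controls
                  if (today - c.last_assessed).days > c.max_interval_days)


def scan_cadence_violations(scan_dates: List[date],
                            max_gap_days: int) -> List[Tuple[date, date, int]]:
    """Gaps between consecutive vulnerability scans that exceed the allowed window."""
    ordered = sorted(scan_dates)
    violations = []
    for earlier, later in zip(ordered, ordered[1:]):
        gap = (later - earlier).days
        if gap > max_gap_days:
            violations.append((earlier, later, gap))
    return violations


@dataclass
class UserRecord:
    username: str
    mfa_enforced: bool
    mfa_exempt: bool
    exemption_approved_by: Optional[str] = None


def mfa_policy_findings(users: List[UserRecord]) -> List[Tuple[str, str]]:
    """Compare each account against a policy of 'MFA required for all logins'.
    Accounts without MFA are reported whether or not a waiver exists, since a
    documented waiver still needs periodic re-justification."""
    findings = []
    for u in users:
        if u.mfa_enforced:
            continue
        if u.mfa_exempt and u.exemption_approved_by:
            findings.append((u.username, "documented exemption: confirm still justified"))
        elif u.mfa_exempt:
            findings.append((u.username, "exemption without recorded approval"))
        else:
            findings.append((u.username, "MFA not enforced and no exemption on file"))
    return findings


# Constructed sample data (hypothetical inventory, scan history and user export).
CONTROLS = [
    Control("AC-2", "Account management", date(2023, 2, 10), 365),
    Control("AU-6", "Audit log review", date(2023, 6, 1), 180),
    Control("IA-2", "Multi-factor authentication", date(2023, 12, 1), 365),
    Control("RA-5", "Vulnerability scanning", date(2024, 2, 20), 30),
    Control("SC-7", "Boundary protection", date(2023, 9, 15), 180),
]
SCAN_DATES = [date(2024, 1, 2), date(2024, 1, 16), date(2024, 2, 6), date(2024, 2, 20)]
USERS = [
    UserRecord("alice", mfa_enforced=True, mfa_exempt=False),
    UserRecord("bob", mfa_enforced=False, mfa_exempt=True, exemption_approved_by="security-review"),
    UserRecord("carol", mfa_enforced=False, mfa_exempt=True),
    UserRecord("dave", mfa_enforced=False, mfa_exempt=False),
]
TODAY = date(2024, 3, 1)


def audit_report(today: date = TODAY) -> dict:
    """One pass over the constructed data; the scan window is tightened to 7 days."""
    return {
        "rotation": rotation_schedule(CONTROLS),
        "overdue": overdue_controls(CONTROLS, today),
        "scan_gaps": scan_cadence_violations(SCAN_DATES, max_gap_days=7),
        "mfa": mfa_policy_findings(USERS),
    }


if __name__ == "__main__":
    for section, result in audit_report().items():
        print(section, result)
```

Run against this data, the report flags AC-2 and AU-6 as overdue, shows every scan gap exceeding a seven-day window, and lists bob, carol and dave with three different MFA findings; change `max_gap_days` to 14 and only the 21-day gap between the January and February scans remains, which is the kind of "was this interval ever acceptable" question the re-assessment is meant to surface.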
Next Steps: Addressing Weak Spots
Now that you have identified the weaknesses in your cyber defenses, you need to address them. First and foremost is to reduce any new risks you’ve found. That means reducing risk not just at the control and IT level, but from the top down, strategically.
Thinking back to the example above, how does insufficient scanning and lack of multi-factor authentication affect the business? What kinds of business-critical functions may be affected? And how should this be addressed from a company-wide point of view? Prioritize your risk reduction efforts based on this overall company strategy and make sure to get buy-in from your leadership team.
Once the risk strategy is determined, there will be plenty to keep you busy as you strengthen your company's program. This will obviously take some effort and may require new investments in people and technical solutions.
The good news is that if the leadership team has agreed to and prioritized that risk company-wide, it should be a lot less challenging to get the resources you need. Be prepared to develop a business case if needed, and to provide cost estimates that sync with the risk reduction plan so they can be worked into the company’s financial plans and forecasts.
With the strategy clearly defined, the plans in place, and resources secured, you are all set, right? Well, almost. While you might have people to help, do you have the right people? You may have identified issues that require skills and knowledge beyond your staff's in-house capability. Because you have stayed on course with regular, periodic assessments and audits, you know exactly what needs to be done, so you can hire more people or secure training for existing staff with a specific target in mind. Given the scarcity of trained cyber security experts, you may also need to make the case for hiring consultants. Look for a firm that offers expertise in areas your team doesn't have.
Cyber security assessments and audits are not a silver bullet that will alleviate all your worries. There are still a lot of things to consider. And, inevitably, things will change, priorities will shift, and new problems will arise. However, it's certainly more comforting, and a lot more manageable, when you know your strengths and weaknesses. Given the correct information, leadership can more accurately determine business risk, develop a big-picture strategy, and get you the resources you need to keep your organization safe.
The National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) provide solid guidance for strengthening your defenses (NIST SP 800-53 and ISO/IEC 27001, for example). They have years of information security best practice that you can leverage.