Welcome to the first installment of a Mission Cyber Group blog series on protecting your business from a cyberattack. There are many ways your business and its data can be under threat, and as many ways to be protected from them, so in each blog we’ll dive into one area you can focus on at a time to start upping your security game.
The first one we’ll talk about is also the first step companies should take when they want to make themselves more secure: a basic security assessment.
We all know that cybersecurity threats against small and midsize companies are constantly evolving. The tools and techniques threat actors used yesterday are not necessarily the same tools they will use tomorrow to try and gain access to your company’s employee and customer data. It’s hard enough to try and keep up with the new threats out there, but compounding that problem is the fact that most companies don’t have an accurate or complete understanding of their defenses and where those protective measures are coming up short.
It’s hard to know what you don’t know, but you can bet that malicious forces online will find your weak point and do their best to get access through it to your corporate network. When cybersecurity isn’t your core business, finding yourself under attack by seasoned professionals is not where you want to be. It’s also not where you want to learn for the first time where the holes are in your defenses.
It’s common practice for whoever the highest-ranking IT person at an SME is (sometimes the only IT person) to simply plug in the tools they think are needed, based on their past personal experience, and assume all is well. Not only is this ineffective, since that IT person isn’t a cybersecurity professional—just the closest thing to one the company had on staff—it can also be unnecessarily expensive. The company might be paying too much for a product because they don’t understand the actual protection (or lack thereof) that product provides, or it could be the wrong product for their needs entirely.
Ignorance is not bliss when it comes to your cyberdefense. The best first step you can take on the road to a more secure environment is a security assessment, to find out where your risks lie and what you can do about them. It’s important to bring in a seasoned cybersecurity team or partner to do this assessment; their experience and knowledge of the threat landscape will be invaluable to you, because they keep up with the latest nefarious elements out there and can protect you from them. The average person has no shot against the expert criminals out there.
While it’s always good to stay current on your own security, we’ve seen many cautionary tales of business owners or managers doing a “self-assessment” of their current security situation that did not end well. If you’re not an expert, it’s hard to know what to look for, or how to fix the things you find. The methods and tactics threat actors are using are highly sophisticated; you need experts who can work with equally sophisticated tools!
So what are you looking for in a security assessment?
A proper security assessment provides visibility into, and validation of, each part of your overall cybersecurity defense (many of which we will highlight in more detail in future installments of this blog!). It tells you both the risks involved with your current situation and how to fix what isn’t up to par.
Not all risks are created equal, though, and the value of an expert security team providing your assessment is that they can rate the severity of each risk. That rating lets your business do a cost-benefit analysis on whether to fix a problem or take another route within the standard framework for handling security risks, whose options are generally classified as follows:
- Risk Acceptance: No actions taken; the risk is low enough compared to the benefit to justify leaving as-is
- Risk Mitigation: Steps are taken to find the proper solution to a problem and then apply it
- Risk Transference: Moving the risk to a third party, either by engaging a cybersecurity provider or acquiring cybersecurity insurance
- Risk Avoidance: Stopping the risky process or service entirely to remove the risk carried within it
Where your business will fall on this framework depends on both your appetite for risk and the context of the specific issue that needs addressing. Every business is different, and a professional security outfit will help you contextualize your risk assessment based on the specifics of your company, industry, technology, and beyond.
A security assessment is the first step toward a cybersecure business. Don’t go experimenting with solutions if you don’t know what you’re already working with. If you want to get started and locate the risks you need to address in your business, reach out to David Fizer, Managing Partner at Mission Cyber Group at [email protected], or reach out to us on our Contact page.