Defining your level of cybersecurity risk
Three factors play into risk determination: what the threat is, how vulnerable the system is, and the importance of the asset that could be damaged or made unavailable. Thus, risk can be defined as:
Risk = Scope of the threat × Level of vulnerability × Value of the asset(s) compromised
Here are some common ways you can suffer financial damage:
Theft of trade secrets could cause you to lose business to your competitors. Theft of customer information could result in loss of trust and customer attrition.
System or application downtime
If a system fails to perform its primary function, customers may be unable to place orders, employees may be unable to do their jobs or communicate, and so on.
If somebody steals data from one of your databases, even if that data is not particularly valuable, you can incur fines and other legal costs for failing to comply with the data protection requirements of HIPAA, PCI DSS or other compliance regimes.
Your FREE 3nerds cybersecurity risk assessment will consist of the following nine steps:
Identify and Prioritize Assets
Every client is unique, but what we are looking at are the elements, both physical and digital, that are required to operate your organization. This would include hardware like PCs, servers and other peripherals, your CRM database, your contact information, confidential documents, trade secrets and so on. In order to be certain that we have covered all bases and identified all critical assets, your 3nerds technician will interview the management team at your firm. Together we will define a standard for determining the importance of each asset, i.e., the asset's monetary value, legal standing and importance to the organization. Once complete, we will be able to classify each asset as critical, moderate or minor.
With your assets identified and prioritized, our next step is to identify the threats that could affect each asset. Here is what we will be looking for with respect to the threats your organization might be facing:
Floods, hurricanes, earthquakes, fire and other natural disasters can destroy equipment and take your business down indefinitely. You can lose not only data but the servers and appliances as well. If fire, power outages or other disasters could take down your servers, it might make sense to have your servers colocated in a data center facility that provides storage space, cooling, power, bandwidth and physical security.
The likelihood of system failure depends on the quality of your equipment. Old or "no-name" equipment has a much greater chance of failure than new equipment under warranty.
Accidental human interference
Regardless of the type of business you operate, this is a high threat. Accidents and mistakes happen. Critical files can be accidentally deleted or corrupted beyond repair. With the best of intentions, an employee can click on a malware link or accidentally damage a piece of equipment. Therefore, you should regularly back up your data, including system settings, ACLs and other configuration information, and carefully track all changes to critical systems.
There are three types of malicious behavior:
- Interference - somebody causes damage to your business by deleting data, engineering a distributed denial of service (DDoS) against your website, physically stealing a computer or server, and so on.
- Interception - better known as hacking, where someone steals your data.
- Impersonation - the misuse of someone else's credentials, which are often acquired through social engineering attacks, brute-force attacks, or purchased on the dark web.
A vulnerability is a weakness (a hole in your security) that a threat can exploit to breach security and harm your organization. We identify your level of vulnerability using our software to access the National Vulnerability Database (NVD), a U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names and impact metrics. You can reduce your software-based vulnerabilities with proper patch management, and as part of our analysis we can apprise you of how up to date your software patches are.
Controls can be either technical or non-technical. We look at technical controls like encryption, intrusion detection mechanisms, and identification and authentication subsystems. Non-technical controls include security policies, administrative actions, and physical and environmental mechanisms. We will also look at what you are doing from a preventative and detective perspective with respect to your security controls.
Determine the Likelihood of an Incident
Here we attach a probability rating to the threats we have identified. Rather than a numerical score, we label each threat high, medium or low according to the likelihood of an attack or other adverse event.
Assess the Impact a Threat Could Have
Should a threat succeed, what will be the impact on the business? How long will the website be down, what files will be lost, will clients need to be notified of a breach, what will a replacement server cost, and how long will it take before it is back online? Each of these impact statements is assigned a rating of critical, medium or low with respect to the level of negative impact on your operation.
Prioritize the Information Security Risks
For each threat we determine the level of risk to the IT system, based on the following:
- The likelihood that the threat will exploit the vulnerability
- The impact of the threat successfully exploiting the vulnerability
- The adequacy of the existing or planned information system security controls for eliminating or reducing the risk
Our 3nerds technician will provide you with a series of recommendations for each threat discovered, along with an urgency level to guide decisions on the order in which new security controls are implemented.
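As an added example (not part of the 3nerds page or its tooling), the script below turns the ordinal ratings described above into a ranked risk register: likelihood and impact labels become ordinal values, the adequacy of existing controls scales the result down, and each threat receives an urgency level. The numeric weights, control-adequacy factors, urgency thresholds and the sample register are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Ordinal scales taken from the page's wording (values are an assumption).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "critical": 3}
# Share of the raw risk that remains after existing/planned controls (assumed).
CONTROL_FACTOR = {"adequate": 0.25, "partial": 0.5, "none": 1.0}


@dataclass(frozen=True)
class Threat:
    asset: str
    threat: str
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT
    controls: str     # key of CONTROL_FACTOR

    def __post_init__(self):
        # Reject typos such as "hgh" instead of silently mis-scoring them.
        for value, scale in ((self.likelihood, LIKELIHOOD),
                             (self.impact, IMPACT),
                             (self.controls, CONTROL_FACTOR)):
            if value not in scale:
                raise ValueError(f"unknown rating {value!r} for {self.asset}")


def risk_score(t: Threat) -> float:
    """Likelihood x impact, reduced by how adequate the controls are."""
    return LIKELIHOOD[t.likelihood] * IMPACT[t.impact] * CONTROL_FACTOR[t.controls]


def urgency(score: float) -> str:
    """Map a score to the urgency level attached to each recommendation (thresholds assumed)."""
    if score >= 6:
        return "immediate"
    if score >= 3:
        return "planned"
    return "monitor"


def prioritize(threats):
    """Return (asset, threat, score, urgency) tuples, highest risk first."""
    ranked = sorted(threats, key=risk_score, reverse=True)
    return [(t.asset, t.threat, risk_score(t), urgency(risk_score(t))) for t in ranked]


# Constructed sample register; values are illustrative, not from a real assessment.
REGISTER = [
    Threat("CRM database", "credential impersonation", "high", "critical", "none"),
    Threat("File server", "accidental deletion", "high", "medium", "adequate"),
    Threat("Web site", "DDoS interference", "medium", "medium", "none"),
    Threat("Office PCs", "hardware failure", "low", "low", "none"),
]
```

Running `prioritize(REGISTER)` places the unprotected CRM database first with an "immediate" urgency, while the well-backed-up file server drops to "monitor" despite its high likelihood.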
Documentation of the Results
The final step is a concise document that can easily be shared with management, outlining the threats, vulnerabilities, expected impact, likelihood of occurrence and overall risk of each identified threat, along with a set of recommendations to neutralize the threats.
Schedule my FREE Cybersecurity Risk Assessment
Click to the right and give us your contact info. We will contact you shortly to schedule your assessment.