For many businesses, the rush to maintain productivity while meeting the challenges of a world amid a pandemic meant compromises in the security of their networks, data, and privacy.
Products like Zoom, Teams, Dropbox, and OneDrive became the norm for working and, as we saw, the focus of plenty of embarrassing moments.
With that hindsight, let’s talk about getting our own companies back on track and using this same blueprint to facilitate our clients’ efforts to keep their businesses safe.
Size up the Situation
Cybersecurity always begins with assessing the risk. We cannot address any situation until we know the extent of the problem and the details that surround it. For some industries, there’s a basic regulatory template that provides a framework for conducting a risk assessment.
The medical industry, for example, has a well-established set of standards and questions that we can evaluate under the HIPAA/HITECH guidance.
General business can follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) or, if a more formal protocol is required, NIST 800-171, which provides a more thorough set of controls to assess against.
For regulated industries such as medical and financial, the choice of framework may not be an option, but for others the NIST CSF will cover the basics and provide a great baseline. The key takeaway here is: every business should be assessing its risk regularly.
What is regular? Some argue annually is a good regular rhythm, but every competent security practitioner acknowledges that each time a fundamental network change is made, an assessment of the risk impact should be completed.
Businesses in the technology field should be looking at NIST 800-171, at minimum, and paying close attention to what controls their clients are required to apply so they can meet or exceed those standards.
When conducting this assessment on your business and client businesses, be sure to collect evidence supporting each claim. This is also a great time to update your documentation!
Evaluate and Decide
With a fresh risk assessment on hand, take each deficiency and rate it by impact, cost, and difficulty. This will result in an easy-to-sort list that will help you make some decisions about how to tackle the problem.
Impact refers to the likelihood of this risk being realized, weighed against simply accepting it for now. Keep it simple by using a scale of high/medium/low to rate the impact. A high-impact risk means there's a great likelihood of it being exploited and/or it's something so elementary that it just cannot be ignored.
Some great examples of a high-impact risk would be missing patches or no anti-virus being used. A medium-impact risk will be something that you could argue is not needed right away but should be on the roadmap for the next four to six months, such as multi-factor authentication.
A low-impact risk would be something that is very unlikely or may not immediately impact your environment. An example of a low-impact risk is not having documented system build processes and checklists.
While necessary and an excellent control, documentation like this can be developed over the next twelve to eighteen months and does not need to be immediately addressed.
Cost is simply how much in time and money each risk will take to mitigate. You can use a simple scale similar to impact or can actually fill in dollars/hours depending on your sophistication. This is a planning tool, so you don’t need to be specific, just close enough to make good decisions.
Difficulty is the final criterion I recommend you use to rate each risk. Again, a high/medium/low scale will be fine for our purposes here; it refers to how difficult each mitigation will be to implement in your organization.
For example, we could all agree that full biometric authentication to sign on to a computer is an optimal way to authenticate a user, but for a small office this could be difficult to implement.
Another example would be matching passwords against a list of known compromised passwords: though this may seem simple in theory, it can be challenging to implement depending on the systems used by the organization.
Once you have rated each risk using the criteria above, I recommend you create another list with all the items that are high impact, low cost, and low difficulty. Then, create a list for high-impact, medium-cost and medium-difficulty items. Those are likely going to be the first risks you will mitigate.
There is important psychology behind this. You’ll want some quick wins to give you fuel to tackle the tougher ones.
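As an added illustration (not part of the original article), the script below applies the three-criteria rating and the two work lists described above to a small, constructed risk register. It generalizes the second list slightly: any high-impact item whose cost and difficulty are no worse than medium lands in "next up", and everything else is sorted into a backlog by impact and then effort. The risk names and ratings are made up for the example.

```python
from dataclasses import dataclass

# Ordinal scale used for all three criteria in the article.
LEVELS = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Risk:
    name: str
    impact: str      # likelihood of the deficiency being exploited
    cost: str        # time and money needed to mitigate
    difficulty: str  # how hard the mitigation is to roll out

    def __post_init__(self):
        for rating in (self.impact, self.cost, self.difficulty):
            if rating not in LEVELS:
                raise ValueError(f"unknown rating {rating!r}; use low/medium/high")


def triage(risks):
    """Split a rated register into three work lists.
    quick_wins: high impact, low cost, low difficulty (do these first)
    next_up:    high impact, cost and difficulty no worse than medium
    backlog:    everything else, highest impact first, then least effort
    """
    quick_wins, next_up, backlog = [], [], []
    for r in risks:
        if r.impact == "high" and r.cost == "low" and r.difficulty == "low":
            quick_wins.append(r)
        elif r.impact == "high" and LEVELS[r.cost] <= 1 and LEVELS[r.difficulty] <= 1:
            next_up.append(r)
        else:
            backlog.append(r)
    backlog.sort(key=lambda r: (-LEVELS[r.impact], LEVELS[r.cost] + LEVELS[r.difficulty]))
    return quick_wins, next_up, backlog


# Constructed sample register; the ratings are illustrative, not a standard.
SAMPLE_REGISTER = [
    Risk("Missing OS patches", "high", "low", "low"),
    Risk("No anti-virus deployed", "high", "low", "medium"),
    Risk("MFA for remote access", "medium", "medium", "medium"),
    Risk("Password screening against breached lists", "medium", "medium", "high"),
    Risk("Biometric sign-on", "medium", "high", "high"),
    Risk("Documented system build checklist", "low", "medium", "low"),
]

if __name__ == "__main__":
    for label, items in zip(("Quick wins", "Next up", "Backlog"), triage(SAMPLE_REGISTER)):
        print(f"{label}: {[r.name for r in items]}")
```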
Close the Gap
Now that you have a few lists to work from, begin to close the gap. Remember that you’ll have some easy, inexpensive, quick fixes that will keep you motivated. Commit to implementing one to two per week (more or less depending on your situation and the size of the list) and the process should stay on track.
Bear in mind, this is NOT a guide on full compliance or professional risk assessments. This is intended to get you started, bringing you into the shallow end, so you can get some exposure to the process if you have never done so.
Rinse and Repeat
Finally, this is an iterative process of continuous improvement. Do not let this be the end, but rather let it be the beginning and make it a part of your culture so that, with each pass, your overall situation is improved.
Perhaps you are not yet where you need to be to perform a full-on risk assessment the next time around, but that's not the point: you will be miles ahead of the folks who read this article and decided they'll start on it next year.