What does it take to protect your company from cybercriminals and data breaches? For a long time, a strong password and a hardened firewall was the simple answer.
Not anymore.
Now, it takes a host of different measures to prevent bad actors from accessing your systems. But how do you know you’ve got the right measures in place?
Enter cybersecurity assessments.
A cybersecurity assessment is a thorough review of a company’s cybersecurity program. It can reveal what cybersecurity measures a business has in place and what other ones it would benefit from to improve its cybersecurity posture.
Darren Nyberg, vice president of client strategy at Xantrion, and Brandon Robinson, an attorney in the cybersecurity and privacy group at the law firm Maynard Nexsen, recently joined together for a panel discussion on cybersecurity assessments. Here are three key takeaways from the event:
1. The best time to conduct a cybersecurity assessment is before an incident occurs.
There are many reasons to conduct a cybersecurity assessment. Regulators are increasingly requiring them. Investors often request them. Customers find them reassuring. But companies don’t have to – and really shouldn’t – wait for external pressure before conducting a cybersecurity assessment. That’s because a cybersecurity assessment can identify security vulnerabilities so they can be addressed before devastating breaches happen.
“Cybersecurity threats are constantly evolving. They’re a moving target.” Nyberg explained. Cybersecurity assessments, he said, help businesses ensure they’re evolving with the threat landscape.
Robinson shared how a small manufacturing business lost some $200,000 through a business email compromise (BEC) scam. A cybersecurity assessment could have helped the company put measures in place to fend off this common threat.
“We would always encourage clients to be proactive in their cybersecurity assessments and improvements — and to do it on the front end,” Robinson said. “There’s plenty of opportunity to have best practices that may not be legally required but that do reduce your threat level and prevent losses that might otherwise occur.”
2. Not all cybersecurity assessments are created equal.
There are three different approaches to cybersecurity assessments: self-assessments, automated scans, and third-party assessments.
Self-assessments and automated scans should be approached with caution. In self-assessments, the person completing the assessment may have inaccurate information or may give answers that portray the company in an overly favorable light. Automated scans, meanwhile, often provide incomplete evaluations since they don’t account for cloud-based data and applications.
“They’re better than nothing,” Nyberg said, “but these tools typically paint an incomplete picture.”
Third-party assessments comprise the gold standard for cybersecurity assessments. Working with a managed security services provider (MSSP) can provide a comprehensive evaluation of your technical protections (such as cloud security strategies and backup and recovery measures) while a law firm with cybersecurity expertise can evaluate myriad legal issues, including policies governing technology use and oversight. In many cases, there are overlaps in what MSSPs and legal experts work on, which presents an opportunity for synergy.
“What’s really ideal is when you have a comprehensive assessment where legal and technical experts are working together to identify in a holistic way what issues may exist, and then suggest recommendations for the company’s consideration,” Robinson said.
3. Experts use trusted cybersecurity frameworks.
If a business has hired a third-party provider to conduct a cybersecurity assessment, it’s in their interest to ask “What cybersecurity framework are you using?” (If the answer is “none,” it’s time to look for a different provider.)
Cybersecurity frameworks provide standards and best practices against which businesses can evaluate their own technical controls. One of the most used and widely trusted is the framework from the National Institute of Standards and Technology (NIST). Other highly regarded frameworks include those from the Center for Internet Security (CIS) and the International Organization for Standards, as well as the security rule portion of the Health Insurance Portability and Accountability Act (HIPAA).
Xantrion’s Nyberg noted that his team relies largely on NIST while also incorporating standards from the other frameworks as well as those derived from Xantion’s own client experiences.
“Coupling a framework with experts in the field who have helped deploy and manage that framework is really the best way to attack the problem,” he said.
To learn more about cybersecurity assessments and how Xantrion and Maynard Nexsen can help you protect your business, contact Darren Nyberg at dnyberg@xantrion.com and Brandon Robinson at brandon.robinson@maynardnexsen.com.
Access the full webinar recording here.
