The Right Time for a Pre-Breach Assessment is Actually Before You are Breached

It used to be that an organization’s information (either its own, or data that was entrusted to it) was relatively safe.  In the days before computers and the popularity of the Internet, someone had to physically remove information to steal it.  While not as prevalent, even that can still happen today.  But let’s face it, in today’s information-crazed economy, data is ubiquitous and information is golden.  Gaining access to it and stealing it is no longer a rare event, either.  Nor is it isolated to larger companies or companies that have “sexy” data (yes, I did just use those two words in the same sentence).  Suffice it to say, your organization is a target if only because you are connected to the Internet.

It is no longer a question of “If”, but rather a question of “when” your organization will be faced with a data breach.  Your job, therefore, is to get that risk as low as possible and to make the impact of a data breach as low as possible when it does occur.

Fortunately, there are some fantastic strategies for accomplishing this.  Unfortunately, no usable system can be 100% risk-free.  Security is a delicate balance between protection and convenience: the more secure you make something, the less convenient it is to use.  Take a situation that most readers are probably familiar with – passwords.  You’ve heard it, read it and been harped on by IT and outside experts about how important “complex” passwords are for maintaining security.  You’ve been told not to use the same password for multiple accounts.  Your IT department makes you change them on a frequent (read “too frequent for you, not frequent enough for them”) basis and you’re up to your eyeballs with the inconvenience that all of this introduces to what was once a simple computing task.  I’d argue that we’ve not yet reached the level of inconvenience that really needs to be endured to raise security to the next level, but where does it end?  The more secure we make something, the less convenient it is.

I know…grim news.  But there is a silver lining in it.  First, at present the vast majority of breaches occur because there’s a lot of low-hanging fruit out there and the bad guys are focusing on those targets.  Like the popular joke about getting caught in the woods with a bear and a group of your friends – you don’t need to be the fastest runner in the group, you just need to be faster than the slowest one.  If you can address the low-hanging fruit and then move on to an additional level or two of hardening, you will have far outpaced the vast majority of organizations out there.  Will this remove all of your risk?  Absolutely not!  But it helps to reduce it, as the bad guys will likely move on to easier targets.  Of course, vigilance is the name of this game, since new vulnerabilities are discovered every single day.  Further, as more organizations get their security in order, you still need to stay ahead of the curve; so constant attention to this is a must.

So, how do you get started?  That is precisely where a Pre-Breach Security Assessment comes in.  In any assessment, are we looking to remove 100% of the risk?  Well sure…we’re looking to, but is it realistic?  Not at all.  Therefore, the goal of such an assessment is to understand the lay of the land, determine the risks that exist, discover the current state of the controls that are in place and then report on the gaps between those controls and the ideal state.  The results provide a roadmap that can then be used to start addressing the deficiencies and shore up your security.

A Pre-Breach Assessment therefore should look at:

  • Identification of your actual threat environment (being compliant with statutory regulations such as HIPAA, PCI, SOX, Gramm-Leach-Bliley (GLBA), etc., is NOT good enough)
  • Best practices surrounding the various systems, environments and technologies in place at your organization (Risk Assessment)
  • Prioritization of the systems (a collaborative approach between assessor and client)
  • Scoping to determine what should be assessed (based on the results of the Risk Assessment and prioritization)
  • Assessment (“gap finding”)
  • Presentation of those findings
  • Agreement on remediation prioritization
  • Remediation
  • On-going review


The End Result

At the end of the day, the purpose of the Assessment is to accurately understand what isn’t working the way that it should be.  It is with this information in hand that a prioritized game plan is put together that, when followed, will bring your organization’s security to that new level that we all need to strive for – being (significantly) better than the “low-hanging fruit” that attackers are ready to pounce on.

Knowing what those gaps are can let you rest easier at night, build confidence in your client-base that their data is secure and significantly lower costs of responding to a breach should one occur.
