Cybersecurity and information security risks are some of the biggest threats your company faces. How can your business escape their damaging effects? One defensive weapon you have on your side are security assessments. Security assessments have proved to be one of the most effective approaches in reducing their impacts on businesses.
In this article, we help you understand what security assessments are, why they're critical to your business, when to conduct them, and how to do so effectively.
What Is a Security Assessment?
Your business depends on many types of information technology (IT) assets like data, software, hardware, cloud resources, and third-party software services.
Also called a security risk assessment (SRA), a security assessment is a periodic evaluation of the security of all your IT assets. It produces an action plan for preventing, detecting, and addressing relevant security risks.
IT security covers both physical and digital security. The former covers aspects like alarm systems and electronic door locks for building or server room security, whereas digital security covers assets that are in digital formats, such as your data and software. For on-premise hardware assets like servers and network routers, digital security covers aspects like operating system versions and authentication.
Security Assessment vs. Risk Management
Security risks are some of the top business risks you may face, even compared to market shifts in your industry, intense competition, overall economic environment, and other threats. One survey even found cyber incidents are the most important business risk of 2022.
Risk management involves creating long-term strategies to handle all these business risks, whereas security risk management is just one component of these strategies. For example, security risk management analysis may conclude that a long-term contract with a managed security service provider is wiser than directing your efforts towards an in-house security operations center.
Security assessments are periodic evaluations to ensure your security posture, i.e., the state of your overall security, remains responsive to new security risks.
To use an analogy, security risk management is like planning and constructing a military base at a strategic location. And security assessments are like daily patrols and weekly wall inspections to make sure intruders are kept out.
The Business Case for Security Assessments
Why should your business conduct regular security assessments? Here are four issues you may face if you ignore them:
1. Financial Burden
Cyberattacks can create unexpected expenses for your business:
- The average cost of a ransomware attack in 2021 was $1.85 million. That includes downtime, ransom payments, engineering effort, and other expenses.
- An average cloud data breach in 2021 was estimated to cost $3.61–$4.80 million in lost revenue and brand damages.
These are unnecessary expenses you can surely put to better use regardless of whether you’re bootstrapped or funded.
2. Client Endangerment
Many startups don’t realize early enough that their security weaknesses may be exploited to attack their prominent B2B clients. Your client may have robust security that’s difficult to breach from outside. Knowing this, attackers look for ways to infiltrate them through the IT systems of trusted business providers like you.
For example, 2020 saw a cyberattack that used SolarWinds’ networking software to compromise many of its prominent large clients like Microsoft, Intel, and the Pentagon.
Failure to prevent these can mean lost revenue, legal penalties, and a damaged reputation. Losing a large client may even be fatal to an early-stage startup.
3. Regulatory Compliance Penalties
Is your startup in an industry like healthcare or financial services that’s governed by regulatory standards? Or do you have plans to acquire clients in those industries? If so, you may be asked — either by regulators or by your clients — to conduct regular security assessments to check compliance with their standards.
Regulations may require both internal assessments and external assessments by third-party assessors. Failure to conduct them may result in regulatory penalties or failed business deals. For example, HIPAA violations can mean a $1.5 million annual penalty.
Take a look at the expectations these standards have for security assessments:
- Health Insurance Portability and Accountability Act (HIPAA): A HIPAA security risk assessment is mandatory for any organization that handles sensitive health data. Even if a business partner or vendor isn’t directly involved in healthcare, if they handle this sort of data, they should comply with these regulations. The frequency of assessment is not mandated, but annual or bi-annual is the norm.
- Payment Card Industry Data Security Standard (PCI-DSS): PCI-DSS regulates credit card payments and requires quarterly security assessments at a minimum.
- General Data Protection Regulation (GDPR): GDPR is a European regulation to protect users’ privacy and personal data. It asks for regular security and privacy assessments but does not mandate their frequency. Any business that has European customers or users should be GDPR-compliant.
4. Reputation Damages
A successful cyberattack on a company is often seen as indicative of its weak security culture. The total damage done to your brand reputation from a cyberattack is not easily quantifiable. But you can expect to lose some existing customers, drive away potential future customers, miss funding and investment opportunities, or lose acquisition deals. Yahoo’s data breaches resulted in a reduced valuation from Verizon during their acquisition talks in 2017. Target’s profit fell by 46% following a data breach.
5 Basic Elements of a Security Assessment
Now that you know why you should conduct security assessments, it’s time to understand how. The first step is understanding the five key elements that should be analyzed during a security assessment:
Any type of IT system your business uses is an asset. Here’s a non-exhaustive list of assets:
- Employee workstations, laptops, and mobile devices
- Customer data, including payments and subscriptions
- Cloud provider services
- Data storage devices
- Internal applications
- Third-party software services
A threat is any entity — person, group, nation-state, software, or competitor — that can potentially exploit, or trigger, some weakness in the security of your assets. Example include:
- Hacker groups
- Malware, ransomware, botnets, and viruses
- Intelligence agencies of other countries
- Malicious insiders
A vulnerability is a flaw or weakness in your assets or organization that enables a threat to exploit it. Here are some examples:
- Software bugs like the notorious Log4Shell bug of 2021
- Hardware flaws like the Spectre CPU bug of 2018
- Weak passwords
- Employees who don’t follow security best practices
Risk describes and quantifies the impacts — and likelihoods — of a threat exploiting a vulnerability in a specific asset. Likelihood tells you the probability of that threat and its impact actually occurring.
Technical impacts include prolonged downtime for your business services, permanent loss of customer data, data leaks, and so on.
Other impacts can be on your revenue, reputation, funding, business deals, acquisition discussions, stock market listing, or any other business metric.
5. Security Controls
Security controls are the mechanisms and safeguards you use to reduce the impacts and likelihoods of risks. They help you in the mitigation and remediation of threats to your business assets. By nature, they may be technical, organizational, or legal.
Examples for technical controls include:
- Strong authentication, like two-factor authentication (2FA)
- Access control policies, i.e., assigning specific permissions to specific job roles
- Data encryption at rest (on storage devices) and in transit (over the network)
- Security testing techniques like automated daily vulnerability scanning and regular penetration testing exercises
- Network firewall policies
- Canary dummy accounts whose presence in a data leak indicate a data breach in your company
Note: Organizational security controls include employee training and assigning clear responsibilities. Legal controls include legal agreements with vendors and non-disclosure agreements with employees.
Plan the Security Assessment Process
A security assessment can either be an internal assessment done by your employees or an external assessment done by third-party assessors. Both are important.
Internal assessments are not expensive. They can be done frequently to make your security strategies aware of the latest threats and vulnerabilities. Partial assessments can be planned more frequently for assets that are particularly vulnerable to new threats, such as customer-facing web applications.
External assessments are relatively more expensive. But they may be necessary for regulatory compliance. They also signal your seriousness about security to potential investors, business partners, B2B clients, or acquiring companies.
A Security Assessment in 7 Steps
An internal security assessment can be broken down into these seven basic steps:
Step 1: Form Assessment Teams
Assessment can’t be done by just your security teams. Software architects, who have the domain knowledge and technical experience to understand the importance of an asset, should be part of your assessment teams. Sometimes, project or business managers may have to be included.
We suggest creating multiple teams and assigning a set of departments or projects to each one. The architect or manager in each team can evaluate the assets, and the security analyst can assess their vulnerabilities and threats. Both evaluate risks and security controls.
Step 2: Discover Assets
Use automated tools to discover assets quickly. However, assessing risks for every asset separately is inefficient and even unnecessary. Instead, group them logically by type or function, and assess the risk for the entire group.
For example, a cluster of database servers hosting a critical database can be assessed as a whole rather than assessing every node individually.
Step 3 : Assess Vulnerabilities
Use automated vulnerability assessment tools designed for the type of asset being evaluated. But be aware that organizational vulnerabilities — like sloppy employees who write passwords on sticky notes — also exist.
Step 4 : Analyze Threats
The growing set of technical and non-technical threats makes this a critical step. Plus, every class of asset has a different set of threats with different likelihoods. The security analyst in an assessment team should be experienced and skilled at threat management and aware of the latest security news and threats.