Cybersecurity and information security risks are some of the biggest threats your company faces. How can your business escape their damaging effects? One defensive weapon you have on your side is the security assessment. Security assessments have proved to be one of the most effective approaches to reducing the impact of these risks on businesses.
In this article, we help you understand what security assessments are, why they're critical to your business, when to conduct them, and how to do so effectively.
What Is a Security Assessment?
Your business depends on many types of information technology (IT) assets like data, software, hardware, cloud resources, and third-party software services.
Also called a security risk assessment (SRA), a security assessment is a periodic evaluation of the security of all your IT assets. It produces an action plan for preventing, detecting, and addressing relevant security risks.
IT security covers both physical and digital security. The former covers aspects like alarm systems and electronic door locks for building or server room security, whereas digital security covers assets that exist in digital form, such as your data and software. For on-premises hardware assets like servers and network routers, digital security covers aspects like operating system versions, patch levels, and authentication.
Security Assessment vs. Risk Management
Security risks are some of the top business risks you may face, even compared to market shifts in your industry, intense competition, the overall economic environment, and other threats. One 2022 survey of business risks even ranked cyber incidents first.
Risk management involves creating long-term strategies to handle all these business risks; security risk management is one component of those strategies. For example, a security risk management analysis may conclude that a long-term contract with a managed security service provider is wiser than building an in-house security operations center.
Security assessments are periodic evaluations to ensure your security posture, i.e., the state of your overall security, remains responsive to new security risks.
To use an analogy, security risk management is like planning and constructing a military base at a strategic location. And security assessments are like daily patrols and weekly wall inspections to make sure intruders are kept out.
The Business Case for Security Assessments
Why should your business conduct regular security assessments? Here are four issues you may face if you ignore them:
1. Financial Burden
Cyberattacks can create unexpected expenses for your business:
- The average cost of a ransomware attack in 2021 was $1.85 million. That includes downtime, ransom payments, engineering effort, and other expenses.
- An average cloud data breach in 2021 was estimated to cost between $3.61 and $4.80 million, including lost business and brand damage.
These are unnecessary expenses you can surely put to better use regardless of whether you’re bootstrapped or funded.
2. Client Endangerment
Many startups don’t realize early enough that their security weaknesses may be exploited to attack their prominent B2B clients. Your client may have robust security that’s difficult to breach from outside. Knowing this, attackers look for ways to infiltrate them through the IT systems of trusted suppliers like you.
For example, in 2020 attackers planted a backdoor in updates to SolarWinds’ Orion network monitoring software. The trojanized update was distributed to SolarWinds’ customers and used to compromise prominent ones, including Microsoft, Intel, and the Pentagon.
Failure to prevent these can mean lost revenue, legal penalties, and a damaged reputation. Losing a large client may even be fatal to an early-stage startup.
3. Regulatory Compliance Penalties
Is your startup in an industry like healthcare or financial services that’s governed by regulatory standards? Or do you have plans to acquire clients in those industries? If so, you may be asked — either by regulators or by your clients — to conduct regular security assessments to check compliance with their standards.
Regulations may require both internal assessments and external assessments by third-party assessors. Failure to conduct them may result in regulatory penalties or failed business deals. For example, HIPAA civil penalties can reach $1.5 million per year for each category of violation.
Take a look at the expectations these standards have for security assessments:
- Health Insurance Portability and Accountability Act (HIPAA): A HIPAA security risk assessment is mandatory for any organization that handles protected health information. Even if a business partner or vendor isn’t directly involved in healthcare, if they handle this sort of data, they must comply with these regulations. The frequency of assessment is not mandated, but annual or twice-yearly is the norm.
- Payment Card Industry Data Security Standard (PCI DSS): PCI DSS applies to any organization that stores, processes, or transmits cardholder data. It requires vulnerability scans at least quarterly (external scans by an Approved Scanning Vendor), an annual compliance assessment, and penetration testing at least annually.
- General Data Protection Regulation (GDPR): GDPR is a European regulation that protects users’ privacy and personal data. It requires regular testing and evaluation of your security measures, and data protection impact assessments for high-risk processing, but does not mandate their frequency. Any business that offers goods or services to people in the EU, or monitors their behaviour, must be GDPR-compliant.
4. Reputation Damages
A successful cyberattack on a company is often seen as indicative of a weak security culture. The total damage done to your brand reputation by a cyberattack is not easily quantifiable. But you can expect to lose some existing customers, drive away potential customers, miss funding and investment opportunities, or lose acquisition deals. Yahoo’s data breaches led Verizon to cut its acquisition price by $350 million in 2017. Target’s quarterly profit fell by 46% in the quarter following its 2013 data breach.
5 Basic Elements of a Security Assessment
Now that you know why you should conduct security assessments, it’s time to understand how. The first step is understanding the five key elements that should be analyzed during a security assessment:
1. Assets
Any type of IT system your business uses is an asset. Here’s a non-exhaustive list of assets:
- Servers
- Databases
- Employee workstations, laptops, and mobile devices
- Customer data, including payments and subscriptions
- Cloud provider services
- Data storage devices
- Internal applications
- Third-party software services
2. Threats
A threat is any entity — person, group, nation-state, software, or competitor — that can potentially exploit, or trigger, a weakness in the security of your assets. Examples include:
- Hacker groups
- Malware, ransomware, botnets, and viruses
- Intelligence agencies of other countries
- Malicious insiders
3. Vulnerabilities
A vulnerability is a flaw or weakness in your assets or organization that a threat can exploit. Here are some examples:
- Software bugs like the notorious Log4Shell vulnerability (CVE-2021-44228) in Log4j, disclosed in 2021
- Hardware flaws like the Spectre CPU vulnerabilities disclosed in 2018
- Weak passwords
- Employees who don’t follow security best practices
4. Risks
Risk combines the impact and the likelihood of a threat exploiting a vulnerability in a specific asset. Impact is the damage done if the event occurs; likelihood is the probability that it actually does.
Technical impacts include prolonged downtime for your business services, permanent loss of customer data, data leaks, and so on.
Other impacts can be on your revenue, reputation, funding, business deals, acquisition discussions, stock market listing, or any other business metric.
5. Security Controls
Security controls are the mechanisms and safeguards you use to reduce the likelihood or the impact of risks. They help you mitigate and remediate threats to your business assets. By nature, they may be technical, organizational, or legal.
Examples for technical controls include:
- Strong authentication, like two-factor authentication (2FA)
- Access control policies, i.e., assigning each job role only the permissions it needs (least privilege)
- Data encryption at rest (on storage devices) and in transit (over the network)
- Security testing techniques like automated daily vulnerability scanning and regular penetration testing exercises
- Network firewall policies
- Canary accounts: fake user records seeded into your systems whose appearance in a leaked dataset indicates that your data was breached
Note: Organizational security controls include employee training and assigning clear responsibilities. Legal controls include legal agreements with vendors and non-disclosure agreements with employees.
Plan the Security Assessment Process
A security assessment can either be an internal assessment done by your employees or an external assessment done by third-party assessors. Both are important.
Internal assessments are inexpensive, so they can be done frequently to keep your security strategy current with the latest threats and vulnerabilities. Partial assessments can be scheduled even more often for assets that are particularly exposed to new threats, such as customer-facing web applications.
External assessments are relatively more expensive. But they may be necessary for regulatory compliance. They also signal your seriousness about security to potential investors, business partners, B2B clients, or acquiring companies.
A Security Assessment in 7 Steps
An internal security assessment can be broken down into these seven basic steps:
Step 1: Form Assessment Teams
An assessment can’t be done by your security team alone. Software architects, who have the domain knowledge and technical experience to judge how important an asset is, should be part of your assessment teams. Sometimes, project or business managers may have to be included as well.
We suggest creating multiple teams and assigning a set of departments or projects to each one. The architect or manager in each team can evaluate the assets, and the security analyst can assess their vulnerabilities and threats. Both evaluate risks and security controls.
Step 2: Discover Assets
Use automated tools to discover assets quickly. However, assessing risks for every asset separately is inefficient and even unnecessary. Instead, group them logically by type or function, and assess the risk for the entire group.
For example, a cluster of database servers hosting a critical database can be assessed as a whole rather than assessing every node individually.
Step 3: Assess Vulnerabilities
Use automated vulnerability assessment tools designed for the type of asset being evaluated. But be aware that organizational vulnerabilities — like sloppy employees who write passwords on sticky notes — also exist.
Step 4: Analyze Threats
The growing set of technical and non-technical threats makes this a critical step. Plus, every class of asset faces a different set of threats with different likelihoods. The security analyst in an assessment team should be experienced in threat modeling, familiar with current threat intelligence, and aware of the latest security news.
Step 5: Evaluate Potential Risks, Impacts, and Likelihoods
The assessment team can evaluate the technical impacts — like downtime or data loss — of a threat exploiting a vulnerability and the likelihood of them actually occurring. However, they may not know the full set of business or legal impacts. That’s why management and legal teams should also get involved in the risk analysis stage.
Likelihoods and impacts are typically rated on an ordinal scale such as high, medium, and low rather than as precise probabilities and dollar amounts. The two ratings are then combined into a single risk rating that determines priority.
Step 6: Select Security Controls
Once the risks are known, select a suitable set of security controls — like configuring authentication or data encryption — to prevent or minimize them. Just as with risks, management and legal need to review and expand on these.
Step 7: Prepare a Security Assessment Report
A security assessment report tabulates all the assets, threats, vulnerabilities, risks, impacts, likelihoods, and controls.
While spreadsheets may be sufficient for simple assessments, we recommend using governance, risk, and compliance (GRC) software to create these reports. The software allows assessments to be updated and tracked, providing an accurate state of your current security policies at all times.
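As an added example (not ThreatKey’s code and not part of the original article), here is the seven-step flow reduced to a minimal risk register in Python: assets grouped by function (step 2), one register row per threat-vulnerability pair, ordinal likelihood and impact ratings combined into a score (step 5), controls that reduce the residual risk (step 6), and a tabular report (step 7). The asset names, threats, ratings and controls are constructed sample data; the 1-3 scale, the likelihood-times-impact score and the rule that each control lowers likelihood by one step are simplifying assumptions of this example, not any standard’s scoring.

```python
# Minimal risk register for an internal security assessment.
# Added example, not ThreatKey's product code. Asset names, ratings and
# controls are constructed sample data; the scoring rules are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field

# Ordinal scale used for both likelihood and impact (an assumption, not a standard).
LEVELS = ["low", "medium", "high"]
RATING = {"low": 1, "medium": 2, "high": 3}


def group_assets(inventory):
    """Step 2: group discovered assets by function so each group is assessed once."""
    groups = defaultdict(list)
    for asset in inventory:
        groups[asset["function"]].append(asset["name"])
    return dict(groups)


@dataclass
class Risk:
    """One register row: a threat exploiting a vulnerability in an asset group."""
    asset_group: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if value not in RATING:
                raise ValueError(f"rating must be one of {LEVELS}, got {value!r}")

    def inherent_score(self):
        """Step 5: risk before controls, likelihood x impact on the 1-3 scale."""
        return RATING[self.likelihood] * RATING[self.impact]

    def residual_likelihood(self):
        """Step 6 simplification: each selected control lowers likelihood one step."""
        idx = max(0, LEVELS.index(self.likelihood) - len(self.controls))
        return LEVELS[idx]

    def residual_score(self):
        """Risk that remains after the selected controls are applied."""
        return RATING[self.residual_likelihood()] * RATING[self.impact]


def rate(score):
    """Map a 1-9 score back to the high/medium/low label used in the report."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(risks):
    """Highest residual risk first, inherent risk as tie-breaker."""
    return sorted(risks, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def render_report(groups, risks):
    """Step 7: tabulate the register as text (GRC software would replace this)."""
    lines = ["asset_group | threat | vulnerability | inherent | residual | controls"]
    for r in prioritize(risks):
        lines.append(
            f"{r.asset_group} ({len(groups.get(r.asset_group, []))} assets) | {r.threat} | "
            f"{r.vulnerability} | {rate(r.inherent_score())} ({r.inherent_score()}) | "
            f"{rate(r.residual_score())} ({r.residual_score()}) | "
            f"{', '.join(r.controls) or 'none'}"
        )
    return "\n".join(lines)


# Constructed sample inventory, as an asset discovery tool might produce it.
INVENTORY = [
    {"name": "db-01", "function": "customer-db"},
    {"name": "db-02", "function": "customer-db"},
    {"name": "db-03", "function": "customer-db"},
    {"name": "web-01", "function": "web-app"},
    {"name": "web-02", "function": "web-app"},
    {"name": "laptop-fleet", "function": "endpoints"},
]

# Constructed risks, one per asset group, with the controls chosen in step 6.
RISKS = [
    Risk("web-app", "hacker group", "vulnerable logging library", "high", "high",
         controls=["patch dependency", "WAF rule"]),
    Risk("customer-db", "ransomware", "unpatched OS on DB nodes", "medium", "high",
         controls=["OS patching"]),
    Risk("endpoints", "malicious insider", "weak passwords", "medium", "medium"),
]

if __name__ == "__main__":
    print(render_report(group_assets(INVENTORY), RISKS))
```

Note what the ordering shows: the web application carries the highest inherent risk, but because two controls were selected for it, the uncontrolled endpoint risk ends up at the top of the report. Sorting by residual rather than inherent risk is what makes the report point at the work still to be done.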
Security Assessment Methodology
So, now you know the basics of how to conduct an assessment. But an effective security assessment involves hundreds of little details. Experienced security groups have prepared reporting standards, analysis frameworks, and security methodologies to conduct them systematically.
We strongly recommend that your security team study these before planning an assessment:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- NIST SP 800-30 Guide for Conducting Risk Assessments
- NIST SP 800-37 Risk Management Framework for Information Systems and Organizations
- ISO/IEC 27001:2013 Information security management systems
When Should You Do Security Assessments?
A security assessment is a point-in-time evaluation of your security. But new vulnerabilities and threats emerge daily. We recommend that you conduct internal security assessments, in full or in part, whenever the following events occur:
- When new security threats and vulnerabilities are discovered in the wild: update your vulnerability scanning and threat-hunting tools to detect them, then re-assess the affected assets.
- When you acquire a new client or business partner: your assets may be a threat to them and theirs to you. Re-evaluate your threats, vulnerabilities, and risks for both cases.
- When regulatory compliance mandates an assessment.
Another factor to consider is the worst-case scenario. If you suffer a data breach or intrusion, how long can your business tolerate it going undetected? That should become the upper limit on the gap between your assessments. Keep in mind that a long gap between a breach and its detection may be perceived as either incompetence or a cover-up and can severely damage your company’s reputation.
You can keep your security assessments up to date using automated workflows for asset discovery, vulnerability scanning, threat hunting, and security control policies.
How ThreatKey Can Help Your Security Assessments
ThreatKey secures your cloud and third-party services by continuously detecting and automatically remediating any security problems we find. We secure your subscriptions to services like AWS, Google Workspace, Microsoft 365, Box, GitHub, Okta, and Slack. Many more popular services like Salesforce and Zoom are on our roadmap.
A very useful feature of ThreatKey is automated cloud asset discovery. All the entities of your cloud and third-party services are treated as assets. We use our system-of-record technology, coupled with API-based agentless scanning and log ingestion, to ensure full discovery of your cloud assets. You can use these discovered cloud assets as a starting point for your security assessments.
Our service monitors these cloud and third-party services in real-time for misconfigurations and other vulnerabilities. It reports any problems it finds to you. With your permission, it can automatically remediate them too. Such automated vulnerability scanning and reporting for cloud assets can be integrated with your security assessments to save you time.
Security Assessments Are Critical to Your Business
Security assessments are vital tools that help you foresee dangers to your business and keep your IT assets safe from cyber threats. Plus, they’re simple to implement — there’s no reason to avoid them.
ThreatKey’s features further simplify security assessments for your cloud and third-party services. Try ThreatKey for free today.