What Is a Cybersecurity Risk Assessment?
The Russian attack and other recent high-profile cyberattacks have underscored how critical cybersecurity is to the government, and there may be an urge on the part of some agencies and lawmakers to simply spend money on IT security solutions to shore up defenses. While that will surely be needed, agencies first need to assess their vulnerabilities to determine the best solutions to acquire and implement.
Cybersecurity risk assessments are central to that effort. They often begin with a comprehensive gap assessment: a broad review of an agency’s security posture that can be conducted internally or by a trusted third party.
As Waris Hussain, a senior security solution architect with CDW, notes in a CDW blog post, analysts will conduct vulnerability scans, review architectures, conduct penetration tests and incorporate threat intelligence information into their work during these gap assessments. “The result is a set of recommendations for improving an organization’s technical controls and business processes for cybersecurity,” he writes.
As NIST notes in its Risk Management Framework for Information Systems and Organizations (SP 800-37 Rev. 2), “Risk assessment at the organizational level leverages aggregated information from system-level risk assessment results, continuous monitoring, and any strategic risk considerations relevant to the organization.”
Agencies should assess the totality of risk arising from their operations and their use of information systems, including interconnections with other internally and externally owned systems and the risk introduced by vendors.
“For example, the organization may review the risk related to its enterprise architecture and information systems of varying impact levels residing on the same network and whether higher impact systems are segregated from lower impact systems or systems operated and maintained by external providers,” the NIST document states.
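The segregation question NIST raises can be checked directly against a system inventory. The following is an added example, not code from the NIST document or from CDW: it takes a constructed inventory of systems with FIPS 199 impact levels, network segments and operators (all names hypothetical), and flags every segment where a lower-impact or externally operated system sits next to higher-impact ones, then rolls the findings up per segment for the organization-level view.

```python
# Added example (not from the NIST document or CDW): a segregation check an
# assessor might run over a system inventory. The inventory, segment names and
# impact levels below are constructed; "impact" uses the FIPS 199
# low/moderate/high scale that SP 800-37 builds on.
from dataclasses import dataclass

IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}
RANK_NAME = {rank: name for name, rank in IMPACT_RANK.items()}


@dataclass(frozen=True)
class System:
    name: str
    impact: str      # FIPS 199 overall impact level: low, moderate or high
    segment: str     # network segment (VLAN / subnet) the system sits on
    operator: str    # "internal" or "external" (operated by a provider)


@dataclass(frozen=True)
class Finding:
    segment: str
    system: str
    issue: str


# Constructed inventory for a hypothetical agency.
INVENTORY = [
    System("hr-payroll", "high", "core-vlan10", "internal"),
    System("case-mgmt", "high", "core-vlan10", "internal"),
    System("print-server", "low", "core-vlan10", "internal"),
    System("helpdesk-saas-connector", "moderate", "core-vlan10", "external"),
    System("public-web", "moderate", "dmz-vlan20", "external"),
    System("ids-sensor", "moderate", "dmz-vlan20", "internal"),
    System("intranet-wiki", "low", "user-vlan30", "internal"),
]


def segregation_findings(inventory):
    """Flag segments where higher-impact systems are not segregated.

    For each segment, take the highest impact level present. Any system
    below that level is a co-location finding; an externally operated
    system below that level gets a second finding, because a provider-run
    host is an adjacent foothold against the segment's high-value systems.
    """
    by_segment = {}
    for s in inventory:
        by_segment.setdefault(s.segment, []).append(s)

    findings = []
    for segment, systems in sorted(by_segment.items()):
        top = max(IMPACT_RANK[s.impact] for s in systems)
        for s in sorted(systems, key=lambda x: x.name):
            if IMPACT_RANK[s.impact] >= top:
                continue  # this system sets (or matches) the segment's ceiling
            findings.append(Finding(
                segment, s.name,
                f"{s.impact}-impact system shares segment with "
                f"{RANK_NAME[top]}-impact systems"))
            if s.operator == "external":
                findings.append(Finding(
                    segment, s.name,
                    f"externally operated system on same segment as "
                    f"{RANK_NAME[top]}-impact systems"))
    return findings


def summarize(findings):
    """Count findings per segment for the organization-level roll-up."""
    counts = {}
    for f in findings:
        counts[f.segment] = counts.get(f.segment, 0) + 1
    return counts


if __name__ == "__main__":
    results = segregation_findings(INVENTORY)
    for f in results:
        print(f"{f.segment}: {f.system}: {f.issue}")
    print(summarize(results))
```

On the constructed inventory only core-vlan10 produces findings: the low-impact print server and the vendor-operated helpdesk connector both share a segment with two high-impact systems, while the DMZ hosts only moderate-impact systems and raises nothing. In practice the inventory would come from the agency's CMDB or network scans, and the impact levels from each system's FIPS 199 categorization.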
What Are the Benefits of a Security Risk Assessment?
There are numerous benefits to conducting a cybersecurity risk assessment. One is that such assessments can identify organizational vulnerabilities that need to be remediated. These are sometimes the “low-hanging fruit” of IT security issues.
As Mikela Lea, a principal field solution architect with CDW, notes in a blog post, some of these common vulnerabilities or patterns of behavior include continued reuse of weak passwords, a lack of incident response capabilities and misconfigured multifactor authentication deployments.
Another issue that often comes up in IT security assessments, she writes, is a failure to meaningfully implement a separation of privileges. “Our penetration tests also demonstrate that once we gain access to any user account, we are almost always able to use that account to gain administrative privilege,” she notes. “Tricking a receptionist into falling for a phishing attack almost always allows us to gain full access to back-end systems. Organizations must implement extremely strict access control policies that implement a need-to-know requirement and lock down access tightly.”
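The privilege-separation gap Lea describes can be measured against a directory export rather than discovered only during a penetration test. The following is an added example, not CDW's tooling: it resolves nested group membership with a breadth-first search and reports every everyday (mailbox-holding, phishable) account that transitively holds an administrative group, together with the chain of groups that grants it. The accounts, groups and nesting are constructed and the names are hypothetical.

```python
# Added example (not CDW's tooling): resolve nested group membership to find
# everyday user accounts that transitively hold administrative rights.
# MEMBERSHIPS, ADMIN_GROUPS and USERS are constructed to resemble a flattened
# directory export; all names are hypothetical.
from collections import deque

# principal -> groups it is a DIRECT member of (principals may be users or groups)
MEMBERSHIPS = {
    "alice":    {"Domain Users", "Finance"},
    "bob":      {"Domain Users", "Helpdesk"},
    "carol":    {"Domain Users", "Receptionists"},
    "dave":     {"Domain Users", "IT"},
    "dave-adm": {"Tier0-Admins"},           # separate admin account, no mailbox
    # group nesting: the group on the left is a member of the groups on the right
    "Helpdesk":           {"Workstation Admins"},
    "Workstation Admins": {"Server Operators"},
    "IT":                 {"Domain Admins"},
    "Domain Users":       {"Remote Desktop Users"},
}
ADMIN_GROUPS = {"Domain Admins", "Tier0-Admins", "Server Operators", "Workstation Admins"}
USERS = ["alice", "bob", "carol", "dave", "dave-adm"]
EVERYDAY_GROUP = "Domain Users"   # marks an account used for mail and browsing


def reachable(principal, memberships):
    """BFS over nested membership; return {group: parent} for every group reached."""
    parent = {principal: None}
    queue = deque([principal])
    while queue:
        p = queue.popleft()
        for g in sorted(memberships.get(p, ())):
            if g not in parent:
                parent[g] = p
                queue.append(g)
    return parent


def admin_paths(principal, memberships, admin_groups):
    """{admin_group: [principal, ..., admin_group]} for each admin group reached."""
    parent = reachable(principal, memberships)
    paths = {}
    for g in sorted(admin_groups):
        if g not in parent:
            continue
        chain, node = [], g
        while node is not None:          # walk parent pointers back to the principal
            chain.append(node)
            node = parent[node]
        paths[g] = chain[::-1]
    return paths


def separation_findings(users, memberships, admin_groups, everyday_group=EVERYDAY_GROUP):
    """Accounts that are both everyday users and effective admins.

    Each finding carries the chain that grants the admin group, so the fix
    (remove the nesting, or move the person to a dedicated admin account)
    is obvious. Dedicated admin accounts outside the everyday group pass.
    """
    findings = {}
    for u in users:
        if everyday_group not in reachable(u, memberships):
            continue  # separate admin identity: separation is in place
        paths = admin_paths(u, memberships, admin_groups)
        if paths:
            findings[u] = paths
    return findings


if __name__ == "__main__":
    for user, paths in separation_findings(USERS, MEMBERSHIPS, ADMIN_GROUPS).items():
        for group, chain in paths.items():
            print(f"{user}: {group} via {' -> '.join(chain)}")
```

On the constructed data, bob and dave are flagged: bob's Helpdesk membership chains into Workstation Admins and then Server Operators, and dave's IT membership chains into Domain Admins, so a phish of either everyday account yields administrative rights directly. dave-adm holds Tier0-Admins but is not in Domain Users, which is the separation Lea calls for. Against a real directory, the same search runs over an export of user and group memberships, and the admin-group set is expanded with any custom groups that carry local administrator or privileged application rights.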
Conducting a cybersecurity risk assessment can also help an agency decide whether a new investment in security tools is justified and, if so, document that justification. “Added security usually involves additional expense,” an ISACA blog post notes. “Since this does not generate easily identifiable income, justifying the expense is often difficult. An effective IT security risk assessment process should educate key business managers on the most critical risks associated with the use of technology, and automatically and directly provide justification for security investments.”