I occasionally see advertisements from technology firms posing the question, “When was your last security assessment?” On the surface this may seem like a reasonable question, but in reality the whole logic of the question is flawed. A security assessment just gives a snapshot of your cybersecurity posture at a particular moment. However, the threat landscape is changing by the day, if not the hour, so the security-posture assessment is only truly valuable the moment you finish it. It is a snapshot in time.
To be truly confident that you have the best security posture possible, weekly assessments are recommended. Depending on the size of your environment, an assessment can take up to a day, so a more frequent interval would be difficult to accomplish. Certainly, a good security-posture assessment at any interval gives you actionable items that need to be addressed, and that will help shore up your security; but by design it can’t address things that happen in your computing environment in the days and weeks that follow.
As with any assessment, IT-related or not, it is valuable only if the actionable items are addressed. In the world of cybersecurity, this falls to the internal IT team. I can think of numerous times when a company has had a security assessment and it receives a report with thousands of items that need to be addressed. The IT team has great intentions of remediating the findings—but let’s face it, you demand a lot from your technology employees and there is no way to get it all done in a timely fashion. It is the tyranny of the urgent for nearly every IT professional…and the urgent is your company being able to transact business while growing and innovating. If you are reading this and you are an executive or company owner, and you are honest with yourself, that is your expectation too…your people have to be able to do their job, and remediating immediate issues impacting business is the priority. Security-assessment reports end up being a forgotten paperweight on someone’s desk until the next yearly assessment is due…or a much worse scenario plays itself out.
When the worst case plays itself out—and statistics indicate that it eventually will in your business if you haven’t implemented the right controls to prevent it—don’t be tempted to blame your IT team. Unless you maintain a very large team with a very large budget, you can’t expect your internal team to be experts on every threat in the landscape we face today, and even with a large team that might be a stretch. Recently a global aluminum manufacturer with a market cap of $70 billion was completely shut down by a ransomware attack. Given that, what chance do you have of protecting yourself against cyberattacks when you employ one or two IT professionals?
Your best chance is to engage a company that specializes in security solutions, and not a generalist IT company that has security on its line card of services. You need a firm that builds the foundation of all its offerings on security. Optimally, the services you receive from this provider should go beyond just monitoring your environment. The provider should be continually running security assessments and taking action on the findings; and while nothing is foolproof in this threat landscape, this will give you a fighting chance of not joining the companies and even government agencies that are splashed across the headlines every day. An incident response plan designed for your business is also a must. Symplexity is here to help with a fully featured security offering, and we would love to discuss it with you.