Join us for this second installment of our series, 5 Most Common Pre-Breach Mistakes Organizations make with Cyber Security. Last time we talked about Mistake One: Insufficient Information Security Independence. Today we’re discussing the second mistake, which is the inadequate use of outside assessors to help create a strong security plan.
Second Mistake: Poor Use of Outside Assessors
“In half of cases, the regulator is building his or her case off of some pre-breach, outside assessment that was done and wasn’t acted upon by the company.”
There is always a before and an after. Sometimes, in the world of cybersecurity, it can feel more like "before and aftermath" as organizations deal with the fallout from a breach. No matter what was lost – data, money, or both – any organization hit by a cyber attack should recheck its security from the inside out.
To do this, organizations often bring in an outside agency or an outside assessor to help them think through and improve their information security. An impartial outside assessor is always a good idea, because an unbiased opinion can be critical in identifying gaps in a security plan. Yet three things tend to go wrong with these assessments, time and time again.
The Three Issues With Outside Assessors and Their Assessments
First, the assessment that was selected wasn't the right assessment for the issue at hand. This usually happens because the organization had not fully considered its security exposure before commissioning the assessment, so it did not know what needed assessing in the first place.
Second, when the results of the assessment are presented, they are not acted upon, meaning nothing happens internally as a result of the assessment. This is the larger and more problematic issue, because the first request from regulators or lawyers after a cybersecurity incident is: "Please provide us with a copy of each and every outside security assessment you had performed from day one to the date of the event." If an organization's assessments revealed multiple issues, came with suggestions to improve the overall security posture, and the organization did nothing to address the findings, that creates a very problematic situation.
Third, the outside assessors and their assessments are often not engaged under attorney-client privilege. Having an assessment done in this manner creates a document that does not have to be handed over to regulators or lawyers. Instead of handing your competitors a blueprint of your issues, keep those documents in-house.
Organizations are storing more data than ever before, much of it in the cloud. The number of systems and devices a business has to protect has grown exponentially, which has expanded the attack surface available to hackers. The problem is pervasive, and criminals are remarkably successful in the attacks they launch. To fight back, organizations must stay updated, informed, and ready to counter threat actors in real time. Stay on the right side of the cybersecurity percentages with Idenhaus – contact us today for more information on a proper IAM plan and how to keep it updated.