Over the last year, the security community has dealt with numerous challenges across all industries, including an election, an ongoing pandemic, the SolarWinds supply chain breach, several widely exploited Microsoft Exchange vulnerabilities, an increase in business email compromise, and a rash of ransomware. These challenges have reached the boardroom, where executives are realizing they need better risk awareness and someone to translate between the technical capabilities of IT and the priorities of the security department. Although CISOs can expect the cyber literacy of boards to improve over time, the disconnect between executives and IT will continue to exist.
A cybersecurity assessment can play a significant role within an organization and help ‘sync-up’ executives and the technical owners of security. A comprehensive cybersecurity assessment is critical for determining whether your organization is prepared to defend itself against a range of threats. The goal of an assessment is to identify vulnerabilities in the current landscape, minimize gaps in security, and ensure your internal teams and vendors are aware of best practices to make risk-based decisions on implementing controls. It also aims to keep key stakeholders and board members in-the-know on the organization’s cybersecurity posture, making it possible to make more informed decisions about how security strategies can be implemented into day-to-day operations.
What exactly is a Cybersecurity Assessment?
A cybersecurity assessment allows an organization to compare its cybersecurity posture to a known, established, and peer-reviewed baseline. Assessments can be based on many different frameworks, including the Center for Internet Security (CIS) Critical Security Controls or the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This type of assessment addresses the essential functions of a security program: identification of assets and risks, protection, detection, response, and recovery. It rates the controls an organization has in place against the threats those controls are meant to address, and the ratings can then be used to design a comprehensive cyber defense strategy. Unlike an Enterprise Risk Assessment, a cybersecurity assessment reviews the policy, design, and reporting of controls related to information security and does not include an audit of control performance (see “Scope Considerations”).
At Elliott Davis, we leverage a proprietary scorecard based on the CIS Critical Security Controls to perform many of our assessments (see “Example Cybersecurity Assessment Scorecard”). It uses a grading scale (A for excellent through F for failing) that helps an organization identify areas that are deficient and need attention. The CIS framework prioritizes its controls in order of importance, which helps organizations determine where to focus attention and resources first. Our industry experience also allows us to identify issues that fall outside the framework, or that correspond to real-world attacks we see occurring against existing customers.
For example, we recently assisted a firm with a business email compromise (BEC) incident in which a vendor was deceived into paying a third party posing as the firm. Fortunately, the firm had already implemented best practice recommendations such as multifactor authentication (MFA), which allowed it to demonstrate that its own accounts had not been compromised and that it was not the source of the scam. Another assessment, completed at a healthcare organization, found that while the IT team had an effective backup plan, the time to restore from backups was much longer than management anticipated. In a short review meeting, management approved an additional line item for a more robust backup and recovery system that could restore functionality within a window acceptable to business operations. This is an example of an organization not asking the right questions of its technology team. Instead of asking “Do we have adequate backups to recover from a cybersecurity event?”, the better question would have been, “How fast can we recover from a cybersecurity event?”
Most organizations don’t have an unlimited budget for information risk management, so it’s best to focus on the most business-critical assets. By identifying the loss scenarios for each asset, an organization can determine whether the cost of preventing an incident exceeds the cost of the downtime or reputational damage it would cause. In such cases, it’s worthwhile to consider an alternative control or prevention method that makes better financial sense. It’s also important to remember that the level of risk facing an organization’s assets and the threat landscape are constantly evolving. A one-time assessment only analyzes the current landscape; routine cybersecurity assessments help organizations ensure their security controls keep up with emerging threats and continue to provide the best protection possible. Many customers complete assessments annually or for merger and acquisition purposes. Our customers also need assessments when investing in a third-party application, or during growth spikes when new vendors are added to the supply chain.
With over 100 cybersecurity assessments completed, we have gathered the top recommendations organizations need to act on or remediate. As illustrated in the “Most Common Recommendations” graphic below, the most common finding is an out-of-date hardware and software inventory; however, all seven areas we typically identify are critical to an organization’s security posture. Many customers don’t realize how fundamental it is to know exactly what hardware and software is in use before they can adequately protect it. Most of these recommendations are not high-cost budget items; they simply take some time and focus to complete.
One of the biggest benefits of an assessment or scorecard is its ability to synchronize the people responsible for security with the executive team. The simplicity of a scorecard highlights the areas where uptime is critical and outlines business continuity risks, aligning executives with the impact an attack would have on daily business performance. Put simply, an assessment provides an executive summary that helps leadership and directors make informed decisions about security. It can also play a vital role in protecting the organization against business email compromise, ransomware, and other common attacks.
Using Assessments to Battle High-Cost Business Email Compromise
Much of our attention is spent helping clients that are experiencing firsthand or secondhand business email compromise (BEC) issues. Most recently, another firm turned to us after a business email compromise incident involving a supplier. While the company had the proper controls implemented, it lacked the logging and historical data needed to absolve itself of fault. This firm is now completing an assessment to improve its overall posture. In a separate example, a strategic investment firm’s client recently wired $350K in response to instructions sent from a compromised email account. After a cybersecurity assessment, the firm’s scorecard identified the areas of risk that could lead to such exposure and provided a roadmap to remediation. The firm has also restored customer confidence that it is aligning with industry best practice.
According to the Federal Bureau of Investigation, BEC “is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business,” (Source: fbi.gov). The FBI received nearly 20,000 complaints of BEC in 2020, representing $1.86 billion in reported losses. How does BEC work? Criminals use several scenarios. Attackers can infiltrate networks and email platforms and gain access to legitimate corporate mailboxes, including those used for billing and invoicing; a fraudulent request sent from a real account is extremely difficult for finance and accounting (or any employee) to recognize. Lookalike domains are also used to fool victims: an attacker registers a domain that differs from a legitimate supplier’s by a single character, such as the firm’s own name spelled with one “t” (“Elliot” instead of “Elliott”), so the two addresses look identical to a quick read. From such a domain the attacker sends fake invoices and requests changes to payment instructions. Finally, phishing emails are used frequently to trick victims into revealing credentials and other confidential information, which gives criminals access to bank accounts and other sensitive data.
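The lookalike-domain pattern above lends itself to a simple automated check before anyone acts on a payment-instruction change. The following script is an added example, not code from the original article or from Elliott Davis: it compares the sender domain of a From: header against a constructed allowlist of approved vendor domains, first collapsing common homoglyph substitutions (0 for o, 1 for l, rn for m) and then measuring edit distance, so a domain missing one letter or swapping in a digit is flagged as a lookalike rather than passing as merely unknown. The vendor domains and sample headers are constructed for the demonstration.

```python
"""Flag sender domains that closely resemble an approved vendor domain.

Added example for the lookalike-domain BEC pattern; not code from the
original article. Vendor list and sample headers are constructed.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Constructed allowlist: domains the organisation actually pays invoices to.
KNOWN_VENDOR_DOMAINS = frozenset({"elliott-supply.com", "acme-supplies.com"})

# Characters and digraphs attackers swap in because they read alike in most fonts.
_HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


@dataclass(frozen=True)
class Finding:
    verdict: str            # "known", "lookalike" or "unknown"
    domain: str             # sender domain as it appeared in the header
    nearest: Optional[str]  # closest approved vendor domain, if any
    distance: int           # edit distance after homoglyph normalisation


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse common homoglyph substitutions."""
    d = domain.strip().lower().rstrip(".")
    for lookalike, plain in _HOMOGLYPHS.items():
        d = d.replace(lookalike, plain)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def assess_sender(from_header: str, known=KNOWN_VENDOR_DOMAINS,
                  max_distance: int = 2) -> Finding:
    """Classify the domain in a From: header against the vendor allowlist."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return Finding("unknown", addr, None, -1)
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # Exact match, or a subdomain of an approved vendor: nothing to flag.
    for k in known:
        if domain == k or domain.endswith("." + k):
            return Finding("known", domain, k, 0)
    norm = normalize(domain)
    nearest, distance = min(((k, levenshtein(norm, normalize(k))) for k in known),
                            key=lambda kd: kd[1])
    # Distance 0 here means the domains differ only by homoglyphs: still a lookalike.
    if distance <= max_distance:
        return Finding("lookalike", domain, nearest, distance)
    return Finding("unknown", domain, nearest, distance)


# Constructed From: headers standing in for an inbound invoice mailbox.
SAMPLE_FROM_HEADERS = [
    "Accounts Payable <ap@elliott-supply.com>",          # genuine vendor
    "Accounts Payable <ap@elliot-supply.com>",           # one 't' dropped
    "Acme Billing <billing@acme-supp1ies.com>",          # digit 1 for letter l
    "Acme Invoices <invoices@billing.acme-supplies.com>",  # vendor subdomain
    "Newsletter <noreply@unrelated-vendor.net>",         # simply not a vendor
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        f = assess_sender(header)
        print(f"{f.verdict:9} {f.domain:32} nearest={f.nearest} distance={f.distance}")
```

The edit-distance threshold is deliberately small; on short domains a distance of 2 already covers most typosquats, and a larger value produces false positives against unrelated short names. A "lookalike" verdict should route the message to the out-of-band confirmation workflow (a phone call to a known-good vendor number), not silently block it, since genuine vendors do occasionally change domains.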
As shown in the previous graphic, our top 7 recommendations to organizations include implementing Multi-Factor Authentication (MFA). MFA is an authentication method for websites and applications such as email in which users gain access only after presenting two or more independent factors: something they know (e.g., a password), something they have (e.g., a one-time code or prompt on a registered mobile phone), or something they are (e.g., a fingerprint or face scan). Because a stolen password alone is no longer enough to log in, MFA significantly reduces the likelihood of organizational accounts being compromised. Since the remote business model will continue to gain popularity, MFA is one of the most powerful tools an organization can leverage to protect its security posture. Furthermore, organizations should not rely solely on native email security. While providers have improved their offerings, the built-in security from cloud email providers should be treated as the base of an organization’s security stack, not the whole of it. Finally, always remain skeptical! Attackers are intelligent and take advantage of busy employees who may fail to recognize an attack, so training employees to look for signs of malicious activity is more critical than ever. Organizations with built-in workflow policies, such as a phone call to a known vendor contact to confirm any change in payment instructions before a wire transfer is sent, will be best positioned to prevent worst-case scenarios. A cybersecurity assessment provides insight into BEC exposure during the “organization controls” analysis, which reviews the organization’s implementation of security awareness and training.
In the future, we expect executives and board members to become more cyber-savvy, but in the meantime, a cybersecurity assessment can provide the missing link between IT, security professionals, and their executive team. It provides a means for an organization to answer critical questions, including: What are our internal and external vulnerabilities? What is the impact of those vulnerabilities if exploited? What cyber-attack would have the most impact on our ability to do business? What are we doing to empower our employees to make better decisions? A cybersecurity assessment can help organizations answer these questions and be in a better position to design a comprehensive cyber defense strategy.
We Can Help
Visit our Cybersecurity & Data Privacy page for more information or to contact our team to see how we can help.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.