It’s becoming increasingly vital for organizations in the financial sector to develop a cybersecurity posture. Bad actors are becoming more advanced and more skilled in their efforts to infiltrate and compromise financial systems. One proven method to keep continuously improving your resilience and protect critical assets is to conduct a Cyber Resilience Analysis (CRA).
Generally speaking, your security threat assessment will look at three main components:
- Conduct an Internal Vulnerability Assessment
Imagine you have a fence around your backyard. It keeps your dog contained to your property while keeping unwanted skunks out. From time to time, you likely will walk around the perimeter of the fence while you’re throwing the ball for your dog. You’re making sure all the fence posts are in working order and there are not any weaknesses in the fence line.
This is what we do when we conduct an Internal Vulnerability Assessment. The network is your “fence”: we walk its perimeter to identify information security risks and make sure it’s doing its job.
- Conduct an External Vulnerability Assessment
Now from time to time, you’ll walk around the outside of your fence to look at your property from the outside looking in. You also take this opportunity to look beyond your property to notice the other houses, people and animals in your neighborhood.
This is what we do when we conduct an External Vulnerability Assessment. We think like outsiders and identify risks from their perspective.
- Conduct a Penetration Test (Pen Test)
When you’re walking around the outside of your fence and you notice a small hole developing under your fence, you’d likely stick your hand in it to see how deep the hole is and imagine what has been digging. You’ll measure the hole to see if your dog could fit through that size of a hole.
When we do pen testing of your network, we’re looking for holes or other places of vulnerability. The white hat hacker is seeing how deep he could go in that area and how much information he could “get away with.”
Note: You can conduct a vulnerability test without going the extra step of doing a pen test. But it’s impossible to conduct a pen test without doing a vulnerability test. It’s like trying to measure the size of a hole from across the yard.
Security Risk Assessments greatly benefit an organization. Not only are they required by most of the compliance frameworks you’re likely obligated to follow, but they also help you create a more secure perimeter around your information and your customers’ privacy.
What’s the difference between Risk Management and a Security Risk Assessment?
An assessment is done at a fixed point in time and reflects the state of your security and systems at the time of the assessment. Risk management is the list of tasks that you complete in order to reach compliance and to have a better result during your next assessment.
What type of security assessment do you need?
Work with your MSP in a strategic planning meeting to understand the assessment and testing required by the compliance frameworks you are subject to. If the different frameworks require multiple assessments, your MSP partner will develop a risk assessment process to help you prioritize, complete, and document those assessments. Next they’ll help you complete the tasks to address the vulnerabilities identified in your assessment.
Many businesses will include this element in a business strategy session, where they consider the improvements and innovations they want to incorporate next and then complete a security assessment to make sure they have the infrastructure required for the desired business improvements.
If the assessment goes poorly, will I be fined for being out of compliance?
In our experience, when an organization receives a complaint or falls victim to an attack or data breach, as long as it is making every effort to continually reach for compliance, the regulatory bodies are understanding and helpful.
Opening your organization to an assessment may feel like a risk, and you may feel like you should have “everything in order” before you call a provider, but the reality is, it’s impossible for you to know all of the regulatory compliance standards on your own AND to know what steps you need to take to resolve any issues that arise. Working with a partner in a strategic planning session is a proven way to ensure that your organization is continually improving its security posture and reaching toward compliance.
Schedule a call with us today to determine which assessment might be best to protect your organization against cyber threats.
InfoSystems is an IBM Platinum Partner