The first part of any cyber security audit is to assess risk. Risk is anything that could damage infrastructure, cost money through lost revenue, or expose intellectual property and trade secrets. If you’re a small business owner and need to improvise, here are the steps to perform your own cursory review.
Review Your Network Resources
Before you can start assessing risk, you need to review your network resources. One mistake many business owners make is to audit only the resources they think could be a risk. Assess everything connected to your network; the bad guys certainly will!
For instance, printer memory can be used to store hidden malware, or the stored files scanned and printed by employees could be stolen by a clever hacker. Printers are normally considered benign resources, but they can be used in an attack.
Always document every resource even if you think it has no risk. Remember to include even the most innocent resources like printers, IoT devices, internal hubs and routers, and unused desktops.
Identify Possible Threats
This part of the assessment should really be done by a professional, but it’s still possible to do a cursory review of your resources. For instance, you know that malware often infects individual desktops, so they pose a threat to your security.
The hard part with this step is properly identifying risk. Using the printer example, you might not realize that printer firmware must be upgraded to defend against attacks. In addition to being a possible source for document leaks, printers can also be used in DDoS attacks (http://www.securityweek.com/printer-vulnerabilities-expose-organizations-attacks). To understand resources that pose a risk, you need to understand cyber security.
If you have a limited understanding of cyber security, you can still do a high-level risk assessment. Just remember that even the simplest network component can still pose a threat if it has an IP address on the network, stores any sensitive data, and/or allows users to access it over the network.
Rate Each Risk and Impact
Not every risk is a high priority. In this step, you rate each risk as low, medium or high. This helps you prioritize where to focus most of your effort initially; you then work down your list to the medium- and low-risk resources.
Perimeter routers are high risk unless patched with the latest firmware and properly configured. A router with outdated firmware would be a high-risk, high-impact resource that should be a priority.
Low-risk items are resources whose compromise would have little impact. Documents containing information that is already available to the public might be low risk. A drive holding only such documents would be low risk and low impact should it be compromised, so you should rate it low on the priority list.
Analyze Your Protection
Most organizations know cyber security is necessary, so you probably have some protection in place, such as firewalls and antivirus software installed on desktops. This step also takes a professional, because you might think you have protection in place, but I guarantee you that any competent hacker will get through. That is why PeopleSec guarantees its services.
Analyze any cyber security protection in place, because it reduces risk. This step might affect your priority because you could have a high-priority item that already has the best protection. This type of resource would then be a lower priority.
Calculate Your Risk
Identify all resources an adversary could utilize. When you’re doing a cursory review to qualify risk, you won’t have a number to work with, but rather an overall outlook on risk versus impact. Follow these steps, and you will have started a basic risk assessment.
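The steps above can be captured in a small risk register that ranks an inventory by likelihood times impact and lowers the priority of anything that already has protection in place. This is an added example, not code from the original post or from PeopleSec; the asset names, ratings and the one-step-per-control adjustment are constructed assumptions for illustration.

```python
# Added example (not from the original post): a minimal risk register that
# follows the audit steps above. Asset names and ratings are constructed.
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    has_ip: bool                # has an address on the network
    stores_sensitive: bool      # holds data that is not already public
    network_access: bool        # users can reach it over the network
    likelihood: str             # "low" / "medium" / "high"
    impact: str                 # "low" / "medium" / "high"
    controls: list = field(default_factory=list)  # protections already in place


def in_scope(asset: Asset) -> bool:
    """An asset can pose a threat if any of the three conditions holds."""
    return asset.has_ip or asset.stores_sensitive or asset.network_access


def priority_score(asset: Asset) -> int:
    """Likelihood x impact (1..9), lowered one step per existing control (assumed rule)."""
    base = LEVELS[asset.likelihood] * LEVELS[asset.impact]
    return max(1, base - len(asset.controls))


def prioritize(assets: list) -> list:
    """Return (name, score) pairs for in-scope assets, highest priority first."""
    ranked = [(a.name, priority_score(a)) for a in assets if in_scope(a)]
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


# Constructed inventory, mirroring the examples given in the text.
INVENTORY = [
    Asset("perimeter router (outdated firmware)", True, False, True, "high", "high"),
    Asset("employee desktops", True, True, True, "high", "medium", ["antivirus", "firewall"]),
    Asset("office printer (unpatched firmware)", True, True, True, "medium", "medium"),
    Asset("public-documents share", True, False, True, "low", "low"),
    Asset("unused desktop in storage (unplugged)", False, False, False, "low", "low"),
]

if __name__ == "__main__":
    for name, score in prioritize(INVENTORY):
        print(f"{score}  {name}")
```

The unplugged desktop is still documented in the inventory, as the first step requires, but it drops out of the ranking because it meets none of the three conditions that make a component a threat.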
After you finish these steps, you should have an overall outlook on what type of cyber security your business needs. A professional will still want to go through your resources and do their own risk assessment. Performing audits gives you a gauge of just how much of a target your network could be for an attacker.