fb pixel bcp.crwdcntrl.net

What Is A Cybersecurity Risk Assessment?

Posted on by Bob Paradise
21
Jun

As a business owner in the construction industry, you need to understand the value technology like computers, peripherals and software can bring to your business.

But it’s also equally important that you understand the dangers. For you to know where and how you can “go wrong” and inadvertently open your network and data up to viruses, hackers, and ransomware.

This is the essence of Cybersecurity, and the focus of a Cybersecurity Risk Assessment.

It’s important you understand how to keep your network, computers and data safe. You don’t want to be the victim of an attack.

When your network and data are compromised, the issue must be isolated. 

Depending upon how widespread the issue is, a portion of your network may have to go down for hours or, more likely, days.  The issue has to be cleared up. Holes have to be closed.

Basically, what I’m saying is … it’s a nightmare! You don’t want to go through it.

What you want to do is get ahead of it and do everything you can to be proactive and protect yourself.

That’s why I’ve put together this simple guide to generally understanding what is included in a  cybersecurity risk assessment.

When you want to ensure you are doing everything you can to protect your business and have a robust solution that proactively keeps you safe, and is also able to repair any issues quickly and easily in the event of a network security breach – you need to reach out to us at Attain Technology.

The Parts of a Security Risk Assessment

So, you know that you want a security risk assessment because you want to be safe. But what are the basics of a security risk assessment and what does it entail?

A security risk assessment will give you an idea of your level of protection and preparedness in the event of a network or data breach. You’ll have an idea of where you are vulnerable and what you can do to protect yourself.

A Security Risk Assessment covers two essential areas: Employees and Computers and other peripherals also known as hardware. Computers/Hardware is made up of software and data.

And while the structure for a cybersecurity risk assessment varies from each Managed Service Provider (MSP),  the basic structure looks like this:

  • Employees
  • Computers/Hardware
    • Software
    • Data

So let’s discuss these and I’ll share the important things you want to look for and check to make sure you are protected.

Employees

Even though the damage hackers and software exploits do are all bits and bytes in your computer network, your employees are the front line and your first line of defense.

In 2020, almost two-hundred million (200,000,000) businesses were hit with ransomware attacks. That’s about half of all businesses in the world. And the average cost of the downtime as a result of the attack was around two-hundred and eighty thousand dollars ($280,000).

$280,000! Can you imagine that? Do you have an extra $280,000 just lying around for trivial things like being hacked and having your data (and business) ransomed back to you?

This shouldn’t be the Wild West! Technology is supposed to streamline processes, speed up workflows, enable real-time connections and make work easier. But instead, bad actors, we’ll call them criminals, want to kidnap your business and hold it hostage, or delete all your data just for fun.

Your employees, if they know what to look for and what to do, they can stop 70% – 80% of your intrusion attempts.

That’s why you need to have a cybersecurity policy … so they know what to do.

Have a Cybersecurity Policy

The first thing you must have is a clear, simple cybersecurity policy, that you can distribute and train. We make this easy for you.

What it includes will depend on a couple things like, how restrictive you want to be with technology, and what is required for each team member to perform their role?

Some examples of this are your policies on social media use while at work. We can help you decide what is best, but maybe you decide you don’t even want to allow sites like Facebook to be visited from your network. 

What is acceptable use of technology? Can your employees bring their own device? If you give them a device, what can they install on it? 

What software is on each machine? Is it up to date and maintained? 

What type of authentication requirements do you want to have? Do you want to use two-factor authentication, do you want to use a hardware key fob, a dongle with a random number generator or other device that limits access to the network?

You have options. It’s important to understand your options. Reach out to us and we can provide guidance here.

Train Your Employees on Cybersecurity

Yes, I’m mentioning training your employees again. It’s that important. Remember, your employees are your front line of defense.

26% of ransomware attacks in 2020 happened because employees didn’t have any clue that they shouldn’t open a link in an email from someone they don’t know and never heard of.

What? There’s an Indian Prince who wants to give me $5,000 if I send him $100 in good faith first? Let’s click the link and find out what this is about …

They can’t click that stuff. It’s a trap! 

And phishing emails like this were responsible for 54% of the successful ransomware attacks last year. This dumb email tactic is responsible for generating billions of dollars in revenue for criminal organizations around the world who are feeding off of businesses just like yours.

And know, it’s not enough to train your employees just once. Scams and intrusion techniques and cybersecurity threats are constantly evolving. You need to make sure you regularly train with relevant, updated materials.

Control Access to Your Network and Computers

Hey, it’s your business, you can hide what you want to. 

That’s why you should ask yourself if your interns actually need to be able to access your QuickBooks, or Sage accounting data. Maybe your receptionist doesn’t need access to your bids and estimates.

We can assign roles to each employee and only give access to tools and data they need in order to do their job and perform effectively. 

You should take advantage of this, because employees themselves are a big risk. And I don’t mean they intend to be malicious. Employees can accidentally delete data and mis-click and slip with their mouse in the wrong folder and move one folder into another and not know what happened.

If you give administrative privileges only to trusted staff and limit what employees can do by role, you gain an extra layer of protection.

Ask yourself, “Are my employees given access to data and tools by their role?” Yes, or no? If yes, what roles, and are they useful and functional? If no, decide what roles you have and the data and tools they need access to.

Use Multiple Layers of Cybersecurity Protection

Employees shouldn’t just turn on their computer and have access to all your data.

Actually, to be safe, your network should always be a little paranoid about computers that sign into it and access data.

I know that sounds harsh, but an employee can literally take their laptop home with them and install some game from a Facebook ad that plants a secret worm on their computer. Then, the next day, when that computer is plugged into the network, the worm is spread across the network infecting every computer.

That’s why you want to have multiple layers of protection that keep every computer clean and safe and ensure your network stays clean and safe.

Here’s how it is done:

First, you have to have a password policy that prevents easy to guess passwords like “password” or an employee’s daughter’s name and a number like “madison1.”

You want strong passwords that are super difficult to guess or use artificial intelligence to crack. You want a password like “*SG&$@JI[p.”

Then you want to monitor your employee accounts on the dark web to ensure their passwords, and your data, are not for sale.

Additionally, you want a solid firewall, a Virtual Private Network (VPN), and sophisticated anti-virus on every machine (endpoint) that doesn’t slow the computer down to a crawl.

You want to make sure you aren’t vulnerable to attack. To protect yourself even more, you should implement multi-factor authentication (sometimes called two-factor authentication (2FA)). 

Multi-factor authentication performs an extra check to ensure the person requesting access to your network is your employee.

And to top it off, you will want the constant ongoing network monitoring we provide to ensure you are proactively protecting yourself and encrypting your hard drives.

Because, if a hacker was somehow able to access your data and copy it to their computers, not only would we lock it down and lock them out, they wouldn’t be able to read the data they downloaded. They wouldn’t be able to sell it, or use it in any way.

So, the essential layers of protection I suggest you have in place are:

  • Strong passwords
  • Dark web monitoring
  • A strong firewall
  • A Virtual Private Network
  • Anti-Virus
  • Multi-factor Authentication
  • Ongoing network monitoring
  • Hard drive encryption

The more layers of cybersecurity protection you have in place, the safer, more protected you are. The odds of being attacked are never zero, but with these multiple layers of cybersecurity protection you can make yourself very unattractive to hackers and criminals.

Now, let’s move on to the second essential area: Computers/Hardware

Computers/Hardware

While your employees are your front line of defense and pose your biggest cybersecurity risk, everything you do in the above employee area is put in place to protect your data.

And while your employees interact with their computers and there is software like anti-virus installed on them, in this section we are discussing the software and data on each computer.

Keep Software Up to Date

Have you ever wondered why software developers put out new versions of their software all the time?

There’s two reasons: 1) Updates to the program and better functionality. Software developers love to talk about this. 2) Bug fixes – Software developers log all of these, even though they know they are telling hackers where to look if they want to break into someone’s network so they can steal data to sell.

Yes, hackers love to find vulnerabilities in old software because the software developers put big red arrows pointing out the bugs in those previous versions.

Then, all hackers have to do is start scanning IP addresses for a specific port that software uses. Once they find it, they are in!

It really is as easy as that.

But to prevent this and prevent a hacker from just following a paint-by-number recipe to hack your business network, all you have to do is simply … keep your software up to date!

At Attain Technology, we automate this for you. We constantly monitor for new updates and we apply them for you and your employees.

Secure Your Data

You need to keep your data safe. It, after all, is the target of hackers and the prize that they want to ransom back to you. So, its security and protection are ultimately the most important part of a robust cybersecurity solution.

Securing and protecting data requires two things: 1) You know where your data is, and 2) it is backed up.

Where is Your Data?

I’ve found financial records for one business in three different folders on two different servers. And, these were recent files. Some, with the same name.

Let me ask you, which one is the right one? The one with the data they need?

They didn’t know either.

That’s a big problem! You need to have all of your data organized so you know what you have, where it is, and can access it instantly when needed.

That takes planning.

And what you get when you do this is certainty. You know exactly what your data is, where it is, and who has access to it. Because the more places your data lives, the more vulnerable and open you are.

But when you know the data you have, where it is and who has access to it, it makes it very easy to keep it backed up.

Protect Your Data by Regularly Backing It Up

Every industry has rules of thumb. In IT, systems administrators and systems engineers say, “If there aren’t at least three copies of the data in different places, it’s vulnerable.”

There has to be incremental backups daily, if not more often, and complete backups every week.

Once you have a backup, it shouldn’t be left on the computer it came from. 

And there shouldn’t just be a copy someplace on the network. You need 3 copies you can find and for redundancy you’ll want to have at least one of those copies on the cloud as well.

Having your data backed up will protect you from a range of different incidents like a ransomware attack or a virus.

One of the major benefits of using a Managed Service Provider like us at Attain Technology is we are able to perform multiple incremental backups every day so in the event of a cybersecurity ransomware attack, we can restore all your data from a backup that is as recent as an hour or two.

Another Level of Cybersecurity Protection

Premier level Managed Security Services Providers like Attain Technology can take your cybersecurity to an entirely new level.

Not only can we provide all the services we’ve discussed so far, but we have the ability to handle cybersecurity issues in real-time. If you were hit with a ransomware attack, we can lock down the attack and facilitate an “instant recovery” of your data and applications.

You don’t have to pay a ransom. You don’t lose any data. Your network doesn’t go down, and you can keep working.

We convert a nightmare event into a hiccup and a yawn.

In fact, we would make sure you are 92% less likely to experience any significant downtime from ransomware and are able to return to work quickly if you were hit by it.

Remember, the ransoms these criminals charge are expensive. But it’s nothing compared to the cost of downtime to your business from lost productivity. You aren’t just paying a team of people to sit around to do nothing, you also have to pay them to catch up once the network and data have been restored.

But with a robust cybersecurity solution where your network and data don’t go down and there is business continuity, it’s a non-event for you and your employees.

It’s something we can handle for you behind the scenes.

A Customized Cybersecurity Risk Assessment

You have to protect your network and data because your business depends upon it. So, understanding a cybersecurity risk assessment will help you identify where you are vulnerable and what needs to be done to protect your company. 

And it will help you understand our efforts to close holes and fortify any weaknesses.

As we discussed, there are two main areas of focus:

  • Your Employees
  • Your Computers/Hardware

If you use us, your business will be more secure than most others. Criminals are lazy by nature. So they will go after the easy targets … the low hanging fruit.

We protect you by making it much more difficult to penetrate your network and access your data than the next business.

Because your network and data are too valuable to lose, you will want to protect it and ensure it’s safe. When you work with us we will develop a customized plan to fit your needs.

There is a wide array of tactics and strategies to keep your company and data safe. We can guide you to the solutions that work best for you.

Bob Paradise

Bob Paradise has a track record of achieving success by utilizing his analytical and technical skills, along with leveraging diverse technology and cybersecurity solutions, to enhance business capabilities and reduce organizational risks.