Turning Security Assessment Guidance into Action
Security Assessments are a logical first step for organizations looking to improve their cybersecurity practice. Many clients who sign up for these assessments know they have security shortcomings and fully expect to receive a long list of vulnerabilities and recommendations in the final report. However, the vigour with which customers address the vulnerabilities identified in their Security Assessments varies widely. Some clients immediately start implementing the report's suggested changes in sequence and on an aggressive schedule. For others, the list of recommendations can seem daunting and time-consuming, and the report is sometimes set aside in favour of day-to-day tasks. Procrastination in the face of complex or large-scale tasks is understandable, particularly when routine work competes for a security team's limited time.
However, there are potentially dire consequences for organizations that do not address their cybersecurity vulnerabilities. Unfortunately, we have seen some of those worst-case scenarios firsthand: clients have contacted us in a panic after suffering a data breach that exploited a vulnerability identified in a previous Security Assessment.
For our part, iON tries to help our customers act promptly on our Security Assessment recommendations in a few different ways. During orientation sessions with clients, we establish that the assessment represents a starting point, not a finish line. We also put the cost of addressing security shortcomings in perspective by pointing out the cost of recovering from a major data breach. According to a recent survey, the average cost of a data breach in Canada in 2021 was $6.75 million per incident [1]. While this is a staggering sum, it is unsurprising once one adds up the costs of incident response services such as containment, forensic and dark web analysis, malware eradication, and service restoration, as well as the revenue lost to operational shutdowns. Needless to say, compared to a major breach, the cost of preventative measures is minuscule.
We have also refined our final report format to help clients take action sooner. Virtually all cybersecurity consultants provide reports that include a list of vulnerabilities ranked according to some combination of business impact, difficulty of remediation, and likelihood of exploitation. Our final reports go further and include suggested steps for remediating each vulnerability, using the client's existing resources wherever possible. This component of our reports requires additional time and effort, but our customers have consistently given positive feedback on the detailed, actionable remediation guidance it provides. We also offer a road map that focuses on the three highest-ranked findings, which, once addressed, yield the most significant and immediate improvements to the client's security practice.
To achieve a smoother transition, iON also recommends that administrators and managers pre-emptively inform staff that changes are forthcoming and explain that the changes are necessary to improve the organization's network and data security. In our experience, clear communication with end users about the desired outcomes consistently results in greater buy-in from employees.
iON can help with the remediation process through follow-up services such as Technology Selection consultations, which identify the tools best suited to closing gaps in the existing security stack. After the major remediations are complete, we can conduct Penetration Testing to evaluate their effectiveness. Setting a date for these follow-up services reinforces the timetable for the initial remediations and prevents them from being postponed.
If you’d like to learn more about iON’s Security Assessment service, please reach out to us at firstname.lastname@example.org.