Live Chat Now
Available
Give us a call

Send us a text

855.890.3001

855.890.3001

What is a Cyber Security Assessment?

By Steve Smith

The information presented here is true and accurate as of the date of publication. DeVry’s programmatic offerings and their accreditations are subject to change. Please refer to the current academic catalog for details.
 

May 18, 2023

7 min read

 

To defend against cyberattacks and safeguard critical data systems, public and private-sector organizations of all sizes need to make cyber security a top priority. With a cyber security assessment, which is sometimes referred to as a cyber security risk assessment, organizations can get a clearer picture of their vulnerabilities and risk level in terms of data loss due to cyberattacks and the long-term effects of those vulnerabilities.

 

In this article, we will take a close look at why organizations should conduct assessments, who benefits from them and the different types of assessments that serve a range of cyber security objectives. We will also present a step-by-step guide to performing a cyber security assessment. 

What is the Objective of a Cyber Security Assessment?

Cyber security assessments should be an integral part of your overall risk management strategy, helping you to avoid both long and short-term risks. Conducting a cyber security assessment can help you identify potential security threats and vulnerabilities and show you exactly where your organization needs improvement. 

Here are a few more reasons why such an assessment is a good idea:

    • Safeguard against data breaches: Protection against security breaches and the data loss that could result from them is a primary reason to conduct a cyber security assessment. A data breach involving the compromise or loss of customer data, financial information or intellectual property can have devastating short and long-term consequences, like a loss of revenue and potentially irreparable damage to your organization’s brand. 

  • Provide a template for future assessments: Since this type of assessment is not a one and done test, performing your first assessment will lay the groundwork for a standardized and repeatable process that can be done on a regular basis, regardless of staff turnover or changes in operational processes.

  • Avoid application downtime: By reinforcing cyber security protocols and recruiting professionals with ample cyber security training, you can make sure customer-facing systems are functioning normally and are available when they need them. 

  • Avoid regulatory issues: Stolen customer data could be deemed the result of failure to comply with regulations. One example of this are the rules and regulations required by the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule was enacted to create standards for keeping individuals’ health information private while allowing information to be shared between healthcare providers. Penalties for non-compliance with HIPAA’s Privacy Rule can range from $127 - $63,973 per violation.

Who Benefits from a Cyber Security Assessment?

Because of the variety of different types of cyberattacks and the reasons cybercriminals carry them out, companies of any size can benefit from a cyber security risk assessment, especially as their information security policies evolve. Private-sector businesses that process and store huge amounts of data like e-commerce, banking and healthcare may be the first to come to mind, but this is not exclusively a private-sector business concern. Public entities like state and local governments need to be concerned about cyber security as well. 

A 2021 survey from identity management company BeyondTrust showed that work-from-home initiatives, cloud adoption and increased use of IoT (Internet of Things) in the public sector are among the most concerning cybersecurity trends in government, as identified by senior security professionals across the United States, due to public sector IT teams embracing digital transformation and cloud services in in an effort to create more agile and cost-effective operations to better serve their constituents.

The survey states that while these moves toward modernization have boosted productivity, they have also created new vulnerabilities for cybercriminals to exploit which pose considerable challenges for cyber security teams. 

Types of Assessments

Just as different diagnostic procedures are used to identify problems in different systems in the body, different types of cyber security assessments employ their own approaches to serve different security objectives. A sampling of these include:

  • Third-party risk assessment: This type of assessment is conducted to measure the level of risk that can come with third-party relationships, such as with vendors who have remote access to an organization’s data.

  • Social engineering assessment: Social engineering tactics are ways malware and spyware are often delivered, typically through emails. The goal of this kind of assessment is to audit the level of cyber security awareness throughout an organization by trying to covertly access data or a network via its employees. By evaluating their knowledge of cyber hygiene and ability to spot social engineering attempts, a plan can be developed to improve cyber security education if it’s needed.

  • Vulnerability assessment: These assessments are among the most frequently performed tests in the industry and are usually automated. Their function is to detect flaws within networks, code, data or applications. When vulnerabilities are found, security patches or updates are implemented.

  • Penetration testing: Often called ethical hacking, this assessment is used to test the weaknesses found in the vulnerability assessment. Using the same methods a malicious hacker would use to gain access to a data system, penetration testers scope out a company’s security structures and simulate an attack to identify where security needs to be strengthened.  

  • Cloud security assessment: Essential for organizations using SaaS (Software as a Service), IaaS (Infrastructure as a Service) or PaaS (Platform as a Service), a cloud security assessment identifies risks and threats to cloud-based assets. It focuses on uncovering vulnerabilities in cloud infrastructure and neutralizing them using various access control management and governance measures.

How Do I Prepare for a Cyber Security Assessment?

A cyber security risk assessment should begin by reviewing documentation, analyzing your infrastructure and systems, and interviewing data owners, management and other employees, followed by a step-by-step approach:

1. Determine Information Value and Prioritize Assets

This step is important, especially for businesses with limited budget and resources. Define standards for determining and prioritizing the value of information in your systems. Criteria could include asset value, business importance and legal standing. Ask the following questions to accomplish this:

    • How useful is this information to attackers or to our competitors?

    • If lost, could the information be recreated? How long would that take, and how much would it cost?

    • If information is encrypted, do you have a backup? 

    • What are the potential financial or legal penalties associated with the loss or compromise of this information? 

    • What impact would loss or compromise of the information have on our company’s daily operations?

    • What is the time required to bring devices and software back online? What does the potential business disruption look like?

    • What about long-term impact? What reputational damage could the loss or exposure cause?

Work with your stakeholders to create a complete list of all your important assets. This includes assets that produce revenue, as well as those that ensure data integrity to your users. 

2. Identify Threats

Once you’ve identified and prioritized your organization’s assets, identify threats such as occurrences, individuals, entities or actions that could potentially impact your network and data systems. Examples of some of these threats are:

    • Data leaks which could occur as the result of poor configuration of cloud services or weak security policies and authentications standards. Here is where the loss of sensitive data like customers’ personal information could lead to a devastating loss of customer trust, revenue and reputation.

    • Insider threats, such as the misuse of information by authorized members of your team can also have devasting effects such as financial or reputational damage, regardless of whether it was intentional or accidental.

    • Service disruptions caused by a cyberattack could have sudden and two-fold consequences, resulting in a loss of revenue and potentially motivating your customers to take their business elsewhere. 

3. Identify Vulnerabilities

Even the smallest vulnerability can be exploited by a cybercriminal. Identify vulnerabilities by conducting audit reports, vulnerability analyses or software security analyses. To resolve software-based vulnerabilities, make sure that you have patch management taken care of with automated updates. At this stage, you should also make recommendations to address physical vulnerabilities and defend against exploitation of your computing system or keycard access.

4. Document Your Results in a Risk Assessment Report

Capture the information you’ve collected throughout your assessment in a report that will help management make well-informed decisions on policies, procedures and budgets. The report should describe the value, risk and vulnerabilities for each threat, the likelihood and impact of occurrence and mitigation recommendations. An extensive risk assessment report will help you communicate clearly with senior-level stakeholders, helping them to understand what the risks are, how they were discovered and what security controls and processes must be implemented to help prevent or combat them.

5. Implement and Monitor Security Controls

Based on the information in your risk assessment report, the new security controls can be implemented. These could be achieved through technical measures like hardware, software, encryption and two-factor authentication, or non-technical ones like management of key card access. To ensure optimal performance, new security measures should be continuously monitored to ensure they remain secure and are performing as intended. 

Thinking About a Career in Cyber Security?

If you’d like to learn how to help organizations protect their critical data, we can help. At DeVry, the hands-on learning opportunities built into our Bachelor’s in Information Technology and Networking Cyber Security Specialization are designed to help you gain familiarity with network security testing, risk factor analysis and other techniques used to safeguard systems against cyberattacks. 

Our Future Cyber Defenders Scholars program offers eligible students access to events and training sessions hosted by leading industry organizations, as well as access to job search resources, internship opportunities and apprenticeships. 

8-Week Class Sessions

Classes Start January 6, 2025
Related Posts