Potential problems you might have with a security assessment and how a security adviser solves them
When you sign up for a security assessment, you’ll get a defensive and offensive overview of your IT environment’s security.
While conducting the assessment, your adviser will try to find vulnerabilities in your system. They’ll suggest ways to address them and prevent them from becoming serious problems.
Good security advisers are meticulous. They also acknowledge that an assessment is an ever-evolving process: there will always be room for improvement, and customers are bound to have concerns and questions.
At The KR Group, there are three common problems we hear about security assessments.
- Problem #1: Security assessments can be expensive.
- Problem #2: Your security adviser will need access to your confidential information.
- Problem #3: The security assessment report review can be lengthy.
We’ve also found a way to solve each one of those problems, and in this article, we’ll discuss the best solutions for each one.
Problem #1: Security assessments can be expensive.
We’ve all been in the situation where we’re completely on board with a product or service, and then, we see the price tag.
A security assessment isn’t much different.
The KR Group’s Purple Team Hive Assessment costs at least $15,000 for 200 nodes (desktops, servers, firewalls, etc.). If you have 500 nodes across multiple sites, the price could be closer to $22,500 or more.
You might have been ready to sign up for a security assessment, but when you read the cost, you’re not sure if it’s in your budget.
Solution: There are other ways (although not as extensive) to assess your security posture.
If a security assessment is out of your price range, you can look at a less extensive security assessment.
We offer a Blue Team Hive Assessment, which is the defensive half of our full assessment. It looks at your security posture from a defensive standpoint only, so there is no offensive testing, but its per-node fee is lower than that of a Purple Team Hive Assessment, which reduces the overall cost.
Another less expensive option is a vulnerability assessment. Be aware that some providers label a vulnerability assessment as a "security assessment"; the two are not the same thing.
A vulnerability assessment is not as extensive as a security assessment. It is a scan for known weaknesses in your systems, and it is one of the tools used within a security assessment, not the whole analysis: it does not test whether those weaknesses can actually be exploited or review how your defenses are configured.
If you choose a vulnerability assessment, you’ll pay less, but you won’t get the same value as a security assessment.
We recommend you do something, though. If you don’t, you’ll continue to put yourself at risk for the possibility of malicious attacks and losing proprietary information.
Problem #2: Your security adviser will need access to your confidential information.
We hope it bothers you a little when we ask for credentials to log into your hardware and software. (If it doesn’t, you’ll hear from us about why it should.)
Of the two sides of a security assessment (offensive and defensive), the defensive side is the one that needs credentials: administrative logins to review how your systems are configured, and your users’ login credentials to analyze how strong they are. Before you hand anything over, ask how the credential-strength analysis is performed and what exactly is needed for it; working from exported password hashes rather than plaintext passwords is the normal practice, and you should know which one your adviser uses.
The offensive side never sees your login credentials, but it does run a phishing exercise: a lure that tries to get your users to enter their login information on a mock malicious website that the adviser controls.
The offensive team also tries to gain access to your network using the same techniques real attackers use. If they succeed, there are gaps in your current security that could expose your information.
Solution: Your security adviser securely stores and destroys or returns confidential information.
The credentials you hand over are stored on an encrypted thumb drive that is kept in a secure location at all times. Once the assessment is complete, the drive is returned to you.
If your users fall for the phishing lure and enter their login information, the exercise records only that a user submitted the form. What they typed is not recorded: the mock site logs the submission event and discards the username and password values.
Any other confidential information gathered over the course of the assessment is stored on a laptop with an encrypted hard drive. Once the assessment is complete, all of that information is destroyed.
Two checks are worth making on your side: ask how the encryption keys for the drive and laptop are protected and request written confirmation when your data has been destroyed, and rotate any administrative credentials you shared once the engagement ends, as you would for any third party who has held them.
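The following is an added example of how the phishing landing page described above can be built so that it records that a recipient submitted the form without ever retaining what they typed. It is illustrative code, not The KR Group's own tooling. The per-recipient campaign token field `t`, the `/awareness` redirect target, and the sample form body are assumptions made for the example.

```python
"""Mock phishing landing page that records *that* a recipient submitted the
form, but never *what* they typed. Added example; not The KR Group's tooling."""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Form fields the lure asks for. Only a yes/no "was this filled in" is kept.
TRACKED_FIELDS = ("username", "password")
# Hypothetical per-recipient campaign token carried in the lure link
# (e.g. https://mock-site/login?t=r-0042); it is the only value retained,
# so results map back to a recipient without keeping their credentials.
TOKEN_FIELD = "t"

EVENTS = []  # in-memory results store for the demo


def redact_submission(path, body, now=None):
    """Turn a POST to the landing page into a credential-free event record.

    path: request path with query string, e.g. "/login?t=r-0042"
    body: raw urlencoded form body, e.g. "username=jdoe&password=x"
    Returns a dict holding the recipient token, a timestamp and, for each
    tracked field, a boolean saying whether anything was entered.
    """
    query = parse_qs(urlparse(path).query)
    form = parse_qs(body, keep_blank_values=True)
    token = query.get(TOKEN_FIELD, form.get(TOKEN_FIELD, [None]))[0]
    event = {
        "token": token,
        "time": int(time.time()) if now is None else now,
        "submitted": True,
    }
    for field in TRACKED_FIELDS:
        # Reduce each field to a boolean; the submitted values are dropped here.
        event[field + "_entered"] = any(v.strip() for v in form.get(field, [""]))
    return event


def event_leaks(event, *secrets):
    """Self-check: True if any supplied secret string appears in the stored event."""
    blob = json.dumps(event)
    return any(s and s in blob for s in secrets)


class LandingPage(BaseHTTPRequestHandler):
    """Accepts the lure form, stores the redacted event, redirects to training."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        EVENTS.append(redact_submission(self.path, body))
        self.send_response(303)
        self.send_header("Location", "/awareness")  # hypothetical training page
        self.end_headers()

    def log_message(self, fmt, *args):
        # Silence the default access log so the request line is not written
        # to stderr either; the request body is never logged in any case.
        pass


if __name__ == "__main__":
    # Constructed sample submission, run through the redaction directly.
    sample = redact_submission("/login?t=r-0042",
                               "username=jdoe&password=Winter2024%21",
                               now=1700000000)
    print(json.dumps(sample))
    assert not event_leaks(sample, "jdoe", "Winter2024!")
    HTTPServer(("127.0.0.1", 8080), LandingPage).serve_forever()
```

The design point is that the credential values exist only inside `redact_submission` and are reduced to booleans before anything is stored; `event_leaks` is a cheap regression check that a later change to the event format has not started capturing them. Attribution relies on the token in the lure link rather than on the username the victim types, which is why the username can be discarded as well.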
Problem #3: The security assessment report review can be lengthy.
A trusted security adviser is passionate about improving your security posture and helping you maintain a secure IT environment. That passion should carry over to the assessment presentation, which should thoroughly explain your security posture.
Even if your security adviser gives the most charismatic presentation on your security posture, though, it can still end up being a lengthy presentation.
During the presentation, you’ll hear about every security item analyzed as part of the assessment, along with the highlights of what your adviser researched and discovered in your IT environment.
It can make for a long meeting.
The good news is your security adviser can be flexible with the time and setting of the final presentation.
Solution: There is flexibility with the security assessment review presentation.
A security adviser can start out the final meeting with lunch so you won’t be distracted by thinking about how long it’s been since you ate.
If you think you’ll be most attentive in the morning, you can schedule the review to coincide with your morning cup of coffee.
Another option is to split the review up over two segments. A security assessment report review is full of information, discoveries, and recommendations. If you think you’d be better able to digest it over a couple of meetings, let your security adviser know.
The security assessment is about making you aware of the risks in your IT environment, so scheduling it to accommodate your needs benefits both parties.
Next steps when considering a security assessment
While the overall cost, the required access, and the final presentation might cause you some concern about a security assessment, there is a solution to each problem.
You can consider a less extensive and cheaper assessment. You can ensure your security advisers handle your confidential information carefully. You can schedule the final review for when it works best for you.
We know this list doesn’t encompass all the possible questions and concerns about security assessments, particularly Purple Team Hive Assessments, though.
If you have additional concerns about whether a Purple Team Hive Assessment is right for you, check out our flowchart.