An IT security risk assessment is a tool businesses of all sizes can use to identify gaps and vulnerabilities that could expose you to an outside threat.
In other words, it allows you to see from a third-party perspective what is and isn’t secure within your environment. It’s a great way to protect yourself from a potential breach or attack.
At The KR Group, our security risk assessment, the Purple Team Hive Assessment, is for just about anyone who wants a plan to make their IT environment harder for attackers to infiltrate.
When you do decide to pursue a security risk assessment, there are a few steps you’ll need to take before the project starts:
- Realize you need a security risk assessment.
- Answer questions about your IT environment.
- Ask any questions you have about the assessment.
- Schedule the start of the security assessment.
Once you complete these steps, your security adviser can begin the actual analysis of your network and start working to help you achieve a stronger security posture.
Step 1: Realize you need a security risk assessment
While we believe everyone can benefit from a security risk assessment, that doesn’t mean you and other customers see the value right away.
Unfortunately, one of the biggest drivers for businesses to invest in a security risk assessment is an attack. When they realize how vulnerable their network is after it’s been exploited, they want to ensure it won’t happen again.
However, that’s a reactive approach to cybersecurity. The best way to address your security issues is to be proactive and invest in a security assessment before a breach happens.
We have many resources on the reasons you should consider a security risk assessment. Mainly, it boils down to the fact that responding to a breach will cost you more than even the most comprehensive security risk assessment.
Step 2: Answer questions about your IT environment
To develop a plan to analyze your specific IT environment, your security adviser needs some information from you, so they’ll ask you a series of questions. These include:
- When is the last time you had a security risk assessment?
- Why are you looking for a security risk assessment?
- Do you have cybersecurity insurance?
- What is your perceived level of risk?
- Do you perform regular phishing campaigns?
- What systems are mission-critical to your business?
The most important question in the interview is what systems are mission-critical. Your answer to this question will determine how your security adviser prioritizes remediation efforts and determines your level of risk.
All of your answers to these questions give your security adviser insight into how familiar you are with your security posture and how to tailor an assessment to meet your needs.
With the answers to those questions in mind, your security adviser then drafts a statement of work for you to sign. However, once you agree to the assessment, there is still another series of questions for you to answer regarding the specifics of your IT environment.
These questions are designed to gather information about your admin credentials, important hostnames, internal and external IP addresses, subnet ranges, wireless network details, remote access information, and email aliases.
The defensive side of the security team needs this information to assess security from the user side, but it is withheld from the offensive side of the team: they are expected to discover and exploit such details on their own, as an outside attacker would.
Step 3: Ask your security adviser questions
Your security adviser shouldn’t be the only one asking questions before the start of the assessment.
It’s your company’s IT environment that’s being analyzed, and we want you to be as invested – if not more – in the outcome as we are. We encourage our customers to ask questions at any time while we’re preparing or conducting the assessment.
Some of the common questions we receive include:
1. How much does a security risk assessment cost?
This is by far the most popular question our security team is asked, but its answer isn’t straightforward. The total cost depends on many factors, such as how many sites and nodes (devices such as desktops, servers, and firewalls) need to be analyzed.
We do help you estimate how much an assessment will cost your business in our article, “How Much Does a Security Risk Assessment Cost?”
2. How long is the assessment going to take?
For a comprehensive security risk assessment, you can expect it to take at least two to three weeks for your security adviser to look over the entirety of your environment, identify your vulnerabilities, rank them, and provide risk reduction recommendations.
Other types of security risk assessments don’t take as long, though. For example, a teleworker risk assessment, which looks only at the security of the technology supporting your remote workforce, takes only 8 hours of assessment.
3. How will the assessment impact the availability of my systems?
The good news is it shouldn’t. If for some reason your security adviser needs to temporarily bring a system offline, they will give you advance notice and keep the outage as brief as possible.
4. Do you resolve the issues you find during an assessment?
While security advisers do provide sound remediation recommendations, the labor to fix the issues is out of the scope of a security risk assessment.
However, this doesn’t mean you have no guidance on solving the issues revealed during the assessment. Your report will include all vulnerabilities discovered, rank them by risk, and then provide suggestions for addressing them.
Step 4: Schedule the start of your security risk assessment
Once all questions have been answered on both sides and you’ve signed off on the statement of work, the final step is scheduling the assessment and making sure you’re ready for it to begin.
Traditionally, this meant finding time for the security adviser to come on-site. Since COVID-19 has limited on-site activity, the entirety of a security assessment now takes place remotely. That doesn’t mean your security adviser doesn’t need accommodations, though.
For a remote assessment, your security adviser needs 100 GB of space on your virtual server (VMware, Hyper-V, Citrix) for their tools. They’ll also send you wireless adapters to attach to those virtual machines so they can perform the same wireless testing they used to do while on-site.
Once all of this is set, your security adviser can begin looking for the vulnerabilities and gaps in your IT environment.
Getting started with a security risk assessment
Once you realize you could benefit from a security risk assessment, ask and answer questions with your security adviser, and schedule the start of an assessment, the actual work of the security assessment can begin.
During a comprehensive security risk assessment, this is where your security adviser will look at all the areas of your IT environment from offensive and defensive perspectives.
To accomplish that, there are many more steps in the security assessment process.
To help you walk through the phases of a security risk assessment, we have an article you can read and a free infographic for you to download. They will walk you through what to expect during each phase of a security risk assessment.