Conduct a Cyber Resiliency Risk Assessment
Assess your cybersecurity practices based on regulatory requirements, industry frameworks, and any risks specific to your business. Cybersecurity assessments help you understand your organization’s vulnerabilities and what you can do to secure your information.
Once an organization has decided which security or compliance framework it will use to align its cybersecurity strategy, a resiliency assessment should be the first step. Firewalls, IDS, two-factor authentication, and private VLANs have been part of the enterprise security landscape for 25 years. Many corporations deployed these initial security controls based on their needs at the time, not as part of a global architecture road map. The cybersecurity threat landscape is constantly evolving: what was considered an attack 20 years ago, or even three years ago, has been replaced by updated threat vectors that require newer security capabilities.
Why perform an assessment first?
How does an organization know whether the security investments it has already deployed are working as advertised? Are its legacy devices configured properly? Do these security devices run the most current firmware? Is SIEM technology being used to monitor their logs? In many cases, because of company downsizing, outsourcing, or employee attrition, existing security controls may no longer be working at all.
An initial, front-end assessment performed by EVEE Consulting can help identify your current security capabilities. The assessment provides a sense of the gaps and of your resiliency to a myriad of threat vectors, such as ransomware, malware, and password spraying. Many of these newer vectors may not be detected by your current security controls. The initial assessment helps determine the “hot spots” within an enterprise and associates a contextual risk with each, so that priority levels and overall impact to the organization can be determined before any new security deployment.
What adaptive controls should you deploy?
Should clients deploy an adaptive control before completing an assessment? It depends on the client’s framework and overall security strategy. If a client operates in a regulated environment, such as FedRAMP, HIPAA, or PCI, or is aligning to the ISO 27001 standard, the best advice is to run an assessment to determine priorities. As an example, if during the initial assessment the EVEE team determines that the greatest vulnerability is at the endpoint, the organization may decide to deploy CrowdStrike, Cylance, or BitDefender. These are market-leading, proven technologies that, across thousands of clients, have demonstrated a positive impact on preventing attacks against endpoints.
If you are in a regulated market sector, you should work with EVEE Consulting to develop a priority strategy for deploying known capabilities, such as CASB for cloud security, multi-factor authentication, and Zero Trust/SASE remote access. After these proven technologies have been deployed, it is important to execute a post-deployment vulnerability test to confirm that they are functioning correctly.
Gain Confidence In Your Cybersecurity Posture
Confidence doesn’t happen in a vacuum.
Get a team of cybersecurity-obsessed business experts in your corner.