What is included in a Cyber Security Risk Assessment?
Discovery Consultation. An in-person or video consultation attended by You and one of Our representatives in which we ask a series of discovery questions to familiarize ourselves with Your hardware, software, equipment, network, IT system, configuration, infrastructure, products and processes constituting Your IT environment (Your “IT Network”). Discovery consults are typically 30-60 minutes in length.
Install Remote Access Tool. Following the Discovery Consultation, We will install a remote access software that allows Our team to access and scan your network for malware and vulnerabilities.
Scan for Personally Identifiable Information (“PII”). PII refers to any data that can be used to identify an individual. Examples include your addresses, email, phone numbers, IP addresses, banking credentials, login IDs, account details and more. Our scans determine where personal and sensitive data is located and what it contains so that we can make recommendations as to how you can ensure compliance and avoid breaches or loss.
Scan for Exposure to Known Vulnerabilities. We use trusted scanning engines to perform a vulnerability scan of your servers, cloud systems, websites and endpoint devices, in order to identify cybersecurity weaknesses in your digital infrastructure and make recommendations as to what steps You may take to avoid costly data breaches.
Scan Equipment and Compare with CIS/NIST Standards for Security. CIS/NIST benchmarks are a set of best-practice cybersecurity standards for a range of IT systems and products developed by cybersecurity experts and industry research institutes. Our review analyzes whether Your IT Network is in line with the recommended baseline configurations to ensure compliance with industry-agreed cybersecurity standards.
Run Phishing Test. In this test, We create simulated phishing emails and/or webpages to be sent to You without advance notice, in order to determine Your security weaknesses. These simulated attacks are designed to help You understand the different forms a phishing attack can take and its identifying features, and to help You avoid clicking malicious links or leaking sensitive data in malicious forms. An overview of the test results with suggestions for improvement will be provided in the Risk Assessment Report.
Perform Dark Web Scan. Our dark web scan checks the dark web for your information among lists of stolen data, such as usernames and passwords, Social Security numbers, and credit card numbers. This data is usually stolen during data breaches and is bought and sold on the dark web. If we discover your data on one of these sites, our report will advise you of the necessary next steps to protect your organization and data in the future.
Run Software as a Service (SaaS) Scan. This scan allows us to scan Your network perimeter, identify potential threats relating to SaaS solutions currently in use, and provides a report of possible security risks.
Evaluate Equipment and Infrastructure. We take a detailed look at your hardware and infrastructure to identify vulnerabilities and bottlenecks such as outdated hardware and equipment, connectivity and integration problems, and other issues that prevent Your IT Network from running at its highest uptime potential. We will make recommendations for troubleshooting network elements that cause inefficiency, or may recommend a complete network overhaul if necessary.
Present Results and Recommendations. We will provide You with a Risk Assessment Report outlining the findings of the risk assessment, including an executive summary and detailed reports of the scans performed. You can use this Risk Assessment Report to make strategic decisions on managing the identified risk moving forward. Our recommendations will include tasks and items which in Our opinion are required to bring the Environment up to the standards recommended by Us. We will also make a recommendation as to the monthly reoccurring services to maintain the environments security and provide for quick and safe recovery in the event of a breach or issue.
Our Process – The Data Gathering: The CyberSecurity Risk Assessment
Cost and Time Requirements: It takes an average of 10-14 business days to complete a cybersecurity risk assessment. Cost of $1500 for first 15 devices (or users, whichever is lower), then $100 for each additional device/user (server or workstation). We have a 15 device/user minimum for all risk assessments.
Time is not a friend of most assessments as things or results can change rapidly. As result aging, they can lose their relevancy. On top of this, our assessment staff may need to redo the assessment (labor) if too much time passes (30 days is the normal limit from the start of the assessment process). Most review meetings are scheduled 7-14 days after the start of the cybersecurity risk assessment.
In a co-managed IT environment where internal IT resources collaborate with external partners, conducting a cybersecurity risk assessment with a 3rd party brings invaluable advantages to enhance overall security posture. Here’s a compelling reason:
Maximizing Objectivity and Independence: Collaboration between internal and external IT teams is essential for a robust co-managed IT environment. However, internal IT teams may inadvertently develop blind spots due to their familiarity with the organization’s systems and processes. By engaging a 3rd party for a cybersecurity risk assessment, you introduce an independent perspective and objective evaluation.
This impartiality ensures that potential vulnerabilities, threats, and weaknesses are identified without internal biases or preconceived notions. The external perspective helps uncover hidden risks that may be overlooked by those deeply embedded in day-to-day operations. As a result, the organization gains a comprehensive understanding of its cybersecurity landscape, enabling more effective risk mitigation strategies.
Moreover, regulatory bodies and compliance standards often recommend or require third-party assessments to ensure a higher level of scrutiny and impartiality. Demonstrating a commitment to transparency and accountability through an external evaluation can bolster stakeholder confidence and help meet regulatory compliance requirements.
In summary, conducting a cybersecurity risk assessment with a 3rd party in a co-managed IT environment is a strategic move to enhance objectivity, identify blind spots, and fortify the overall security posture of the organization. It’s an investment in proactive risk management that not only aligns with industry best practices but also contributes to a more resilient and secure digital infrastructure.
We understand things can happen. Due to the time sensitive nature of a cybersecurity risk assessment, we provide 1 reschedule as a courtesy. The rescheduled appointment should be no later than 7 days from the original date of the cybersecurity risk review meeting. On the 7th day, the timer for your credit promotion will begin.
The assessment credit is lost and a new assessment will need to be completed. The new assessment will be bound by the same timeliness requirements of the original assessment.
As time passes, your credit will lessen. The schedule is as follows: 100% credit of cyber security risk assessment costs if service agreement is signed within 72 hours of risk review, 75% credit within 7 days, 50% credit within 14 days, 25% credit up to 30 days and no credit if after 30 days.