Why a Risk Assessment is the Beginning of Security, Not the End!

Derek Boczenowski
Apr 10, 2018 9:30:00 AM

In the past several weeks, the news has been filled with multiple compromises and hacks: Panera Bread, Delta, and Under Armour, just to name a few. One of the ones that has had the most impact is the ransomware attack on the City of Atlanta.

The SamSam ransomware that brought the city to its knees is destructive and very effective. It has crippled services, and the city has lost massive amounts of data; many reports say they are still working to recover what they can, well over a week later.

The reason I bring this up isn’t to have another discussion about ransomware, or even to provide tips on how it should be handled. One of the biggest crimes here is that the city knew they had a problem at least 9 months ago and failed to take steps to prevent this exact scenario!

Many businesses undertake audits and risk assessments. The reasons are varied. Some are forced by state and federal regulations, some are looking to use a good report to give to prospective clients, and some just want to discover where they have gaps in their technology and security posture. The City of Atlanta had an assessment done, and some large issues were pointed out not once, but repeatedly prior to the attack. And yet the city did nothing!

Compass IT Compliance has dozens of risk assessments going at any one time. We take great care to provide guidance on what vulnerabilities a client might have, as well as how to mitigate those issues. Many of our clients work hard to close the gaps even before the ink dries on the assessment.

But for some, like the City of Atlanta, the discussion becomes a lack of time, or a lack of budget, or a mindset of, “It happens to other people, not to us”. And so when a compromise occurs, an organization can take a huge reputational hit when it is discovered the gaps were pointed out and could have been fixed, but were not addressed.

A risk assessment or audit is merely the first step in improving security. Just like on the back of the shampoo bottle that tells you to, “wash, rinse, repeat”, in the security and compliance arena, the instructions are to, “assess, remediate, retest”. Don’t allow the assessment to be something that checks the box for your compliance. If we can identify the gaps in your security, so can the criminals that want to exploit them.

It isn’t always easy. Sometimes it doesn’t just cost time, but also quite a bit of money if systems and processes have been neglected for an extended period of time. But I bet that if you ask anyone in the City of Atlanta government, they would say they would have found the time and the money to fix things if they had it all to do over again.

And as with so many other things, it all comes down to awareness. If you run up against a budget issue or time issue in your organization when it comes to fixing technology and security issues, show them the effect it had on the City of Atlanta.

If you need help with where to start, a great resource is our Critical Security Controls eBook. This eBook, which was just updated to reflect the changes in version 7.0, gives you a great baseline of where to start and the top controls to implement to mitigate your risk. Click here to download a copy today!
