At COMPASS, we perform cyber security risk assessments for a wide range of clients across a diverse set of industries. These organizations range in size from a handful of employees to over fourteen thousand. Some clients are in highly regulated industries such as healthcare and financial services while others are in less regulated industries such as academic, construction or wholesale distribution. Although our client base is highly diverse there are common findings we encounter on almost every single engagement. These findings are consistent whether our clients have in-house information technology (IT) employees or use a 3rd party outsourced IT vendor. As you review this top 10 list, you can perform a mental assessment of your organization and see how many of these may apply. They are grouped by our approach to cyber security risk management which focuses on the 3 pillars of cyber security – people, policy and technology. The top 10 most common findings are:
- Lack of an employee cyber security awareness training program. Employees are the weakest link and training them on topics such as phishing emails, social media, and password management is critical.
- Approximately 25% of employees fall victim to mock phishing exercises. Mock phishing exercises are one of the most effective and personal methods for testing your employees.
- Lack of Incident Response Plan tabletop exercises. Security incidents will occur at some point and if you do not prepare in advance and practice, the actual response will be chaotic and disorganized.
- Information Technology staffs generally lack the time and expertise to focus on cyber security. Cyber security is a broad area that requires highly specialized skills across a wide range of subject areas.
- Most organizations have ad hoc policies (if they exist at all) that are not uniform or widely understood.
- Policies are typically dispersed throughout the organization in different formats and templates.
- Most policies are severely outdated and have not kept up with new technologies (ex. mobile devices, social media, cloud computing).
- Most organizations lack a comprehensive and thorough patch management process which leaves them open to hundreds (if not thousands) of technical vulnerabilities.
- Organization’s networks have evolved in a haphazard manner over time resulting in primarily flat architectures.
- Organizations have done a good job of investing in their network infrastructure but have done a poor job of taking full advantage of security control functionality and settings.
Based upon our experience it is likely that most of the above findings are relevant to your organization to some degree. It is important for organizations to regularly assess not only their technical infrastructure, but also their organizational security awareness and policies. Organizations that fail to perform periodic assessments risk leaving themselves exposed to hackers who can exploit these vulnerabilities or negligent insiders who expose data unintentionally. If you would like to discuss the top 10 assessment findings and how they apply to your organization, please contact COMPASS or tune into The CyberGuide for more information.