By this day and age many organizations have already done multiple threat and security assessments for their existing IT environments. For some busy organizations this then becomes the endpoint; victory is declared and the assessment’s work is then filed away and forgotten, until the next audit is called for, whenever that might be.
When security and threat management is a discrete task, inevitably it becomes part of a continuum of tasks that blend in with everything else the demanding world of IT requires. Sadly, this then evolves into a serious problem.
When a threat assessment is done, it is a snapshot at that point in time. Even the most aggressive assessments will fail to assess 100% of the threats, and in the end, subsequent work to mitigate those threats only will deal with a smaller percentage of what was captured and analyzed. Then, filing it all away for one, two or three years simply compounds the problem.
The fact of the matter is that the threat environment is constantly evolving. Aspects that were minor concerns two years ago may be headlining issues now. A security staff, or an organization that feels they are “on top of the threat” may only be kidding themselves. Further complicating the picture is that if mitigation steps aren’t taken or are haphazard or weak, the erosion continues unabated. Eventually the negative effects appear.
In reality, a threat assessment or similar analyses can only be considered a baseline at that point in time. Two seconds after that analysis is completed, the information is becoming stale!
The trick here is to recognize the perishable nature of the information in the assessment, and instead of taking a snapshot, the organization needs to adopt a change in its practices to include periodic re-assessment of the threat environment.
With a small to medium business, this is further complicated by the scarcity of security resources, forcing a situation where many organizations are only weakly defended. Indeed, “don’t tell me, I don’t want to know…” may seem to be a strategy until a breach occurs and someone answers for the data loss.
Like it or not, Cyber Security is becoming a way of life. Any organization doing business on the Internet must resolve itself to that fact.
Here are a few things that an organization can do to prevent this situation:
- Periodically review and refresh the threat and risk assessment; (Refresh the baseline).
- For those threats actively being mitigated, monitor their effectiveness
- For those threats on the “wait list”, review whether the environment has changed.
- Consult one of the many online information resources focused on organizational cyber protection. (For example, the National Institution of Standards and Technology (NIST) has a huge library of security standards – their 800- series.)
- Don’t be afraid to reach out for expertise in the industry, in fact – having an outside set of eyes look at your assessments and perhaps provide advice is a healthy security practice.
In the end, recognize that while assessing your organizations risk is a good thing, it is what happens afterwards that determines whether it was worthwhile or was simply a waste of resources.