Cybersecurity Assessments: Why Your Company Needs One and Where to Start

PDF

On May 28, 2024, Xantrion and Maynard Nexsen hosted an insightful webinar on the critical importance of cybersecurity assessments for businesses. The session, featuring Brandon Robinson (Maynard Nexsen), and Darren Nyberg (Xantrion), and moderated by Heather Hoopes-Matthews (NP Strategy), provided in-depth expertise on why your company needs a cybersecurity assessment and how to get started.

View this webinar on-demand.

Below are the key takeaways from this informative discussion.

Why Your Company Needs a Cybersecurity Assessment

Cyber threats are constantly evolving in sophistication and frequency, making it imperative for businesses to be proactive about cybersecurity readiness. Our panelists underscored several proactive and reactive reasons why companies should consider regular cybersecurity assessments:

• Proactive Reasons:

• Evolving Cyber Threats: Cybersecurity threats are becoming more sophisticated, necessitating proactive measures to safeguard data.
• Cloud-Based Platforms: The increasing use of cloud services demands that companies understand the unique risks associated with these platforms.
• Policy Improvement: Regular assessments help in refining company policies and procedures for better alignment among employees.

• Reactive Reasons:

• Regulatory Requirements: Compliance with statutory and regulatory standards is crucial.
• Investor or Customer Pressure: Increasing demands from investors or customers for robust cybersecurity measures.
• Post-Breach Actions: Learning from past incidents to prevent future breaches.

Understanding Cybersecurity Assessments

A cybersecurity assessment is a comprehensive review of an enterprise’s cybersecurity program, evaluating risks and vulnerabilities. Brandon Robinson emphasized that such assessments help businesses decide where to allocate resources to reduce risks and improve their cybersecurity posture. Key aspects covered in an effective assessment include:

• Logical Access Policies and Procedures
• Data Backup and Recovery Procedures
• Incident Management Policies and Procedures

The panel highlighted the importance of having a clear and concise cybersecurity strategy, noting that the insights gained from these assessments can drive meaningful improvements in organizational security measures.

Types of Cybersecurity Assessments

Darren Nyberg explained the different methodologies for conducting cybersecurity assessments, discussing their strengths and weaknesses:

• Self-Assessments: Often inaccurate due to outdated or biased information.
• Automated Scans: Typically provide incomplete information, missing crucial data on cloud-based applications.
• Third-Party Reports: The gold standard, where experts conduct thorough assessments that provide a holistic view of technical and compliance risks.

Brandon stressed that the ideal assessment involves collaboration between legal and technical experts to ensure a comprehensive understanding of the risks and the best mitigation strategies.

Frameworks and Regular Assessments

The panel discussed the importance of using recognized frameworks, such as the National Institute of Standards and Technology (NIST) framework, for conducting cybersecurity assessments. They emphasized that regular assessments are essential to keep up with evolving threats and technologies.

• Common Language: Frameworks provide a common language for understanding best practices.
• Regular Updates: Continuous assessments help in regularly updating policies and technologies to reduce risks.

Real-World Case Studies

Two case studies were shared, illustrating the real-world implications of cybersecurity assessments:

1. Registered Investment Advisor: A 60-person firm with $13.5 billion in assets that underwent a cybersecurity assessment to remain compliant with evolving regulations and threats. The assessment revealed sound technical protections but highlighted significant gaps in policies that needed addressing.
2. Business Email Compromise (BEC): A small manufacturing facility fell victim to a BEC attack, losing significant funds due to inadequate policies. The incident underscored the importance of having rigorous procedures and policies, as well as Multi-Factor Authentication (MFA) and other technological measures, to help prevent or mitigate such an event.

Conclusion

The webinar concluded with a consensus that cybersecurity assessments are not just preventive measures but strategic tools that can substantially reduce the risks and costs associated with cyber incidents. Heather, Brandon, and Darren collectively advised businesses to consult with their IT, legal, and compliance teams, and to bring in relevant experts when needed to ensure a comprehensive cybersecurity assessment.

In an age where cyber threats are an everyday reality, the insights and guidance from our panelists provide a valuable roadmap for companies looking to strengthen their cybersecurity posture.

View this webinar on-demand.

We thank all the participants for joining us and encourage those who have not yet conducted a cybersecurity assessment to consider doing so at the earliest opportunity. Stay tuned for more webinars and updates on how we can help you secure your business in this ever-evolving digital landscape.

For more information, or to register for future webinars, please visit our website.