Why you need a Risk Assessment

In this podcast, Dave Hodgdon and Steve Ripper from PCG talk about the importance of a risk assessment. They explain how a risk assessment can help you spot vulnerabilities. Then, they outline how it can help you create a plan to improve your IT in a way that supports your business and protects your reputation.

Dave Hodgdon: Welcome to PCG Tech Tuesday. This is your host, Dave Hodgdon. My guest today is Steve Ripper, PCG engineer. Steve, how’re you doing today?

Steve Ripper: I’m good, Dave. How are you?

Start a Risk Assessment by Identifying Your Objectives

Dave: I’m awesome. We have a great topic today. Today’s topic is about what a risk assessment covers and the value it brings to your business. This has been top of mind for many of our clients at PCG.

We pretty much know a risk assessment is a smart cybersecurity approach that starts with assessing your risk and about 69% of businesses have not identified and documented their cybersecurity threats. Steve, what do I need to do to get started?

Steve: Well, you need to decide, you need to make the decision that you need to do it, and that can come in many forms. Maybe you got breached, maybe you had an event, maybe you have a cyber insurance claim or form that you’re filling out. Maybe you have a compliance issue that you’re trying to meet. Maybe you want to do business with the Department of Defense.

Really, you’ve got to decide what brings you to the risk assessment, it can be any of them, and then you need to schedule it with a third-party vendor. We do this, PCG does these, and so we’ll schedule the time with you and then we’ll figure out when we’re doing the questionnaire. When we ask the questionnaire, we’re going to ask like 60 to 80 questions. They’re going to touch on many things like, “Where are you at with your backups? Where are you at with your cybersecurity?” Things like antivirus, “What do you do with your documents? Are you doing physical security?”

Consider How You Handle Your Data

Dave: I think that’s a big one, Steve, what do you do with your documents?

Steve: Sure.

Dave: In today’s world, a lot of the cyber insurance agents, how are you handling your data? A lot of people, they don’t have that answer down.

Steve: Yeah, and I think when you’re doing the risk assessment, that question alone really brings the people who are doing it into it. They understand that this is really encompassing everything. They’re expecting a question about antivirus, but they’re not expecting a question about what are you doing with all the paper, all the hard copies that are just… When we ask that question, “Are you disposing of it properly? Are you hiring someone like Iron Mountain to make sure? Are they signing an attestation that they got rid of it for you?”, they start to understand, “Wow, all right, so this is encompassing everything. Do I have video cameras? Do I have door security? Where are my servers?”

It really covers all of the things. It’s not just about the typical stuff you see like MFA and things like that, but it really covers everything from, “Are you doing background checks on your employees?” They take a step back from that one, “Wait a minute, my employee’s been working with me for 30 years.” Doesn’t matter. You still need to be checking in terms of to meet the requirements for whatever you’re setting out to do. These are things along the steps and controls that you need to meet to make sure that you’re doing and you’re in a good security posture.

Defense in Depth: Assessing Security of Business Practices

Dave: I see. It’s the way you just said, it’s more of a business, just not the IT of my business. You mentioned the background check. From an HR standpoint, do I have security cameras if there’s something there? What’s my remote workforce policy, people working from home, my mobile device management? I think we want the listeners to understand it’s more than just IT, it’s having a disaster recovery plan.

Steve: Yeah, it’s the all-encompassing process. We call that in the security department, we call it “defense in depth.” Do you have it everywhere? Are you locking the door at the front of your building? But are you also putting controls on the server where your data is inside the building and everything in between that?

The Value of an Independent Risk Assessment

Dave: I kind of see this, Steve, as similar to going to the doctors for a physical or having a tax audit. Talk to us. What do you feel about that?

Steve: Yeah, so it’s like that because a lot of times for the risk assessment, we don’t really have time to go and dig deep into every one of your systems. You can do that, and we can dig deeper if you want that, but usually your MSP or your IT department might do that for you.

It’s really an independent audit, and so the audit very much follows a question process. What we tell people all the time is that, “Listen, no is an answer. It may not be the answer you want to give, but it’s absolutely an answer. If you don’t know the answer to this question, that tells us as much about it as yes. It does.”

If I ask you, “Are your backups going offsite, Dave?”, you say, “I don’t know,” that tells me a lot about what’s going on. I’m going to make a recommendation that you should either find out, and if you find out that you’re not having them offsite, then you should make that happen. That’s a remediation that should happen.

Dave: Just like your background check, you know that you’re doing it, and you’re checking it all off. It’s something you should do. I kind of feel the risk assessment is a very important part for companies that have a current IT in-house or MSP, having that third-party risk assessment is a great way to dot your i’s and cross your t’s. Talk to me about that.

Steve: Yeah, your IT department’s working hard, but there’s going to be some things in the playbook that we’re running on the risk assessment that they just may not have thought about. It’s not a referendum on the job that they’re doing. It’s more to try to uncover gaps and then get those gaps filled.

I’ve been in the position where I’ve been as an MSP doing it for a company and that company, a client of ours, hired somebody else to just do the risk assessment, and it’s a waste of time for me to be upset about that, or get an ego about it, or a competition. I took the report they did and then said, “Okay, we need to do this,” and went and remediated them because that’s my job in the process.

Cybersecurity NIST Framework

Dave: Right. Let’s talk about what we follow on the risk assessment. What exactly is the cybersecurity NIST framework?

Steve: The way I’d usually describe NIST is just simply that if the bad guys have a playbook, if the bad guys have a plan for what they’re doing, they’re going to try to phish you, they’re going to try to break into your firewall, they’re going to try to use open ports, they’re going to try to use scams to get at you. If they have a plan for what they’re going to try to do, maybe use a zero-day vulnerability that came out, we have a plan, too.

We’re not making it up. That program is called NIST. It’s a framework that has been designed by the industry that tells us, that leads us through the controls that we should be asking so that we’re not making it up. We’re not just going, “Yeah, we should ask them about the paper. What are they doing about the hard copies?” No, this is a codified list of questions that we’re following, and so that it leads us to make sure that we’re not missing anything.

Dave: What exactly do the letters N-I-S-T stand for?

Steve: I’m going to look at my notes, Dave, because I always fumble on it. You know I know what it is, but I always fumble on what it is. It’s the National Institute for Standards and Technology, NIST.

What Is Phishing?

Dave: Yeah, so it’s not something we just, it’s made up, but that is the key, that it’s a process, it’s a standard that we follow. You used a word earlier, just so the audience listens, you said they’re going to “phish” me. What do you mean? Am I going out fishing?

Steve: No, no. In my industry, we love to use words and then change them a little. We put the “P” in front of “phishing” instead of the F, the P-H. Phishing is literally the art of sending you an email that pretends to be something it’s not, like, “Hey, your password for Office 365 is going to expire,” and if they sign, then the link will bring you to a page that looks just like the Office 365 login, and then when you go to sign in, they’ve got your username and password.

That’s where the phishing has come from. They’re phishing for your credentials to try and then be you. By far, it’s the most common form of attack that we get notified of, get tickets for, “Hey, I got phished. I did fall for it. I typed my stuff in. What happens now?”

Dave: So the goal is not to get on that hook. You don’t want to get phished, right?

Steve: No, no, you don’t.

5 Elements of the NIST Framework

Dave: You don’t want to be that person. Let’s talk about… NIST is really working on five key, I call it the framework, the categories, and I think from a simplistic, how the audience hears, let’s break those five categories down and a couple examples of each. Let’s talk about the first one, identify.

1. Identify

Steve: Yeah. Identify, it’s the beginning of the process in the NIST form. It’s like, what do we need to protect? The idea is that if we don’t know where your data is or who. Where is the machine that’s doing accounts payable and accounts receivable? That’s an absolute target.

CEOs are targets. Dave, you’re a target, you’re a favorite target, so we need to identify what it is we need to protect because if we don’t know what we need to protect, then how do we know what to do in the next step?

2. Protect

Dave: Bingo. Exactly. All right, so identify that, that’s a huge part, what the assets, and ultimately, it’s your data. You’ve got to protect your data and your people. The second big one is protect. Let’s talk about protection.

Steve: Yeah, so protect is where we’re actually doing some things like maintenance. Maintenance is under the protection group. Training, so when I stand in front of people and I’m training them on what to watch for, literally when I explain to you all what phishing was, that’s training.

By making you aware, I’m making you a part of the defense, and that goes under the protection heading. When we’re doing permissions, when we’re saying that people can see this but can’t see that, even though they’re trusted employees, that’s part of the protection. Antivirus, absolutely part of the protection, right?

3. Detect

Dave: Right. Another big one is detection. Similar as around your house, we have many services in our house to detect certain issues. What are some options on detection?

Steve: Detection, that one is very much like how if protection is the wall around the building, or the wall around your house, detection is the alarm system, or your dog, think of it that way. It’s how we’re actually detecting what’s going on. Intrusion prevention.

If you have a security guard walking around your building or you have security services, that is detection, because if we can’t detect what’s going on, then we can’t do anything about it. We don’t know. Dave, you know this, especially for larger companies, a lot of times the hackers are in the company for months at a time. If they don’t get picked up in detection, then they’ll just sit in there and they’ll keep growing data, they’ll keep trying to figure out new ways to monetize what they’re getting, so you’ve got to have detection.

Dave: I think a lot of the listeners could… Most of us have a security system, so you know your building’s being monitored. If there’s a door open, or there’s some motion, you’re getting the contact from the security system, so that detection is a key point. It’s looking for some oddities.

Steve: Then just really quickly to throw in, Dave, EDRs, right?

Dave: Yeah.

Steve: Edge detection and response. These are programs that we can put in on PCs that will do behavior, like if something’s happening on your machine outside of antivirus that shouldn’t be happening, a file is being created a thousand times, or parts of your password file are being accessed, it will do something about it. That’s a common tool that we use for this.

4. Response

Dave: That’s a big one. We promote that. If someone’s trying to be you in Wisconsin, but you know you’re in South Carolina, so that EDR is a huge component. Fourth big one is about response. Talk to us about response.

Steve: Response. If we’re using the house analogy, that’s the police. You’re going to call the police if somebody’s in your house. Who’s the response for your company? Well, it’s PCG. You’re going to call us and say, “What do we do? Something has happened. I got phished, I think I know I got phished, I got the page, I signed in, nothing else happened. But now, I’m not getting any email, I’m not getting any new email.”

Something happened. I’m going to call PCG. We’re going to look at your mailbox. We’re going to kick them out. We’re going to change your password. If the server gets ransomware, your whole directory gets locked up, what does that look like? You come into work, you go to get the J drive, or the S drive, and you can’t, it literally isn’t accessible, but you-

Dave: That S drive’s big.

Steve: Right, so you think it’s an IT problem, but then you go out to the server and there’s a big screen on it that says, “We want to hold your data. We’re going to extort you because we encrypted your data.” Then, you’re going to call us and we’re going to work with you to determine what we should do. We don’t really want to pay them, we don’t want to have to, so we’re going to recover the data from backup. Whatever we’re going to have to do to roll it back to not have to give them what they want, that’s going to be the response part.

Dave: We really want listeners to understand the response is the key part that your team is ready. If something happens, just like anything, a lot of people have a will. Should something unexpectedly happen to you, you have a will, you have things planned out.

Same thing with the responses that your team knows to contact the FBI, your attorney, you’ve got PCG on the line, your insurance is up-to-date. Your team’s not panicking, so the key right there is to have a plan. The fifth big one is the recover. Talk to us about recover.

5. Recover

Steve: Yeah, so recover is literally how did that happen? The postmortem is another word we use for it. What happened there? Cyber insurance plays a big part in this. Hopefully you have cyber insurance. That’s one of the questions. When we do the risk assessment, “Do you have cyber insurance? Do you have over a million dollars of coverage? Do you have the right amount of coverage?”

Because when you’re getting to that point of the recovery, you’re going to want to engage your insurance. You’re going to want to work with us. We’re going to want to do an analysis of why did that happen, how did they make that happen, and what can we do next so it doesn’t happen again?

Outcome of Risk Assessments

Dave: All right, so the recovery is always how can you improve it? You mentioned about having the right cyber insurance in place and your time to recover. What can you expect from an outcome from this assessment?

Steve: Well, once we ask the questions, we’re going to go into what for us on our side report writing time because we’re going to absolutely do that. We’re going to give you a report that both shows how you answered all the questions. It’s going to be what we thought of it from our experience levels and we’re going to have a whole section on remediation, what we think you should do.

For example, when we ask you, “Do you have complex passwords and you’re expiring them regularly?”, and you say, “I don’t know,” or, “No, we’re not, I’ve had the same password for five years,” you can absolutely guarantee that one of the recommendations in the report that we hand off to you is, “No, no, you should be having complex passwords. You should be changing them every 90 days and we should have expirations and we should have lockouts and things like that,” so you’re going to get a detailed report that reports back on how you answered the questions, what we uncovered, and what you should do about it.

Using Your Risk Assessment Report

Dave: What a great example there, Steve, of how that is such, it’s a huge problem, but it costs nothing to fix that. The nice thing about the report is it’s showing that’s a red flag, that’s a huge alert, but you and the company have the ability through PCG, your current provider to very easily rectify that, so that’s a great one right there.

Steve: Dave, let’s be clear, some things will have a cost attached to it. There’s no avoiding that. If we need to implement MFA across the network and we need to implement a third-party solution to do MFA, we’re going to quote that as a cost to you.

If you need to segment a particular server, or devices, or data because your particular compliance needs the QE, the personal identifiable information, it needs to be segmented, that’s going to be a cost. But there are absolutely a lot of things also that are just some check marks and some boxes and some changes in the stuff you already have to just implement it.

Dave: Yeah, we’ve noticed over the last five, six years how security was a very small percentage of the client’s spend, but they’ve seen the uptick in their insurance, their cyber insurance of the certain services need in place. I think the best thing I’ve seen from the assessment is giving them the roadmap and the budgets so they can properly plan out. Security’s expensive. It’s not like we’re Fort Knox, or from a high-end HIPAA hospital, but as the business, the industry that you’re in, the goal is to give you your roadmap and a budget that you’re making the right steps to be in the right spot.

Steve: Then you should be doing your risk assessment every year so that… No one expects that you’re going to do every single thing on the list right away, we hope that, but we don’t expect it, and so if you’re doing your risk assessment as a yearly process, like you do a lot of other things in your business, which we’re going to get to in a second, then you can start to look at the risk assessment as, “What have we done since the last one and what do we still need to do?”

Common Issues Uncovered During Risk Assessments

Dave: I think that shows you, your vendors, your providers, because ultimately, it’s your data, so if you’re dealing with your clients, you’re dealing with the vendors, insurance, if you’re making the right steps to protect that data, they’re seeing that you care, and that’s ultimately it. Let’s talk about some common security issues that have come up during the risk assessment.

Steve: Yeah, I gave you a couple. I try to sprinkle them through. Password policies are a big one, MFA. MFA is the industry solution. MFA solution.

Dave: MFA?

Steve: MFA.

Dave: What’s MFA?

Steve: Come on, Dave.

Dave: What’s MFAs, Steve?

Steve: Multi-factor authentication.

Dave: All right, there we go. All right.

MFA and Password Management

Steve: It’s the industry, it’s my industry’s, our industry’s answer to the problem of how if they phish you, they get your username and password. But if you have an MFA set up on your Office 365, Dave, your Amazon account, your JetBlue account for buying plane tickets, if you have MFA turned on it, then even if you gave up your password, they can’t get into that account because they don’t have the device in their pocket, usually your smartphone, but you can do it by a device, a key fob, but usually your smartphone, they don’t have it, so they still can’t get in.

That’s our industry answer to that, so MFA’s a big one, password policies, training. Training. We want to get in there, we want to train so that you guys are a part of it. Then business continuity. Dave, I’m going to let you do business continuity because I don’t own a business. You do. Talk a little bit about business continuity.

Dave: Well, I want to go back to the MFA first because I-

Steve: Oh, you’re not letting that one go.

Dave: Oh, I don’t want to let that one go. I want the users. They’re doing it already. A lot of times they’re talking to the banks, they’re sending them a code. I think people get that they’re getting some type of code sent to confirm it’s them. Ultimately, when you mention about using your cell phone, it’s a second way to confirm it’s you. It’s doubtful that that bad actor not only… He might have your password, but it’s doubtful he has your phone and that code.

Steve: Well, if he has your phone, he’s kidnapped you, you have a lot of problems.

Dave: We do have some problems right there.

Steve: But those are beyond PCG’s ability.

Business Continuity Plans

Dave: But going back to the business continuity plan, we want to bring that back to, as we talked about during the risk assessment, is having that plan, so my biggest thing from a business continuity plan is it’s your data. Should something go wrong, how long can you be without your data? Is it an hour? Is it two hours? Is it a day?

We’re really talking about the recovery time objective, so during the risk assessment, we want to understand that that becomes part of the plan to your business continuity, that not only whether your servers are on-premise or in the cloud, but if something should happen to those servers or the cloud, how quickly can you get up and running?

That business continuity also comes back to your employees, your staff, about you just being educated, so the business continuity plan is its own elephant. We’ll talk about it on an upcoming podcast, but that’s a big one.

Steve: Yeah, so what I tell a lot of customers is that when you’re talking about remediation, things you want to do before any bad things have happened, that’s usually done in dollars. We’re going to talk about how much is that going to cost to do the MFA, to do the password, to do segmentation, whatever.

But when we’re talking about business continuity, we’re always doing it in time units. How long could you go without having…? Could you wait for the server to be shipped here, Dave? “Yeah, we could wait.” But if you can’t wait three to five days…

Dave: Longer now.

Steve: Or as we saw two years ago when supply chain issues showed up, it could be very long. If you answer that question as, “I can’t wait a week for my database to be back up,” well, now, we’re talking about different solutions. There’s data-loss prevention, there’s business continuity methods in your backups where we can stand these types of servers up in the cloud while we’re waiting for the server to come on the truck. We talk about time, “Can you wait three hours? Can you wait two weeks and sometime in between?” We need to know that.

Dave: Yeah, there was an article I just read in Forbes last week that talked about the average $5 million business. If they were to lose their data…

Steve: Sure.

Dave: They’re approximately losing $50,000 a day. It’s an absurd number. Not only can their employees not work the customer service, but the big part of the article at the end, the company reputation, can you rebound?

Steve: Of course.

How Long Does the Risk Assessment Take?

Dave: Steve, one of the questions that always people need to know, how long is this going to take?

Steve: Two to three weeks. You give it two to three weeks. Scheduling-wise, we’re going to do a kickoff and then we’re going to do the question session that we talked about where we ask those NIST questions that are in those categories.

Then report writing. I would tell people that report writing, it’s just like brain dumping. It’s like it’s so painful, but we get through it. We write the report because we’re custom writing it, we’re writing it for your business. What we heard during the kickoff, how you answered the questions, what we know about you, whether you are a client of ours, or you just come to us fresh…

Dave: For a third party.

Steve: What we know about you, and we’re going to write that report, but give it about two to three weeks.

Dave: That’s the full timeframe. But from an actual engagement of the person itself, we need about two to four hours of your personal time to be involved there. I think the nice thing you’ll see about the risk assessment is it’s engaging what your business does, the type of industry that you’re in, asking the questions specific to you.

The ultimate end plan is to give you a plan. I think that’s the biggest benefit. You mentioned about repeating because the business is always changing, but a risk assessment is a great way to help with your technology roadmap, and whether you’re an existing client or you want a third-party risk assessment, we feel that’s probably one of the best things you can do for your business to protect your data, your reputation, and lower your cost for cyber insurance. Steve, great topic today.

Contact PCG to Talk About Risk Assessments

Steve: Thanks, Dave.

Dave: One thing, if anyone is always interested, if anyone wants a preliminary risk score of where they stand, that’s something one of our PCG security experts will help with, at least give you an idea where you stand, like a credit risk score. Thanks again for joining us today for PCG Tech Tuesday. Have a great day.