Cybersecurity Assessments
Risk Assessments
Assessing risk begins with identifying a company's assets. Assets can be tangible (people, equipment, buildings, money, etc.) or intangible (data, intellectual property, reputation, etc.). A value is set for each asset in the inventory so that it is explicitly known what is at stake if an asset is lost. The asset inventory is then rank-ordered so that attention is proportional to the value of each asset. Starting with the most critical assets, threats to those assets are considered: what bad things could happen that would result in harm or loss to each asset. Risk scenarios are created to consider who might harm an asset, which asset they would harm, what their motivation might be, how they would gain access, and the time required to complete it. These scenarios are compiled into a repository (called a risk register), and each is assessed for likelihood and impact.
What is the Risk Assessment Process?
Our approach to risk assessments is the following:
We hold an introductory meeting to gather information about the company's goal and its risk capacity, risk appetite, and risk tolerance:
Risk capacity is how much money a company can afford to lose if something bad were to happen.
Risk appetite is a target for how much risk a company is willing to take on; it is less than the company's risk capacity.
Risk tolerance is a measure of how strictly a company wants to hold to its risk appetite. (For example, if an elevator is rated for a maximum weight of 1000 pounds, some people would not be comfortable loading an additional pound beyond that amount. Others might be okay with loading only an extra 5 pounds over the maximum, whereas others might be comfortable loading an extra 100 pounds or more.)
The introductory meeting also gathers information about how risk is currently being communicated throughout the company. We identify which people in the company are best suited to participate in the risk assessment activities based on their knowledge, stake, and availability. We then lay out the roadmap of activities that will occur during the risk assessment. These include:
Asset inventory
Identification of threats
Identification of existing controls
Identification of vulnerabilities
Identification of impact
Risk assessment and results
We use a variety of quantitative and qualitative assessments depending on each client’s needs.
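The following added example (not this firm's own tooling or method) sketches a quantitative risk register that ranks scenarios and compares total exposure with risk appetite, tolerance and capacity. It assumes expected yearly loss = asset value x impact x likelihood and treats tolerance as a fractional overrun of the appetite; all names and figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    asset: str
    asset_value: float   # value set in the asset inventory (constructed figure)
    threat: str          # who might harm the asset and how
    likelihood: float    # assumption: probability of occurrence per year, 0..1
    impact: float        # assumption: fraction of the asset's value lost, 0..1

    def expected_loss(self) -> float:
        # Assumption: expected yearly loss = value x impact x likelihood.
        return self.asset_value * self.impact * self.likelihood

def build_register(scenarios):
    """Validate scenarios and return them ordered by expected loss, highest first."""
    for s in scenarios:
        if not (0 <= s.likelihood <= 1 and 0 <= s.impact <= 1) or s.asset_value < 0:
            raise ValueError(f"invalid scenario for asset {s.asset!r}")
    return sorted(scenarios, key=lambda s: s.expected_loss(), reverse=True)

def posture(register, capacity, appetite, tolerance):
    """Compare total expected loss with appetite, tolerance band and capacity.

    tolerance is an assumed fractional overrun of the appetite (0.10 = 10%).
    """
    if not 0 <= appetite < capacity:
        raise ValueError("risk appetite must be less than risk capacity")
    total = sum(s.expected_loss() for s in register)
    if total > capacity:
        return "over capacity"
    if total <= appetite:
        return "within appetite"
    if total <= min(appetite * (1 + tolerance), capacity):
        return "within tolerance"
    return "over tolerance"

# Constructed sample scenarios, not data from any real assessment.
SAMPLE = [
    Scenario("public website", 50_000, "defacement by outsider", 0.30, 0.20),
    Scenario("customer database", 500_000, "credential theft", 0.10, 0.60),
    Scenario("payroll system", 200_000, "insider misuse", 0.05, 0.50),
]

if __name__ == "__main__":
    register = build_register(SAMPLE)
    for s in register:
        print(f"{s.expected_loss():>10,.0f}  {s.asset}: {s.threat}")
    print(posture(register, capacity=100_000, appetite=35_000, tolerance=0.10))
```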
Why would I need a Risk Assessment?
Decisions are best made when considering all the pros and cons. With our impressive mathematics and data science resume, we can implement the techniques others talk about.
Vulnerability Assessments
Vulnerability assessments find open and unlocked doors to your company and data. They also test how well your risk management program is performing. Vulnerability assessments are used to decide which additional safeguards to use.
Why is it valuable?
Knowing where the weak spots in your systems are helps guard against attackers using them against you. These vulnerability assessments give you a full view of your entire network, can determine the impact of an attack on your company and its data, and help develop a strategy against those attacks.
Penetration Testing
Penetration testing is an authorized cyberattack that tests your system's defensive capabilities, using modern and manual techniques to uncover vulnerabilities in your system. Essentially, it is a fire drill.
How can this help me?
Understanding how someone could break into your system or how they could damage it will help you prevent it from happening. These types of tests also train your security team, teaching them what to do in case of such attacks.