By Sebastiaan Rothman – Manager: Cloud Security & Compliance at Altron Karabina
The age-old adage of prevention is better than cure is becoming more and more relevant as organisations both transition to the cloud and manage the ever-increasing perimeter of people working remotely.
To remedy your security woes, the questions you need to answer include: Do you know what your cybersecurity posture is? Do you know where the gaps are that you are not considering? Are you sure you are taking all the elements in your business into account when you are crafting your policies?
A cybersecurity assessment is not only an invaluable tool to help identify gaps in your security posture; it also helps identify opportunities for improving business processes and creates better awareness of elements related to cybersecurity.
Despite many companies and partners offering security assessments as a service, it is important to have the right advice when embarking on this journey.
Understanding the business drivers for cybersecurity, the strategy, and the relevant regulations and legislation all inform what the right type of assessment is for an organisation.
As complicated as such an assessment could be, it can also be very simple. Getting started is usually the hardest part.
One of the biggest challenges we have seen is that organisations do not know what is going on with their own internal processes and policies.
Business, technology, and cybersecurity are so far removed from one another that there is a lot of overlap in what is being done, or worse, gaps in basic controls.
To view an organisation’s policies and processes through a wide lens ensures that you not only take technology and products into consideration but that you look at the business and operational impact of not having controls in place.
Misconfiguration a concern
The State of Cloud Security 2020 survey, by Fugue, found that 84% of cloud engineering teams that have transitioned to remote work are concerned about security vulnerabilities introduced as a result of new access policies and the various devices used to manage cloud environments.
Twenty-eight percent of these respondents admit that they have already suffered a breach because of cloud misconfigurations, which remain a top cause of data breaches in the cloud.
Understanding what state the environment is in, measured against an accepted benchmark or framework, could highlight many of these misconfigurations.
It allows security and cloud engineering teams to address potential risks and minimise the chance of the cloud environment being a viable attack vector for organisations that are forced to transition to the cloud without having done their due diligence.
Organisations that are more mature in the cloud space can also benefit from regular cloud security assessments.
Through a continued evaluation of their security posture, these organisations can identify policy violations or simply measure the efficiency of existing controls.
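As an added illustration of the kind of benchmark-driven check described above (example code written for this article, not from Altron Karabina, Fugue or CIS), the script below runs a handful of posture checks over a constructed snapshot of a small cloud estate and reports which checks pass and which produce findings. The inventory values, thresholds and check labels such as IAM-01 are assumptions made up for the example and do not correspond to real CIS Benchmark item numbers; a real assessment would pull the inventory from the cloud provider's APIs and map each check to the benchmark item it implements.

```python
"""Illustrative benchmark-style posture assessment over a constructed inventory.

Added example for this article. The snapshot, thresholds and check labels
below are constructed for illustration and are not real account data or
official CIS Benchmark items.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed snapshot of a small cloud estate, in the shape an assessment
# tool might export from the provider's APIs. All values are made up.
INVENTORY: Dict[str, object] = {
    "account": {"root_mfa_enabled": False, "audit_logging_enabled": True,
                "password_min_length": 8},
    "users": [
        {"name": "alice", "mfa_enabled": True, "access_key_age_days": 30},
        {"name": "bob", "mfa_enabled": False, "access_key_age_days": 400},
    ],
    "storage_buckets": [
        {"name": "public-site-assets", "public_read": True, "encrypted": True},
        {"name": "hr-exports", "public_read": True, "encrypted": False},
    ],
    "firewall_rules": [
        {"name": "allow-ssh-office", "port": 22, "source": "203.0.113.0/24"},
        {"name": "allow-rdp-any", "port": 3389, "source": "0.0.0.0/0"},
    ],
}

@dataclass
class Finding:
    check_id: str   # hypothetical label, not a CIS Benchmark number
    severity: str   # "high" | "medium" | "low"
    resource: str
    message: str

@dataclass
class Check:
    check_id: str
    description: str
    evaluate: Callable[[dict], List[Finding]]

def check_root_mfa(inv: dict) -> List[Finding]:
    if inv["account"]["root_mfa_enabled"]:
        return []
    return [Finding("IAM-01", "high", "account", "root account has MFA disabled")]

def check_user_mfa(inv: dict) -> List[Finding]:
    return [Finding("IAM-02", "high", f"user:{u['name']}", "MFA not enabled")
            for u in inv["users"] if not u["mfa_enabled"]]

def check_key_age(inv: dict, max_age_days: int = 90) -> List[Finding]:
    # Illustrative rotation threshold; the real limit comes from the benchmark.
    return [Finding("IAM-03", "medium", f"user:{u['name']}",
                    f"access key is {u['access_key_age_days']} days old "
                    f"(limit {max_age_days})")
            for u in inv["users"] if u["access_key_age_days"] > max_age_days]

def check_password_policy(inv: dict, min_length: int = 14) -> List[Finding]:
    actual = inv["account"]["password_min_length"]
    if actual >= min_length:
        return []
    return [Finding("IAM-04", "medium", "account",
                    f"password minimum length {actual} is below {min_length}")]

def check_public_buckets(inv: dict) -> List[Finding]:
    # Every publicly readable bucket is surfaced; intended exceptions should be
    # documented rather than silently skipped by the assessment.
    return [Finding("STG-01", "high", f"bucket:{b['name']}", "bucket is publicly readable")
            for b in inv["storage_buckets"] if b["public_read"]]

def check_bucket_encryption(inv: dict) -> List[Finding]:
    return [Finding("STG-02", "medium", f"bucket:{b['name']}", "encryption at rest disabled")
            for b in inv["storage_buckets"] if not b["encrypted"]]

def check_admin_ports(inv: dict, ports=(22, 3389)) -> List[Finding]:
    return [Finding("NET-01", "high", f"rule:{r['name']}",
                    f"management port {r['port']} open to the internet")
            for r in inv["firewall_rules"]
            if r["port"] in ports and r["source"] == "0.0.0.0/0"]

def check_audit_logging(inv: dict) -> List[Finding]:
    if inv["account"]["audit_logging_enabled"]:
        return []
    return [Finding("LOG-01", "high", "account", "audit logging disabled")]

CHECKS: List[Check] = [
    Check("IAM-01", "Root account protected by MFA", check_root_mfa),
    Check("IAM-02", "All users have MFA enabled", check_user_mfa),
    Check("IAM-03", "Access keys rotated within policy", check_key_age),
    Check("IAM-04", "Password policy meets minimum length", check_password_policy),
    Check("STG-01", "No publicly readable buckets", check_public_buckets),
    Check("STG-02", "Buckets encrypted at rest", check_bucket_encryption),
    Check("NET-01", "Management ports not exposed to the internet", check_admin_ports),
    Check("LOG-01", "Audit logging enabled", check_audit_logging),
]

def run_assessment(inv: dict = INVENTORY) -> List[Finding]:
    """Evaluate every check against the inventory and collect the findings."""
    findings: List[Finding] = []
    for check in CHECKS:
        findings.extend(check.evaluate(inv))
    return findings

def passed_checks(inv: dict = INVENTORY) -> List[str]:
    """IDs of checks that produced no findings."""
    return [c.check_id for c in CHECKS if not c.evaluate(inv)]

def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so the report can be prioritised."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

if __name__ == "__main__":
    results = run_assessment()
    for f in results:
        print(f"[{f.severity.upper():6}] {f.check_id} {f.resource}: {f.message}")
    print("passed:", ", ".join(passed_checks()))
    print("summary:", summarise(results))
```

Re-running the same checks on a schedule against a fresh inventory snapshot is what turns a one-off assessment into the continued evaluation the article describes: a check that passed last month and fails today is a policy violation worth investigating, and a finding that stays open for several runs is a control that is not being effective.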
How a control is introduced into the environment varies as the business changes. Although usually facilitated by a piece of technology, it needs careful consideration to ensure the operational impact is minimal while still closing the security gap.
The Center for Internet Security (CIS) Controls, formerly known as the Critical Security Controls (CSC), are described by the SANS Institute as a recommended set of actions for cyber defence that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks, and they are a good benchmark for assessing your security controls.
An assessment against the CIS Controls provides organisations with a view across the 20 controls that make up a comprehensive security landscape, highlighting areas where organisations are doing well and areas where they can perhaps invest some more time and resources to correct.
One of the biggest benefits of doing a cybersecurity assessment is identifying opportunities to better align with formal and accepted security frameworks.
While the industry in which an organisation operates usually prescribes the relevant compliance standards and regulations required to operate, it is best to align with industry-accepted frameworks.
For instance, aligning with the NIST Cybersecurity Framework (CSF), allows organisations to ensure that efforts are applied in the right places, at the right time.
Bringing cybersecurity into focus for everyone in the organisation is critically important.
Cybersecurity is not just about bad guys trying to break into your systems and steal your data; it extends much further than this.
It also includes governance-related topics like consistent and up-to-date documentation, ongoing cybersecurity awareness training, inventory management and incident management processes and procedures.
Cybersecurity assessments highlight these focus areas and allow security, technology, and business teams to collaborate better in improving the state of their cybersecurity efforts and help mitigate the risks associated with migrating to and operating in the cloud.