Cybersecurity Gap Assessment: The Top 3 Findings by Security Experts

Nolan Forrest

A cybersecurity gap assessment (also known as a gap analysis) is the logical first step for any organization that wants to know where it actually stands before spending on controls.

Every day, business leaders wake up to find out the worst has happened. Malicious actors from shadow organizations have broken into their network, stolen their data, and are now holding them to ransom. Many of these organizations had been following security frameworks, monitoring their networks, and following best practices… or so they thought.

Cybersecurity Gap Assessments: what is the point?

Performing a thorough Cybersecurity Gap Assessment matters for the simple reason that it does exactly what the name says: it finds the gaps between the controls you think you have and the controls you actually have, and tells you where you are most exposed. We have performed hundreds of gap assessments, and in only a few short hours have been able to determine our clients' weaknesses.

Our gap analysis can be mapped to most of the major security frameworks, and dives deep into each organization's security practice. The gaps we find can span the entire organization and vary by organization and industry, but there are some common mistakes that seem to pop up more often than others.

Credential Issues for Initial Users

Like most issues that pop up in an assessment, this one has multiple parts.

For every new employee, your team creates a new account and never looks back. Hey, that's fine; it's part of the gig. But more often than we'd like to admit, a hire never starts, or a user leaves and nobody tells IT, and now you have a dormant, still-enabled account sitting out there, prime for abuse. Nobody is watching it, so nobody notices when someone else starts using it.

An easily guessed initial password, no way to force a new password when the account is first used, or reuse of the same couple of password variations for every new hire are all common mistakes we see our clients making. Correcting these issues can come down to a simple change of habits: set up a workflow with HR to routinely reconcile the account list against the employee roster and disable orphaned accounts, flag accounts that were created but never used, and issue each new user a long, random initial password that must be changed at first login, so the user's first thought is "how do I change this?!"
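As an added example of the HR-reconciliation habit described above (this is illustrative code written for this article, not a tool the author or CDI ships), the script below takes a constructed account export and a constructed HR roster and reports orphaned accounts, dormant accounts, and never-used accounts that were not flagged to change their password at first login. The grace period, inactivity limit, usernames and dates are all assumptions; in practice the account list would come from your directory (Active Directory, Okta, etc.) and the roster from HR.

```python
"""Orphaned / dormant account review against an HR roster (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set
import secrets
import string


@dataclass
class Account:
    username: str
    created: date
    last_login: Optional[date]    # None means the account has never been used
    must_change_password: bool    # "change password at first use" flag set at creation
    enabled: bool


# Constructed sample data: these are not real people or real accounts.
TODAY = date(2024, 6, 1)
HR_ACTIVE: Set[str] = {"alice", "bob", "dana", "frank"}   # who HR says is employed today
ACCOUNTS: List[Account] = [
    Account("alice", date(2023, 1, 9),  date(2024, 5, 31), False, True),
    Account("bob",   date(2024, 5, 20), None,              True,  True),  # new hire, inside grace
    Account("carol", date(2024, 1, 15), None,              False, True),  # never started, still enabled
    Account("dana",  date(2022, 3, 1),  date(2024, 5, 30), False, True),
    Account("evan",  date(2021, 7, 7),  date(2023, 2, 2),  False, True),  # left, never disabled
    Account("frank", date(2020, 9, 9),  date(2024, 1, 1),  False, True),  # employed but idle
]

NEVER_USED_GRACE = timedelta(days=14)   # assumed: how long a fresh account may sit unused
INACTIVE_LIMIT = timedelta(days=90)     # assumed: inactivity threshold for active staff


def find_orphaned(accounts: List[Account], hr_active: Set[str]) -> List[str]:
    """Enabled accounts with no matching active HR record: disable these first."""
    return sorted(a.username for a in accounts if a.enabled and a.username not in hr_active)


def find_dormant(accounts: List[Account], today: date) -> List[str]:
    """Enabled accounts never used past the grace period, or idle past the limit."""
    out = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.last_login is None and today - a.created > NEVER_USED_GRACE:
            out.append(a.username)
        elif a.last_login is not None and today - a.last_login > INACTIVE_LIMIT:
            out.append(a.username)
    return sorted(out)


def find_missing_first_use_change(accounts: List[Account]) -> List[str]:
    """Never-used accounts created without the 'must change at first login' flag."""
    return sorted(a.username for a in accounts
                  if a.last_login is None and not a.must_change_password)


def initial_password(length: int = 24) -> str:
    """Long, random initial password drawn from a CSPRNG; nobody should reuse it."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("orphaned:", find_orphaned(ACCOUNTS, HR_ACTIVE))
    print("dormant:", find_dormant(ACCOUNTS, TODAY))
    print("no first-use change:", find_missing_first_use_change(ACCOUNTS))
    print("example initial password:", initial_password())
```

Note that "orphaned" and "dormant" are deliberately separate checks: frank is still employed, so HR will never flag him, but his 90-plus days of inactivity are exactly what an attacker with an old credential is hoping nobody notices.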

Perfect vs. Good

All too often, companies get caught in a horrible trap when building a plan or writing policy. They are so worried about getting the first draft perfect that they never get the project moving at all. Policy writing is the classic example: writers get so focused on the perfect draft that the policy ends up on the back burner, and in the meantime there is no policy at all.

I always recommend that when drafting a policy, you start with a simple bulleted list or an outline, then walk away for a while. When you're ready, come back, review the outline so far, and begin adding substance to it. Remember, policy writing takes time and is rarely good on the first try!

Practicality of Inventory

“Inventory management? In a dream world! That doesn’t work here!”

Yup, heard that… but guess what? It really doesn't have to be a dream. Inventory management is more useful, and more achievable, than you think. Many organizations write it off because of poor success in the past, or just perceived impracticality. It doesn't seem like a big deal at first, but over the long term, as your cybersecurity program matures and the managed devices get harder to break into, attackers shift to the "unmanaged" or "forgotten" devices, because those are the ones nobody is patching or watching.

There is no better time to start than now! Good inventory management helps ensure that every device is receiving the updates, controls and monitoring it needs, and it lets you spot the devices on your network that are not on your list at all.
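As an added example of what "good enough" inventory management looks like in practice (illustrative code written for this article, not a CDI tool), the script below reconciles a constructed asset inventory export against a constructed list of devices actually observed on the network. It reports devices on the wire that are not in the inventory (the "forgotten" devices), inventory entries that were not seen (stale records), and inventoried devices assigned to no patch group. The CSV layouts, hostnames and MAC addresses are assumptions; in practice the inventory comes from your CMDB or MDM export and the observed list from a network scan, DHCP leases or your EDR console.

```python
"""Reconcile an asset inventory with what is actually on the network (added example)."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed inventory export: hostname, mac, owner, patch_group. Not real devices.
INVENTORY_CSV = """hostname,mac,owner,patch_group
fs01,aa:bb:cc:00:00:01,it,servers
ws-jdoe,aa:bb:cc:00:00:02,jdoe,workstations
printer-3f,aa:bb:cc:00:00:03,facilities,none
ws-old,aa:bb:cc:00:00:04,asmith,workstations
"""

# Constructed scan output: mac, ip, hostname as seen on the wire. Note the mixed-case
# MAC on the first row and the blank hostname on the last one, both common in real exports.
SCAN_CSV = """mac,ip,hostname
AA:BB:CC:00:00:01,10.0.1.5,fs01
aa:bb:cc:00:00:02,10.0.2.17,ws-jdoe
aa:bb:cc:00:00:03,10.0.2.40,printer-3f
de:ad:be:ef:00:01,10.0.2.99,raspberrypi
de:ad:be:ef:00:02,10.0.3.12,
"""


def norm_mac(mac: str) -> str:
    """MAC addresses are the join key, so normalize case and whitespace before comparing."""
    return mac.strip().lower()


def load_rows(csv_text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(inventory_csv: str, scan_csv: str) -> Dict[str, list]:
    """Compare inventory against observed devices, keyed on normalized MAC."""
    inventory = {norm_mac(r["mac"]): r for r in load_rows(inventory_csv)}
    observed = {norm_mac(r["mac"]): r for r in load_rows(scan_csv)}

    # On the network but not in the inventory: nobody is patching or monitoring these.
    unmanaged: List[Tuple[str, str, str]] = [
        (mac, r["ip"], r["hostname"].strip() or "unknown")
        for mac, r in sorted(observed.items()) if mac not in inventory
    ]
    # In the inventory but not seen: retired, relocated, or the record is simply wrong.
    stale = sorted(r["hostname"] for mac, r in inventory.items() if mac not in observed)
    # Inventoried and live, but assigned to no patch group, so updates are not reaching it.
    no_patch_group = sorted(
        r["hostname"] for mac, r in inventory.items()
        if mac in observed and r["patch_group"].strip().lower() in ("", "none")
    )
    return {"unmanaged": unmanaged, "stale": stale, "no_patch_group": no_patch_group}


if __name__ == "__main__":
    result = reconcile(INVENTORY_CSV, SCAN_CSV)
    for mac, ip, host in result["unmanaged"]:
        print(f"UNMANAGED  {ip:<12} {mac}  {host}")
    for host in result["stale"]:
        print(f"STALE      {host}")
    for host in result["no_patch_group"]:
        print(f"NO PATCHES {host}")
```

Run this on a schedule rather than once: the unmanaged list is the one that grows quietly between assessments, and the printer with no patch group is exactly the kind of device that stays on the network for years.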

You’ve completed the Cybersecurity Gap Assessment, what’s next?

We typically handle our Cybersecurity Gap Assessment with two 2-hour phone calls. From there, our team builds out a custom report that details all of the strengths and opportunities for improvement, framed around your company's particular challenges. The report also contains a high-level roadmap to help your team prioritize their remediation efforts.

When you’re ready, the next step on your security journey is to work with a real Red Team and do a Penetration Test.

Our Pen Testing services employ a team of ethical hackers who will test every corner of your organization to see whether they can get in. Do you think you have the controls in place to stop us?


Nolan Forrest, Practice Lead, Red Team

Nolan Forrest is a cybersecurity expert with a history of helping organizations, both large and small, determine their security gaps and build elite defenses. He is CDI’s Red Team Practice Lead and spends time assisting organizations as a Virtual Chief Information Security Officer (vCISO).