by Scott Jack
Content Contributor, E-N Computers
Over 10 years of experience in healthcare IT and tech support.
Small businesses are a common target for network and data breaches, so it’s important that you both secure and verify the security of your systems. According to the US Department of Homeland Security, small businesses represent one-third to one-half of all ransomware victims. An independent or third-party security risk assessment is an essential tool for analyzing and improving your security.
Security risk assessments are one proactive step to protect small businesses from the serious effects of a network breach. An independent assessment can provide greater objectivity and credibility to your security efforts, as well as an outside perspective on how to improve your internal processes. It also can lower your insurance premiums and spare you the expense of downtime.
Table of Contents
- Why you can trust us with your IT security risk assessment
- Why you should perform a third-party security assessment
- Who can do a security risk assessment?
- Why a third-party security risk assessment is important
- What does a third-party security risk assessment involve?
- What’s the difference between a vulnerability scan and penetration test?
- What should I do after a third-party security risk assessment?
Why you can trust us with your IT security risk assessment
E-N Computers has been providing managed IT and IT consulting services for over 20 years. Our clients include schools, libraries, and defense contractors like engineering and manufacturing firms. Here are some of our other security-related posts:
Why you should perform a third-party security risk assessment
Evaluating your security situation can help you avoid common causes of downtime, lower your insurance premiums, and protect your reputation.
- Based on industry estimates, downtime costs a small business doing $10 million in annual revenue up to $50,000 per day.
- Insurance companies are asking more questions about how companies protect their computer systems and sensitive data. Documentation about how your systems are configured, policies you have in place, and the results of an independent security assessment may help you secure coverage with lower premiums.
- Security breaches, especially those that lead to the exposure, loss, or theft of customer data, often damage the company’s reputation and result in loss of business.
By proactively completing a security assessment, you will better understand the risks on your network and what steps you can take to improve your security posture.
Who can do a security risk assessment?
Your internal IT team may be able to complete a security risk assessment, if they have sufficient cybersecurity knowledge. However, many small businesses cannot afford to keep cybersecurity experts on their team. In that case, you might consider hiring an IT managed service provider that specializes in security. Such IT MSPs, sometimes called managed security service providers (MSSPs), offer a range of cybersecurity and compliance services, including security and compliance assessments. Alternatively, cybersecurity consultants can perform comprehensive security assessments including in-depth penetration testing.
In some areas, you may be able to get a free or low-cost security assessment from an industry association, government agency, or a university with a cybersecurity program.
Why is a third-party security risk assessment important?
Your current IT team is responsible for keeping your systems secure and monitoring them, and they can do a security assessment. But there are at least five reasons you should consider an independent or third-party assessment.
- Objectivity and impartiality: An external party can evaluate your security without the burden of organizational politics and history. We won’t sweep potential issues under the rug to make your security look good; our aim is to identify potential problems so that you can improve your security. Therefore, you can be confident in the accuracy and reliability of the assessment results.
- Detecting weaknesses: Third-party auditors are familiar with common problems across a variety of businesses. We are able to come in with fresh eyes and see your security as it is, providing a snapshot of potential problems that you can address.
- Enhancing credibility: A third-party assessment signals to customers and investors that you take security seriously and that you are committed to best security practices.
- Compliance: Third-party assessments are an opportunity to see what you might be missing when it comes to compliance requirements, such as those for HIPAA, DFARS/CMMC, or PCI.
- Improving internal processes: A third-party auditor will do more than tell you what’s wrong; we will provide insights and recommendations to improve your security posture.
Overall, third-party audits promote transparency, best practices, and accountability in your organization. They are also important to insurance companies, especially if you want cyberinsurance coverage. Requirements for cyberinsurance are quickly evolving because it’s a relatively new product, but many policies now require an annual third-party vulnerability assessment to maintain coverage.
Is it possible to get a discount on cyberinsurance? Some insurers offer a discount if you install an approved network monitoring tool. For example, we partner with Blackpoint Cyber, whose managed detection and response (MDR) solution can reduce your cyberinsurance rate by up to 30%.
What does a third-party security risk assessment involve?
Our security assessment has four components: an interview, a phishing test, a vulnerability scan, and a report.
We start with an interview, usually by phone or videoconference, to get a basic understanding of how technology is used in your organization, what the potential risks are, and what steps you take to mitigate them. During the interview, we ask:
- what type of sensitive information you handle
- whether you allow it to be emailed
- whether you allow it to be stored or transmitted through any web-based file-sharing applications
- whether backups are being tested and how often
- whether you receive security and phishing training and how often
- whether you have cyber or crime insurance policies and when you last evaluated your coverage
If you use Microsoft 365, we ask whether you:
- use it for email or file storage (OneDrive or SharePoint)
- have multi-factor authentication enabled, especially on any admin accounts
We also ask whether you have any of 16 security-related policies and whether employees sign off that they have read and understand them. Many companies might have one or two of these; it’s exceptionally rare for a company to have most of them. However, we discuss them because such policies are an important part of your security practices.
- work from home
- clean desk
- acceptable use
- data confidentiality
- mobile device
- bring your own device
- incident response
- backup and disaster recovery
- business continuity
- remote access
- IT asset disposal
- security awareness
- third-party access
- removable media
- user termination
Finally, we ask how you generally store your user credentials, how you rate your current security software, and how often you complete an independent security audit.
Phishing is an attempt to trick users into revealing sensitive information by posing as a trusted company. An illegitimate email, text message, or website may use threats or create a sense of urgency to motivate people to divulge confidential data like PINs, passwords, or banking details.
We perform a phishing test as part of our security audit. You provide us with a list of your users’ emails, and we send them a message mimicking a phishing email that asks them to click a link. The email is designed so that a discerning user will know not to click the link. If someone does click the link, they are recorded as having failed the phishing test.
While anyone can be the victim of a phishing attack, some are more attractive targets than others. People who regularly communicate with others outside the organization, process a high volume of emails, or handle sensitive information are most likely to be phishing targets. This includes CEOs, CFOs, Directors, HR and sales reps. We focus on testing the systems of these users to identify risks.
The purpose of a vulnerability scan is to automatically identify and report on known vulnerabilities that may exist in your systems. To run our vulnerability scan, we provide you with an executable file that you can run as a standard user on your company desktop. The program checks for security risks like:
- accounts without expiring passwords
- the same local admin account on multiple machines
- passwords saved in the browser
- reused passwords
- computers not running Windows Pro or greater
- whether your firewall appears to be analyzing traffic and blocking potentially malicious traffic
- unsecured personally identifiable information
- unencrypted drives
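The checks in the list above can be approximated with built-in Windows tooling. The following PowerShell script is an added example written for this article, not E-N Computers' scanner; it covers four of the listed items (non-expiring passwords, Windows edition, firewall profiles, and drive encryption) as a read-only self-check that a standard user can run on a single desktop. It assumes Windows 10 or 11 with the built-in LocalAccounts, NetSecurity, Storage and CIM cmdlets, and reads BitLocker status through the Shell property System.Volume.BitLockerProtection so that no elevation is needed; the meaning of that property's numeric values is taken from the Windows shell documentation and is treated as an assumption here. Shared local admin accounts, browser-saved passwords and reused passwords need data from more than one machine or from browser profiles and are not covered.

```powershell
# Added example (not E-N Computers' scanner): a read-only self-check that a standard
# user can run on one Windows desktop to surface some of the risks listed above.
# Assumptions: Windows 10/11 built-in cmdlets; BitLocker status is read via the
# Shell COM property System.Volume.BitLockerProtection (no elevation required).

function Get-LocalAccountRisks {
    # Enabled local accounts whose password never expires (PasswordExpires is $null)
    Get-LocalUser |
        Where-Object { $_.Enabled -and ($null -eq $_.PasswordExpires) } |
        Select-Object @{n='Item'; e={"Local account: $($_.Name)"}},
                      @{n='Risk'; e={'Password never expires'}}
}

function Get-WindowsEditionRisk {
    # Home editions lack BitLocker and Group Policy; the page asks for Pro or greater
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    if ($caption -match 'Home') {
        [pscustomobject]@{ Item = $caption; Risk = 'Not Windows Pro or greater' }
    }
}

function Get-FirewallProfileRisks {
    # Any of the Domain/Private/Public profiles with the firewall switched off
    Get-NetFirewallProfile |
        Where-Object { -not $_.Enabled } |
        Select-Object @{n='Item'; e={"Firewall profile: $($_.Name)"}},
                      @{n='Risk'; e={'Windows Firewall disabled for this profile'}}
}

function Get-DriveEncryptionRisks {
    # Assumed value meanings for System.Volume.BitLockerProtection:
    # 1 = on, 2 = off, 3 = encrypting, 4 = decrypting, 5 = suspended, 6 = locked.
    # Anything other than 1 (including $null on editions without BitLocker) is reported.
    $shell = New-Object -ComObject Shell.Application
    Get-Volume |
        Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' } |
        ForEach-Object {
            $status = $shell.NameSpace("$($_.DriveLetter):").Self.ExtendedProperty('System.Volume.BitLockerProtection')
            if ($status -ne 1) {
                [pscustomobject]@{
                    Item = "Drive $($_.DriveLetter):"
                    Risk = "BitLocker protection status '$status' (not fully on)"
                }
            }
        }
}

# Collect all findings into one list; @() wrapping keeps empty results from adding $null rows
$findings = @()
$findings += @(Get-LocalAccountRisks)
$findings += @(Get-WindowsEditionRisk)
$findings += @(Get-FirewallProfileRisks)
$findings += @(Get-DriveEncryptionRisks)

if ($findings.Count -eq 0) {
    Write-Output 'No findings for the checks performed.'
} else {
    $findings | Format-Table -AutoSize
    # Optional: keep a copy for the assessment file (path is a placeholder)
    $findings | Export-Csv -Path "$env:USERPROFILE\desktop-selfcheck.csv" -NoTypeInformation
}
```

Run it in a normal (non-elevated) PowerShell window; each finding is one row with the item checked and the risk observed, which maps directly onto the accounts, firewall and encryption sections of the report described below.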
After completing the interview, phishing test, and vulnerability scan, we prepare a multi-part report that covers backups, accounts, Microsoft 365 (if you use it), patches, antivirus, firewalls, education, encryption, and surveillance (i.e. whether your alerts are properly configured).
We can also provide a Cyber Insurance Assessment that presents this information in the context of questions and requirements that cyber insurers and their underwriters have.
What’s the difference between a vulnerability scan and a penetration test?
Vulnerability scans and penetration tests are different in at least five areas: purpose, method, depth, reporting, and price. The table below provides an overview of the differences.
| | Vulnerability scan | Penetration test |
|---|---|---|
| Purpose | List known vulnerabilities as a starting point for further investigation and remediation | Identify and exploit vulnerabilities and assess the amount of damage that could be caused |
| Method | Automated | Manual, by skilled security professionals |
| Depth | Looks for known vulnerabilities like missing software patches, bad configurations, and unsafe password practices | More comprehensive test that requires creativity and adaptation, and which can find emerging or novel attack routes |
| Reporting | List of identified risks and their pre-defined severity level, along with basic remediation steps | Detailed explanation of discovered vulnerabilities, methods used to exploit them, and their security impact. Detailed recommendations for mitigation and remediation included. |
| Pricing | $1,000 to $5,000 | $5,000 to $40,000 |
What should I do after a third-party security risk assessment?
Use the findings and recommendations from the report to make security improvements. Work with your internal IT, current managed service provider, or an IT consultant to harden your systems against attacks and receive appropriate alerts. Although we specialize in cybersecurity and compliance, you are not obligated to work with us to implement any of our recommendations.
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.
Is your business ready to weather changes, including employee turnover? Find out by taking our IT maturity assessment.
You’ll get personalized action items that you can use to make improvements right away. Plus, you’ll have the opportunity to book a FREE IT strategy session to get even more insights into your IT needs.