Every new year, individuals resolve to improve themselves somehow, by, say, vowing to lose weight, watch less TV, save money, or, most commonly, read more cyber security blogs. For individuals and our host of foibles, there are dozens of beneficial ways to accomplish self-betterment, most equally vital.

For organizations with a culture of continual improvement, and in an environment in which cyber attacks and malware are a growing threat to your increasingly digitally-dependent work, one resolution should rank above all: improve the organizational security posture through a third-party cyber assessment.

Make this your corporate new year's resolution, if nothing else.

Understand, cyber security isn't just about securing your company's web site or avoiding the minor inconveniences of all those emails purportedly from needy Nigerian barristers. Breaches can cause the loss of sensitive data like trade secrets, customer accounts, or personal health information, leading to loss of competitive advantage, hefty fines and foul publicity. Even seemingly minor malware can represent a major drag on productivity, both personal and technical, when taken on the enterprise level.

As everything your organization does depends in some way on its technical infrastructure, an ounce of prevention can stave off massive failure down the road, just as changing engine oil promotes engine life and visiting your dentist twice a year promotes good dental health.

In 2014, make a third-party cyber assessment, a simple one-day or two-day checkup, a requisite part of your IT hygiene.

Why an Assessment? I Haven't Been Breached and Am Compliant

If an organization has not suffered any type of data breach or security compromise in the past, it is easy to get complacent. If there have not been any security incidents in the past, why expend any precious budget to build defenses against seemingly phantom attacks?

Ignorance is the weakest defense to fall back on after a security incident actually occurs. (The threat data is out there. Start with Verizon's comprehensive report or the Ponemon Cyber Security Institute's.) There are plenty of world-class forensics companies ready to evaluate how and why an organization was compromised. The greater challenge is to construct a resilient and multi-layered defense that prevents data breaches in the first place and removes the need to conduct forensic investigations.

A focus on audits and compliance often overlooks obvious cyber security infrastructure flaws. Being compliant with government (e.g., FISMA) or industry regulations (e.g., HIPAA) does not mean the appropriate security controls are in place and have been deployed properly. Only a rigorous cyber security assessment can do that.

Vulnerabilities Exist in Your Organization

This isn't a scare tactic, but a statement of fact. Vulnerabilities exist in your organization and it may take you months to find them, if ever. According to the Verizon Data Breach Investigation Report, more than 62% of breaches take months or longer to be discovered. How can an organization protect against something if it is not aware it exists? In the world of cyber security this means uncovering and identifying vulnerabilities. These are typically flaws in software or hardware that allow unintended activities to occur. Running anti-virus software is only one piece in an integrated defense strategy. Identified viruses which have signatures developed for them -- and are therefore in anti-virus suites -- are an initial starting place. Unidentified malware, however, may still exist somewhere on the enterprise networks.

Scanning each and every connected end point device is necessary to identify where to look further for potential malware. Software scanning products can then compare what is found against databases of vulnerabilities identified ‘in the wild’ by cyber security vendors.

Time for Consultation: Why Assessments Should Be Third Party

No matter how well-intentioned or diligent, your IT team is busy with any number of immediate-timeline, mission-critical activities. It may be break-and-fix work, maintaining network uptime, rolling out new functional capabilities, testing software applications, or any of the long, long list of activities your department must perform. All of these are necessary activities, demanding time and attention from the limited resources of an IT staff, and day-to-day business demands often get attention before ‘softer’ strategic objectives that may not be immediately measurable.

Third-party consulting firms, however, won't be caught up in any day-to-day issues. They can remain laser-focused on improving cyber security posture without the worry of interruption by a malfunctioning laptop or a problem with the mail server. They can remain focused on objectives that might otherwise be pushed down the project activity stack. If you think of cyber security in the familiar fortress analogy, you don't want to allow your walls to be breached because your soldiers and sentinels are inside fixing a stove.

Further, the fact that your IT staff understands technology no longer means they are necessarily qualified to conduct cyber assessments. As threats and technology evolve, cyber security is becoming an increasingly specialized discipline, just as many other disciplines have evolved. For example, podiatrists don't treat their own heart conditions, instead referring themselves to a cardiologist. Intellectual property lawyers aren't likely to represent themselves as defense attorneys. Architects probably aren't going to install their own heating equipment. As IT diversifies and cyber threats grow stronger, a third party whose sole focus is remediation of cyber attacks, and which has demonstrated performance doing so, represents a tremendous value-add to your organization.

Asking Tough Questions

A third-party firm will also not be afraid to challenge the status quo and ask the right questions, questions which might be invaluable yet lost to politeness within an organization. For example, security policies may exist on paper, but are they truly followed in operations? Yes, employees are trained not to click on email from unknown users, but can they resist a well-formed phishing attack? Strong passwords are required for all users, but do they write login credentials on yellow post-it notes stuck to their monitor?

Unauthorized software is not allowed on protected end devices, but has this restriction been compromised by malware that performed successful escalation of privileges?

A third-party firm will be able to ask the hard questions that may prove embarrassing to someone or some group.

Assessment Sizes and Flavors

Getting started with a technical cyber security assessment is a small investment of time and resources. When NJVC defines an engagement, a checklist of questions is used to evaluate what portion of the enterprise IT infrastructure should be considered. The objective is to select an appropriate network subdomain that can be scanned and evaluated, and begin to determine what may be lurking. The intent is to identify what is unknown in one portion of the enterprise before extending to the entire organization.

This initial engagement typically involves only a single cyber engineer armed with an appropriate software toolkit. With sufficient privileges, this initial evaluation can be conducted remotely, but most often it is far more advantageous to have that engineer onsite, able to interact with in-house staff as needed. An initial scan can be conducted in as little as a single day onsite.

Identifying Security Gaps

Invariably, gaps are identified where sufficient cyber defenses are not in place to remove or counteract unauthorized software. Establishing and maintaining an adequate baseline of authorized software lets anything outside that baseline be flagged as potential malware. Once identified, a mitigation plan can be formulated to contain or eliminate vulnerabilities.
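The two checks the post describes (comparing scanned end points against a baseline of authorized software, and against a vulnerability database) in one pass, as an added illustration that is not NJVC's toolkit or code from the original post; the inventory, hashes, product names and advisory ids below are constructed placeholders.

```python
"""Compare an endpoint software inventory against an authorized-software baseline
and a known-vulnerable-version list, producing prioritized findings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Installed:
    host: str
    name: str
    version: str
    sha256: str  # hash of the main binary as reported by the endpoint scan (constructed)


# Constructed authorized-software baseline: product name -> (approved version, approved hash).
BASELINE = {
    "acme-vpn": ("4.2.0", "aaaa1111"),
    "officesuite": ("2013.1", "bbbb2222"),
}

# Constructed vulnerability database: (product, version) -> placeholder advisory id.
VULN_DB = {
    ("officesuite", "2012.0"): "ADVISORY-PLACEHOLDER-1",
}


def assess(inventory):
    """Return (severity, host, finding) tuples, highest severity first (3 = act now)."""
    findings = []
    for item in inventory:
        approved = BASELINE.get(item.name)
        if approved is None:
            # Not on the baseline at all: treat as potential malware until reviewed.
            findings.append((3, item.host, f"unauthorized software: {item.name} {item.version}"))
            continue
        version, sha = approved
        if item.version == version and item.sha256 != sha:
            # Right version string but wrong binary: possible tampering or trojanized copy.
            findings.append((3, item.host, f"hash mismatch for {item.name} {item.version}"))
        key = (item.name, item.version)
        if key in VULN_DB:
            findings.append((2, item.host, f"vulnerable version {item.name} {item.version} ({VULN_DB[key]})"))
        elif item.version != version:
            # Drifted from the approved version without a known advisory: lower priority.
            findings.append((1, item.host, f"out-of-baseline version {item.name} {item.version}"))
    return sorted(findings, key=lambda f: (-f[0], f[1]))


# Constructed sample scan of five workstations.
SAMPLE_INVENTORY = [
    Installed("ws-01", "acme-vpn", "4.2.0", "aaaa1111"),     # matches baseline
    Installed("ws-02", "acme-vpn", "4.2.0", "deadbeef"),     # hash mismatch
    Installed("ws-03", "officesuite", "2012.0", "cccc3333"),  # known-vulnerable version
    Installed("ws-04", "remote-tool", "1.0", "dddd4444"),    # not authorized
    Installed("ws-05", "officesuite", "2013.2", "eeee5555"),  # version drift
]

if __name__ == "__main__":
    for severity, host, finding in assess(SAMPLE_INVENTORY):
        print(f"[{severity}] {host}: {finding}")
```

The output lists the two severity-3 items first, which is the order in which a mitigation plan would address them.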

Over time, enterprise vulnerabilities can be prioritized so that enhanced protections for key corporate data assets are put in place first, before moving on to mitigate less likely attack vectors.

Eventually, the digital enterprise which your organization depends on so vitally will be afforded the level of protection and hygiene appropriate to its importance.

If a journey of a thousand miles begins with a single step, the journey to cyber security begins with an assessment; the first movement toward a secure IT environment is a resilient, multi-layered defense. Once an organization knows where it is vulnerable, it can begin to plan how to mitigate identified risks and maintain a sound defensive posture throughout 2014 and beyond.

Stay vigilant and have a truly happy new year.