Cybersecurity Risk Assessment Common Findings: Configuration of Enterprise Assets and Software

May 25, 2022 Mike Smith

What are the most common findings of a cybersecurity risk assessment with regard to the configuration of enterprise assets and software?

In the video below, Mike explains why IoT devices and USB drives are the most common gaps found in CIS Control #4, when vendors are hired to perform a formal cybersecurity risk assessment.

Want Mike’s recommendations on the best companies to quote for a cybersecurity risk assessment, for your organization? Click the button below and ask him today.


About Mike


Mike Smith is the Founder and President of AeroCom and has been helping companies with telecom and cloud services since 1999. He has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the top 40 business people in Orange County, CA, under 40 years old. You can also hear him as the host of the popular Information Technology podcast, ITsmiths with Mike Smith. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.

Transcript

Your company is looking into doing a formal cybersecurity risk assessment. I think that’s a great decision, but what you’re probably wondering is, “Before we jump in, are there some simple things that we can definitely knock off the list right away without having a formal company come in and do the full assessment?” What that’ll do is it’ll allow that formal assessment to go deeper, as opposed to just picking off the easy stuff that you could have done very simply right out of the gate. It’ll help you get to more of the advanced stuff, so you’re making sure you’re getting the most bang for the buck if that’s something your company’s paying for.

Well, that’s a great idea. Let’s find the most common findings with a cybersecurity risk assessment. I’ve done a video series on this, and today, I’m going to be talking about CIS control number four. What are the most common findings when it comes to control number four, which is a secure configuration of your company’s software assets and physical assets?

Ask Mike about Risk Assessment Vendors

But before I get too deep into that, just a quick plug. If you’d like to know my recommendations on the best cybersecurity risk assessment companies to quote for your organization, don’t Google it. Just contact me, via email or by phone (714.593.0011). I’m a broker for all the major service providers out there, and it won’t cost you anything. More information on that at the end of the video.

It’s not the obvious stuff

Okay, so what are the most common findings of a cybersecurity risk assessment when it comes to CIS control number four, which is a secure configuration of enterprise assets and software? What are the things that companies find when it comes to this category that they find time and time again with organizations when it comes to looking at this specific category and the risks that companies are leaving themselves open to?

Well, there’s some obvious ones in there that companies are already pretty much doing is making sure all the software they have is configured the same way, and it’s updated regularly. Companies usually do a decent job at that type of stuff, so they’re not using outdated software with the wrong configuration on it. That’s fairly common that companies have that under control.


IoT and USB Drives

One thing that is the most common, though, when it comes to this control is actually having a secure configuration policy for IoT devices and USB drives.

Those are two areas that, a lot of times, companies really don’t have a procedure for or really don’t have a policy or a way to continue to check on that, and you can Google it in terms of like, “Hey, what’s a good policy to have for IoT devices?” One of them might be to have them all log into a separate Wi-Fi network from the rest of your devices. That might be one thing that you might have that might be a fit. There’s a lot of different things that might fit for IoT devices.

Same thing with USB drives. USB drives, maybe the policy is they aren’t allowed, and they’re blocked, or maybe that you have something set up to not let them autorun when they plug in or that they’re automatically scanned, and only certain people can plug them into their devices, and certain people can’t.

In Summary

But do you have a written procedure for both of those items? That is the most commonly overlooked area when it comes to CIS control number four is companies do not have a written procedure when it comes to the secure configuration of IoT devices and USB drives.

Ask Mike about Cybersecurity Risk Assessment Vendors

I hope that was helpful. Again, if you’d like my recommendations on the best companies to quote for your organization for a formal cybersecurity risk assessment, don’t Google it. There’s hundreds of options out there. You’ll probably end up with the wrong ones. Instead, just contact me by email or phone (714.593.0011).

I’m a broker for all these companies. I’ve been in business for over 18 years. I think it’s 19 now, and I’m happy to help you. This is something I do every day, and I’ll ask you a few questions that’ll help me kind of narrow the field. Then, I’ll introduce you to the right companies and oversee the quoting process. The nice thing is those vendors pay my company my broker fee, so you, as an organization, do not have to pay me for my recommendations. Isn’t that great? So, there’s no excuse not to at least reach out and see what I have to say.

I hope this video, again, was helpful. If it was, don’t forget to hit the like button down below and subscribe to the channel. That would be a big favor to me. I’ll catch you on the next one.
