Cybersecurity Risk Assessment Common Findings: Data Protection

April 27, 2022 Mike Smith

What are the most common findings, when a 3rd party performs a cybersecurity risk assessment for a company, specifically in regards to data protection?

In the video below, Mike explains a few easy things your company can implement for data protection that'll make you look good when you eventually have a formal cybersecurity risk assessment.

Don't be afraid to ask Mike today for his recommendations on the best cybersecurity vendors to quote for a formal risk assessment. Click the button below right now.

Ask Mike

About Mike

Mike Smith AeroCom

Mike Smith is the Founder and President of AeroCom and has been helping companies with telecom and cloud services since 1999. He has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the top 40 business people in Orange County, CA, under 40 years old. You can also hear him as the host of the popular Information Technology podcast, ITsmiths with Mike Smith. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.

Transcript

Your company is thinking about doing a cybersecurity risk assessment. Before you do, you're wondering: what are some of the most common findings companies have when they do a cybersecurity risk assessment? Is it something we could just handle ahead of time? Is it obvious stuff I don't want to be embarrassed by when I do one of these risk assessments and they say, "Why didn't you even do this?"

Maybe some companies want to knock some of that stuff off before they get the formal risk assessment.

Well, that's totally understandable. That's why I'm making this video series. It's on the most common findings of a cybersecurity risk assessment. Some of the stuff is easy, and you can do it upfront before the formal risk assessment. I do still think a formal risk assessment is necessary.

By no means am I trying to say you should do this risk assessment on your own, because there's no way I can cover all this stuff in a video series. After all, I am a salesperson. I'm not a cybersecurity engineer or an ethical hacker or anything like that. You definitely want to do a formal one. If you can knock some of the easy stuff off ahead of time, it'll let the risk assessment organization focus on the real stuff: the things that are difficult to implement, that you really need to focus on, and that you need some extra help with. That's the point of this video series.

We’re using the CIS Framework

I'm using the CIS framework as a basis for the video series. In this video in particular, I'm going to talk about data protection, which is the third control of the CIS framework.

Get a personal recommendation on vendors

Before I get too deep into the video, just a quick plug. If you want to know which companies your organization should be quoting for a cybersecurity risk assessment, don't just look it up on the internet. Reach out and contact me via email or by phone (714.593.0011). I'm a broker for all the major service providers out there, and at no charge to you I can give you some great recommendations. More on that at the end of the video. As always, if you like the video, please hit the like button down below and subscribe to the channel. It would really be a big favor to me.

Have a policy

The most common findings of a cybersecurity risk assessment using the CIS framework, Control 3, which is data protection.

The most common finding around data protection is simply that companies typically don't have a policy in place for identifying, classifying, storing, protecting and deleting data.

They don't know how to... Not that they don't know how, but they haven't taken the time to at least classify it.

What are the different types of data sitting within our organization? Classifying the different types, and identifying the sensitive data we have hanging around. How are we storing it? How are we disposing of it? Who has access to it? Do our employees know how to treat it? All that stuff. That's the most common finding. It sounds really simple, but once you start diving in, it is a little bit detailed. You do have to have a policy in place. For instance, because a lot of companies don't have a policy, employees might be doing things like putting their HR information on a sheet.

Here’s an example

Maybe HR asked them to fill out a form, and that form has their Social Security number on it, all this different stuff. They just scan it and email it to the HR department. Well, that's a lot of sensitive information going over email. Maybe they take a picture of it with their cell phone and text it to the HR department. Well, if you're really worried about your company's cybersecurity and your risk, you want to make sure employees know that's not a good idea. That is not a secure way to transfer PII or PHI. That's really sensitive. Employees need to know that stuff. The HR department needs to know that stuff. Everyone needs to know that stuff, and everything similar. What are the remedies to this? How do you get started? Well, first is to create a policy. In that policy, obviously, you're identifying the different types of data out there and creating a normal policy.

Then what?

Once you create the policy, you definitely want to revisit it and review it every single year. You want to be checking it every single year. With that policy, you want to make sure you're training all of your employees on it.

User Access

Another good thing to do is to make sure you're also controlling user access to certain types of sensitive data, making sure that if there are certain types of data out there, only certain employees have access to it.

Where it’s stored

Another good idea, just a simple thing you can do right out of the gate, is once you identify the sensitive data, identify where it's being stored, and encrypt those devices. You're encrypting laptops, or anything a user might be using or have sensitive data sitting on. Make sure that stuff is encrypted.

Summary

Those are just some of the basics. There's a lot more to data protection than that. Those are just some of the things I would call low-hanging fruit, that you could handle upfront without hiring a formal cybersecurity company to come in, do a risk assessment, and tell you that you need to do it. That's something you could do right away. Create a policy, review it annually, train everybody on it. Encrypt the information when it's sitting on certain devices. Make sure users don't have access to sensitive data if they don't need access to that data. Decide who really needs the access and who doesn't, that type of stuff. That's just easy stuff to do right out of the gate. That'll save you some money on the risk assessment and give that risk assessment company more time to spend on the important stuff.
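The one step in the summary above that is easy to start with a script is "identify the sensitive data and where it's being stored." What follows is an added example written for this page, not code from AeroCom or from the video: a small data-discovery scanner that runs over a few constructed sample files (the paths and contents are made up and embedded inline), looks for Social Security numbers and payment card numbers with validity checks so random digit runs are not reported as hits, tags each file with a classification level, and reports only masked values so the report itself does not become another copy of the sensitive data. The three-tier labels (Restricted, Confidential, Internal) are an assumed scheme, not something the page defines; substitute your own policy's tiers.

```python
"""Added example: discover and classify sensitive data in text files.

Scans a set of documents for Social Security numbers, payment card numbers
and e-mail addresses, applies validity checks so random digit runs are not
reported, assigns each document a classification level, and reports only
masked values. The classification tiers and the sample documents are
assumptions for this example, not something defined on the page.
"""
import re
from typing import Dict, List

# SSN in 3-2-4 form, separators optional; issuance rules applied below.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Payment card number: 13 to 19 digits, optionally separated by spaces/dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Assumed three-tier scheme: the strictest type found decides the level.
LEVEL_BY_TYPE = {"ssn": "Restricted", "pan": "Restricted", "email": "Confidential"}
DEFAULT_LEVEL = "Internal"


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999 are never issued,
    nor is group 00 or serial 0000. Rejects most order/ticket numbers."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card issuers; a random 16-digit run fails 9 times in 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return {type: [masked matches]} for the sensitive data found in text."""
    findings: Dict[str, List[str]] = {"ssn": [], "pan": [], "email": []}
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings["ssn"].append("***-**-" + m.group(3))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings["pan"].append("*" * (len(digits) - 4) + digits[-4:])
    for m in EMAIL_RE.finditer(text):
        findings["email"].append("*@" + m.group(0).split("@", 1)[1])
    return {k: v for k, v in findings.items() if v}


def classify(findings: Dict[str, List[str]]) -> str:
    """Pick the strictest level among the data types present."""
    levels = {LEVEL_BY_TYPE[t] for t in findings}
    for level in ("Restricted", "Confidential"):
        if level in levels:
            return level
    return DEFAULT_LEVEL


def scan_documents(docs: Dict[str, str]) -> List[dict]:
    """docs maps a storage location (path) to its text; returns one row per doc."""
    rows = []
    for path, text in docs.items():
        findings = scan_text(text)
        rows.append({"path": path, "level": classify(findings), "findings": findings})
    return rows


# Constructed sample documents standing in for files found on a file share.
SAMPLE_DOCS = {
    "shares/hr/onboarding/j.doe-w4.txt": "Name: J. Doe\nSSN: 219-09-9999\nEmail: j.doe@example.com\n",
    "shares/finance/refunds-q1.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456\n",
    "shares/marketing/newsletter.txt": "Contact press@example.com. Ticket ref 000-12-3456.\n",
    "shares/public/faq.txt": "Our office opens at 9 am.\n",
}

if __name__ == "__main__":
    for row in scan_documents(SAMPLE_DOCS):
        print(f"{row['level']:<12} {row['path']}")
        for dtype, values in row["findings"].items():
            print(f"    {dtype}: {', '.join(values)}")
```

Two of the constructed files show why the validity checks matter: the ticket reference 000-12-3456 in the newsletter has the shape of an SSN but an area number the SSA never issues, and the second card number in the refunds file fails the Luhn check, so neither is reported. Point `scan_documents` at real file contents (or a mailbox export, which is where the HR form in the example above would end up) and the output is the "what sensitive data do we have and where is it" list the policy step asks for, without the script itself writing full SSNs or card numbers to disk.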

Don’t be afraid to ask me

I hope that was helpful. If you want to know my recommendations on the best cybersecurity companies to quote for a risk assessment, don't just Google it. There are hundreds, if not thousands, of options out there, and you don't want to end up with the wrong company. Contact me via email or phone (714.593.0011) and just ask.

Based on your requirements, I'll recommend the small handful of companies you should be quoting, give you introductions to those companies, oversee the quoting process, and all that good stuff. The nice thing is, those companies pay me my broker fee. You don't have to pay me a dime for it. No reason not to at least reach out, contact me, and ask me for my opinion on this stuff. Hope this was useful. If so, don't forget to hit the like button down below and subscribe to the channel. I'll see you on the next video.
