Cyber attacks and data breaches are on the rise. According to the 2019 Hiscox Cyber Readiness Report, 47% of small firms (fewer than 50 employees) and 63% of medium-sized firms were victims of a cyber attack in 2019. Yet even with daily reports of new breaches, companies are regularly surprised to learn just how vulnerable they are. Unfortunately, many will not realize it until it is too late and they join these statistics: they fall victim to an attack and face the consequences of lost business and the large cost of recovery, if they recover at all.
When preparing to invest in your cybersecurity posture, the most useful tool is an assessment. An assessment gives you a baseline for your risk, uncovers blind spots and vulnerabilities in your systems, and measures the effectiveness of your security program. With that baseline you can develop a strategy to mitigate, transfer, or manage the risk, and make better-informed decisions about where to invest your time and budget, addressing the most significant priorities first.
These assessments help you identify the weaknesses in your cybersecurity strategy before someone tries to exploit them. Windes works with thousands of businesses and understands a variety of industries, including healthcare, finance, professional services, manufacturing, transportation, and AEC. Using this industry-specific knowledge, we are well suited to assess the risks that are unique to your industry. We can customize the process for a business of any size, in any industry, and with any budget.
Our comprehensive cybersecurity assessment includes:
- Cyber Risk & Resilience Review
- Risk Ranked Vulnerabilities
- Information Security
- Discover Vulnerabilities
- Business Continuity
- 12 Month Tactical Plan
- 18-24 Month Strategic Plan
Would you rather know about the vulnerabilities in your systems before cybercriminals exploit them? Penetration testing is a simulation of what would happen in a real-world cyber attack. Our white hat hackers execute a suite of attack scenarios that find and take advantage of the gaps in your network security. After a penetration test, you will know the different ways an attacker could disrupt your business, steal your information, or ransom your data.
Penetration testing can help identify many of the vulnerabilities and attack vectors that are common across businesses, including the following:
- SQL Injection
- Packet Sniffing
- Spoofed communications
- Buffer overflow exploit
- Integer overflows
- Enterprise DMZ Breach
- Linux stack overflow exploit
- Injectable Shellcode
- Dlmalloc Heap Overflow exploits
- Windows Kernel Rootkits
User Risk Assessment
It would be nice if we could eliminate every discoverable exploit with software or hardware tools, but the reality is that finding technical vulnerabilities is only the first step. It is generally accepted in the cybersecurity community that the weakest link in most companies’ network security is the people who use it. Social engineering is at least partly responsible for the majority of the most successful and newsworthy hacks.
Social engineering is when an attacker uses interaction with a person to obtain the access needed to compromise a system, either by tricking that person into providing information or into taking an action that opens the door to the attacker. Phishing is the most common form of social engineering attack. Phishing uses emails, social media, or malicious websites to collect private data from users. Often the attacker then uses this information to establish credibility with the user and get them to reveal even more sensitive data.
For instance, an attacker may pose as the IRS in an email to solicit financial information from a person. The attacker may ask outright, direct the person to a malware-hosting site, or ask the person to download a document that contains malware. The key, of course, is that the victim believes the attacker to be who they claim to be and hands the information over voluntarily.
All this has significant consequences to an organization. It only takes one employee to click on the wrong link or open the wrong email and your entire business could be at risk.
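The IRS example above has the red flags that a phishing-awareness program teaches people to spot: the message pressures the reader, replies are routed to a different domain than the sender shows, and the visible link text names one site while the link actually points elsewhere. The following is an added example, not code from this page or from Windes, showing how those same checks can be applied mechanically to an email. The two messages, every domain and address in them, and the keyword list are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail): one is an attacker posing as the
# IRS, the other a benign internal notice. All domains here are illustrative.
PHISH = """\
From: "IRS Refund Department" <refunds@irs-gov-notice.example>
Reply-To: collect@mailbox.example
To: employee@corp.example
Subject: URGENT: Action required to release your tax refund
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your refund is on hold. Verify your account within 24 hours.</p>
<p><a href="http://198.51.100.23/verify">https://www.irs.gov/refunds</a></p>
</body></html>
"""

BENIGN = """\
From: "Payroll" <payroll@corp.example>
To: employee@corp.example
Subject: October pay stubs are available
Content-Type: text/plain; charset="utf-8"

Your pay stub is available in the HR portal: https://hr.corp.example/paystubs
"""

# Assumed phrase and extension lists; a production filter would use far longer ones.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "action required")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".docm", ".xlsm")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def domain_of(header_value):
    """Domain part of an address header such as From or Reply-To ('' if absent)."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url):
    """Hostname of a URL; bare 'www.x.y' link text is treated as http://www.x.y."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_red_flags(raw_message):
    """Return a list of human-readable red flags found in an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Replies silently routed to a different domain than the sender shows.
    from_domain, reply_domain = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 2. Pressure language in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    found = sorted(p for p in URGENCY_PHRASES if p in text)
    if found:
        flags.append("Urgency language: " + ", ".join(found))

    # 3. Links whose visible text names one host but whose href goes elsewhere,
    #    and links to raw IP addresses (no domain to check a reputation for).
    for href, visible in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", visible).strip()
        if ("://" in shown or shown.startswith("www.")) and host_of(shown) != host_of(href):
            flags.append(f"Link text shows {host_of(shown)} but points to {host_of(href)}")
        if IPV4_RE.match(host_of(href)):
            flags.append(f"Link target is a bare IP address: {host_of(href)}")

    # 4. Attachments of types that execute or carry macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"Executable or macro-enabled attachment: {name}")
    return flags


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, phishing_red_flags(raw))
```

The checks are deliberately the same ones a person is trained to make, so the output doubles as a teaching aid when reviewing the results of a simulated phishing campaign: each flag names the specific cue the recipient should have noticed.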
To illustrate how much of a threat phishing attacks alone pose to every company:
- 95% of successful attacks on enterprise networks are phishing-based
- 76% of businesses have been a victim of a phishing attack in the last year
- 30% of phishing emails are opened by the target
- 43% of breaches are attacks on small and medium businesses
This illustrates why our cybersecurity assessment includes an assessment of user risk. These assessments can include password audits, in which the organization’s password hashes are tested with dictionary, rule-based, and brute force guessing to find passwords that are too simple. They also include simulated phishing attacks to determine whether a company’s employees recognize the red flags that indicate a phishing email and know how to respond appropriately.
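To make the password audit concrete, here is an added example (not code from this page or from Windes) of the two guessing methods mentioned above. It generalizes slightly beyond the text: besides brute force over short all-digit passwords, it shows the dictionary-plus-rules approach that actually finds most weak passwords in practice. The account names, passwords, and wordlist are constructed, and the unsalted SHA-256 hash is an illustrative stand-in for whatever hash format the audited directory really stores.

```python
import hashlib
import itertools


def digest(password):
    """Hash one candidate the way the audited store does. Unsalted SHA-256 is an
    illustrative stand-in here; a real audit uses the directory's own hash format."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed audit input: password hashes for five hypothetical accounts.
ACCOUNT_HASHES = {
    "alice": digest("Summer2019!"),
    "bob": digest("password1"),
    "carol": digest("Welcome123"),
    "dave": digest("4821"),
    "erin": digest("xq7#Lm!9vZ2pR&c4"),  # long random password; should survive the audit
}

# A tiny wordlist; real audits use multi-million-entry lists plus company-specific terms.
WORDLIST = ["password", "summer", "winter", "welcome", "qwerty", "letmein"]


def mangle(word):
    """Yield the variants users typically make from a base word (a cracker's 'rules')."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!", "2019", "2019!"):
            yield base + suffix


def dictionary_audit(hashes, wordlist):
    """Dictionary attack: hash every mangled wordlist entry once, then look up each account."""
    table = {}
    for word in wordlist:
        for candidate in mangle(word):
            table.setdefault(digest(candidate), candidate)
    return {user: table[h] for user, h in hashes.items() if h in table}


def brute_force_digits(hashes, max_len=4):
    """Brute force attack: try every all-digit string up to max_len characters."""
    targets = {h: user for user, h in hashes.items()}
    found = {}
    for length in range(1, max_len + 1):
        for digits in itertools.product("0123456789", repeat=length):
            candidate = "".join(digits)
            user = targets.get(digest(candidate))
            if user:
                found[user] = candidate
    return found


def weak_accounts(hashes, wordlist):
    """Union of both methods: the accounts whose passwords must be reset."""
    found = dictionary_audit(hashes, wordlist)
    found.update(brute_force_digits(hashes))
    return found


if __name__ == "__main__":
    for user, password in sorted(weak_accounts(ACCOUNT_HASHES, WORDLIST).items()):
        print(f"{user}: weak password {password!r}")
```

The point the output makes is that "Summer2019!" satisfies most length and complexity rules yet falls to a six-word list with a handful of rules, while a long random password is untouched by both methods. Exhaustive brute force only ever reaches very short passwords, which is why the dictionary-and-rules step does most of the work in a real audit.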
Cyber Risk & Resilience Review
To be effective, a cyber risk and resilience review should assess your technology, your processes, and your people. Our complete cyber risk and resilience assessment is based on the internationally recognized NIST and ISO cybersecurity frameworks. We review over 130 controls across 12 domains and follow a specific process:
- Gather existing policies and procedures
- Gather information on existing processes
- Team role and structure review
- IT and cybersecurity capability review
- On-site data gathering
- SWOT assessment
- Regulatory framework mapping
- Final report deliverable
- Maturity model scoring
- 3 year strategic roadmap
In today’s world the most important assets of most companies exist in digital form: personally identifiable information of employees and customers, proprietary business processes, customer lists, business research and data, intellectual property, and the work product their employees produce. Information security is about protecting these things.
An information security plan’s primary focus is the confidentiality, integrity, and availability of data. It is imperative that companies design and implement appropriate safeguards for their important business data. This should include:
- Identifying valuable information and assets
- Evaluating the systems and controls already in place
- Evaluating risks, identifying threats and vulnerabilities
- Analyzing how to prevent and mitigate risks
- Designing and implementing security controls
- Constant monitoring and making adjustments when necessary
- Business Continuity and Redundancy Protocols