A thorough cyber risk assessment is foundational to a robust information security program (ISP). Without one, you risk leaving gaps in your defenses or spending time and money on things you don’t need. Consequently, this assessment is a key requirement of all the versions of the NAIC Insurance Data Security Model Law adopted by the states. If you’re not a tech expert, however, you may wonder what to check.

A colleague, Fred Karlinsky, puts it simply: “You need to know where your data lives and how it walks around.” After all, we live in a world where – more than ever – we can work from anywhere. There are four main areas to review: hardware, software, data assets, and access needs. In this series, we’ll look at each of these areas to discover best practices for risk assessment, starting with hardware.
Defining “Hardware”
When mapping hardware, you need to include ANY device that connects to your data network or uses your Wi-Fi. This includes obvious things such as servers, routers, desktop computers, and laptops, but also printers, scanners, security/surveillance systems, etc. Physical security measures also fall into this category.
The hardware assessment should also include Internet of Things (IoT) devices such as smart thermostats. A colleague once shared the story of a hack that began with a “smart” vending machine that used the company’s Wi-Fi to transmit re-stock orders to the supplier. If you can’t trust the Coke machine, who can you trust?!?
What to Check
You should be able to answer the following questions about your hardware:
What is the item and how does it connect to your wider IT system?
Where possible, make note of the model and serial numbers as well as the device’s current location. Remember that techs often upgrade hardware over time (more memory, a better graphics or sound card, etc.), so don’t rely solely on the labels that appear on the device case.
How old is it, and what shape is it in?
Once a system is up and running stably, there’s a big temptation to NOT TOUCH ANYTHING! After all, if it ain’t broke, why fix it, right? This can be especially true for businesses with a limited IT budget. But all hardware has a limited service life. Waiting until a device is on its last legs – or completely dead – can result in longer downtime and greater costs than scheduling system improvements.
What are its vulnerabilities?
I’m not talking about vulnerabilities to cyber threats quite yet. Many devices work optimally at certain temperatures, require airflow for temperature regulation, or are vulnerable to damage from water or condensation, vibration or sudden impact, and power loss (especially brownouts). For example, ILSA once had to shut off our servers for several days during a Texas heatwave. The servers were fine, but the HVAC system that kept them cool froze up. Not taking such conditions into account can greatly reduce the service life of a device.
What is being done to maintain it?
The “it’s-working-don’t-touch-it” mentality can also come into play here. But simple maintenance measures such as blowing the dust out of CPU cases can greatly extend devices’ lifespans.
Is it still supported?
Even if an older device still works, you may need to replace it if you can no longer get parts for it or if newer software doesn’t recognize it.
The Workplace Beyond Your Walls
Another important thing to keep in mind is that if employees are accessing your systems remotely, their personal devices should be subject to the same assessments and inspections as your company’s hardware. Include them on your hardware map, indicating that they are employee-owned.
Even if the employee follows best practices, other family members (especially children) who have access to the device can introduce cyber vulnerabilities. For an example of how such interference can catch you out, check out this video of a Texas lawyer who faced an embarrassing situation with video conferencing filters. No real harm resulted in this situation, but DIY software or configurations can introduce serious vulnerabilities.
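The checklist above, together with the rule that employee-owned devices go on the same map, turned into a simple inventory record that produces findings automatically. This is an added example, not code from the original article or from ILSA; the five-year service-life threshold, the field names and the sample devices are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption for this example: flag anything older than this for replacement planning.
SERVICE_LIFE_YEARS = 5


@dataclass
class Device:
    """One row of the hardware map (field names are this example's own choice)."""
    name: str
    connection: str                 # how it reaches the network: "wired LAN", "Wi-Fi", "VPN"
    location: str
    model: str = ""
    serial: str = ""
    purchase_year: Optional[int] = None
    vendor_supported: bool = True   # parts and driver/software support still available
    owner: str = "company"          # "company" or "employee" for remote workers' own devices
    iot: bool = False               # thermostats, vending machines, cameras, etc.
    environment: str = ""           # notes on temperature, airflow, water, power protection


def assess(devices: List[Device], current_year: int) -> List[Tuple[str, str]]:
    """Walk the checklist for every device and return (device name, finding) pairs."""
    findings = []
    for d in devices:
        if not d.model or not d.serial:
            findings.append((d.name, "record model and serial from the device itself, not the case label"))
        if d.purchase_year is None:
            findings.append((d.name, "age unknown; determine purchase date"))
        elif current_year - d.purchase_year > SERVICE_LIFE_YEARS:
            findings.append((d.name, f"older than {SERVICE_LIFE_YEARS} years; schedule replacement"))
        if not d.vendor_supported:
            findings.append((d.name, "no longer supported; plan replacement"))
        if d.iot:
            findings.append((d.name, "IoT device on the network; confirm it is inventoried and monitored"))
        if d.owner == "employee":
            findings.append((d.name, "employee-owned; apply the same assessment as company hardware"))
        if not d.environment:
            findings.append((d.name, "no note on temperature/airflow/power conditions"))
    return findings


# Constructed sample inventory (serial numbers are placeholders, not real devices).
SAMPLE_INVENTORY = [
    Device("file-server-01", "wired LAN", "server room", "Dell R740", "SN-CONSTRUCTED-1", 2017, True,
           environment="HVAC-cooled, on UPS"),
    Device("vending-machine", "Wi-Fi", "break room", iot=True, purchase_year=2021),
    Device("laptop-jsmith", "VPN", "home office", "ThinkPad T14", "SN-CONSTRUCTED-2", 2022, True,
           owner="employee", environment="n/a"),
    Device("print-server", "wired LAN", "closet", "HP LaserJet", "SN-CONSTRUCTED-3", 2015, False,
           environment="dusty, no UPS"),
]
```

Running `assess(SAMPLE_INVENTORY, 2024)` lists the ageing server, the undocumented vending machine, the employee laptop and the unsupported print server as items needing attention.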
Consider Getting Help
Bringing in outside specialists can be very helpful in the risk assessment process. They can offer additional expertise, as well as an unbiased set of “new eyes” to look over your current cybersecurity status. After all, it can be easy to be lulled into a false sense of security if there hasn’t been a cyber event in a while. For companies on a limited budget, there are firms that offer free assessments in hopes of securing a contract to address the findings. Many cybersecurity firms also post checklists and other helpful tools on their websites.