There are few issues as serious for your business as cybersecurity. Just one sinister event can cost you more than just money—it can also cost your hard-earned reputation with customers, shareholders, and other members of the community. With cyberattacks on the rise and data breaches an increasing reality for businesses, the first step in any security policy is measuring the risk.
In this guide, we cover the following methods of measuring your company’s cybersecurity risk:
- Penetration testing
- Web app testing
- Digital forensics
- Employee training
- Incident response
You didn’t start this fight, but it’s up to you to finish it.
Related reading: What is a cybersecurity framework and should you have one?
Penetration testing
Penetration testing, sometimes called pen testing, is a simulated cyberattack on your own network. Pen testing is used to proactively search for weaknesses in your network’s defense. The following methods of penetration testing are all valuable and simulate different types of attacks:
- External testing – Targets the company assets and resources visible on the internet, such as the company website, email and domain name servers (DNS)
- Internal testing – Simulates a malicious attack by an insider, such as what might happen if an employee’s credentials were stolen in a phishing attack
- Blind testing – Tester is only given the name of the target, giving the company a real-time look into what an actual attack would be like
- Double-blind testing – Security personnel are not given prior notice of the simulated attack, ensuring that their response is exactly as it would be in a real-world breach
- Targeted testing – Tester and security personnel work closely together, apprising one another of their movements in real time
The question of when and how often you should test is not one to be taken lightly. It is important not to run a pen test while a system is undergoing major changes, as those changes and fluctuations make it more difficult to assess the system accurately. How often you run pen testing depends on factors such as budget, size, and infrastructure. However, keep in mind that pen testing is not a one-and-done type of program.
Related reading: 5 reasons why penetration testing is important for your organization
Web app testing
Before launching a website or any major changes to your website, it is imperative to test the site. Web application testing techniques check for browser compatibility, load testing, usability and more. Here are some of the basic testing methods used for web app testing:
- Functional testing – Tests all the links, forms and other functional features on all the web pages
- Usability testing – Designed to check how user-friendly the site is: Does the navigation make sense? Do the pages, sitemaps, animations, and help files all load quickly and work properly?
- Interface testing – Tests whether the web server, application server, and databases communicate properly and verifies handling of any user-generated error messages
- Compatibility testing – Checks for browser compatibility, operating system compatibility, and mobile browsing
- Performance testing – Sometimes called load testing or stress testing, determines how many users can access a page at the same time without “breaking” the page
- Security testing – Checks the security of web applications, such as proper access restrictions on secure pages
Once web application testing is completed, live testing should also be completed for websites and web-based applications.
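The security testing item above, "proper access restrictions on secure pages", is the one web app test that is easy to get wrong by checking only the happy path. The following is an added example, not code from the original article: a toy in-memory application with a hypothetical routing table (the paths, roles and the `Session` class are all constructed for illustration), and a test that exercises every page against every kind of visitor, including the two edge cases such tests often skip, an anonymous request and an expired session belonging to a privileged user. The expected policy is written down separately from the routing table, so a route that has drifted from policy (here a constructed misconfiguration on `/admin/export`) is reported rather than silently accepted.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical routing table for a toy site, constructed for this example:
# path -> set of roles allowed, or None for a public page.
ROUTES = {
    "/": None,
    "/login": None,
    "/account": {"user", "admin"},
    "/admin": {"admin"},
    "/admin/export": None,  # constructed misconfiguration: meant to be admin-only
}


@dataclass
class Session:
    user: Optional[str] = None
    role: Optional[str] = None
    expired: bool = False


def handle(path: str, session: Session) -> int:
    """The application's access check, returning an HTTP status code."""
    if path not in ROUTES:
        return 404
    allowed = ROUTES[path]
    if allowed is None:
        return 200
    if session.user is None or session.expired:
        return 401  # no valid session: must authenticate first
    if session.role not in allowed:
        return 403  # authenticated, but not authorized for this page
    return 200


# The policy the test expects, written down independently of ROUTES so that a
# route that drifted from policy (like /admin/export above) is caught.
EXPECTED_POLICY = {
    "/": "public",
    "/login": "public",
    "/account": {"user", "admin"},
    "/admin": {"admin"},
    "/admin/export": {"admin"},
}

# Test subjects, including the edge cases a security test must cover:
# no session at all, and an expired session of a privileged user.
SUBJECTS = {
    "anonymous": Session(),
    "expired-admin": Session(user="root", role="admin", expired=True),
    "user": Session(user="alice", role="user"),
    "admin": Session(user="root", role="admin"),
}


def expected_status(policy, session: Session) -> int:
    """What the policy says this subject should get for a page."""
    if policy == "public":
        return 200
    if session.user is None or session.expired:
        return 401
    return 200 if session.role in policy else 403


def run_access_checks():
    """Exercise every (page, subject) pair and return a list of mismatches."""
    failures = []
    for path, policy in EXPECTED_POLICY.items():
        for name, session in SUBJECTS.items():
            got, want = handle(path, session), expected_status(policy, session)
            if got != want:
                failures.append(f"{name} GET {path}: got {got}, expected {want}")
    return failures


if __name__ == "__main__":
    for line in run_access_checks() or ["all access checks passed"]:
        print(line)
```

Running it lists three failures, all on `/admin/export`: the anonymous and expired sessions are served the page instead of being asked to authenticate, and an ordinary user is served it instead of being refused. Against a real site the same matrix would be driven through HTTP requests, but the shape of the test, every page crossed with every visitor type and an expected policy kept apart from the code under test, is what makes it a security test rather than a functional one.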
Related reading: How to measure cybersecurity effectiveness—before it’s too late
SIEM
Security Information and Event Management, or SIEM, is software designed to both track IT activities and give you insight into them. The software collects and aggregates log data generated throughout the IT infrastructure. It then identifies incidents and events, categorizing and analyzing them before producing reports or alerts as appropriate. Do you need a SIEM? Many larger corporations rely on SIEM as the foundation of their security operations.
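The collect, correlate, categorize and alert pipeline described above is easier to picture with a concrete rule. What follows is an added example, not code from the original article or from any SIEM product: a few constructed sshd-style log lines (the hosts, users and addresses are made up) are parsed into events, and one correlation rule flags a successful login that was preceded by repeated failures from the same source for the same user within a time window, rating it high when the run of failures reaches a threshold and low otherwise. The threshold and window are assumptions chosen for the example, and lines the parser does not understand are counted rather than dropped, since a SIEM that silently loses log lines is worse than one that reports a parsing gap.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format; not from any real system.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z web01 sshd: Failed password for admin from 203.0.113.7 port 52110
2024-03-01T09:00:03Z web01 sshd: Failed password for admin from 203.0.113.7 port 52111
2024-03-01T09:00:05Z web01 sshd: Failed password for admin from 203.0.113.7 port 52112
2024-03-01T09:00:06Z web01 sshd: Failed password for admin from 203.0.113.7 port 52113
2024-03-01T09:00:08Z web01 sshd: Failed password for admin from 203.0.113.7 port 52114
2024-03-01T09:00:09Z web01 sshd: Accepted password for admin from 203.0.113.7 port 52115
2024-03-01T09:05:00Z db01 sshd: Failed password for alice from 198.51.100.9 port 40001
2024-03-01T09:07:00Z db01 sshd: Accepted password for alice from 198.51.100.9 port 40002
2024-03-01T09:09:00Z db01 cron: session opened for user backup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(raw):
    """Collection/aggregation step: turn raw lines into normalized events.
    Returns (events, unparsed_count); unparsed lines are counted, not lost."""
    events, unparsed = [], 0
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, unparsed


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Identification/categorization step: a successful login preceded by
    failures from the same source for the same user within the window is an
    alert; at or above the threshold it is rated high, otherwise low."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> timestamps of failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if not recent:
            continue
        high = len(recent) >= threshold
        alerts.append({
            "severity": "high" if high else "low",
            "category": "password-guessing-then-success" if high else "login-after-failures",
            "host": ev["host"], "user": ev["user"], "src": ev["src"],
            "prior_failures": len(recent), "at": ev["ts"].isoformat(),
        })
        failures[key].clear()  # the success consumes this run of failures
    return alerts


def report(raw):
    """Reporting step: the alerts plus a count per severity."""
    events, unparsed = parse(raw)
    alerts = correlate(events)
    summary = defaultdict(int)
    for a in alerts:
        summary[a["severity"]] += 1
    return {"events": len(events), "unparsed": unparsed,
            "alerts": alerts, "summary": dict(summary)}


if __name__ == "__main__":
    result = report(SAMPLE_LOGS)
    print(f"{result['events']} events parsed, {result['unparsed']} unparsed")
    for a in result["alerts"]:
        print(a["severity"], a["category"], a["user"], "from", a["src"],
              "after", a["prior_failures"], "failures")
```

On the constructed input this yields one high-severity alert (five failed attempts against `admin` followed by a success within seconds) and one low-severity alert (a single failure before `alice` logged in, which is ordinary user behaviour and is kept only as context), plus a count of one unparsed line. A real SIEM applies hundreds of such rules across many log sources, but each one reduces to the same three steps shown here.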
As SIEM continues to develop, there may be a future with machine learning and AI integration. (For more on artificial intelligence and cybersecurity, check out how AI is transforming cyberdefense.)
Related reading: What is SIEM software? How it works and how to choose the right tool
Digital forensics
Digital forensics is a branch of forensic science that focuses on investigating digital devices and attempting to recover associated data. Any device that stores data, such as a computer, smartphone, tablet, or hard drive, falls within the scope of digital forensics.
In an IT environment, digital forensics can help investigate a data breach that results in theft or compromised corporate or consumer records. It can uncover critical details and activity and even support the prosecution in court.
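"Attempting to recover associated data" usually means pulling files out of space the file system no longer accounts for. The following is an added example, not code from the original article: a small file carver, which is one of the standard forensic techniques for that job. It scans a raw byte image for PNG and JPEG files by their header bytes, walks the PNG chunk structure and checks each chunk's CRC so a truncated or partly overwritten file is reported as partial rather than passed off as recovered, and records a SHA-256 of every complete file so the artefact can be verified later. The "disk image" is constructed inline from zero filler, a generated 1x1 PNG, a minimal JPEG and a JPEG whose tail has been cut off; nothing here comes from a real device.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"   # start of image
JPEG_EOI = b"\xff\xd9"       # end of image


def _png_chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_tiny_png():
    """Constructed 1x1 RGB PNG used as sample evidence."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one red pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def _png_end(image, start):
    """Walk chunks from a PNG signature; return the end offset, or None if the
    file is truncated or a chunk CRC fails (for example, partly overwritten)."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(image):
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(image):
            return None
        data = image[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", image[pos + 8 + length:chunk_end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            return None
        pos = chunk_end
        if ctype == b"IEND":
            return pos
    return None


def _complete(ftype, offset, data):
    return {"type": ftype, "offset": offset, "status": "complete", "size": len(data),
            "data": data, "sha256": hashlib.sha256(data).hexdigest()}


def carve(image):
    """Scan a raw image for PNG and JPEG files. Each hit records type, offset
    and status ('complete' or 'partial'); complete hits also carry the bytes
    and a SHA-256 for later integrity checks."""
    hits = []
    pos = 0
    while (pos := image.find(PNG_SIG, pos)) != -1:
        end = _png_end(image, pos)
        if end is None:
            hits.append({"type": "png", "offset": pos, "status": "partial"})
            pos += len(PNG_SIG)
        else:
            hits.append(_complete("png", pos, image[pos:end]))
            pos = end
    # Bytes already attributed to a recovered PNG are not carved again.
    claimed = [(h["offset"], h["offset"] + h["size"]) for h in hits if h["status"] == "complete"]
    pos = 0
    while (pos := image.find(JPEG_SOI, pos)) != -1:
        if any(s <= pos < e for s, e in claimed):
            pos += 1
            continue
        end = image.find(JPEG_EOI, pos + len(JPEG_SOI))
        if end == -1:  # header with no footer: the tail is gone
            hits.append({"type": "jpeg", "offset": pos, "status": "partial"})
            pos += len(JPEG_SOI)
        else:
            end += len(JPEG_EOI)
            hits.append(_complete("jpeg", pos, image[pos:end]))
            pos = end
    return sorted(hits, key=lambda h: h["offset"])


# Constructed "unallocated space": zero filler, a PNG, a JPEG, and a JPEG whose
# tail was overwritten, so it has a header but no end-of-image marker.
FILLER = b"\x00" * 64
SAMPLE_PNG = make_tiny_png()
SAMPLE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(range(32)) + JPEG_EOI
TRUNCATED_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x01\x02\x03"
DISK_IMAGE = FILLER + SAMPLE_PNG + FILLER + SAMPLE_JPEG + FILLER + TRUNCATED_JPEG

if __name__ == "__main__":
    for h in carve(DISK_IMAGE):
        print(h["type"], "at", h["offset"], h["status"], h.get("sha256", "-"))
```

The constructed image yields three hits: a complete PNG, a complete JPEG, and a partial JPEG for which only the offset is recorded. The CRC check matters in practice: a PNG whose final bytes were overwritten by later writes still has a valid header, and a carver that trusts the header alone would hand the investigator a file that does not open.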
Related reading: All about being a digital forensic examiner
Employee training
You have worked hard to assemble a great team of employees, and it shows. But at the end of the day, they are still human, and people are ultimately the weakest link in cybersecurity. According to Verizon’s 2018 Data Breach Investigations Report, 90% of successful data breaches start with user errors.
All of this points to the importance of regular employee training and communication regarding cybersecurity, as well as occasional assessment. Faux phishing campaigns can be delivered to employees to monitor user responses, test the organization, and raise awareness. These simulations or drills can be especially effective when used in conjunction with employee cybersecurity training.
Related reading: Biggest cyber security breaches of 2018
Incident response
The final piece of the puzzle is incident response. This is the process your organization follows when things go wrong. When a breach, data loss, or threat occurs, an incident response is conducted. If you partner with a managed service provider (MSP) for your cybersecurity needs, they may be responsible for managing the incident response process. (Read more about things to consider when picking a cybersecurity partner.)
Related reading: 10 cybersecurity trends to watch for in 2019