Proactive risk assessments should be a part of every organization’s overall security strategy. However, for many teams, they may seem too resource-intensive to prioritize. The lack of security staff is a primary cause. By one estimate, there will be 3.5 million open security jobs by 2021.
Understaffed security teams most often use risk assessments to respond to business-related triggers, such as an M&A process. Or, in other cases, compliance regulations drive security mandates. However, if done proactively, risk assessments can help avoid security incidents that can result in lost data, as well as financial and reputational damage.
Here are three tips to optimize the risk assessment process.
There’s no need to reinvent the wheel when it comes to risk assessments. There are many publicly available tools online that can serve as a starting point. For example, NIST provides risk frameworks and tools by industry. To illustrate, a government organization might use NISTIR 8062 to evaluate the privacy and risk management within federal systems. From there, NIST provides worksheets on Github to help teams conduct the process.
These worksheets cover areas such as:
Other frameworks, like OWASP’s Mobile Security Project, contain security checklists, testing guides, mobile app security requirements, top 10 threat lists, and more -- which may aid in the risk assessment process.
When starting from the basis of public data and frameworks, teams can more efficiently conduct their risk assessments.
According to ISACA, risk assessments should start with a comprehensive catalog of the organization’s valuable IT assets. These assets should include:
Mobile applications are one of these critical assets that shouldn’t be overlooked—but often are. According to Verizon’s 2020 Mobile Security Index, 43 percent of organizations admitted they sacrificed mobile security in the past year, and those that did were twice as likely to experience a breach.
Even though a vast amount of traffic, revenue, and sensitive data flows through mobile applications, organizations often prioritize the protection of their servers and networks over their mobile endpoints. Apps are particularly vulnerable because they exist outside the secure network after they’re published and downloaded. This is when they escape the developer’s control. After an app has been published, hackers can execute any number of attacks if proper security protocols are not implemented.
As careful as the organization may be about its own cybersecurity risks, third-party technology may throw some teams for a loop. According to The Ponemon Institute, third-party breaches account for over half of all data breaches in the U.S. These types of attacks can have serious consequences for both the vendor and the organization itself.
In the mobile application example used above, a developer may choose to use a third-party payment processing service within a company’s app. Not only should the application itself be evaluated for risk, but also all of its dependencies. Beyond third-party vendors alone, this includes software components such as libraries.
Once the risk assessment is complete, proactive security should not stop. Development teams should embrace a secure software development lifecycle, and continuously integrate security within each app iteration. Mobile app security tools like Guardsquare can help developers in this process by hardening applications, which protects them against reverse-engineering and tampering.