Assessing Cyber Risk in the Modern Threat Landscape

Company: Corsica Technologies
Webinar schedule: On-demand


    Top managers recognize cyber risk assessment and mitigation as an essential topic on their agendas. Many executives, however, are far removed from the day-to-day challenges of monitoring, detecting, and responding to evolving cyber risks, making it difficult to guide their organization towards cyber maturity.

    In this webinar you’ll learn:

    • How to conduct a cybersecurity risk assessment for your organization
    • How to use the results of the risk assessment to implement change
    • What you should look for in a provider to streamline your cybersecurity

    Transcript: Hello everyone, and welcome to today’s webinar, Assessing Cyber Risk in the Modern Threat Landscape. My name is Carly East, senior copywriter and content strategist for Corsica Technologies and your hostess for today’s webinar. Before we get started, there are a few housekeeping items I’d like to go over.

    All participants are automatically muted and all sound should be coming through your computer speakers. If you run into technical difficulties, like the slides aren’t progressing or the sound is cut off, we ask that you first refresh your browser. If the problem continues, please submit a comment via the chat box on the upper left-hand side of your screen, and we’ll do our best to troubleshoot.

    Speaking of the chat box, we will be hosting a Q&A session at the conclusion of this 30 or 40 minute webinar, so please feel free to submit your questions throughout the entirety of the webinar. We try to get to the questions in the order they come in. This webinar is presented by Corsica Technologies, nationally ranked as one of the top IT and cybersecurity providers, helping clients to leverage technology as a competitive business advantage. Corsica Technologies brings cohesion to your technology strategy, addressing all your IT and security needs from one integrated partner.

    Next I’d like to introduce to you our presenter today. If you joined us for our most recent webinars, you’ll recognize the voice of Ross Filipek, our chief information security officer. Ross focuses on helping clients to identify information security risks and implement administrative, procedural, and technical controls to mitigate threats.

    Ross brings over 20 years of experience in the computer network security industry, as both an engineer and a consultant, to the table, and we’re grateful he’s sharing his time and expertise with us today. All right, Ross, I think we’re ready to go ahead and get to it. Great. Thanks, Carly. All right, everybody.

    This is Ross Filipek, chief information security officer here at Corsica Technologies. Today we are going to be talking about approaches that organizations can take to addressing and mitigating cyber risk within their environments. And before I get into the meat of the presentation, I just want to point out there’s really no singular right way to approach doing a risk assessment.

    Different organizations will handle this process in very different ways. For example, in larger, enterprise-class organizations, you could literally take a college-level course, or maybe a couple of courses, to learn all the information you’d need to know in order to conduct really sophisticated risk assessments, like what tends to happen at that level.

    That’s not what I’m going to be talking about. What I’m going to be discussing as we go through this presentation is a risk assessment method that I really like for small and midsize businesses. I think it’s really approachable, and it’s the type of thing that you can get through without the need for a lot of high-end IT talent on staff.

    Also, I’ve only got 30 minutes for the presentation, so that means I can really just kind of hit the highlights here without getting too far into the weeds. So with that, I want to start out by talking about some key definitions. When I talk to people about risk assessments, I find a lot of times these terms get used interchangeably.

    So just for the purpose of this presentation, we want to make sure everybody’s on the same page with what I mean when I talk about risk, threat, and vulnerability. Risk is of course the potential for loss, damage, or destruction of one or more of the assets that we are needing to protect. So, you know, just the chance that something negative is going to happen to our server or our data or something like that.

    There are a lot of different ways that we can handle risk. We can mitigate risk, and kind of the classic example of that, at least with cybersecurity risk, is deploying antivirus software and firewalls and intrusion prevention. You know, a lot of technical controls can be implemented to mitigate cyber risk.

    We can also accept our cyber risk, which means we just live with it; we don’t do anything about it. Or we could avoid the risk, which generally involves discontinuing whatever activity is causing us to incur that risk to begin with. And lastly, we can transfer risk, and kind of the classic example of that is where we go out and purchase cyber liability insurance.

    In terms of threat, this is basically a process or an individual that magnifies the likelihood of something negative happening to one of our assets. For example, an attacker sending our employees, you know, messages or trying to hack into our environment. Threats don’t necessarily have to be human.

    You know, they can be weather related, natural disasters, fires, tornadoes, floods, earthquakes, but for the purpose of this presentation I’m only going to be focusing on cybersecurity, so I’m primarily talking about a human threat. And lastly, vulnerability. This is basically a weakness in our infrastructure, networks, or applications that a threat actor can try to exploit to cause some undesirable consequence.

    Okay. So why do we care about assessing risk? Why don’t we just go out and buy a bunch of security software and security appliances and deploy them throughout our network and call it a day? Well, you know, you could do that, but how do you really know that those things are adequately addressing the risk that your organization faces?

    And that’s really the point of this presentation: to walk us through a pretty approachable method that shows us how to make that determination. We know that as an organization, our resources are limited, right? We don’t have unlimited budget. I don’t know about you guys, but every day I get probably 30 marketing emails from vendors advertising the latest, greatest security software or appliances, or, you know, all kinds of stuff that promises to be the magic bullet that everybody needs for their cybersecurity problems.

    Well, nobody has got sufficient budget to just buy all those things. So that means we have to be judicious and we have to be efficient about the security safeguards that we select to implement throughout our environment.

    Secondly, doing your risk assessment gives us a common language that we can use for our IT department and our security team and our legal department, our organizational leadership and regulators, all these stakeholders. This is a great way to provide a common language that they can use to communicate and make sure that their ideas and concerns are understood and addressed throughout the risk management process.

    Third, doing a risk assessment helps us evaluate our risks and our existing safeguards using the concepts of due care and reasonable safeguards. If we have any folks with legal backgrounds on the call, or a regulatory background, these terms should be very familiar to you.

    A lot of times we find that laws and regulations really don’t prescribe that organizations use specific types of technical controls. And the reason for that is the market for these security safeguards really changes very rapidly. There are always new technologies being invented and brought to market, and we don’t have to rewrite the laws and regulations every time there’s a new product in the security marketplace.

    So, in general, when you have, you know, HIPAA/HITECH for instance, it requires that a covered entity exercise due care in protecting health information, PHI. So they’re not going to necessarily tell you exactly how to go about doing that. You just know you have to do it. So by doing a risk assessment, again, this is a great way to demonstrate, as an organization, that we were thinking about and really striving towards exercising due care for the information and the assets that we need to protect.

    And lastly, if we’ve got any IT folks on the call, this is going to be an important one for you. Doing a risk assessment is a great way to help cost justify expenditures for cybersecurity safeguards. I talk with a lot of IT personnel who really understand the value of bringing in things like managed endpoint detection and response, for instance, but they have a hard time articulating that value to senior management within the organization, who ultimately has to be on board because they’re the ones writing the check to purchase that safeguard.

    So what I’ve found is that by running this risk assessment process, this is really supplying objective evidence that an IT department, or really anybody in the organization, can use to help justify expenditures on improvements to their security. All right. In terms of risk assessment frameworks, I’ve got four of them on the screen here.

    Now, these are four that are pretty popular ones that I’ve seen organizations use. There are a lot more than four of them out there, but we’ve got an ISO framework, NIST, FAIR, and actually the one that I’m going to be focusing on throughout this presentation is the CIS Risk Assessment Method.

    CIS stands for Center for Internet Security, and this risk assessment method that they’ve got, I think it’s really great, like I say, for small and midsize businesses: very approachable, very usable without needing a lot of in-depth IT skill. So that’s why I chose that for this presentation.

    So in the coming slides, we’re going to be running through what using this CIS RAM looks like. So what is the CIS Risk Assessment Method? This is actually something that is free for anybody to retrieve, and I put a hyperlink on the screen here where you can go to get the CIS RAM, but basically you have to register for it with your name, your email address and so forth, and this comes to you as an Excel workbook that’s got a bunch of tabs across the bottom. And the idea is that this is a tool that we are going to progress through and provide some information about our organization, and then the output of this tool is going to be a prioritized list, according to the CIS critical controls, which I’ll talk a little bit more about here, giving us a prioritized list of areas that we need to focus on to address our highest cybersecurity risks, and then kind of work our way down from there.

    All right. So when we use this CIS risk assessment method, it really involves four high-level steps, and in the coming slides we’ll drill down into more detail on each of these, but basically we’re going to start by developing what we call our impact criteria.

    So impact criteria, these are going to be high-level, kind of conceptual factors within our organization. Things like our mission and our operational objectives and the obligations that we have to provide service as an organization. And this is going to allow us to define what these things mean to our organization.

    And then later on, when we use the CIS RAM tool, we are going to be providing information that tells the tool how well we think we’re protecting each of these factors, and that’s going to help it highlight additional safeguards and controls that we might need. Also, as part of the first step, we’re going to be doing things like defining impact scores, likelihood scores, and risk acceptance criteria. I’ll go into more detail on that on the next slide.

    The second step, we are going to be estimating our inherent risk criteria. Step three is evaluating risks, and step four is recommending additional safeguards to mitigate our gaps. So let’s jump into the next slide for a little bit more detail on this first step here, developing impact criteria.

    All right. So in the first step in this CIS process, I think it’s helpful to really think about risk as the product of impact and likelihood. Even though this is a mathematical formula, this is still a very qualitative type of calculation. Impact considers some very high-level factors, again, that our organization should be able to define here: what’s our organizational mission, what are our objectives, operational objectives and financial objectives, and what are the obligations that we have to deliver service.

    We are also going to be working with impact scores. These are basically levels of magnitude, so you can think of it as a numerical scale of potential levels of impact that the organization may feel if we have a cyber risk on the network. Same concept for likelihood scores: it’s a scale, but it’s where we are going to build an understanding of how likely a given cyber threat is to happen in our environment.

    So let’s go to the next slide. We’ll see how we’ll use all this information and how we can enter it into the CIS RAM. So, as I mentioned, the tool itself is an Excel workbook, and basically we are going to progress through a series of tabs across the bottom and supply information into the tool.

    It’s going to use what we tell it to give us what is called a risk register. That’s kind of the output that we’re getting from the tool, and the risk register is going to be, again, a prioritized list of the areas where we are having to contend with the most risk, and kind of work our way back from there.

    So step one, this first screen. The first thing we need to do is go across the table, it’s going to be on the second row here, and we need to tell it what is our organizational mission. We need to list any operational objectives that we have, and it’s important to note that there’s really no limit to the number of objectives we can enter here.

    Same thing with our obligations. What I’ve got on the screen here is a very basic one that I put together for you for a fictitious healthcare provider. So in their case, you know, their mission is to improve patient health, and that’s probably a fairly common mission for a lot of healthcare providers. Operational objectives, to be profitable, or what helps us to be profitable, and financial objectives, I’ll talk a little bit more about those here coming up in a minute. And our obligations are to patients.

    Okay. So we’ve primed that information that is specific to our organization into this CIS RAM tool. Now, if we look at the leftmost column, we’ve got what we call impact score. And if you guys remember from the previous slide, I talked about how this is basically a scale that we’ve got, with levels of severity assigned to it.

    And the CIS RAM tool, right out of the box, comes with these three, and I believe they can be customized if you want to be more granular. So if you want to have, you know, five levels or seven levels, I believe that the tool accommodates that. But just for the purpose of clarity, I’m keeping three in here.

    So what this is telling us is that we are going to define different tiers of potential impact to our mission and operational objectives and obligations, so on and so forth, in terms of whether an event is acceptable to us, unacceptable to us, or catastrophic to us. And then in the rest of the table, you can kind of follow how this aligns here.

    So if we look at the mission column, okay, we’ve defined what our mission is, to improve patient health, and now we’re going to input: if we had a cyber incident that we determined to be acceptable, what impact would that have on our mission? So in this case, if it’s acceptable, we’d still achieve our mission.

    Great. If we were to have a cyber event that we categorize as unacceptable, what impact would that have on our mission? Well, in a case like that, we might have to go out and purchase some additional safeguards or change policies and procedures, or we might have to do a little bit of scrambling, but at the end of the day, we would still achieve our mission.

    If we had a cyber event that we would classify as catastrophic, we would not be able to achieve our mission. Kind of the classical example there: you hear about a lot of organizations who suffer ransomware attacks and they’ve got no backups and they lose all the data. A lot of those just go out of business, right? They can’t survive that type of event. So that’d be a catastrophic occurrence there.

    And then we’re going to do the same thing with our operational objectives, and do the same thing with our financial objectives. In this particular example, I just picked out some hypothetical dollar ranges. So what we’re showing here for financial objectives is that for this organization, if a cyber event were to occur that they would classify as acceptable, total damage to the organization would be less than $20,000. A cyber event between $20,000 and $1 million would be classified as unacceptable, and a cyber event that costs more than a million dollars would be catastrophic.

    And again, that really has to be customized for your organization. There’s really no singular true scale to use. And in fact, you don’t necessarily even have to bring financial figures into this. I’ve just got it in there as an example, but it’s an option in the CIS tool; it’s not actually required.

    Okay. So basically what we’ve completed in step one is priming this tool with the background information that it needs to know in order to progress through its calculations and give us that risk register at the end that’s going to highlight the areas where we are most at risk.

    So now we’re on to step two, where we are estimating what we call inherent risk criteria. So when I say inherent risk, what I’m talking about is: what is the maximum potential negative impact that we would experience if we were not protected against that threat? So you’re kind of viewing this through the lens of backing out any of the existing safeguards that you have. What’s the maximum damage that you could incur without any of your existing protections in place?

    So an example of that: if you’re a bank and you’ve got a database that stores login credentials for a thousand of your customers, for example, your inherent risk would be the sum of all the dollars in those customers’ accounts. Right? Because if an attacker gets in and cleans out those accounts, well, how much money have you lost without existing protections? Well, the sum of what all those accounts were worth.

    Within the CIS RAM tool, it gives us the ability to use what it calls inherent risk scores, and you can kind of see here, this is just a quantitative scale, 1, 2, 3, up to 5.

    And we’re going to see how we use these numbers here in the tool. So if we go to the next slide. All right, so here we’ve got another table, and again, this is the second step of this CIS RAM process. If we look at the columns here over on the left, we’ve got a column for what we call asset class. We’ve got devices, applications, data.

    These are all the different categories of assets that we’ve got within our environment. So devices, you know, these are our servers, workstations, laptops, computing devices that our users, our employees, use to get their day-to-day tasks done. Applications, of course, are the software applications that they’re using to do their work.

    Data, whether, you know, confidential data or just general use data, it’s information that our employees are generating and storing and processing and tracking as they do their work every day. Then network, you know, this is kind of the plumbing that makes our technology environments work, so for most organizations, firewalls, routers and switches and wireless access points, all the pieces and parts that make all that stuff work together.

    And then finally, we’ve got users. These are our employees, not a technical asset, but they’re still very much an asset. So what we’ve got here, if you remember from the last slide, we’ve got this scale of potential impact scores, and right out of the box the tool has 1, 2, 3, which correspond to low, medium, and high.

    So what we’re doing here in this table is going through and trying to make a determination about the importance of each of these asset classes to these different criteria across the top. So if we look at the mission impact column, we are saying that, okay, if we had a cybersecurity incident that affects our devices, so again, our servers, our workstations, or laptops, do we think that’s going to have a low impact on our ability to fulfill our mission? Do we think it’s gonna have a medium impact, or do we think it’s going to have a high impact?

    In this hypothetical example, the healthcare provider said that, due to the fact that they take server backups, a server can be restored, and workstations and laptops can be reimaged in not too much time, if it ever came to that. And then, you know, basically just going down the rows here for mission impact and making a determination about the relative importance of each of these asset classes to that mission. Then they’re going to do the same thing for their operational objectives and financial objectives and their obligations.

    So really what we’re doing here is we’re telling the CIS RAM tool how important each of these asset classes is to our mission and our objectives and our obligations. So again, you know, priming it with some information that is specific to our operating environment.

    Now we’re on to step number three, where we are actually evaluating the risks that we are likely to face.

    Okay. Now in this step, where we are evaluating risks, this is where we now start thinking about all the existing safeguards that we have in the environment. So very few organizations are starting from scratch, right? You know, most organizations already have a firewall, they’ve already got antivirus.

    You know, they’ve already got any number of security safeguards deployed throughout the environment. So here is where we are telling the CIS RAM tool the degree to which our existing safeguards help to offset the risks that it’s going to be calculating. And pretty simply, these are safeguard maturity scores that we’re going to be working with here in this step.

    Now, this is just a numerical scale, you know, one through five. So level one, that’s the lowest level. That means that a given safeguard, we just don’t have it, right. It’s just not implemented. We can’t extract any value from that type of safeguard. All the way up to level five, which means we’ve got it deployed, we’re monitoring it, we’re managing it, we’ve made sure it’s doing what it’s supposed to, so we’re well protected there. And then we’ve got all the levels in between.

    All right. So this one we see on the screen is a representation of the final output of the CIS RAM tool, and this is greatly condensed. When you run through the CIS RAM, your risk register is actually going to be fairly large, and just for clarity and to fit it on the screen, here is just a snippet of what that might look like.

    This is organized according to CIS safeguard. So some of you may be familiar with the CIS critical controls. This is essentially a long list with all the different technical, and also administrative and procedural, controls that an organization would do well to implement. These are all things that are recommended by experts to help an organization improve its security posture.

    So this risk register table that we’re getting out of the CIS RAM is going to be organized according to CIS safeguard, and based on all the information that we have entered into the tool so far, you know, telling it the importance of our different asset classes to our mission objectives and so on and so forth, that combined with our safeguard maturity score, which you remember from the last slide is how well our existing safeguards help to implement that CIS safeguard. The end result, if you look all the way over to the right, is this column called the risk level. And very simply, we’ve got a green dot, a yellow dot, or a red dot in there. So pretty self-explanatory: red dots are where the tool has determined that our organization is weakest and really needs to focus its protections.

    So depending on the information that you put into the tool throughout the process, you may have a whole bunch of red dots, you may just have one, you may have none, but this is really what we’re looking to get out of this risk assessment process. It’s really the opportunity to identify, through some structured process, what we should be focusing on to address risk in our organization.

    So in this hypothetical example, we’ve got a red dot there for addressing unapproved software. So what that means is, you know, maybe in our environment all our employees have local admin rights on our machines, right? So there’s nothing to stop somebody from going out and installing whatever software they want on their own systems, outside of the visibility of our IT department. So in that particular example, that would be why the tool calculated a high risk score, a high risk level, for that particular item.

    All right. So once we have generated that risk register for our organization through the CIS RAM tool, the next step is to figure out what you can implement for additional safeguards to address the risks that were highlighted.

    So this is where we identify, you know, pick out all those red dots, yellow dots, and so on from that risk register and make a decision about how we want to address those risks. I’ve got a hypothetical example here. Like, you know, we’ve got our own software development team, and they’re creating software that we use internally, or maybe we’re even selling that software as a product, or we’re hosting it as a service. But let’s say our software development team just isn’t well-trained and they’re turning out these vulnerable web apps. What can we do as an organization to address that risk? Well, pretty simply, provide training for them.

    We can also implement technical controls, like a web application firewall, to keep the hackers out and prevent them from exploiting these web apps. There are generally numerous ways that you can approach addressing any of these highlighted risks. They don’t necessarily have to be technical things. They can be administrative or procedural as well.

    And I know earlier in the presentation I said, you know, it’s really important to go through this risk assessment process. Don’t skip over that and just start the process by going out and purchasing, you know, security software controls to deploy.

    With that said, of course, Corsica Technologies, through our managed packages and our services, we’ve really got some great combinations of technical controls that address really many of the commonly flagged risks in that CIS list of critical controls. So chances are pretty good, if you go through that risk assessment process and you’ve got a lot of red dots on there, it’s very likely that those are things Corsica could help with.

    Um, also it’s important. And I mentioned it at the beginning of the presentation to understand that there’s really no magic bullet. I really wish there was just a singular piece of software that we can deploy in an environment and have it take care of all our cybersecurity problems. Um, unfortunately that just doesn’t exist.

    Uh, we have to have defense in depth. We have to have monitoring systems that give us the level of visible. Into the environment and across all the network, across the servers, workstations, laptops, all that we can’t control what we can’t see. So really the upshot of that is that, uh, you really have to have.

    E M E sensitively designed cybersecurity and strategy can be using the right tools and techniques and making sure those things are being monitored, but to best protect your environments. Uh, something else I want to do, uh, mentioned on here is that sometimes implementing a new security safeguard could actually increase your organization’s risk in a.

    Area. And I’ve got some examples of, uh, why that’s the case. So, you know, let’s say, um, as an organization, we go out and we buy a new, um, uh, you know, piece of antivirus software for instance. And, uh, we implemented. And it’s so restrictive, it’s quarantining, so many files stopping so many processes that it slows our productivity.

    Well, you know what happens in that situation? You know, people by nature are going to look for ways to get around. That control. So they’re going to start funding ways to bypass it, which, you know, at the end of the day, um, now that safeguard isn’t providing the value to us, that we think it is, uh, another example, uh, stringent access controls for information that’s needed in critical situations.

    So kind of going back to our healthcare provider example, um, yeah, you know, we have to protect the pH. But if we make users, uh, uh, have to pass multifactor authentication, biometric authentication, you know, all these different steps in order to get to it, know if we’ve got a patient who comes in and they’re in a critical situation.

    Uh, if we are slowing down the doctors and nurses from being able to access that patient’s critical information, you know, what’s the upshot of that. We’re putting that patient’s life at risk, right? So we have to find a balance here, uh, with, uh, know, anytime we consider implementing a new safeguard. Did a careful job with considering potential negative, uh, implications for that?

    Well, I want to get through the rest of the examples, but I just wanted to point out that, for certain types of safeguards, some careful consideration is merited before they’re rolled out.

    All right. In terms of the summary and next steps for this presentation: what I hope you’re able to take away from this is that the risk assessment process is really step one. You should be running this process before you make a decision about what types of safeguards you want to purchase or implement across the environment.

    The risk assessments really help us combine the interests of all the stakeholders. So, again, IT personnel, management, regulators: give them all a common language that they can communicate with. Risk assessments help us ensure and demonstrate that we are performing our duties for any sensitive data and assets that we are entrusted with protecting.

    To learn more about Corsica Technologies’ consulting and managed security services, please reach out to us. We do help a lot of clients, through virtual or consulting services, perform risk assessments and uncover the areas where they need the most help, and coordinate the mitigation of those risks.

    And we’re on to questions. All right, everyone, a quick thanks to Ross for such an informative presentation. As a reminder, please feel free to submit any questions for us via the chat box and we’ll do our best to get to each of them. If we’re unable to answer your question live today, we will make sure that a specialist follows up with you in the coming days.

    We already have a couple of questions in the queue, so we’ll go ahead and get started with those. Ross, first question: our company hasn’t had any issues with cyber attacks. Why should I worry about them? Sure. So I really split those types of companies into two different buckets. On the one hand, maybe you’ve been experiencing a lot of cyber attacks that you just don’t know about. Right?

    Just by virtue of being connected to the internet and your employees having email accounts and interacting with public websites, chances are actually very good that you’re under attack pretty regularly. But if you don’t have processes and capabilities in place to actually monitor for those things, maybe you’re being attacked and you just don’t know about it.

    On the other hand, you’ve got organizations who have actually done a really good job of devising their cybersecurity strategies and really exhibiting due care and making sure that their cyber risks are addressed. They’ve got the monitoring, they’ve got the controls, and they’re well protected there.

    So, in either case, I think you just go home every night and turn on the news, or look at pretty much anything online, and there’s always breaking news about some big ransomware attack or data extortion. The stakes are just too high nowadays to say, well, we haven’t been attacked in the past, so we’re probably going to be good going forward.

    It just doesn’t work like that. Everybody is fair game as a target. A lot of times the attacks are attacks of opportunity rather than targeted attacks. Attackers will happen to notice that, hey, your web server isn’t very well protected, and they’re going to compromise that and lock up your environment with ransomware.

    And now you’re in a position where you’ve got to contend with that. So really the takeaway is: just because you haven’t had a cybersecurity problem in the past doesn’t mean you won’t. Yeah, great point, Ross. Okay, next question. We’ve got an antivirus software package on all office laptops and desktops.

    Will that be enough to keep our network safe? It might. It probably won’t, but you’re not going to know the answer to that until you actually run through a risk assessment process like what we just talked about in this presentation. If you’re an organization that really doesn’t have any assets and you’re not dealing with any sensitive data, then maybe that’s all you need for your particular use case.

    But you’re not going to know the true answer to that question unless you really take a structured look at the different types of cyber risks that your organization faces.

    Okay, thanks, Ross. This question goes back to a little bit earlier in the presentation, when you mentioned Corsica Technologies’ MSSP service packages. This person is wondering if the service packages are customizable to suit their organization’s specific needs. Sure, sure. We do offer a lot of customized services and consulting around those services as well.

    What we try to do with our service design is really pick out ways to address the risks that pretty much all companies are facing nowadays, just by virtue of, like I said, being connected to the internet and having email and so on and so forth. But we definitely work closely with our clients to make sure that the controls and safeguards that we implement and configure for them are working in a way that benefits their environment to the greatest extent possible.

    Okay, thank you, Ross. I think we have time for a couple more questions. The next one: would completing a risk assessment through one of the frameworks that you listed count as due diligence for regulatory requirements, should my organization be audited?

    So just completing the risk assessment doesn’t really count as due diligence. It’s an important part of due diligence, but you’re going to have to show, obviously, that you did the risk assessment, and you’re also going to have to show that you’re actually taking action to mitigate or address the risks that were highlighted through your risk assessment.

    It’s not going to be enough to just say, okay, here’s all the areas that were risky and, by the way, we haven’t done anything to address any of them. You have to show that you’re working towards improving your security posture. Okay, great. And then I’ve got time for one final question.

    If the risk assessment for your organization exists, what’s the value of using a partner or an MSSP, like you mentioned earlier, to implement safeguards? Yeah. So those are really doing two different things, right? The risk assessment is showing you specifically, for your organization, where it is in terms of being protected against cyber threats. What managed security services providers like Corsica Technologies provide are packaged and turnkey solutions that you as an organization can quickly implement to address the risks that were identified through the risk assessment.

    So one really follows the other here, in my opinion: being able to get through a structured process to arrive at a prioritized list of risks that you need to address, and then turning to a trusted provider who can help you address those.

    Okay, great, Ross. Thank you. I think that’s about all the time that we have for today. For our attendees, if you didn’t hear your question answered, we will have a specialist follow up with you via email after the webinar. Additionally, a recording of this webinar will be available to each of you, and we’ll be sending that via email by tomorrow or the next day.

    One more round of thanks to our presenter for a great presentation and to our wonderful participants for joining us today. Hope everyone has a great and safe rest of your day.