FREQUENTLY ASKED QUESTIONS
Taking the intimidation out of cybersecurity
The topic of cybersecurity often brings up more questions than answers. Our goal is to turn tech speak into information that’s valuable to you and your business.
Unfortunately, recent threats have achieved a new degree of speed, coordination and sophistication. The University of Maryland found that malicious hackers now target computers and networks at a rate of one attack every 39 seconds. Meanwhile, average data breach costs jumped 9 percent to $4.24 million, the highest mark in the 17 years IBM has been publishing its Cost of a Data Breach Report. The U.S. government has emphasized ransomware prevention, putting such investigations at a priority level similar to terrorism.
Five to eight years ago, the answer may have been no. But today, everybody is a target. Malicious activity reaps high profits with low risk, so bad actors cast a very large net. They don’t care whether victims are large or small; all bring some sort of payoff. We’ve done incident response work for companies of six people.
To be sure, there is no point at which you can consider your organization completely done with cybersecurity. Any business faces some level of risk; the best you can do is to reduce vulnerabilities to an acceptable level. That means understanding changing threats and making sure you’ve adapted your best practices. Correspondingly, a good incident response plan and partner can prepare you to mitigate any damage from a breach.
Often, new clients approach us in search of a penetration test or Red Team engagement to find the holes in their cybersecurity measures. Those terms are buzzwords these days. But we always start by asking whether they have ever had a cybersecurity assessment. Often, the answer is no, in which case a penetration test would be a waste of their time and money: it would confirm weaknesses that an assessment already could have identified, at far greater cost.
Typically, the best place to start is with a security risk assessment, which essentially checks whether your cybersecurity windows and doors are locked and whether your security team knows how to keep them locked. That provides the greatest initial value; once a baseline program is in place, a penetration test becomes useful because it tests the controls you have actually put in place.
In a typical engagement, you will be assigned a project manager and start with a kickoff call that helps us understand your goals, the people involved, locations and timelines. We want to understand what’s important to you in your specific situation, rather than making assumptions.
After that, we lay out a path forward. That includes what you can expect next, when we will next meet, when to expect status updates, and goals for our meetings. We want to understand how best to communicate with you.
As much as we’d like to, that answer typically is no. First, we must do prep work, which includes setting up secure portals, making the proper contacts in your organization, and other kickoff efforts. Second, due to high demand, we typically are booked out several weeks in advance, though we may be able to do some of that prep work sooner.
If you’re facing a breach or some other emergency and need immediate help, we will give you an immediate response about whether we can help or whether we don’t have the capacity right now.
No. While we often recommend an endpoint monitoring tool, we aren’t interested in individuals but in an overall picture. Usually, such a tool runs for 30 days, collecting and analyzing file opens and transfers, network connections and similar activity. That unobtrusive analysis of the computers allows us to pinpoint signs of malicious activity so that we can handle them strategically.
We pride ourselves on our ability to communicate in a relatable fashion as much as possible, trading technical jargon for plain language. We even have been engaged to explain cybersecurity concerns in court — not an easy feat. When we provide assessments or reports, we typically include screenshots and step-by-step explanations so you can follow along with our conclusions. At the beginning of our engagements, we take time to learn about your concerns and your business priorities, allowing us to both communicate and offer recommendations effectively.
Absolutely. In addition to our deep knowledge of cybersecurity, we understand the specific regulations and requirements of various industry verticals, as well as how all those considerations fit together. Our proficiencies span sectors such as financial services, media & entertainment, industries that serve the public sector, health care, technology, law, and general industry.
Part of the advisory role we play is helping each client figure out its threats and risks, as well as the solutions that best align with business priorities. That includes helping clients assess the right budgets for their specific situations. When we analyze a company’s security, we provide a report about our findings, including the steps that could make the greatest impact. Sometimes, a company already owns security tools that it isn’t using effectively; other times, just a few added measures will close many of the security gaps. Our analysis examines all those options.
This is a common misunderstanding. Unfortunately, because of the increases in both the volume and cost of cybersecurity breaches, the number of insurers has fallen. As a result, the cost of insurance has increased — and so has the level of diligence that insurance brokers employ before they offer coverage. Insurers want to know that a potential client has an established cybersecurity program and is actively training employees about phishing and other threats.