Commercial Integrator May 2021 - 15

THE SERVICE DESK

Cybersecurity in 2021

With COVID still lingering and folks opting to work from home to avoid potential exposure, we are just now coming to terms with the impact the year had on cybersecurity.

by Angel R. Rojas, Jr.

FOR MANY BUSINESSES, the rush to maintain productivity while meeting the challenges of a world amid a pandemic meant compromises in cybersecurity.

Cybersecurity always begins with assessing the risk. We cannot address any situation until we know the extent of the problem and the details that surround it. For some industries, there's a basic regulatory template that provides a framework for conducting a risk assessment.

General business can follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) or, if a more formal protocol is required, the NIST 800-171 framework, which provides a more thorough set of controls to assess against. For regulated industries such as medical and financial, the choice of framework may not be an option, but for others the NIST CSF will cover the basics and provide a great baseline. The key takeaway here is: every business should be assessing its risk regularly.

Businesses in the technology field should be looking at NIST 800-171, at minimum, and paying close attention to what controls their clients are required to apply so they can meet or exceed those standards.

When conducting this assessment on your business and client businesses, be sure to collect evidence supporting each claim. This is also a great time to update your documentation!

Evaluate and Decide

With a fresh risk assessment on hand, take each deficiency and rate it by impact, cost, and difficulty. This will result in an easy-to-sort list that will help you make some decisions about how to tackle the problem.

Impact refers to the odds of this risk coming to light, weighed against simply accepting it for now. Keep it simple by using a scale of high/medium/low to rate the impact. A high-impact risk means a high likelihood of being exploited and/or something that cannot be ignored. Some great examples of a high-impact risk would be missing patches or no anti-virus being used. A medium-impact risk will be something that you could argue is not needed right away but should be on the roadmap for the next four to six months, such as multi-factor authentication. Finally, a low-impact risk would be something that is very unlikely or may not immediately impact your environment. An example of a low-impact risk is having documented system build processes and checklists. While necessary and an excellent control, it can be developed over the next twelve to eighteen months and does not need to be immediately addressed.

Cost is simply how much in time and money each risk will take to mitigate. You can use a simple scale similar to impact or can actually fill in dollars/hours depending on your sophistication. This is a planning tool, so you don't need to be specific, just close enough to make good decisions.

Difficulty is the final criterion I recommend you use to rate each risk. Again, a high/medium/low scale will be fine for our purposes here, and it refers to how difficult each of the mitigations will be to implement in your organization. For example, we could all agree that full biometric authentication to sign on to a computer is an optimal way to authenticate a user, but for a small office this could be difficult to implement. Another example would be matching passwords against a known exploited list; though this may seem simple in theory, it can be challenging to implement based on the systems used by the organization.

Once you have rated each risk using the criteria above, I recommend you create another list with all the items that are high impact, low cost, and low difficulty. Then, create a list for high-impact, medium-cost and medium-difficulty items. Those are likely going to be the first risks you will mitigate. There is important psychology behind this. You'll want some quick wins to give you fuel to tackle the tougher ones.
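
The rating and bucketing procedure described above, worked through as an added example (this code is not from the article or from DataCorps): each finding is rated high/medium/low on impact, cost and difficulty; the high-impact, low-cost, low-difficulty quick wins are listed first; then the high-impact items whose cost and difficulty are no worse than medium (the article's high/medium/medium list, extended here to the high/low/medium and high/medium/low combinations that sit between the two lists); everything else goes to a backlog ordered by impact, then by total effort. The sample findings and their ratings are constructed for illustration, and the `schedule` helper lays the combined queue out at the one-to-two-fixes-per-week cadence the Close the Gap section suggests.

```python
from dataclasses import dataclass

# Ordinal value of each high/medium/low rating used in the article.
LEVEL = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    """One deficiency from the risk assessment, rated on the three criteria."""
    name: str
    impact: str      # likelihood of exploitation / cannot-be-ignored factor
    cost: str        # time and money needed to mitigate
    difficulty: str  # how hard the mitigation is to implement in this organization

    def __post_init__(self):
        for rating in (self.impact, self.cost, self.difficulty):
            if rating not in LEVEL:
                raise ValueError(f"{self.name}: ratings must be high/medium/low, got {rating!r}")

    def effort(self) -> int:
        """Combined cost + difficulty, 2 (both low) to 6 (both high)."""
        return LEVEL[self.cost] + LEVEL[self.difficulty]


def sort_key(f: Finding):
    # Highest impact first; among equals, least total effort; then cheapest.
    return (-LEVEL[f.impact], f.effort(), LEVEL[f.cost])


def plan(findings):
    """Bucket findings into the article's two priority lists plus a backlog."""
    quick_wins, next_up, backlog = [], [], []
    for f in findings:
        if f.impact == "high" and f.cost == "low" and f.difficulty == "low":
            quick_wins.append(f)
        elif f.impact == "high" and LEVEL[f.cost] <= 2 and LEVEL[f.difficulty] <= 2:
            next_up.append(f)   # high impact, cost and difficulty at most medium
        else:
            backlog.append(f)
    return {
        "quick_wins": sorted(quick_wins, key=sort_key),
        "next": sorted(next_up, key=sort_key),
        "backlog": sorted(backlog, key=sort_key),
    }


def schedule(prioritized, per_week=2):
    """Lay the combined queue out week by week, a few fixes per week."""
    if per_week < 1:
        raise ValueError("per_week must be at least 1")
    queue = prioritized["quick_wins"] + prioritized["next"] + prioritized["backlog"]
    return [queue[i:i + per_week] for i in range(0, len(queue), per_week)]


# Constructed sample assessment; the ratings are assumptions for illustration,
# loosely following the examples the article gives for each impact level.
FINDINGS = [
    Finding("Missing OS patches on workstations", "high", "low", "low"),
    Finding("No anti-virus on file server", "high", "low", "low"),
    Finding("Multi-factor authentication for email", "medium", "medium", "medium"),
    Finding("Documented system build checklists", "low", "low", "medium"),
    Finding("Biometric sign-on for all workstations", "medium", "high", "high"),
    Finding("Screen passwords against a known-breached list", "high", "low", "medium"),
    Finding("Test restore of offsite backups", "high", "medium", "medium"),
]

if __name__ == "__main__":
    for week, items in enumerate(schedule(plan(FINDINGS)), start=1):
        print(f"Week {week}:")
        for f in items:
            print(f"  - {f.name} (impact={f.impact}, cost={f.cost}, difficulty={f.difficulty})")
```

The sort is stable, so two findings with identical ratings keep the order they were entered in; if you want dollars/hours instead of a three-point scale for cost, replace `LEVEL[f.cost]` in `effort` and `sort_key` with the numeric estimate and the bucketing logic still works.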

Close the Gap

Now that you have a few lists to work from, begin to close the gap. Remember that you'll have some easy, inexpensive, quick fixes that will keep you motivated. Commit to implementing one to two per week (more or less depending on your situation and the size of the list) and the process should stay on track.

Bear in mind, this is NOT a guide on full compliance or professional risk assessments. This is intended to get you started, bringing you into the shallow end, so you can get some exposure to the process if you have never done so.

Rinse and Repeat

Finally, this is an iterative process of continuous improvement. Do not let this be the end, but rather let it be the beginning, and make it a part of your culture so that, with each pass, your overall situation is improved.

Perhaps you are not where you need to be to perform a full-on risk assessment the next time you do it, but that's not the point: you will be miles ahead of the folks who read this article and decided they'll start on it next year.

Angel R. Rojas, Jr. is the president and CEO of DataCorps Technology Solutions, Inc. He has been a member of The ASCII Group since 2017.