Assessing Your Risk Tolerance

Companies need to know what their risks are, and what it’s going to cost to ensure the appropriate level of cybersecurity


The most frequent customer request is “help us understand what security challenges we face,” says Jesse Dunagan, Senior Professional Services Engineer at Neustar, Inc., a global information services provider with more than 19 years of network management and security experience, more than 2,500 enterprise and government customers for its security offerings, and responsibility for more than 10% of all global DNS (website) traffic. “Each customer is going to have their own unique reason for doing the assessment. Some customers are just going to check a box. Some customers are just trying to understand what their risk is.”

What they all have in common is the need to know what their risks are, and what it’s going to cost to ensure the appropriate level of cybersecurity, says Dunagan. “We give the appropriate information to the management that allows them to make risk-based decisions on how they’re going to spend their money and allocate their resources.” Some companies must ensure they are in compliance with government regulations, while others just want to know what their external threats are, he adds.

Effective cybersecurity is a moving target: it is constantly changing, and it varies from customer to customer. Malware and cyberattacks such as ransomware are growing exponentially. For example, more than 390,000 new malicious programs are registered every day, the average cost of a data breach is $4 million, and it typically takes between 175 and 227 days to identify a breach and 52 to 88 days to contain it.

“Approach and assessment are at the heart of proper protection, and organizations must embrace strategies that include cross-organizational understandings and establish accurate risk profiles,” says Dunagan. Cybersecurity risks can be broken down into four broad categories:

- external malicious, such as third-party attacks from criminals, hackers, and nation states;

- internal malicious, including sabotage or theft by employees and partners;

- external unintentional, such as natural disasters; and,

- internal unintentional, the biggest issue: problems caused by human error on the part of employees and partners.

“Protection is only as good as the assessment,” he says. “Without the right assessment, organizations will put in the wrong solution.” Customers are looking for choice, he adds, such as Neustar’s portfolio of products -- a combination of DNS, DDoS, and cybersecurity offerings -- and professional services. This breadth provides customization and flexibility options that ensure the appropriate levels of protection.

Depending upon the customer’s requirements, Neustar’s professional services security assessments can include:

- a vulnerability assessment that identifies potential security holes in your network and applications, including patch levels, router configuration issues, and other potential problems;

- penetration testing, a more in-depth test that determines how far your potential vulnerabilities can be taken;

- assessments for wireless networks, data systems, and social engineering (both physical and remote); and,

- full-service load testing, web performance analysis and optimization, scripting assistance, advanced alerting, and API development and integration.

Once your vulnerabilities have been assessed, Neustar’s engineers will propose processes that can keep your network secure, escalation paths for handling problems, methods of identifying and mitigating risks, security alerts, and other measures you can take to set up your infrastructure securely while meeting your risk requirements. “It really comes down to experience and subject matter expertise,” says Dunagan, “having the people who really understand and have been there.”

Copyright © 2017 IDG Communications, Inc.