The urgency of having a solid IT security structure is demonstrated by two simple facts. The first comes from the 2021 Clusit report, which shows both a 12% increase in attacks compared to the previous year and a rise in the costs associated with cyber incidents, which could reach between EUR 20 and 25 billion in 2024. The second concerns the impact on people's lives, in terms of job losses and even more serious consequences such as bankruptcy. Unfortunately, these situations are often dealt with in haste rather than with due care and precision, resulting in grossly inadequate IT security solutions that do not aim for long-term security. A good IT security solution, on the contrary, requires a well thought-out process that starts with a proper Security Assessment.
What is a Security Assessment?
The Security Assessment is simply the first step towards an effective cyber security system. Technically, it is an analysis of the current state of a company's security and represents the starting point for the evaluation and identification of potential risks, conducted on the basis of a precise methodology. The assessment performed by HWG consists of three phases:
"These are the Vulnerability Assessment & Penetration Test, the Email Threat Scanner (ETS) and the IT Security Risk Assessment," says Francesca Tommasi, IT Consultant. "Initially, vulnerabilities in the company are assessed by looking for entry points that could be used by an attacker. Technicians intercept a vulnerability and try to use it to get into the system, thus establishing its level of criticality." Penetration testing is an essential step, as vulnerabilities are very frequent. Engineer Tommasi gives the example of unpatched systems: "When a new version is released, a piece of software or an application may have bugs. The manufacturer then requires the supplier to fix it by allowing the download of patches; if they are not applied, the risk is to give the attacker the opportunity to exploit the breaches and damage the system. Unfortunately, this is not such a rare case, because of the additional effort that must be made to install them, as those are not operations that take place automatically."
The second phase of the Security Assessment involves the Email Threat Scanner (ETS), a specific solution for Microsoft Office 365 that scans email, the typical vector by which the greatest number of threats reach their destination. The year 2020 was negatively marked in this respect specifically because of the global pandemic. Working from home (and therefore through less protected networks) fostered a surge in phishing messages asking users to take action against the pandemic by clicking on fake fundraising links or downloading attachments that turned out to be the entry point for malware on the victim's machine.
IT Security Risk Assessment (ITSR)
The last phase of the assessment methodology used by HWG is based on the international security standards ISO/IEC 27001 and NIST SP 800-30, and results in a detailed Security Assessment Report on all the controls examined in the company. "We have an Excel file as a reference in which we list all the checks referring to the ISO and NIST standards," continues Tommasi, "and we identify the maturity level of the company in relation to the check indicated in the file. If the maturity level does not match but turns out to be lower than it should be, we need to identify the remedy that will allow us to reach that level. This leads us to draw up a plan, a detailed roadmap, to inform the company about the actions to be taken gradually, in order to remediate the damage, across the Operations, Governance and Technology areas."
Once the document is delivered, the decision is left to the company. If it chooses to rely on HWG, it embraces a three-year support programme divided into different activities (Support of a Virtual CISO, PoC/Tender Creation, System Hardening Quotation), each of which proceeds in stages (a Start-up phase, a Follow-up phase and a Phase-out phase).