Have you ever lost something and then later realized it was right there in front of you the whole time?  Have you ever proofread a sentence that you wrote only to find out later that there was a word missing?

While both of these situations are highly annoying, neither is tremendously serious.  You might get a bit embarrassed, but then you shrug it off.

It’s human nature to sometimes miss things.  We all do it.  But when it comes to your cybersecurity, an oversight could cost you your reputation, time, money, and business, regardless of how well-meaning or talented your team is.

So, when was the last time your team presented you with an assessment?  As someone who takes security seriously, I’m sure you’re well aware of how vital assessments are for any organization.

But the thing is, assessments will only take you so far if they’ve been created in-house.  There are a lot of moving pieces, and your IT team is dealing with day-to-day issues that come at them pretty fast.  Maybe on Monday your team did an update on your system with plans to fix any holes immediately, but something came up.  Maybe a new printer was installed, and it was such a small thing that no one bothered to double-check what got shut off or altered.

Even the smallest changes can open the door for hackers.  That’s why having a routine assessment of your network done is important and will give you peace of mind that the security tools you are investing in are working.

Your IT team (or managed service provider) may present you with an assessment they created in-house.  This is a terrific first step, but when they analyze the report, they face challenges.  Scientific research clearly shows that this analysis can contain blind spots, the same blind spots that cause us to overlook objects that may be right in front of us.

No matter how good the analysis may be, your team is now going to have to proofread their own work.  And that’s a problem.

Why?

Blind spots.  They may accept a lot of risks within your environment simply because they already acknowledge that those risks are there. They are so close to the problems with your network that they might not see a bigger implication for accepting those risks.

Think this couldn’t happen to you?  That’s exactly what every victim of cyber-attacks thinks:

Recently, our incident response team had to help a business recover from a network-wide ransomware attack. All 50 computers and servers were locked up in the attack. When the forensics team came in to find out the root cause of the ransomware event, they found that there was a port on the network that was left open to the outside world. This means that someone was able to get in without any security alerts going off. The company had invested in security tools and those tools were working.

This is a real-life, RECENT situation where the IT team had recently evaluated the network and an automated report had pointed out an issue with the port being open. But the IT team didn’t really think much of it.

Why?

They were in the middle of completing a project and here’s what happened:

  • They were 4 weeks into a 6-week project to migrate a couple of servers.
  • One of the technicians had opened the port to get the work done.
  • When an automated scan of the client environment was completed and showed the port open, they merely accepted the finding without taking any action.
  • The 6-week project ended up lasting longer and when it was eventually completed, that port remained open.
  • The technician already had proof of running an automated scan, which had been used as validation that there was no serious threat left from the project.
  • But because he overlooked that one open port, that client ended up getting hit with a business-stopping ransomware event.

But, hey, there’s cyber insurance, right?

Even if their cyber insurance kicks in to compensate recovery costs, think about all of the other costs not covered.

  • A team of nearly 50 people was unable to work for nearly a month.
  • What about payroll?
  • Client trust?

We’re talking about lots of additional pain that isn’t covered by insurance.

Remember, this business DID have an IT team who had been running automated reports.

The problem?  They simply accepted findings.  They didn’t push to get those issues resolved.

If that team had presented you with a third-party evaluation of the environment, they would likely have had to explain why that port was open and figure out how to resolve the issue.

Do you think that IT team wanted to cause a ransomware event? Of course not.

They thought they were doing the right things, just like your team is trying to do the right thing.

But automated reports can easily create a false sense of security. Your team could just as easily do what this team did.  They could see an issue and accept the risk because they’re in the weeds and might have a biased view of the results. A third-party assessment will help identify blind spots and resolve lingering issues.