In a recent live webinar, Common Gaps Found During IT Risk Assessments, Omega’s Security Operations Center (SOC) team, featuring cybersecurity veterans Maryne Robin, CISSP, and Kyle Phillips, CISSP, shared their perspective on the cyber risk assessment process, revealing the top 10 blind spots that often leave organizations vulnerable to cyberattacks. This article unpacks the essential learnings from the webinar and outlines 10 actionable steps you can take to strengthen your security posture and mitigate future threats.
10 Most Common Security Gaps Discovered During Cyber Risk Assessments
Gap #1: Lack of IT Security Governance
Problem: Missing or outdated IT security policies, unclear leadership (CISO), or no designated security leader.
- Action: Develop and implement clear IT security policies covering acceptable use, access control, and data protection. Appoint a Chief Information Security Officer (CISO) to spearhead security efforts. Regularly review and update policies to align with evolving threats and regulations. Establish a formal incident response (IR) plan with defined roles, responsibilities, and procedures.
Gap #2: No Tracking of Known Technology Risks
Problem: Failure to monitor and track existing technology threats.
- Action: Implement a risk register to identify, assess, and document potential security risks associated with your organization’s technologies. This should include issues your organization has faced in the past, emerging threats, and common risks in your industry. Use pre-built risk register templates and customize them to fit your specific environment.
Gap #3: Not Conducting Tabletop Exercises or Testing Incident Response Plans
Problem: Lack of preparedness for security breaches due to untested incident response plans.
- Action: Conduct regular tabletop exercises to stress-test your incident response (IR) plan. This will help identify weaknesses and areas for improvement before a real incident occurs. Refine response strategies to minimize damage and recovery costs following a security breach.
Gap #4: Not Conducting System Account Audits
Problem: Lack of insight into inactive, unauthorized, or privileged accounts that pose security risks.
- Action: Conduct regular audits of system accounts, focusing on user identities, groups, and permissions. Identify and remove inactive or unauthorized accounts. Review access privileges for active accounts to ensure they are appropriate for job roles. Implement controls to prevent unauthorized account creation, enforce strong password policies, and limit the use of shared accounts and administrative privileges.
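As an added example (not from the webinar or from Omega), the checks below implement the account review described for Gap #4 over a constructed account export: inactive accounts, accounts missing from the authorized roster, privileged group membership, and shared accounts holding admin rights. The roster, group names, the shared-account prefixes and the 90-day inactivity threshold are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample export (not real data), one row per account as a
# directory dump or IAM report might provide it.
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "last_logon": "2024-05-01", "groups": ["Users"]},
    {"user": "jdoe", "enabled": True, "last_logon": "2023-11-02", "groups": ["Users"]},
    {"user": "bjones", "enabled": True, "last_logon": None, "groups": ["Domain Admins"]},
    {"user": "shared-helpdesk", "enabled": True, "last_logon": "2024-05-20", "groups": ["Administrators"]},
    {"user": "ctemp", "enabled": True, "last_logon": "2024-05-18", "groups": ["Users"]},
    {"user": "old-contractor", "enabled": False, "last_logon": "2022-01-10", "groups": ["Users"]},
]
# Assumed authorized roster (e.g. an HR export) and assumed policy values.
AUTHORIZED = {"asmith", "jdoe", "bjones", "shared-helpdesk", "old-contractor"}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}
SHARED_PREFIXES = ("shared-", "svc-")
AS_OF = datetime(2024, 6, 1)  # review date for the constructed data


def audit_accounts(accounts, authorized, as_of=AS_OF, inactive_days=90):
    """Return a sorted list of (user, issue) findings for an account review."""
    cutoff = as_of - timedelta(days=inactive_days)
    findings = []
    for acct in accounts:
        user, groups = acct["user"], set(acct["groups"])
        priv = groups & PRIVILEGED_GROUPS
        if user not in authorized:
            findings.append((user, "unauthorized: not on HR roster"))
        if not acct["enabled"]:
            continue  # disabled accounts are excluded from the activity checks
        last = acct["last_logon"]
        if last is None:
            findings.append((user, "inactive: never logged on"))
        elif datetime.strptime(last, "%Y-%m-%d") < cutoff:
            findings.append((user, f"inactive: no logon in {inactive_days} days"))
        if priv:
            findings.append((user, "privileged: confirm role requires " + ", ".join(sorted(priv))))
        if priv and user.startswith(SHARED_PREFIXES):
            findings.append((user, "shared account holds admin rights"))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue in audit_accounts(ACCOUNTS, AUTHORIZED):
        print(f"{user:16} {issue}")
```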
Gap #5: No Established Operating System Baselines
Problem: Inconsistent system configurations create a larger attack surface and increase vulnerability.
- Action: Develop and implement operating system (OS) baselines that define secure configuration settings for all devices in your network. Use configuration management tools such as mobile device management (MDM) or golden images to enforce baseline configurations and keep them consistent across devices. Follow published security benchmarks from organizations such as Microsoft or the Center for Internet Security (CIS) when defining secure configurations.
Gap #6: Not Maintaining an Application Inventory
Problem: Lack of awareness of all applications used within the organization, creating blind spots for security vulnerabilities.
- Action: Maintain a comprehensive inventory of all applications used in the organization, including sanctioned and unsanctioned software. Regularly assess the security posture of every identified application. Include third-party application patching, which is essential and often overlooked.
Gap #7: Not Performing Third-Party Penetration Tests
Problem: Failure to complete a penetration test or a simulated attack that tests the effectiveness of your security safeguards.
- Action: Hire a third-party vendor to conduct routine penetration tests on your environment to identify security weaknesses. Ensure this vendor is different from the one used for vulnerability assessments or your managed service provider (MSP). Regular independent penetration testing simulates real-world attacks, uncovering vulnerabilities beyond standard assessments, and is crucial for regulatory compliance and cyber insurance requirements.
Gap #8: Lacking Formal Security Threat Detection Capabilities
Problem: Limited ability to identify and respond to security incidents due to a lack of advanced security tools.
Gap #9: Not Regularly Educating or Training Employees on Cybersecurity Awareness
Problem: Failure to provide or mandate routine education and training on cybersecurity threats and best practices.
Gap #10: Inconsistent (or Non-Existent) Third-Party Vendor Management Practices
Problem: Potential security risks introduced by third-party vendors due to a lack of oversight.
- Action: Establish a vendor risk management program to assess the security practices of third-party vendors before entering into agreements. Consider any potential regulatory requirements related to vendor risk management. Regularly monitor vendors’ security posture and reassess their risk profiles. Omega’s vendor due diligence whitepaper offers essential guidance for thoroughly examining third-party information security practices.