Most information technology executives understand security risks and have adopted sophisticated backup and disaster recovery (BDR) plans, intrusion detection products, mobile device management (MDM) and similar products to secure their networks. We all know it can cost millions for companies to remediate a compromised network, both in terms of the infrastructure costs required to correct the original failure, and in the cost of fines and penalties related to compliance breaches.
However, fewer companies are aware of the unique benefits of network assessments. Although it supports a company’s overall security program, a network assessment is a separate and crucial discipline. First, let’s define a network assessment compared to other tool categories that most IT departments are familiar with, like network monitoring software.
Network monitoring is mainly concerned with the performance and availability of individual network devices. An agent is typically installed on the device, or a probe is used to capture near real-time metrics, and a threshold violation triggers an alarm. Unlike network monitoring products that focus on the performance of individual devices, a network assessment tool looks more holistically at overall network health based on the total set of issues affecting the network. A network assessment gathers a large volume of data from a company’s network, then analyzes and correlates that information to uncover issues that place the company at risk, ranked by the likelihood of an issue’s recurrence and the severity of its impact.
For instance, network assessment solutions review how users access computers on the network, what security rules apply to each user, what mobile devices have access to the system, and when and how often those devices log onto the network. They point out vulnerabilities and identify red flags that indicate misuse. A network assessment takes a granular, encompassing snapshot of the state of your network and it documents all configurations associated with the system. A cost-effective, comprehensive network assessment tool provides a baseline plus ongoing “change reports” that let an IT director know exactly what is happening on the network from quarter to quarter, or even month to month.
Internal vs. Outsourced Assessment
There are two schools of thought when it comes to leveraging network assessments. These services are often outsourced to a managed service provider (MSP). There’s tremendous value in having an independent company conduct a network assessment, since they are removed from internal politics and can provide an objective report. However, savvy CIOs or IT directors can purchase these tools for internal use, gaining a whole new set of benefits.
CIOs must put extraordinary faith in their IT managers. Some of the company’s most valuable assets are in their hands. So what happens if your IT director gets hit by a train, or leaves in a huff? Such unfortunate breaks in employee relationships happen more frequently than one would like to believe—especially the disgruntled employee scenario. Once the relationship with your lead IT personnel is jeopardized, it is sometimes next-to-impossible to regain control over your system. Companies whose IT management changes unexpectedly often find themselves locked out of their own networks, scrounging for passwords to which they suddenly no longer have access, and relying on consultants to restore their network sovereignty.
Make Sure Your Techs Are Performing
Network assessments help keep your IT managers honest—or at least allow you to establish concrete documentation of how your system is being run. With network assessments, a CIO or IT director can establish a baseline report and conduct “change reports” which provide a detailed analysis of everything that has taken place on the network since the previous report. Therefore, if a CIO requires his or her technicians to perform certain tasks or follow certain procedures, ongoing change reports will illustrate whether those tasks in fact have been carried out.
In addition, such reports are invaluable in the event of a disaster such as a fire, or even a theft. Data back-up is only part of the challenge to restoring a business network after such a compromise. Network assessment reports keep track of the computers on a network, who the users are and what they have access to, what security policies and rules are in place for each user and each workstation, and the configuration of each computer. This allows companies to recreate the network to the same specifications as it was functioning before the impact.
HIPAA and PCI Compliance
Other critical uses for network assessments are in industries that are subject to major government regulations—which come with financially prohibitive fines for non-compliance. These include HIPAA compliance in the healthcare market and PCI compliance in the retail and consumer markets.
Companies that accept credit card information, either via phone or online, are subject to PCI DSS regulations (payment card industry data security standards), and any caught out of compliance are subject to stiff fines. Penalties can amount to hundreds of dollars per transaction on a non-compliant network. In order to maintain compliance, your organization must be able to document that it has taken action to secure network data. Assessment reports serve as that documentation, providing proof that the network has been configured over time to maintain the security of its customers’ primary credit card information.
Similarly, organizations that collect electronic protected health information—or provide any kind of goods or services to healthcare-related companies—are subject to HIPAA regulations. The number of affected companies runs into the millions.
Assessing Your Own Vulnerability
Network assessment tools can also conduct “deep-dive” internal vulnerability scans. Security breaches are most frequently carried out from within. Beyond network vulnerabilities, assessments can reveal whether anyone is accessing or transmitting data that they shouldn’t be. They can reveal when employees have gained access to otherwise restricted parts of the network. They can also identify whether former employees have accessed the system after they’ve officially left the organization—an all-too-common transgression.
Exchange or email assessment is another popular function of network assessments. Employees frequently create email groups by department, or even per project. However, when employees move to different departments, their presence often lingers on obsolete email groups. An assessment of a company’s Exchange email system examines these groups, identifies employees on multiple or outdated lists, and discovers who has access to areas of the network that are no longer appropriate. Documenting these things manually is hugely time-consuming and laborious.
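As an added example that is not from the original article or from any assessment product, the following Python sketch applies the baseline-versus-change-report idea from the sections above to constructed snapshot data: it diffs a baseline against a later snapshot of users, group memberships and workstation settings, lists departed users who remain on groups, and flags logons by accounts whose owner has already left. All usernames, hostnames, dates and the snapshot layout are constructed assumptions.

```python
from datetime import date

# Constructed baseline snapshot (hypothetical layout, not any vendor's export format).
BASELINE = {
    "users": {"alice": {"groups": {"finance", "vpn"}, "left": None},
              "bob": {"groups": {"eng", "proj-atlas"}, "left": None}},
    "hosts": {"fin-ws01": {"firewall": "on", "disk_encryption": "on"}},
}
# Constructed current snapshot taken one month later.
CURRENT = {
    "users": {"alice": {"groups": {"finance", "vpn", "domain-admins"}, "left": None},
              "bob": {"groups": {"eng", "proj-atlas"}, "left": date(2024, 3, 1)},
              "carol": {"groups": {"eng"}, "left": None}},
    "hosts": {"fin-ws01": {"firewall": "off", "disk_encryption": "on"},
              "eng-ws07": {"firewall": "on", "disk_encryption": "off"}},
}
# Constructed logon events observed since the baseline: (user, logon date).
LOGONS = [("alice", date(2024, 3, 5)), ("bob", date(2024, 3, 9))]


def change_report(baseline, current, logons):
    """Return (severity, finding) tuples describing what changed since the baseline."""
    findings = []
    b_users, c_users = baseline["users"], current["users"]
    for name in sorted(set(c_users) - set(b_users)):
        findings.append(("info", f"user added: {name}"))
    for name in sorted(set(b_users) & set(c_users)):
        gained = c_users[name]["groups"] - b_users[name]["groups"]
        if gained:  # privilege growth; administrative groups rate higher
            sev = "high" if "domain-admins" in gained else "medium"
            findings.append((sev, f"{name} gained groups: {sorted(gained)}"))
    # Departed users who still hold memberships (stale distribution lists etc.)
    for name, info in sorted(c_users.items()):
        if info["left"] is not None and info["groups"]:
            findings.append(("medium", f"{name} left {info['left']} but remains in {sorted(info['groups'])}"))
    # Workstation configuration drift and hosts not present in the baseline
    for host, cfg in sorted(current["hosts"].items()):
        old = baseline["hosts"].get(host)
        if old is None:
            findings.append(("medium", f"new host: {host}"))
            continue
        for key in sorted(cfg):
            if old.get(key) != cfg[key]:
                findings.append(("high", f"{host}: {key} changed {old.get(key)} -> {cfg[key]}"))
    # Logons by accounts whose owner has already left the organization
    for user, when in logons:
        left = c_users.get(user, {}).get("left")
        if left is not None and when > left:
            findings.append(("critical", f"{user} logged on {when} after leaving {left}"))
    return findings
```

In practice the two snapshots would come from successive assessment runs and the logon list from the directory's audit trail; the diff logic is the same.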
In short, shrewd CIOs can gain huge advantages by leveraging network assessments and reports. It’s a lesser-hailed discipline that can have a tremendous impact on a company’s effectiveness.