March 14, 2022
How a Maturity Assessment Can Reveal Gaps in Cybersecurity Strategy
Through Security Maturity Assessments, organizations can gain an objective view of their cybersecurity posture.
When it comes to cybersecurity, IT and business leaders often have a hard time seeing what’s right in front of them.
When you’ve built out an IT environment yourself — and implemented cybersecurity tools and practices to keep data and systems safe — it can be extremely difficult to spot the gaps. That’s why external assessments can be so powerful. A fresh set of eyes can help uncover hidden vulnerabilities and ultimately lead to an effective remediation roadmap.
In our CDW Security Maturity Assessment offering, we evaluate an organization's environment against the Center for Internet Security (CIS) Controls, which lends a measure of objectivity to the process. Through interviews with stakeholders, as well as optional penetration testing, we put together an accurate picture of where things stand and what improvements are needed to ward off attacks.
Here are three of the most common issues that pop up during our maturity assessments.
Security Hygiene
Cybersecurity fundamentals such as patch management may seem like blocking and tackling basics. But as any football fan can tell you, lackluster blocking and tackling can lose your team a lot of games. A solid patching and vulnerability management program is one of the most reliable ways to reduce overall risk, yet too often we see these key steps fall by the wayside.
Many times, the problem boils down to weak processes. For instance, a security team will identify vulnerabilities but then hand off remediation to another IT team that is already swamped with other (seemingly more urgent) tasks. As a result, the problems simply don't get fixed. Findings need a named owner and a due date, and someone has to track them to closure and re-scan to confirm the fix actually landed.
Another security hygiene problem that frequently pops up is the lack of a strong policy governing local admin access. A business will furnish a laptop to an employee without restricting privileges, and then the employee's child downloads malware-infected games onto the device, where the malware runs with the same administrative rights. Again, these are simple problems, but we see them over and over in our practice.
Password Policy
Decades after email became ubiquitous, we still see people creating passwords that our pen-testing teams can crack or simply guess in a matter of minutes. For example, we commonly see passwords that are just the current season and the year (for instance, "spring2021"). Even in organizations where IT leaders feel their cybersecurity posture is relatively mature, I often receive a blank stare when I ask if their password policy would allow something as easily guessed as "summer2022." The answer is usually yes: a password like that satisfies the typical length-and-complexity rule while sitting at the top of every attacker's guess list.
Along with more stringent password policies, organizations should strongly consider rolling out a password manager (vault) to help employees manage their passwords. This not only reduces frustration for employees, but also removes the incentive behind the all-too-common scenario where people email passwords to themselves or write them on Post-it notes stuck to their monitors.
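To make the "summer2022" point concrete, here is an added example (not code from the article or from CDW's assessment) that builds the season+year guess list a pen-tester sprays first, shows that such a password satisfies a classic eight-character, three-of-four-character-classes rule, and implements a policy check that rejects the pattern even when it is disguised with capitals, leet spelling, or trailing punctuation. The 14-character minimum and the suffix list are this example's own assumptions, not figures from the article.

```python
"""Season+year password audit (added example, not from the original article)."""
import itertools
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")

# Leet substitutions a guesser undoes; applied to the word part only,
# so the year digits are left alone.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# <word><year>, where year is 2 or 4 digits (optionally 19xx/20xx).
SEASON_YEAR = re.compile(r"^(?P<word>[A-Za-z0-9@$]+?)(?P<year>(?:19|20)?\d{2})$")


def season_year_candidates(years):
    """Every season+year guess for the given years, with the usual
    capitalization and punctuation mutations (suffix list is an assumption).
    The point is how small this list is: a spray against it finishes in minutes."""
    out = set()
    for season, year in itertools.product(SEASONS, years):
        for word in (season, season.capitalize(), season.upper()):
            for digits in (str(year), str(year)[-2:]):
                for suffix in ("", "!", "!!", "#"):
                    out.add(f"{word}{digits}{suffix}")
    return sorted(out)


def is_season_year(password: str) -> bool:
    """True if the password is a season followed by a year, allowing for
    capitalization, leet spelling (Summ3r22) and trailing punctuation."""
    core = password.rstrip("!@#$%^&*.?_-")
    m = SEASON_YEAR.match(core)
    if not m:
        return False
    word = m.group("word").lower().translate(LEET)
    return word in SEASONS


def meets_legacy_complexity(password: str) -> bool:
    """The classic rule: at least 8 characters and three of four character
    classes. 'Summer2022!' sails through it."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= 8 and sum(classes) >= 3


def check_policy(password: str, min_length: int = 14) -> tuple[bool, str]:
    """A policy that would actually stop 'summer2022': a length floor plus a
    pattern blocklist. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_season_year(password):
        return False, "season+year pattern"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    guesses = season_year_candidates([2021, 2022])
    print(f"{len(guesses)} season+year guesses for two years, e.g. {guesses[:3]}")
    for pw in ("spring2021", "Summer2022!", "Summ3r22", "correct horse battery staple"):
        print(f"{pw!r:32} legacy-complexity={meets_legacy_complexity(pw)!s:5} "
              f"policy={check_policy(pw)}")
```

In a real deployment the same blocklist check belongs wherever passwords are set (a domain password filter, an identity provider's banned-password list, or an application's registration form), and the season names should be extended with the company name, local sports teams and similar tokens that show up in an organization's own cracked-password reports.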
Identity and Access Management
It's almost startling to see how many organizations still lack identity and access management controls such as multifactor authentication. This is especially concerning now that so many people are accessing resources from home. At a minimum, organizations should be enforcing MFA for email and VPN access, because those are the services exposed to anyone outside the corporate network and a password alone is not enough to prove that the person logging in is an authorized user.
Cybersecurity is an impossibly broad topic, and I often hear people say they don’t know where to begin shoring up their vulnerabilities. One great place to start: a maturity assessment that helps IT and business leaders understand where they currently are, and where they need to go.
Story by Jeremy Wilder