According to IBM’s annual Cost of a Data Breach Report 2021,
(https://www.ibm.com/security/data-breach), data breaches cost companies 4.2 million dollars last
year. A breach in your security management system could send your business into bankruptcy.
You may have security controls in place to protect your information, but are they sufficient to
withstand the millions of cyberattacks that happen every second of every day?
The key to understanding if your layers of security are effective is by performing a
cybersecurity gap analysis. A security gap analysis is not just the concern of the CIO or even the
CISO. You need your entire organization to be cybersecurity aware.
A security gap analysis identifies areas of your network that are vulnerable to attack and will help
you educate your staff. It reveals the measures employees can take to protect both themselves
and the company.
In this article, we’ll cover step-by-step what a risk gap analysis is, the main causes of
cybersecurity gaps, and how to perform a security gap analysis for your organization.
What is risk gap analysis?
A risk gap analysis compares your current practices against cybersecurity’s best practices.
It examines side-by-side what your business has with what you should have and shows you
where vulnerabilities exist in your network.
The Key steps of the gap analysis process
A risk gap analysis shows you where your system is weak and where it needs shoring up. It
provides insight into the level of vulnerability for each gap so that you can decide the priority of
what needs to be corrected first, second, etc.
Here is how to do a risk gap analysis step-by-step.
Choose an information security standard
There are a few security standards to choose from, like NIST 800-53, ISO 27001, and PCI DSS.
The industry you’re in, and the type of data you hold may have bearing on which security
standard you choose.
It is recommended to hire an independent cybersecurity consultant to perform this analysis.
Sometimes you are too close to the technology to evaluate it objectively.
Evaluate people and processes
Examine both your team and your processes. Collect information on your IT systems, networks,
application usage, security policies, and current workforce.
Interview team members
Are they adhering to administrative network controls?
For example, has everyone been trained to know what to do when they suspect an email they
received is phishing them? Is your system set to the proper level of control to prevent your staff
from receiving phishing emails in the first place?
Compare your current security controls to industry standards.
In this step, your network applications, server applications, and security controls should be
measured against the framework you chose.
This phase demonstrates what your security protocols do when your system is attacked. There
are tools you can use to test the strength of your antivirus protection, firewall, and anti-spam filter,
as well as penetration testing.
Then you can create a list of what your security protects and where it fails. This step is critical to
discovering the areas that are the most vulnerable to hackers.
Now that you know where the cybersecurity gaps are, it’s time to figure out how to address them.
What security training does the staff need? What technical assessments need to be performed,
and on which section of the network?
No company can protect itself 100% from cybersecurity attacks. However, meeting 80% of
cybersecurity compliance requirements is a reasonable goal.
What is the difference between gap analysis and risk assessment?
A cybersecurity gap analysis and a risk assessment are two different things.
The cybersecurity gap analysis tells you how far short your system is from industry standards. It
tells you the difference between your system’s desired level of performance and its existing
A cybersecurity risk assessment tells you what attacks can happen and evaluates the risk to your
data associated with those attacks. It helps you decide which cybersecurity controls to put into
action to defend against them.
What are the main causes of cyber security gaps?
Weak passwords like “Password” or “123456” allow hackers easy access to your data.
Cybercriminals use programs that can run through millions of easy to moderately secure
password choices in seconds. Ensuring your staff members choose strong passwords is a vital
element in the development of your security processes.
Unfortunately, some criminals may be hiding in plain sight.
An all-too-common cybersecurity gap is hackers stealing passwords that a coworker has written
down, left in plain sight, and uses for multiple accounts and/or applications.
Even though you want to trust the people you work with, it’s still a wise choice to remove
temptation by keeping credentials secret. You have no way to predict what a disgruntled
coworker may do.
Other causes of insider cybersecurity gaps are slip-ups like copying the wrong person on a
need-to-know-only-based email or losing a laptop while traveling.
All software is vulnerable to cybersecurity attacks.
Software providers regularly update their applications when they discover a new susceptibility.
When the exposure is fixed, they release a patch, and ignoring these updates or putting off
installing them endangers your network.
Hackers actively seek systems that are still unprotected from this particular attack.
One of the problems with putting off regular cybersecurity software updates is that it makes your
system ripe for a cybercriminal to install malware.
All they have to do is find the gap in your security, and they have several ways to steal from you.
One way malware is used is to track what a user types into their computer with a keylogger.
Malware can also be used to install ransomware which locks down your system. A hacker will
demand payment to restore access to your system and data.
You don’t know what you don’t know. You do your job day after day on the same equipment, and
before you know it, the routine takes over, and you stop paying acute attention to protocols.
You know cyber threats are out there, but you don’t think they will happen to you.
You’ve heard of phishing. You don’t click on links in unexpected emails. You slowly become less
aware of cybersecurity threats.
That’s why regular user awareness training is vital.
Numerous breaches can be traced to an unsuspecting user permitting access to an attack on the
network. Annual cybersecurity training is no longer enough.
The speed at which technology is developing is exponential, and hackers are quick to take
advantage of this.
A best practice for cybersecurity training is two to three times a year.
What are the 3 types of data breaches?
There are three ways that criminals can hack your system: physical, electronic, and skimming.
Knowing the difference is important to your cybersecurity analysis because it dictates how you
defend your network.
This happens when someone (usually an employee) steals equipment or documents like laptops,
external hard drives, faxes, or credit card receipts. Then they use them to gain access to account
The way to prevent physical breaches is to destroy equipment and documents that are no longer
An electronic breach is a direct attack on the security system where you store, process, and/or
transmit financial data. Unauthorized access can be obtained through web servers or websites.
They commonly happen because your applications do not have enough cybersecurity protection.
The healthcare industry is a prime target for this type of breach due to the massive amount of
Personally Identifiable Information healthcare institutions collect, transmit and store.
The best way to protect against electronic breaches is to encrypt your data. That way, even if a
hacker gains access, they still have to decipher it before they can use it.
You may have heard about skimming in the news in conjunction with consumers whose credit
card information was stolen when purchasing gas at the pump.
Criminals can easily and quickly install an external device on PIN pads enabling them to gather
credit card information. Retailers are notably susceptible to this type of security gap.
To combat it, equipment used for gathering financial information should be regularly monitored
for evidence of tampering.
Gaps in cloud security
Filling the gaps in cloud security is a separate issue that you also need to look at.
Since COVID-19 hit, the gaps in cloud security have become more obvious. Working from home,
learning from home, and shopping from home exponentially increased the need for cloud
technology virtually overnight.
Cloud security is similar to network security in that it involves policies, processes, and controls,
but there is an added issue. The exchange of your information is transmitted through
There are three types of cloud environments: PaaS (Platform as a Service), IaaS (Infrastructure as
a Service), and SaaS (Software as a Service).
The most critical to your cybersecurity analysis is likely SaaS because they don’t have a
perimeter. This means that traditional cybersecurity measures that protect your network, like
firewalls, are not as effective in protecting the security of your cloud-based applications.
There are three things to keep in mind regarding cloud security.
- Most cloud providers use a shared security responsibility model. This means your provider takes responsibility for securing the application hardware and infrastructure, and you are responsible for the security of the data going through the application.
- Securing your network does not protect your data in the cloud. Your system has a perimeter that you can secure. Your cloud applications are not within your system’s cybersecurity perimeter.
- Your content filtering tool blocks inappropriate content from your system. It does not give you a high level of security, especially if you must comply with regulations like HIPAA and/or state laws. Consider doing a separate analysis for your cloud-based cybersecurity.
What is NIST gap analysis?
If you are a federal contractor working with the Department of Defense, the General Services
Administration, and/or the National Aeronautics and Space Administration, then it is in your best
interest to perform a specific information security gap analysis known as a NIST gap analysis.
The NIST 800-171 is a framework that will serve to verify you meet the government’s standards
and guidelines for protecting sensitive, controlled unclassified data and records. Adhering to this
framework allows data to be securely shared among multiple contractors.
Be prepared to take the time to go deep into the security analysis of examining your networks
and procedures. The NIST 800-171 standard has 14 points of information security protocols that
must be addressed to comply with cybersecurity standards.
It isn’t enough to complete the NIST gap analysis to your satisfaction. In order to bid on
government contracts, your organization must be certified by an independent, third-party entity
that rates your ability to not only protect sensitive data but also how seriously your organization
prioritizes the cybersecurity protection of controlled unclassified information.
The assessors use the Cybersecurity Maturity Model Certification (CMMC) as the standard by
which to judge your policies, procedures, and controls.
How to perform a security gap analysis
Here are some questions you can ask to get started on your own security gap analysis:
- Do you monitor changes to user privileges?
- Do you regularly assess those privileges, ensuring the appropriate users have the appropriate level of secure permissions?
- Do you have an organization-wide password strength policy?
- Do third-party organizations (e.g., vendors) have access to your network? Is it secure?
- Do you perform information security awareness training two to three times a year?
- Do you manage cyber assets (e.g., financial information, personally identifiable information)?
- Do employees travel with laptops or other removable devices? If so, are there information security protocols for traveling with equipment?
- Do you have a secure way to remotely backup your information security system (e.g., a VPN)?
- Do you have secure wireless networks?
An information security gap analysis is a critical element in your cybersecurity strategy.
Hackers become bolder every day. Your system should undergo a cybersecurity gap analysis at
least once every two years.
This will ensure that your network, team, and security controls are not only effective but also
This analysis helps eliminate your blind spots, shows you where your vulnerabilities are, and
helps you form a plan to prevent future cybersecurity breaches.