Vulnerability Assessments

Identify risk and vulnerabilities

What are you trying to protect? 

What are you willing to risk?

What are the odds?

I cannot forget the story about the jar of candy. There is a huge reward if you take a piece and eat it. The problem is, one of the pieces is poison. How many pieces of candy would have to be in the jar before you would be willing to take a chance? The act of choosing how many candies need to be present defines how much risk one is willing to accept.

RiskTool's pre-populated assessments cover a wide range of topics. Assessments are designed to be "assigned" and represent, at a point in time, how a particular risk or the vulnerability to that risk is measured. The system is also designed to allow customers or their consultants to create their own assessments and measurement statistics. We encourage you to conduct your own assessments but are on hand to assist when needed.

There's a common misconception that small businesses are rarely a target for hackers because of their smaller size and lack of valuable data. In practice, any information stored on your systems might be interesting to criminals.

Here are the top five cyber threats:

1. Ransomware - This is a form of malware (malicious software) that attempts to encrypt (scramble) your data and then extort a ransom in exchange for an unlock code. Most ransomware is delivered via malicious emails.

Here are some steps to protect your company:

• User awareness - Users should be very cautious of unsolicited emails, particularly those that ask for a prompt response. Some organizations can quarantine suspicious emails before they reach the user.

• Malware protection - Install and maintain anti-virus and malware protection software.

• Software updates - Keep your applications up to date. Patching is one of the single most effective ways to protect your computer.

• Data backups - Well-managed data backups allow you to recover an unencrypted version of a file. Regularly test your backups.

2. Phishing - Phishing is a term used to describe an attempt to obtain sensitive information while posing as a trustworthy contact. An example might be an email appearing to be from your bank or financial institution, credit union, online service, etc. Spear phishing is a highly targeted attempt to gain information from a specific individual. Phishing emails are designed to be convincing, frequently with perfect wording and genuine logos. A form of spear phishing, called whaling, is where a fake email appearing to come from the CEO pressures the CFO into making an urgent payment.

Here are some ways to protect your organization:

• Trusted companies simply do not ask for sensitive information by email.

• Be suspicious of all emails. Verify through another channel if needed.

• Train your employees.

• Communicate company policies about financial transactions and other activities.

• Use anti-malware software.

• Have spam filters turned on and check them regularly, in case they have filtered an innocent email. It's simply not good business to be an isolationist when trying to conduct business and promote relationships.

3. Data leaks - Cybersecurity in the office may seem overly cautious, but cybersecurity needs extend well beyond the office. The use of smartphones and tablets is widespread. Portable storage devices are everywhere, as they are a useful tool for the backup and transportation of data. These same features also help data thieves.

Here are some steps to prevent data leaks:

• Require mobile devices to have passcode locks.

• Turn on GPS tracking and the option to remotely wipe the device if it is lost.

• The use of encryption software is highly recommended when using portable storage devices.

• Protect your mobile devices and paperwork at all times.

4. Hacking - Gaining illegal access to IT systems offers criminals a lucrative financial incentive. Gaining access to bank account information or credit card databases has an obvious financial reward. However, intellectual property is also a source of significant value and the target of many government-sponsored actors. The use of social engineering allows criminals to gain insight and trick people into revealing user credentials.

The most widely used methods to protect a network from hacking are network firewalls and IP filtering, layered data access security, procedures for granting and removing access, and user awareness and training.

5. Insiders - If you have employees (full-time, part-time, or contractors), the possibility exists that they could leak data by mistake or on purpose. The damage from a document leak cannot be overstated.

Try to mitigate the size of any data leak by:

• Educating employees and outside vendors (business associates) to be alert to issues and minimize careless mistakes.

• Limiting how much data the extended staff has access to. The principle of 'least privilege access' should be applied to IT systems: provide staff with the minimum level of access needed to do their roles.

• Controlling the use of portable storage devices, such as USB memory keys, portable hard drives, and media players.

• Considering log monitoring, monitoring software, or assessment of staff behavior (who is copying what).

RiskTool can help address each of these threats.

In addition, insurance carriers can use RiskTool as a platform to build a community of policyholders. This community can then collaboratively and actively share resources and information to lower risk, or the vulnerability to risk, resulting in a higher probability of lower loss ratios.