Running Cybersecurity Assessments May Increase The Risk Of A Breach

With the increasing frequency of cyber attacks in industrial sectors, all critical infrastructure organizations should be conducting cybersecurity assessments right now. But there’s a common part of the assessment process that is nearly always overlooked and adds tremendous risk to the organization: using email to communicate assessment tasks and collect responses on risks.


Here’s the problem with a typical cybersecurity assessment process

A risk management group decides what will be assessed. An assessment framework is chosen: NIST CSF is a common example, though many companies use frameworks they’ve developed themselves. The framework questions are organized in a spreadsheet and used to find out whether certain security controls are in place or not. The group figures out which employees and which suppliers or vendors need to answer the questions, and then the spreadsheet is emailed out to everyone.

At this point, if an attacker had gained access to any one of these people’s email accounts, they now have a spreadsheet that shows where the company is currently most concerned about having holes in its security posture. Depending on how the questions are worded and what notes are added, they also have context for where to look for breach points. This information may or may not be enough for an attacker to do much of anything right now. But it certainly gives them a place to focus their attention and an idea of what resources they’ll need. And, if the email was sent out to everyone on a single list with email addresses exposed, they now know who else to start monitoring and phishing.

When the respondents receive the spreadsheet of security questions, they go to work adding their responses into the appropriate cells. Some controls may be in place, maintained, and up to date. Some controls may be in the process of being updated. Some are not in place. For those missing controls, a note is added acknowledging that they’re not in place but detailing how the risk is mitigated by other compensating factors. And then there are the controls that are not in place, not mitigated, and not in any remediation or improvement process. All of these details are recorded in multiple spreadsheets and emailed back to the risk management group.


Think about this scenario for a moment.

By this point in 2021, it’s commonly understood that it’s not safe to email sensitive information like social security numbers, credit card data, or passwords. But around the world, every day, organizations large and small are emailing their most sensitive cybersecurity vulnerabilities to each other within the company, and even externally if third parties are involved. Ironically, while all this is happening, everyone is aware that breaches involving email system issues and weak passwords are among the most common intrusion paths. There may be a password needed to open the spreadsheet, but do you really trust Excel to hold off an attacker from Russia or China?

This is a major security risk that most companies don’t even think about. The very assessment that is used to help them improve cybersecurity measures is working against them from the moment it begins.



This is one of the many reasons why exists.

From start to finish, assessment information never leaves our customer’s secure account. The risk management groups that put questions together from industry standards or custom frameworks perform that work inside the platform. Assigning and sending questions to respondents happens inside the platform. Responses to questions, with notes and validation information, all happen inside the platform. You get the idea.

Every person involved has two-factor authentication protecting their login credentials. Suppliers and vendors have restricted, limited views that only show them what they are meant to be involved with. All stored data is encrypted by default. And platform users can bring their own encryption keys, further guarding the data.

We’re a company that was created by risk management leaders that did the same things our customers do every day. We get how difficult the job is and understand that everyone’s trying to do their best. We started to be helpful for those that are protecting critical infrastructure. We’d love the opportunity to help your team.

Check out a quick 3-minute video demo here. While you’re at it, reach out to us for a more in-depth tour of the product and get a free trial to kick the tires with.

Bill Lawrence

Bill Lawrence joins from the North American Electric Reliability Corporation (NERC) and currently serves as Chief Information Security Officer at During his 20-year naval career, Bill earned his Computer Science degree from the U.S. Naval Academy, a master’s degree in International Relations from Auburn Montgomery, and a master’s degree in Military Operational Art and Science from the Air Command and Staff College. He also holds a Project Management Professional certification and several cybersecurity certifications, including the Certified Information Systems Security Professional certification.
