Mind the Gap: The Importance of Gap Analyses

This summer has seen some extraordinarily large cybercrime and ransomware data-breach incidents. And one of the most widely used categories of software worldwide has been exploited: file movers.

IT teams use file movers to transport files from one server to another, to back up data, or for other internal uses. On July 10, a third party gained access to finance firm 1st Source Corp through the popular MOVEit file transfer tool, which 1st Source Corp used for secure file transfers supporting client services and internal operations.

U.S. government agencies, including two Department of Energy (DoE) entities, were also affected when attackers exploited a vulnerability in Progress Software’s MOVEit Transfer. Stolen data included personally identifiable information (PII) of thousands of people, including DoE employees, contractors, and vendors.

“This event, which includes millions of breaches over the past few weeks,” according to Scott Kuperman, Director of TeamLogic IT, “should serve as a cautionary tale to everyone. When it comes to cybercrime and cybersecurity,” he said, “we always look at it from three directions: personal, corporate, and industrial.”

Kuperman says, “Chances are, within the next week or two, millions of people will receive a letter — and perhaps you have already — from some organization covering your healthcare, finances, or car lender saying your data has been breached because this is as wide-reaching a hack as you could get.”

It’s a pervasive issue, and while you can’t do much about a breach that’s already occurred, you can protect yourself in the future. And to protect their reputations and bottom lines, companies across all industries must take steps to implement robust cybersecurity measures. But where do you start — especially in a quickly evolving digital world where cybercriminals are only a step behind the latest controls?

Enter gap analysis.

What is a Cybersecurity Gap Assessment?

If you haven’t done so recently, conduct a gap analysis as quickly as possible to identify possible risks before they escalate into full-blown threats. Gap assessments find vulnerabilities and weaknesses in your cybersecurity infrastructure. Organizations that handle more sensitive data should conduct these assessments more frequently.

These assessments usually include:

  • Gathering information on a company’s current information security posture.
  • Evaluating current cybersecurity strategies.
  • Identifying business and operations-critical assets, including data, networks, and systems.
  • Assessing overall security and cyber risks.

You can conduct an internal gap analysis — but if cybersecurity isn’t your company’s specialty, there are other options. Hiring an external third-party cybersecurity specialist will help you find and plug the gaps, strengthen your security defenses, and verify that you have the right policies and processes to manage the current threat landscape.

Conducting consistent gap analyses shows your organization’s board, clients, investors, and employees your commitment to cybersecurity, which is even more critical for companies implementing robust environmental, social, and governance (ESG) policies.

Conducting an Effective Gap Assessment

In the industrial sector, everyone tends to concentrate on their own technology or systems. But the ball is often dropped on business agreements, third-party trade agreements, supply chains, and similar arrangements. That’s where gaps can occur, especially around data shared across those boundaries.

Gap assessments may look different depending on your industry or the type of data you handle. The NIST Cybersecurity Framework (CSF) is the baseline document from which many industry-standard guidelines for surfacing security gaps and vulnerabilities in sensitive data handling are adapted. PCI DSS and SOC 2 are two frameworks that define compliance requirements; you can use their requirements as a guide for conducting a gap analysis.

PCI DSS

These gap assessments protect cardholder data (CHD) in transit or at rest. However, these recommendations also apply to conducting evaluations for any organization that handles highly sensitive data. To perform a gap analysis, you should:

  • Evaluate systemwide security to find gaps in networks that might have poorly configured firewalls, web apps with broken access controls, or weak cryptographic algorithms.
  • Verify that the safeguards for protecting sensitive data align with industry standards and function effectively. Identify and mitigate any excess collection or storage of sensitive data — and check for any unsecured flow of potentially malicious “traffic” into any sensitive data environment.
  • Probe risk management for gaps that might result in data breaches or cyberattacks if not addressed. Look for threats and vulnerabilities such as ineffective anti-malware or anti-phishing software, or gaps in identity and access management, which relies on user authentication to ensure that only authorized individuals have access to sensitive digital environments.
  • Review your company’s security policy for gaps in communication of security objectives or delegation of roles and responsibilities.

SOC 2 Gap Assessments

Organizations required to report on System and Organization Controls (SOC) should use gap assessments to find areas of weakness that need remediation — and prepare for compliance audits. These gap analyses focus on evaluating risk management associated with financial, legal, organizational, and reputational risks as well as identifying:

  • A lack of sensitive data backups — or ineffective data storage.
  • Incomplete business continuity planning strategies and policies.
  • Inappropriate or absent user access logging mechanisms.
  • Missing user identification and authentication procedures.
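To make the PCI DSS checklist and the SOC 2 weakness list above repeatable rather than a one-off review, here is an added Python example (not code from this article, from Progress Software, or from any standards body) that encodes several of the listed items as automated checks over a constructed system inventory and reports each gap with the evidence a remediation owner would need. The inventory records, the control names, and the weak-protocol and backup-age thresholds are assumptions chosen for illustration.

```python
"""Turn the PCI DSS and SOC 2 gap-assessment checklists into repeatable checks.

Added example, not code from the original article. The inventory records,
control names and thresholds below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample inventory: one record per system, carrying the attributes
# the checklists ask about. A real run would load these from a CMDB or scanner
# export rather than hard-coding them.
INVENTORY: List[Dict] = [
    {"name": "payment-api", "holds_chd": True, "tls_min": "TLSv1.2",
     "ciphers": ["AES128-GCM-SHA256"], "firewall_default": "deny",
     "mfa": True, "access_logging": True, "backup_age_days": 1},
    {"name": "legacy-reports", "holds_chd": True, "tls_min": "TLSv1.0",
     "ciphers": ["RC4-SHA", "AES256-SHA"], "firewall_default": "allow",
     "mfa": False, "access_logging": False, "backup_age_days": 45},
    {"name": "marketing-site", "holds_chd": False, "tls_min": "TLSv1.2",
     "ciphers": ["AES256-GCM-SHA384"], "firewall_default": "deny",
     "mfa": True, "access_logging": True, "backup_age_days": 30},
]

# Protocol versions and cipher-name fragments treated as weak (assumed policy).
WEAK_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")
MAX_BACKUP_AGE_DAYS = 7  # assumed backup-freshness threshold


@dataclass(frozen=True)
class Finding:
    system: str
    control: str   # which checklist item the gap maps to
    detail: str    # evidence a remediation owner can act on


def check_crypto(s: Dict) -> List[Finding]:
    """Weak cryptographic algorithms (first PCI DSS bullet)."""
    found = []
    if s["tls_min"] in WEAK_PROTOCOLS:
        found.append(Finding(s["name"], "weak-crypto", f"minimum protocol {s['tls_min']}"))
    for cipher in s["ciphers"]:
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            found.append(Finding(s["name"], "weak-crypto", f"weak cipher {cipher}"))
    return found


def check_firewall(s: Dict) -> List[Finding]:
    """Poorly configured firewalls: anything but default-deny is a gap."""
    if s["firewall_default"] != "deny":
        return [Finding(s["name"], "firewall-default", "default policy is not deny")]
    return []


def check_identity_and_logging(s: Dict) -> List[Finding]:
    """Identity/access management and user access logging (PCI DSS and SOC 2)."""
    found = []
    if not s["mfa"]:
        found.append(Finding(s["name"], "identity-access", "MFA not enforced"))
    if not s["access_logging"]:
        found.append(Finding(s["name"], "access-logging", "user access logging disabled"))
    return found


def check_backups(s: Dict) -> List[Finding]:
    """Missing or stale backups of sensitive data (first SOC 2 bullet)."""
    if s["backup_age_days"] > MAX_BACKUP_AGE_DAYS:
        return [Finding(s["name"], "stale-backup",
                        f"last backup {s['backup_age_days']} days ago")]
    return []


CHECKS: List[Callable[[Dict], List[Finding]]] = [
    check_crypto, check_firewall, check_identity_and_logging, check_backups]


def assess(inventory: List[Dict], chd_only: bool = False) -> List[Finding]:
    """Run every check over every in-scope system and collect the gaps.

    chd_only=True limits the run to systems holding cardholder data, which is
    how a PCI DSS assessment is scoped; a SOC 2 review covers the whole estate.
    """
    findings: List[Finding] = []
    for system in inventory:
        if chd_only and not system["holds_chd"]:
            continue
        for check in CHECKS:
            findings.extend(check(system))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count gaps per control so the report shows where the estate is weakest."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(INVENTORY)
    for f in results:
        print(f"{f.system:16} {f.control:18} {f.detail}")
    print(summarize(results))
```

Running the module as-is lists seven gaps, six of them on the constructed "legacy-reports" system; the `chd_only` flag drops the marketing site's stale backup from a PCI-scoped run, which illustrates why the same inventory can produce different gap lists under different frameworks. Each check is a small function that returns findings rather than printing, so new checklist items become new entries in `CHECKS` and the report can be diffed between assessment cycles.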

While SOC 2 doesn’t provide a prescriptive list of processes, controls or tools, it offers criteria for implementing robust security protocols. Companies can adapt these practices based on their own operations and objectives. The trust services criteria include:

  • Availability — maintaining infrastructure, information, and software and ensuring each has maintenance, monitoring, and operation controls. The criteria also assess — and mitigate — potential external threats and evaluate whether a company has maintained minimally acceptable network performance levels.
  • Confidentiality — verifying the company is equipped to protect data restricted to specific people or organizations. Data might include client data, intellectual property, embargoed new product releases and other confidential company information — or any information protected by agreements, contracts, laws, or regulations.
  • Privacy — ensuring employees’ and customers’ PII is protected from unauthorized access.
  • Processing integrity — ensuring systems perform as intended and remain free from delay, error, accidental or unauthorized manipulation, or omission and that data processing operations are accurate, authorized, complete, and work as they’re intended.
  • Security — protecting information and systems against unauthorized access via firewalls and two-factor authentication, for example.

No matter what approach to gap analysis you choose, your company reaps multiple benefits. You’ll have greater operational visibility because you’ll know what normal operations should look like and have regular monitoring in place to raise alerts about unrecognized activity, unauthorized user access, or system configuration changes. Should a security incident occur, you’ll have the tools and processes necessary for identifying, assessing, and mitigating threats.

The average data breach cost is nearing $9.5 million in the U.S. — and breaches are increasing in frequency. Can your business afford not to improve its security posture?

Is your company due — or overdue — for its own gap analysis?

We invite you to talk to the professionals at CREA United: an organization of CRE professionals from 92 firms representing all disciplines within the CRE industry, from brokers to subcontractors, financial services to security systems, interior designers to architects, movers to IT, and more. 
