The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency released a new module in its Cyber Security Evaluation Tool Wednesday to allow businesses to assess their exposure to ransomware and their preparedness for defending against an attack.

The Ransomware Readiness Assessment is a desktop software tool that guides network operators through a step-by-step process to evaluate their cybersecurity practices. Applicable to both information technology and industrial control systems, RRA allows users to comprehensively evaluate their cybersecurity posture using recognized government and industry standards.

The RRA is based on a tiered set of practices to assess how well an organization is equipped to defend and recover from a ransomware attack. The assessment provides an analysis dashboard with graphs and tables that present the assessment results in summary and detailed form so that action can be taken. “The RRA also provides a clear path for improvement and contains an evolving progression of questions tiered by the categories of basic, intermediate and advanced,” CISA noted on the CSET wiki.

“This is a positive first step and CISA is on the right track to helping businesses and organizations provide more holistic security,” Sascha Fahrbach, cybersecurity evangelist at privileged access management company Fudo Security sp. z o.o., told SiliconANGLE today. “This new tool will certainly assist various industries in expanding their know-how about ransomware and assessing their readiness towards this threat.”

Security teams need to use the information, data and other elements of this tool and structure that knowledge into an organization’s security policy and strategy, Fahrbach added. “Security should not just be a box-ticking exercise, and although helpful, there are many other layers and steps that must be implemented to safeguard vital industry and IT infrastructure,” he said.

Jerome Becquart, chief operating officer at identity platform provider Axiad IDS Inc., noted that using the tool will prepare businesses for zero-trust security, which was recently highlighted in President Biden’s executive order.

“By assessing their ability to control access to their corporate resources, businesses can identify gaps in their security infrastructure,” Becquart explained. “For instance, many organizations have started enforcing multifactor authentication in parts of their ecosystems, but haven’t secured all their use cases, which could leave vulnerabilities open for hackers to strike.”

Image: CISA