Cybersecurity is about managing cyber risks to an acceptable level, rather than implementing a checklist of requirements. Here are some of the top questions about cybersecurity every business leader should think about.
1. How do we currently prevent penetration and prevent damage?
Which baseline protections are in place? A defence-in-depth approach will show where controls are lacking and which quick wins are available.
Defence in depth is a basic approach to consider. It does not assume a single attack vector, and it layers overlapping systems designed to provide security even if one of them fails. For example, anti-virus software coupled with an intrusion detection system (IDS).
2. How is the leadership informed about the current level of cyber risks and their business impact to the organisation?
It’s important to have visibility on the current state of cybersecurity and threat development. Executive management must be able to control the heading and speed based on objective fact. Considering how fast new threats emerge, an annual security report would not suffice.
3. Is cyber risk part of our enterprise risk management?
Cybersecurity is a process, not a product. It is about managing cyber risks to an acceptable level, rather than implementing a checklist of requirements.
As with any other type of risk, cyber risk involves people + process + technology. Ideally, your risk management includes cyber risks as well. When included, cyber risks should be measured on par with non-cyber risks.
When it comes to managing remediation costs, don’t focus on ROI; stick to basic cost-benefit analyses instead. It makes more sense to say, “Here’s what we stand to lose if these measures aren’t implemented”.
4. Do we follow the right cybersecurity framework(s)?
Each industry has its own set of cybersecurity frameworks, some of which are even mandated by law. Adherence to the right framework can also be a business enabler, especially when you’re in the services industry.
If you deliver a cloud-based service, having a SOC2 certification may be mandatory in order to do business with the banking and insurance industries. There are also many other globally acknowledged frameworks for information security and cybersecurity.
5. Do we know which cyber risks are introduced to us through our vendors? And how well do they control their security safeguards?
The quickest way to lower the cyber risk introduced through vendors is to only do business with vendors that hold security certifications. Example certifications range from SOC2 compliance for SaaS providers to the more generic ISO27001 for information security. Often this is not realistic, but preferring certified vendors buys you time to assess how well the non-certified ones handle their security.
As with all things security-related, this is about context. It’s not only the sensitivity of the information you process through the vendor that matters, but also what access the vendor has to your infrastructure.
This access can be misused in two main ways: it can be used to extract valuable company information from your infrastructure, and it can serve as a conduit through which to attack your customers.
6. Is there adequate staff and cybersecurity education?
How many of your staff will click that evil link in that phishing email? New threats are evolving continuously, and all it takes is a click of the mouse to give an attacker access to your infrastructure.
To prevent this from happening, adequate cybersecurity training is key, and there are many (even free) ways to assess how well staff can detect possible threats. The effectiveness can be measured periodically, for example four times a year, or continuously.
Besides training non-technical staff, it is imperative to continuously develop your cybersecurity staff to enable them to keep up with the latest developments.
7. Cyber incident response plan: How mature and how often tested?
Failing to plan is planning to fail. With today’s advanced threats, it’s a good bet to assume you will be breached.
How this breach plays out depends on how well you prepare. The type of breach, the threat vector and the impact can all differ, so an incident response plan for each likely scenario should be drawn up.
Be clear who leads this. The person responsible should have exceptional communication and organisational skills. This person will also be the point of contact for internal and external interactions.
Important questions to answer in the plan: How do we engage with law enforcement? How do we inform our clients, investors, and general public? How do we limit the damage? Who is part of the cyber incident response team, and which roles are required?
8. Is our organisation protected from emerging threats?
“Every minute, we are seeing about half a million attack attempts that are happening in cyberspace,” said Derek Manky to CNBC’s Harriet Taylor in “Biggest Cyber Security Threats 2016”. In 2017, we are seeing increasingly creative hacks.
In the past, cybersecurity was thought to be the responsibility of the IT department. This is no longer the case, and more businesses are moving towards a dedicated cybersecurity team to monitor infrastructure and track threat developments.
9. How does our level of preparedness compare to our competitors?
A general rule of thumb for opportunistic thieves is that they aim for the low-hanging fruit. They don’t touch the houses in the street that would increase their risk of getting caught.
Doing a penetration test at the end of every project is a good thing to do. But if this is the only thing that is done, it’s comparable to only having someone check if you locked your front door. No lights, no cameras, no alarm system, and nothing there to track any unwanted visitors. So when you do get burgled, you will have no idea what has been stolen or left behind, or if the thieves are still roaming through your house.
Having a strong set of cybersecurity measures will make you a less interesting target. And even if you were specifically targeted, it will make it harder for an attacker to breach your infrastructure and remain undetected for long.
10. Is our cyber risk exposure aligned to our risk appetite?
Cyber risk is commonly defined as the exposure of the organisation and their affiliates to harm or loss resulting from breaches of or attacks on information systems.
To answer this question, one must have cybersecurity risk management in place, as well as threat intelligence and objective numbers on the effectiveness of the implemented security controls. The aim is to review the balance between appetite and exposure annually, and to base decisions on this.
Secure your environment today
As the above points demonstrate, the risks associated with system vulnerabilities are substantial. Instead of waiting for your information to be exploited, systems corrupted and brands damaged, you can take the initiative and protect yourself.
We can provide you with in-depth reports into weaknesses that attackers could exploit in your specific system. With this valuable insight, we can then help you secure your systems in the areas of development, use and infrastructure.
Visit our Security Testing section to find out how we can close these loopholes for you.