Cyber Security Risk Assessment: 10 Steps to Cyber Security


Cyber crime facts that should scare you:
Fact 1: In 2011, UK organisations suffered 44 million cyber attacks causing damage between £18bn and £27bn. 80% of these attacks could have been prevented.

Fact 2: In 2012, 87% of small and 93% of large firms in the UK experienced a cyber security breach.

Fact 3: Average cost of a cyber security breach for a small firm is between £35k and £65k.

Fact 4: More than 70% of investors are interested in reviewing public company cyber security practices. Almost 80% would likely NOT consider investing in a company with a history of attacks.


So, how do you protect your business?
Follow the UK’s 10 Steps to Cyber Security framework, which sets out 10 risk areas to help you assess your cyber security strengths and weaknesses.

1. Board-led information risk management regime
– Do you have an effective risk governance structure in which your risk appetite and selected controls are aligned?
– Do you have appropriate information risk policies and adequate cyber insurance?
– 12% of the worst security breaches were partly caused by senior management giving insufficient priority to security.
– 26% of boards have not been briefed on any security risks in the last year (and 19% have never been briefed).

2. Secure home and mobile working
– Do you have a mobile and home-working policy that staff have been trained to follow?
– Do you have a secure baseline device build in place?
– Are you protecting data both in transit and at rest?
– 8% of large and 33% of small organisations haven’t taken any steps to mitigate the risks associated with staff using smartphones or tablets.

3. User education and awareness
– Do you have Acceptable Use policies covering staff use of systems and the requirements placed on staff?
– Do you have a relevant staff training programme?
– Do you have a method of maintaining user awareness of cyber risks?
– 54% of organisations see their own staff and contractors as a greater threat to data security and computer systems than outside attack.
– 42% of large organisations don’t provide any ongoing security awareness training to their staff (and 10% don’t even brief staff at induction).

4. User privilege management
– Do you have clear account management processes, with a strong password policy and a limited number of privileged accounts?
– Do you monitor user activity, and control access to activity and audit logs?
– 36% of the worst security breaches in the year were caused by inadvertent human error.
– 10% were caused by deliberate misuse of systems by staff.

5. Removable media controls
– Do you have a policy controlling mobile and removable computer media?
– Are all sensitive devices appropriately encrypted?
– Do you scan for malware before allowing connections to your systems?
– Only 50% of large and 29% of small organisations have implemented mobile device management.
– 23% of large organisations have trained staff on the threats associated with mobile devices.

6. Activity monitoring
– Do you have a monitoring strategy?
– Do you continuously monitor activity on ICT systems and networks, including for rogue wireless access points?
– Do you analyse network logs in real time, looking for evidence of mounting attacks?
– Do you continuously scan for new technical vulnerabilities?
– 85% of breaches took weeks to discover.
– 20% of organisations are unsure whether or not their organisation has been attacked.

7. Secure configurations
– Do you have a technical vulnerability patching programme in place and is it up-to-date?
– Do you maintain a secure configuration for all ICT devices?
– Do you have an asset inventory of authorized devices and do you have a defined baseline build for all devices?
– 79% of hacked organisations were victims of opportunistic attacks.
– 96% of attacks were not highly difficult.

8. Malware protection
– Do you have an appropriate anti-malware policy and practices that are effective against likely threats?
– Do you continuously scan the network and attachments for malware?
– 41% of small and 47% of large businesses suffered a data breach as a result of infection by viruses or malicious software.
– 28% of virus infections or disruptive software have had a serious impact.

9. Network security
– Do you protect your networks against internal and external attacks with firewalls and penetration testing?
– Do you filter out unauthorized or malicious content?
– Do you monitor and test security controls?
– 98% of breaches involved external agents.
– 81% of breaches involved hacking.

10. Incident management
– Do you have an incident response and disaster recovery plan?
– Is it tested for readily identifiable compromise scenarios?
– Do you have an incident forensic capability, and do you know how to report cyber incidents?
– 76% of small and 91% of large organisations had a malicious security incident in 2012.
– 92% of incidents were discovered by third parties.

Protect your business from cyber attacks: IT Governance cyber security consultants can carry out a robust assessment of your performance in each of these 10 areas, providing a tailored, immediately usable action plan.