Cyber Security Risk Assessment: 10 Steps to Cyber Security

Cyber crime facts that should scare you:
Fact 1: In 2011, UK organisations suffered 44 million cyber attacks causing damage between £18bn and £27bn. 80% of these attacks could have been prevented.

Fact 2: In 2012, 87% of small and 93% of large firms in the UK experienced a cyber security breach.

Fact 3: Average cost of a cyber security breach for a small firm is between £35k and £65k.

Fact 4: More than 70% of investors are interested in reviewing public company cyber security practices. Almost 80% would likely NOT consider investing in a company with a history of attacks.

So, how do you protect your business?
Follow the UK’s 10 Steps to Cyber Security framework: 10 risk areas to help you assess your cyber security strengths and weaknesses.

1. Board-led information risk management regime
– Do you have an effective risk governance structure in which your risk appetite and selected controls are aligned?
– Do you have appropriate information risk policies and adequate cyber insurance?
– 12% of the worst security breaches were partly caused by senior management giving insufficient priority to security.
– 26% of boards have not been briefed on any security risks in the last year (and 19% have never been briefed).

2. Secure home and mobile working
– Do you have a mobile and home-working policy that staff have been trained to follow?
– Do you have a secure baseline device build in place?
– Are you protecting data both in transit and at rest?
– 8% of large and 33% of small organisations haven’t taken any steps to mitigate the risks associated with staff using smartphones or tablets.

3. User education and awareness
– Do you have Acceptable Use policies covering staff use of systems and the requirements placed on staff?
– Do you have a relevant staff training programme?
– Do you have a method of maintaining user awareness of cyber risks?
– 54% of organisations see their own staff and contractors as a greater threat to data security and computer systems than outside attack.
– 442% of large organisations don’t provide any ongoing security awareness training to their staff (and 10% don’t even brief staff at induction).

4. User privilege management
– Do you have clear account management processes, with a strong password policy and a limited number of privileged accounts?
– Do you monitor user activity, and control access to activity and audit logs?
– 36% of the worst security breaches in the year were caused by inadvertent human error.
– 10% by deliberate misuse of systems by staff.

5. Removable media controls
– Do you have a policy controlling mobile and removable computer media?
– Are all sensitive devices appropriately encrypted?
– Do you scan for malware before allowing connections to your systems?
– Only 50% of large and 29% of small organisations have implemented mobile device management.
– 23% of large organisations have trained staff on the threats associated with mobile devices.

6. Activity monitoring
– Do you have a monitoring strategy?
– Do you continuously monitor activity on ICT systems and networks, including for rogue wireless access points?
– Do you analyse network logs in real time, looking for evidence of mounting attacks?
– Do you continuously scan for new technical vulnerabilities?
– 85% of breaches took weeks to discover.
– 20% of organisations are unsure whether or not their organisation has been attacked.

7. Secure configurations
– Do you have a technical vulnerability patching programme in place and is it up-to-date?
– Do you maintain a secure configuration for all ICT devices?
– Do you have an asset inventory of authorized devices and do you have a defined baseline build for all devices?
– 79% of hacked organisations were victims of opportunistic attacks.
– 96% of attacks were not highly difficult.

8. Malware protection
– Do you have an appropriate anti-malware policy and practices that are effective against likely threats?
– Do you continuously scan the network and attachments for malware?
– 41% of small and 47% of large businesses suffered a data breach as a result of infection by viruses or malicious software.
– 28% of virus infections or disruptive software have had a serious impact.

9. Network security
– Do you protect your networks against internal and external attacks with firewalls and penetration testing?
– Do you filter out unauthorized or malicious content?
– Do you monitor and test security controls?
– 98% of breaches involved external agents.
– 81% of breaches involved hacking.

10. Incident management
– Do you have an incident response and disaster recovery plan?
– Is it tested for readily identifiable compromise scenarios?
– Do you have an incident forensic capability, and do you know how to report cyber incidents?
– 76% of small and 91% of large organisations had a malicious security incident in 2012.
– 92% of incidents were discovered by third parties.

Protect your business from cyber attacks: IT governance cyber security consultants can carry out a robust assessment of your performance in each of these 10 areas, providing a tailored, immediately usable action plan.