Security Self Assessment

Cyber security costs time, money and patience and a never ending cycle of risk identification and treatment. It sometimes feels as though the business is there to prop up the IT department rather than the other way around.

However, if information is the life blood that feeds the organisation’s metaphorical body, IT systems are the beating heart. Making security part of the DNA will ensure that:

There is compliance with legal, regulatory and contractual obligations.
There are marketing advantages: who doesn’t want to work with a business that puts customer security first?
There is optimisation of business assets, because a good security posture requires you to precisely define which systems will do what, how and when and who will be accountable for such things.
There are significant savings, because the financial consequences of a cyber security incident are crippling. There are; investigations, consultancy fees, credit monitoring services, legal expenses, fines, and money spent on repairing reputational damage - to say nothing of the interruption to services.

As such, why not take our quick self-assessment to see if your business is in good shape:

Scoring system

1 point per question.
You either meet or do not meet the criteria introduced by each question – it’s all or nothing.
The higher the score, the better, but bear in mind that even full marks does not mean that you are without risk. However, it might mean that the business is less likely to experience a security incident or the impact of such an event is more manageable.

For sole traders:

Are business accounts protected by unique, strong passwords?
Are business accounts protected by 2 factor authentication (e.g. a pin sent to a phone)
Do you regularly update your devices, software and apps?
Do you use antivirus or a firewall?
Can your mobile devices (laptops, phones and tablets) be tracked, locked or wiped remotely?
Do you know how to encrypt the data on your devices?
Do you use a Virtual Private Network (VPN) when working online?
Do you have a working backup of all data, which is stored separately from your devices?
Have you had any training on how social engineering might be used to attack your business?
If the IT systems on which you depend, are no longer working, have you work-arounds to keep your business afloat?
If you are a victim of cybercrime, do you know that this should be reported to Action Fraud to get free advice and support?

Threshold:

Less than 8 points suggests that your security posture may be flawed and your business at risk.

Please see here for a few quick fixes.

For businesses with under 30 employees

Are business accounts protected by unique, strong passwords?
Are business accounts protected by 2 factor authentication?
Do employees only have access to data they absolutely need to perform their job role?
Are IT accounts removed or disabled when an employee is redeployed or leaves the business?
Are IT systems and employees devices regularly updated (including hardware, software and apps)?
Are IT systems and employee devices protected by antivirus?
Are IT systems protected by a firewall?
Are IT systems and employee devices encrypted to protect data the business feels is sensitive?
Can employee devices (laptops, phones and tablets) be tracked, locked or wiped remotely?
Do employees use a Virtual Private Network (VPN) when working online?
Do you have a working backup of all critical data and systems, which is stored separately from your devices?
Do you regularly deliver cyber security training to all employees and test the efficacy of this programme? Training must include:

+ Handling Data the Business Feels is Sensitive.

+ Password Security and Using 2FA.

+ Reporting Security Incidents.

+ Responding To Security Incidents.

+ Social Engineering.

+ Updating Devices.

13. Has your organisation a tried and tested plan to continue to operate without IT services?

14. Have you checked whether the security controls of your business partners or any web services you employ is

+ Adequate for your needs.

+ Built into service level agreements or contractual agreements.

+ Meet GDPR standards.

15. Are IT systems and employee devices wiped of business data if the device is to be repurposed or recycled?

Threshold:

Less than 11 points indicates that your security posture may be flawed and your business at risk.

Please refer to some of our other articles for plenty of top tips and security advice!

For businesses over 30 employees

1. Does the organisation use a Risk Management Framework? For example:

+ ISACA Risk IT Framework.

+ ISO 31010:2009.

+ NIST RMF.

+ OCTAVE.

2. Does the organisation use a cyber security framework? For example:

+ CSA CMM.

+ Cyber Essentials.

+ Cyber Essentials Plus.

+ ISO 27001:2017.

+ NIST SP 800-53 r5.

+ PCI DSS.

3. Does the organisation use a widely recognised Incident Response Framework such as:

+ CERT.

+ ISO 27035-2.

+ NIST SP 800-61.

+ SANS INSTITUTE.

4. Does the organisation procure or develop IT products using industry standard evaluation criteria such as:

+ Common Criteria.

+ ITSEC.

+ Software Capability Maturity Model.

Conclusion

Sometimes, it is the smallest of problems that completely undermine your security. Employing one or more industry standard frameworks, should be an aspirational target for all of us. A framework will help any organisation – no matter its size:

Determine business goals
Determine which assets (hardware, software, data, processing & infrastructure) supports these business goals
Determine what controls and processes should be put in place to reduce the level of risk to these assets to an acceptable level.
Determine how these controls and processes will be monitored and managed moving forward.
Determine how the business should respond to a security incident to keep the show on the road, recover services and protect reputation, market position and profitability.

Ultimately, each framework will help the organisation to demonstrate due care and diligence when it comes to regulatory compliance and protecting the sensitive data it handles.