Why conducting an organisational cyber-risk and readiness review can save you time, money, frustration
Recent cyber breaches and attacks have proven that cyber security is a real and present danger to most companies.
IT's role in business and organisations has changed significantly in the past 10 years. Companies rely on IT to be able to conduct business, render services and to manufacture products. Even traditional non-IT-reliant companies (mining, manufacturing, etc) are increasingly connecting operational technology (OT) networks to their IT networks and thereby exposing SCADA (Supervisory Control And Data Acquisition) and other manufacturing systems to the risks associated with cyber threats.
The 2018 Allianz Risk Barometer shows the biggest risk currently facing companies is cyber security/cyber crime and business interruptions. Another study conducted by Ernest & Young in 2018 perfectly illustrates the increased risk faced by mining companies from cyber threats.
So, how do companies who sometimes don't even have a full time CIO go about tackling the cyber security problem? They usually rely on IT vendors and outsource partners to supply off-the-shelf software and hardware solutions (firewalls and endpoint security solutions), which might not adequately address the risk and still leave the company vulnerable.
The King IV code, principle 12, places the responsibility for information security with the board/governing body, including mitigation of technology and information risks faced by the organisation. An organisational information security review would give the board of directors adequate information about the information risks the company faces, the impact should these risks not be addressed, as well providing a roadmap for implementing a cyber security program and capability.
So, why choose a cyber/information security review over a security audit or a penetration test?
None of the options to address the information/cyber risks, other than an organisational security review, is fit for purpose. Buying software seems like the easiest solution, but software alone won't ensure cyber security, and would most likely take time to customise, would need a time period to test, and then it should be correctly installed and updated.
A penetration test (or pentest) is a very technical and expensive exercise, where a security expert tries to hack into your system. This a very thorough and specialised service, which uses hundreds of very expensive resource hours. Regarding a pentest for a company that is only starting to address the security risks, this approach is like using a baseball bat to swat a fly; it will work, but is the cost worth it?
A security audit, normally conducted by a financial audit company, measures a company's security practices and governance structures in relation to a specific security standard. The auditor checks and verifies if the company is compliant with statutory regulations and the chosen security standard the company has implemented. For a company wanting to establish an information security function, it might not have enough policies, procedures and other controls in place to justify a security audit. None of the options mentioned until now will provide the executive management team or IT operations with a good baseline understanding of their cyber risk with a roadmap on how to cost-effectively start addressing key concerns.
An organisational security review will be able to identify the major information and cyber risks a company has, by incorporating a hybrid approach of vulnerability testing, reviewing the policies and procedures, evaluating the current cyber security readiness, and then to perform a gap analysis to determine the best, most cost-effective cyber security solutions available for the company.
CS-IT believes in the Pareto Principle, that 80% of your risk can be mitigated by addressing the top 20% of the causes. Cyber security solutions should be tailored to each company according to their own needs, risk appetite and budget. Should you like to know more about our cyber security reviews and roadmaps, please contact us via our Web page, or alternatively you can send me an e-mail at firstname.lastname@example.org.