Assessing cyber security risk: 10 questions organizations should be asking
Organizations today are wrestling with the difficult challenge of encouraging employees to innovate with data, while simultaneously managing the tricky security conundrum this can create. The same organizations are faced with the even bigger challenge of understanding and assessing the potential business interruption introduced by dozens of new potential threats that didn’t exist five or even 10 years ago.
Here are 10 questions organizations should be considering when assessing their risk in today’s cyber security landscape.
1. How Much Data Has an Organization Got, and What Type of Data Is It?
Many organizations that actively collect data don’t know what they’ve got or why they’ve got it, which is a dangerous situation to be in. So organizations need to be asking: is this business in the data collection business or not?
Case in point: many large retail organizations that have been collecting credit card-related data for years have recently begun outsourcing their credit card processing in a way that means credit card data never touches their own network. This reduces the liabilities associated with credit card data while lowering risk.
2. What is the Security Culture?
Security culture is quite complex and pervades every element of a business. It’s definitely not just an IT issue or a function of your security department. It’s contractual and a function of purchasing and legal, and it starts at board level as well. What does the tone from the top look like when it comes to promoting a solid security culture?
3. What About Staff and Third-Party Contracts?
If you’re looking at your own organization and trying to understand its approach to security, the people that you employ are very important. Companies that don’t think about this structural and cultural element of a business are more frequently the victims of attack.
Human error accounts for a huge amount of vulnerability, and it’s not necessarily your own people. Often, organizations find themselves in a weak position because their software providers cannot patch systems that run an older operating system or some form of custom software.
4. Does the Organization Have a CIO, CDO and CSO?
If an organization has senior people in these roles, it may be in a better position to make informed decisions surrounding data. Not every company can afford a chief security officer, but we’re starting to see more third party outsourced CSOs and security monitoring services, especially amongst small and mid-sized organizations.
5. How Long Has the Organization Been Around?
Age and size are important criteria when it comes to security. Younger organizations are more likely to have grown up with security-conscious workers, and are more likely to secure data in the cloud. Age and size need not be a problem if an organization is serious about investing in security, robust infrastructure and training.
6. How Many Systems Does the Company Have?
Similarly to the point above, bigger or older organizations are likely to have more assets and less certainty about exactly how many they have. This is a major concern, as it only takes one vulnerable asset for malware to be introduced.
It’s also critical to drill down further and look at whether an organization has systems that were built in isolation from one another. When an organization does not take a global approach to building its systems, it may be more vulnerable to threats.
7. Attitudes and Approaches to Security IT
Today, organizations should be very interested in understanding what percentage of revenue they spend on security-related IT. It’s useful to watch whether that percentage goes up or down in order to gauge how committed the company really is to security.
8. Are Products Secure?
It’s also useful to watch whether an organization is building security into the products it is creating. It’s understandable that companies want to get new products out to market quickly, but if they are not being built with security in mind, this is a real concern.
9. How is Outsourcing Handled?
Outsourcing is not a bad thing - it’s a fact of life. It is how a company manages its outsourcing relationships and its third parties’ access to its infrastructure that helps in assessing its vulnerability. Organizations should try to find ways to look at the ripple effect and the inherited risk from all third parties and their respective third parties.
10. The Infrastructure-to-Employee Ratio
In terms of large businesses, it’s also useful to apply an ‘infrastructure-to-employee ratio,’ which looks at the business from an asset perspective, investigating how a company invests in technology in line with the number of employees it has. If a business has a large number of employees but also invests significantly and regularly in its infrastructure, this is a positive sign.
Cyber risk can no longer be considered just an IT problem. When assessing the immediate financial loss that might result from suffering some form of business interruption event, organizations are moving beyond IT and considering whether they have a proactive security culture, and whether they have put the right people in place to understand data and how best to keep it safe. It’s also about looking at the people within, the outsourced agreements and how these are managed.