24 Jun The Top 5 Questions you Should be Asking about your Cyber Security
In one of our previous articles, we looked at the importance of cyber security in your organisation: the methods cyber attackers use, the fundamentals you should have in place to protect yourself from attack, and what to do in the unfortunate event that you fall victim to one.
In this article, we’ll explore the top 5 questions you should be asking to ensure you have a complete and thorough cyber security posture within your business.
It is important that, while answering these questions, you know that you can be certain of the answer – false assumptions lead to gaps in security and could end up being the cause of a breach. Don’t accept being told that “all is good”; get supporting evidence of the implementation of processes, procedures, education, and verification from those responsible for them.
1. Do we keep a live inventory of our assets?
It’s important to maintain an accurate inventory of both physical and virtual assets. Without this, how do you know what needs to be protected? Your inventory should include, at least:
Hardware and software licences – what purpose each serves, where it is located, and status information such as configuration, age, and version.
Data – you should know what data you have, where it resides (including any backups), how often it is backed up, and how it is used. You should also document who has access to what, and what should happen in the event of a breach.
Keeping your inventory up to date is as important as having one in the first place. Not only will it help you in the event of a cyber attack, it can also help with insurance and, where required, compliance.
2. Are my employees regularly and properly educated about cyber threats?
Cyber threats are ever-evolving. For this reason, it is vital that your staff are regularly and properly educated. It is not enough to hand out information and then test them on their knowledge later.
It’s far more important to teach them why they need to know the information, the consequences of not acting appropriately, and to then randomly test them to see their reactions when faced with a decision which could lead to an attack.
Random testing on its own makes people more careful and less likely to take risks. Tests should be discreet and as realistic as possible, run without any warning, and scheduled at random so that they never become expected and staff do not become complacent.
3. How does our cyber security strategy address business risk?
You should know how the technology in your business is accessed and used, and what the impact of an attack on that technology would be. It is likely that your employees do not fully understand the impact on the business of a major cyber incident.
You need to have the ability to recover from any cyber attack, but it’s also worth investigating if you have the ability to operate during an attack.
It is also important to know the minimum continuity requirements for your organisation, whether you are prepared to meet them, and whether your IT team can prove it.
4. Where are we most vulnerable to attack?
The sad reality is that it is impossible to prevent 100% of attacks. Knowing where you are vulnerable means you can prepare better. Ask your IT team, or IT company, what they know about your vulnerabilities and how they are monitoring them.
5. How quickly can we recover from an attack?
Many organisations do not have a plan for recovering from a major attack. Issues such as minimising downtime, preventing or minimising revenue loss, and managing your customers’ expectations need to be considered before an attack happens.
Your plans must be kept up to date; they should be frequently reviewed and tested to ensure they can be followed.
Ask for evidence of the following:
Incident Response Plans – should include the latest test results and the adjustments made since that test. They should also detail who is responsible for what in the event of an incident. Your plan must have an owner who is responsible for testing it and keeping it up to date.
Disaster Recovery Plans – should detail how you will recover from a catastrophic disaster.
Business Continuity Plans – should detail how your business can continue to operate in the event of a disaster, both during and after it.
Insider Protections – you need to know what protection you have against threats from within your organisation.
If these aren’t documented and only exist in the head of a member of staff or your IT team, then they don’t exist. You need documented policies, and you should ensure that they are understood by your employees, managers, and anyone with a vested interest in your business.
So, why are these questions important?
Cyber security is a critical component for any business. If it isn’t in yours then it should be. Your gut instinct may work for sales, marketing, or other areas of your business, but when it comes to your security you need facts.
If you require any assistance, or would like an audit of your current cyber security practices, do not hesitate to get in contact.
Apogee Solutions – Your Trusted IT Provider
Technology is pivotal to your business and we want you to understand the value it provides when working seamlessly with your operations. Apogee values transparency and simplicity – we provide the IT support you need when you need it.