Cyber Security Risk Assessments

IT Governance: Cyber Security Risk Assessments
10 Steps to Cyber Security

Cyber crime facts that should scare you:

FACT 1: In 2011, UK organisations suffered 44 million cyber attacks, causing damage of between £18bn and £27bn. 80% of these attacks could have been prevented.
FACT 2: In 2012, 87% of small firms and 93% of large firms in the UK experienced a cyber security breach.
FACT 3: The average cost of a cyber security breach for a small firm is between £35k and £65k.
FACT 4: More than 70% of investors are interested in reviewing public company cyber security practices. Almost 80% would likely NOT consider investing in a company with a history of attacks.

So, how do you protect your business? Follow the UK's Cyber Security 10 Step Framework: 10 risk areas to help you assess your cyber security strengths and weaknesses.

1. Board-led Information Risk Management Regime
Ask yourself:
- Do you have an effective risk governance structure in which your risk appetite and selected controls are aligned?
- Do you have appropriate information risk policies and adequate cyber insurance?
12% of the worst security breaches were partly caused by senior management giving insufficient priority to security. 26% of boards have not been briefed on any security risks in the last year (and 19% have never been briefed).

2. Secure Home and Mobile Working
Ask yourself:
- Do you have a mobile and home-working policy that staff have been trained to follow?
- Do you have a secure baseline device build in place?
- Are you protecting data both in transit and at rest?
8% of large and 33% of small organisations haven't taken any steps to mitigate the risks associated with staff using smartphones or tablets.

3. User Education and Awareness
Ask yourself:
- Do you have Acceptable Use policies covering staff use of systems and equipment?
- Do you have a relevant staff training programme?
- Do you have a method of maintaining user awareness of cyber risks?
54% of organisations see their own staff and contractors as a greater threat to data security and computer systems than outside attack. 42% of large organisations don't provide any ongoing security awareness training to their staff (and 10% don't even brief staff at induction).

4. User Privilege Management
Ask yourself:
- Do you have clear account management processes, with a strong password policy and a limited number of privileged accounts?
- Do you monitor user activity, and control access to activity and audit logs?
36% of the worst security breaches in the year were caused by inadvertent human error, and 10% by deliberate misuse of systems by staff.

5. Removable Media Controls
Ask yourself:
- Do you have a policy controlling mobile and removable computer media?
- Are all sensitive devices appropriately encrypted?
- Do you scan for malware before allowing connections to your systems?
Only 50% of large and 29% of small organisations have implemented mobile device management. Only 23% of large organisations have trained staff on the threats associated with mobile devices.

6. Activity Monitoring
Ask yourself:
- Do you have a monitoring strategy?
- Do you continuously monitor activity on ICT systems and networks, including for rogue wireless access points?
- Do you analyse network logs in real time, looking for evidence of mounting attacks?
- Do you continuously scan for new technical vulnerabilities?
85% of breaches took weeks to discover. 20% of organisations are unsure whether or not their organisation has been attacked.

7. Secure Configurations
Ask yourself:
- Do you have a technical vulnerability patching programme in place, and is it up to date?
- Do you maintain a secure configuration for all ICT devices?
- Do you have an asset inventory of authorised devices, and do you have a defined baseline build for all devices?
79% of hacked organisations were victims of opportunistic attacks. 96% of attacks were not highly difficult.

8. Malware Protection
Ask yourself:
- Do you have an appropriate anti-malware policy and practices that are effective against likely threats?
- Do you continuously scan the network and attachments for malware?
41% of small and 47% of large businesses suffered a data breach as a result of infection by viruses or malicious software. 28% of virus infections or disruptive software have had a serious impact.

9. Network Security
Ask yourself:
- Do you protect your networks against internal and external attacks with firewalls and penetration testing?
- Do you filter out unauthorised or malicious content?
- Do you monitor and test security controls?
98% of breaches involved external agents. 81% of breaches involved hacking.

10. Incident Management
Ask yourself:
- Do you have an incident response and disaster recovery plan?
- Is it tested for readily identifiable compromise scenarios?
- Do you have an incident forensic capability, and do you know how to report cyber incidents?
76% of small and 91% of large organisations had a malicious security incident in 2012. 92% of incidents were discovered by third parties.

Protect your business from cyber attacks: IT Governance Cyber Security Consultants can carry out a robust assessment of your performance in each of these 10 areas, providing a tailored, immediately usable action plan. Call us on 0845 070 1750 or email us at [email protected].

Sources: Information Security Breaches Survey 2013; NAO Landscape Review 2013; Verizon 2012 Data Breach Investigations Report.

IT Governance Group Global Headquarters: IT Governance Ltd, Unit 3, Clive Court, Bartholomew's Walk, Cambridgeshire Business Park, Ely, CB7 4EA, United Kingdom. © IT Governance Ltd.

shared by StellaEstela on Sep 10
10 Steps that can help your business to be protected from cyber crime. In 2011, UK organizations suffered 44 million cyber attacks that could have been avoided if they had followed the UK Cyber Security 10 Step Framework.


Estela Gaspar