Completing a frequent risk assessment is critical to any cyber security policy. To help you get started, here are the steps we follow:
What information assets are critical to your business?
What kinds of risk could they be exposed to?
What legal and compliance requirements is your business subject to?
How would you continue to do business if you were attacked?
How can you manage these risks on an ongoing basis?
Have you put in place the right security controls to protect your equipment, information, IT system and outsourced IT services?
Do your staff know what their responsibilities are? Do they know what good practice looks like?
If you are attacked or something goes wrong, how will you deal with it and get back to business? Who will you turn to for help?
Are you reviewing and testing the effectiveness of your controls?
Are you monitoring and acting on the information you receive from them?
Do you know what the latest threats are?
Are you a target?
Consider whether your business could be a target; this will indicate the level of risk your business is exposed to. Ask around to see whether any of your suppliers, major customers or similar businesses in your area have been attacked, so you can learn from their experiences. This is often difficult, as there is a counterproductive culture in security that encourages organisations to hide what has happened and the experience and knowledge gained as a result; to tackle this, it is best to take a positive, open-minded and collaborative tone in your approach.
Know whether you need to comply with personal data protection legislation and Payment Card Industry requirements.
Think GDPR and PCI. If you could face a significant fine or other consequence as a result of a breach, you should be familiar with this and with your obligations under any legislation or compliance framework.
Identify the financial and information assets that are critical to your business, and the IT services you rely on.
Knowing what is at risk is crucial. What data, software and services do you rely upon? What is their value to your organisation, and how would their loss affect you, your clients and your suppliers? Think criminal activity: reputation damage, fraud, embezzlement, espionage and bribery.
Assess all your IT equipment including mobile and personal IT devices.
Assess all the IT equipment within your business, including mobile and personal IT devices. Understand the risks to all of these things by considering how they are currently managed and stored, and who has access to them.
What level of password protection do you have in place?
Assess the level of password protection required to access your equipment and/or online services by your staff, third parties and customers, and whether it is enough to protect them.
Are your staff appropriately aware? Does everyone understand their role in keeping the business secure?
Ensure that your staff have appropriate awareness training, so that everyone understands their role in keeping the business secure. Cyber security isn’t limited to systems and software; any user can be the victim of exploitation or external pressure and should be aware of the risks. Decide whether you need to make an investment, or seek expert advice, to get the right security controls in place for your business.
Seek advice from accredited security consultants.
Consider who you could turn to for support if you are attacked, or if your online services are disrupted in some way. Define what your recovery procedures would be, and how you could keep your business running, particularly if you trade online.
Consider who you could turn to for support if you are attacked and define what your recovery procedures would be, and how you could keep your business running.
It's important to have confidence in the support you have in place, in your processes and procedures for recovery, and in what you would do to continue operating while the attack is dealt with and systems are checked, recovered and brought back.
You may like to consider whether cyber insurance could protect your business against any impacts resulting from a cyber attack.