Cybersecurity affects companies of all sizes in all sectors. Threats are serious and evolving, and legal and regulatory requirements are growing. The damage businesses face means IT security is too big to ignore.
If you are already working with an IT security provider, that is just the beginning. Regular communication with your provider on cybersecurity is critical to protect your company's interests and to ensure accountability.
IT security is the same as any other outsourced service. If you use an accountant, you still check your bank balance. So just because you have an IT security provider, you must still take an interest in your own security.
You may be thinking "I wouldn't begin to know what to ask". That is why we have put together these 10 questions to ask your IT security provider.
What are the top risks my business faces?
According to Gartner, by 2020 30% of Global 2000 companies will have been directly compromised by an independent group of cyber activists or cyber criminals.
Your business needs to prioritise the real risks by identifying security gaps and the impact they could have on the business, and then assign the budget to manage those risks accordingly. Ask your provider for a ranked list: which assets matter most, which threats are most likely to hit them, and what the consequence of each would be.
You should also ask your IT security provider whether they have a solid understanding of the legal, regulatory and contractual requirements that apply to your business, since these shape both the risks and the controls you are obliged to have.
Are you testing our systems before there’s a problem?
There are many tests that can assess the vulnerability of systems, networks and applications. An important element of any security regime is regular penetration testing.
Pen tests are simulated attacks on a computer system, conducted with an agreed scope and rules of engagement, with the intent of finding security weaknesses that could be exploited. They help establish whether critical processes, such as patching and configuration management, have actually been followed, rather than merely documented. Ask to see the findings, the severity ratings and the evidence that each finding was fixed and retested.
Many companies fail to conduct regular penetration tests, falsely assuming they are safe. New vulnerabilities and threats arise daily, so companies need to test their defences continually, and in particular after significant changes to systems or applications.
Are you conducting regular IT security risk assessments?
A risk assessment should give your business assurance that all relevant risks have been taken into account. It should also establish a commonly defined and understood means of communicating the results and acting on them, so that everyone agrees on what "high risk" means and who owns each risk.
Without determining the risk associated with each vulnerability, your business could misalign its security efforts and resources. This wastes time and money and extends the window of opportunity for criminals to exploit the vulnerabilities that actually matter.
Advanced security operations teams use threat intelligence to understand potential threat actors’ capabilities and current activities and plans, and to anticipate current and future threats.
How do we demonstrate our cybersecurity compliance?
An audit can support your business's need to understand the effectiveness of its cybersecurity. If an organisation has chosen to comply with an information security standard such as ISO 27001, an independent review of its information security controls can be conducted by a certification body.
This can then be used as a competitive advantage when bidding for new business, as is the case with companies certified to ISO 27001.
Certifications can also provide compelling evidence that a business has exercised due care in protecting its information assets.
Do you offer an effective IT security awareness programme?
A large number of breaches are caused by employee error or negligence. The GSIS survey reveals that employees are responsible for 27% of all cybersecurity incidents.
Social engineering remains a common tactic: criminals break into a network not by defeating technical controls but by exploiting vulnerable or uninformed employees, for example through phishing emails or phone calls impersonating IT support.
The importance of an effective staff awareness programme cannot be overstated. Research shows that traditional awareness measures can be greatly enhanced by a multi-faceted security programme that creates a lasting culture change and tackles persistent incorrect employee behaviours. Ask your provider how the programme is measured, for instance through simulated phishing results over time, rather than whether training merely took place.
In the event of a data breach, what is your response plan?
Cybersecurity experts agree that it is no longer a matter of "if" but "when" you will be breached.
The critical difference between businesses that survive a data breach and those that do not is a cyber resilience strategy: incident response planning, business continuity and disaster recovery strategies that let the business bounce back from a cyber attack with minimal disruption. Ask your provider who is called first, how a breach is contained, how evidence is preserved, and who decides when to notify customers and regulators.
The board should also be aware of the laws governing its duties to disclose a data breach. The NIS Directive and the GDPR are both examples of legislation that introduce corporate breach notification obligations, with deadlines measured in days, so the notification process must be decided before an incident, not during one.
Do we comply with leading IT security standards?
Examples include the leading international information security management standard, ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS) and the Cyber Essentials scheme (which the UK government estimates protects against around 80% of common cyber attacks).
Certifying to leading international standards such as ISO 27001 means that a company employs proven best practice in cybersecurity and takes a holistic approach that covers not only technology but also the risks related to people and processes.
A business may also opt for independent certification to verify that the controls it has implemented are working as intended.
Is our IT security budget being spent appropriately?
Setting an IT security budget is not just about having more money to buy more technology to patch cybersecurity holes. The key is to take a strategic approach to budget allocation in order to make a real difference to the company's information security posture.
Increased security does not translate into increased technology. Technology alone will not protect your business from the ever-present threat; people and processes need funding too.
Businesses need to safeguard their ongoing security status by prioritising the steps that keep them compliant with current legislation and by prioritising both the prevention of attacks and the response to them. Ask your provider to map spend against the risks identified in the risk assessment, so that the largest risks receive the largest share.
Do we have visibility into the network?
Poor visibility of network behaviour can wreak havoc in an organisation. The IBM Cost of Data Breach Study 2017 revealed that the mean time to identify a data breach is 191 days.
Many administrators do not have deep enough access to the network and security intelligence they need to have an accurate picture of what is really going on, and lack the tools to quickly identify, interpret and act on threats. Ask your provider which logs are collected, how long they are retained, and how an alert becomes an investigation.
IT and security teams should be empowered to maintain clear and continual visibility over the network.
When did you last test our recovery procedures?
Ponemon Institute’s 2017 Cost of Data Breach Study: Impact of Business Continuity Management revealed that business continuity programmes significantly reduced the time to identify and contain data breaches.
Effective business continuity management (BCM) helped save companies 43 days in the identification of a breach and 35 days in containing it.
BCM and disaster recovery plans must be regularly tested to establish whether the business can recover rapidly following an attack. Some of the "what if" thinking should cover how vulnerable the fallback options themselves are to cyber attack.
For example, a malicious assault on your data may not be detected for some time, so the backups taken during that period may contain the compromised data, and an attacker who has reached the backup system may have altered, encrypted or deleted the backups themselves. Ask when a full restore was last performed from a backup, how backup integrity is checked before restoring, and whether an offline or immutable copy is kept that the attacker cannot reach.
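The point above, that a backup may itself have been tampered with before anyone notices, is something a recovery drill can check mechanically. The following is an added example, not code from the original article or from any provider it mentions: at backup time it records a SHA-256 digest of every file and seals the list with an HMAC, and at restore time it verifies the seal and every file before the restore proceeds. The backup set, the key and the tampering scenarios are all constructed for illustration; the assumption is that the HMAC key is held on the restore host or in a vault rather than alongside the backups, so an attacker who can rewrite the backups cannot re-sign the manifest.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample "backup set": path -> file bytes. In a real drill these
# would be read back from the backup medium or restore target.
BACKUP_SET = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'alice');\n",
    "config/app.yaml": b"db_host: db.internal\nretention_days: 200\n",
    "web/index.html": b"<html><body>hello</body></html>\n",
}

# Assumption: this key lives on the restore host / in a vault, NOT on the
# backup target, so whoever can rewrite backups cannot forge the manifest seal.
MANIFEST_KEY = b"example-manifest-key-keep-off-the-backup-host"


def file_digest(data: bytes) -> str:
    """SHA-256 of one file's contents, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes], key: bytes) -> dict:
    """Record a digest per file and seal the whole list with HMAC-SHA256."""
    entries = {name: file_digest(data) for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(files: Dict[str, bytes], manifest: dict, key: bytes) -> Tuple[bool, List[str]]:
    """Return (ok, problems). The seal is checked first: if the manifest itself
    was altered, none of its per-file digests can be trusted."""
    problems: List[str] = []
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        problems.append("manifest MAC mismatch: manifest was altered or signed with another key")
        return False, problems
    for name, digest in manifest["entries"].items():
        if name not in files:
            problems.append(f"missing from backup: {name}")
        elif file_digest(files[name]) != digest:
            problems.append(f"content changed since backup: {name}")
    for name in files:
        if name not in manifest["entries"]:
            problems.append(f"unexpected extra file in backup: {name}")
    return not problems, problems


def demo() -> dict:
    """Run the restore-time check against a clean copy and three constructed
    tampering scenarios, returning every verdict so they can be inspected."""
    manifest = build_manifest(BACKUP_SET, MANIFEST_KEY)
    clean_ok, clean_problems = verify_backup(BACKUP_SET, manifest, MANIFEST_KEY)

    # Scenario 1: a file in the backup was swapped after the manifest was written.
    tampered = dict(BACKUP_SET)
    tampered["config/app.yaml"] = b"db_host: attacker.example\n"
    tampered_ok, tampered_problems = verify_backup(tampered, manifest, MANIFEST_KEY)

    # Scenario 2: the attacker also rewrote the manifest to match, but without the key.
    forged = build_manifest(tampered, b"wrong-key")
    forged_ok, forged_problems = verify_backup(tampered, forged, MANIFEST_KEY)

    # Scenario 3: a file was deleted from the backup set.
    deleted = {k: v for k, v in BACKUP_SET.items() if k != "db/customers.sql"}
    deleted_ok, deleted_problems = verify_backup(deleted, manifest, MANIFEST_KEY)

    return {
        "clean_ok": clean_ok, "clean_problems": clean_problems,
        "tampered_ok": tampered_ok, "tampered_problems": tampered_problems,
        "forged_ok": forged_ok, "forged_problems": forged_problems,
        "deleted_ok": deleted_ok, "deleted_problems": deleted_problems,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats belong with this check. It proves only that the backup is the one that was written, not that what was written was clean: data copied after the intruder arrived will verify perfectly, which is why retention must be longer than the expected dwell time (the 191-day figure above is a reasonable yardstick) and why the oldest retained copy should be part of the restore drill. And a plain list of hashes without the keyed seal gives no protection, because an attacker who can alter the files can alter the list to match; the key must live somewhere the backup system cannot reach.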
Outsourcing your IT security is a good way to protect your company. However, as with any outsourcing, it is vital that you pick the right company and that you stay up to date with your own security.
Take these questions to your IT security provider. If they cannot answer them all, or you do not like the answers you get, it is time to move to a new provider.