How confident are you in your business's ability to defend against cyberattackers? How confident are you in your business's ability to respond and recover from a cyber attack? These are questions that every business owner needs an answer for in 2021 as cyber threats become ever more prevalent and likely to impact businesses no matter how small or large they may be. A recent governmental study found that 43% of businesses experienced cybersecurity incidents in the last 12 months. Almost all of these attacks could have been prevented if there were fundamental cybersecurity controls and practices in place at these businesses. Given this climate, business owners must begin to ask themselves the questions we asked at the beginning of this article and get a good handle on the current state of their cybersecurity efforts before they become a problem.
If you do not employ any cybersecurity professionals in your business and feel that you would benefit from a reliable second opinion on your cybersecurity efforts, then a cybersecurity health check is what you need. It is exactly what it sounds like: a thorough and conscientious health check of your business from a security perspective, covering your IT infrastructure and overall cybersecurity posture, to see if we can detect the symptoms of any potential security risks. Ultimately, a cybersecurity health check is all about uncovering any potential weak spots in your security before the bad guys find them and take advantage of them. We look at your security processes, technology, and systems, focusing on the basics like patch management and asset inventory, and ensuring your endpoints, servers, applications, and public-facing IT infrastructure are secured according to best practice and the experience gleaned from hundreds of engagements.
Good cybersecurity health checks go deeper than poking around your IT infrastructure; they also take your people into account. Awareness of your cybersecurity health is critical to your business, and any good health check should also include your management's knowledge and awareness of key risk areas, incident response procedures, and risk management processes. They also involve taking a long, hard look at your supply chain and partners, and the access they have to your IT infrastructure and systems. Given the current trend towards supply chain attacks, this is a strong area of interest for businesses right now and is often a place where many businesses fall short. Auditing your entire supply chain from a cybersecurity perspective is an arduous and time-consuming task; a good health check cannot do that for you, but it will take a close look at your supply chain from a risk perspective and provide recommendations for improving supply chain security.
By assessing your people and your partners, as well as your IT infrastructure, we can build up a holistic view of the cyber risks your business faces and how prepared you are for handling those risks. A good health check provider can help you understand your current capability to manage cyber risk across different aspects of your business, including governance and strategy, incident readiness, response and resilience, and cybersecurity training across your team. A phased approach like this helps your business understand the true nature of its threat profile and assess your cybersecurity posture against that threat profile, resulting in a series of practical and actionable recommendations to assist you in improving the overall cybersecurity posture of your business and its ability to deal with cyber risks. The typical deliverables of a comprehensive cybersecurity health check should include a detailed report that compares your current state to cybersecurity best practices like ISO 27001, the CIS 30 security controls, and NCSC guidance; they should also describe your current cyber risk status and provide recommendations for reducing your overall risk footprint.
What Should A Good Health Check Cover?
Any comprehensive cybersecurity health check should include the following at a bare minimum. This rough guide covers the basics that any good cybersecurity practitioner would cover if they were to conduct a health check on your business. This is not an exhaustive list, but it provides a good overview of what to expect.
- Your IT Management & Governance - Ensure that your IT security goals directly align with your overall business objectives, review your security policies, procedures, and staff training, as well as evaluate your security incident response processes.
- Your IT Operations & Monitoring - Identify inadequate backups that can lead to catastrophic data loss in the event of a major incident, conduct testing of your business continuity and disaster recovery planning, and evaluate the effectiveness of your system event logging.
- Your Network Architecture & Administration - Analyze your network design, identifying out-of-date diagrams that can leave network assets unaccounted for and the business exposed to unknown risks, and looking for weaknesses that can allow access to sensitive data.
- Your Physical & Environmental Security - Evaluate the physical and environmental security of your IT environment to guard against theft or damage to resources, assess your environmental controls to protect against potential damage to IT resources (fire, water leaks, and power outages).
- Your System Security & Configuration - Analyze your system configuration and overall system cybersecurity, looking for vulnerabilities to both internal and external cyberattacks as well as employee error. Assess the level of your encryption of data at rest and the potential for the exposure of confidential data to unauthorized third parties.
- Your Systems Maintenance Processes - Evaluate system acquisition processes that can lead to weak controls or increased risk exposure through third parties and assess system retirement controls to prevent unauthorized individuals from accessing sensitive data (for example, hard drives thrown in the trash without being wiped first).
If you want to take a long, hard look at the state of your cybersecurity and begin to rethink the way you deal with it, then a cybersecurity health check is an excellent starting point; it will enable you to highlight the areas that urgently require your attention and form a solid foundation for your business's new and improved cybersecurity program.