Recent Cyber breaches and attacks have proven that Cyber Security is a real and present danger to most companies. Information Technology’s role in Business and organisations has changed significantly in the last 10 years.
Companies rely on Information Technology (IT) to be able to conduct business, render services and to manufacture products.
Even traditional Non-IT reliant companies (mining, Manufacturing etc) are increasingly connecting Operational Technology (OT) networks to their IT Networks and thereby exposing SCADA (Supervisory Control And Data Acquisition) and other manufacturing systems to the risks associated with Cyber threats.
The 2018 Allianz risk Barometer shows that the biggest risk currently facing companies is Cyber-Security/Cybercrime and Business interruptions. In another study conducted by Ernest & Young in 2018 it perfectly illustrates the increased risk faced by Mining companies from Cyber threats.
So how do companies who sometimes not even have a full time CIO, go about tackling the Cyber Security Problem?
They usually rely on IT vendors and outsource partners to supply off-the-shelf software and hardware solutions (firewalls and endpoint security solutions), which might not adequately address the risk and still leave the company vulnerable.
The King IV code, principle 12, places the responsibility for Information security with the Board/Governing body, including mitigation of Technology and Information risks faced by the organisation.
An organisational information security review would give the Board of Directors adequate information about the Information risks the company face, the impact should these risks not be addressed as well providing a roadmap for implementing a Cyber Security program and capability.
So why Choose a Cyber/Information Security review over a Security Audit or a Penetration test?
None of the options to address the Information/Cyber Risks, other than a Organisational Security Review, is fit for purpose. Buying software seems like the easiest solution, but software alone won’t ensure Cyber security, and would most likely take time to customise, would need a time period to test, and then it should be correctly installed and updated.
A Penetration test (or Pentest) is a very technical and expensive exercise, where a security expert tries to hack into your system, this a very thorough and specialised service, which uses 100’s of very expensive resource hours.
A Pentest for a company who is only starting to address the security risks, this approach is like using a baseball bat to swat a fly, it will work, but is the cost worth it?
A security Audit, normally conducted by a Financial Audit Company, measures a company’s security practices and Governance structures in relation to a specific Security Standard.
The auditor check and verifies if the company is compliant with statutory regulations and the chosen security standard the company has implemented.
For a company wanting to establish an Information security function, they might not have enough Policies, procedures and other controls in place to justify a Security Audit.
None of the options mentioned until now will provide the executive management team or IT operations with a good baseline understanding of their cyber risk with a roadmap on how to cost effectively start addressing key concerns.
An Organisational Security review will be able to identify the major information and Cyber risks a company has, by incorporating a hybrid approach of vulnerability testing, reviewing the Policies and procedures, evaluating the current Cyber Security readiness, and then to perform a Gap analysis to determine the best, most cost-effective Cyber Security solutions available for the company.
CS-IT believes in the Pareto Principle, that 80% of your Risk can be mitigated by addressing the top 20% of the causes.
Cyber Security solutions should be tailored to each company according to their own needs, risk appetite and budget.