Cyber Security: Take the self-assessment – Results

You have scored <33% 

You scored less than 33%.

Perhaps you underestimate the cyber security risks you face or think you don’t have the budget to implement appropriate measures. Don’t worry: you can implement effective cyber security whatever your budget or level of technical knowledge. 

You have scored between 33% and 66% 

You scored between 33% and 66%.

You’ve clearly implemented some measures to address the cyber security risks you face, but could be doing a lot more. 

You have scored >66% 

You scored more than 66%.

You clearly take cyber risks seriously, but you could improve the maturity of your cyber security posture so that cyber security is fully embedded in your organisation. 

Find out more about the measures you should be taking to reduce the risk of IT failures, cyber security incidents and data breaches:

1. To what extent has your organisation implemented malware protection?

Malware (malicious software) is a broad term used to describe any file or program intended to harm a computer – whether by stealing your data, encrypting your files, spying on your activity or taking control of core functionality.

To minimise the risk of malware, your organisation should:

  • Keep software up to date, with signature files updated at least daily;
  • Configure software to scan files automatically upon access. This includes when files are downloaded and opened, and when they are accessed from a network folder;
  • Ensure software scans web pages automatically when they are accessed through a web browser; and
  • Ensure software prevents connections to malicious websites.

2. Has your organisation ever scanned its systems for vulnerabilities? 

The majority of cyber attacks are automated and indiscriminate, looking to exploit common network and software vulnerabilities – such as insecure operating systems and network architecture, coding errors, or software responding to requests in unintended ways – rather than specific websites or organisations. Identifying those vulnerabilities allows you to close the gaps that cyber criminals could otherwise take advantage of to get a foothold in your systems. 

3. Does your organisation ever carry out patch management? 

Once vulnerabilities are made public, cyber criminals will try to exploit them. If you don’t update to the latest versions of software or apply patches as they are released, any security weaknesses in your systems will remain exploitable. 

Similarly, if you’re using outdated software that’s no longer supported by its vendor, security flaws will not be addressed. A patch management programme will ensure the timely testing and installation of updates and help make sure that, by using the latest versions, you are less vulnerable to attack. 

4. Do your staff regularly receive security awareness training? 

Malware is often spread by drive-by downloads or phishing campaigns, which masquerade as legitimate communications from trusted senders but contain links to malicious sites or have infected attachments that drop malware. 

As technological security practices improve, people remain the weakest part of any system. (After all, it’s far easier for a cyber criminal to induce you to give them access to your system than it is for them to hack it.) 

Regular staff awareness training will help your security practices become embedded in the working practices of the whole organisation, thereby reducing your risk of attack.  

5. Is your security team competent and properly trained? 

Without the internal resources necessary to secure their networks, many organisations find themselves struggling to cope with the ever-evolving threat landscape. 

However, the demand for appropriately qualified security personnel far outstrips supply: according to a 2018 (ISC)² study, there is a worldwide shortage of 2.93 million cyber security professionals. 

This is why it is so essential to train your security team. Understanding cyber threats is not enough; organisations need qualified and experienced staff to implement and deploy effective security measures – and who better than your existing team? 

6. How often does your organisation carry out security monitoring?

The speed at which you identify and mitigate security incidents makes a significant difference in controlling your risks, costs and exposure, so analysing network activity to identify suspicious behaviour – such as unauthorised system changes – should be part of your everyday activities.

Automated detection will allow you to take corrective action against threats at the earliest opportunity and monitor the ongoing effectiveness of the security controls you have in place.
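As an added illustration of the automated detection described above (this is not code from the original page or from the assessment's vendor), the following Python script is a minimal file-integrity check: it baselines a directory tree by hashing each file and recording its permission bits, then reports files that were added, removed or modified since the stored baseline. The directory layout, file contents and the three changes made in `demo()` are constructed sample data.

```python
"""Minimal file-integrity monitor: baseline a directory tree, then report
files that were added, removed or modified (content, size or permission bits).
Added example for this page; not the page vendor's code."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash,
    permission bits and size. Symlinks are skipped so that a link pointing
    outside the tree cannot stand in for a file inside it."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines. A file is 'modified' if its hash, mode or size changed."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in common if old[k] != new[k]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario (sample data, not a real system): baseline a small
    tree, make three changes of the kind a monitor should surface, and return
    what the comparison finds."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        snapshot = Path(store) / "baseline.json"  # kept outside the monitored tree

        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin" / "tool").write_bytes(b"placeholder binary")
        save_baseline(build_baseline(root), snapshot)

        # 1. content change to an existing file
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nsvc:x:1001:1001::/srv:/bin/sh\n"
        )
        # 2. file removed
        (root / "bin" / "tool").unlink()
        # 3. new file appears in a new directory
        (root / "tmp").mkdir()
        (root / "tmp" / "dropped.sh").write_text("#!/bin/sh\n")

        return compare(load_baseline(snapshot), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the stored baseline must itself be protected (kept off the monitored host or signed), otherwise anyone who can alter a file can also alter the record it is compared against; scheduling the comparison and feeding its output to whatever alerting you already have is what turns this check into the "automated detection" the section describes.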

7. Have you identified your data breach risks and how a breach would impact your organisation and its data subjects?

Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, organisations that control the processing of personal data – known as data controllers – must report personal data breaches to their supervisory authority if there is likely to be a risk to data subjects’ rights and freedoms. Where feasible, this must be done within 72 hours of becoming aware of the breach. Failure to do so leaves organisations open to the possibility of administrative fines of up to €10 million or 2% of annual global turnover – whichever is greater.

A comprehensive risk assessment will help you identify and assess the risks that are relevant to your organisation and environment, and establish the potential impact of a data breach on both your business and data subjects.

It will also help you implement suitable measures to treat and manage those risks.

By following a proven risk assessment process and framework, you will be able to identify and assess the risks you face, and establish the potential impact of those risks on the confidentiality, integrity and availability of data – as required by the GDPR.

8. Does your organisation have any information security policies in place?

A best-practice information security management system (ISMS) encompasses people, processes and technology, recognising that technological solutions are of little use if staff do not use them properly.

Moreover, such policies are a useful way of demonstrating compliance with the GDPR, whose accountability principle requires data controllers and processors to be able to show that they have taken appropriate technical and organisational measures to address the risks to the personal data they are processing.

9. To what extent has your organisation implemented a comprehensive risk management programme?

Evolving information security threats require an adaptive response, which is why an approach based on regular risk assessments is mandated by so many best-practice frameworks, standards and laws.

An information security risk assessment is designed to provide an accurate snapshot of the threats facing your organisation’s information security at a given point.

This can then inform the design of security controls, meaning the measures you implement are based on the risks you actually face, so you won’t waste time, effort or expense attempting to protect your information from threats that are unlikely to occur or will have little material effect on your business.

10. Do staff know how to escalate a security incident to the appropriate person(s) within your organisation?

It’s essential that all staff are aware of their security responsibilities and report potential attacks as soon as possible. Time is very much of the essence when you suffer a security incident, so you should establish a process for escalating incidents and ensure all staff are trained in how to deal with them.

11. Do you have a systematic, organisation-wide information security programme in place?

Maintaining the confidentiality, integrity and availability of your information assets requires an effective information security programme that covers the whole organisation, such as an ISMS that complies with the international standard ISO 27001.

This is an enterprise-wide approach to information security management that covers people, processes and technology, and is based on regular risk assessments.

12. Is the board committed to information security and does it take an active interest?

Cyber risk is a business risk, not just a technological one.

Everyone in the organisation, from the board downwards, must recognise that information security is their responsibility. Everyone who has access to data must know how to protect it. Everyone who uses the Internet must understand the risks. Everyone must default to security instinctively.

Good security and effective working practices must go hand in hand. This can only be achieved through a security culture – which in turn depends on board-level support and leadership.

13. How often does your organisation carry out internal security audits?

You should not imagine that, once you’ve implemented security policies, trained your staff and introduced technological solutions, your work is done. It is not.

Information security threats are continually evolving; your response must adapt accordingly.

Regular security audits will allow you to determine if the measures you have put in place continue to be appropriate to the risks you face, and that you continue to meet your legal and regulatory obligations.

14. Has your organisation established governance structures and processes to make sure there is appropriate accountability and oversight?

Governance is the key ingredient that binds all the core elements of cyber security and risk management. Without it, executive teams and the board remain uninformed and unaware of their organisation’s risk exposure – despite being held accountable for cyber risk management.

For the vast majority of organisations, it is useful to appoint someone to oversee cyber security matters. You don’t necessarily need a chief information security officer – just someone to take responsibility for the everyday security and compliance matters that your organisation needs to manage.

Accountability is a matter of legal obligation as well as sound business sense. The GDPR requires organisations to be able to demonstrate their compliance. For many organisations, this requires the appointment of a data protection officer – a clearly defined role that reports to the highest management level in the organisation.
