What is the Right Amount of Cybersecurity?

Most companies are unaware that their level of cybersecurity is not adequate. In fact, given the rate at which cyber threats are evolving, organizations should be evaluating their cybersecurity practices annually.

How do you know your organization has the right level of Cybersecurity in place?  We can help.

Information security touches all aspects of the business environment. Strong information security enables trusted digital relationships with customers, vendors, partners, employees and regulators. Weak information security means your valuable information assets are not protected from hackers and other adversaries. You could be susceptible to:

  1. System or network breach, including ransomware;
  2. Data exposure to unauthorised parties;
  3. Loss of trust with customers;
  4. Sanctions from regulators;
  5. Damage to reputation; and
  6. Financial loss.

One in five businesses has been affected by cyber threats.

Almost half of those attacks were linked to large businesses, 29 per cent to medium-sized companies and 18 per cent to small businesses. It can happen to you!

Source: Statistics Canada

Security relates to the protection of valuable assets against loss, misuse, disclosure or damage.  In this context, “valuable assets” are the information recorded on, processed by, stored in, shared by, transmitted or retrieved from an electronic medium.

The information must be protected against harm from threats that exploit different types of vulnerabilities, leading to loss, inaccessibility, alteration, or wrongful disclosure. Threats include errors and omissions, fraud, accidents, and intentional damage. To protect the information from these threats, you need a layered series of technological and non-technological safeguards such as physical security measures, background checks, user identifiers, passwords, smart cards, biometrics and firewalls. These safeguards should address both threats and vulnerabilities in a balanced manner.

The objective of information security is “protecting the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity”.  While emerging definitions are adding concepts like information usefulness and possession – the latter to cope with theft, deception, and fraud – the networked economy certainly has added the need for trust and accountability in electronic transactions such that for most organizations, the security objective is met when:

  1. Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from failures (availability);
  2. Information is observed by or disclosed to only those who have a right to know (confidentiality);
  3. Information is protected against unauthorized modification (integrity);
  4. Business transactions as well as information exchanges between enterprise locations or with partners can be trusted (authenticity and non-repudiation).

From:  ‘Information Security Governance: Guidance for Boards of Directors and Executive Management’ (IT Governance Institute)


Are you doing enough to manage your Cyber Risk?

So how do you know if you are doing enough to manage your cyber risk to a reasonable level? This is not an easy question to answer without a bit of unpacking. The three important factors for you to ask yourself are:

How important are our information and technology assets to our business success?

What cyber threats, intentional or not, are relevant to us and could cause major damage?


Your cybersecurity posture can be a complex network of controls and security systems put in place to keep your assets safe and secure. We can help you understand your existing cybersecurity posture within the context of your business strategy and priorities so that you can build a more robust cybersecurity system. The first step is to appraise your current systems. A cybersecurity risk assessment tool can get you started.


Which Cybersecurity Risk Assessment is right for you?

The depth of a cybersecurity risk assessment should match the size and complexity of your business and systems.

For many small to medium organizations with less formal processes and controls, Welch offers an easy-to-complete cybersecurity self-assessment based on the well-known NIST Cybersecurity Framework and the Center for Internet Security (CIS) Critical Security Controls. This cybersecurity assessment is user friendly, asks questions in easy-to-understand language, and usually takes less than twelve hours to complete. We will support you throughout this self-assessment by helping you plan the assessment, interpret the questions, and review your findings and recommendations. We will work with you from beginning to end, so you can begin to make improvements based on the cyber risks that matter to you.

If you have a larger, more complex business and technology environment, Welch provides cybersecurity evaluation, audit, testing, and roadmap development advisory services that we will customise to your specific business, risk and compliance concerns and requirements.


What will you get out of a Cybersecurity Risk Assessment?

You get a big-picture understanding of your cybersecurity in the context of your business priorities, from which you can determine where you need to make improvements to avoid risks.

Get Started with the Cybersecurity Risk Assessment

Simple Assessment

Do you have a small to medium organization with less formal processes and controls?

Complex Assessment

Do you have a larger organization with more complex business processes and controls?