IT security covers the integrity of computerised business systems, as well as the protection of privacy, sensitive information, and commercial secrets. Few would doubt the need to assess security, nor the problems that can arise from overlooking it. 

However, researchers recently identified that one in three companies had no controls in place to deter hackers. Equally worryingly, more than six in ten cyber attacks (62 percent) singled out small businesses. According to Consultancy UK, computer systems in SMEs are usually more accessible to hackers.

If those alarming statistics illustrate nothing else, it is the importance of cybersecurity. Regardless of the current status of an organisation, it is always worth double-checking that protection is adequate – and, preferably, in line with professional standards.

In a previous blog post entitled 15 Ways To Protect Your Business From A Cyber Attack, we described straightforward, practical steps for SMEs to boost cybersecurity and protect against breaches. Now, in the information and tips below, we show how security assessments can also add value. As well as the salient points, we show how they improve defences and safeguard vital data. If you are an IT decision-maker with responsibility for cybersecurity, read on.

What Could Happen Without Proper Security Measuressection_1

By themselves, anti-virus, firewalls, and encryption techniques do not deliver sufficient protection. With only these dated and somewhat limited measures in place, the stark truth is that computer networks (and, consequently, stored data) will probably be susceptible to security breaches and cyber attacks. What is more, if current trends are anything to go by, it is simply a matter of time until any given business receives unwanted attention from cybercriminals.

Reports of costly data breaches include Equifax, the credit reference agency. In 2017, hackers exploited web vulnerabilities and stole confidential customer details. Similarly, in Australia, a hacker sabotaged Distribute.IT’s web servers, hosting systems, trading network and backups. Although the infiltration lasted only around thirty minutes, the miscreants deleted 4,800 valuable client accounts. Damage to reputation and customer confidence was such that the impaired business had to close within a year.

Notably, small companies are far from immune. Quite the opposite: they are equally or more vulnerable. For most SMEs, the business, financial and regulatory effects of data breaches can be severe. As many as one in six SMEs (16 percent) assess their protection only after incidents. If these sole traders, partnerships, small firms, and growing companies had invested a relatively small amount of time and effort in prevention, the outcome could well have been different.

Perhaps unsurprisingly, more than nine out of ten data breaches involve innocent human error that, unfortunately, has far-reaching consequences. Apart from the loss of privacy, the miscreants, fraudsters, and cyber-criminals involved might perpetrate damage via external and internal network components, as well as guest and remote networks.

Moreover, assessments are not one-off. Periodic reviews should carry the same weight as regular inspections on passenger aircraft, for instance. In short, security assessments are crucial in modern, digital businesses.

How Legislation and Regulations Affect Business IT Securitysection_2

In some cases, third-party assessments are necessary, whereby experts from outside an organisation work with its in-house IT staff to evaluate internal security policies, procedures, and measures. Third-party assessment techniques include reviews and testing. Objectively, the external assessors investigate and establish whether the computer systems comply with legislation and regulatory frameworks.

In all cases, the aim is to mitigate security threats and protect the organisation’s business systems. Checks include applications, patches, and updates to network hardware and infrastructure, including cloud computing. Additionally, preventive measures and security policies should adhere to the terms of the Data Protection Act 2018, which implements the General Data Protection Regulation (GDPR) regime within the UK.

Other international standards include compliance with the Payment Card Industry Data Security Standard (PCI DSS), which applies to companies of any size that accept electronic payments. Specifically, if your business takes debit or credit card payments and either stores, processes or transmits customer cardholder data, you should use a secure hosting service provider that is PCI-compliant.

How IT Professionals Conduct Security Assessmentssection_3

To prevent data breaches and ensure your organisation stays ahead of threats to your company computer systems and data, IT security specialists will pinpoint any gaps in defences. The risk-based assessment looks at firewall performance, updates and patches for relevant system firmware and software, the existence of malware and any other risk that might affect safe operations. The approach is, in essence, to balance the cost of protective measures against the potentially larger financial toll of a data breach.

Essentially, computer security assessments involve checks, tests and evaluation of the following areas:

• Preparedness, taking into account existing policies and measures.
• Vulnerability and threat assessment, including levels of severity.
• Risk assessment of future attack(s) to company systems: an objective evaluation carried out by a specialist team, using procedures based on qualitative and quantitative models.
• Penetration testing, sometimes referred to as a pen test, along with other specialised security tests.
• White box testing, where the analyst has full knowledge of the company systems.
• Grey box testing, where the potential hackers possess only limited information.
• Black box testing by ethical hackers with no prior knowledge of the company system(s).
• Physical security attributes and policies, including access control to premises and computer installations.

An integrated approach will address the risks inherent in network technology, business processes and individual staff members. One straightforward illustration might be the type(s) of network data protocol in use. Dated installations could still be using obsolescent, insecure communication methods such as FTP (File Transfer Protocol), Telnet or SNMP (Simple Network Management Protocol). In contrast, secure, modern-day equivalents such as FTPS, HTTPS or SFTP use stronger encryption and additional authentication.

How Qualitative Severity Rating (QSR) Works

Textual descriptions of risk tend to be subjective. To standardise QSR reporting, consultants often use the Common Vulnerability Scoring System. An open industry standard, the CVSS assigns a grade to the severity of vulnerabilities. Subsequently, the gradings enable prioritisation of responses and resources, per the threat(s) detected.

CVSS Assessment Scale 

In the CVSS, four rankings between low to critical record the assessed severity of security issues:

• Critical. Attacks in the critical category could involve unauthorised access to view, modify or destroy highly confidential information. Attackers may falsify financial transactions, delete data or damage the target system. Consequently, critical attacks tend to have catastrophic effects on confidentiality, integrity and system availability. Probably, financial loss, significant reputation damage and serious legal or compliance-related fines will result. Critical threats, therefore, require immediate attention.
• High. Attackers might gain access and view, modify or destroy business information. Possible problems include false transactions, deleted data and compromised systems. Attacks in the high category could have a significant impact on privacy, integrity and availability and cause financial loss, reputation damage and other effects. Accordingly, an immediate remediation plan is necessary to address the underlying security weaknesses.
• Medium. In the medium category, vulnerabilities often have a noticeable impact. Attacks could involve cybercriminals poring through commercial information or private records and carrying out unauthorised operations – though not usually business-critical ones. As well as possible service downtime, medium-level attacks lead to confidentiality, integrity and availability issues, along with financial loss. A timely remediation plan is recommendable although, at times, business pressures may necessitate other courses of action.
• Low. Low-level threats mean that the possible impact is unlikely to be noticeable. However, security weaknesses do not exist in isolation and could enable wider attacks. Accordingly, low-level vulnerabilities should receive due consideration and, where appropriate, their remedies form part of scheduled improvement programmes.

What Post-Assessment Options Managers Might Consider

On completion of the initial assessment, managers then study the findings and evaluate the measures necessary to resolve or mitigate any issues detected.
Options include:

• Security enhancement.
• Reallocation of existing resources.
• Deployment of additional or new resources.
• Acceptance of the risk based on information about the likely threat(s) and cost of potential measures.
• Project cancellation, in the case of the most potentially severe or costly risks.

How To Stay Up To Date

In today’s ever-changing business landscape, the role and importance of computer security assessments are clear. We invite you to stay up to date and check our upcoming informative blog posts and other events, designed to support Scottish businesses.

Here at Onestop IT in Edinburgh, our team of expert IT consultants specialises in helping SMEs to access enterprise technology solutions. If you are looking for the best practices at an affordable price, contact us today. We support businesses throughout Scotland and will be delighted to discuss your security requirements with you.