Get free consultation
Use technology to build the business you deserve
IT security covers the integrity of computerised business systems, as well as the protection of privacy, sensitive information, and commercial secrets. Few would doubt the need to assess security, nor the problems that can arise from overlooking it.
However, researchers recently identified that one in three companies had no controls in place to deter hackers. Equally worryingly, more than six in ten cyber attacks (62 percent) singled out small businesses. According to Consultancy UK, computer systems in SMEs are usually more accessible to hackers.
If those alarming statistics illustrate nothing else, it is the importance of cybersecurity. Regardless of the current status of an organisation, it is always worth double-checking that protection is adequate – and, preferably, in line with professional standards.
In a previous blog post entitled 15 Ways To Protect Your Business From A Cyber Attack, we described straightforward, practical steps for SMEs to boost cybersecurity and protect against breaches. Now, in the information and tips below, we show how security assessments can also add value. As well as the salient points, we show how they improve defences and safeguard vital data. If you are an IT decision-maker with responsibility for cybersecurity, read on.
By themselves, anti-virus, firewalls, and encryption techniques do not deliver sufficient protection. With only these dated and somewhat limited measures in place, the stark truth is that computer networks (and, consequently, stored data) will probably be susceptible to security breaches and cyber attacks. What is more, if current trends are anything to go by, it is simply a matter of time until any given business receives unwanted attention from cybercriminals.
Reports of costly data breaches include Equifax, the credit reference agency. In 2017, hackers exploited web vulnerabilities and stole confidential customer details. Similarly, in Australia, a hacker sabotaged Distribute.IT’s web servers, hosting systems, trading network and backups. Although the infiltration lasted only around thirty minutes, the miscreants deleted 4,800 valuable client accounts. Damage to reputation and customer confidence was such that the impaired business had to close within a year.
Notably, small companies are far from immune. Quite the opposite: they are equally or more vulnerable. For most SMEs, the business, financial and regulatory effects of data breaches can be severe. As many as one in six SMEs (16 percent) assess their protection only after incidents. If these sole traders, partnerships, small firms, and growing companies had invested a relatively small amount of time and effort in prevention, the outcome could well have been different.
Perhaps unsurprisingly, more than nine out of ten data breaches involve innocent human error that, unfortunately, has far-reaching consequences. Apart from the loss of privacy, the miscreants, fraudsters, and cyber-criminals involved might perpetrate damage via external and internal network components, as well as guest and remote networks.
Moreover, assessments are not one-off. Periodic reviews should carry the same weight as regular inspections on passenger aircraft, for instance. In short, security assessments are crucial in modern, digital businesses.
In some cases, third-party assessments are necessary, whereby experts from outside an organisation work with its in-house IT staff to evaluate internal security policies, procedures, and measures. Third-party assessment techniques include reviews and testing. Objectively, the external assessors investigate and establish whether the computer systems comply with legislation and regulatory frameworks.
In all cases, the aim is to mitigate security threats and protect the organisation’s business systems. Checks include applications, patches, and updates to network hardware and infrastructure, including cloud computing. Additionally, preventive measures and security policies should adhere to the terms of the Data Protection Act 2018, which implements the General Data Protection Regulation (GDPR) regime within the UK.
Other international standards include compliance with the Payment Card Industry Data Security Standard (PCI DSS), which applies to companies of any size that accept electronic payments. Specifically, if your business takes debit or credit card payments and either stores, processes or transmits customer cardholder data, you should use a secure hosting service provider that is PCI-compliant.
To prevent data breaches and ensure your organisation stays ahead of threats to your company computer systems and data, IT security specialists will pinpoint any gaps in defences. The risk-based assessment looks at firewall performance, updates and patches for relevant system firmware and software, the existence of malware and any other risk that might affect safe operations. The approach is, in essence, to balance the cost of protective measures against the potentially larger financial toll of a data breach.
Essentially, computer security assessments involve checks, tests and evaluation of the following areas:
An integrated approach will address the risks inherent in network technology, business processes and individual staff members. One straightforward illustration might be the type(s) of network data protocol in use. Dated installations could still be using obsolescent, insecure communication methods such as FTP (File Transfer Protocol), Telnet or SNMP (Simple Network Management Protocol). In contrast, secure, modern-day equivalents such as FTPS, HTTPS or SFTP use stronger encryption and additional authentication.
Textual descriptions of risk tend to be subjective. To standardise QSR reporting, consultants often use the Common Vulnerability Scoring System. An open industry standard, the CVSS assigns a grade to the severity of vulnerabilities. Subsequently, the gradings enable prioritisation of responses and resources, per the threat(s) detected.
CVSS Assessment Scale
In the CVSS, four rankings between low to critical record the assessed severity of security issues:
On completion of the initial assessment, managers then study the findings and evaluate the measures necessary to resolve or mitigate any issues detected.
In today’s ever-changing business landscape, the role and importance of computer security assessments are clear. We invite you to stay up to date and check our upcoming informative blog posts and other events, designed to support Scottish businesses.
Here at Onestop IT in Edinburgh, our team of expert IT consultants specialises in helping SMEs to access enterprise technology solutions. If you are looking for the best practices at an affordable price, contact us today. We support businesses throughout Scotland and will be delighted to discuss your security requirements with you.