Cyber security is an essential investment for your business, but it can be a struggle to know where to focus spending in order to achieve the most tangible improvements.
As your business grows, so too does its attack surface. New systems and devices can create new security risks. This fact, combined with the rising sophistication and persistence of hackers, can also mean that the controls you’ve relied on to protect your business for so long are no longer reliable. The only way to understand and improve the effectiveness of your cyber security is test it regularly
Here we consider four important ways to help assess your business’ cyber security.
The first step to understanding the effectiveness of your business’ cyber security is to perform an audit. One of the best ways to do this is through the government-backed Cyber Essentials scheme. Cyber Essentials is an annual assessment designed to help mitigate common security threats such as malware, social engineering and hacking.
To achieve certification, businesses are assessed on core security controls such as access permissions, up-to-date virus protection, patch management and the secure configuration of systems and devices.
There are a huge range of benefits for completing Cyber Essentials, and they go beyond a simple assessment. Achieving Cyber Essentials certification will help to demonstrate to clients and partners that your organisation take security seriously. Additionally, since 2014 business needs to be Cyber Essentials certified in order to bid for government contracts.
Regular vulnerability scanning using specialist software helps to identify core vulnerabilities in your network and systems so that they can be remediated before being exploited by cybercriminals.
Vulnerability scans typically take just a few hours to perform and should be conducted on a regular basis, both inside and outside a network. Scans can be scheduled by individuals without minimal security expertise however assistance may be required to interpret the results and address any exposures identified.
Penetration testing differs from vulnerability scanning, in that assessments are human rather than software led. Penetration tests are conducted by skilled ethical hackers and can help to uncover and address hidden and complex vulnerabilities that software tools can miss. For example, a skilled pen tester is more likely to identify system and application specific flaws such as authentication and session management problems, as well as input validation errors.
“With threats constantly evolving, it’s recommended that every organisation commissions penetration testing at least once a year, through any of the many different forms:
Regular pen testing not only helps to improve your understanding and knowledge of your business’ cyber security, but it also fixes any vulnerabilities before they are exploited by cybercriminals. It also supports PCI DSS, ISO 27001 and GDPR compliance – which is essential in the digital age of today.” Simon Monahan,Redscan
There are different types of penetration testing, ranging from network testing, which focuses purely on your network and assets, to web application testing, which can identify vulnerabilities affecting websites, microsites and portals. Penetration testing can also be performed to assess employee awareness of social engineering attacks such as phishing and vishing.
The duration of an average pen test is 2 to 3 days, which includes time for the ethical hacking team to produce a final report and provide feedback. Consult with cyber security experts to help scope an assessment that will be most beneficial for your business.
The most advanced cyber security assessment is known as a red team operation. Red teamoperations are designed to simulate real-world cyber-attack and for this reason are conducted over an extended period of time, typically one to two months.
Less focused on uncovering vulnerabilities, a red team operation uses an intelligence-led approach to accurately assess the effectiveness of in-place security controls to prevent, detect and respond to attacks. They are especially valuable in helping businesses to assess how their employees react to cyber incidents.