When you see your doctor for a medical check-up, the results are fairly predictable and not very actionable – lose weight, get more exercise, and avoid stress. A cyber security health check can be much more insightful and actionable, and I recommend that your company carries one out regularly.
A cyber security diagnostic includes:
1) Focus on the important stuff. Does your company have a document classification scheme that allows you to identify the relatively small proportion of highly sensitive information, thereby allowing you to take special measures to protect it?
2) Awareness. Do your staff appreciate the threat, understand the common techniques used by hackers, and follow your company guidelines on good practices?
3) Prevention. Do you have an adequate set of products in place (firewalls, anti-virus software, URL blocking etc.) to avoid an intruder finding an easy gap in your defenses? Are these devices properly configured to work together? Do you have good processes to oversee your defenses? Have you conducted an independent penetration test to see how this works in practice?
4) Detection. How good is your security architecture at detecting a successful intrusion? Do you have the skilled staff and processes to see these alerts buried in all the noise of thousands of security events every day?
5) Reaction. Do you have skilled staff who can respond promptly to an intrusion and minimize its impact? Do you have an incident response plan for a significant event that addresses all the consequences (operational, legal, PR etc.)? When did you last hold a practical test of how well that plan copes with a real event?
6) Day-to-day operations. Do you understand your strengths and weaknesses, and the improvement plan you should be following? Does this depend on a few key staff members? How trustworthy are they with your sensitive assets, and how would you cope if one of them left suddenly?
Whether it is your personal health or the health of your company's cyber security controls, you should always seek the advice of an experienced professional who does this work all the time. They will recognize the symptoms of a problem much more quickly than someone close to you, and they have a deeper knowledge of your options for dealing with it. Just as a general practitioner may advise major surgery while a specialist may come up with a much less intrusive solution, the same is true in cyber security. There is a great deal of nonsense and misinformation surrounding this topic, and an expert specialist may be able to help you avoid wasted spend and painful consequences. Companies that undertake a cyber security health check are generally dismayed by the findings, but a year later they are in much better shape and spending less on this issue than they were before, because they took the medicine prescribed for them.