Keep Information Security Services

Six questions to ask your Cyber Security Team or MSP:

Q1. What and where is our most critical data or system(s)?

Why? Identifying your most critical data and/or system(s) is crucial to understanding:

  • Who has control.
  • Who accesses.
  • Who or what requires access.
  • 3rd parties that have access to and/or store your data.
  • Location(s) of your data or system(s).

If this information is not readily available, how secure is your critical data or system(s)?

 

Q2. How strong are our access controls?

Why? Strong access controls provide one of the first lines of defence for your end users, clients, data and systems. At a minimum, the following should be implemented:

  • Multi-Factor Authentication (MFA)
  • Single Sign-On (SSO)
  • Banned password lists
  • Minimum complexity requirements
  • Conditional Access

If some or all of these controls aren’t in place, is it because:

  • Legacy systems are holding you back?
  • Legacy working practices?
  • Poor implementation?
  • Lack of awareness?
  • Lack of budget, or not utilising what you already have effectively?
  • Client requirements?

What is the plan to fix these issues?

 

Q3. How do we monitor threats and incidents and alert on them?

Why? Strong monitoring across all systems, services, users and data gives insight into, and cross-correlation of, threats and incidents before they cripple the company, breach accounts, exfiltrate your data and/or scramble your data.

Without effective monitoring there’s little hope of catching a threat or incident before it has irreversible consequences. Selectively monitoring parts of your system is not advised unless truly unavoidable; the greater the insight, the greater the chance of mitigation.

 

Q4. How broad is our attack surface?

Why? Identifying the full extent of your organisation’s attack surface is critical to understanding:

  • Who requires access?
  • Which systems reside where?
  • Who controls those system(s) and data?
  • What needs to be monitored and protected?
  • What vulnerabilities, risk and residual exposure may be present?
  • What risk mitigation efforts are required?

Remember: your attack surface may also include 3rd party suppliers and online platforms that provide business functions or hold critical data.

Explore our Attack Surface Mapping if you require assistance.

 

Q5. What do we patch and how often?

Why? Applying software patches and system updates to End User Devices (EUDs), servers, networking equipment and mobile devices allows any known vulnerabilities that may be present to be mitigated.

Software updates should be centrally managed and, where practicable, “auto update” enabled. Servers are typically patched on a regular cadence (ideally monthly) following software update testing.

Reporting on the current patch status, and thus on the residual vulnerabilities that remain to be addressed, should be readily available, and a concise plan should be produced to address these.

 

Q6. Can we recover from a disaster?

Prove it! At some point your company will experience a disastrous event; the extent to which that affects the company and its operations (or not) is largely down to the controls in place and how effective monitoring and response have been.

Thorough planning must be in place to provide guidance on, and oversight of, what actions to take in a range of scenarios.

Disaster Recovery (DR) testing is crucial to identifying gaps in processes, data holdings, control, infrastructure, 3rd party dependencies and your ability to recover.

Whilst tabletop exercises and written disaster recovery plans are an excellent start, you’ll only know whether you can recover if you test those plans. Therefore, make sure you can prove it!

Explore our Cyber Security Maturity Reviews if you require assistance.

 

How effective is your cyber security team or Managed Service Provider (MSP), now that you’ve assessed them against these 6 relatively basic questions? What confidence does that give you?

If the in-house team faltered:

  • Are they struggling with the burden?
  • Do they have the necessary resources, tools, leadership and knowledge available to them?

If the outsourced managed cyber security faltered:

  • Well, that’s a bigger problem!

KEEP can assist in-house teams and/or review outsourced managed cyber security providers and replace/improve capability where necessary.
