This is the first in a series of posts that will aim to provide some initial guidance on the fundamentals of cyber security. During our time assisting many organisations with improving their security, the one thing that is common across all companies, regardless of size or type, is the lack of focus on Cyber Basics.
These posts will not be in any particular order, but will aim to cover what we feel are the key basic elements of any cyber security strategy or improvement programme. The great thing is that this guidance applies to any size of company or budget, no matter how small, and applies equally to the large enterprise.
By focusing on these basics you can significantly improve your cyber maturity and help prevent over 80% of the common cyber threats active today.
Here we start with what we feel is the most overlooked aspect of any security activity, especially in smaller orgs: Identifying and Assessing the Risks. We decided to cover this first as it naturally fits as one of the first tasks to complete.
Start by asking yourself a question: do you know ALL the IT assets you have in the organisation?
An IT asset could be a PC, laptop, server, mobile phone, tablet, security device (firewall), network device (switch or wi-fi), printers, software or any internet connected smart device (TV, camera or speaker) etc.
If the answer is yes, then excellent: you are in the very small percentage of organisations who do, and you are off to a great start.
If, like most, the answer is no, then your very first step is to create an inventory of all assets in your IT estate. The bottom line here is, if you don’t know about it, how can you secure and protect it!
This can be as simple as cataloguing everything in a spreadsheet or having a tool actively scan your networks to identify your assets, such as Lansweeper, SolarWinds, or Qualys.
These automated scanners are the preferred method, as they have the benefit of detecting assets that you may be unaware of and that would otherwise leave further gaps in your security. Not all business budgets will extend this far though.
“If you don’t know about it, how can you secure and protect it!”
Your inventory should contain as much information about the assets for both hardware and software as you can find. Include items such as: Make & model, hostname, IP address, software & firmware versions, upcoming end of sale, life or support dates, vendor, serial numbers and location to name a few.
Once you have a list of your assets, it’s a good idea to identify which of those assets you deem most critical to the business. This will differ significantly from business to business, but will allow you to focus priorities, especially if you have a large number of devices.
For example use a simple method such as the High, Medium, and Low classifications to define which assets matter most, requiring greater attention to protect the device and the data it holds.
Critical assets in the High classification may be your authentication servers or a database that contains your HR or customer records, while devices classified as Low may be your user PCs or mobile devices.
So you have created an asset inventory and decided which assets are most important to you, now is a good time to perform an initial Cyber Assessment.
Cyber assessments are a great first step in your journey to better cyber security. They provide numerous benefits:
Identify your gaps – one of the key steps in assessing your business is identifying the gaps in your current security. Gaps are holes in your security that can be exploited by the bad guys. Identifying the gaps is a critical step to your overall improvement.
Assess your risks – once you have found the gaps in your security, the next step is to assess the risk that is posed by each gap. If you are new to risk assessments, keep it simple.
Using a High, Medium & Low scoring system, calculate the risk using the impact it could have on the business combined with the likelihood of that impact occurring.
For example, a high-impact gap that has a high likelihood of occurring would be rated a high risk.
Baseline your maturity – completing your first cyber assessment will allow you to understand your current maturity level and create an initial baseline.
This baseline is your starting point and can be used to monitor and track your progress as your journey unfolds.
Prioritise actions based on risk – now your risks are identified you need to create an action plan. The action plan is where you start making changes to resolve the risks, plug your gaps and improve your security.
The best way to do this is via a risk-based approach that prioritises the actions based on the calculated risk. Start by tackling the high risks first; once they are complete, move to the medium risks and finally the lows.
This allows you to allocate budget accordingly, while dealing with the things that could have the biggest impact on your organisation first.
Continuously assess – our final step here is to realise that the cyber journey never ends; every day new threats appear and new vulnerabilities are discovered. Once you are on the path, it’s important to stay on it by continuously assessing your organisation.
Perform assessments regularly; we recommend at least on an annual basis. By carrying out periodic reviews, you can assess your progress and maturity improvements, as well as keeping on top of any new or emerging security gaps.
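To show how the inventory, the High/Medium/Low asset classification and the impact-times-likelihood risk scoring above fit together into a prioritised action plan, here is a small worked example. It is added here and is not code from the original post or from Ironshare. The asset fields follow the post's inventory checklist; the 3x3 risk matrix thresholds (which scores count as High, Medium or Low), the tie-breaking rules and all hostnames, addresses, dates and findings are constructed assumptions for illustration only.

```python
"""Toy asset register with High/Medium/Low risk scoring and prioritisation.

Added example, not code from the original post or from Ironshare. Every
asset, gap and date below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Numeric weight behind each High/Medium/Low rating.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Asset:
    """One inventory record, using fields the post recommends capturing."""
    hostname: str
    make_model: str
    ip_address: str
    firmware: str
    end_of_support: Optional[date]  # None when the vendor has not published one
    criticality: str                # "High", "Medium" or "Low" classification


@dataclass(frozen=True)
class Gap:
    """A security gap found during the assessment, with its two risk inputs."""
    hostname: str
    description: str
    impact: str      # effect on the business if the gap were exploited
    likelihood: str  # chance of that actually happening


def risk_score(impact: str, likelihood: str) -> int:
    """Raw score: impact weight times likelihood weight (1..9)."""
    return LEVELS[impact] * LEVELS[likelihood]


def rate_risk(impact: str, likelihood: str) -> str:
    """Map impact and likelihood to a High/Medium/Low risk rating.

    Assumed matrix: scores 6-9 are High, 3-4 Medium and 1-2 Low. High impact
    combined with High likelihood therefore rates High, as in the post.
    """
    score = risk_score(impact, likelihood)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritise(gaps: List[Gap], assets: List[Asset]) -> List[Gap]:
    """Order gaps for the action plan: highest risk rating first, then the
    criticality of the affected asset, then raw score, then hostname."""
    criticality = {a.hostname: a.criticality for a in assets}

    def key(g: Gap):
        return (
            -LEVELS[rate_risk(g.impact, g.likelihood)],
            -LEVELS[criticality[g.hostname]],
            -risk_score(g.impact, g.likelihood),
            g.hostname,
        )

    return sorted(gaps, key=key)


def unsupported_by(assets: List[Asset], on: date) -> List[str]:
    """Hostnames whose vendor support has ended on or before the given date,
    a gap the end-of-support field in the inventory lets you spot early."""
    return [a.hostname for a in assets
            if a.end_of_support is not None and a.end_of_support <= on]


# Constructed sample inventory (hypothetical hosts and addresses).
ASSETS = [
    Asset("auth01", "Dell R740", "10.0.0.5", "1.4.2", date(2027, 6, 30), "High"),
    Asset("hrdb01", "HP DL380", "10.0.0.9", "2.1.0", date(2024, 1, 31), "High"),
    Asset("fw01", "Example firewall", "10.0.0.1", "7.0.3", None, "Medium"),
    Asset("pc-042", "Lenovo T14", "10.0.1.42", "3.2.9", date(2025, 3, 31), "Low"),
]

# Constructed sample findings from a first assessment.
GAPS = [
    Gap("pc-042", "Shared local administrator password on user PCs", "Medium", "Medium"),
    Gap("hrdb01", "HR database reachable from every office desktop", "High", "High"),
    Gap("auth01", "Administrator logins without multi-factor authentication", "High", "Medium"),
    Gap("fw01", "Management interface still on its default password", "Medium", "Low"),
]

if __name__ == "__main__":
    for g in prioritise(GAPS, ASSETS):
        print(rate_risk(g.impact, g.likelihood), g.hostname, g.description, sep="\t")
    print("Out of support on 2025-01-01:", unsupported_by(ASSETS, date(2025, 1, 1)))
```

Running it lists the HR database exposure and the unprotected admin logins (both High) ahead of the user PC finding (Medium) and the firewall finding (Low), which is exactly the order the post suggests working through them, and flags hrdb01 as already out of vendor support. The matrix is deliberately simple; if two gaps land in the same rating, the affected asset's own classification breaks the tie, so a gap on a High asset is fixed before the same gap on a Low one.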
Cyber Assessments can come in different forms, from simple Q&As to full business and technical assessments.
If you have your own internal security team then look to define your own assessments and maturity model which are based on common frameworks available via the likes of NIST and CIS.
If you don’t, not to worry: your best option is to seek assistance from expert security professionals to help you with the process. There are plenty of us out there to choose from, so take your pick.
Above all, keep it simple. Choose what’s best for you and tailor it to your needs.
This first post in the cyber basics series has looked into what we consider the initial steps to get you started on your journey to a new and improved security posture.
To summarise, follow these steps:
Look out for our future posts and hopefully they can help you become more secure.
Strap yourself in, you’re in for a bumpy yet enjoyable ride! 😊
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.