Information Security (data protection / GDPR / cyber security, call it what you will) is about managing the risks to the confidentiality, integrity or availability of the information your business relies upon to operate. It is then about being able to demonstrate to your customers (or clients), suppliers and staff that you are doing the right thing to manage those risks, with the aim of engendering trust.
Unfortunately, when tech companies build new hardware or programmers write new software, one of two things can happen. Either, despite their best efforts and extensive testing and evaluation prior to release, something gets missed and a hole gets left in the security architecture of the device or application. This is why freelance “bug hunters” can earn large sums ($100,000 to $250,000) from organisations such as Microsoft, Apple and Google for identifying such flaws. Alternatively, because the rate of change in the tech world can be extreme, the pressure to bring a new product to market as quickly as possible, before someone else has the same good idea, can be intense. So the development of appropriate security gets overlooked or abandoned in the rush to market. This is why, whether at work or at home with your personal devices, you’re so often being invited to patch or upgrade.
Consequently, one of the most obvious and frequently used means of compromising a business’s data, in order to steal identities, money or intellectual property, is to exploit these vulnerabilities in the organisation’s IT systems. But how do you identify them, so you can protect your business and the data it controls or processes? Well, in the first instance, these risks should already be a prominent entry on your business’s information security management risk register. Secondly, the mitigation you would apply to manage these risks is to conduct a vulnerability assessment of your IT network.
It’s unlikely that most businesses, unless very large and sophisticated, will have such a capability in-house. Aside from which, if you tested it yourself it would be akin to marking your own homework, and you wouldn’t ask your bookkeepers or finance team to audit your annual accounts, now would you? So the reassurance of having an independent third party do the work should not be underestimated.
One common excuse businesses often use for putting off commissioning a vulnerability assessment is that it sounds expensive. The good news is that it isn’t. The costs are proportionate to the size and complexity of the system, so are well within the means of SMEs, and as one astute client recently remarked, citing Stelios Haji-Ioannou, founder of EasyJet, “if you think health and safety is expensive, try an accident.” (And for “accident” in this situation, read “data breach”.)
The output should be a report which identifies the existing vulnerabilities, grades the level of risk associated with each vulnerability and suggests appropriate remediation to close down that vulnerability. This you can share with your IT support team, and they can then carry out the corrective actions to better protect your business and its information / data. Just one cautionary note at this stage: we don’t suggest merely passing the report to your IT support team, as some of the findings might reveal vulnerabilities that ought already to be managed as part of your existing support service. In which case, a careful commercial conversation might be in order.
But at the same time, we advocate that clients never lose sight of the purpose of the report, which should be to improve your security rather than merely finding a stick with which to beat your IT support providers.
So, in summary, what are the benefits?
- You can relatively quickly and easily enhance (probably significantly) the protection of your business and its data.
- Having a vulnerability assessment report will go a long way to demonstrating (to regulators, customers, suppliers and staff) that your business is trying to meet its obligations under the regulations.
- It provides reassurance that your IT team haven’t dropped the ball and enhances their knowledge of security matters, so they can provide you with a better service going forward.
For more information, or to answer any queries you may have as a result of reading this, please contact us.