According to the 2015 Information Security Breaches survey carried out by PWC, 90% of large organisations suffered a security breach over the previous year, up from 81% in the 2014 report. For smaller companies that figure rose even faster, to 74% from 60%. For a brief and simple Cyber Security Risk Assessment, IFSEC have launched a tool that is available for anyone to use.
Based on the NIST security framework (shown below), it asks a number of questions relevant to each section. Going through the questionnaire, a total of 27 questions were asked, and as they were put in plain language anyone could quickly complete them and generate a results page with little difficulty. This is not going to solve all your cybersecurity problems, or even give you a roadmap of how to go about solving them, but it does deliver an awareness and indication of where your business is currently.
The IFSEC press release implies that it tells you how vulnerable your company is to hackers, but this is hardly true, as the questions are asked at such a high level and are phrased as Yes or No questions where the truth is more likely to be a percentage. For example, you might have established an information security policy and governance, but is it implemented and followed 100%, and is it any good or even up to date?
What the tool does do is allow business leaders to benchmark themselves against the cybersecurity framework developed by the National Institute of Standards and Technology, U.S. Department of Commerce (NIST). The framework was developed in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity, issued by President Obama in February 2013. In the UK, the government has produced the Cyber Essentials Scheme, and one wonders whether IFSEC will produce a similar questionnaire based on this, although it has a more technical bent than the US version.
IFSEC organised an annual conference, IFSEC International, between 21-23 June at Excel. Gerry Dunphy, the Event Director, IFSEC Portfolio, UBM EMEA, commenting on the tool said: “Cyber security should be right at the top of every business’s agenda. The ever-increasing number of connected devices, smart buildings and exponential growth of data make it necessary for all businesses to protect themselves. The Cyber Security Assessment is a useful tool for anyone to check that they are developing and deploying effective cyber security measures.”
FFIEC CyberSecurity Risk Assessment tool
The IFSEC Cybersecurity Risk Assessment tool is not the only one out there though. For those CEOs who want to take this more seriously there are additional tools available. Earlier this year the Federal Financial Institutions Examination Council (FFIEC) launched a Cybersecurity Assessment tool which is far more comprehensive but would take significantly longer to complete. The tool follows the NIST framework but is far more granular than the IFSEC version.
It is very useful that these tools are available, though when completing them companies need to be honest about the answers. One of the good things about the UK government scheme is that the Cyber Essentials Plus scheme is independently audited, and while self-accreditation is good it is far better to have an independent valuation of your cybersecurity strength. What will be interesting is to see whether next year the PWC survey reveals an even greater number of security breaches or if the number drops. There are a growing number of high-profile security breaches being made public (such as Healthfirst) and it will probably not be long before someone has irreparable brand damage or finds that the fines imposed are punitive.