1. Conduct a Comprehensive Risk Assessment

There is a new attack somewhere on the web every 39 seconds. Every business should be performing security reviews across all their infrastructure, from end-point devices to cloud platforms.

A risk assessment involves identifying potential cyber threats and vulnerabilities, assessing the likelihood and impact of each threat, and developing risk mitigation strategies. The main steps to a cybersecurity risk assessment are:

1. Identifying risk
2. Analysing and evaluating risk
3. Prioritise severity levels of risk
4. Document all risks

Many free resources and templates help you perform risk assessments, including the UK government's website.

 

2. Review Access Controls

A user access review (or audit) evaluates all permissions and accesses of every personnel in your company. This review ensures that only authorized personnel can access sensitive data and systems. Reviewing access controls involves evaluating the effectiveness of existing controls and identifying areas where employees can obtain access to more sensitive data than they require for their work.

Don't just look at internal access. Do your third-party suppliers or vendors have access to company data? If so, it's important to evaluate what they have access to and the risks associated with each third-party access.

 

3. Perform Vulnerability Assessments

This involves defining and identifying all vulnerabilities in your organisation's computer systems, applications and networks. Once you've performed this, you can categorise each vulnerability and prioritise them based on the likelihood of an attack and the severity of the impact it would cause.

Vulnerability scanning is a low-cost way to automatically look for the most common security issues without employing specialist security testers. There are all sorts of vulnerability scanning tools and services on the market. The NCSC (National Cyber Security Centre) has published a handy and detailed guide to vulnerability assessments.

 

4. Review Security Policies and Procedures

Every business should have documented security policies and procedures that outline how employees should handle sensitive data, what security measures are in place, and what to do in case of a security incident. Your company's cyber strategy must be clear of jargon and easy to understand so it can engage with all the teams across the business. Reviewing these policies and procedures helps ensure they are up to date and effective, as well as ensuring vigilance around your staff towards cyber security and protection.

 

5. Conduct Penetration Testing

Sometimes known as 'pen testing', a penetration test is an ethical cyber hack of your computer systems and network to identify security vulnerabilities and weaknesses. The simulated cyber hack goes through the same process and uses the same techniques that a hacker would, producing a breakdown of all the vulnerabilities a hacker could exploit.

 

6. Review Backup and Disaster Recovery Plans

A business continuity (or disaster recovery) plan ensures a company can still operate after a major disruption or disruption, such as a fire, network outage or a cyber security incident. The step-by-step process ensures your business is well prepared to deal with unexpected events and continue running efficiently and you can recover lost or stolen files.

A business's backup and disaster recovery plans should be reviewed and tested regularly to ensure that they are effective and, when the day comes, you will come out the other side.

 

These six ways to perform a business cyber review will help identify potential cyber risks and vulnerabilities and ensure your business's information systems and data are secure.

PSP's cyber professionals have 40 years of combined experience developing IT and cyber strategies for businesses. Learn more about our Cyber security service here where we can provide your organisation with a clear understanding of your cyber risks and an easy-to-understand cyber protection plan for your business.

7^th March 2023