Cyber Security Risk Review | Information Security Assessment
An information security assessment enables evaluation of risks, gaps and vulnerabilities in the organization’s IT assets. Through such a survey the organization can reduce its exposure to cyber threats such as industrial espionage, sensitive data breaches, data theft by a malicious insider, leaking of trade secrets to competitors, hacking and total shutdown.
Force Majeure’s information security and cyber threat survey team consists of veterans of elite Intelligence & Cyber units, anti-fraud experts, information security and cyber investigation experts. With the organizational knowledge built over more than a decade of involvement in the cyber world, our experts conduct in-depth information security assessments out of hands-on, day-to-day familiarity with cyber threat scenarios facing organizations, businesses and companies.
It is important to note – in order to prevent conflicts of interests and for the sake of providing precise, tailored recommendations to every company and organization, Force Majeure abstains from associating itself with any Information security companies whatsoever. It neither provides nor implements cybersecurity and information security systems. This approach ensures we remain vendor-agnostic and deliver objective, professional information security advice.
For an initial consultation on cyber risk assessments call 972-3-6259898
Cyber risk assessment – our record
The practical experience we have accumulated in the world of cyber investigations enables us to identify processes, systems, settings and policies which are bound to result in breaches of information security, harming the organization’s business, its assets and reputation. This experience comes from investigating cyber criminality of all kinds – stealing from an employer, intellectual property theft, industrial espionage, cyber incident response and management on behalf of insurance companies and so forth.
As is the case with conventional burglaries, fraud and crime – information security vulnerabilities are the “open door tempting the saint”. With the exception of cases where a cyber attack against a specific company is ordered by a business competitor or disgruntled employee, cybercrime organizations look for “soft targets” and easy money. Under these circumstances, a company, factory or institution that leaves itself open to attack is easy prey, and they will inevitably be at a substantially greater risk of cyber-attack and sensitive data breach.
The value of the information stored in an organization’s IT systems is usually much greater than the value of it physical assets, which most companies carefully protect. This includes trade secrets, personal correspondences, customer and employee details. A logical information security assessment enables a company to receive precise indications regarding the state of the information security in the organization, including through exposing critical defects in need of immediate remediation before the breach is discovered by cyber criminals or anyone within the organization that would abuse the trust the organization has bestowed on them and the privileges they have been granted.
Information security assessment – Summary Report
Once the risk assessment is complete, the company is provided with a summary report and recommendations for hardening its information security. This includes means such as establishing or refreshing information security procedures, recommendations on deployment of cybersecurity tools appropriate for the nature of the organization, raising executive and employee awareness and so forth. The recommendations will focus on the features the tools must have, not on a specific manufacturer or brand behind the tools.
Cyber security risk review steps
Step 1 – Mapping of technology, assets and evaluation of current information security policy
Technologies and information systems the user uses within the organization – servers, communication components, branches.
Digital assets – trade secrets, sensitive databases, agreements, tenders and classification of the sensitivity level.
Subcontractors and service providers.
Evaluation of interfaces between applications.
Evaluation of the existing security means.
Evaluation of backups, restorations and disaster recovery.
Mapping of environmental controls such as security cameras, access control systems, floating floor etc.
Evaluation of the information security procedures within the organization – granting and revoking permissions, blocking of removable devices and file types.
Evaluation of past dealings with cyber incidents.
Monitoring and control policy.
Step 2 – Conducting a comprehensive infrastructure security assessment to assess gaps
In-depth evaluation of the network, including: permissions, critical third-party software, databases, security tools and information security.
Evaluation of the firewall rules.
MDM – Mobile Device Management – configuration and policy.
Random sampling of endpoints.
Step 3 – Findings from the Information security assessment | Cyber risk assessment
A summary report, reflecting an up-to-date situation picture and containing the information security and cyber findings and exposures found, recommendations for corrective actions while prioritizing the improvement recommendations according to their urgency, in coordination with the IT department, the board of directors and the company management.
A risk assessment is valid to the day it is carried out. In order to maintain a high level of cyber security, it is worth considering the appointment of an external Chief Information Security Officer (CISO), who will supervise the retention of the level of information security in the company. It is sometimes necessary to appoint a Chief Information Security Officer due to various regulatory requirements for privacy protection.
Note: Only the major highlights of the initial steps in the above risk assessment are presented here and they should be treated as examples only. A risk assessment is individually tailored for each organization, its information security needs and its unique characteristics.
The human factor in cyber security
As part of a risk assessment, the organization’s information security procedures are reviewed and if necessary they are updated to comply with current requirements and if this is also required, then they are adapted to comply with standards such as ISO standards of information security, EU privacy protection regulations – GDPR etc.
However information security procedures alone, even if properly communicated and deployed, cannot do the job – international studies on information security and cyber, as well as our experience over many years in the field, prove that the human factor is the weakest link when it comes to information security. Therefore we will recommend, in every summary report, that information security training be provided for the company employees to raise employee awareness.
Physical risk assessment
A physical risk assessment is sometimes required as a complementary element for conducting a logical risk assessment. This is necessary for checking whether the organization has physical security vulnerabilities which could jeopardize the organization’s security by enabling document theft, planting of bugging devices or other devices for industrial espionage, and so forth. The physical part of the risk assessment is conducted by security experts and security officers.
Risk review – a worthwhile investment
The cost of dealing with a cyber disaster through a cyber incident response team – IR / IRT – or a cyber investigation intended to find evidence which will enable suing or convicting the perpetrator, is immeasurably more costly than preventing the attack in the first place (“An ounce of prevention is worth a pound of cure”). The risk of individual and class-action lawsuits is also continually increasing, where the defendants may be members of the board of directors and executives. On top of that, regulatory enforcement is continually escalating in Israel and worldwide, exposing organizations that have failed to comply with minimum cybersecurity requirements to extremely high penalties.
Our many years of experience have proven that the cost of an investigation, or of managing a single cyber incident is immeasurably more expensive than the cost of an information security assessment and adaptation to the information security standards, penetration tests, CISO, and all of the information security tools the organization will need to procure.
The required investment in cyber security is less than one-thousandth of the cost of dealing with a cyber attack