Top 10 cyber security questions to ask your IT team or supplier

By Graeme Freeman, co-founder, Freeman Clarke

Cyber security is an issue for every mid-market CEO.

It is a complicated and fast-moving area, and a major breach can sink a business. Even in less dire situations, a security issue can consume the entire management effort and render operations impossible for a protracted period. The legal impact and reputational damage can be lasting and significant.

And yet most breaches we see are the result of basic failures which could have been easily addressed – in fact, the vast majority of cyber attacks can be thwarted by relatively simple steps. For CEOs then, the question is whether your team and suppliers have the ability and experience to put these basic measures are in place.

The answers (or non-answers) to the following questions will help you assess the situation. Asking these questions will also serve as a starting point for making improvements.

1. Do we have a clear strategy framework for cyber security?

Your approach should start with basic questions about how much cyber security matters to your business. Consider the likely breach scenarios and business impact and assess whether your company’s effort and investment in cyber security is consistent with this. How do the steps you take and the money you spend compare with the best, or with the worst? Have you made informed choices? Ensure you have a senior expert to set the policy and to be accountable.

2. Do we have basic housekeeping measures in place, and do we get them right every time?

Basic cyber security measures include a complete list of assets as well as documenting that all these assets – including mobile devices – are properly managed. The most basic points to ask about: AV and patching, full disk encryption, spam filtering, phishing prevention, management of removable media, and basic data loss prevention. All these measures must be up to date all the time, every time.

3. Do we have security accreditations? Do we need any to comply with industry regulations, or insurance requirements, or contractual obligations?

UK Cyber Essentials and Cyber Essentials Plus are excellent starting points. We suggest accreditation to CE+ as a basic starting point. UK CAF framework or US CSF framework are also sensible basics. For companies who want or need a more encompassing framework, ISO27001 is the recognised standard. (If you’re unfamiliar with these standards, see our latest cyber security report.)

4. Do we have a principle of least-access?

If a user only has access to the data they need for their job, then compromising their account has limited impact. On the other hand, many breaches occur because there are too many powerful or overprivileged accounts with access to sensitive data. Movers and leavers must be properly managed – we often see doors left wide open when administrators leave or change roles, but access is not tidied up.

5. What are we doing about back-ups?

Backups are still as vital as they’ve ever been. Many cloud systems provide backup as part of the service. But not always, and the quality varies. Often cyberattackers first sabotage your backups, so you need to ask if they are physically separate (‘air-gapped’) and locked (‘immutable’). Make sure that restore tests are part of your routine.

6. What’s our plan in case of a cyberattack?

Don’t wait until after it happens – plan for it. Make sure you’ve got adequate cyber insurance and that you’re compliant with the policy. And definitely make sure that in the case of a cyberattack your managers know what to do, where to find information, and how to contact trusted advisors – even when systems are down!

7. Do we have independent vulnerability assessments or penetration tests, and have we assessed or managed all the findings?

It’s critical to use independent experts to conduct continuous vulnerability assessments or at least regular penetration tests. Rather than ask your own team or existing MSP to make this assessment always use a third party – and don’t always use the same one. If you have any kind of custom software, or if you have built APIs for your customers, it’s critical to ensure the third party has the necessary technical expertise to conduct the test. A good starting point is to check compliance with the OWASP Top 10.

8. Do we have an IT risk register, and are we reviewing the risks on a regular basis?

A sensible starting point for all planning and activity is a list of possible risks. Creating this list is an opportunity for a wider group to understand the possible scenarios and impacts and then to decide who owns the risk and an appropriate response, even if it’s ‘do nothing.’ The responses can include preventative steps or plans for mitigation in the event of a breach.

9 Are the leaders of the business creating a culture of security?

Most breaches occur because people fail to take basic steps. It might be a powerful system administrator who lacks training or discipline, an ordinary user duped by a phishing email, or the CEO who writes his or her password on a post-it note. Leaders need to create a culture where regular training is expected and welcome; where users have a healthy suspicion of an email from an unknown source; and where it’s ok to challenge an urgent request for a cash transfer.

10. Do we have the necessary physical security?

Criminals can bypass many cyber security mechanisms if they gain access to your premises, so check that your business is taking the basic steps – building passes, a clear desk policy, and locked server rooms. Staff need to know not to leave office laptops and phones unattended or unlocked, in public.

Ensuring security is becoming more difficult. Cloud and ‘as a service’ offers are now ubiquitous, so IT is no longer something you can point to in a server room. Ownership of various services may be spread amongst many different people in the organisation, each with their own logins and credit cards. Despite this growing complexity, cyber security needs to be drawn together under a single strategy, with a single owner, who has the expertise to know what they’re doing, and the seniority to get it done.

Your job as CEO is to ensure that all these services and people are as secure as possible. Don’t assume your IT team or suppliers are on top of it – make sure they are by asking these questions and following up on them. And if you’ve got questions about the security of your mid-market business, get in touch.