Safeguard Your Business,
Mastering Cybersecurity Risks

Peer based cyber security risk assessment reveals the common security flaws and how to overcome them.

12 November 2023

Peer based cyber security risk assessment

Introduction:

The ever-evolving digital landscape has brought about immense opportunities for businesses to thrive, innovate, and connect with customers. However, it has also introduced a new breed of threats and challenges that demand our attention and vigilance. In a recent study, our technical consultant conducted an extensive cybersecurity risk assessment across more than 100 small and medium-sized organizations, shedding light on their current cybersecurity preparedness and potential areas of improvement.

Watch Probrand’s Mark Lomas present his take on these findings and the actions you need to take today

Methodology:

Technical consultants visited and assessed over 100 organizations, conducting a deep review of their network infrastructure, software assets, and cybersecurity tools. Some of the organisations assessed were SMBs with no IT team, and the assessment was conducted with a Managing or Financial Director, others were large enough for an IT person and the assessment was undertaken with that contact.

A comprehensive risk assessment document was created, which assigned risk indices to key security parameters and defenses employed by each organization. These indices represent how susceptible each organization is to different cyber threats.

Key Findings and Implications:

Email Security

Email Security:

Findings

  • 28% of organizations have no apparent email filters
  • 72% employ robust offsite email tool like Mimecast to block a significant portion of spam and phishing emails
  • 58% of admitted that impersonated emails, often used in phishing and whale phishing attacks, are not entirely blocked
  • Some have fallen victim to these scams, leading to financial losses

Implications

Poor email security invites phishing attacks, risking financial loss, data breaches, and reputational damage. Business Email Compromise (BEC) can lead to unauthorized fund transfers, while data breaches result in legal and financial consequences. Ransomware disruptions, regulatory non-compliance, and compromised relationships further underscore the need for robust email security.

Key actions

  • Implement Robust Filters: Use advanced email filters to catch phishing and spam.
  • Employee Training: Educate staff on recognizing and avoiding phishing attempts.
  • Multi-Factor Authentication (MFA): Enable MFA for an added layer of protection.
  • Regular Security Audits: Conduct frequent audits to identify vulnerabilities.
  • Encrypted Communication: Use end-to-end encryption for sensitive information.
  • Update Systems: Keep email platforms and security software up-to-date.
  • Incident Response Plan: Have a plan for responding to email security incidents.
  • Backup Critical Data: Regularly backup essential data to mitigate data loss risks.
  • Access Control: Limit access to sensitive emails based on job roles.
  • Vendor Security: Ensure third-party email service providers maintain high-security standards.
Firewall

Firewall Security:

Findings

  • 15% are not aware of, or have no apparent firewall to protect against internet threats
  • 85% of organizations have firewalls that cover essential protocols and web sites, scan for viruses, malware, intrusions, and more
  • Only 75% of them have implemented logging for traffic analysis, a critical tool in verifying data breaches and responding effectively

Implications

Whilst the majority have adopted firewalls, 15% still haven’t! That aside, not having implemented logging for traffic analysis leaves an organization blind to potential cyber threats. In the event of a security breach, the absence of detailed logs hampers the ability to identify the extent of the attack, hindering effective response measures and exposing the organization to prolonged vulnerabilities and legal consequences.

Key actions

  • Deploy a firewall to cover the basics – if you firewall is older than 3 years old, replace.
  • Implement Traffic Analysis: Invest in and deploy traffic analysis tools.
  • Training and Awareness: Train staff on the significance of traffic analysis.
  • Policy Development: Develop policies for regular traffic monitoring.
  • Incident Response Plan: Establish an incident response plan for immediate action.
  • Continuous Improvement: Regularly update and refine traffic analysis processes for ongoing effectiveness.
VPN

VPN Security:

Findings

  • 25% of organizations do not ensure their VPN appliances are situated in a Demilitarized Zone (DMZ) so do not scan incoming traffic
  • Only 43% have implemented logging
  • Most organizations rely on managed VPN services for better security

Implications

Having no VPN security exposes organizations to several risks. Firstly, without proper encryption, sensitive data transmitted over the network is vulnerable to interception. Additionally, lacking VPN security increases the likelihood of unauthorized access to internal systems, posing a threat to sensitive data and confidentiality.

Key actions

  • Enable Multi-Factor Authentication (MFA): This adds an extra layer of identity verification
  • Update VPN Software: Patch vulnerabilities and ensure all security features are in place
  • Encrypt Data Transmission: Use strong encryption to secure data transmitted over the VPN
  • Implement Detailed Logging: Monitor VPN activities and investigate potential security incidents
  • Deploy Role Based Access: Only grant VPN access to personnel based on roles and responsibilities
Authenticator

Multi-Factor Authentication (MFA):

Findings

  • 64% of VPN users had no MFA enabled, posing a substantial risk
  • 45% of users now use number verification when using the Microsoft Authenticator App

Implications

Enabling MFA is increasingly required for cyber insurance policies. Not having MFA enabled poses a significant risk, as it allows unauthorized access with compromised credentials, making accounts vulnerable to cyber threats and security breaches. Why make it even easier for the criminals, just enable MFA.

Key actions

  • Enable MFA Across Platforms - especially for critical systems – often it’s free to do so!
  • Educate Users: Provide training to employees on how to use MFA
  • Use Authenticator Apps: Consider using MS Authenticator apps for stronger authentication
  • Regular Audits: Periodically audit MFA settings to ensure continuous protection
  • Policy Enforcement: Make MFA a mandatory policy, especially for sensitive systems
Microsoft 365 (MS365) Security

Microsoft 365 (MS365) Security:

Findings

  • 43% of organizations had no MFA enforced to access their MS365 environment
  • 78% did not secure data for third-party cloud services, HR and financial systems with MFA

Implications

The findings indicate the majority are still overlooking the importance of protecting sensitive information in their 365 environment as well as their 3rd party apps and services – where sensitive data exists. Neglecting Microsoft 365 security risks data breaches, phishing attacks, and compliance violations, potentially leading to financial losses and reputational damage. Prioritize securing your tenancy to mitigate these risks effectively is absolutely critical.

Key actions

  • Implement Multi-Factor Authentication (MFA) for all users
  • Regularly monitor and improve the Microsoft Identity Security Score
  • Enforce strong password policies
  • Limit admin access and use dedicated admin accounts
  • Educate users on cybersecurity best practices
Backup and Disaster Recovery

Backup and Disaster Recovery (DR):

Findings

  • 25% of organizations still store backups on their network without an air gap
  • 15% only back up selected data, which may lead to longer recovery times

Implications

In short, most are failing to have adequate backup and recovery solutions and practices in place to recover their business when the worst happens. Poor backup and recovery practices expose businesses to extensive data loss in the event of a cyber attack or system failure. It can result in prolonged downtime, affecting productivity and revenue. Without a robust DR plan, organizations risk irreparable damage to their reputation and financial well-being.

Key actions

  • Review, define and implement a robust disaster recovery plan
  • Ensure regular offsite backups to prevent data loss
  • Invest in reliable backup solutions – preferred is to backup entire virtual servers
  • Regularly test the recovery process for effectiveness
  • Seek professional guidance to enhance backup strategies and resilience against cyber threats
Patch

Patching:

Findings

  • A surprising 29% of organizations had no patch management in place
  • 43% are not automatically patching common third-party apps, exposing further vulnerabilities

Implications

Patch management involves the systematic process of acquiring, testing, and applying updates or "patches" to software applications and systems to address vulnerabilities, enhance security, and ensure optimal performance. Patch management is critical in maintaining ongoing security. Having no patch management in place at all is commercial suicide, and without auto-patching on third party apps the exposure to further vulnerabilities is increased.

Key actions

  • Initiate Regular Audits: Conduct thorough assessments of your software applications and systems to identify vulnerabilities
  • Establish Patching Policies: Develop and implement clear policies for acquiring, testing, and applying patches promptly
  • Automate Patching Processes: Utilize automated tools to streamline the patch management workflow and ensure timely updates
  • Prioritize Critical Vulnerabilities: Focus on addressing high-risk vulnerabilities promptly to minimize the risk of exploitation
  • Consider outsourcing patch management: Research MSPs offering IT support
Anti Virus

Endpoint Security (Anti-virus):

Findings

  • 98% ensure their endpoint security application is updated regularly
  • 47% did not have advanced features to detect ransomware and hacking attacks

Implications

Endpoint or anti-virus protection appears widely adopted, however, nearly half do not have advanced features enabled to tackle the fastest growing threat of ransomware attacks. The implications of lacking endpoint security are severe, exposing systems to malware, ransomware, and unauthorized access.

Key actions

  • Ensure your endpoint security software includes advanced features for detecting ransomware
  • Keep security software up to date for the latest threat intelligence and protection
  • Explore managed endpoint security services for comprehensive and proactive protection against evolving threats
Cyber Hygiene

Cyber Hygiene and Access control:

Findings

  • 52%/half of organisations allow users to have local admin rights
  • 50% of organizations do not review admin accounts periodically
  • Only 19% had a process to disable user accounts promptly when staff members leave
  • Shockingly, 69% used weak passwords, contrary to best practices

Implications

Allowing users to have local admin rights, is essentially giving all users the ‘keys to the castle’, risking security breaches, and with employee turnover increasing, it is surprising to find only 19% have the ability to quickly disable user accounts. This means ex-employees can access corporate networks, allowing them access critical data and files. With it, strong passwords are a simple, effective and rudimentary way of securing network access, without that, 69% of those assessed are wide open to the increasing threat vector.

Key actions

  • Implement Least Privilege Access: Restrict user accounts to the minimum level of access required for their role to minimize
  • Enforce Strong Password Policies: Mandate the use of complex passwords, encouraging a mix of uppercase, lowercase, numbers, and symbols for enhanced security
  • Establish User Account Management Processes: Develop and enforce processes for promptly disabling user accounts upon staff departure or role changes
  • Employee Training: Provide comprehensive cybersecurity training to educate users on secure practices and strong passwords
  • Regular Security Audits: Conduct periodic security audits to identify and rectify vulnerabilities in user account management and access control
Training

Training and Awareness:

Findings

  • 48% of organizations did not provide any form of cybersecurity awareness training for their end users.

Implications

Human’s are the weakest link in your defences. Neglecting employee cyber awareness training exposes an organization to heightened risks. Staff may inadvertently fall prey to phishing attacks, lack awareness of cybersecurity protocols, and become potential vectors for cyber threats. Investing in training is crucial to fortify the human layer of defense and mitigate security vulnerabilities.

Key actions

  • See John Scott’s Cyber Expo presentation on human error to understand more
  • Review providers and implement regular cybersecurity awareness training for employees
  • Simulate Phishing Exercises: Use simulated phishing exercises to test and educate employees on recognizing and avoiding phishing attempts to check your training is working
  • Promote Reporting Culture: Encourage a culture of reporting suspicious activities and mistakes, fostering a proactive stance against potential cyber threats

Conclusion:

The data collected from our cybersecurity risk assessment underlines the critical importance of robust cybersecurity measures in today's digital landscape.

Many organizations have significant room for improvement, particularly in areas like MFA, backup strategies, and endpoint security. Enhancing these aspects can mitigate risks, reduce vulnerabilities, and enhance overall cybersecurity.

4 Key take-aways

  • Prioritize the implementation of MFA across your organization, especially for VPN access.
  • Establish robust backup and disaster recovery strategies to protect against data loss and ransomware attacks.
  • Implement robust patch management practices for both operating systems and third-party applications.
  • Regularly review admin accounts and access control policies to maintain a strong security posture.

By acting on these recommendations, organizations can strengthen their cybersecurity defenses and reduce their exposure to an evolving threat landscape.

This report is based on a comprehensive cybersecurity risk assessment conducted by our technical consultant across more than 100 organizations. For more information on how to enhance your organization's cybersecurity, visit Probrand's Cyber Security Solutions.

Further Reading

This section provides valuable information on various aspects of cybersecurity, helping you better understand and protect your digital assets. It provides a useful set of Q&A’s compiled to help you understand the landscape and minimise cyber risk.

Conducting a cybersecurity risk assessment is a crucial step in understanding and mitigating potential security threats to your organization.

Here are the key steps involved:

  • Identify Assets: Begin by identifying all your digital assets, including data, hardware, and software.
  • Identify Threats: Identify potential threats and vulnerabilities that could affect your assets. These could include malware, insider threats, or external attacks.
  • Assess Vulnerabilities: Evaluate the vulnerabilities in your system, such as outdated software, weak passwords, or misconfigured settings.
  • Calculate Risks: Assess the potential impact and likelihood of each threat exploiting a vulnerability. This helps prioritize risks.
  • Risk Mitigation: Develop a strategy to mitigate the identified risks, which could include implementing security measures, employee training, and incident response plans.
  • Regular Monitoring: Regularly review and update your risk assessment to account for changes in your IT environment and emerging threats.

A phishing email is a fraudulent message that appears to be from a legitimate source, often with the goal of stealing sensitive information. It may contain:

  • Deceptive Links: Phishing emails often contain links that lead to fake websites, designed to collect your login credentials or install malware.
  • Malicious Attachments: They can carry attachments that, if opened, can infect your computer with malware.
  • Social Engineering: These emails typically use psychological tactics to trick you into divulging personal or financial information.

To get rid of phishing emails:

  • Delete: Don't open the email or click on any links or attachments. Delete it immediately.
  • Report: Most email clients have a "Report Phishing" option. Use it to notify your email provider.
  • Educate: Train your staff to recognize phishing emails to prevent them from falling victim.

If you open a phishing email:

  • Disconnect: If you click on a suspicious link or download an attachment, disconnect your device from the internet.
  • Run a Scan: Use antivirus software to scan your device and remove any malware.
  • Change Passwords: Change your passwords, especially if you entered any sensitive information.

A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, like the internet. Firewalls:

Firewalls:

  • Filter Traffic: They inspect data packets, blocking or allowing them based on specified criteria.
  • Block Unauthorized Access: Firewalls prevent unauthorized users and potentially harmful data from entering your network.
  • Log Activity: They record network activity, helping in analysis and incident response.
  • The three main types of firewalls are:
  • Packet Filtering Firewalls: These work at the network layer, filtering traffic based on packet information like source and destination IP addresses.
  • Stateful Inspection Firewalls: Operating at the transport layer, these keep track of the state of active connections and make decisions based on the context.

There are three main types of firewall as follows:

  • Packet Filtering Firewalls: Examines packets and allows or blocks them based on predefined rules.
  • Stateful Inspection Firewalls: Monitors the state of active connections and makes decisions based on the context.
  • Proxy Firewalls: Acts as an intermediary between internal and external network entities, forwarding requests on behalf of users.

A Virtual Private Network (VPN) encrypts your internet connection, providing anonymity and security. It's useful for protecting your data from eavesdropping on public Wi-Fi and accessing region-restricted content.

It depends on your needs. Some popular options include NordVPN, ExpressVPN, and CyberGhost. Choose one with robust security features.

While a VPN enhances your security, it doesn't offer complete protection against malware. You still need antivirus software.

Yes, you should use both antivirus and a VPN. Antivirus scans for malware on your device, while a VPN secures your internet connection.

Keep your VPN client up-to-date by following the instructions provided by your VPN service provider.

What is the meaning of MFA? MFA stands for Multi-Factor Authentication. It adds an extra layer of security by requiring users to provide two or more authentication factors before granting access.

MFA capable indicates that a system or service supports multi-factor authentication.

MFA is also referred to as Two-Factor Authentication (2FA).

MFA credentials are the various pieces of information or tokens used for authentication, such as passwords, fingerprint scans, or one-time codes from a mobile app.

Check your account settings within the specific service or application. If you've enabled MFA, it will show as active in your security settings.

Microsoft 365 (M365) is secure when configured correctly. Users should follow best practices, like enabling MFA and keeping software updated.

To enhance your Office 365 Security Score, follow Microsoft's recommendations for improving security, which often include enabling specific features and settings within the platform.

Backup involves creating copies of data for safekeeping, while recovery is the process of restoring data after a loss.

Backup involves creating copies of data to protect against loss. These copies are stored separately and can be used to restore the data in case of accidental deletion, corruption, or other issues.

Recovery refers to the process of restoring the data from the backup. Recovery is necessary when the original data is lost or compromised, and the backup copies are used to bring the system back to a functional state.

Backup and recovery software is designed to safeguard and restore data in case of loss or damage. It creates copies (backups) of data, allowing users to recover it in the event of accidental deletion, system failure, or cyber attacks. The software manages the backup process and facilitates the restoration of data to its original state.

They include Full Backup (complete data backup), Incremental Backup (only changes since the last backup), and Differential Backup (changes since the last full backup).

RTO, or Recovery Time Objective, is a crucial metric in disaster recovery and business continuity planning. It represents the targeted duration within which a business process or IT system must be restored after a disruption to avoid unacceptable consequences. Essentially, RTO defines the maximum allowable downtime for a particular function or system, guiding the recovery efforts to ensure a swift return to normal operations. Achieving a low RTO is vital for minimizing the impact of disruptions and maintaining business continuity.

Recovery Point Objective (RPO) is a critical parameter in disaster recovery and data protection. It refers to the maximum acceptable amount of data loss measured in time. In other words, RPO determines the age of the recoverable files in case of a data loss event. For instance, if a system fails at 2:00 PM, and the RPO is set at one hour, the recovery process should bring back the data as it was at 1:00 PM. Achieving a low RPO is essential for organizations, especially those dealing with sensitive or critical data, as it ensures minimal data loss during recovery.

Yes, recovery is possible with effective strategies, but the process varies based on nature and severity of attack. Key steps include:

  • Isolate and Investigate: Immediately isolate affected systems to prevent further damage. Conduct a thorough investigation to understand the extent of the breach.
  • Restore from Backups: If you have robust backup and recovery procedures in place, restore affected systems from clean backups to a state before the attack.
  • Patch and Strengthen Security: Identify and patch vulnerabilities that led to the attack. Strengthen overall security measures to prevent a recurrence.
  • Communicate Effectively: Communicate transparently with stakeholders, customers, and employees about the incident, steps taken, and preventive measures.
  • Incident Response Plan: Having a well-defined incident response plan is crucial. It outlines roles, responsibilities, and procedures to minimize damage and recover swiftly.
  • While recovery is possible, proactive measures like robust security practices, regular backups, and employee training can significantly reduce the impact of cyber attacks.

Strategies include identifying and containing the breach, eradicating malware, and restoring systems and data.

The time for recovery varies depending on the nature and extent of the attack, and the preparedness of the affected organisation. It could range from days to months. Stages to consider:

  • Immediate Response: Initial containment and assessment may take hours to days, depending on the scale.
  • Restoration: Restoring systems from backups could take days, especially if large amounts of data are involved.
  • Investigation: Investigating the incident thoroughly might extend the recovery time by days or weeks.
  • Infrastructure Strengthening: Implementing long-term security measures and improvements can take weeks to months.
  • Business as Usual: Full recovery to normal operations might span from weeks to several months.
  • Timely detection, a well-defined incident response plan, and proactive security measures can significantly reduce recovery times. However, the aftermath of a cyber attack often involves ongoing security enhancements and continuous monitoring.

Patching is the process of applying updates or patches to software or systems to fix security vulnerabilities and bugs.

It involves identifying vulnerabilities, developing patches, testing them, and applying updates to secure systems.

They include Security Patching (fixing vulnerabilities), Feature Patching (adding new features), and Bug Patching (fixing software bugs).

Endpoint security is a broader approach to protect devices and networks, while antivirus focuses solely on detecting and removing malware.

Effective data loss management involves regular backups, encryption, and implementing data loss prevention strategies.

They are Network-based DLP, Storage-based DLP, and Endpoint-based DLP.

Strategies include educating employees on security practices, encrypting sensitive data, and monitoring data access.