Below are the top five common threats and associated vulnerabilities that IT Governance consultants have encountered during the cyber reviews and cyber health checks that they have conducted so far in 2017:
1. Inadequate protection of data
- Stored on unsecure or unsuitable platforms;
- Not encrypted in storage or transit; and
- Not securely disposed of.
In addition:
- Organisations don’t know what data they hold or where it is stored.
- Access controls are poor.
- Staff are often unsure of how to handle different types of data.
- There are no data exfiltration controls.
- The overriding attitude towards the General Data Protection Regulation (GDPR) is one of “GDPR what?”
2. Inadequate incident management
- Poor incident detection capabilities;
- No incident reporting process; and
- No simple incident response plans.
In addition, staff are unsure of who to report incidents to.
3. Third-party risk
Organisations do not:
- Address or assess risks from third-party suppliers; or
- Carry out regular audits on their third-party suppliers.
In addition:
- Some suppliers have unlimited access to resources and data.
- Suppliers’ employees are not security vetted.
- Confidentiality and non-disclosure agreements are non-existent.
4. Inadequate technical defences
- Out-of-date or inadequate vulnerability patching;
- End-of-life hardware;
- Poorly configured security hardware and anti-virus software;
- Unsecure networks;
- No penetration testing or vulnerability scans conducted; and
- Inadequate network perimeter and device monitoring.
5. Inadequate training
- No or inadequate security training for staff;
- A lack of staff security awareness communications; and
- No updates warning staff of the current threats.
Where to start
The list goes on, and in our experience many organisations are still not getting these basics right. So where do you start? To avoid making the same mistakes, you should schedule an evaluation of your current cyber security posture.
Engaging IT Governance to conduct a Cyber Review or Cyber Health Check will allow us to flush out your organisation’s cyber risks, vulnerabilities and threat exposure, and provide you with recommendations for improvement.
- Cyber Review: Evaluate your cyber security risk posture with this entry-level cyber review. It includes an evaluation of your organisation’s cyber security posture and a documented summary of recommendations for improvements.
- Cyber Health Check: Easily identify your current cyber risks with our on-site cyber health check. This three-phase Cyber Health Check combines on-site consultancy and audit, remote vulnerability assessments and an online staff questionnaire to identify your current cyber risks, covering people, processes and technology.