Why every business should have an independent security assessment
With cyber-attacks taking place weekly and our data constantly being misused, you’d be right in thinking that it’s a scary digital world out there.
In my work with many big corporations, to keep them safe, I ask them to follow one golden rule… use independent and agnostic consulting.
But what does that actually mean in today’s digital landscape?
Firstly, it means using a company that is not influenced or controlled by others, especially vendors. You must take a hard stance on this to ensure that all advice provided is without bias.
Secondly, it means using a company that makes its own decisions on their own merit, not because a particular vendor or third party is feeding that company information to influence your decisions.
It’s also important that the company is not aligned with vendors or third parties, and that it does not sell any products as part of its business. A consultancy that resells a product has a reason to recommend it.
At Thomas Cyber our advisory is based on threat and risk modelling. We don’t use compliance checklists (or any other list) that can be turned into a shopping list for future work.
We can sit down and have those hard conversations with anyone because our number one priority is about protecting your business.
Recently The Australian National Maritime Museum was hit by a ‘trusted insider’ attack.
One of the many insights for this year is that the ‘trusted insider’ is one of the biggest threats for 2023. In the museum’s case, the insider was allegedly the trusted IT provider, who is accused of changing the bank account details used in the organisation’s payment processes so that money was sent to their own accounts.
The total amount taken was allegedly $90,000. Maybe not a large amount to a big corporation, but if you’re a small business, it could cripple you.
And what does it say when you can’t even trust your IT vendor to do the right thing?
While IT companies and cyber security companies are often thought of as the same thing, they are quite different.
IT companies provide products and services to support your digital needs. They also provide antivirus and other security tools as part of their offering, but these tools are not cyber security. They are merely tools that solve a particular issue and protect a specific information-based business requirement.
Specialty cyber security companies specialise in assessment, validation and assurance activities through a risk management process.
Selecting the right cyber security company can be difficult, as most of these organisations offer products as well. How can there be any impartiality when they have vendors they are associated with?
This is why you need an independent security assessment of your digital environment. That’s the only way you’re going to know the real posture of your IT environment.
Having an IT provider mark their own homework will inevitably lead to bad outcomes. Let’s face it: who is going to admit they’re doing the wrong thing when they’ve just finished telling you that they are experts in what they do, and you’ve handed over a large sum of money?
An independent security assessment provides your organisation with the following:
1. Understanding the context and scope of the IT environment: context is king, and it allows you and the organisation to understand how at risk your digital assets and information are.
2. Identifying the real threats to your organisation: not just what’s missing in terms of hardware and software, which is what most free IT security assessments provide.
3. A documented list of risks, with the associated recommendations to increase the security posture of your IT environment.
Once the assessment is completed, implementing the recommendations in your existing IT environment is what actually increases its security posture. An assessment that is filed away changes nothing.
Sounds expensive right?
Wrong. When you employ someone who specialises in performing this service, it can be undertaken effectively and efficiently, and it will be the best investment you ever make, knowing that the fate of the Australian National Maritime Museum won’t become yours.