With increasing digitalization and more complex IT environments, it is becoming more and more difficult for companies to maintain an overview of the status of their information security and possible IT risks. In order to help companies pragmatically achieve the necessary transparency in this matter, we have developed the usd Cyber Security Check based on our many years of experience as auditors.
Jan Kemper, Managing Consultant at usd AG, has been advising and auditing companies of various sizes and from various industries on payment and IT security issues for many years. We asked him about the importance, procedure and best practices of the Cyber Security Check.
Jan, why is it important to you to help companies gain more transparency in their own cyber security?
Jan Kemper: A general and comprehensive overview of their own IT risks and vulnerabilities is incredibly important for companies. Only those who know these can identify effective countermeasures. Otherwise, a company restricts its security measures to individual areas and processes, ignoring critical IT risks.
There are, of course, numerous contractual or regulatory requirements that oblige companies to regularly review their information security and data protection processes. However, these are usually rather specific and thematically selective. I would therefore definitely recommend every company to cover the IT landscape as broadly as possible and also to shed light on areas that are not covered by external requirements. For this reason, we have decided to offer such an audit of the general security level for companies with the Cyber Security Check.
You talk about IT risks in particular. In your experience, why is it worth taking a detailed look at IT processes?
JK: Nowadays, IT processes and business processes are closely intertwined in companies. If risks in the IT environment are not addressed, these business processes can be severely impaired. Ransomware, for example, can cause long-term outages that have a significant negative impact on critical business processes for the affected company.
How do you approach a Cyber Security Check for businesses?
JK: Our Cyber Security Check consists of assessments and workshops. Since every company is structured differently, there can be very different reasons for a check and the objectives can vary accordingly. The basis for each check is therefore first a workshop in which we define the objectives together with the customer. Based on this, the scope of the cyber security check can vary greatly. Typical questions include: Should subsidiaries also be included and possibly the subsidiary of the subsidiary? To what depth should the check be carried out in each case?
Following the audits themselves, we categorize all identified risks and prioritize them depending on their respective criticality. We present this result to the company and coordinate the next steps with the contact persons.
What are the specific audit objectives and subject areas of a cyber security check?
JK: Based on the company’s objectives, we bring individual recommendations on which categories and dimensions should be audited. Based on our long experience in the consulting and audit environment, we have selected suitable best practices and controls from various internationally recognized standards that best reflect the objectives of the check.
The recommended criteria can be supplemented by the customer’s security policy, if required, so that the audit can be performed specifically against this. Either this makes up the largest part of the audit catalog or a combined approach of the internal guidelines and external best practices is agreed upon.
Are there any topics that are particularly relevant for each company?
JK: For an initial basic check, I generally recommend covering the topics of asset management, service provider control and continuous vulnerability management. This means that both technical and organizational measures are taken into account. As a rule, I also advise including awareness measures and checking the handling of privileged accounts. In addition, there are reviews of the configuration of systems and software development for security aspects.
In certain cases, however, a different approach is recommended, focusing on specific topics such as business continuity or disaster recovery. We then examine these topics in particular depth.
Why should a company opt for a Cyber Security Check instead of one of the well-known information security certifications such as ISO 27001?
JK: This depends on the goal or rather the motivation of the company for the audit. If the primary objective is to identify prevailing top risks, for example, it is not necessary to establish a complete information security management system as required by ISO 27001 certification. The Cyber Security Check helps the company to determine the status quo of its IT risks – flexibly and without a limited scope or catalog of tests.
Of course, this does not preclude combining both objectives. A cyber security check is a very good way for companies to get an initial impression of how they are already positioned for certification planned in the medium term. If desired, we can address the goal of a future certification in the workshop and then align some of the test criteria of the Cyber Security Check with it.
What happens next for companies after the check?
JK: What happens next depends primarily on the results and the initial goal. As a follow-up to the check, we can, for example, develop targeted measures for identified weak points or design a cyber security strategy based on the results, or review the existing strategy. It is also a good idea to repeat the cyber security check at a later date to verify progress or confirm that previously identified risks have been eliminated or reduced. All these measures contribute to anchoring cyber security in the company in the long term.
In the usd webinar “Status Check of Your Cyber Security“, Jan Kemper shared his practical experience and showed possible approaches and procedures for the Cyber Security Check. You can find the recording here.