Cybersecurity

Security relates to the protection of valuable assets against loss, misuse, disclosure or damage.  In this context, “valuable assets” are the information recorded on, processed by, stored in, shared by, transmitted or retrieved from an electronic medium.

The information must be protected against harm from threats leading to different types of vulnerabilities such as loss, inaccessibility, alternation, or wrongful disclosure.  Threats include errors and omissions, fraud, accidents, and intentional damage.  In order to protect the information from threats,  you need to form a layered series of technological and non-technological safeguards such as physical security measures, background checks, user identifiers, passwords, smart cards, biometrics and firewalls.  These safeguards should address both threats and vulnerabilities in a balanced manner.

The objective of information security is “protecting the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity”.  While emerging definitions are adding concepts like information usefulness and possession – the latter to cope with theft, deception, and fraud – the networked economy certainly has added the need for trust and accountability in electronic transactions such that for most organizations, the security objective is met when:

• Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from failures (availability);
• Information is observed by or disclosed to only those who have a right to know (confidentiality);
• Information is protected against unauthorized modification (integrity);
• Business transactions as well as information exchanges between enterprise locations or with partners can be trusted (authenticity and non-repudiation).

From:  ‘Information Security Governance: Guidance for Boards of Directors and Executive Management’ (IT Governance Institute)

So how do you know if you are doing enough to manage our cyber risk to a reasonable level? This is not an easy question to answer without a bit of unpacking. The three important factors for you to ask yourself are:

Your cybersecurity posture can be a complex network of controls and security systems put in place to keep your assets safe and secure. We can help you understand your existing cybersecurity posture within the context of your business strategy and priorities so that you can build a more robust cybersecurity system. The first step is to appraise your current systems. A cybersecurity risk assessment tool can get you started.

The depth of cybersecurity risk assessment should match the size and complexity of your business and systems. 

For many small to medium organizations with less formal processes and controls, Welch offers an easy to complete cybersecurity self-assessment based on the well-known NIST Cybersecurity Framework and the Centre for Internet Security (CIS) Critical Security Controls.  This cybersecurity assessment is user friendly, asks questions in easy-to-understand language, and usually takes less than twelve hours to complete.  We will support you throughout this self-assessment by helping you plan the assessment, interpret the questions, and review your findings and recommendations. We will work with you from beginning to end, so you can begin to make improvements based on the cyber risks that matter to you. 

If you have a larger, more complex business and technology environment, Welch provides cybersecurity evaluation, audit, testing, and roadmap development advisory services that we will customise to your specific business, risk and compliance concerns and requirements.