Mihkel Kukk: A survey, which we carried out with the Estonian business daily Äripäev, shows that companies consider their situation good. This may be because there is not very much information available based on which they can assess their current state of information security. Businesses often assume that everything must be fine because nothing has happened. However, they do not necessarily have many supporting facts or arguments.
Our experience shows that an audit or testing may reveal all kinds of issues the company was unaware of. In other words, the actual situation is often slightly different from the perceived one.
Igmar Ilves: Even if a company does not think that its information security posture is perfect, they still tend to believe that its level is satisfactory. This may be because the company thinks that there haven’t been any incidents. But here’s the thing with security incidents: not all of them are detected.
Indeed, many criminals want to hack into your system so that you will not notice it at all, or at least not immediately. Looking at the underwater part of the iceberg will show the actual situation and whether there have been any incidents. In real-life situations with clients, we've seen that even though everything looks fine on the surface, there are footprints, so to speak, which prove that someone has actually hacked into their system.
In short, it's generally believed that the security posture is better than it actually is, although it depends on the company, as the situation is better in some areas than others. But the general tendency is that if nothing has happened, people think that everything is fine.
Kukk: I would rather say that there has been a shift in awareness. This is reflected in KPMG’s globally conducted surveys, which show that company managers have already become aware of cyber security risk as one of their key risks. However, it is a bit like in the field of investment, where awareness and actions don’t necessarily match. While everyone knows that it’s important to invest, not everyone has taken action. Even if a company has classified cyber threats as its number one risk, this is often not followed up adequately by relevant actions.
Kukk: The most cost-effective way to identify the biggest deficiencies is through a cyber maturity assessment (CMA). This is one of the main objectives of our CMA service – to show clients where they should start enhancing their information security. In some companies, the situation may indeed be very good: all procedures are documented, and policies and regulations are in place, but recovery, for example, is neglected. Through a CMA, you will find out in which area(s) you may have the largest gaps and which areas should be tackled next.
Maturity assessment is similar to an IT audit, but it is simpler, quicker and cheaper for companies. A regular IT audit based on ISO 27001 is many times more costly. A CMA would serve as a basis for planning the budget and the next activities, be it implementing new technology, penetration testing, introducing additional software, or something else. It will help you get the big picture and plan your next steps.
Kukk: One of the differences is that when assessing the level of maturity, we don’t collect evidence, as we assume that it's in the company’s interests to provide adequate and truthful information. On the other hand, an IT audit requires us to look for real evidence to back up each argument so that it can be included in the report. Anyone who wants to assess their level would have no motivation to embellish the situation; otherwise, the service would not make much sense.
An IT audit requires collecting considerably more evidence, and drawing up a report will therefore be more time-consuming, hence a higher cost of the service. A penetration test is going one step further – it is a much more technical service where one has to understand what will be tested and why. There is no point in testing just anything. This work involves competent penetration testing specialists and is quite expensive.
It is always reasonable for a company to conduct a risk assessment at some level. You need to look at the company as a whole, analyse its business processes and impact assessments – this usually takes more time and resources. This is not something that larger companies can do quickly. It is usually a matter of months, but for some larger organisations even a matter of years to conduct a more extensive and in-depth analysis and review the risks.
Ilves: Once a company is aware of the importance of cyber security, the next question will be in which area they should invest resources. Companies often have competent employees, such as a Chief Information Security Officer or a Chief Information Officer, who would know where resources should be allocated to enhance cyber security. Our experience shows, however, that these decisions are sometimes made based on people's gut feeling.
This is where CMA – the information and cyber maturity assessment – can help a company’s key personnel. We will hold an interview with them where they will provide us with the necessary information as honestly as possible. By analysing the information received, we will get an indication of the areas in which the client could allocate funds in the future.
But as I said, we don’t collect any evidence, and consequently, the results of a CMA cannot be perfect. Yet it is certainly better than spending money randomly or doing nothing. We’ve had cases where the company being assessed thought its systems were well protected. A penetration test showed, however, that this was not the case, quite the opposite, and we essentially had to take over their systems from day one. This does not make the CMA service any worse, however. Indeed, we always take into account that the results of a CMA may be misleading as the company’s key personnel may not be aware of all the shortcomings.
The CMA service is certainly valuable, and its price and speed of delivery are attractive compared to alternative services. A CMA is better than randomly testing some systems just to tick them off the list. Such an approach would not be cost-effective. Understandably, companies want to cut costs, so they need to allocate their resources to where the risks are the greatest. This is where the CMA service can be very helpful.
Ilves: As regards IT auditing, IT risk assessment and technical security testing, we follow a hands-on approach, i.e. we conduct interviews with a company’s staff, check the effectiveness of its security measures, break down its systems, review configurations, etc. CMA, on the other hand, is simpler because it is based on interviews only. We have five different focus areas and more than a hundred questions that essentially cover the stages of preparing for security incidents.
The first focus area to be covered when starting a CMA is planning. This includes questions on information security policy and governance. Next, we will focus on protection, where we address specific security mechanisms, both in the area of IT and in the context of physical security, for example. However, if an incident does occur, the next step will be to detect it as soon as possible. At this stage, we will discuss how to detect an incident when it has passed the company’s lines of defence. This is why the third stage is called ‘detection’.
The next focus area is response, where we analyse, among other things, whether the company has defined a set of responsibilities and procedures for incident management. This means, for example, that if you get a call in the middle of the night about a detected server intrusion, then what will happen next: who will be contacted and how quickly, who will arrive at the incident site, who will manage the incident, etc. In our interview, we ask whether the client has developed different scenarios for various situations.
The final part of the assessment focuses on restoring the previous situation, hence the title of the focus area – ‘recovery’. If, for example, a server has been attacked and taken down, we will check whether the company has documented who needs to restore the service and how quickly.
So these five focus areas cover all the stages of preparing for a cyber-attack. There are many questions on each topic, and the more honestly the client can answer, the better. The questions are based on a range of international standards and best practices and cover all key aspects of information security.
Once this two-hour interview is done, we will analyse the responses received. If any questions remain open, we will contact the client again. Some questions have a yes/no answer, but not all. We also take into account the specific characteristics of a particular client. For example, some security measures may not be 100% operational, but to the extent of, say, 80%.
Once we have conducted the interview, covered all the focus areas and analysed the responses received, we will produce a report based on the above. It is divided into several parts. First, we will determine an aggregate score based on the results achieved in each of the five focus areas, with 0% being the worst possible and 100% the best possible score. According to the percentage obtained, the aggregate score will be evaluated as ‘very good’, ‘good’, ‘satisfactory’ or ‘with deficiencies’.
The aggregate score provides a relatively simple and clear indication of the company’s overall information security posture. The aggregate score also indicates the client’s ranking among similar companies in terms of information security. Let’s assume that a company receives an aggregate score of 65%, but the average aggregate score of competing companies is around 75%. This shows the company that they will certainly have to improve their posture.
Next, we will look at the individual results for the five focus areas I mentioned earlier, i.e. planning, protection, detection, response and recovery. Similarly to the aggregate score, the results of each of these focus areas are expressed as a percentage.
While determining the aggregate score and the individual scores for each focus area, we make sure that we take into account the specificity of the company, i.e. its field of activity, size and other aspects.
Incidentally, the number of companies who have received a CMA evaluation of ‘very good’ is rather small, between one and five percent of our clients.
The final chapter of the report contains recommendations to the company on how to improve its security posture. This is where we highlight the main issues and the actions that should be taken to improve the situation.
For example, sometimes we can see, based on the CMA results, that the company has an information security policy in place and it has defined the corresponding procedures and processes, but the company’s staff does not actually follow these. Then we can make recommendations to improve the situation and provide an estimate of how much time and money it could take to implement them.
To sum up, the CMA interview and the resulting report will address all major focus areas of information security and cyber security, providing a descriptive assessment of the company’s current information security posture as well as recommendations for the next steps to be taken in this area.
Ilves: Well, we could say that the questions should go to the Chief Information Officer or the Chief Information Security Officer, but we do not necessarily know the exact positions in the client’s company/organisation and how the responsibilities are allocated. We meet many of our clients for the first time while providing the CMA service. Our approach is to send all the questions in advance and ask the client to involve the members of staff who are in a position to answer them.
As there are quite a few questions and areas, one person often cannot cover them all. It is up to the company to identify the staff with relevant competence, e.g. system administrators, someone responsible for physical security, etc.
Ilves: The interview is quite intense, but it is based on KPMG’s methodology and is of high quality, as the interviewers are experts in their field. The questions are fairly detailed. It takes two hours or a little longer.
The client may also send us some of the answers before the interview, but it is not a requirement as far as the methodology is concerned. The purpose of sending the questions to the client before the interview is for them to know what to expect. For example, the CIO may not know the answers to all the questions, but they would have specialists in their team who would be much more knowledgeable about a specific topic. In this case, the CIO will either involve the person in the interview or get their answers in advance.
Ilves: We have designed the questions in a way that ensures that all companies will benefit, regardless of their size. For example, in some cases, we include alternative questions. Many companies outsource IT management to a contractor, and they don’t have their own IT people. We take this into account and leave some of the questions out if they have IT people in-house. Generally speaking, it does not matter whether a company is small, medium or large – we take their size into account when conducting interviews.
Kukk: Should further questions arise during the analysis of the interview results, we will get back to the client. Once the report has been finalised, we will share it with the client, and there will also be an opportunity to discuss the results together. This will help the client to better understand the vulnerabilities that have emerged during the analysis.
Ilves: It is both. Processes and people are looked at under the focus area of planning. The area of protection, on the other hand, covers fairly technical questions, for example, regarding multi-factor authentication, VPN or routers.
Kukk: The interview is based on various international standards, which cover these different areas. Some may be very technical, while others are more focused on processes or people. We do not go into too much detail, but we do get an indication of whether certain areas have been addressed in a company and to what extent. Sometimes it can turn out that some processes have been implemented but not properly documented, for example. Even if the solution in place is only partial, we will at least get an idea of the current situation.
Ilves: Under the focus area of planning, we ask, for example, about information security management, risk assessment, and hardware and software inventories. Technical measures are dealt with under the area of protection. For example, there are several questions regarding malware prevention, application security, data protection, security of email and internet use, etc.
Some questions are optional, such as those regarding the wireless network, because many businesses do not use it as their main network but it is only used by guests. Detection includes the monitoring and analysis of logs, the detection and analysis of security vulnerabilities, as well as conducting cyber-attack tests. Response deals with how preparations are made for security incidents and how the incidents are managed. Recovery concerns, among other things, recovery capabilities and back-ups.
After analysing all the answers, we will gain some insight into the company. Based on that, we can highlight ten key problem areas. Our job is not just to point out shortcomings but also to explain why addressing them is important.
We will present this report to the client if they wish. Additional questions may arise during the presentation, and the discussion will add value to the report. In addition, the report includes a recommended action plan outlining specific prioritised tasks and indicative time and costs involved.
Ilves: As a rule, companies have no information security policy in place, or it is incomplete. In addition, there are not very many companies that have carried out an IT risk assessment. Small companies, in particular, don’t understand the importance and benefits of a risk assessment. Almost after each interview, such clients note that we drew their attention to shortcomings that were right in front of them but which they had not noticed.
For example, a small e-commerce company may have only one IT specialist who may leave the company or fall ill unexpectedly. This is a big risk for such a company. So what to do? One possible risk mitigation measure would be to document all relevant information: the location of IT equipment, a description of connections, the management of users’ access rights, the location of emergency instructions, etc. This will prevent the only IT professional from taking all their knowledge with them when they decide to leave the company.
A fairly common problem in large companies, on the other hand, is that they often outsource the management of IT services and assume that their service provider will also take responsibility for IT security. Very often, this is not the case, however. The reality is that the company only receives the service that was agreed upon with the other party in return for an agreed fee.
When a company outsources IT services management, the contractor will do exactly that – grant user rights, install computers, etc. Although security is guaranteed to some extent, the contractor does not deal with IT security in a proactive and comprehensive manner unless this has been specifically agreed in the respective cooperation agreement.
Ilves: The first reaction is often silence. They will think about the issues they hadn’t been aware of but which emerged during the CMA. There are clients from whom we will never hear again, but there are also clients who will contact us, say, in six months and wish to improve their situation. The reactions are different. Having said that, we have designed the service in a way that does not necessarily require any follow-up on our part. The report on its own is sufficient in terms of the value it provides.
Kukk: The reactions depend on how the company perceives the importance of IT security and whether they can find resources to address it. Most of the follow-up activities require human or financial resources. The fact that the company becomes aware of the risks does not necessarily lead to concrete actions to tackle them.
Our aim is to show what the current situation of the company is. It is up to the company whether it will purchase additional services and what kind of services it considers relevant.
Calculating the aggregate score of cyber maturity