Cyber security
26.09.2021

Assessing the level of cyber maturity helps to see the big picture

Is your company’s cyber security up to standard, and are the risks mitigated? Often, it may seem to a manager that the company’s cyber security level is as it should be. Unfortunately, this is frequently a misjudgement, and the actual situation is not quite as good. KPMG’s management journal Foorum discussed this topic with KPMG’s cyber security expert Igmar Ilves.

Today, most transactions are done via the Internet, so it is increasingly important to make sure that your data is safe from prying eyes. This is where cyber maturity assessment (CMA) comes in handy – it helps to identify potential vulnerabilities and what can be done better to ensure security.

According to Igmar Ilves, when it comes to CMA, it does not matter whether an organisation is small or large. “People often think that if there is at least one IT specialist in the house, then cyber security is ensured. In fact, you have to think ahead and ask yourself what the consequences might be if that one IT professional doesn’t have sufficient knowledge in the field of cyber security, or what will happen if they have all the knowledge but suddenly decide to change jobs,” Ilves says.

This does not necessarily mean that you should hire an additional IT specialist. According to Ilves, there are other ways to mitigate risks, such as keeping your documentation up-to-date so that the information about specific passwords or company-owned computers is sufficiently detailed and clear.

Mapping the current situation begins with an interview with the client

To better assess a company’s or an organisation’s information security posture, KPMG’s Estonian cyber security team has developed an affordable service that provides an overview of your company’s capabilities for protecting information assets and responding to cyber threats.

This is not a traditional IT audit but a service focused on a wide range of security aspects based on the specific characteristics of the client and the information collected from them. This is done through an interview with the client’s employees, who will be asked questions about the company’s current safeguards.

Ilves stresses that the most important thing is to answer the questions as honestly as possible and to describe the situation exactly as it is, as this will help to create a clear and concrete picture of the current information security posture. It is not necessary to provide evidence to back up described operations or responses.

Plan, protect and prevent

The key activity of the assessment is therefore the interview with the client, which usually takes between one and a half and two hours and covers four focus areas.

The first one is planning, which focuses on planning a company’s information and cyber security activities, raising security awareness, and the responsibilities of management and other key personnel.

Next, we will examine the specific measures related to protection and prevention as regards safeguarding the company’s most important assets.

Questions on detection and response are aimed at determining whether measures have been taken to detect cyber-attacks and other threats and what those measures are.

The section on recovery examines what measures are in place to restore the company’s business operations following a potential cyber-attack or similar incident.

Conclusions drawn from CMA

All interview questions are based on international standards and methods used in the field, resulting in a separate assessment for each focus area and a final aggregate score. “Without mentioning any names, we will also give the client an idea of where their company stands compared to other companies in Estonia,” Ilves says.

He adds that companies that perform IT auditing and security testing on a regular basis and have already implemented certain standards and information security frameworks fare better in the assessment.

“Generally, clients tend to think that their company’s situation is better than it actually is. However, the results of a cyber maturity assessment often confirm the opposite,” Ilves says.

Assessments take into account the specific characteristics of the company

Problems often start with the weakest link in information security, i.e. a human being, so all employees who deal with security issues on a daily basis should be involved in the interview. The assessor sends the questions to the company before the interview.

Cyber maturity assessment recognises that every company and organisation is different. “The aim is to map the actual situation in order to understand where things could be improved and what the biggest risks are,” the cyber security expert explains.

After the assessment, an analysis of the results is presented to the company’s representatives, and a report is drawn up, which, in addition to the assessment, includes an action plan to improve the situation. “It is important to understand that this is not an in-depth analysis or an IT audit, but a general and comprehensive assessment, which depends largely on the responses received from the client,” Ilves stresses.

So, although people are the weakest link in information security, they are also very valuable because the information they provide is essential for mitigating security risks.


Igmar Ilves
Senior Cyber Security Advisor
KPMG Baltics OÜ
