This is where cyber maturity assessment (CMA) comes in handy – it helps identify where a company's information security is weak and what can be done better to secure it.
According to Igmar Ilves, a cyber security expert at KPMG, when it comes to CMA, it does not matter whether it is used to assess a small company or a large organisation.
“People often think that if there is at least one IT specialist in the house, then cyber security is ensured. In fact, you have to think ahead and ask yourself what the consequences might be if your company’s only IT professional doesn’t have sufficient knowledge of cyber security, or what will happen if the IT specialist who does have relevant knowledge suddenly decides to change jobs, for example,” he explained.
However, this does not necessarily mean you should hire an additional IT specialist. “There are other ways to mitigate risks, such as keeping your documentation up-to-date,” Ilves pointed out. This means that records of which accounts and credentials exist, who is responsible for them and where they are kept, as well as an inventory of company-owned computers, should be sufficiently detailed and clear (the passwords themselves belong in a password manager or similar secure store, not in the documentation).
Mapping the current situation begins with an interview with the client
To better assess a company’s or organisation’s information security posture, KPMG’s team in Estonia has developed an affordable service that provides an overview of the organisation’s capabilities for protecting its information assets and responding to cyber threats.
Ilves emphasised that this is not a traditional IT audit but a service focused on a wide range of security aspects based on the specific characteristics of the client and the information collected from them. This is done through an interview with the client’s employees, who will be asked questions about the company’s current safeguards.
Ilves stressed that the most important thing is to answer the questions as honestly as possible and to describe the situation exactly as it is, as this will help create a clear and concrete picture of the company’s current information security posture, especially as no evidence will be requested to substantiate the practices described or the answers given.
As mentioned above, the key activity of the assessment is an interview with the client, which usually takes between one and a half and two hours and comprises four focus areas.
The first one to be addressed is planning, which focuses on planning a company’s information and cyber security activities, raising security awareness, and the responsibilities of management and other key personnel.
Next, we will examine the specific measures related to protection and prevention with regard to safeguarding the company’s most important assets.
Questions on detection and response are aimed at determining whether measures have been taken to detect cyber-attacks and other threats and what those measures are.
The section on recovery examines what measures are in place to restore the company’s business operations following a potential cyber-attack or other unanticipated negative events.
Igmar Ilves emphasised that all interview questions are based on international standards and best practices in the field, so that each focus area receives its own score in addition to a final aggregate score.
“Without mentioning any names, we will also give the client an idea where their company stands compared to other companies in Estonia,” Ilves added.
According to the expert, companies that perform IT auditing and security testing on a regular basis and have already implemented certain standards and information security frameworks fare better in the assessment.
“Generally, clients tend to think that their company’s situation is better than it actually is. However, the results of a cyber maturity assessment often confirm the opposite,” Ilves said.
Ilves highlighted the lack of robust safeguards and the absence of a risk-based approach and regular IT audits as the main reasons companies’ information security scores are often lower than expected.
“Often, a company also lacks a clear and simple overview of its information assets, i.e. standard documentation. The latter often contains outdated data,” he said.
“Should a key person leave and be replaced with a new employee, they will often not know where certain information is stored. This problem could be avoided by having internal rules and up-to-date documentation,” Ilves added.
As problems often start with the weakest link in information security, i.e. a human being, all employees who deal with security issues on a daily basis should be involved in the interview. To ensure this, the questions that the assessor will ask are sent to the company before the interview takes place.
Cyber maturity assessment recognises that every company and organisation is different – and this will be taken into account in the final evaluation.
“The aim is to map the actual situation in order to understand where the company could do better and what its biggest risks are at the moment,” the cyber security expert said.
After the assessment, an analysis of the results is presented to the company’s representatives, and a report is drawn up, which, in addition to the assessment, sets out an action plan to improve the current situation.
“It is important to understand that this is not an in-depth analysis or an IT audit, but a general and comprehensive assessment, which depends largely on the responses received from the client,” Ilves stressed.
So, although people are the weakest link in information security, they are also a company’s greatest asset because the information they provide is essential for mitigating information security risks.
Senior Cyber Security Advisor
KPMG Baltics OÜ