Cyber security
22.04.2021

Is your company’s cyber security up to standard, and are the risks mitigated?

It may seem to managers that their company’s or organisation’s cyber security is at the level it should be. Unfortunately, it often comes as an unpleasant surprise that this perception is wrong and that the situation is not nearly as good.

With all kinds of activities being carried out online in almost all sectors and companies, the question of whether all data is safe from prying eyes is becoming increasingly important.

Assessing the level of cyber maturity helps to see the big picture

This is where cyber maturity assessment (CMA) comes in handy – it helps to identify potential information security vulnerabilities in a company and what can be done better to ensure security.

According to Igmar Ilves, a cyber security expert at KPMG, when it comes to CMA, it does not matter whether it is used to assess a small company or a large organisation.

“People often think that if there is at least one IT specialist in the house, then cyber security is ensured. In fact, you have to think ahead and ask yourself what the consequences might be if your company’s only IT professional doesn’t have sufficient knowledge of cyber security, or what will happen if the IT specialist who does have relevant knowledge suddenly decides to change jobs, for example,” he explained.

However, this does not necessarily mean you should hire an additional IT specialist. “There are other ways to mitigate risks, such as keeping your documentation up-to-date,” Ilves pointed out. This means that the information about specific passwords or company-owned computers should be sufficiently detailed and clear.

Mapping the current situation begins with an interview with the client

To better assess a company’s or organisation’s information security posture, KPMG’s team in Estonia has developed an affordable service that provides an overview of the organisation’s capabilities for protecting its information assets and responding to cyber threats.

Ilves emphasised that this is not a traditional IT audit but a service focused on a wide range of security aspects, based on the specific characteristics of the client and the information collected from them. This is done through an interview with the client’s employees, who are asked questions about the company’s current safeguards.

Ilves stressed that the most important thing is to answer the questions as honestly as possible and to describe the situation exactly as it is; this helps create a clear and concrete picture of the company’s current information security posture, particularly because the assessor will not ask for evidence to back up the described operations or the responses given.

Plan, protect and prevent

As mentioned above, the key activity of the assessment is an interview with the client, which usually takes between one and a half and two hours and comprises four focus areas.

The first area addressed is planning: how the company plans its information and cyber security activities, raises security awareness, and assigns responsibilities to management and other key personnel.

The assessment then examines the specific protection and prevention measures in place to safeguard the company’s most important assets.

Questions on detection and response are aimed at determining whether measures have been taken to detect cyber-attacks and other threats and what those measures are.

The section on recovery examines what measures are in place to restore the company’s business operations following a potential cyber-attack or other unanticipated negative events.

Conclusions drawn from CMA

Igmar Ilves emphasised that all interview questions are based on international standards and best practices in the field, resulting in a separate assessment for each focus area and a final aggregate score.

“Without mentioning any names, we will also give the client an idea where their company stands compared to other companies in Estonia,” Ilves added.

According to the expert, companies that perform IT auditing and security testing on a regular basis and have already implemented certain standards and information security frameworks fare better in the assessment.

“Generally, clients tend to think that their company’s situation is better than it actually is. However, the results of a cyber maturity assessment often confirm the opposite,” Ilves said.

Problems are largely similar

Ilves highlighted the lack of robust safeguards and the absence of a risk-based approach and regular IT audits as the main reasons companies’ information security scores are often lower than expected.

“Often, a company also lacks a clear and simple overview of its information assets, i.e. standard documentation. The latter often contains outdated data,” he said.

“Should a key person leave and be replaced with a new employee, they will often not know where certain information is stored. This problem could be avoided by having internal rules and up-to-date documentation,” Ilves added.

Assessments take into account the specific characteristics of the company

As problems often start with the weakest link in information security, i.e. a human being, all employees who deal with security issues on a daily basis should be involved in the interview. To ensure this, the questions that the assessor will ask are sent to the company before the interview takes place.

Cyber maturity assessment recognises that every company and organisation is different – and this will be taken into account in the final evaluation.

“The aim is to map the actual situation in order to understand where the company could do better and what its biggest risks are at the moment,” the cyber security expert said.

After the assessment, an analysis of the results is presented to the company’s representatives, and a report is drawn up, which, in addition to the assessment, sets out an action plan to improve the current situation.

“It is important to understand that this is not an in-depth analysis or an IT audit, but a general and comprehensive assessment, which depends largely on the responses received from the client,” Ilves stressed.

So, although people are the weakest link in information security, they are also a company’s greatest asset because the information they provide is essential for mitigating information security risks.


Igmar Ilves
Senior Cyber Security Advisor
KPMG Baltics OÜ
