THREAT – INDUSTRY & PROFILE
Q1. What industry are you in?
Context:
Different industries have different risk profiles. While industries like defence or financial services present obvious targets for a range of attackers, many other industries are also significant targets.
NB: Risk profiles have been determined by reference to recent industry data from reputable sources such as the Australian Cyber Security Centre Threat Report and the Verizon Data Breach Investigations Report.
Q2. What is the size of your company in terms of staff numbers (including contractors)?
Q3. What is the size of your company in terms of revenue?
Context:
The size of your company in terms of staff numbers has an impact on your ‘attack surface’, and the size of your company in terms of revenue is a reasonable proxy for how visible your organisation is in the market and the likelihood that someone will target you.
Q4. Is there anything exciting happening in your business that would make you an interesting target for attackers?
Context:
When assessing the likelihood of your organisation being attacked, one of the key questions to ask is simply “why would it happen?” Often the answer will be financial gain. The question then becomes how that financial gain would be obtained. On the mass-market side you will have ransomware and related attacks, but on the targeted side you may have attacks aimed at obtaining information to facilitate insider trading, or indeed corporate espionage. It is worthwhile keeping an awareness of how “interesting” your organisation appears in light of its current projects and initiatives.
THREAT – INNOVATIONS & DATA
Q5. If you were to be hacked, how concerned would your customers / external partners be about the information the hacker would have access to?
Q6. Does your business hold information that belongs to other parties (e.g. your customers or your business partners)?
Context:
While question 4 is focused on the value of your business itself, it is also important to consider the value of the data you hold, and in particular its value to your customers (rather than to your organisation). The more sensitive data you hold, the more likely it is that you will be targeted.
Q7. What do you believe would be the consequences if your business had some or all of its intellectual property leaked online?
Context:
Businesses have a varying level of reliance on unique IP. Some businesses would lose all competitive advantage and would be significantly damaged if their IP was lost. Others would carry on without any real impact.
Q8. What would be the impact to your business if information you hold was tampered with?
Context:
While most of the earlier questions were focused on the confidentiality of information, this one looks at the integrity of the information you hold. While tampering would almost always be inconvenient, in some cases it could be catastrophic: if you are running a hospital and there is a fear that the data set recording which drugs are meant to be administered to which patients has been changed, that is a big problem.
Q9. Suppose your most important system – which could be an industrial control system, some key sensors, your e-mail, a file server, or anything else that’s network-connected – was not accessible for a period of time. How long could your business get by?
Context:
While earlier questions have covered confidentiality and integrity of information, this one is looking at availability. If your key system is unavailable, do you have a manual workaround of some kind to keep the business running? For how long could that continue?
Q10. Does your business have a reliance on – or have on the strategic roadmap – emerging technologies such as blockchain, machine learning or Internet of Things enabled devices?
Context:
History has shown us that we as an industry have a habit of rolling out new technologies well before cyber security considerations are effectively addressed. Implementing such technologies in a production system can therefore introduce additional risk. The examples provided – blockchain, machine learning / AI, and IoT devices – will of course evolve over time.
THREAT – STAKEHOLDERS
Q11. Is your organisation subject to many externally-imposed requirements (whether from laws, regulations, industry codes or standards, or contractual requirements) when it comes to your cyber security practices?
Context:
Cyber security regulation varies from industry to industry and indeed from country to country. In some industries (such as defence, financial services, telecommunications and many parts of government) it is also commonplace to have cyber security requirements imposed through contract. As a general principle, if you are subject to such requirements, it would be expected that your security maturity would correspondingly be higher.
Q12. Does your organisation have any business partners, customers or other external entities you have a close relationship with that you think could be a target for a cyber attack (e.g. because of their public profile, the information they handle or their role in critical infrastructure)?
Context:
One of the biggest topics in cyber security at the moment is supply chain risk. Given how interconnected organisations are these days, there is a high likelihood that you will be targeted not as the end target, but as a stepping stone to one of your business partners or customers. Professional services firms such as lawyers, consultants and investment banks are prime examples of such targets.
Q13. How many different countries or regions do you operate in? (i.e. where are your clients?) Note that you can choose multiple answers by clicking on the ‘plus’ sign after selecting one.
Context:
There are two main drivers for this question. Firstly, the broader your international footprint, the larger your attack surface. Secondly, if you are doing business in a country or region that is known for having active cyber security threats and corporate espionage, this increases your likelihood of being subject to attack.