Tackling the ever-changing cyber security threat in an agile and proactive way requires influential members from the whole business to work together. Here is a selection of key questions by which you can assess your business's cyber-readiness.

Board and C-suite

  • What are our key information assets including IP and who is responsible to protect them?
  • Do we know the reputational and financial impacts of a cyber security attack?
  • Am I personally at risk?
  • Can solutions be found that marry a desire for security with competiveness?
  • How does our crisis response plan take information assets into account?
  • How can we move from reacting to anticipating the threat?
  • Are we considering cyber security when making investment decisions during mergers and acquisitions?
  • Are we exposed further up or down the supply chain?
  • How regularly do we review the cyber threat and update response plans?
  • Have we created a culture where employees can raise issues before it is too late, and that those issues will be escalated appropriately within the business?

CIO and IT professionals

  • What systems do we need to operate?
  • Which of those systems have the most business critical or sensitive information?
  • What would motivate a cyber-attacker specifically to attack our business?  Do we know who and why?
  • How regularly do we review and test processes in line with the ever-changing technology and security climate?
  • What is cyber security best practice for my industry and are we keeping pace of changing regulation?
  • Are there any trends that make our information vulnerable at certain times?
  • What cyber attacks has our business suffered so far?
  • How affective has our response been to date?
  • Are training programmes in place to address data protection and cyber risks faced by our employees?
  • Who is represented in our incident response team? (Legal, HR, PR, IT, Risk, etc)
  • Who is empowered to act and make the decisions needed in the event of a crisis; what's the chain of command?
  • Do we have a review mechanism in place to determine the cause of the incident and learn from the experience?

General counsel and legal professionals

  • Do we know our regulatory and compliance obligations as they pertain to cyber security?
  • Have these been adequately communicated to the other relevant stakeholders in the business?
  • Do we have reporting processes in place to make appropriate regulatory notifications and reports in the event of a cyber security incident?
  • Who regularly tests our incident response plans and should a representative from legal be involved?
  • How do we keep up to date and implement cyber security policies across multiple jurisdictions?
  • Do we have appropriate policies and procedures in place for our employees describing acceptable and secure use of the organisation’s information assets and systems?
  • Are our policies and procedures formally acknowledged in employment terms and conditions?
  • Are our stakeholders clear on how to interact with the media in the event of a crisis?
  • What should happen if we suffer a breach through our supply chain?
  • Have we adequately reviewed our inbound and outbound contracts in the context of cyber security risk?
  • Are we adequately involved in assessing cyber security risk associated with any mergers, acquisitions or outsourcing arrangements?
  • Do we have appropriate insurance in place to cover loss as a result of a cyber incident?
  • How do we feedback the conclusions from an investigation into our policies and procedures and ensure that employees are given appropriate notice and training on them?