Tag Archives: Operational Technology

Schneider Electric launches remote Cyber Risk Assessment service in UK and Ireland

The Cyber Risk Assessment is a non-invasive high-level assessment service performed by Schneider Electric’s cyber security experts that results in the provision of recommendations and a roadmap for achieving a given organisation’s cyber security objectives. The process is completed in less than one week.

With damages from cyber crime expected to reach $6 trillion this year, a small chink in a company’s armour can result in substantial financial and reputational losses in today’s business landscape.

In essence, the new service allows Schneider Electric to remotely assess its customers’ operations and provide them with an understanding of their cyber security risk posture by dint of identifying gaps and key risk areas that need to be remediated.

Schneider Electric has already applied this process to its own Flint smart factory during the digital transformation of the facility, which is over 30 years old.

“Assessing all of the cyber threats a company faces can be a daunting task, but as attacks become increasingly common, firms simply cannot afford to bury their heads in the sand,” explained David Pownall, vice-president of services at Schneider Electric for the UK and Ireland. “We’ve created the Cyber Risk Assessment service to be the first step towards building a reliable and robust cyber security programme. This assessment process should then serve as the starting point when applying cyber security requirements in an operational technology (OT) environment.”

High-level assessment

The Cyber Risk Assessment service is a non-invasive high-level assessment performed by Schneider Electric’s OT cyber security experts. The service aligns to control categories found within industry best practice and standards.

To ensure a complete and actionable summary report, Schneider Electric collects information about businesses’ OT systems before conducting interviews. This includes current cyber security policies, cyber programme objectives, applicable standards, existing cyber security tools and technologies. This is all in addition to an OT network diagram, which displays the location of critical assets on the network.

Personnel data is also used, including identifying those personnel most familiar with the OT network layout (ie OT/cyber knowledge) and stakeholders who can answer detailed technical questions regarding the OT equipment and assets used within the customer’s network.

Two-stage process

The Cyber Risk Assessment itself has two key elements to it. The first element is the assessment and report. The second centres on the consultation services to discuss the results in-depth and create a tangible roadmap for the next steps. Areas to be covered here include:

Cyber security assessment

*Documentation review (eg network diagrams, current cyber security policies and programme elements)

*Remote interviews with key OT and cyber security stakeholders

*Cyber security expert analysis identifying key risk areas, gaps and recommended steps for remediation

Schneider Electric will then create a report which provides a starting point to prioritise areas.

Expert consultation

*A deep dive into the results of the cyber security assessment. Schneider Electric’s cyber security experts provide detailed recommendations and step-by-step guidance for the implementation

*Companies can ask Schneider Electric’s experts questions and gain clarifications of the assessment results

*Experts outline a suggested time frame for implementation and budget estimate

*Workshop sessions will define a blueprint for cyber security and prioritise which areas to address

Within the assessment, Schneider Electric’s cyber security experts will conduct controls-related network discussions, including a review of network architecture, ICS system components, cyber security policies and procedures and also physical security procedures.

*Additional information is available online by visiting the Schneider Electric website

Filed under Security Matters

96% of UK organisations experience at least one business-impacting cyber attack in past 12 months

Tenable Inc, the cyber exposure company, has published the results of a global industry study of business and security executives that reveals the majority of UK organisations (96% of those surveyed, in fact) have experienced a business-impacting cyber attack in the past 12 months.

The data is drawn from ‘The Rise of the Business-Aligned Security Executive’, a commissioned study of more than 800 global business and cyber security leaders, including 103 respondents from the UK. The survey was conducted by Forrester Consulting on behalf of Tenable.

As cyber criminals continue their relentless attacks, 63% of respondents in the UK have witnessed a dramatic increase in the number of business-impacting cyber episodes over the past two years. Unfortunately, these attacks had damaging effects, with organisations reporting loss of employee data (44%), financial loss or theft (36%) and customer attrition (34%). Some 65% of security leaders in the UK say these attacks also involved operational technology.

Business leaders want a clear picture of how at risk they are and how that risk is changing as they plan and execute business strategies. Only four out of every ten local security leaders say they can answer the fundamental question: “How secure, or at risk, are we?” with a high level of confidence, despite the prevalence of business-impacting cyber attacks.

Global respondents

Looking at global respondents, fewer than 50% of security leaders said they are framing cyber security threats within the context of a specific business risk. For example, although 96% of respondents had developed response strategies to the COVID-19 pandemic, 75% of business and security leaders admitted their response strategies were only “somewhat” aligned.

Organisations with security and business leaders who are aligned in measuring and managing cyber security as a strategic business risk deliver demonstrable results. Compared to their siloed peers, business-aligned security leaders are:

*Eight times more likely to be highly confident in their ability to report on their organisations’ level of security or risk

*90% are very or completely confident in their ability to demonstrate that cyber security investments are positively impacting business performance compared with 55% of their siloed counterparts

*85% have metrics to track cyber security RoI and impact on business performance versus just 25% of their siloed peers

Business-aligned leaders

Those organisations with business-aligned cyber security leaders are also:

*Three times more likely to ensure cyber security objectives are in lock step with business priorities

*Three times more likely to have an holistic understanding of their organisation’s entire attack surface

*Three times more likely to use a combination of asset criticality and vulnerability data when prioritising remediation efforts

“In the future, there will be two kinds of CISO — those who align themselves directly with the business and everyone else,” said Renaud Deraison, CTO and co-founder at Tenable. “The only way to thrive in this era of digital acceleration is to bring cyber into every business question, decision and investment. We firmly believe this particular study shows that forward-leaning organisations view cyber security strategy as essential to innovation and that, when security and the business work hand-in-glove, the results can be transformational.”
