With increasing technological progress many are adopting modern information technology to increase the productivity of their business. This increased productivity can increase the attack surface of production systems, when implemented poorly. For a good while now, we recognize an increasing trend in targeted attacks on OT systems, like, e.g., the Maersk ransomware attack, or supply chain attacks, such as Solar Winds. These attacks can lead to substantial financial damage, production delays, business interruptions, or loss of trust and even loss of life. Modern security regulations, such as IEC 62443, ISO 27001, or the NIS-directive, address cyber-security threats in overall OT security strategies. Limes Security can support you with integrated strategies, on both the technical and governance side of information security.

Depending on your risk appetite, determined in assessments, your risk profile not only depends on your industry, but on your established security culture. Limes Security utilizes objective frameworks to provide overview of business risks and resulting vulnerabilities. These are addressed and prioritized, while your organization moves along increasing security maturity levels, through a cyber security program. Security programs can take years to accomplish, therefore, it is necessary to run regular security and risk assessments, to accommodate the ever changing nature of cyber security threats. However, investments need to be proportional to the risk, thus, the maturity of an organization’s cyber security profile is assessed and tracked, until the target maturity level is achieved. When asked about „costs “, we usually find that it highly depends on the customers industry, established security culture, current gaps and target maturity levels.

Many information risks cannot be objectively and accurately calculated or measured. We are mostly dealing with imperfect knowledge and improperly analyzed data. However, they can be estimated but critically depend on how risks are framed. They are also not additive of multiplicative but can potentiate one another. Do not forget, unknown risks certainly linger unpredictably in your infrastructure, hence, you need incident handling capabilities. This does not mean that risk assessment is pointless, rather that results should be treated with caution and respect. Where you draw the line between big and small risk is up to your own experience. Additionally, there is an individual perspective effect. An executive manager could view risks that involve them personally liable more critical than others. Compliance with laws and regulations tends to fall into this category. Most targeted risk treatment helps reduce specific risks, and few, like, e.g., incident handling or an effective ISMS, reduce many unspecified risks.

The frequency of security assessments can vary but should be carried out regularly - at least once a year or when significant changes occur in the IT environment - to identify new risks and threats.

It is crucial to embed security awareness and practices into the corporate culture. This can be achieved through regular training, the integration of security into the software development lifecycle and the appointment of security champions in the teams. In addition, compliance with security policies should be ensured through ongoing monitoring and audits.