by Claire Harratt

Head of Managed Security Awareness Services


Cyber Resilience and Data Security

At Saepio we are big fans of the Hiscox Cyber Readiness Report, which they state, ‘provides a picture of the cyber readiness of businesses and offers a blueprint for best practice in the fight to counter an ever-evolving threat’. 


A key finding of their 2022 report was that companies that consider themselves ‘experts’ in cyber resilience suffered fewer attacks, were less likely to pay a ransom, and recovered from incidents more quickly. This year’s report reinforces the message that expertise pays off: ‘cyber novices’ paid, on average, two and a half times the cost of an attack as a percentage of revenue compared with non-novices.

In our opinion, the first step in maturing to an ‘expert’ level of cyber resilience is to conduct a cyber risk assessment. There are many standards you could assess against for this, such as ISO 27001, NIST and the CIS 18, but we recommend assessing against the NCSC’s Cyber Assessment Framework (CAF).

The CAF defines four key security objectives to consider on the road to good cyber resilience:

A – Managing Security Risks

B – Protecting Against Cyber Attacks

C – Detecting Security Events

D – Minimising the Impact of Security Incidents

Whichever standard you choose to assess against, all of them treat data security as a key element. At a recent event with our partner Varonis, we discussed how their tooling can specifically assist with the CAF controls. For example, Varonis can help with:

  • Understanding where your sensitive data is, who has access to it and enforcing a least privilege model (Objectives A&B)
  • Detecting security events by spotting anomalous data access and alerting on it (Objective C)
  • Minimising the impact of an incident by taking automated actions such as killing user sessions, resetting passwords or blocking command-and-control domains. Varonis can also provide an audit trail of what has happened to your data, allowing you to respond fast and recover quickly from a breach (Objective D)

A Varonis Data Risk Assessment can help you answer questions such as:

  • Where is my sensitive data?
  • What’s exposed?
  • How do I reduce risk without breaking anything?
  • Who is accessing regulated data, where are they putting it, and why?
  • Can I prove compliance?
  • Do I know what users and applications are doing?
  • How quickly can I detect insider threats, ransomware and APTs?
  • Can I investigate breaches and recover quickly?

Contact Us

If you’d like to know more about how a free Varonis data risk assessment can help you address these questions, please get in touch at contact@saepio.co.uk