Everyone can agree that having good policies is sensible. But before you can create good policy you need a plan, you need to know what direction to go in. That could be towards a standard, or to general best practice. Getting a line in the sand and establishing where you are is a great start.
The best way to kick off the process and to establish your Baseline is to conduct an assessment of your existing security policies, processes and controls, against a compliance standard or best practice framework. We call this your ‘Security State of the Nation’. Key stakeholders are interviewed. Existing security infrastructure is documented. Risks are quantified. Recommendations are made for how you will move forward to achieve your target state… but what is your target state?
We help you define a sensible target security state, the right size security posture relative to the risks your business faces.
Having something measurable to aim at is key; there are 2 broad types of Target State.
Best Practice examples
• NCSC Cyber Assessment Framework
• ISO27001
• Cyber Essentials Plus
• CIS 18 Critical Security Controls
Very much the “Stick” to the Best Practice “Carrot”. These are mandated on organisations by government or regulators: if you want to work, or continue to work, in a specific sector, geography or vertical then you will need to comply with them. Failure to do so can result in loss of reputation, business, or potentially huge fines.
Compliance examples
• UK Data Protection Bill
• EU General Data Protection Regulation
• The Network and Information Systems Regulation (NIS)
• PCI-DSS
Once an initial assessment has been completed, the improvements can begin. The plan will look at Policy, Product & People, ensuring the work is directed towards risk reduction and the overriding best practice or compliance standard.
If the end goal is to be formally awarded a best practice certificate, Saepio assist by making sure you are in a position of readiness prior to the assessment with the chosen accrediting body.
Technology alone can’t guarantee safety. Your staff, and how aware they are of the threats you might face, can be a huge asset in the fight against cyber crime. Improving staff behaviours and creating a security culture within the organisation is vital.
It’s not just general staff though: your Board, your exec team, even your IT department, all might benefit from a more tailored security awareness programme.
How do you assess the Security Culture within your organisation? How do you quantify the risk that your staff may pose? Understanding where the gaps in knowledge might be will help you to address them. Whether structured testing, ad-hoc or one-off, there are a number of ways to determine the strength of your human firewall, and where it might need improving.
Going hand in hand with testing is training and education. It’s good business practice, as well as great corporate social responsibility, to make sure your staff are well trained to recognise, react to, and ultimately prevent potential cyber threats. Regular short doses of training are key to ensure the knowledge is retained, the programme is successful, and the behaviours of staff are improved.
If you don’t have this expertise in-house, then we can supply it. We have consultants acting as vCISO to provide guidance to the board, and to enact the Security Improvement Plans where required. Acting on a workstream or retainer basis, the vCISO becomes an extension of your team, providing regular updates to a risk register and project managing your improvement journey, whether that is towards greater cyber resilience in line with the NCSC CAF, or attaining Cyber Essentials Plus or ISO27001 certification if appropriate.
Penetration testing is a great way to baseline or ultimately prove your security posture from a product maturity, configuration and operational standpoint. Working with our teams of external, CREST accredited Penetration Testers, Saepio can supply a wide range of services – External, Internal, Wireless, Web App, Red Team, Social Engineering and more.
If the worst happens, and you do fall victim to a cyber attack or incident of some kind, then understanding exactly what happened can be key to preventing it from happening again. In the litigious culture that we live in, where failure to report a breach correctly inside 72 hours can have huge consequences, sometimes expert help is needed to investigate. Saepio work with consultants holding all appropriate badges, certifications and security clearances to undertake this work if required.
Whilst Technology alone won’t solve all your problems, it’s a significant component of an effective information security ecosystem.
In a world where budgets are limited, and IT staff time often more so, it’s imperative that each organisation takes stock of their current situation, requirements, risk profile, headcount and funds prior to investing in technology.
Saepio recommend a methodical approach: don’t try to run before you can walk.
We have grouped the never-ending list of security technologies into 3 distinct areas – Essential, Advanced & Production.
These should be the foundations of any modern company’s security stack. In line with Cyber Essentials Plus, these are the areas that, if neglected, will represent the greatest risk to the majority of organisations. Do the basics well to continually combat commodity cyber attacks.
Once you’ve operationalised the Essential Controls and are ready to further your cyber resilience, then a whole other world of technology and process becomes relevant. As the value of the data, systems and applications that you use, deliver, support or manage increases, looking at these areas will help to further reduce your risk of falling foul of a cyber incident.
These types of technology will not be required by all organisations. However, if you have public facing security systems with data and applications in the cloud, or you are developing your own code or software, then these are areas to consider.