The best way to kick off the process and to establish your Baseline is to conduct an assessment of your existing security policies, processes and controls, against a compliance standard or best practice framework. We call this your ‘Security State of the Nation’. Key stakeholders are interviewed. Existing security infrastructure is documented. Risks are quantified. Recommendations are made for how you will move forward to achieve your target state… but what is your target state?

We help you define a sensible target security state, the right size security posture relative to the risks your business faces.

Having something measurable to aim at is key, there are 2 broad types of Target State.

Examples

• NCSC Cyber Assessment Framework
• ISO27001
• Cyber Essentials Plus
• CIS 18 Critical Security Controls

Very much the “Stick” to the Best Practice “Carrot”. These are mandated on organisations by government or regulators, if you want to work, or continue to work in a specific sector, geography or vertical then you will need to comply with them. Failure to do so can result in loss of reputation, business, or potentially huge fines.

Examples

•  UK Data Protection Bill
•  EU General Data Protection Regulation
•  The Network and Information Systems Regulation (NIS)
•  PCI-DSS

Once an initial assessment has been completed, the improvements can begin. The plan will look at Policy, Product & People, ensuring the work is directed towards risk reduction and the overriding best practice or compliance standard.

If the end goal is to be formally awarded a best practice certificate, Saepio assist by making sure you are in a position of readiness prior to the assessment with the chosen accrediting body.

How do you assess the Security Culture within your organisation? How do you quantify the risk that your staff may pose? Understanding where the gaps in knowledge might be will help you to address them. Whether strucutred testing, ad-hoc or one-off, there are a number of ways to determine the strength of your human firewall, and where it might need improving.

Security Awareness Training

Going in hand with testing, is training and education. It’s good business practice, as well as great corporate social responsibility to make sure your staff are well trained to recognise, react to, and ultimately prevent potential cyber threats. Regular short doses of training are key to ensure the knowledge is retained, the program is successful, and the behaviours of staff are improved.

If you don’t have this expertise in-house, then we can supply it. We have consultants acting as vCISO to provide guidance to the board, and to enact the Security Improvement Plans where required. Acting on a workstream or retainer basis, the vCISO becomes an extension of your team, providing regular updates to a risk register and project managing your improvement journey. Whether that is towards greater Cyber resiliance inline with the NCSC CAF, or attaining Cyber Essentials Plus or ISO27001 certification if appropraite

Penetration testing is a great way to baseline or ultimately prove  your security posture from a product maturity, configuration and operational standpoint. Working with our teams of external, CREST accredited Penetration Testers, Saepio can supply a wide range of services – External, Internal, Wireless, Web App, Red Team, Social Engineering and more.

If the worst happens, and you do fall victim to a cyber attack or incident of some kind, then understanding exactly what happened can be key to preventing it from happening again. In the litigious culture that we live in, where failure to report a breach correctly inside 72 hours can have huge consequences, sometimes expert help is needed to investigate. Saepio work with consultants holding all appropriate badges, certifications and security clearances to undertake this work if required.

These should be the foundations of any modern companies security stack. In line with Cyber Essentials Plus these are the areas that if neglected will represent the greatest risk to the majority of organisations. Do the basics well to continually combat commodity cyber attacks.

• Firewall
• Web and Email
• Anti-Malware
• Multi Factor Authentication
• Vulnerability Management
• Patch Management
• Backup
• Encryption

Once you’ve operationalised the Essential Controls and are ready to further your cyber resilience, then a whole other world of technology and process becomes relevant. As the value of the data/systems/applications that you use/deliver/support/manage increases then looking at these areas will help to further reduce your risk of falling foul of a cyber incident

• Security Monitoring (SIEM)
• EDR and NDR
• Threat Intelligence
• Security Orchestration & Automation
• Identity & Privilege Access Management
• Cloud Security
• Data Leak Prevention
• Secure Access Service Edge

These types of technology will not be required by all organisations. However, if you have public facing security systems with data and applications in the cloud, or you are developing your own code or software, then these are areas to consider.

• Web App Firewall
• DDoS Prevention
• Customer IAM
• CSPM & CWPP
• Static AST
• Dynamic AST
• Pentesting as a Service
• Breach & Attack Simulation