Last week we published the top security threats to small sustainable organisations, so this week we thought we would discuss solutions to those threats, specifically in the form of services and tools. If you haven't read that post yet, we strongly recommend that you do, as it goes hand-in-hand with this week's blog!
So without further ado, let's do exactly that. Here are the top solutions and services for small sustainable organisations.
The solutions have been organised into three categories:
Advisory-based services & Business Continuity: Cyber Security Consultancy, Virtual Cyber Security Leader, Risk Assessment & Management, Training & Awareness, Compliance Assistance
Proactive security solutions: Penetration Testing, Managed Detection and Response (MDR), Network Security Monitoring
Risk transference: Cyber Insurance
Advisory-based services & Business Continuity
Business continuity covers the practices and solutions that help a business keep going and progress, whether through a security lead, risk management or employee engagement. Everything in this section helps future-proof an organisation. These services are also more advisory than hands-on.
Cyber Security Consultancy
"Cyber security consultancy" is often used as a general, non-specific term that encompasses one or more of the services listed here. That's not to say consultancy isn't a service in itself, because it is. Cyber security consultancy is an advisory service that, through fact-finding and an understanding of an organisation's context, assists decision-makers with their cyber security choices.
Whether it's through a risk assessment or policy implementation, consultancy helps you make the right decision. Need a helping hand or want a nudge in the right direction? Check out what we can do to help you.
In addition to consultancy there is also the vCISO (Virtual Cyber Security Leader), a more focused service that supports business continuity and is associated with long-term cyber security progression. So let's take a look at what they do to assist your organisation.
Virtual Cyber Security Leader
Before jumping into the virtual world, we first need a baseline understanding of what a cyber security leader is, formally called a CISO. Put simply, a CISO, or Chief Information Security Officer, is the executive in charge of, and responsible for, an organisation's data and cyber security needs.
Naturally, CISOs require a firm understanding of IT infrastructure alongside ample knowledge of the myriad potential threats to computer systems. Beyond IT competency, they also need to be an effective communicator, both towards their team and the board, translating technical jargon into plain English for the less IT literate, among a wide variety of other duties such as:
Design, review and implement secure cyber processes, systems and policies.
Oversee day-to-day cyber operations and initiatives
Breach and incident management
Now, with an overview of what a CISO is, not much else needs to be said beyond the fact that a vCISO performs all of this virtually, addressing the needs of the CISO role without the requirement of hiring one internally. You may be asking yourself "Why would I choose a vCISO over an internal CISO?" and there are a few reasons, four to be exact.
CISOs are in high demand
Cyber security has moved from the back line to near the vanguard of organisational concern, making hiring a difficult process due to increased demand, especially when you consider how small the pool of cyber security talent is. This makes a CISO a luxury that some organisations cannot afford, both literally and metaphorically. Where an in-house CISO can only assist one company, a vCISO can assist several, allowing a company to fill the CISO role quickly and virtually without going through the hiring process.
vCISOs are a cheaper temporary solution & a consumption-based option
As befits high demand, high prices can be expected. According to salary.com, the average CISO costs over £200,000 a year. This is where a vCISO comes into the equation, easing the price restrictions: you pay only for the services and time you actually need, as opposed to funding an in-house, full-time CISO.
vCISOs can be more experienced
vCISOs work with a diverse variety of clients, industries and organisation sizes, each requiring tailored cyber security initiatives (policies, training, etc.), which often makes them more developed and adaptable in their skills than an in-house CISO who has only seen one environment.
vCISOs can be anywhere
Due to the inherent nature of virtual work, vCISOs aren't restricted by location and don't require relocation costs, unlike a regular CISO. This increases an organisation's exposure to more suitable candidates.
A vCISO is the epicentre of an organisation's cyber security. They are there to lead the initiative, preventing issues before they occur or mitigating the fallout when they do. Whether it's organising a training programme or setting up security monitoring, they and their team are there to develop an organisation's cyber security.
As we mentioned, CISOs are in high demand, but fortunately we provide such a service. Check it out.
Risk Assessment & Management
As easy as it would be to skip this service's explanation and move to the next point, it's important to highlight it for the sake of clarity. A risk assessment, a key tool in risk management, is a process that identifies the risks an organisation faces and provides actionable steps to mitigate them.
Naturally, risk can be found in every corner of an organisation, so assessments come in different shapes and sizes. Different kinds of assessment target specific risks such as financial, environmental, strategic, operational and reputational risks.
Somewhat different to a risk assessment, but still within the scope of risk management, is assessing what assets an organisation has and which of them may be affected during a potential incident. This way you can evaluate the fallout of an incident, with financial loss being a central topic since, as mentioned in the previous blog, financial gain is the main motivator behind the majority of attacks.
Ultimately, risk management is used to identify, reduce, mitigate and resolve the risks an organisation may face.
Training & Awareness
Cyber security training and awareness in the workplace isn't just a recommendation but a logical and fundamental process for ensuring business longevity. Not only does it promote knowledge of cyber security among those who would otherwise be less inclined, it also helps stop cyber criminals in their tracks: an understanding of social engineering lets staff recognise phishing emails, tell a malicious application from legitimate software, and so on.
A lot of the threats discussed in our previous blog, such as the aforementioned phishing emails and ransomware downloads, could have been avoided through correct procedures and email safety, in turn preventing the financial loss that can follow an incident.
Another point of discussion is a lack of training. When an organisation's training and awareness needs are not met, it is far more susceptible to an incident or breach, and reputational damage is a common outcome in the aftermath. That is to be expected: there is only so much sympathy to be had when clear neglect of cyber security needs has occurred. The way to combat this is a focused effort on cyber security, and if you're not sure what that looks like or where to start, consider getting some assistance (see: Cyber Security Consultancy) or a security lead (see: Virtual Cyber Security Leader).
Training can be conducted through a variety of methods and programmes, but it is either internal or external. Organisations that conduct their training internally usually have a dedicated training team, a sub-category of the organisation's cyber security function, whilst external training is usually delivered by a dedicated third party such as a training service provider. Either method usually follows officially recognised schemes such as Cyber Essentials (see: Compliance Assistance).
Compliance Assistance
Compliance comes in many different forms across the vast array of industries and jobs. In terms of cyber security, however, there are two types of security compliance: best practices (such as ISO 27001) and regulatory requirements (such as the GDPR). The former is optional; the latter is mandatory data protection law in the UK and Europe.
This is where compliance assistance comes into play. Should an organisation require a helping hand, whether to meet obligations, adopt best practices or write policies, assistance can be sought.
An example of compliance assistance and the development of best practices in a workplace is Cyber Essentials. A full breakdown of what Cyber Essentials is can be found on its official website. To give a brief overview, it is a UK government-backed, officially recognised certification scheme whose recommendations, processes and practices establish a baseline of effective cyber security controls in an organisation.
With this falling under our expertise, we provide such a service, including Cyber Essentials. Find out more here.
Proactive Security Solutions
As opposed to business continuity, these services revolve around proactive, continuous and hands-on processes such as 24/7 security monitoring and vulnerability management.
Penetration Testing
Penetration testing could be spoken about for hours and still not cover half the subject, so to keep things brief I'll refrain from going into too much detail. In essence, penetration testing, pen testing for short, is a practical, simulated cyber attack against an organisation to check for vulnerabilities, across systems and employees alike.
Put simply, penetration testing answers the question "How easy is it to compromise my organisation?" by testing it in practice, not just in terms of system security but also employee security and awareness (see: Training & Awareness). Performing simulated phishing attacks on employees is a prime example of a test focused on people rather than systems. Pen testing helps organisations manage risk, protect clients and support business continuity.
Again, this is a topic that could be discussed for hours, but to keep things short and sweet we'll leave it at that. Find out more in this article by WGU.
Managed Detection and Response (MDR)
Managed detection and response, commonly referred to as MDR, is a monitoring and management service that combines advanced analytics, threat intelligence and human expertise to undertake threat hunting, monitoring and response. It helps secure an organisation's data and assets, and because much of the service is automated it also frees the organisation to prioritise other cyber operations.
MDR is commonly operated as a 24/7 security control and often involves a range of fundamental security activities, including cloud-managed security.
Network Security Monitoring
Simply put, network security monitoring is automated monitoring software that scans and analyses network traffic and devices for security vulnerabilities, threats and suspicious activity.
With the assistance of network security monitoring software, organisations can identify and respond to cyber incidents or breaches quickly. Similarly to MDR, it's usually operated 24/7.
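As an added illustration of the kind of logic a network security monitoring tool runs over its inputs (this is example code written for this post, not code from the original article or from any product mentioned here): the script below reads a handful of constructed SSH authentication log lines and raises an alert when one source address racks up repeated failed logins in a short window, escalating the alert if that same source then logs in successfully. The log lines, IP addresses, the failure threshold and the time window are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like sshd format. These are made up
# for the example and use documentation-reserved IP ranges, not real hosts.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-01T09:00:03 sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2024-05-01T09:00:04 sshd[412]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-05-01T09:00:06 sshd[412]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-05-01T09:00:08 sshd[412]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-05-01T09:00:09 sshd[412]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2024-05-01T09:15:00 sshd[533]: Failed password for alice from 198.51.100.5 port 40100 ssh2
2024-05-01T09:15:30 sshd[533]: Accepted publickey for alice from 198.51.100.5 port 40101 ssh2
"""

# Matches the two sshd outcomes we care about and pulls out the fields used below.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse(log_text):
    """Turn raw log text into a list of login events, skipping lines we don't recognise."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Raise a medium alert when one source address reaches `threshold` failed
    logins within a sliding `window`, and a high alert if that source later
    logs in successfully (a burst of failures followed by success is the
    classic sign of a password-guessing attack that worked).
    The threshold and window are assumed values for the example."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged = set()                # sources already alerted on
    alerts = []
    for ev in events:
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            # Forget failures that have fallen outside the sliding window.
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({
                    "severity": "medium",
                    "src": src,
                    "reason": f"{len(failures[src])} failed logins within {window}",
                })
        elif ev["result"] == "Accepted" and src in flagged:
            alerts.append({
                "severity": "high",
                "src": src,
                "reason": f"successful login as {ev['user']} after brute-force burst",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(f"[{alert['severity'].upper()}] {alert['src']}: {alert['reason']}")
```

Run against the constructed log, the script produces one medium alert for 203.0.113.7 after its fifth failure and one high alert when that address then logs in as root; the single failure from 198.51.100.5 followed by a normal key-based login is left alone. A real monitoring service does the same thing at scale and across many more signals, but the underlying idea is exactly this: parse, correlate over time, and alert on the pattern rather than on any single line.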
Cyber Insurance
Risk transference, a recognised risk management technique, refers to the practice of transferring risk to a third party. In this case we're talking about cyber insurance and the financial relief insurers can provide to organisations, reducing the risk of financial loss.
Similar to other forms of insurance, cyber insurance, also referred to as cyber risk or cyber liability insurance, is a form of cover designed to protect your business should a threat of a digital nature, such as a data breach or malicious hack, occur.
That being said, a common exclusion found in most, if not all, cyber insurance policies is negligence or lack of care. Should this be found to be a cause behind a breach or compromise, a company is liable to take the full brunt of the financial losses without support from its insurer. So just because you have cyber insurance in place doesn't mean you can neglect an organisation's cyber security responsibilities. Training, awareness and prevention are just as important as financial preparation.
Cyber liability insurance provides crucial financial support to help a responsible organisation stay afloat in the event of an incident or breach, which is especially important for smaller companies that may not be able to absorb the full cost of a cyber security breach.
Coincidentally enough, we did a piece on cyber insurance not long ago. If you'd like more insight into this topic, we recommend you check it out.
In last week's blog, we proposed a mini exercise for you to undertake, which consisted of identifying your key assets and prioritising them from most to least important. So let's expand on that:
With your prioritised list of key assets in hand, cross-reference the tools and services discussed today to determine which of them would best protect each asset.
So, should a website be a key asset, consider the procedure you would need to follow to keep it up and running (e.g. security monitoring to identify potential threats), and if you're unsure, which service you would seek out to get more clarity (e.g. cyber security consultancy).
Now get out there and develop your cyber security!
Until next time.