We provide a range of cyber risk and security services, which are detailed below. If you have any questions, or you would like to arrange a service, please get in touch today.
There is significant hype surrounding cyber security, often fuelled by media reporting. However, where there is smoke there may well be fire. The challenge is helping senior business leaders understand which of the facts about cyber security actually affect their business, and how to sort the wheat from the chaff. Drawing on experience and insight gained across a wide range of businesses, and from assessing a wide range of threats and the consequences of successful attacks on enterprises, can help build this understanding.
A strategy shows the enterprise where it needs to go to protect its critical information assets. At a lower level of detail, the enterprise must have sound and relevant policies that define what it needs to do to be secure. Importantly, if these policies are to be effective they must be relevant and appropriate to the culture, ethics and organisational structure of the enterprise that is going to use them. We now help enterprises move beyond classical information security policy structures and adopt cyber security guidance that can make policies more accessible and relevant to the business.
Once an enterprise has a strategy and defined policies and standards, the next questions are: how well am I doing, and am I doing enough? Gauging the maturity of an enterprise's cyber security governance, risk and compliance activities and operational capabilities is an important step in establishing how well placed it is to defend itself against threats. It also helps to assess how far the enterprise has come and how far it still has to go in implementing its strategy. These cyber security maturity assessments establish a benchmark against which management can make informed decisions on the direction and pace of the cyber security strategy.
A strategy gives direction and purpose to your security and protection initiatives. It is essential to have a strategy if you want to transition your enterprise from simply addressing compliance to being risk-aware and sufficiently secure against your threats.
One of the most important documents for any enterprise is its plan for when it all goes wrong and it is under attack. Having an Incident Response Plan is critical if the enterprise is to be capable of a reasoned and accountable response. For an enterprise that processes personal information, the lack of such a plan is a significant gap against the expectations of the General Data Protection Regulation, which requires, among other things, that personal data breaches be notified to the supervisory authority within 72 hours of becoming aware of them. The response plan must help the enterprise mitigate harm to itself and its customers, remediate the issues that allowed the attack, and then recover from it.
An enterprise cyber and information risk assessment must be based on an informed appreciation of the threats that could be directed at the enterprise and the attack techniques that might be used. These threats should then be set against the assets the enterprise needs and must protect, and against the potential and residual vulnerabilities that might expose them. The assessment should identify the enterprise's risk appetite and tolerances and, from these, make reasoned recommendations to reduce risk.
As much as "compliance" is perceived to be an absolute ("you will comply!"), there are shades of compliance, and there are strategies that can manage and reduce risk while at the same time reducing the compliance burden. Nowhere is this more relevant than in deciding which PCI standards apply to you, which standards you actually need to comply with, and to what level of assurance that compliance must be demonstrated.
Government regulation, and industry regulation such as PCI, have always had a role in setting out what you need to secure; increasingly they also tell you how you need to protect it and what you need to do. Is your business ready, and what impact will this have on you? This is becoming especially important in the area of data protection and the need to conduct Data Protection Impact Assessments.
All risk assessments start with a consideration of the threat. Yes, cyber threats are real, but will every threat actor and every attack strategy target you? Are some threats more likely than others given your business? A threat assessment allows you to make reasoned decisions about which threats you genuinely need to be concerned about.
Data breaches and compromise events can be harrowing and costly. You will most probably need expert forensic analysis to determine exactly what happened and what was damaged or lost. But are you prepared to manage the consequences of those forensic findings? You may well need support to assess and prioritise their resolution. Most of all, you may also need support in managing the impact and consequences of the incident with the external and internal parties who were relying on you to be secure.
All relationships have rocky patches. Nowhere is this truer than with the external providers you pay to assess you: it is their job to be challenging, and at the same time they have their own quality and ethical standards to maintain. Experience has shown that it is often useful to have a third party help broker the resolution of issues and achieve a balanced risk decision.
If you are a vendor you may have a wonderful new solution, but do you truly understand the arcane world of payments well enough to be sure you are promoting your product to the right community, for the right purpose, and where there is a genuine business need? Equally, there may well be ways in which your product has value for the payments community that you have never realised.
Technology and securing it is now a board level concern. Enterprises big and small are increasingly employing technologists and security specialists in senior positions. Given the rapidity in career progression for these individuals, they may well lack the breadth of experience they need. Mentoring and supporting them can reduce these risks.
Security leadership is becoming increasingly important for enterprises big and small, helping them make appropriate decisions to protect their information. Where the resources to provide the required leadership cannot be found inside the enterprise, securing external support can be the next best thing. That support can be short-term or long-term, and as frequent as the enterprise needs it.
How do you know that the third parties and vendors that provide your products and services are secure? Is the piece of paper or certificate they show you sufficient to understand the level of risk they represent to you? You can never delegate or transfer risk to these third parties: it is always your risk. Everyone should therefore be conducting risk assessments of those they buy products or services from.
There are tried and tested playbooks for managing a project to conduct an external assessment of your enterprise. However, all of this experience and practice may well be moot if the scope of the assessment is not well thought through. Are you covering too much, or not enough? Equally, as much as you may think the technology and processes are ready to be assessed, how ready are the management and decision-making behind them?
No one is so secure that they are immune from suffering a cyber-attack and all the damage that entails. Is your enterprise ready to respond, and how effective is your response plan at managing the crisis that will follow? Exercising the plan in a controlled, low-stress, facilitated classroom workshop is one of the best ways to judge how ready you are.