Prism Infosec Launches Vulnerability Remediation Service

Prism Infosec is proud to announce the launch of a remediation service line that will enable organisations to promptly implement effective fixes for vulnerabilities identified during engagements. The remediation service connects organisations with Prism Infosec’s team of IT and security experts to deliver tailored solutions that address vulnerabilities while ensuring compliance with industry standards and minimising operational disruption.

By leveraging Prism Infosec’s in-depth understanding of vulnerabilities and effective mitigation strategies, organisations can take advantage of a comprehensive vulnerability management service spanning from discovery to resolution, working collaboratively with our teams to develop and implement effective remediations.

Often, after an engagement, organisations are left burdened with the challenging task of resolving a large number of complex vulnerabilities and configuration issues, without the necessary expertise or resources to effectively address them. Prism’s remediation service aims to alleviate this challenge by providing a dedicated team of IT and security professionals to guide organisations from discovery to resolution.

“Post-engagement, organisations often find themselves at a crossroads, with identified vulnerabilities but no clear path to remediation. Naturally, we are seeking to bridge that gap between discovery and resolution by providing an end-to-end service that leaves organisations confident in their security posture. We’re delighted to build on our reputation further by leveraging our extensive in-house talent to deliver more value to our clients through remediation services.” – Ollie Stepney, Head of IT & Remediation Services at Prism Infosec.

Our remediation services will be available to our clients as an extension of engagements, providing a natural progression from the identification and assessment phases. This approach ensures that organisations can immediately begin addressing vulnerabilities without any gaps. Remediation services will also be available as an offering within our Cyber Security as a Service platform, LuxisAI and via direct engagement as organisations look to improve their security posture in support of any certification or regulatory requirements.

“I am delighted that Prism Infosec has developed the in-house capability to support our clients with remediation services following the end of a security test or consultancy engagements. Always working in partnership with our clients, we understand that there is much to do beyond assessments and audits and sometimes remedial activity can lead to complex and/or overwhelming challenges to solve. Prism Infosec will support our clients every step of the way in partnership to ensure that vulnerabilities and weaknesses are appropriately addressed and without introducing new security risks.” – Phil Robinson, CEO at Prism Infosec.

Key to the remediation service is expansive documentation, which offers transparency throughout the process. We recognise the value not only in resolving vulnerabilities but also in providing detailed information about the issues addressed, the reasoning behind each fix, and the specific steps taken to remediate. This comprehensive documentation allows organisations to gain a deeper understanding of their vulnerabilities, the recommended mitigations for them, and best practices moving forward.

If you are interested in learning more about our remediations service and how it can benefit your organisation, please contact your account manager or email us at remediations@prisminfosec.com for more information. 

Prism Infosec Achieves STAR-FS Accreditation

We’re thrilled to announce that Prism Infosec is now an accredited provider of STAR-FS (Simulated Targeted Attack & Response assessments for Financial Services), the threat-led penetration testing and red teaming framework launched by the Bank of England, PRA, and FCA this year for the UK finance sector.

The STAR-FS scheme represents a significant step forward in enhancing cyber resilience for financial institutions, providing an innovative approach to identifying and mitigating cyber risks through assessments that simulate real-world threats.

STAR-FS assessments offer:

– Enhanced Resilience: By assessing firms’ capabilities to protect, detect, and respond to sophisticated cyber threats.

– Firm-Led Model: Allowing organisations to proactively identify vulnerabilities within systems, processes, and people.

– Independent Assurance: Beyond the scope of traditional penetration testing, STAR-FS offers regulatory-recognised assessments.

– Broader Accessibility: Making this assessment available to more financial institutions, enabling wider adoption and learning across the industry.

Prism Infosec is committed to helping financial institutions strengthen their cyber defences and meet regulatory expectations. Contact us to learn how STAR-FS can enhance your organisation’s resilience to cyber threats and enable a proactive approach to security.

Our Red Teaming Service:

Red teaming identifies organisational cyber security weaknesses.

Prism Infosec are GOLD Sponsors of BSides London 2024

Prism Infosec are excited to announce that this year we’re a GOLD sponsor for Security BSides London 2024!

Come and see us on December 14th at our stand and stick around for talks from our very own David Viola (Head of Red Team) and George Chapman (Team Leading Security Consultant) on the day. Keep your eyes peeled for more info to come from them in the lead up to the event.

Very much looking forward to seeing you all face-to-face and to get together with some of the best Cyber Security minds around!

Prism Infosec launches LuxisAI, its Cyber Security as a Service (CSaaS) platform

Prism Infosec is excited to announce the launch of our Cyber Security as a Service (CSaaS) platform, LuxisAI.

LuxisAI provides our customers with a fast, simple and effective platform from which to access our suite of expert-delivered cyber security services. Through LuxisAI, our customers can quickly engage with our services and gain immediate access to testing results and engagement output, ensuring cyber security risks can be managed and assurance can be obtained in real time.

“We’re incredibly excited to bring LuxisAI to our customers, it fundamentally changes the way customers interact with our service portfolio so they can benefit from cutting-edge services delivered at the pace of their business”, said Phil Robinson, CEO of Prism Infosec.

Read more about what LuxisAI can offer your business and request a demo today by visiting this link: https://prisminfosec.com/luxisai/

Launching Cyber Maturity Assessment service to boost security baselining

Our Cyber Maturity Assessment is mapped to the National Institute of Standards and Technology (NIST) Cybersecurity Framework and covers all five core areas (identify, protect, detect, respond and recover), with maturity graded using five maturity rankings (initial, developing, defined, managed or optimised).

Our team of GRC specialist consultants carry out interviews, review documents, and observe current practices in order to thoroughly assess, capture and report on the risks. The end report delivers insights into a variety of areas including asset management, supply chain risks, identity management and access control, staff security awareness, information protection processes and procedures, security monitoring and detection, as well as the effectiveness of response and recovery planning.

Cyber maturity is defined by industry body ISACA as an organisation’s strategic readiness to mitigate threats and vulnerabilities, but the practice is not as widespread as it should be. One in five organisations do not assess their cyber maturity at all, while the proportion that do (65%) has not changed over the past two years, according to ISACA’s State of Cybersecurity 2023 report.

“We need to move the needle for businesses to become more risk aware. Organisations need to capture, quantify cyber risk and manage it but many have no idea what their level of maturity is. Risk remains an unknown and it is not uncommon to find asset lists that don’t include tangibles such as financial data or intellectual property (IP),” states David Adams, GRC Security Consultant at Prism Infosec.

The top three reasons given for not conducting regular risk assessments, according to the ISACA report, were the time commitment involved (41%), not having enough personnel to perform the assessment (38%) and lack of internal expertise (22%) – all obstacles which indicate the need for external expertise.

The Cyber Maturity Assessment service is delivered by practitioners who individually hold more than 25 years’ experience in security assurance testing, are ISO27001 Lead Auditors, CISSP certified and are sector specialists. They form part of the Governance Risk and Compliance (GRC) Consulting team with the Cyber Maturity Assessment the latest addition to Prism Infosec’s Compliance Framework Assessments.

Suitable for organisations of all sizes from SMEs through to large enterprises, the Cyber Maturity Assessment provides a comprehensive view on the risks facing the business together with a roadmap of recommendations and estimated timescales to enable the business to achieve its cyber maturity goals.

“Risk varies from business to business. Small organisations may have no data protection or risk management process in place and, while the large enterprises do have governance in place in the form of a CIO or an internal audit team, these are generally stretched for time and do not have the necessary skill sets to perform security audits. To accurately appraise risk requires perspective and an understanding of the nuances of the business which a third party can bring to the process,” says Adams.

Cyber hygiene and how to improve cyber resilience across your workforce 

In cybersecurity, the saying goes that people are your first line of defence. By empowering employees through comprehensive cybersecurity training, companies can prevent cyber attacks caused by human error.

There’s a great deal of FUD (fear, uncertainty and doubt) spread by the security industry about the threats facing businesses, but the truth is that adopting basic cyber hygiene practices significantly reduces the risk of those threats being realised. The point is made in the recent NCSC white paper ‘Ransomware, extortion and the cyber crime ecosystem’, which states that most ransomware attacks do not rely on sophisticated attack techniques but are usually the result of poor cyber hygiene. It is for this reason that adopting a baseline security framework such as Cyber Essentials, Cyber Essentials Plus or ISO 27001 is so fundamental: if this level of cyber security were adopted across the board by all businesses, the majority of these attacks would fail.

Cyber hygiene is about baking best security practice into day-to-day operations: from how employees interact with one another and with external parties, to how data is used and protected and how systems are maintained. Unfortunately there has been a decline in certain cyber hygiene practices over the past three years, notably the use of password policies, network firewalls, restriction of administrative rights and software patching. This is largely due to the move to decentralised networks and the migration to the cloud, which has caused confusion over who is responsible for securing data (the so-called ‘shared responsibility model’, under which the provider secures the underlying platform while the customer remains responsible for its own data, identities and configuration). This marked decline gives attackers the window they need to exploit users and systems, making it much easier to gain a toe-hold on the network, escalate an attack and access data.

Security frameworks such as Cyber Essentials cover the basics when it comes to technical controls, with five requirements:

– deploying a firewall (at the boundary and/or on each device)
– securely configuring devices and software
– controlling user access, including restricting administrative accounts
– protecting against malware (anti-virus or application allow-listing)
– keeping software up to date with security updates (patching).

It provides some initial guidance, it can help assure customers and partners, and it is now commonly a requirement for cyber insurance. But it is a foundation stone that should be built upon. To boost resilience, the business needs to look at the wider context of the risks it faces in order to move towards becoming cyber mature.

Cyber maturity can be assessed by looking at how the business manages risk across asset management, the supply chain, identity management and access control, staff security awareness, information protection processes and procedures, security monitoring and detection, and the effectiveness of response and recovery planning. The assessment uses a risk framework such as the NIST CSF, which has five core areas (identify, protect, detect, respond and recover), and grades the effectiveness of the security in place against each of these on a sliding scale from 1 to 5. But again, about one in five organisations do not assess their cyber maturity at all, making this a missed opportunity.

If more businesses were to adopt Cyber Essentials, profile their risks and use cyber maturity assessments to drive improvements, the potential attack surface would be greatly reduced and the potential for escalation curtailed. There would also be more eyes and ears open to sector-specific attacks, enabling more immediate sharing of threat intelligence. It is that wider state of awareness that will lead to real resilience, and it is the central tenet behind the NIS2 regulations coming into force across Europe this year and likely to be adopted in some form in the UK too.

In terms of making employees more resilient, it’s key to ensure that training is tailored to the organisation so that it is relevant and meaningful. Previous attacks against the organisation can be used as the basis for phishing exercises, for example, with the redacted fallout shared with staff. Devise training that uses OSINT, showing how email and social media can be combined to craft attacks and how over-sharing can be a problem. Arm users with practical tips on password use and ad-blocking tools, because employees seldom keep a work/home divide in how they use technology. The aim is to foster a culture of disclosure so that incidents aren’t hidden, so encourage drop-in clinics to answer work queries and prevent dangerous workarounds. Ensure training isn’t just a pin in the calendar but is regularly reinforced through communication over different media.

Prism Infosec Hires Bradley Knight in the Role of Chief Operating Officer

Cyber security consultant Prism Infosec, which has offices in Cheltenham and Liverpool, has welcomed Bradley Knight as its new chief operating officer (COO).

Knight holds a forensic computing and security degree from Bournemouth University and worked most recently at Resillion as operations director for UK Cyber. Before that role, he led the offensive security team at MTI Technology.

“I’ve spent my whole career working in cyber security and I’m excited to be joining Prism Infosec at a time when the company is experiencing phenomenal growth,” said Knight.

“I look forward to working with the talented teams and ensuring the company remains well-positioned to deliver comprehensive, high-quality cutting-edge services to our client base that align with our strategic objectives.”

At Prism Infosec, Knight will focus on delivering operational efficiencies and will oversee the development and launch of new services.

“We’re delighted to welcome Bradley to the team who has a real passion for cyber security and a great track record in leading and managing teams, delivering value and meeting client needs,” said Phil Robinson, CEO at Prism Infosec.

“His experience in the field building and delivering both offensive and defensive service lines, will be fundamental in ensuring we broaden our service portfolio over the coming months as well as maintaining the highest levels of service while the company continues to expand.”

Prism Infosec Exhibiting at the NCSC’s Flagship Event CYBERUK22

Prism Infosec is delighted to announce that it will be exhibiting at the NCSC’s CYBERUK 2022 conference, in Newport on the 11th and 12th of May 2022 on stand A29.

For more information on the conference see the NCSC website and agenda.

Do come and visit our stand for a chat and to learn more about the services that we can deliver to your organisation.

We look forward to seeing you there!