Launching Cyber Maturity Assessment service to boost security baselining

Our Cyber Maturity Assessment is mapped to the National Institute of Standards and Technology (NIST) Cybersecurity Framework and covers all five core functions (identify, protect, detect, respond and recover), with maturity graded at one of five levels (initial, developing, defined, managed or optimised).

Our team of GRC specialist consultants carry out interviews, review documents, and observe current practices in order to thoroughly assess, capture and report on the risks. The end report delivers insights into a variety of areas including asset management, supply chain risks, identity management and access control, staff security awareness, information protection processes and procedures, security monitoring and detection, as well as the effectiveness of response and recovery planning.

Industry body ISACA defines cyber maturity as an organisation’s strategic readiness to mitigate threats and vulnerabilities, but the practice is not as widespread as it should be. According to its State of Cybersecurity 2023 report, one in five organisations do not assess their cyber maturity at all, and the proportion that do (65%) has not changed over the past two years.

“We need to move the needle for businesses to become more risk aware. Organisations need to capture, quantify and manage cyber risk, but many have no idea what their level of maturity is. Risk remains an unknown and it is not uncommon to find asset lists that don’t include tangibles such as financial data or intellectual property (IP),” states David Adams, GRC Security Consultant at Prism Infosec.

The top three reasons given for not conducting regular risk assessments, according to the ISACA report, were the time commitment involved (41%), not having enough personnel to perform the assessment (38%) and a lack of internal expertise (22%), all obstacles which point to the need for external expertise.

The Cyber Maturity Assessment service is delivered by practitioners who individually hold more than 25 years’ experience in security assurance testing, are ISO27001 Lead Auditors, CISSP certified and are sector specialists. They form part of the Governance Risk and Compliance (GRC) Consulting team with the Cyber Maturity Assessment the latest addition to Prism Infosec’s Compliance Framework Assessments.

Suitable for organisations of all sizes from SMEs through to large enterprises, the Cyber Maturity Assessment provides a comprehensive view on the risks facing the business together with a roadmap of recommendations and estimated timescales to enable the business to achieve its cyber maturity goals.

“Risk varies from business to business. Small organisations may have no data protection or risk management process in place and, while large enterprises do have governance in place in the form of a CIO or an internal audit team, these are generally stretched for time and do not have the necessary skill sets to perform security audits. To accurately appraise risk requires perspective and an understanding of the nuances of the business which a third party can bring to the process,” says Adams.

Cyber hygiene and how to improve cyber resilience across your workforce 

In the world of cybersecurity, the saying goes: people are your first line of defence. By empowering employees through comprehensive cybersecurity training, companies can prevent the cyber attacks that are caused by human error.

There’s a great deal of FUD (fear, uncertainty and doubt) spread about by the security industry concerning the threats facing the business, but the truth is that adopting basic cyber hygiene practices can significantly reduce the risk of those threats being realised. It’s a point made in the recent NCSC whitepaper on ‘Ransomware, extortion and the cyber crime ecosystem’, which states that most ransomware attacks do not rely on sophisticated attack techniques but are usually the result of poor cyber hygiene. It’s for this reason that adopting a baseline security framework such as Cyber Essentials, Cyber Essentials Plus or ISO 27001 is so fundamental. If this level of cyber security were adopted across the board by all businesses, the majority of these attacks would fail.

Cyber hygiene is about baking best security practice into day-to-day operations: from how employees interact with one another and with external individuals, to how data is used and protected and how systems are maintained. Unfortunately there has been a decline in certain cyber hygiene practices over the past three years, notably the use of password policies, network firewalls, restriction of administrative rights and software patching. This is largely due to the move to decentralised networks and the migration to the cloud, which has created confusion over who is responsible for securing data (the so-called ‘shared responsibility model’). This marked decline is giving attackers the window they need to exploit users and systems, making it much easier to get a toe-hold on the network, escalate an attack and access data.

Security frameworks such as Cyber Essentials cover the basics when it comes to technical controls, with five requirements:

– deploying a firewall
– securely configuring devices and software
– keeping software up to date (security update management)
– implementing user access controls, including restricting administrative privileges
– deploying malware protection (anti-virus or equivalent).

It provides some initial guidance, it can help assure customers and partners, and it is now commonly a requirement for cyber insurance. But it’s a foundation stone that should be built upon. In order to boost resilience, the business needs to look at the wider context of the risks it faces in order to move towards becoming cyber mature.

Cyber maturity can be assessed by looking at the way the business manages risk in terms of asset management, the supply chain, identity management and access control, staff security awareness, information protection processes and procedures, security monitoring and detection, as well as the effectiveness of response and recovery planning. It uses a risk framework such as the NIST CSF, which has five core functions (identify, protect, detect, respond and recover), and grades the effectiveness of the security in place against each of these on a five-point scale. But again, about one in five organisations do not assess their cyber maturity at all, making this a missed opportunity.

If more businesses were to adopt Cyber Essentials, profile their risks and use cyber maturity assessments to help drive improvements, the potential attack surface would be greatly reduced and the potential for escalation curtailed. There would also be more eyes and ears open to sector-specific attacks, enabling more immediate sharing of threat intelligence. It’s that wider state of awareness that will lead to real resilience, and it’s the central tenet behind the NIS2 regulations coming into force across Europe this year, which are likely to be adopted in some form or fashion in the UK too.

In terms of making employees more resilient, it’s key to ensure that training is tailored to the organisation so that it is relevant and meaningful. Previous attacks against the organisation can be used as the basis for phishing exercises, for example, with the (redacted) fallout shared with staff. Devise training that uses OSINT, showing how email and social media can be combined to craft attacks and how oversharing can be a problem. Arm users with top tips on password use and ad-blocking tools, because employees seldom have a work/home divide in how they use technology. The idea is to foster a culture of disclosure so that incidents aren’t hidden, so encourage drop-in clinics to answer work queries and prevent dangerous workarounds. Ensure training isn’t just a pin in the calendar but is regularly reinforced through communication over different media.

Prism Infosec Hires Bradley Knight in the Role of Chief Operating Officer

Cyber security consultancy Prism Infosec, which has offices in Cheltenham and Liverpool, has welcomed Bradley Knight as its new chief operating officer (COO).

Knight holds a forensic computing and security degree from Bournemouth University and worked most recently at Resillion as operations director for UK Cyber. Before that role, he led the offensive security team at MTI Technology.

“I’ve spent my whole career working in cyber security and I’m excited to be joining Prism Infosec at a time when the company is experiencing phenomenal growth,” said Knight.

“I look forward to working with the talented teams and ensuring the company remains well-positioned to deliver comprehensive, high-quality cutting-edge services to our client base that align with our strategic objectives.”

At Prism Infosec, Knight will focus on delivering operational efficiencies and will oversee the development and launch of new services.

“We’re delighted to welcome Bradley to the team who has a real passion for cyber security and a great track record in leading and managing teams, delivering value and meeting client needs,” said Phil Robinson, CEO at Prism Infosec.

“His experience in the field building and delivering both offensive and defensive service lines, will be fundamental in ensuring we broaden our service portfolio over the coming months as well as maintaining the highest levels of service while the company continues to expand.”