Blog - March 2019, London, UK
Small and medium-sized enterprises are under pressure to protect themselves against cyber attacks, not least to mitigate the risk of being excluded from supply chains.
In a rapidly evolving landscape of cyber threats, many organisations are focusing their efforts on protecting the confidentiality, integrity and availability of their networks and systems. While this is important, small to medium enterprises (SMEs) are typically failing to understand the wider risks and to implement basic cyber hygiene measures. This complacency compromises not only their own IT environment but also that of the suppliers and partners within their supply chain.
New research conducted by the Federation of Small Businesses (FSB) found that 65% of UK small businesses have no plans in place to deal with potential supply chain disruption, including cybercrime. The threat is real, and SMEs need to act or risk their business failing for lack of a robust cyber security strategy.
The weakest link
A number of big-brand organisations have recently been exposed by data breaches, and although their names made the headlines, in some instances the breach occurred because of flaws at third-party partners. High-profile incidents such as the attack on communications firm TalkTalk, which was fined £100,000 in 2017 by the Information Commissioner’s Office (ICO) for a third party’s misuse of its customer data, have been a wake-up call for organisations of every size.
Like TalkTalk, many organisations rely on a vast network of agile SME suppliers and partners. However, small companies can be easier targets for attackers if they do not have robust security measures in place. With information and security arrangements shared across a supply chain, the cyber security of any one organisation within the chain is potentially only as strong as that of its weakest member.
Research firm Vanson Bourne surveyed 1,300 senior IT decision-makers and IT security professionals in organisations with 500 or more employees. Respondents were drawn from across the major industry sectors and from the US, Canada, the UK, Mexico, Australia, Germany, Japan and Singapore. The study, conducted in 2018, found that two-thirds of respondents had experienced a software supply chain attack, and 90% of those confirmed that they had incurred a financial cost as a result. The average cost of an attack was over $1.1 million.
The survey also found that the majority of organisations are not adequately prepared and feel vulnerable. Almost 90% of respondents believe they are at risk of a supply chain attack, yet companies are still slow to detect, remediate and respond to threats.
A determined attacker will stress-test the cyber security of a supply chain, seeking to identify the weakest link and use any vulnerabilities present to gain access to other members of the chain. Whilst not always the case, it is often SMEs, with their limited IT expertise and resources, that have the weakest cyber security arrangements. Once an attack against an SME supplier has succeeded, attackers can leverage that access as an entry vector into the larger partner’s network.
Securing the supply chain down the line
Following the introduction of the EU General Data Protection Regulation (GDPR) and the broader range of fines available to the Information Commissioner’s Office (ICO), large organisations are realising that it is no longer enough to secure their own network; they must also pay attention to securing their supply chain.
Enterprises at the top of a supply chain will increasingly require certification as proof of security and compliance, or will want contractual warranties and indemnification to protect themselves. The increased risk of a data breach and of GDPR enforcement is pushing companies to build cyber security requirements into their contracts with processors, contractors and service providers. Larger organisations, averse to reputational damage and business disruption, will choose to use only those suppliers that are certified as part of their due diligence and selection process.
The increased risk of cyber attack is not only a concern within the commercial enterprise. The US Department of Defense (DoD) required all contractors that process, store or transmit Controlled Unclassified Information (CUI) to meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by 31 December 2017 or risk losing their DoD contracts.
Effective cyber-security risk management with certification
SMEs can protect themselves against cyber attacks, and mitigate the risk of being excluded from supply chains, by undertaking a certification process. Cyber Essentials is a UK government- and industry-backed scheme to help all organisations protect themselves against common attacks. Developed in collaboration with Information Assurance for Small and Medium Enterprises (IASME), it sets out basic technical controls for organisations to implement, against which they are assessed annually. The aim is to ensure that companies understand their cyber risks, implement appropriate defences and meet minimum cyber security standards without hindering their business, and that best practice is shared.
With larger organisations increasingly validating that sufficient cyber security standards are implemented across the entire supply chain, SMEs risk losing contracts if they cannot demonstrate the minimum level of compliance and information security expected by their partners. SMEs that are not prepared to take cyber security seriously will be weeded out by business failure, whether through a data breach or through being unable to compete with certified businesses.
It is time for SMEs to act, adapt their information security practices to the new landscape and demonstrate their cyber credentials. By using an online information security management system (ISMS) that incorporates Cyber Essentials, an SME can undertake certification guided by a virtual online security officer (VOSO) as part of its wider cyber security measures. This helps the organisation to coordinate all of its security practices in one place, consistently and cost-effectively, keeping it safe and competitive in 2019 and beyond.
Blog - January 2019, London, UK
Cyber risk remains a key concern for every boardroom and every small to medium enterprise (SME) business owner. The current cyber landscape is chaotic, encompassing state-sponsored hackers, financially motivated cybercrime gangs and simple negligent data loss. Risk is everywhere and liabilities are high. Cyber threat remains one of the most significant and fastest-growing risks facing organisations today, and too few are prepared.
The global average cost of a data breach per compromised record in 2018 was $148, a 6.4% increase on 2017, according to the Ponemon Institute’s 13th annual Cost of a Data Breach Study. Interestingly, the locations that experienced the most expensive data breaches include the US and the UK, where notification costs are nearly five times the global average. It is clear the problem is not going away. Although cyber security most often makes the headlines because of large breaches, the most frequent target is actually SMEs. Smaller organisations are by nature agile and innovative, harnessing the power of technology and the Internet to reach their customer base; however, this also increases their attack surface. Research conducted by the National Cyber Security Alliance found that 60 percent of hacked small and medium-sized organisations go out of business within six months.
Five reasons for cyber insurance
Becoming more resilient to cyber risk in an age of digital disruption means understanding the full scope of cyber governance responsibilities. Here are five reasons why every business, regardless of size or ownership, needs cyber insurance:
1. Cyber crime is growing exponentially – the overwhelming majority of businesses rely on online services, which exposes them to cyber security risks. The 2018 Cyber Security Breaches Survey, conducted on behalf of the UK Government, found that 43% of UK organisations surveyed had experienced a cyber security breach or attack in the previous 12 months. With sophisticated attacks now commonplace, businesses need to assume that they will be breached at some point and have cover in place to mitigate the impact.
2. Data breaches are costly – as mentioned above, the Ponemon Institute’s 2018 Cost of a Data Breach Study puts the average cost of a stolen or lost record at $148 and the overall cost of a data breach at nearly $4 million. That is before any fines and sanctions under the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which comes into effect on 1 January 2020 and will surely add to those costs.
However, the real expense of an attack is not just the financial damage suffered or the cost of remediation; a data breach can also inflict untold reputational damage. Suffering a cyber attack can cause customers to lose trust and spend their money elsewhere. A reputation for poor security can also lead to a failure to win new business or government contracts.
3. Organisations can be held legally and financially liable if third-party data is compromised in a breach – emerging regulation, such as that announced by the US Department of Defense (DoD) and the EU’s GDPR, places the responsibility on organisations to appoint only third parties who can provide sufficient guarantees that the requirements of NIST SP 800-171 and GDPR respectively will be met. Both the DoD and the UK’s Information Commissioner’s Office (ICO) will hold liable, and may penalise, any organisation that has not carried out due diligence to ensure its third parties are compliant. Regulatory fines have become synonymous with data breaches, and the fact that cyber risks are now global makes complying with the various regulatory responses across different geographies all the more challenging.
4. Standard insurance policies do not cover cyber risk – cyber insurance is specifically designed to cover the unique exposures of data privacy and security, and can act as a backstop to protect a business from the financial and reputational harm resulting from a breach. While some categories of loss might be covered under standard policies, significant gaps often exist, and a single cyber event can touch numerous lines of cover. Standard policies are unlikely to cover the cost of even a ‘standard’ security breach, let alone a targeted cyber attack or ‘hacktivism’. Only specialist cyber insurance policies provide extensive cover. However, organisations need to research policies carefully to understand the level of cover offered and their own responsibilities for staying within the conditions of the policy.
5. Improved cyber awareness and risk management – insurance is just one piece of the puzzle, and taking out a cyber insurance policy alone will not protect an organisation from attack. Given that the single greatest cyber risk is social engineering, i.e. employees unknowingly allowing an attack to occur, it is critical that organisations get the basics right, such as training every employee to recognise and avoid cyber threats. The fact is that the vast majority of the damage done by cyber attacks is due to the victim’s inability to respond. Organisations need a comprehensive risk management plan that details how the company will respond in the face of a cyber attack, including unknown threats.
Getting the basics right
Given the complexities and ever-changing threats, it is important to be as proactive as possible. Cyber Essentials is a UK government-backed and industry-supported scheme that guides organisations on how to protect themselves against the most common cyber threats. Undertaking a certification route helps organisations, especially SMEs without a dedicated cyber security specialist, to coordinate all their security practices in one place, consistently and cost-effectively.
Certification is a valuable indicator of a mature approach to cyber security. It helps to guard against the most common cyber threats and demonstrates a commitment to cyber security. Whilst cyber insurance can provide a layer of protection when an organisation faces a cyber threat, it is no substitute for good cyber hygiene. Insurance should be viewed as an important addition to a company’s overall risk management, but organisations should not wait for a breach before confronting their cyber risks and exposure.
Blog - January 2019, London, UK
Cyber security has become a fundamental component of business operations. As cyber criminals become more sophisticated and threats continue to evolve, it is vital that companies invest in security policies, procedures and products, regardless of their size, market or location.
Small and medium-sized enterprises (SMEs) are as much at risk from data breaches as large organisations. According to the Cyber Security Breaches Survey 2018, 42% of small businesses identified at least one breach or attack in the previous 12 months. This is a significant problem, and one set to grow as criminals find new ways to delve digitally into organisations for increasingly valuable personal information.
However, the problem is not insurmountable, and SMEs can protect themselves against common cyber attacks by undertaking a certification process. Cyber Essentials is a government- and industry-backed scheme to help all organisations protect themselves against common cyber attacks. Developed in collaboration with Information Assurance for Small and Medium Enterprises (IASME), it sets out basic technical controls for organisations to implement, against which they are assessed annually. Here are four reasons to get certified:
1. Mitigate cyber risks
Whilst no security strategy can stop 100% of attacks, the aim is to mitigate the risk as far as possible. The majority of attacks exploit basic weaknesses in IT systems and software, and these can be quite straightforward to defend against. The scheme’s five controls (boundary firewalls, secure configuration, user access control, malware protection and patch management) address exactly these weaknesses, and according to the scheme, being fully Cyber Essentials compliant mitigates around 80% of the common risks faced by businesses, such as malware infections, social engineering attacks and hacking. Cyber Essentials aims to provide businesses with a strong base from which to reduce the risk from these prevalent attacks.
2. Identify weak security links in your supply chain
As the saying goes, you are only as strong as your weakest link, and this is especially true when dealing with third parties outside your domain of control. The 2017 Data Risk in the Third-Party Ecosystem study found that 56% of respondent organisations had been affected by a third-party data breach, up from 49% the previous year. This should be a major concern to any organisation, as GDPR makes it clear that organisations are accountable for data breaches caused by the third-party service providers they appoint to handle data.
Organisations, or in GDPR terms ‘controllers’, must only appoint third-party ‘processors’ who can provide sufficient guarantees that the requirements of the GDPR will be met and the rights of data subjects protected. By using a third party that has achieved certification through a scheme such as Cyber Essentials or the IASME Governance standard, an organisation can show that it has conducted due diligence within its supply chain. Certification gives independent assurance that the information security procedures of the third-party processor meet a defined standard, which the controller can check is the same as, or more comprehensive than, the procedures it follows itself for the data involved in the contract.
3. Show commitment to cyber security
By displaying the Cyber Essentials badge on its website, an SME can demonstrate to customers, partners and investors its commitment to cyber security. This is particularly beneficial for organisations that store personal information on customers and employees, or that host commercially sensitive data. Through certification, SMEs can proactively provide evidence that regulatory requirements will be met and the rights of data subjects protected.
4. Competitive advantage
Improving cyber security within its supply chain is a priority for the UK Government. It requires suppliers to hold Cyber Essentials certification in order to bid for contracts that involve the handling of sensitive information or the provision of certain technical services. Beyond the public sector, Cyber Essentials gives certified SMEs a competitive advantage when competing for any business, as they can demonstrate their security credentials and their diligence in defending the integrity of their customers’ data.
Supported at every stage
Achieving safety and compliance does not have to be a costly or complex project. By using an online information security management system (ISMS) that incorporates Cyber Essentials, SMEs can undertake a certification route guided by a virtual online security officer (VOSO) as part of their wider cyber security measures. This helps the organisation to coordinate all its security practices in one place, consistently and cost-effectively. Additionally, SMEs can take advantage of the expertise of online cyber security consultants at a fraction of the cost of a full-time in-house security specialist or a team of consultants.
Certification has many benefits: it drives standardisation within the supply chain, and it is a good differentiator for SMEs that provide services, as it demonstrates diligence in information security. The UK National Cyber Security Centre has taken a leadership role in providing the technical expertise behind the Cyber Essentials scheme, ensuring that it encompasses the country’s best technical insight and experience. Cyber Essentials certification can help SMEs implement strong cyber security hygiene practices and benefit from the new digital world.
News Release - 11 December 2018, London, UK
Cyber security specialist CySure Ltd has partnered with Rubitek as a digital consulting re-seller. Rubitek has added CySure’s Virtual Online Security Officer (VOSO) to its digital consulting offering to support businesses worldwide with their cyber security.
Sammy Williams, Digital Architect at and Director of Rubitek, said: “We are delighted to introduce CySure’s VOSO to our product suite. Cyber-attacks are becoming increasingly prominent in the world of business, so to be able to help small and medium-sized enterprises (SMEs) prevent attacks is a really exciting opportunity for us. VOSO fits in nicely with our established digital consulting products, and we’re all looking forward to supporting businesses all over the world, one click at a time.”
SMEs in the UK are just as much at risk from data breaches as large organisations. According to the Cyber Security Breaches Survey 2018, 42% of small businesses identified at least one breach or attack in the previous 12 months. Suffice it to say, this is a significant problem, and one that is only set to increase as online criminals continue to discover new ways to access the valuable personal information stored by businesses.
Sammy continued: “We chose to partner with CySure because VOSO incorporates the high security standards, around-the-clock monitoring and action-led reports we offer our customers. CySure shares our values and vision of helping SMEs stay cyber-safe and, like us, no challenge is too complex, and no goal is too grand for them. Together, our aim is to shield as many SMEs from internet-based attacks as we can.”
VOSO incorporates both US NIST and UK Cyber Essentials security standards to guide enterprises through the certification process, ensuring the right steps are taken to keep data secure and organisations compliant.
When it comes to the world of GDPR, CySure maps the security component of the regulations into VOSO and breaks them down into digestible, easy-to-follow actions. This enables businesses to clearly navigate their way through a staged compliance approach and work towards Cyber Essentials (CE). Many companies see CE certification as a commercial differentiator and evidence of their commitment to cyber security.
Joe Collinwood, Chief Executive Officer of CySure, concluded: “Cyber security has become a fundamental component of business operations but, unfortunately, some SMEs are lagging behind.
“It’s vital that SMEs safeguard their business by investing in security policies, procedures and products. CySure is partnering with Rubitek because its market-leading consulting, design and solution architecture services complement VOSO, and we share the same objective to support SMEs in implementing strong cyber security hygiene practices so they can thrive in today’s digital economy.”
For more information about Rubitek, visit https://rubitek-consulting.com
Blog - December 2018, London, UK
Even before GDPR came into effect in May 2018, there was concern over the inconvenience and financial burden that becoming compliant places on organisations, especially small and medium-sized enterprises (SMEs) lacking full-time IT expertise. It is all very well for commentators and reports to recommend that organisations allocate between 9% and 13% of their IT budget to cyber security, but if there is no budget in the first place that advice is meaningless.
What questions to ask?
In truth, are we asking the wrong questions when it comes to GDPR and cyber security for SMEs? Asking a smaller business the size of its IT budget is not particularly relevant when the majority of such companies work on a “break and fix” basis. The real questions should be: are there proper organisational policies and technical measures in place to secure their customers’ and employees’ personal data, and what measures are in place to stop staff doing what they should not be doing and thereby putting the organisation at risk of attack and non-compliance?
The Data Protection Act 1998 states that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. This is known as Principle 7, and GDPR restates it as the ‘integrity and confidentiality’ principle. SMEs are therefore already expected to have adopted Principle 7, with GDPR sitting on top of it; however, it can only be achieved through people and processes to ensure correct implementation.
There is no single product that will provide a complete guarantee of security for any business. The recommended approach is to use a set of security controls that complement each other but will require ongoing support in order to maintain an appropriate level of security.
There is a lot of misinformation about GDPR, but what has not been fairly represented is the business benefit. The real driver for adopting new compliance principles should be to make businesses more efficient, secure and competitive.
A key point of GDPR is that where a business relies on customers’ consent, that consent must be a clear, unambiguous opt-in. For example, an organisation’s policies must state precisely what data is being collected, what it will be used for and how long the company will store it. In essence, GDPR is about putting the power over data back in the hands of consumers, giving customers a better understanding of where their data is and what it is being used for.
Organisations concerned about meeting compliance regulations could benefit from undertaking a Cyber Essentials (CE) or CE Plus certification route through The IASME Consortium Ltd, guided by a virtual online security officer (VOSO) as part of an information security management system. This helps them to manage the business safely, avoid cyber threats and become GDPR compliant.
The benefit of this approach is that SMEs can take advantage of the expertise of online cyber security consultants at a fraction of the cost of a full-time in-house security specialist or a team of consultants. The process can be broken down into a set of discrete actions, providing an easy-to-follow, staged approach to compliance. By taking away much of the time-consuming administrative burden, a VOSO frees up management to focus on policies, procedures and employee training to create a cyber-aware and compliant culture.
To become GDPR compliant, organisations must have a comprehensive understanding of their data, which also gives them the opportunity to understand their customers better. In order to comply with the regulation, increasing data visibility across organisational silos, de-duplicating lists, and cleansing and mapping data are essential practices.
Organisations can improve data management by detecting and removing redundant, obsolete and trivial files; after all, why take responsibility for something that has no business value? With data cleaned up, employees can be more productive and efficient, working with accurate, easily searchable and accessible data. By improving data management, organisations can reduce risk while unlocking the true value within their data and improving performance.
Cyber security and GDPR compliance do not rest just with IT, whether in-house or outsourced; they are everyone’s responsibility. Small businesses can help their employees comply with the new regulation and protect against data breaches by developing a comprehensive communication and training strategy. Achieving safety and compliance does not have to be a costly or complex undertaking. By using an online information security management system that incorporates Cyber Essentials, SMEs can navigate their way to security and look forward to the benefits of the legislation through competitive differentiation and a new business culture that values customer privacy. It is all a case of asking the right questions in the first place.
News Release - 7 November 2018, London, UK
Cyber security specialist CySure Ltd has appointed EnterpriseRed as a specialist reseller partner in the UK, further extending CySure’s international network of partners across the Republic of Ireland, South Africa, the USA and the UK. The Berkshire-based cyber security experts will resell CySure’s information security management system, Virtual Online Security Officer (VOSO).
After conducting a review of its solution portfolio, EnterpriseRed identified a gap for an information security management system to assist with compliance. CySure’s VOSO was chosen because it enables customers to manage and demonstrate their compliance with the General Data Protection Regulation (GDPR) simply and effectively. VOSO incorporates both the US NIST and UK Cyber Essentials (CE) security standards to guide enterprises through the compliance process, ensuring the right steps are taken to keep data secure and organisations compliant.
Ian Kennedy-Compston, CEO of EnterpriseRed said, “There is a lot of misinformation about GDPR and the cost and complexity of becoming compliant. CySure’s solution cuts through the fog, with clear guidance and support for organisations throughout the process. We see VOSO as adding significant value to the GDPR process spreadsheet completion and envisage this product will significantly assist our customers going forward.”
CySure has been accepted onto the UK Government’s G-Cloud 10 digital marketplace. As part of that process the security component of the GDPR was mapped into VOSO, providing an easy to follow, staged approach to GDPR along with all the policies and training videos necessary to complete the compliance process.
Joe Collinwood, Chief Executive Officer of CySure, added, “The partnership with EnterpriseRed was borne from a joint philosophy that achieving safety and compliance doesn’t have to be a costly or complex undertaking. However, many small to medium enterprises (SMEs) still don’t have the bandwidth to address this matter effectively despite the risk of data breaches. By utilising VOSO, organisations can enjoy the benefit of a powerful information security management system which interprets government and industry standards to ensure the right steps are taken to keep data safe and the organisation compliant. By partnering with EnterpriseRed, CySure continues to extend its footprint in the UK market and we look forward to a mutually beneficial relationship.”
For more information on CySure and its full suite of services, visit www.cysure.net. For more information about EnterpriseRed, visit https://enterprisered.com/
Blog - October 2018, London, UK
The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 with great fanfare, and rightly so. It is the most significant change to data protection legislation in Europe for over two decades and puts individuals back in the driving seat of how their data is used. However, there continues to be a lot of confusion within the business community about the steps that need to be taken to ensure compliance. Consequently, many businesses are suffering from ‘GDPR fatigue’ caused by overexposure to security and legal rules.
GDPR applies even to small businesses
GDPR is designed to govern how every organisation treats the personal data it collects. The size and location of the business are irrelevant: if an organisation holds personal information on individuals in the EU, whether consumers or employees, then the regulation applies. In practice, this means that the principles governing how data should be collected, processed, shared and stored apply to virtually every business within the EU, as well as to those beyond Europe with customers in the European Union. There is no exemption for small businesses or sole traders.
For small and medium-sized enterprises (SMEs) compliance can often be unclear, as many companies have relied on their IT person, an outsourcer or external legal services to advise on and implement data privacy measures. This has left some business owners unsure of what actions are needed to meet the requirements of the legislation.
Cookies and consent - 4 things every business should know
• Data minimisation – businesses should only collect personal information that is directly relevant and necessary to accomplish a specified purpose. If you don’t need it, don’t collect it! Companies should also periodically review the data they hold and delete anything no longer needed
• Integrity and confidentiality – businesses must ensure they have appropriate security measures in place to protect the personal data they hold. This extends to ensuring that any personnel with access to personal data have a legitimate need for it and receive regular cyber security training
• Data protection by design – organisations are obliged to consider data protection and privacy issues upfront in everything they do. In essence, this means integrating, or ‘baking in’, data protection into processing activities and business practices, from the design stage right through the lifecycle
• Breach notification – all organisations have a duty to report certain types of personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. It is therefore essential that organisations develop a robust detection, investigation and internal reporting procedure before a breach happens.
The importance of certification
Certification is one way of demonstrating that an organisation’s approach to processing personal data meets GDPR requirements. Organisations concerned about meeting compliance regulations could benefit from undertaking a certification route, such as Cyber Essentials or the IASME Governance standard, guided by a virtual online security officer (VOSO) as part of a wider information security management system.
Obtaining certification for data processing can help SMEs to:
• Gain a competitive advantage
• Be more transparent and accountable
• Create effective safeguards that mitigate the risks data processing poses to the rights and freedoms of individuals
• Improve standards by establishing best practice
• Reduce the risk of enforcement action.
The benefit of working towards certification through an information security management system (ISMS) is that SMEs can draw on the expertise of online cyber security consultants at a fraction of the cost of a full-time in-house security specialist or a team of consultants. The process can be broken down into a set of discrete actions, providing an easy-to-follow, staged approach to compliance. By taking away much of the time-consuming administrative burden, a VOSO frees up management to focus on policies, procedures and employee training, and so to create an aware and compliant culture.
The processes necessary for GDPR compliance can also deliver commercial advantages; after all, data is the lifeblood of any organisation. By taking a proactive stance towards GDPR, SMEs can take control of their data and engage with customers and prospects on a deeper and more personalised level. SMEs that treat GDPR as a box-ticking exercise are missing the wider opportunity to build trust and confidence with their target audience: their customers.
Joe Collinwood is CEO of Cysure.net
Blog - October, London, UK
With new threats appearing daily, cyber security is becoming increasingly important and complex, yet many business owners don’t have the bandwidth to take the threat seriously. Most news stories have focused on security breaches at large organisations; however, all businesses are vulnerable to security threats, especially if they lack the resources and expertise to implement operational and risk management policies. Cyber criminals prey on this lack of expertise and target medium-sized enterprises because they are easier victims and can be used as a backdoor into larger companies.
The Cyber Security Breaches Survey 2017, conducted by Ipsos MORI on behalf of the UK Government, found that 52% of small businesses had identified a cyber breach or attack in the previous 12 months. The most common types of breach identified were staff receiving fraudulent emails (72%), followed by viruses, spyware and malware (33%), people impersonating the organisation in emails or online (27%) and ransomware (17%). For companies with limited budgets, cyber security can be a tricky job; however, getting “your ducks in a row” with an information security management system is a good place to start.
Here are 5 Steps to Cyber Security:
1. Leadership is vital – cyber security starts at the top of the organisation. If management leads by example and takes an active approach to mitigating cyber risk, that attitude will spread throughout the organisation. Understandably, leaders are often focused on building their business rather than looking inward at complex organisational policies. However, adopting a systematic approach to processes and procedures, promoted by a virtual online security officer as part of an information security management system, takes away much of the time-consuming administrative burden.
Organisations that cannot afford a full-time in-house security specialist can use an online service to guide them through the complex and evolving security procedures and protocols needed to improve their online security and reduce the risk of cyber threats.
2. Education and awareness training – as the Cyber Security Breaches Survey 2017 shows, phishing emails and malware are the two biggest threats to organisations. Both exploit human behaviour, so it is vital that staff are trained to recognise the threat and respond appropriately.
Similarly, accidental breaches, privilege misuse and data loss are often the result of employees not understanding their information security obligations. Educating staff on the ways they could put data at risk helps organisations turn one of their biggest vulnerabilities (people) into an area of strength.
3. Identify your risks – a risk assessment is one of the first tasks an organisation should complete when preparing its cyber security programme. Identifying the risks that can affect the confidentiality, integrity and availability of information is time consuming. However, once threats and vulnerabilities have been identified, an organisation can prioritise which risks to address, and in what order, and take steps to mitigate them. Without an assessment, organisations may miss vulnerabilities, or waste time, effort and resources on events that are unlikely to occur or would not cause significant damage.
4. Regular reviews – policies and procedures are the documents that establish an organisation’s rules for handling data. Policies provide a broad outline of the organisation’s principles, whereas procedures detail how, what and when things should be done. Together they give the workforce a framework of do’s and don’ts for managing data, and they underpin the training that helps employees resist the social engineering campaigns that are one of the main causes of data breaches.
A good information security management system provides policies and procedures and ensures they are reviewed regularly with all employees, so that staff stay up to date and the policies remain effective. If a procedure isn’t working, it needs to be rewritten.
5. The wonders of a dashboard – assessing progress and monitoring improvements is essential to maintaining an organisation’s security posture. A dashboard simplifies this by providing a central location for all plans, policies, best-practice advice and employee training records. Good dashboard software should guide companies through complex security procedures and protocols, display compliance progress against selected standards, including GDPR, and provide online security training videos for continual staff training. A visual traffic-light system quickly shows business leaders how well prepared their organisation is to prevent a data breach or cyber attack.
It’s time for companies to act
By underestimating the true impact a cyber attack can have on their reputation, and the disruption caused while management remediates the situation, businesses are putting themselves at significant commercial risk. Now more than ever it is essential to take action to reduce the risk of cyber threats. Without adequate protection, they are risking their future business growth and development.
Managing risk from inside the organisation is vital and relies upon the application of a consistent set of policies and processes, backed up by continual employee training. By utilising an information security management system that incorporates leading cyber security standards, companies can benefit from the expertise of online cyber security consultants at a fraction of the cost, enabling them to create robust, best-practice policies to help keep their organisations safe.
Joe Collinwood is CEO of Cysure.net
News Release - 28 September 2018, London UK
Cyber security specialist CySure Ltd has announced that its Virtual Online Security Officer (VOSO) has been accepted onto the Government’s G-Cloud 10 digital marketplace. With the latest iteration of the G-Cloud framework, CySure has extended the proven capabilities of the company’s VOSO online solution to protect organisations against the growing threat of cybercrime. It has mapped the security component of the General Data Protection Regulation (GDPR) into VOSO, providing an easy to follow, staged approach to GDPR along with all the policies and training videos necessary to complete the compliance process.
Organisations today, particularly those in the government and public sector, operate in a constantly changing environment where cybercrime is a real threat. Latest statistics from the Department for Digital, Culture, Media & Sport reveal that four in ten businesses and two in ten charities have experienced a cyber security breach or attack in the last 12 months. However, only 27% of businesses and 21% of charities have a formal cyber security policy or set of policies in place.
Joe Collinwood, Chief Executive Officer of CySure, said, “Research from GCHQ reveals that 80% of cyber-attacks are easily prevented when staff are trained regularly, and the right policies are in place. Managing risk from inside the organisation is vital and relies upon a consistent, dynamic process with continual training. Our VOSO solution interprets government and industry security standards in simple terms and outlines the steps to take to protect online equipment and stored data at a fraction of the cost of a human counterpart. We are delighted that VOSO has been accepted onto the government’s G-Cloud framework, the go-to place for trusted technology solutions from suppliers that are thoroughly vetted, can demonstrate clear ways of working and transparent pricing. Our customers in the public sector can depend on our expertise to create a robust, best-practice formula to help keep their organisations safe.”
CySure’s simple-to-use, web-based Virtual Online Security Officer incorporates a comprehensive range of features, including remote monitoring and secure configuration of all networked devices, asset mapping, vulnerability scanning and patching, dashboards to display compliance progress against selected standards including GDPR, and online security training videos for continual staff training. Costing £1 per user per month, VOSO reduces the requirement for expensive in-house cyber security consultants or compliance officers, mitigates the risk of lawsuits and regulatory fines, and ensures employees are trained regularly and kept informed of the latest cyber security updates.
News Release - 24th September 2018, London UK
Cyber security specialist CySure Ltd has signed up Renaissance Contingency Services as the company’s first distributor in Ireland. The Dublin-based IT security and compliance experts will resell CySure’s information security management system, Virtual Online Security Officer (VOSO). The agreement with Renaissance further extends CySure’s international network of partners across the Republic of Ireland, South Africa, the USA and the UK.
Michael Conway, Director at Renaissance Contingency Services said, “Every day, networks and businesses are being attacked by cyber criminals and we need to work alongside partners we can trust to guide organisations through today’s complex security and compliance landscape. We selected CySure after evaluating the marketplace for a solution that would allow our partners and their customers to manage and demonstrate their compliance with the General Data Protection Regulation (GDPR) simply and effectively. When combined with our 30-year track record in the industry, we can jointly offer the depth and strength of solutions and advice our partners need to grow their business while protecting themselves and their customers against the constant threat of cyber attacks.”
CySure has been accepted onto the UK Government’s G-Cloud 10 digital marketplace. As part of that process the security component of the GDPR was mapped into VOSO, providing an easy to follow, staged approach to GDPR along with all the policies and training videos necessary to complete the compliance process.
Joe Collinwood, Chief Executive Officer of CySure, added, “As Ireland’s premier IT security distributor and leading business continuity consultancy provider, Renaissance has an enviable reputation for delivering a robust set of solutions. According to GCHQ research, 80% of cyber attacks are preventable when staff are trained regularly and the right policies are in place. VOSO is a complete information security management system which interprets government and industry standards to ensure the right steps are taken to keep data secure and organisations compliant. This new partnership provides the potential for CySure and the IT channel to create a powerful, valuable proposition to keep Irish public sector organisations safe and secure.”
On 20th September, CySure and Renaissance will co-host a 45-minute webinar entitled “Cyber Security, GDPR and Local Government”. During this interactive tutorial, attendees will learn about the main areas that make public sector organisations vulnerable to attack such as staff and contractor changes, human error and weak internal processes. They will also take away some simple, inexpensive ideas to facilitate their own path to GDPR compliance including the need for continual process monitoring; knowing when to engage external consultants to plug in knowledge and skills gaps while containing costs and a deeper understanding of executive legal responsibilities. To register for the webinar visit https://cysure.net/events
For more information on CySure and its full suite of services, visit www.cysure.net. For more information about Renaissance Contingency Services, visit www.renaissance.ie.
News Release - May 2018, London, England
CySure was founded in 2015, and its VOSO is being launched after two years in development.
Joe Collinwood, CySure's CEO and co-founder, says, "Protecting a small business from Cybercrime is now an urgent issue for the economy. We recognize the typical SMB is already stretched beyond capacity and is struggling to deal with cybersecurity. The arrival of CySure means SMBs can protect themselves the same as a large corporation might, but at a fraction of the cost it normally takes."
CySure has recently completed several field tests and installations with early adopters to demonstrate the effectiveness of VOSO for SMBs. CySure is now available in both the UK and the United States.
CySure believes VOSO is set to become the standard for executing a continual cybersecurity process allowing senior executives to easily monitor and oversee a cyber risk mitigation strategy.
What SMBs need is a simple and inexpensive way to create, implement and enforce cybersecurity policies and procedures with the minimum of resources.
The advantage over competitors is that CySure's SaaS VOSO is inexpensive, makes it easy to implement standards-based security policies and procedures, quickly builds a breach response plan, and paves the way for cyber insurance optimization.
The ransomware program WannaCry that recently attacked computers in more than 150 countries has left small and medium-sized businesses scratching their heads and wondering what to do to protect themselves. The Government offers little practical help for the smaller enterprise. Virus checkers, anti-malware software and firewalls afford only so much safety. The heart of the problem of risk mitigation is not technology but human behavior.
CySure's approach is to take complex government standards, such as those from NIST and Cyber Essentials, and deploy a Virtual Online Security Officer that automatically translates the selected standard into a simple-to-follow solution containing the related policies for the business owner. The service guides executives to the parts of their company's cybersecurity plan that need attention and translates this information into clear, actionable steps. The VOSO continues to monitor a company's performance against the selected standard.
CySure's VOSO allows leadership to understand what to focus on to successfully guard against 80% of all cyber-attacks. CySure understands that some breaches cannot be prevented, so CySure complements their solution with a breach response plan and optimized insurance.
CySure's VOSO creates an audit trail that enables senior executives to easily demonstrate adherence to the highest government standards and that management is discharging its fiduciary responsibility to protect the assets of their company.
CySure believes many SMBs are struggling either to become HIPAA compliant or to maintain that accreditation, as well as to become cyber secure. As a result, CySure plans to initially market its product in highly regulated industries where HIPAA compliance is mandatory, as Cyber Essentials and HIPAA share many similar requirements.
CySure is a start-up with headquarters located in Fair Oaks, California and an office in London.