QuoStar launches 24/7/365 UK-based service desk as part of 2022 rapid growth trajectory


QuoStar is one of few UK businesses that is onshoring – while others offshore support facilities.


As a leading IT consulting and service provider, we now deliver 24/7/365 service desk support, giving clients specialist assistance exactly when they need it. This additional UK-based provision has been bolstered by the raft of new, experienced hires taken on since November 2021.

The service was designed as part of our ongoing response to the impact of Covid-19. QuoStar recognises that in today's working world businesses operate differently, so we have adapted our business model to suit the needs of our clients.

Today’s flexible and hybrid working means individuals are now working outside of the usual office hours, and they require support at any time to continue to work effectively and securely.

For QuoStar, it's not just about the support, it's about why it matters.

A true UK-based 24/7/365 operation means we can respond promptly, manage clients' security needs around the clock and take a proactive approach to management and maintenance, which is far easier to carry out outside a client's working or opening hours.

Doing away with the traditional 'First Line Support' tier means the QuoStar support team is more efficient and clients get a better service: every member of staff is experienced from the first point of contact, rather than simply logging a ticket for an issue to be dealt with in the morning.

The 24/7/365 service desk follows the launch of QuoStar’s on-demand CIO (Chief Information Officer) and CISO (Chief Information Security Officer) services last year, all focused on giving organisations the services they require to operate and compete in the new working world.


Robert Rutherford, CEO at QuoStar comments:

“IT services require more support and management than ever before as businesses try to settle between hybrid and in-person working models. Continuing to provide flexible and cost-effective solutions for our clients therefore remains a key priority for us this year. With our UK-based 24/7/365 service desk, we’re adding another tool for our customers to benefit from the support of our growing team of highly skilled professionals.”

“The last two years, whilst challenging, have brought the opportunity for us to assess our ability to remain agile and efficient as a business whilst making us more resilient to dealing with redefined ways of working. QuoStar aims to provide services that respond to our customers’ changing needs in the long term, and we’re ready to bring disruption to the market to achieve that.”

Please get in touch if you’d like to know how QuoStar can help your business.

A 5-step guide to the actions necessary in the face of security or privacy breaches

Security and privacy breaches are on the rise globally, with potentially serious implications for businesses that are not able to handle them promptly and efficiently.


If underprepared, this can feel like a vast and confusing maze to navigate, especially for small and medium businesses.

However, with just a few simple steps, businesses can ensure they take the most appropriate response to a breach and give themselves the best chance of mitigating the impact of an attack. Below are the top five suggestions from our Head of Security and CISO as a Service consultant, David Clarke.

A 5-step guide: what to do in the face of security or privacy breaches

  1. Once a breach is discovered, get all the key stakeholders together to establish some ground rules about how the breach will be handled. Maintain a ‘no blame’ approach throughout. Give the incident a code name for use in emails and discussions to keep communications clear.

  2. Capture every piece of known, suspected or inferred information about the breach to get an overview of the situation. Work only with verifiable facts, even if there are very few, and log every decision. Crucially, no suspicion or guesswork should be released outside the key stakeholders. When you are ready to release information outside the company, do so only via a named spokesperson.

  3. In the case of a personal data breach, work first on the data subject risk analysis: will this breach cause detriment to the data subjects? Then verify and check all available evidence, and challenge it. After a breach, typically only 20% or less of the relevant data remains available, so start to size, scope and quantify the breach and keep doing so as the picture develops.

  4. Brief senior management only with facts and fact-based risk assessments. At the same time, be prepared to notify the relevant authorities and/or data subjects in a controlled manner.

  5. Regulatory bodies judge a business on how a breach is managed, not on the breach itself. Register the issue with the authorities if required, for example where the risk to individuals is high. The initial focus must be firmly on gaining control, confidence and containment.

Ultimately, reach out for professional assistance if needed, and work on containing the breach to make eradication easier.

If you’d like more support or any further information on measures you can take to protect your business, get in touch.

Contact us today for a free security gap analysis assessment.

The ransomware risks to law firms and how to protect against them


Ransomware is the largest threat facing law firms today.

Ransomware attacks increased by 288% in 2021, and Reuters doesn’t expect this to slow down any time soon, wryly suggesting that “Like ‘Terminator’, high-tech cybercrime is expected to keep coming.”

Any business can become a target for cyber criminals, but law firms are among the top targets globally. Even a listed UK law firm was hit by a cyber-security incident this year. Law firms are obviously lucrative and have access to money, so they are often able to pay a ransom where other types of business might not.

However, cash flow is not the only reason firms become a target. Law firms have many points of interaction and are in effect a service business, and service businesses live and die by their reputation. That is what makes them a prime target.


Ransomware risks to law firms: why are they such a good target for ransomware attacks?

They hold valuable data, which fits the ransomware business model. Ransomware is a revenue generator for cybercriminals. It encrypts your practice’s electronic data and, increasingly, takes a copy of the data first, which the attackers can then:

  • Sell to other cybercriminals
  • Hold to ransom over public release of sensitive information
  • Use to take control of your social media and broadcast your data and failings
  • Sell, together with the exploit details, to another cybercriminal
  • Reuse, coming back in by the same route and demanding another ransom


Are law firms financially protected from cyber-attacks?

Typically, a paid ransom will be reimbursed by insurance, but only if the right cyber-security and risk controls were in place in the first instance.

Many firms think they are financially protected simply by having insurance in place to reimburse a ransom payment. However, if the right security isn’t in place, the insurer won’t pay out.


Money isn’t the only loss a firm faces when hit

Greater threats are posed. Here are some of the other ransomware risks to law firms.

Some ransom groups demand a ransom only after they have already posted the firm’s sensitive data, including client data, onto the dark web.

The firm may be able to get operational again, but the real damage goes beyond that: its clients’ data is in effect spread globally for anyone to access. It’s easy to see that the ransom payment is just a fraction of the real cost a firm could face.

A breach means telling clients their data is ‘in the wild’, that other parties can access it and can, in effect, use that information to do much greater damage. That will seriously hurt the firm and everyone it works with.

Regulators then compound that damage. A firm is now looking at huge fines from regulators such as the ICO and the SRA. It’s a horrible place to be, hence the focus from those in the global ransomware business, which is now bigger than the drugs trade (the global cybercrime economy generates over $1.5 trillion).

4 New Square Chambers took an unusual approach this year after they were attacked in mid-June. For damage limitation purposes they obtained a court order demanding that the criminals not share the stolen data. The unidentified hackers were ordered to hand over any information they had obtained by 27 September 2021 or face possible contempt of court proceedings, but only time will tell how well this has worked.


Risk and IT security are not separate entities

Too many in the legal industry view ransomware risk and IT security as separate things, and put cyber security and all the associated risks down to the IT team. That’s just not going to wash with regulators, clients or, very likely, the media. Risk is a board responsibility and accountability, not IT’s.

Of course, the IT team plays its part. However, like every important function in a firm, it needs governance. The whole firm needs to be aware of its role in controlling risk, especially as most IT breaches start with an employee doing something they shouldn’t. The biggest threat to a firm’s security is more often than not something simple, such as someone unsuspectingly clicking a link or giving information out over the phone.


IT can only go so far

New and emerging threats are often targeted at the end user sat at their laptop or on their phone. Technology has its own risks, such as unpatched software or a lost laptop, but people are usually the weakest link. Although employees pose one of the largest risks with one of the biggest impacts, the threats are of course much wider.

The other big risk is vulnerabilities in Internet-facing IT systems, both those run internally and those run by third parties, such as a website host, an IT supplier, or a partner organisation that links into the firm’s systems. Every link into a firm is a risk, and each needs to be evaluated and tested. A firm should certainly penetration test its own systems, but it should also look at those it interfaces with, to ensure they are dealing with their part of the wider risk.


So, how can the ransomware risks to law firms be avoided?

There are certainly basics that should be dealt with, especially where ransomware is concerned:

Have you got an air gap in your backups?

Ransomware attackers want to encrypt your data. That alone may take you down for a few days. But if your backups sit on the same network as your data, the attackers will make sure they are encrypted too, leaving the firm dead in the water with no chance of recovery. Keep at least one backup copy offline or otherwise unreachable from the production network.

Do you have a rigid patch management policy?

Many businesses patch once a week, many once a month. That’s not enough. The IT team needs to be continually aware of new threats and deal with them quickly, or rely on a specialist IT security partner to do so.

Do you use a VPN to protect endpoints on public networks?

Too many firms allow staff to connect from home or from other locations, such as hotels, over unprotected networks. That risk needs to be controlled via a VPN.

Do you consistently train and test your users on how to spot a suspicious email or call?

Again, staff are the weakest link and need to be able to spot suspicious behaviour online.

Do you control USB ports so that non-approved devices can’t be used?

You can’t allow staff to plug anything into a work machine, or into a machine that accesses work machines, without controls in place. In a Rubber Ducky attack, for example, a custom USB device presents itself as a keyboard and injects keystrokes into the workstation, so a control that only blocks ‘storage’ devices is not enough.

Do you have an email security protection system in place?

You need an advanced email security system that checks both the links and the attachments in email. You generally can’t rely on the email provider’s built-in filtering, not even Microsoft’s.

Do you have next generation antivirus in place?

Traditional antivirus isn’t enough to protect against ransomware: by the time a signature scan detects it, the damage is done. You need NGAV (Next Generation AntiVirus), which looks at behaviour and can spot ransomware before it does its damage.

Do you have 2-factor authentication in place?

This is probably one of the biggest protections against ransomware available. A third party can steal a password, but without the second factor, typically a registered device, they still cannot get into your systems.

Do you have a SIEM and a 24x7x365 SOC?

A SIEM is a Security Information and Event Management system; a SOC is a Security Operations Centre. Once you’ve done the other points, you need a system that looks for suspicious behaviour (the SIEM) and a team that can take that alert and respond to it (the SOC). These can be expensive, so you need to make a judged call on how far you should go.

So how do you decide how far you take your IT security?

Well, first you really need to understand all the risks you face: how likely each one is to be realised, and what the impact would be if it were. How do you do that?

You need a system, you need a framework. Too many firms think that because they have Cyber Essentials they are secure. That’s not the case. Cyber Essentials is the very basic level and doesn’t make you secure, especially not against the ransomware risks to law firms.

Have a plan for resiliency.

The only way a firm, and particularly its leadership, can get a grip on IT security is to work at a governance level: to implement an Information Security Management System (ISMS). With an ISMS you are doing the right thing from a leadership perspective. You know your risks, you know the controls over those risks, and you can make a call on what you need and want to do, based on real knowledge.

An ISMS built to a standard such as ISO 27001 will give you complete knowledge of your risks and how you deal with them. It also lets you manage all of your suppliers and third parties, ensuring they don’t pose a risk you are unaware of.

At QuoStar we have a process called “Chain of Resiliency” which highlights the weakest links in your critical systems, whether cloud or traditional server-based. This lets you estimate the cost of a lack of resiliency per system, appropriate to your law firm, and carry out a cost-benefit analysis.


In short, a strong Executive action plan will:

  • Copy what the big tech companies do.
  • Enforce a backup and restore process (the important bit is the restore)
  • Implement an Information Security Management System (ISMS)
  • Use risk as a management tool not as a list
  • Implement Governance over risks with key stakeholders
  • Follow best practice


If you’d like any advice from our CISO on your firm’s cyber security setup, get in touch today.

David Clarke’s take on the new Product Security and Telecommunications Infrastructure (PSTI) Bill


QuoStar’s Head of Security and resident CISO David Clarke shares his views on the new piece of legislation intended to protect the consumer, the Product Security and Telecommunications Infrastructure (PSTI) Bill.


“The Product Security and Telecommunications Infrastructure (PSTI) Bill supports the rollout of future-proof, gigabit-capable broadband and 5G networks, and better protects citizens, networks and infrastructure against the harms enabled through insecure consumer connectable products.” [Department for Digital, Culture, Media & Sport, 24 November 2021]

This is a very interesting piece of legislation, as the “Product Security Measures” apply to manufacturers, importers and distributors in the supply chain for consumer connectable products.

“A consumer connectable product is an internet-connectable or network-connectable product.” [Department for Digital, Culture, Media & Sport, 24 November 2021]


The PSTI Bill

The government has stated that the security requirements will apply in relation to products including: 

  • Connected cameras, TVs, and speakers
  • Smartphones
  • Connected children’s toys and baby monitors
  • Connected safety-relevant products such as smoke detectors and door locks
  • Internet of Things base stations and hubs to which multiple devices connect
  • Wearable connected fitness trackers
  • Outdoor leisure products, such as handheld connected GPS devices that are not wearables
  • Connected home automation and alarm systems
  • Connected appliances, such as washing machines and fridges
  • Smart home assistants


The security requirements, to be set out in regulations, will:

  • Ban default passwords
  • Require products to have a vulnerability disclosure policy
  • Require transparency about the length of time for which the product will receive important security updates.


The scale of devices with weak security is huge: Kaspersky research says there were 1.5 billion attacks against IoT (Internet of Things) devices in the first six months of 2021.

As we speak (7 December 2021), more than 300 SPAR convenience stores across the UK have either had to revert to cash-only payments or shut altogether, following a cyber-attack that forced all point-of-sale devices offline and left the stores unable to take card payments. It’s not the first time a European supermarket has been caught up in a supply chain attack this year: Sweden’s Coop stores were hit with REvil ransomware in July as a consequence of the Kaseya breach.


Ban Default Passwords

The question is, will this legislation make a difference? Removing default passwords will of course make a difference. But on its own it may only delay the inevitable. Will devices have to meet a standard for passwords, e.g. a minimum length or complexity? Will the device lock out after a number of failures, e.g. 10 failed attempts? If not, an attacker’s password-guessing tool will eventually find the password.
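To show why the lockout question matters as much as the ban, here is an added Python simulation written for this page (not code from any device, product or from the Bill itself). A toy device login stores the password properly hashed, once with no lockout and once with a 10-failure lockout, and is attacked by a script guessing 50 passwords a second from a constructed wordlist. The device model, the wordlist, the guess rate, the 300-second lockout and the weak user-chosen password are all assumptions.

```python
"""Default-password ban vs. online guessing: does the device throttle failures?

Added example for this page. The login model, wordlist, guess rate and
lockout values are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional


class DeviceLogin:
    """Password check for a connected device. The stored password is salted
    and stretched (PBKDF2), which protects the hash if the flash is dumped
    but does nothing against online guessing; only max_failures does that."""

    def __init__(self, password: str, max_failures: Optional[int] = None,
                 lockout_s: float = 300.0, iterations: int = 1_000):
        self._salt = os.urandom(16)
        self._iterations = iterations      # low only to keep the demo fast
        self._hash = self._kdf(password)
        self.max_failures = max_failures   # None = no lockout at all
        self.lockout_s = lockout_s
        self.failures = 0
        self.locked_until = 0.0

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt,
                                   self._iterations)

    def attempt(self, password: str, now: float) -> str:
        """Return "ok", "fail" or "locked". `now` is a simulated clock."""
        if self.max_failures is not None and now < self.locked_until:
            return "locked"                 # refuse without even checking
        if hmac.compare_digest(self._kdf(password), self._hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_s
            self.failures = 0
        return "fail"


# Constructed wordlist: a few classics, then a seasonal pattern plus a number.
WORDLIST = ["admin", "password", "123456", "letmein", "qwerty", "welcome",
            "default", "camera", "doorbell", "router"] + \
           [f"summer{n}" for n in range(1000)]


def dictionary_attack(device: DeviceLogin, wordlist, rate_per_s: float = 50.0,
                      budget_s: float = 3600.0):
    """Guess at a fixed rate within a time budget. On "locked" the attacker
    keeps retrying the same candidate (it never learns the lockout length).
    Returns (password_found_or_None, attempts_sent, simulated_seconds)."""
    now, attempts, i = 0.0, 0, 0
    while i < len(wordlist) and now <= budget_s:
        result = device.attempt(wordlist[i], now)
        attempts += 1
        if result == "ok":
            return wordlist[i], attempts, now
        if result == "fail":
            i += 1
        now += 1.0 / rate_per_s
    return None, attempts, now


def compare(password: str = "summer490"):
    """Same weak user-chosen password, same attacker, with and without lockout."""
    return {
        "no_lockout": dictionary_attack(DeviceLogin(password), WORDLIST),
        "lockout_10": dictionary_attack(DeviceLogin(password, max_failures=10), WORDLIST),
    }


if __name__ == "__main__":
    for name, (found, sent, secs) in compare().items():
        print(f"{name:10s} found={found!r} after {sent} attempts, {secs:.0f}s simulated")
```

With no lockout the 501st guess lands after ten simulated seconds; with the 10-attempt lockout the same attacker burns the whole hour-long budget on “locked” responses and gets roughly 120 real guesses in, never reaching the password. The lesson for the Bill is that a unique password plus a lockout (or rate limit) is the effective control, not the unique password alone.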


Vulnerability disclosure

A good idea in principle. The difficulty will be whether these devices auto-update, as it’s unlikely many users will have the technical capability to update them themselves.


Important security updates

If security updates are available for two years, similar to the average Android phone, what happens then? Will consumers be alerted when the two years are up? Will this become part of built-in obsolescence, so that phones, doorbells, fitness wearables and washing machines need to be bought new roughly every two years?


“Ensure that consumer connectable products, such as smart TVs, internet-connectable cameras and speakers, are more secure against cyber-attacks, protecting individual privacy and security” [Department for Digital, Culture, Media & Sport, 24 November 2021]

This would seem to indicate that if there is damage to an individual’s privacy, there could be a group action against the TV’s manufacturer, importer and distributor.

Should these devices go through a form of accredited security testing? In business-to-business relationships there is usually a requirement that all systems are patched within 14 days and remain in support by the vendor.

In the age of teleworking, would the “work” supply chain be fully in scope? Home routers should not use a default password, and all software and firmware under the legislation must be in support by the vendor. Should smart speakers be updated? The doorbell, fish tank thermometer, alarm system, Wi-Fi garden lighting? These could all potentially be in scope, especially where someone works from home, as a vulnerability for the corporate workspace.

Just one vulnerable point can allow criminals into a network.

In 2018, attackers compromised a connected thermometer in a fish tank that had a default password. The fish tank was in the lobby of a US casino, and the attackers used it as a foothold to enter the network and access sensitive details, such as bank details.

It’s very difficult to ensure that every link in the chain has appropriate cyber security measures in place and it only takes one vulnerable point to allow criminals into a network. Once they’re in, the knock-on effects can be catastrophic.

This is a step in the right direction, but how do we manage the consequences, and is enforcement likely?

Even the Code of Practice for Consumer IoT Security only mentions encryption and cryptographic keys briefly; it’s not very detailed. Without encryption, how will personal data and passwords be stored safely on IoT devices?

Hopefully, this will be the start of a safer online world. But is it enough? Probably not at this stage.

Will there now be a possibility of a class action against a device manufacturer for privacy infractions? Does this mean the device manufacturer, importer or distributor could inadvertently become a data controller under GDPR if they are responsible, or partly responsible, for a breach? In the long term, the bill raises more questions than it answers.

At QuoStar we manage these types of issues for corporate clients regularly: patch management, passwords, release management and regular upgrades, as well as containing systems and devices that cannot be upgraded, which need to be segregated behind additional security layers.

David Clarke is QuoStar’s Head of Security and resident CISO (Chief Information Security Officer) consultant.

Find out about the security services QuoStar offers or contact us today for a free consultation.

How the need for Managed IT Support Services has changed since 2020


We look at where the IT support needs of SMEs are heading, and why.

Here at QuoStar we’ve certainly seen an increase in demand for Managed IT Support Services, particularly over the last 12 months, and especially from small and medium enterprises (SMEs).


The driving force behind the need for Managed IT Support Services

A primary driver is that IT teams have been running flat out trying to control a significant increase in cyber security threats, whilst dealing with a rapid move to hybrid working over the last 18 months. It’s unlikely to slow down any time soon, with security threats and hybrid working both on the rise. Forbes suggests the hybrid model will rewrite the future of work.

Gartner predicts that: “By the end of 2021, 51% of all knowledge workers worldwide are expected to be working remotely (up from 27% of knowledge workers in 2019).”  They also estimate that remote workers will represent 32% of all employees worldwide by the end of 2021 – up from 17% of employees in 2019. That figure has almost doubled in just two years!

Many organisations have needed the skills, experience and sheer horsepower of a managed services business to speed their projects up, while also taking the reins in various parts of their IT operations, such as IT service, IT security, networking and cloud platforms.


What common snags have IT teams been hitting?

The pace of change within organisations in terms of digital transformation and cyber security has been rapid over the last few years, spurred on even more by the workplace changes Covid-19 forced on everyone.

IT teams have been swamped by internal demands over the last few years, as well as being diverted onto other internal projects pushed down from the board. When you couple that with some quite large skills gaps, managed IT services are a perfect solution, both now and into the future.


What are the benefits of Managed IT Support Services for businesses?

Put simply, Managed IT Support Services give organisations of all sizes access to guaranteed experts and service levels at a fixed cost.

The information technology space is rapidly changing, yet is absolutely critical in virtually every single sector, and for all sizes of operation. Using a managed IT solutions provider means organisations can pick and choose the right operational support to build the IT operation they desire, without many of the complexities and costs of doing it internally.

It’s often extremely beneficial for an organisation to outsource to managed service providers in order to free up internal IT staff to focus on business improvement and transformation. It takes the pressure off when you can leave others to “keep the lights on” so to speak.

The need to free up internal IT teams by outsourcing to a managed service provider is going to be further fuelled by the skills shortage in the UK and globally while the need for rapid transformation within businesses grows as they try to compete on a national – and in many cases international – basis.


Why are managed IT support services so important to SMEs (small and medium enterprises)?

They don’t need, nor could many justify, a full-time resource. But they still need access to, and the ongoing support of, an experienced C-level executive. Having that access means they remain competitive and secure in a rapidly changing world.


What managed IT services can QuoStar offer SMEs?

QuoStar provides a wide range of managed services across a broad spectrum of industries. We predominantly work with businesses of 30-300 employees. It’s often these businesses that get left behind in the market, even though they are the ones most likely to need the additional support.

In terms of sector we vary, but we have a strong base within the legal and recruitment sectors, because our experience over many years has given us great depth of knowledge in those fields, and that in itself is in demand.

We can provide everything a business needs, from the service desk through to IT management and CIO-level consultants, on a flat-fee basis. This allows our clients to pick and choose the right capabilities to support and complement their needs as required.


IT Support & Managed Cloud

We provide businesses, with or without internal IT teams, with the right skills, teams and service levels to keep them available, stable and secure. We run public, private and hybrid clouds for organisations, ensuring that cloud services deliver the right levels of service at the right price point.

  • Fully Managed IT Support: Total Service
  • Co-Sourced IT Support
  • Managed Networks
  • Managed Cloud Services
  • Hybrid working platform: Workspace Ignite
  • Disaster Recovery and Business Continuity
  • Hosted Telephony & VoIP


IT Security

We deliver a wide range of managed security solutions, providing technical controls against the risks posed to organisations on a 24x7x365 basis, so you don’t have to attract, employ and retain IT security experts, something which is virtually impossible for all but the largest enterprises.

  • CISO as a Service
  • SIEM & SOC
  • Audit and review
  • Penetration testing
  • Secure communications
  • Security certifications: ISO 27001, Cyber Essentials


Consulting as a Service

QuoStar provides top-tier, proven and experienced IT leaders, such as CIOs (Chief Information Officers), CISOs (Chief Information Security Officers) and CTOs (Chief Technology Officers) on a fractional basis. This gives mid-sized and smaller organisations access to the support of industry leaders, but again on a monthly basis as and when required.

  • IT Consultancy
  • Cloud Consultancy
  • Office 365 consulting
  • Microsoft Azure Consultancy
  • Network and Communications
  • Infrastructure
  • Agile & Hybrid working


Digital Transformation

We help businesses take the next step in their digital evolution. It’s imperative for any business in today’s world – and even more so when looking for expansion.

  • CIO as a service
  • Data & BI
  • IT Strategy & Roadmaps
  • Process improvement
  • Coaching and mentoring

Ensure your business stays ahead of the curve by using the right Managed IT Services Support for your business.

Get in touch with QuoStar today.

Cyber Security Post Covid: How to protect against attacks


Businesses have done a phenomenal job of keeping going throughout Covid, keeping people working from home while building in layers of security as they go. However, as this new norm sets in, more security needs to be in place for the post-Covid world.


Working from home needs additional cyber security post-Covid

With people working from home, it’s important to realise that there are now layers of security your company can’t easily control. There has, admittedly, been an inherent layer of security during Covid, because people have had to work at home rather than out and about in cafes and public places.

We recommend giving guidance on these issues to staff as they may not realise that their homes aren’t as safe digitally as they might think they are. Training helps, and it is essential. It’s also essential for organisations to undertake risk assessments of their new agile/remote working environments.


Things you should be considering:

Home environments are a business environment

If you want to breach a corporate network, then you seek out the weak links. People themselves, and home networks/devices are without a doubt weak links that need protecting.

Review your remote working environments

It’s essential that security risk registers and controls are revisited regularly. It’s also important to perform regular penetration tests.

Are the roles now paperless?

Do we need collection of classified documents for shredding?

We are sharing screens more

We need to be cautious about what we are inadvertently sharing.

The use of smart speakers and technology at home

We all know Alexa, but there are hundreds of varieties, run by different companies, hosted in different countries on different clouds, and always listening. IoT and AI are likely to further erode the privacy and autonomy of users.


Avoiding successful attacks and creating better cyber security post covid, the short answer…


Before you hide, go seek!

The biggest key to it all: do you know where all of your data is?

Layer it up

It’s essential that you rely on multiple, overlapping layers of cyber security post-Covid. No single control stops a threat: having antivirus software alone will not stop you getting a virus, just as locking a door won’t stop someone burgling your house. Apply the Swiss cheese model of risk management, where each layer catches what the others let through.

It is much cheaper to get your security layers in there first. The layers don’t need to be expensive, just suitable, with good architecture.

Encryption

Your data, particularly sensitive data, needs to be protected whilst traveling over non-corporate networks and whilst at rest – sat on a server, the cloud, a mobile or on a laptop.

Work with what you’ve got

Most companies, even big ones, don’t have the budget or endless resources to do everything; the key is optimising what you have got. A simple one is privilege management: who can get into your digital systems, and how far are they allowed to go?

Know your risks

It’s essential for all businesses, however large or small, to have a risk register. If you don’t know all the risks your organisation faces, how can you possibly ensure you are protected against them? Not doing so is negligent. It’s important that the board understands and signs off the risks, and doesn’t just leave it to IT. Ask yourself what your cyber security risks are post-Covid.

Monitor everything

It’s essential that you monitor all network attached devices for anomalies. If you aren’t looking you aren’t going to see a breach until it’s too late. Many organisations don’t know they’ve had a breach until months after.

 

Business Continuity has been put to the test

Covid has made us test all major categories of business continuity. A few years ago, we’d test things like ‘building unavailable’. Businesses have been put into the real-life working situation of no building available, no public transport, fewer staff numbers and sick and absent staff. We have been hit with all the major categories of business continuity at the same time.

A shortage of senior cyber-security professionals

However, with a global shortage of senior cyber-security professionals, coupled with the prohibitively expensive costs of retaining a full-time, dedicated expert, many businesses may struggle to access the appropriate level of support required.

QuoStar designed the CISO Service to address this problem.

Businesses get access to a dedicated Chief Information Security Officer who will provide senior security leadership and take responsibility for identifying, controlling, and managing risk, making sure the business’s security posture is strengthened.

Get in touch to find out more here.

 

 

Cloud computing – How can companies maximise their investment?

Cloud computing investment

 

Many organisations have seen their cloud computing bills rise and rise, even though many costs have gone down over the last 12 months, on both public and private platforms.

 

So, how should organisations be reviewing their cloud computing to ensure that they are paying the right price for the right cloud infrastructure?

 

Review licensing of your cloud computing regularly

It’s worth regularly reviewing licensing, particularly around the Microsoft stack. Microsoft makes regular changes to licensing, particularly around cloud-based services; some small adjustments can deliver significant savings within an estate. It’s worth noting that many organisations are doubling up on licensing, particularly when using Azure alongside existing Microsoft licensing, i.e. paying again in Azure for licences they already own instead of using the Azure Hybrid Benefit program. If you combine this program with reserved instances, then savings of up to 80% can be made.

 

Reserved Instances

Ensure that you are using reserved instances where appropriate. Many organisations are still using pay-as-you-go billing and ultimately losing out versus locking in pricing for a year or more. In some scenarios you can save more than 70% with reserved instances.

 

Price matching between cloud computing providers

Most public and private cloud providers will match their direct competitors on price. If you are up for renewal on your cloud platform or not in contract it’s important to take this into account. Also, even if you are in contract it may be worth speaking to your provider about extending your contract term for a reduced monthly fee.

 

Look at containers

Cloud containers are lighter-weight than virtual machines and thus cost less. Look at your applications and see which you can repackage into containers to reduce the VM footprint, and with it the costs.

 

Testing environments

Many organisations are paying to host their development and testing environments. This is typically unnecessary, and most cloud providers will allow you to run these workloads and licenses at a significantly reduced cost.

 

Move from database virtual machines

Often, due to technical and operational familiarity, a lot of databases sit on VMs when they could sit in an elastic database. You can gain significant cost-savings, resiliency and often security, without a huge amount of work.

 

Look for redundant disks

So many cloud estates have idle disks lurking around in them. It’s important to identify where these are, as they will be costing you every month. Most cloud providers, particularly in the public cloud arena, make this easy, e.g. look at the disk owner (or lack of one) within the Azure portal’s disk screen.
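The same check can be done programmatically rather than by eye. The example below is added here and is not QuoStar’s code: it reads the JSON that `az disk list -o json` emits, keeps only disks that are unattached and have no owner, ignores disks that are new enough to be part of an in-progress rebuild, and totals the idle capacity. The field names are assumed to follow that CLI output, and the disk records are constructed, not taken from a real estate.

```python
"""Find idle (unattached, unowned) Azure managed disks in an inventory dump.

Added example, not QuoStar's code. Assumes the record shape of
`az disk list -o json` (name, resourceGroup, diskSizeGb, diskState,
managedBy, sku.name, timeCreated). Sample data below is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `az disk list -o json` output.
SAMPLE_AZ_DISK_LIST = json.dumps([
    {"name": "web01_OsDisk", "resourceGroup": "rg-prod", "diskSizeGb": 128,
     "diskState": "Attached", "sku": {"name": "Premium_LRS"},
     "managedBy": "/subscriptions/00000000-0000-0000-0000-000000000000"
                  "/resourceGroups/rg-prod/providers/Microsoft.Compute"
                  "/virtualMachines/web01",
     "timeCreated": "2020-03-01T09:00:00+00:00"},
    {"name": "old-data-01", "resourceGroup": "rg-prod", "diskSizeGb": 512,
     "diskState": "Unattached", "sku": {"name": "Premium_LRS"},
     "managedBy": None, "timeCreated": "2020-03-01T09:00:00+00:00"},
    {"name": "tmp-build-disk", "resourceGroup": "rg-dev", "diskSizeGb": 64,
     "diskState": "Unattached", "sku": {"name": "Standard_LRS"},
     "managedBy": None, "timeCreated": "2021-07-14T08:00:00+00:00"},
    # ActiveSAS: being exported/copied, so not attached but still in use.
    {"name": "export-in-progress", "resourceGroup": "rg-dev", "diskSizeGb": 256,
     "diskState": "ActiveSAS", "sku": {"name": "Standard_LRS"},
     "managedBy": None, "timeCreated": "2021-01-10T08:00:00+00:00"},
])

# Fixed "now" so the sample report is reproducible.
NOW = datetime(2021, 7, 15, 12, 0, tzinfo=timezone.utc)


def parse_disk_list(text):
    """Parse the JSON array produced by `az disk list -o json`."""
    return json.loads(text)


def is_idle(disk):
    """Idle means Unattached AND no owner.

    Reserved and ActiveSAS disks also have no VM owner but are in use
    (reserved for a VM being created, or mid-export), so they are skipped.
    """
    return disk.get("diskState") == "Unattached" and not disk.get("managedBy")


def age_days(disk, now):
    """Whole days since the disk was created (timeCreated is ISO 8601 with offset)."""
    created = datetime.fromisoformat(disk["timeCreated"])
    return (now - created).days


def find_idle_disks(disks, now, min_age_days=7):
    """Return idle disks older than min_age_days, largest first.

    The age filter avoids flagging disks that were detached minutes ago
    during a VM rebuild and are about to be reattached.
    """
    found = []
    for d in disks:
        if not is_idle(d):
            continue
        age = age_days(d, now)
        if age < min_age_days:
            continue
        found.append({"name": d["name"], "resourceGroup": d["resourceGroup"],
                      "sizeGb": d["diskSizeGb"], "sku": d["sku"]["name"],
                      "ageDays": age})
    found.sort(key=lambda r: (-r["sizeGb"], r["name"]))
    return found


def total_idle_gb(report):
    """Total capacity (GB) being paid for but not attached to anything."""
    return sum(r["sizeGb"] for r in report)


if __name__ == "__main__":
    disks = parse_disk_list(SAMPLE_AZ_DISK_LIST)
    report = find_idle_disks(disks, NOW)
    for r in report:
        print(f"{r['resourceGroup']}/{r['name']}: {r['sizeGb']} GB "
              f"{r['sku']}, idle for {r['ageDays']} days")
    print(f"Total idle capacity: {total_idle_gb(report)} GB")
```

The same first filter can be expressed on the CLI itself with `az disk list --query "[?diskState=='Unattached']"`; the age check and the total are what the script adds.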

 

Look at storage tiering

It’s easy over time for data usage on disks to change. It’s important to ensure that the right data is stored on the right type of disk, so that you are paying the right amount to store or process that data. Storage tiering, particularly automatic storage tiering, should be evaluated if not already in use, to get the right balance of spend vs performance.

 

If you’d like an audit of your cloud platforms to validate that you have the right cloud infrastructure at the right price get in touch now.

 

A flexible CISO service for SMEs

Flexible CISO service to the on-demand market for SMEs

The flexible CISO service by QuoStar can help SMEs navigate the ever-changing cyber-security landscape.

Cyber crime is changing quickly; it’s a global issue and it’s ramping up by the day. The cybercrime industry is on target to cost the world $6 trillion in 2021 and is forecast to cost $10.5 trillion by the end of 2025. Everyone is under threat, from the individual sat at home on their iPad or mobile phone, through to small, medium, and large-scale enterprises – even countries!

So how do mid-market and smaller organisations protect against the clear and present dangers? Cyber Essentials? Without a doubt, cyber essentials ‘does not’ make you secure – it is the absolute bare minimum you need to be doing; look at it like locking the doors to your house. It is the same with anti-virus and firewalls – they are no longer enough. 

  • Do the board and IT team really understand the true level of risk they face in every area of the organisation?
  • How are those risks to be evaluated and controlled?
  • Can they make the right budgeting decisions?
  • How do they respond if there is a breach?
  • How do they deal with regulators, such as the ICO (Information Commissioner’s Office)?
  • Is their security stance continually improved?

That’s where QuoStar’s flexible CISO service comes in

As a leading IT consultancy, QuoStar is offering you access to an on-demand CISO (Chief Information Security Officer) service that provides organisations with flexible and cost-effective access to senior cybersecurity leadership, from a fully seasoned professional, as and when they need it.

Our on-demand service provides clients with ongoing senior IT leadership and guidance on cybersecurity strategy, management, and response from a certified and experienced CISO. They will be able to identify, control, and manage the multitude of threats and challenges businesses face in today’s rapidly changing security landscape from the get-go.  

The on-demand service operates in close partnership with senior business leadership and IT teams to ensure both parties hold the relevant responsibilities and accountabilities. They will also help to run and implement Information Security Management Systems, such as IASME or ISO27001. This facilitates enhanced security governance, compliance, and ongoing continual improvement of an organisation’s security position. 

The flexible CISO service is led by QuoStar’s Head of Security, David Clarke, who has over 25 years of experience working in cybersecurity, formerly as Global Head of IT Security at BT and other FTSE100 companies. David currently oversees the development, implementation, and ongoing support of the management of QuoStar’s clients’ information and security-related risks.

 

David Clarke - Chief Information Security Officer at QuoStar

David Clarke, comments:

“As a result of the pandemic, company boundaries have become much more fluid. So many employees now work from home. It’s not always clear what belongs to the company and what is personal. Businesses are now having to manage different servers, cloud services, and access control issues. Their technology needs to be safe and compliant in all these areas before it can be performant.  

“Organisations need to adopt a multi-layer approach to security to manage these risks effectively, but that can be costly. With our on-demand service, however, businesses can truly afford to get the best protection possible, without putting undue strain on the bottom line.” 

The on-demand CISO service follows the successful launch of our on-demand CIO (Chief Information Officer) service earlier this year. Our on-demand CISO service has already seen a rapid uptake of interest, with several businesses already taking advantage of the offering.  

 

Robert Rutherford CEO at QuoStar

Robert Rutherford, CEO at QuoStar, comments:

“We are delighted to add the CISO service, alongside our CIO service. QuoStar gives mid-market and ambitious smaller businesses access to top talent at the level they need. We’ve always been passionate about delivering measurable business outcomes to our clients. Our aim is to reduce risks and improve the bottom line.

“We’ve always taken IT security extremely seriously. We have always kept up to speed with the technical controls for IT security risks. The evolution of the risk landscape, accelerated by COVID and the rise of hybrid working, means we need to implement enhanced IT security governance into our wider client base. Relying on technology just doesn’t cut it any longer – organisations need to be proactively managing risk, continually.”

 

To find out how your business could benefit from our CISO Service, why not get in touch? Or request a free online consultation from our team today.

 

Cyber-Security: Going Beyond Technology

Cyber Security Beyond Technology

Cyber Security beyond technology: a white paper write-up based upon a webinar hosted by David Clarke – QuoStar Head of Security & CISO, and Chris White – QuoStar Head of Consultancy & the CIO Service, in July 2021.

Why is cyber security beyond technology such a hot topic?

Cyber-security is an increasing threat that businesses of all sizes should take seriously. It is a topic that should regularly be on the board’s agenda.

A day doesn’t pass without a business being targeted via ransomware, phishing or DDoS attacks – all causing significant disruption to businesses. For some businesses it has been so bad that it’s affected customers and meant closure.

The destructive rise of state sponsored attacks mixed with organised ransom focused crime gangs has changed the threat landscape dramatically.

Most firms are global and run 24/7, and their assets are mostly digital. The current ransomware situation is dire. A great deal of due diligence now needs to be carried out within supply chains, particularly when working with the government.


We fall like dominoes if we’re not careful

What are the main threats in today’s landscape? Due to the technological set-up of industries today, the knock-on effect of digital disruption is now very large. For example, the US fuel pipeline issue affecting the entire east coast of America was down to digital disruption. The possible effects of digital disruption have always been there, but now the impact and knock-on effects are massive.

Follow the Swiss Cheese Risk Model

In today’s threat landscape, layers of cyber defence need to be in place. Not one or two, but several layers. This is similar to the model used in the aircraft industry: the Swiss Cheese risk model!

When Swiss cheese is sliced it has holes, and that’s ok. The problem is when several holes inadvertently line up. Applied to security measures, that’s when disaster can strike: the force magnification turns a few small risks at lower levels into one large risk.

Clients increasingly want to understand the security measures taken by a business. This in turn means questionnaires, audits, and hoops to jump through before business can be conducted. Requirements need to be met.

Unfortunately, due to the increase in cybercrime over the last couple of years, it’s more a case of WHEN it happens than IF it happens.

 

Prevention is better than cure

Businesses need to start preparing for an attack, rather than preparing to handle one. If you are handling it, it’s too late and the financial damage to deal with it has already been done. The down time caused by having to deal with an attack can cost millions a day potentially. In this case prevention really is better than cure.

The consequence of a breach is not just dealing with the ransomware attack itself. It may lead to having to rebuild your whole IT infrastructure: moving physical servers, migrating networks or changing cloud systems. These are things that take a huge effort but need to be done in a very short timeframe, days or weeks at most, before you are out of business. The Law Firm DLA Piper paid 15,000 hours of IT overtime as a result of their attack!

Smaller organisations still face huge financial impacts and disruption, both to themselves and to their clients. Firms must take care of client data too. Breaches of that data can damage reputation, as well as run the risk of potential fines and punishment that can escalate rapidly. Regulators, including the ICO, are becoming increasingly interested in these types of events.

So, how can we avoid successful attacks? It is much cheaper to get your security layers in there first. The layers don’t need to be expensive, just suitable, with good architecture.

 

When will they come for you?

It may seem obvious, but most attacks happen when you’re most vulnerable – for obvious reasons. Particularly during long weekends and bank holidays. So, have a robust plan of how to record a risk, even out of usual hours. Once reported, a risk can be managed or monitored from there at least.

Escalation

It is a real struggle to get this message across to boards. If you’re responsible for security (not just IT but business issues, with IT holding a major stake) have a really robust, easy to use process so anyone can escalate an issue no matter how trivial it is. No, this does not include having to read a 500-page document just to submit a threat.

Stay in touch

A security manager would much rather be called with a minor issue to solve at 3am, than to not be told at all and find out a few days later that there is a huge security breach to deal with and very few options left. Have a robust submitting system. Ideally calling, rather than email, so that someone knows it is being dealt with.

Know all the links in your chain

Supply chains are often the biggest cause of problems. You need to ensure there are correct contacts in place for when issues arise. Who are your contacts? When are they available? Know in advance because you need an immediate handle on things when it hits the fan.

Even in large firms, digital security does not get the same day-to-day attention and resourcing that physical security does.

 

The more the merrier?

Companies tend to worry about the role of security if they have thousands (or tens of thousands) of staff. But in reality, the actual number of calls that come through to security as risks is very low, and 98% of those calls are well worth looking at.

The advantages of cloud vs. on premises

Data centres are highly complex – the building itself must be highly resilient. If you are reliant on one data centre or server room, sooner or later, they will go down. Generally, the cloud takes that risk away.

If done right, moving to the cloud shouldn’t be a barrier. But remember, whichever you choose, security isn’t a one-and-done deal. It’s a moving target: it needs to be managed, and the risks monitored, all the time.

What are the risks with the cloud?

Are there additional risks in moving to the cloud? And if so, what can we do to mitigate them? The usual objection to moving to the cloud is security. But there is an argument that the cloud provider knows more about security than most businesses do – it’s their bread and butter.

Companies should be working on the basis that, at some stage, they may be hit – and should know what to do if that happens. There needs to be upfront planning and putting procedures in place.

 

The Regulators are watching

Regulators want us to take due care and attention of our clients’ data. That’s why breaches cost the company. One of the first questions posed by the UK ICO is: have your staff been trained? Most breach enforcement notices happen due to lack of training or management, as opposed to the breach itself. This training needs to be demonstrable on an ongoing basis.

A security aware culture starts at the top.

The security aware culture starts at the top. That should be followed by various layers beneath: technology, endpoint protection, patching. The layer around staff is based on awareness and the knowledge to mitigate situations, as well as supplier due diligence.

There needs to be upfront planning and procedures put in place. There are philosophical decisions to be made before a security breach happens. You could well experience something that propagates. Your customers could also come under attack. Do you focus resources on protecting customers first or the business?

To best manage cyber-security risks, assume the worst-case scenario in order to avoid any unnecessary surprises – and prepare/plan for it.

Business Continuity has been put to the test

Covid has made us test all major categories of business continuity. A few years ago, we’d test things like ‘building unavailable’. Businesses have been put into the real-life working situation of no building available, no public transport, fewer staff numbers and sick and absent staff. We have been hit with all the major categories of business continuity at the same time.

Businesses have done a phenomenal job to keep going. To keep people working from home.

A shortage of senior cyber-security professionals

However, with a global shortage of senior cyber-security professionals, coupled with the prohibitively expensive costs of retaining a full-time, dedicated expert, many businesses may struggle to access the appropriate level of support required.

 

QuoStar designed the CISO Service to address this problem

Businesses get access to a dedicated Chief Information Security Officer who will provide senior security leadership and take responsibility for identifying, controlling and managing risk, making sure the business’s security posture is strengthened.

Book your free consultation now. Find out more quostar.com/ciso-as-a-service

 

Fill out this form to download a PDF copy of this Cyber Security Beyond Technology white paper.


This write-up covers aspects of cyber-security, threats, actions to be taken, the risks of moving into the cloud, responsibilities, managing vendors and how to build a security aware culture.

If you’d like to attend one of our live webinars you can see the upcoming events in our calendar.

Being a CISO in 2021 – our Head of Security David Clarke

Our Head of Security, and CISO Service lead, David is recognised as one of the Top 10 influencers by Thomson Reuters, and a Top 50 global expert by Kingston Technology. He is also one of the Top 30 most influential thought-leaders and thinkers on social media in risk management, compliance, and regtech in the UK.

 

In his role as Head of Security at QuoStar, David leads the CISO Service. The CISO service provides businesses with the cyber-security skills and experience necessary to manage the multitude of threats and the rapidly changing risk landscape of today, on a flexible and cost-efficient basis. David takes a moment to share his views on it all.

 

1. How did you get started in the security field and ultimately become a CISO?

David: I was around when some of the first Viruses went mainstream. Back then I worked for one of the only companies that made Multi Factor Authentication systems in the 90’s. It was “leading edge” at the time.

I built and ran one of the largest commercial remote access platforms using Multi Factor Authentication. Then I ran Infosec for some FTSE 100 companies, one of which was the largest private trading network in the world – trading 3.5 trillion dollars a day. Another was managing Global Security Services Operations Centres (24/7) across 4 continents, where most of the customers were FTSE 250.

 

2. What do you enjoy most about working as a CISO Service resource/consultant?

David: Meeting challenges of audit, due diligence, and breach management.

Audit is getting more involved and complex and due diligence is often 300-400 questions and an “interview” with the compliance department of potential customers.

Dealing with breaches is about managing with around 10% knowledge of the situation and making decisions in a very short time for the best outcomes – while ensuring buy-in from the board. They always seem to happen on Friday evening!

 

3. As Head of  Security, what challenges or issues do you regularly see in small and mid-market businesses? Why do you think the same issues keep occurring?

David: 1. Robust management of access and privilege management. 2. Managing risk consistently. 3. Not aligning Cyber Security with Data protection requirements – as they overlap at a core level.

If you have control of the information assets, servers and cloud, information security is much easier to manage. It enables savings in resource and effort if this happens, and can demonstrate control and improvement to the business.

 

4. How do you think the security landscape has changed in the last five to ten years?

David: As a CISO Service lead, I believe it is managing the hybrid of internal servers and cloud – and managing the challenge of access control. The company boundary is very fluid, especially where ‘what’s company and what’s personal’ is concerned.

One of the best frameworks is ISO27001. It is good for demonstrating accountability and decision making. It also aligns with SOC2 and parts of HIPAA quite well.

 

5. What do you think will be the emerging risks businesses need to consider in the next 1-2 years?

David: It used to be technology first, then followed by making technology safe and compliant. Now technology needs to be safe and compliant first, and performance orientated second – along the lines of what has happened in the automotive, aerospace, building and food industries.

The risks potentially surround the technology itself not having enough security management capability, or that if it does it can be resource intensive. There’s also the globalisation of threat actors and the capability of managing multiple global data protection regulations.

More recently, the US Biden government issued a memo to US businesses (in summary, on June 2) stating the 5 best practices – one being Multi Factor Authentication. Other important aspects are multi-pronged backups, updates, incident response, external testing and network segmentation.

 

6. Has the Covid pandemic exacerbated security concerns or introduced new ones for businesses to deal with?

David: Probably, due to homeworking and fast transformations of moving office servers to the cloud, as well as an increase in Ransomware attacks, an increase in Data Protection legislation globally and the increase in corporate security due-diligence concerns.

It has been an increasing challenge for a Head of Security. We have seen an increase in demand from due diligence enquiries, especially for more detailed homeworking policies and guidelines. So, the lines have blurred as to what is home device or a work device. The “physical office” is now the home office, and mandating rules now have to be guidelines that are appropriate – as well as using more layers of defence to protect staff and corporate assets.

 

7. Do you think businesses focus too much on the technical/technology element of security (e.g. AI solutions)? What other areas do they need to consider?

David: Potentially yes; without an end-to-end strategy, security technology “tactics” are unlikely to see an ROI (Return on Investment).

As Head of Security, I see the human element of security is also overlooked quite often. Especially when you consider that almost half of all security breaches are caused by human error. This is even more disconcerting when you consider that only 60% of employees will report a security breach too.

We are actually hosting a free webinar on that subject on 29th July 2021 at 1pm, so if you’d like to know more register for free.

 

8. How important is cyber-security education? What are the challenges for a Head of Security conveying the risk/educating business? Who in the business needs to receive education/training and how often?

David: Education is very important, as is having the appropriate training for each role, ideally aligned to the company’s risks – so that maximum benefits can be realised, e.g. developers would require different training from HR staff, as the risks they are managing are different.

Of course, there will always be a need for baseline cyber and data protection training. You can find out more about what Security Awareness Training there is available for employers and employees in our article here.

 

9. Do you feel there is a security skills/talent shortage? What advice would you give to businesses to combat this?

David: I’m not entirely sure. If there is a shortage, there is definitely a misunderstanding of what skills are required.

Personally, I would align the risks and the strategy, then decide what skills are required to make it happen. It may be that companies would benefit from outside help – to formulate the strategy, and always have access to a range of skill levels onboard to achieve skills resilience.

The other issues that many companies seem to come up against are 24/7 and global, so having just one capable Security resource will not be enough to cover these time periods.

 

10. As Head of Security, what advice would you give to businesses who want to reduce risk and increase their security posture?

David: Manage Risk regularly with key stakeholders.

Ideally, do not remove a risk or lower a risk without evidence from at least one of the following: a policy, procedure, penetration test, internal audit, external audit or risk committee approval. This will demonstrate accountability and assist in managing data protection, to enable a defensible position in the security posture.

Ensure a multi-layer approach to security. Utilise things like access control, least privilege, approved applications, strong email defences, layered endpoint security, centralised control of endpoints and access, plus multiple-point backups.

 

11. If there was one security investment you could recommend to businesses what would it be and why?

David:

One piece of tech most companies aren’t using

To keep companies ahead, Secure Access Service Edge will help with Cyber security and Data Protection. The ROI is great! It releases staff time, and the payback can be in months.

One framework

You can manage risk and accountability using the ISO27001 framework. If you are not going to be certified, ISO27001 also helps align with NIST and SOC-2, and can help align some components of Data protection. It can clearly demonstrate accountability.

Training that is focused on the role in the business is most appropriate, using the “Incident” metrics to tailor training and technology requirements.

One practice

Have a data/Cyber champion in every business function so you’re able to manage threats and risk, and increase incident reporting capability to enable “real-time” issue management.

 

We hope you found David’s current take on Cyber-Security insightful. During his career David has worked across multiple sectors, including financial services, government, utilities and FinTech, working with a variety of clients – from start-up level and SME up to FTSE 100. He previously held the role of Global Head of IT Security at BT and Radianz (formerly Reuters). He’s also been responsible for managing the security infrastructure and delivery of ISO 27001 for multi-billion/trillion-dollar environments. He is also an active CISO consultant on our CISO service offering.

Find out more about how to improve security within your business by signing up for David’s free webinar, The Important Role Your People Play in Cyber-Security, on Thursday 29th July at 1pm.

 

Book an online review with QuoStar’s consultancy team today.

 
