Cyber Security Post Covid: How to protect against attacks


Businesses have done a phenomenal job to keep going throughout Covid to keep people working from home, and at the same time building in those layers of security as they go. However, as this new norm sets in, there needs to be more security in place for the post covid world.


Working from home needs additional cyber security post covid

With people working from home, it is important to realise that there are now layers of security your company can't easily control. That said, there has been an inherent layer of security during covid, because people have had to work at home rather than out and about in cafes and public places.

We recommend giving guidance on these issues to staff as they may not realise that their homes aren’t as safe digitally as they might think they are. Training helps, and it is essential. It’s also essential for organisations to undertake risk assessments of their new agile/remote working environments.


Things you should be considering:

Home environments are a business environment

If you want to breach a corporate network, then you seek out the weak links. People themselves, and home networks/devices are without a doubt weak links that need protecting.

Review your remote working environments

It’s essential that security risk registers and controls are revisited regularly. It’s also important to perform regular penetration tests.

Are the roles now paperless?

Do we need collection of classified documents for shredding?

We are sharing screens more

We need to be cautious about what we are inadvertently sharing.

The use of smart speakers and technology at home

We all know of Alexa, but there are hundreds of varieties. They are made by different companies in different countries, each using their own cloud, and they are recording all the time. IoT and AI are likely to further erode the privacy and autonomy of users.

Avoiding successful attacks and creating better cyber security post covid, the short answer…


Before you hide, go seek!

The biggest key to it all: do you know where all of your data is?

Layer it up

It's essential that you rely on all 7 layers of cyber security post covid. You can't have just one control to stop a threat: antivirus software alone will not protect you from getting a virus, in the same way that locking a door won't stop someone burgling your house. It's best to apply the Swiss cheese model of risk management.

It is much cheaper to get your security layers in there first. The layers don’t need to be expensive, just suitable, with good architecture.

Encryption

Your data, particularly sensitive data, needs to be protected whilst traveling over non-corporate networks and whilst at rest – sat on a server, the cloud, a mobile or on a laptop.

Work with what you’ve got

Most companies, even big ones, don't have the budget or endless resources to do everything; the key is optimising what you have got. A simple one is privilege management: what are the limits on access to your digital technology?

Know your risks

It's essential for all businesses to have a risk register, however large or small. If you don't know all the risks your organisation faces, how can you possibly ensure you are protected against them? It's negligent not to do so. It's important that the board understands and signs off risks, and doesn't just leave it to IT. Ask yourself what your risks to cyber security post covid are.

Monitor everything

It’s essential that you monitor all network attached devices for anomalies. If you aren’t looking you aren’t going to see a breach until it’s too late. Many organisations don’t know they’ve had a breach until months after.


Business Continuity has been put to the test

Covid has made us test all major categories of business continuity. A few years ago, we’d test things like ‘building unavailable’. Businesses have been put into the real-life working situation of no building available, no public transport, fewer staff numbers and sick and absent staff. We have been hit with all the major categories of business continuity at the same time.

A shortage of senior cyber-security professionals

However, with a global shortage of senior cyber-security professionals, coupled with the prohibitively expensive costs of retaining a full-time, dedicated expert, many businesses may struggle to access the appropriate level of support required.

QuoStar designed the CISO Service to address this problem.

Businesses get access to a dedicated Chief Information Security Officer who will provide senior security leadership and take responsibility for identifying, controlling, and managing risk, making sure the business's security posture is strengthened.

Get in touch to find out more.


Endpoint security in an agile world


Endpoint security has evolved significantly over the last 2 years.

The old signature-based antivirus and basic firewalls are simply not enough to protect businesses from an endpoint breach, be it of a laptop, desktop or a mobile device. The threat landscape has grown massively through COVID, with endpoints outside the protection of the corporate network en masse. How the endpoint is protected is going to vary by the workload and application sets used within an organisation.

Endpoint Security for SaaS platforms and legacy applications

There are two main camps. Those who are predominantly web based, say using Office 365 and a couple of line of business applications that run on a SaaS (Software as a Service) platform. And those who run a mix of legacy applications, probably with Office 365 and perhaps Citrix or Windows remote desktop. There are of course those who use technologies such as AVD (Azure Virtual Desktop), but for simplicity we'll bundle them into the latter camp. In reality, the risks to both are similar and need to be assessed.

Layering is key

The key to protecting all endpoints and ultimately all organisations is to have numerous layers of defence. You can’t simply rely on a single control – because if that fails, or has a security vulnerability, then it’s probably going to be breached. The cybercrime industry is simply enormous, global, relentless and moves at lightning speed.

The more controls and the more checks and balances you have, the more chance you have of another control picking up and stopping exploits. This isn’t about doubling up, it’s about using a number of controls that protect against primary risks but may have some overlap. It’s not just about technology, so organisations really need to work on their risk registers to understand how they are controlling against certain risks and where they are thin.


Information Security Management System

Ideally organisations should be looking at implementing some form of ISMS (Information Security Management System), such as ISO 27001 or IASME, to continually evaluate, test and improve their IT security.

It's now critical to have a framework to manage endpoint security, as things are moving so fast. A business can't simply rely on IT support and security teams to be responsible for data security. It's the board's responsibility to make the decisions on how they are going to protect against particular risks, divert budgets, etc. It's not the IT team that regulatory bodies such as the ICO, FCA or SRA will punish if there is a breach. Neither will clients or the media be fobbed off that it's an IT issue, especially if there is no ISMS in place.


Simplify IT environments

As a general rule, all organisations need to be focused on simplifying their IT environments. Over the years there has been too much bloat, in terms of too many applications, servers and data. This bloat has led to complexities.

The more complex an IT environment, the more difficult it is to secure. Simplifying the environment has to be a primary focus in this new world. Depending on needs, you can generally simplify and ultimately secure the endpoint by not having any data or applications running on it, except the bare minimum. The larger the attack surface, the bigger the danger of an exploit.

This isn’t always going to be possible of course, but where it is, technologies such as Azure Virtual Desktop, Remote Desktop Services and the like do have their place.


Endpoint Security of BYOD (Bring Your Own Device)

More and more organisations are again talking about BYOD (Bring Your Own Device) coming out of the pandemic. In certain circumstances BYOD can be extremely beneficial for a business: for example, giving a 3rd party contractor access to a web based portal, obviously with some security measures such as multi-factor authentication. However, as a general business practice for all staff, BYOD is not a good idea, because in the main it's difficult for an IT team to really lock down someone's own device properly.

There are various container type solutions that isolate data and applications from the underlying operating system that can be used, but depending on what information that employee is dealing with you might want greater control and monitoring of the device. You can’t really do that on an employee’s personal device without impinging on their privacy.


Can CYOD help solve Endpoint Security issues?

One good solution can be a CYOD (Choose Your Own Device) initiative as a sensible middle ground. That way people get the tech they prefer, but the business can overlay whatever security solutions it likes. In particular, SIEM solutions and advanced endpoint protection solutions are becoming more and more critical.

What risks does an endpoint face?

The bulk of the risks that face the endpoint come over the network, as a direct attack against an interface, listening and man-in-the-middle attacks or delivered through an application, such as a web browser or email client. Once the endpoint is breached any follow-on breach to the main corporate network is going to also come from this device.

This is why it’s essential to get some control of the connections to and from the endpoint with technologies, such as SASE, CASB and VPNs. It should be noted that generally traditional VPNs are cumbersome and still problematic, and not ideal in a hybrid world.


Next Steps

If you'd like a free initial review of your security controls, without any obligation, please fill in your details and one of our team will get back to you.

A flexible CISO service for SMEs

Flexible CISO service for the on-demand market for SMEs

The flexible CISO service by QuoStar can help SMEs navigate the ever changing cyber-security landscape.

Cyber crime is changing quickly, it's a global issue and it's ramping up by the day. The cybercrime industry is on target to cost the world $6 trillion in 2021 and is forecast to cost $10.5 trillion by the end of 2025. Everyone is under threat, from the individual sat at home on their iPad or mobile phone, through to small, medium and large-scale enterprises, and even countries!

So how do mid-market and smaller organisations protect against the clear and present dangers? Cyber Essentials? Without a doubt, Cyber Essentials 'does not' make you secure: it is the absolute bare minimum you need to be doing; look at it like locking the doors to your house. It is the same with anti-virus and firewalls: they are no longer enough.

  • Does the board and IT team really understand the true level of risk they face in every area of the organisation?
  • How are those risks to be evaluated and controlled?
  • Can they make the right budgeting decisions?
  • How do they respond if there is a breach?
  • How do they deal with regulators, such as the ICO (Information Commissioner's Office)?
  • Is their security stance continually improved?

That’s where QuoStar’s flexible CISO service comes in

As a leading IT consultancy, QuoStar is offering you access to an on-demand CISO (Chief Information Security Officer) service that provides organisations with flexible and cost-effective access to senior cybersecurity leadership, from a fully seasoned professional, as and when they need it.

Our on-demand service provides clients with ongoing senior IT leadership and guidance on cybersecurity strategy, management, and response from a certified and experienced CISO. They will be able to identify, control, and manage the multitude of threats and challenges businesses face in today’s rapidly changing security landscape from the get-go.  

The on-demand service operates in close partnership with senior business leadership and IT teams to ensure both parties hold the relevant responsibilities and accountabilities. They will also help to run and implement Information Security Management Systems, such as IASME or ISO27001. This facilitates enhanced security governance, compliance, and ongoing continual improvement of an organisation’s security position. 

The flexible CISO service is led by QuoStar’s Head of Security, David Clarke, who has over 25 years of experience working in cybersecurity, formerly as Global Head of IT Security at BT and other FTSE100 companies. David currently oversees the development, implementation, and support of QuoStar’s clients’ information and security-related risks. 


David Clarke, comments:

“As a result of the pandemic, company boundaries have become much more fluid. So many employees now work from home. It’s not always clear what belongs to the company and what is personal. Businesses are now having to manage different servers, cloud services, and access control issues. Their technology needs to be safe and compliant in all these areas before it can be performant.  

“Organisations need to adopt a multi-layer approach to security to manage these risks effectively, but that can be costly. With our on-demand service, however, businesses can truly afford to get the best protection possible, without putting undue strain on the bottom line.” 

The on-demand CISO service follows the successful launch of our on-demand CIO (Chief Information Officer) service earlier this year. Our on-demand CISO service has already seen a rapid uptake of interest, with several businesses already taking advantage of the offering.  


Robert Rutherford, CEO at QuoStar, comments:

"We are delighted to add the CISO service, alongside our CIO service. QuoStar gives mid-market and ambitious smaller businesses access to top talent at the level they need. We've always been passionate about delivering measurable business outcomes to our clients. Our aim is to reduce risks and improve the bottom line.

We’ve always taken IT security extremely seriously. We have always kept up to speed with the technical controls to IT security risks. The evolution of the risk landscape, accelerated by COVID and the rise of hybrid working means we need to implement enhanced IT security governance into our wider client base. Relying on technology just doesn’t cut it any longer – organisations need to be proactively managing risk, continually.” 

To find out how your business could benefit from our CISO Service, why not get in touch? Or request a free online consultation from our team today.

Cyber-Security: Going Beyond Technology


Cyber Security beyond technology: a White Paper write up based upon a webinar hosted by David Clarke – QuoStar Head of Security & CISO, and Chris White – QuoStar Head of Consultancy & the CIO Service in July 2021.

Why is cyber security beyond technology such a hot topic?

Cyber-security is an increasing threat that businesses of all sizes should take seriously. It is a topic that should regularly be on the board's agenda.

A day doesn’t pass without a business being targeted via ransomware, phishing or DDoS attacks – all causing significant disruption to businesses. For some businesses it has been so bad that it’s affected customers and meant closure.

The destructive rise of state sponsored attacks mixed with organised ransom focused crime gangs has changed the threat landscape dramatically.

Most firms are global 24/7, and their assets are mostly digital. The current ransomware situation is dire. Huge due diligence needs to be taken within supply chains now, particularly when working with the government.


We fall like dominoes if we’re not careful

What are the main threats in today's landscape? Due to the technological set up of industries today, the knock-on effect of digital disruption is now very large. For example, the US fuel pipeline issue affecting the entire east coast of America was down to digital disruption. The possible effects of digital disruption have always been there, but now the impact and knock-on effects are massive.

Follow the Swiss Cheese Risk Model

In today's threat landscape, layers of cyber defence need to be in place. Not one or two, but several layers. This is similar to the model used in the aircraft industry: the Swiss Cheese risk model!

When Swiss cheese is sliced it has holes, and that's ok. The problem is when several holes inadvertently line up; applied to security measures, that's when disaster can strike. The force magnification turns a few small risks at lower levels into one large risk.

Clients increasingly want to understand the security measures taken by a business. This in turn means questionnaires, audits and hoops to jump through before business can be conducted. Requirements need to be met.

Unfortunately, due to the increase in cybercrime over the last couple of years, it’s more a case of WHEN it happens than IF it happens.


Prevention is better than cure

Businesses need to start preparing for an attack, rather than preparing to handle one. If you are handling it, it’s too late and the financial damage to deal with it has already been done. The down time caused by having to deal with an attack can cost millions a day potentially. In this case prevention really is better than cure.

The consequence of a breach is not just dealing with the ransomware attack. It may lead to having to rebuild your whole IT infrastructure. You may need to move physical servers, migrate networks or change cloud systems: things that take a huge effort but need to be done in a very short timeframe, days or weeks at most, before you are out of business. The law firm DLA Piper paid 15,000 hours of IT overtime as a result of their attack!

Smaller organisations still face huge financial impacts and disruption to both them and their clients. Firms must take care of client data too. Breaches of that data can impact reputation, as well as run the risk of potential fines and punishment that can escalate rapidly. Regulators, including the ICO are becoming increasingly interested in these types of events.

So, how can we avoid successful attacks? It is much cheaper to get your security layers in there first. The layers don’t need to be expensive, just suitable, with good architecture.


When will they come for you?

It may seem obvious, but most attacks happen when you're most vulnerable, for obvious reasons: particularly during long weekends and bank holidays. So, have a robust plan for how to record a risk, even out of usual hours. Once reported, a risk can at least be managed or monitored from there.

Escalation

It is a real struggle to get this message across to boards. If you’re responsible for security (not just IT but business issues, with IT holding a major stake) have a really robust, easy to use process so anyone can escalate an issue no matter how trivial it is. No, this does not include having to read a 500-page document just to submit a threat.

Stay in touch

A security manager would much rather be called with a minor issue to solve at 3am, than to not be told at all and find out a few days later that there is a huge security breach to deal with and very few options left. Have a robust submitting system. Ideally calling, rather than email, so that someone knows it is being dealt with.

Know all the links in your chain

Supply chains are often the biggest cause of problems. You need to ensure there are correct contacts in place for when issues arise. Who are your contacts? When are they available? Know in advance because you need an immediate handle on things when it hits the fan.

Even in large firms, the demand on digital tech security is not there in the same capacity as it is for physical tech security on a daily basis.


The more the merrier?

Companies tend to worry about the role of security if they have thousands (or tens of thousands) of staff. But in reality, the actual number of calls that come through to security as risks is very low, and 98% of those calls are well worth looking at.

The advantages of cloud vs. on premises

Data centres are highly complex – the building itself must be highly resilient. If you are reliant on one data centre or server room, sooner or later, they will go down. Generally, the cloud takes that risk away.

If done right, moving to the cloud shouldn't be a barrier. But remember, whichever you choose, security isn't a one and done deal. It's a moving target: it needs to be managed, and the risks monitored, all the time.

What are the risks with the cloud?

Are there additional risks in moving to the cloud? And if so, what can we do to mitigate them? The usual objections of moving to the cloud are security. But there is an argument that the cloud provider knows more about security than most businesses do – it’s their bread and butter.

Companies should be working on the basis that, at some stage, they may be hit – and should know what to do if that happens. There needs to be upfront planning and putting procedures in place.


The Regulators are watching

Regulators want us to take due care and attention of our clients' data. That's why breaches cost the company. One of the first questions posed by the UK ICO is: have your staff been trained? Most breach enforcement notices are issued for lack of training or management, as opposed to for the breach itself. This training needs to be demonstrable on an ongoing basis.

A security aware culture starts at the top.

The security aware culture starts at the top. That should be followed by various layers beneath: technology, endpoint protection, patching. The layer around staff is based on awareness and knowledge to mitigate situations, as well as supplier due diligence.

There needs to be upfront planning and procedures put in place. There are philosophical decisions to be made before a security breach happens. You could well experience something that propagates. Your customers could also come under attack. Do you focus resources on protecting customers first or the business?

To best manage cyber-security risks, assume the worst-case scenario in order to avoid any unnecessary surprises – and prepare/plan for it.

Business Continuity has been put to the test

Covid has made us test all major categories of business continuity. A few years ago, we’d test things like ‘building unavailable’. Businesses have been put into the real-life working situation of no building available, no public transport, fewer staff numbers and sick and absent staff. We have been hit with all the major categories of business continuity at the same time.

Businesses have done a phenomenal job to keep going. To keep people working from home.

A shortage of senior cyber-security professionals

However, with a global shortage of senior cyber-security professionals, coupled with the prohibitively expensive costs of retaining a full-time, dedicated expert, many businesses may struggle to access the appropriate level of support required.


QuoStar designed the CISO Service to address this problem

Businesses get access to a dedicated Chief Information Security Officer who will provide senior security leadership and take responsibility for identifying, controlling and managing risk, making sure the business's security posture is strengthened.

Book your free consultation now. Find out more at quostar.com/ciso-as-a-service


This write-up covers aspects of cyber-security, threats, actions to be taken, the risks of moving into the cloud, responsibilities, managing vendors and how to build a security aware culture.

If you’d like to attend one of our live webinars you can see the upcoming events in our calendar.

Get more than basic cyber-security protection


Work towards achieving Cyber Essentials Plus and put in place these 7 security measures.

Want more than basic cyber-security protection for your business? If you already have our 9 Steps to combatting cyber-threats in place and you're Cyber Essentials certified, you've made a good start. But if this is all you have, then for proper security there are still a few more steps you can take to safeguard your business. Cyber-crime is a £1 trillion industry for cyber-criminals.

After getting the basic accreditation, you can work towards achieving Cyber Essentials Plus. This is a similar experience to achieving the basic Cyber Essentials accreditation. The difference is that it deals with security at a higher level and demands more rigorous policies and practices to be in place.

How else can you secure your business?

Cyber Essentials covers a broad range of topics regarding security and so will likely cover most of your basic security needs. But we also have a brief list of some security systems and techniques which are worth looking into. Or, if you’re looking to get the best level of cyber-security we recommend our CISO service.


ISO 27001 ACCREDITATION

ISO 27001 is an internationally recognised certification you can get which proves your cyber-security is at a high level. It can be used as a compelling point for people to choose your business over competitors.


STAFF SECURITY TRAINING

Employees are often considered to be the weakest link in the cyber-security chain. But with regular training, they can become one of the strongest as they are able to spot and prevent threats.


WARM AND HOT STANDBY

Because of the rising cost of an outage, getting systems back online quickly is vital to stop money burning minute by minute. The rise of virtualisation and the cloud has made disaster recovery and business continuity a much simpler and more cost-effective venture than before. It's worth considering.

MULTIPLE CONNECTIONS

With connectivity being so critical to a firm, it’s essential to have backup network and Internet connections to prevent a failed connection from leaving the firm isolated from clients and the wider world. Multiple firewalls and/or routers are also recommended.


SECURING THE LAN

The LAN has previously been left relatively unprotected but it’s now imperative that you secure the internal network to restrict access from undesirable third parties. You also need to secure any wireless or virtual networks to stop a single breach from creating an open door across the entire firm.


MOBILE DEVICE MANAGEMENT (MDM)

Bring Your Own Device (BYOD) is a popular policy, but it’s also dangerous without the correct measures in place. Procedures need to be set up for when a device is lost or stolen or when an employee leaves the company. Don’t adopt BYOD for the sake of it, do it for an important reason. And if employees do need personal devices, look into Choose Your Own Device (CYOD) as a more secure alternative.


DATA LEAK PROTECTION

In order to implement an effective data leak protection policy, you need to really understand what data you have and the risks you face. Only then can you really begin to implement the correct controls. These will vary from sector to sector but should include things like portable encryption, endpoint protection, email content control and intelligent firewalls.


In short, put in place more than basic cyber-security to stay ahead of the game. Stop those cyber-criminals in their tracks with a good level of protection for your business.


Any questions about either of the Cyber Essentials accreditations? Read our FAQ on the subject.

Get more advice on achieving the best levels of cyber-security – contact our team today.