Cyber security measures for mid-sized organisations

To effectively manage cyber risk for mid-sized organisations it is key to establish an effective cyber security strategy. In our blog of the same name, we list some key cyber security measures that mid-sized organisations should deploy in order minimise the level of cyber risk that the organisation is exposed to.

Below we go into more detail about what the cyber security measures do and how they can help your organisation today:

People

The first pillar of an effective cyber security strategy is ensuring people within your organisation know the signs of a cyber attack and the processes instilled to effectively mitigate the effects of a cyber-attack. A Cyber Safety & Phishing service will help to foster a cyber aware culture within the organisation. Most Cyber Safety & Phishing services comprise of a training platform that can be accessed by staff to educate them of the cyber risks they face in their role. Training can be assigned in a schedule to ensure all employees receive the training on a continuous basis. Most platforms will also come with a simulated phishing function. This is an automated email made to look like a phishing attempt to test users to see if they are taking in the education material and can identify the tell-tale signs of a phishing attempt when one lands in their inbox.

Progress can be tracked from a baseline test to show the improvement of the organisations understanding of cyber threats and can be used to prove to stakeholders that people within the organisation take cyber security seriously.

Process

The second pillar of an effective cyber security strategy is ensuring your organisation adheres to information security standards. By adhering to these standards an organisation can reap the rewards of embedded processes and prove to stakeholders that the organisation takes information security seriously, standing out from competitors.

The first stop on the process journey is Cyber Essentials, which is an independently verified self-assessment accreditation. This is the easiest information security standard to achieve and by achieving it encourages the adoption of basic cyber hygiene measures such as administrator controls and multi-factor authentication. Different assessors will offer varying supporting packages, such as time with the auditor to guide the organisation through the question set.

After achieving Cyber Essentials organisations have a three-month window to achieve Cyber Essentials PLUS. This is a certification that requires a technical audit of your systems. It is a technical verification that the measures you self-assessed are in fact in place and working effectively. An auditor will likely need to visit the offices that are in scope – however since lockdown methods have been adapted to allow remote testing – this can be agreed with the assessors ahead of time. According to the DCMS Breach Survey 2022 only 6% of UK business have the Cyber Essentials accreditation and only 1% have the Cyber Essentials PLUS accreditation. So, achieving these standards really does allow an organisation to stand out in the marketplace.

The last and most extensive information security accreditation an organisation can achieve is ISO 27001, which is the internationally recognised information management accreditation. The standard requires the organisation to have anInformation Security Management System in place with relevant policies for information handling, risk management, and privacy. Being an internationally recognized standard, this accreditation comes as a significant benefit for those organisations that deal with stakeholders from outside the UK.  Moreover, whilst ISO27001 is the most extensive certification, it is also often the most appropriate for larger mid-sized corporations that have complex environments that simply cannot always operate the latest Operating Systems as they are not compatible with some of the systems required to operate the business.  The risk-based nature of the standard allows organisations to implement appropriate controls and measures that mitigate and minimise the risk posed by an un-supported operating system or software version, without the necessity to eliminate the information asset from the environment altogether.

norm. assists organisations looking to achieve all of the discussed standards as part of its Compliance Services.

Technology

Technology is the third and final pillar and arguably the biggest in terms of investment, after all it is technology that makes up the systems and networks that we’re trying to protect. Cyber security technology measures should aim to monitor, scan, prevent and test. Below are the technology measures that norm. recommend as a minimum to ensure mid-sized organisations have their bases covered:

Threat Detection & Response (TDR)

Threat detection and response is a monitoring and prevention service. Sensors are deployed on the network, endpoints, or cloud services to monitor traffic and flag any irregularities. The best TDR services come managed and monitored by a 24×7 eyes-on-screen Security Operations Centre (SOC). This consists of a team of trained analysts, who focus on nothing else but investigating alarms, and by being aware of the latest threat actors and intelligence sources, taking mitigation actions to prevent a successful cyber-attack or data leak.

It is important to seek out a TDR service that comes with the support of a SOC – otherwise who will deal with the alarms generated? Typically, this gets left with the IT teams that already have a lot on their to-do lists. A TDR service without the SOC is effectively just Threat Detection service that is left to be monitored and managed internally – whereas the addition of a SOC fulfils the response aspect of the service allowing focus to be concentrated on the important issues – not the noise.

Vulnerability Management

Vulnerability Management is a scanning service, that scans your network, endpoints, and cloud environments and identifies any known vulnerabilities that exist. Once a vulnerability is detected it is evaluated and scored against an industry leading knowledge-base. Each discovered vulnerability is then prioritised according to its criticality and required remediation measures. It is the responsibility of either an internal IT resource or outsourced IT supplier to apply any available patches or apply the recommended system configuration changes to eliminate the vulnerabilities.

Some providers offer a Vulnerability Patch Management service, which along with scanning your network and devices for known vulnerabilities, it also automatically identifies available patches and automatically installs these on any impacted devices. 

It should be noted that this is not a one-time exercise or even a periodic process.  Along with people, technical vulnerabilities are often the greatest source of exploit for would-be attackers.  In much the same way that your people need to be continuously educated, reminded, and tested, the same is true of the systems.  The best services will scan on at least a weekly basis and in the case of end user devices every few hours.  The NCSC recommends that urgent and critical vulnerabilities are patched within 14 days of the patch being made available to minimise the window of opportunity for the vulnerability to be exploited. With this kind of cadence, if not managed properly staying on top of this process can sometimes feel like pushing water uphill.  

Penetration Testing

The testing element of technical cyber security measures comes in the form of penetration testing. It’s important to get external validation to ensure that your defences are working as expected and to discover any chinks in the armour.

A penetration test is when ethical hackers act as a malicious attacker and force entry into your network using common tactics that would be deployed by a malicious actor. The ethical hackers won’t cause any damage or steal data when they are in, but they will report their findings to allow for remediation of the route to entry. Good penetration testing providers will also include a re-test within the scope of works, so once the route to entry has been remediated the ethical hackers will re-test to ensure it has been adequately fixed.

Penetration tests come in three forms, internal, external and webapp. Internal is when the ethical hackers will visit your offices and conduct testing from inside the network, to determine to what extent an attacker or an insider threat could compromise the availability or assets of the organisation once the perimeter controls have been circumvented. External is when the ethical hackers will conduct testing remotely, testing more than just your network configuration by also testing your employees’ resolve by using social engineering attempts. Web app is when the ethical hackers will test a specific application, whether it be a website, a mobile app or an internal browser-based application used by employees.

Penetration tests are a great way to find gaps in your defences. Sometimes, a penetration test is confused for a vulnerability scan.  Often a vulnerability scan is conducted as part of a penetration test to identify the “low-hanging fruit” that the tester could exploit.  A true penetration test will take the output from the scan and seek to exploit any weaknesses found.  The best providers also strive to deliver an outcome by testing the whole environment, and in some cases the physical security as well.  Moreover, organisations should ensure that the scope to be tested is fully completed, not as far as possible within a set number of days, or worse only up to the point that the tester is able to gain access to the environment.  Following the test, the organisation should have a clear understanding of all the risks and opportunities that are available for a real attacker to exploit, or that the business has a clean bill of health, and every aspect has been tested. 

With all that in mind, a word of warning, a penetration test is only as good as the day it is conducted. New vulnerabilities are constantly being discovered and businesses are continually changing set ups and adopting new software which means penetration test reports become outdated quickly. It is important to conduct penetration tests on a regular basis whilst also implementing the other security measures we’ve covered in this article.

Cyber Security Incident Response Team (CSIRT)

While deploying measures across people, process and technology will construct an effective cyber security strategy, it is also important to be able to react swiftly and efficiently if/when the inevitable happens. A Cyber Security Incident Response Team service minimises the impact of a cyber attack or data breach by providing instant access to fully trained cyber and data protection experts when you need it most. Using specialist investigation teams, a CSIRT service will help to analyse, contain, eradicate, and restore in the wake of a cyber attack. A good CSIRT service will also assist with any regulatory compliance considerations of a breach such as handling communication with the local Data Protection Regulatory body, e.g., in the UK, the Information Commissioners Office.

Single managed service

Looking through this article maybe overwhelming when considering what needs to be done and how many controls and services are required to effectively combat cyber risk – but that also tells its own tale about the high level of cyber risk that mid-sized organisations now face.

Procuring and managing these services internally would start to become very expensive, noisy and time consuming. This is why Managed Security Service Providers are starting to appear in the market that will offer all of these as a single managed service. Taking the responsibility of keeping your organisation safe off your desk and onto theirs.

There are several benefits to this:

• As the customer you’d only have to deal with the MSSP, with a clear set of responsibilities, costs, and service outcomes as opposed to multiple security vendors that require their products to be deployed, configured, and tuned to your environment individually, and once up and running the people to drive them.   
• Going down the MSSP route is more cost effective than going it alone. MSSPs already have all of the relationships and infrastructure in place to deliver the one service and pass on those economies of scale and knowledge to their customers.  Typically, the cost of a managed service is about 25%-40% the cost of trying to deploy the equivalent measures in-house
• MSSPs are pure-play cyber security providers. It’s all they do and all they’ll ever do. No split interest, no divided attention. 100% focus on keeping your organisation safe
• They can provide true expertise. Cyber security professionals looking for jobs in the industry are more likely to choose an MSSP to work for. This is because they offer a wealth of experience across all aspects of cyber and have constant exposure to the threats affecting multiple industries and geographies, not just those that may impact your business today,