£5,000,000 versus £40,000
Posted by Peter Bassill on 28/01/2019

A significant proportion of company leaders see Cyber Security as their biggest risk. Understanding the importance of good Cyber Security practices is relatively easy; determining how best to implement those practices isn't. That is where sometimes you need an expert.

While it may appear that new technologies are creating new opportunities for hackers to cause damage, the converse is, in fact, the truth. The majority of the attacks seen every day are merely new variations of old ones. The internet is cyclical like that. Organisations must identify where their most significant risks exist, and the data which requires the most protection. One continually evolving risk is Phishing, especially Spear Phishing. Spear Phishing is where individuals, often company executives, are targeted in a manner designed to obtain access to internal information. Spear Phishing is not just an email-based attack, as is often thought. Spear Phishing is performed over the phone, in person and by letter too. It can be rather hard to defend against, and no technology can help.

A new client first came to us after a failed £5 million security initiative. They were sold a lot of point solutions, and it just did not work for them. The problems were numerous for the client: many of the suggested measures did not get implemented, and there was continual resistance from the business. They saw security as a hindrance to performing their jobs. So they brought us in to see if we could turn the initiative into a success.

We started by involving all of the departments in the security journey. We worked with each department to identify what information they used and stored and what parts of the information needed protecting. By understanding what needed protecting at a departmental level, we could use a prioritised approach to security, thus gaining a more comprehensive plan moving forward as well as buy-in.
Our client had already identified Phishing as their biggest concern, so we built an education program around Phishing. We avoided performing Phishing attacks and apportioning blame to those who failed them. Instead, we focused on the positive and celebrated those who spotted the attack. Within three months the success rate had risen from 4% to more than 92%. And because we used a prioritised approach to securing the sensitive information within the client's environment, the information was secured, so the remaining 8% did not pose any increased risk to security.

So what did £40k buy them? That was the cost of a one-year Continual Cyber Assurance program. During the year we delivered many key services:
Scheduled, regular vulnerability assessments
Quarterly external and six monthly internal penetration tests
Review of all their policies, processes and procedures
Security Awareness workshops and lunch time sessions
4 "breakfasts with a hacker" (a kind of show and tell with our pentesters)
For more information on our Continual Cyber Assurance service, you can visit the service pages.