
“There are only two types of companies: Those that have been hacked and those that will be hacked.”
Robert S. Mueller, III, former Director of the FBI and now Special Counsel
By the time he made this comment, it was out of date – it should instead read
“There are only two types of companies: those that have been hacked and those that don’t know they have been hacked.”
Find out about how to protect your business
Your team: your first line of defence
Your team are your greatest resource, without whom literally nothing about your organisational goals would move forward. They are the doers! They are also, by definition, the individuals who see, modify and delete your valuable information. They are your first line of defence against information security risks.
However, they are also one of the key attack vectors for malactors who seek illegal and uncontrolled access to your data through social engineering. These threats include, but are far from limited to:
Threats
DNS spoofing
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver’s
Living Off the Land (LOtL)
Living off the land is a form of cyber attack in which the malactor uses standard software, such as that used by system admins, to identify where they have arrived, on what systems, with which users and with what vulnerabilities. Admin software is typically whitelisted, and it is often run only in memory, an activity which is frequently not logged (although it should be).
These characteristics make such attacks incredibly difficult to detect, identify and resolve.
Phishing
Phishing is a form of social engineering scam in which attackers deceive people into revealing sensitive information or installing malware such as ransomware.
Pretexting
Pretexting is an early stage of more complex social engineering attacks, in which the con artist gains a victim’s trust, typically by creating a convincing backstory.
Spear Phishing
Spear phishing usually involves an attacker who, in impersonating an organization’s IT consultant, sends an email to one or more employees.
Scareware
Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software.
SMS phishing
SMS phishing or Smishing is the term used to describe phishing via the use of SMS text messages.
Spoofing attack
A spoofing attack is a situation in which a person or program successfully identifies as another by falsifying data, to gain an illegitimate advantage.
Vishing
Vishing, or voice phishing, is the use of telephony to conduct phishing attacks. Landline telephone services have traditionally been trustworthy: they terminated in physical locations known to the telephone company and were associated with a bill-payer. VOIP has opened up new opportunities for attackers.
Watering Hole
Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organisation often uses and infects one or more of them with malware.
This is a superficial list of threats in an ever-widening set of threats.
Training
We can provide training directly to your team and work closely with internationally recognised certification organisations to support full certification.
Cyber Essentials
CyberEssentials and CyberEssentials+ are UK data protection standards which focus your business on five technical control themes:
- firewalls
- secure configuration
- user access control
- malware protection
- security update management
These areas, along with the increased use of largely uncontrolled home working environments, are the key areas of technical risk and always fall within the scope of certification.
International Standards
The International Organization for Standardization (ISO) is an international nongovernmental organisation comprising representatives from national standards bodies; it develops and publishes a wide range of proprietary, industrial, and commercial standards.
Because the organisation is global and would therefore have different acronyms in different languages, the founders named it using its short form: ISO.
ISO-27001 is one of the standards of interest to those who take data privacy and data protection seriously. Other important standards in this area include ISO-22301: Business continuity management systems, and ISO-27701: Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management.
ISO-27001
ISO-27001, unlike CyberEssentials, rightly focuses on a whole organisation’s information security by establishing the gap between operational processes and technologies and the best practices represented by the ISO-27001 areas of interest. This gap is documented in the Risk Treatment Plan and addressed via an organisational, ISO-9000-compliant Information Security Management System (ISMS) and supporting real-world changes which directly reflect the context of that organisation – not an idealised, non-real-world company.
The net effect of implementing ISO-27001 and, if you choose, achieving the ISO-27001 certification requirements is that an organisation has achieved the global gold standard for securing information in the context of that organisation. Whilst certification provides a valuable USP and is often required to win contracts, there is no actual requirement to achieve certification. It may simply be enough that your business follows the process and achieves that gold standard for its own internal purposes.
Operational compliance is assessed against this internal standard on an on-going basis and, on occasion, non-conformities are identified. Improvements addressing these are put in place throughout the life of the ISMS, which maintains and improves this high standard of data protection and information security.
ISO-27701
ISO-27701 is a privacy extension to ISO/IEC 27001. It enhances the existing Information Security Management System (ISMS) with requirements to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS), thereby achieving a gold standard in the protection of Personally Identifiable Information – data subjects’ private information – with even greater focus on protecting special category data.
ISO-27701 is intended to be a certifiable extension to ISO/IEC 27001 certifications, so organisations planning to seek an ISO/IEC 27701 certification will also need to have an ISO/IEC 27001 certification. As such it meets all requirements of regulations such as GDPR/UKGDPR Article 32 and associated data protection requirements.
ISO-22301
This standard enables an organisation to fully understand and perfect its readiness for disaster scenarios. These might include loss of premises, or loss of key information assets either through damage or through attack (such as those represented by ransomware).
To achieve this, ISO-22301 focuses risk analysis on:
- Operational planning and control
- Business impact analysis and risk assessment
- Business continuity strategies and solutions
- Business continuity planning and procedures
- Exercising of the planned activities
- Management Review of the process
Like ISO-27001, the organisation’s preparedness is documented in an ISO-9000-compliant management system, which is then used to assess operational performance. This process inevitably leads to improvements being made throughout the life of the BCMS and surrounding processes.