Elevating Cybersecurity: A Story of Standards, Strategy, and Success
In the realm of cybersecurity, achieving and maintaining certifications such as Cyber Essentials and Cyber Essentials Plus is a testament to a company’s dedication to safeguarding its operations and client data against cyber threats. However, what do you do when inheriting a situation where past practices and certifications seem more like wishful thinking than reflections of reality? This was the challenge I faced upon joining a company whose cybersecurity posture was, for lack of a better term, underwhelming. It’s a story not just about meeting standards, but transforming an organization’s security culture and infrastructure from the ground up.
Embarking on a Cybersecurity Odyssey
The task at hand was no small feat: recertifying for Cyber Essentials and Cyber Essentials Plus with a backdrop of historical complacency in cybersecurity practices. It was clear that to not only achieve recertification but also to genuinely uplift our security measures, external expertise was imperative.
Choosing a Good Partner
Having worked with Cyber Security Associates at a previous company, I reached out and partnered with them to achieve our Cyber Essentials and Cyber Essentials Plus certifications. They are an IASME-accredited certification body, so they were in a position to consult on cyber security during the remediation work and then, once we had been brought up to standard, to certify us, making them the ideal partner.
Revamping Technology and Practices
The process highlighted several critical gaps and antiquated practices that needed addressing. Foremost among these was the issue of mobility and security. Many staff members were anchored to desktops that lacked basic security features, such as Trusted Platform Module (TPM) chips, so BitLocker could not bind its keys to the hardware and device encryption could not be deployed in a form that would hold up against a determined adversary with physical access to the disk. This setup not only compromised security but also hindered our flexibility in responding to incidents where physical access to the office was obstructed.
Addressing this, I worked on a project to update all staff devices, transitioning to Dell laptops equipped with Dell USB-C docks. This move not only fortified our security posture with devices capable of effective encryption but also revolutionized our workspace flexibility, enabling staff to work securely from any desk or location.
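As an added example (not code from the original post or from the company), the check below is what I would run against a Windows fleet to confirm that the prerequisite described above is actually met: a TPM that is present and ready, and an operating-system volume whose BitLocker key protectors are TPM-bound rather than password-only. The function name and output property names are my own; it needs the TrustedPlatformModule and BitLocker modules (Windows 10/11 or Server 2016 and later) and an elevated shell.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Audits one Windows device for
# hardware-backed disk encryption readiness. Property names are assumptions.

function Get-EncryptionReadiness {
    [CmdletBinding()]
    param()

    # Get-Tpm throws on hosts with no TPM driver at all, so an exception
    # is treated as "no usable TPM" rather than as a script failure.
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { $tpm = $null }

    # The 1.2 vs 2.0 spec version is only exposed through the WMI class.
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    # Only the operating-system volume matters here: that is the one whose
    # keys must be sealed to the TPM for pre-boot protection to mean anything.
    $osVol = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    $protectors = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        TpmPresent       = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady         = [bool]($tpm -and $tpm.TpmReady)
        TpmSpecVersion   = if ($spec) { ($spec -split ',')[0].Trim() } else { 'n/a' }
        OsVolumeStatus   = $osVol.VolumeStatus
        ProtectionOn     = ($osVol.ProtectionStatus -eq 'On')
        KeyProtectors    = $protectors -join ','
        # The check that matters: a volume is only hardware-bound when one of
        # the TPM protector types (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey)
        # is present. A Password or ExternalKey protector alone is the
        # "encryption without a TPM" situation described above.
        HardwareBoundKey = [bool]($protectors | Where-Object { $_ -like 'Tpm*' })
    }
}

Get-EncryptionReadiness | Format-List
```

To sweep a fleet rather than one machine, the same function body can be pushed over WinRM with `Invoke-Command -ComputerName (Get-Content .\devices.txt) -ScriptBlock ${function:Get-EncryptionReadiness}` and the results piped to `Export-Csv`; any row with `HardwareBoundKey` false or `TpmSpecVersion` below 2.0 is a device that still needs replacing or re-provisioning.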
The company also had gaping holes in its network and systems setup. For example, the computer lab sat on a separate VLAN to prevent potentially infected customer devices from coming into contact with our corporate machines, yet the lab VLAN was fully routable to the production LAN, so the segmentation existed on paper only: a VLAN without a filtering policy at the routing boundary is a labelling exercise, not a security boundary. Also, the Hyper-V host was acting as a Domain Controller and even hosting services such as the ESET Remote Administration Console. To top it all off, that virtual host server was open to the internet, so a single compromise of it would have taken the hypervisor, the directory and the endpoint-protection console down together.
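As an added example (not code from the original post or from the company), these are the two checks I would have used to evidence the findings above and, later, to prove the remediation worked: one run from a machine on the lab VLAN to show whether production is reachable at all, and one run on the virtualisation host to show which roles it carries and how many inbound firewall allows are active on the Public profile. Hostnames, ports and function names are placeholders of my own; `Get-WindowsFeature` requires Windows Server.

```powershell
# Added example, not from the original post. Hostnames and ports are placeholders.

# 1. Is the "isolated" lab VLAN actually isolated? Run FROM a lab-VLAN machine
#    against production hosts. Every row should show Reachable = False; any
#    True means inter-VLAN routing is passing lab traffic into production and
#    the VLAN boundary is cosmetic. A ping that answers while TCP is blocked
#    still shows the route exists and is worth closing.
function Test-LabSegmentation {
    param(
        [Parameter(Mandatory)][string[]]$ProductionHosts,
        [int[]]$Ports = @(445, 3389, 135, 389, 5985)   # SMB, RDP, RPC, LDAP, WinRM
    )
    foreach ($h in $ProductionHosts) {
        foreach ($p in $Ports) {
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                Target    = $h
                Port      = $p
                Reachable = $r.TcpTestSucceeded
                PingOk    = $r.PingSucceeded
            }
        }
    }
}

# 2. Does the Hyper-V host carry roles that belong in VMs, and is it accepting
#    inbound connections on the Public firewall profile? Run ON the host.
function Get-HostRoleExposure {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $cs   = Get-CimInstance Win32_ComputerSystem
    $isDc = $cs.DomainRole -ge 4

    # Installed server roles that should never share a box with the hypervisor.
    $roles = Get-WindowsFeature -Name Hyper-V, AD-Domain-Services, DNS, Web-Server -ErrorAction SilentlyContinue |
             Where-Object { $_.Installed } |
             Select-Object -ExpandProperty Name

    # Enabled inbound allow rules on the Public (or Any) profile are what an
    # internet-facing NIC exposes. Profile is a flags enum, so match its text.
    $publicAllow = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
                   Where-Object { "$($_.Profile)" -match 'Public|Any' } |
                   Select-Object -ExpandProperty DisplayName

    [pscustomobject]@{
        ComputerName        = $cs.Name
        IsDomainController  = $isDc
        InstalledRoles      = @($roles) -join ', '
        # A virtualisation host should have exactly one role: Hyper-V.
        RoleCoLocation      = (@($roles).Count -gt 1) -or $isDc
        PublicInboundAllows = @($publicAllow).Count
    }
}

# Constructed usage; the hostnames do not exist.
Test-LabSegmentation -ProductionHosts 'dc01.corp.example', 'fs01.corp.example' | Format-Table -AutoSize
Get-HostRoleExposure | Format-List
```

The useful property of both checks is that they are repeatable: the same two commands run before and after the firewall policy and role separation go in give a before/after record that a Cyber Essentials Plus assessor can read without having to trust a network diagram.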
We used this opportunity to overhaul our approach to software management and security measures. Implementing patch remediation software across all devices and moving our ESET Remote Administration Console to the cloud-managed service were pivotal steps in improving both our defensive capabilities and our operational efficiency, moving away from the burdensome practice of self-hosting vital services and lowering our attack surface at the same time. We are currently working on decommissioning our on-premises servers and migrating to a fully cloud-based company built on Microsoft 365 and Azure services.
The Serendipitous Effects of Transformation
The impact of these changes went far beyond mere compliance with cybersecurity standards. It brought enhanced protection against cyber threats, improved operational resilience, and elevated staff morale, evidenced by the universal appreciation for the new laptops. Moreover, this transition fostered a culture of collaboration and adaptability, unshackling our team from the constraints of static workstations and enabling a dynamic, responsive working environment.
Equally important, this journey allowed us to reinforce our commitment to customer data protection, showcasing our proactive stance on cybersecurity to our customers.
Looking Ahead: Strengthening Our Cyber Resilience
The path to recertification was not just about ticking boxes; it was a catalyst for a profound transformation within our organization. Building on this momentum, we are now laying the groundwork for a comprehensive Business Continuity & Disaster Recovery Plan. This initiative is aimed at enhancing our readiness and response to potential incidents, ensuring that our operations can withstand and quickly recover from disruptions.
Furthermore, with an eye on the future, we are aspiring to achieve ISO/IEC 27001 certification. This endeavour underscores our commitment to implementing a robust information security management system (ISMS), further securing our clients’ data and fortifying our standing in the cybersecurity landscape.
A Journey of Continuous Improvement
Our journey towards recertification was a testament to the power of collaboration, innovation, and unwavering commitment to cybersecurity excellence. It served as a reminder that certifications are not mere badges of honour but milestones in a continuous journey of improvement and adaptation. As we press forward, our experiences underscore the importance of viewing cybersecurity not as a static target but as an evolving landscape that demands vigilance, innovation, and, above all, a culture of continuous enhancement.