Cyber Expedite – Insight Series

Insight Series is a collection of exclusive security-related content by industry experts and organisations to keep you informed of current best practices.

When we formed Kontex in 2015, it was born from the frustration we felt having worked in the consultancy industry for some time.

We could see many of the challenges organisations were facing were compounded by the practice of selling more tools, large transformation projects and outsourcing key functions. And really, it just didn’t sit well with us. We wanted to do better. We knew we could prioritise the basics, leveraging organisations’ existing investments and providing the best talent for the challenge at hand. We wanted to create solutions, not problems.

We’re happy to say our vision for Kontex became a reality: our client-centric, engineering-first approach, where the client and the success of the project were our greatest priority, was well received, allowing us to become an extension of their existing security teams and to offer unbiased advice.

Recommended Cyber Expedite Workflow.

3rd Party Review: As one of the top risks and concerns for almost every organisation, it’s critical you understand what 3rd parties you use and their associated risk.

Regardless of the type of service they provide (hosting, processing, support, development), you should have a complete list and understand the exposure if one of these organisations is breached.

We expand on the 12 Steps to Cyber Security from the NCSC with insight provided by industry leaders.

Step 2 – Identify what matters most!

Why should organisations record and identify digital assets in relation to Cyber Security and why is it so important?

It’s crucial to identify and record assets from a security point of view because “You cannot protect what you don’t understand.”

Having an asset inventory allows an organisation to establish a baseline for security controls to be applied, which in turn enables better protection, monitoring, and incident response.

What is the simplest way to start mapping objectives, products, services, processes, people and technology?

Everything starts with an industry aligned cyber assessment of an organisation to understand their maturity level, strengths and weaknesses. This may take the form of an ISO27001, NIST, CIS or Crown Jewels Assessment.

From this a company approved cyber strategy can be developed and implemented with prioritised actions across people, processes and technologies.

How do you start to prioritise what’s important?

The best way to prioritise is to undertake a Crown Jewels Assessment to understand the assets that are of pivotal importance to an organisation. This helps inform the security strategy across the organisation and where to focus most attention.

What would be in your experience some of the key assets that should be recorded and protected first?

Intellectual property is often the lifeblood of a business. Where this has weak or inadequate security controls, it can create a huge risk for the organisation.

Where do organisations start with understanding the risk posed by 3rd parties?

Similar to understanding the assets within your organisation, it is critical to understand the suppliers you are working with and assign a criticality rating against each depending on the level of access they have to your important data. This allows an organisation to put proper third-party governance controls and contractual requirements in place.

What is the best way to start recording assets: is it a manual task, or is there value in purchasing an asset management tool?

It depends on the size and maturity of an organisation. Ultimately an asset register is only as good as how up to date it is. If an organisation can effectively manage and update this in a manual tracker, this is a great place to start and mature towards a centralised asset management tool over time when they have their process well defined and fully operational.

To expand on control for digital assets, would you recommend any external frameworks, standards or online resources?

The Crown Jewels Analysis process provides a repeatable approach to capturing knowledge from organisations, documenting known dependencies, and prioritizing assets based on their criticality to mission.

Where could an employee or team tasked with creating these asset registers find internal information which would be valuable or shorten the process?

There are many information security tools which may already be in place across an organisation to run asset discovery scans to identify assets across your environment to use as a starting point and to keep your asset list up to date. Security Tooling like Anti-Virus scanning or Vulnerability Management software can be a great place to start.

How do companies like Kontex usually assist in helping organisations get started quickly?

At Kontex, we take a unique approach to support organisations leveraging existing toolsets to ensure that they are utilising features which may already be available to them rather than adding additional tooling which unnecessarily takes time and resources away from other security initiatives.

What are the key trends currently in relation to digital assets?

Understanding your data allows you to adopt compliance with data retention and transfer obligations; this is becoming more important with the exponential growth of data. The more data that is created, the greater the demand on security controls to protect that data while it remains in existence.
Good data governance also forms the foundation for implementing Data Loss Prevention and Data Classification initiatives.

What risk would you expect a company to have in relation to digital assets or which ones would you expect them to be managing?

Access controls to your data are a core control that we would expect most organisations to have considered. While organisations may still be immature in their adoption of robust access controls and moving towards a Zero Trust model, basic access controls are an absolute must.

What KPIs should a company be reporting on in relation to digital assets?

Vulnerability Management remediation time for vulnerabilities identified in line with priority rating of the vulnerability.

If you were the CEO, what assurance would you seek from your security or IT teams in relation to the organisation’s digital assets?

The effectiveness of Security Controls in place relevant to the criticality of the assets: a Crown Jewels control-based approach.

What is one of the key risk areas you are helping organisations with currently? Why is it such a key risk for organisations today?

We are helping organisations with their third-party governance from a legal and security point of view where security controls are contractually included in supplier agreements relevant to the level of access they have to organisational assets.

A great deal of breaches nowadays are stemming from third parties. Including security controls which are contractually agreed at the outset sets the tone for the relationship and expectations between the parties over and above your typical third-party questionnaires.

Please note: You can bypass the regular payment by using our chatbot and requesting a free voucher. This will allow you to scope and connect to the featured service provider for free!
