Cyber Health Check Case Study

24 December 2025

Case study

ISO 27001

The challenge

The client required a solid cyber security framework based on requirements and their working budget to mitigate future malware attacks.

The solution

Cyber Health Check

The benefit

Recommendations on implementing security controls as well as identifying and preventing potential malware attacks.

Background

The client is based in Manchester, England. The company suffered a cyber attack that compromised 50,000 customer accounts.

Requirements

The client needed to improve its cyber security posture and get its operations on a sound footing. IT Governance Ltd, a GRC Solutions company, was engaged to help the senior management team develop a strategy for managing cyber security.

The Head of Cyber Consultancy and our account manager held an initial scoping call with the client’s Managing Director to gather details about the attack and to determine the organisation’s requirements.

Following the scoping call, it was decided that, given the relatively low level of security maturity, our Cyber Security Health Check solution would provide the best foundation on which to build a solid cyber security framework, based on the organisation’s requirements and working budget. Subsequently, we prepared a statement of work, which was approved by the client’s CEO. Our consultancy support team made the necessary arrangements and a suitably qualified consultant was assigned to lead the project.

The process

The Cyber Security Health Check service evaluates an organisation’s cyber security risk in the three main areas of people, processes and technology. This baseline audit provides high-level recommendations for how identified risks can be mitigated, and is particularly valuable to organisations that have yet to document and evaluate their risks, vulnerabilities and threat exposure.

Our audit service is based on the following programmes and initiatives: the NCSC’s 10 Steps to Cyber Security, ISO 27001, the CIS Controls, Cyber Essentials and our evaluation of the overall threat level to smaller organisations.

The cyber health check began with a detailed overview of the client’s IT infrastructure and a comprehensive account of the attack.

The Managing Director and several of the functional managers, including the Development, IT, Network and Operations Managers, were interviewed.

The following non-technical, technical and physical areas were covered during the audit:

Non-technical audit

  • Cyber risk governance
  • Cyber risk management
  • Data security
  • Training and awareness
  • Legal
  • Regulatory and contractual requirements
  • Policies and ISMS (information security management system)
  • Business continuity and incident management
  • Secure development
  • Third-party supplier management

Technical audit

  • Hosting
  • Secure configuration
  • Network architecture
  • Managed perimeter controls
    • Firewalls
    • IDS (intrusion detection system)
    • Data exfiltration
  • Anti-malware
  • Access control
  • User privileges
  • Mobile devices
  • Mobile working and removable media
  • Security monitoring

Physical audit

  • Secured perimeter
  • Access control to server rooms, unattended offices, and filing cabinets

Our recommendations

During the Cyber Security Health Check, all existing and potential issues were identified and a summary report of findings and recommendations was prepared. The recommendations are listed below.

Non-technical recommendations

  • Assign accountability and responsibility for security to an individual or individuals.
  • Compile a high-level risk register.
  • Develop a suitable risk management framework.
  • Conduct a risk assessment of assets at regular intervals.
  • Provide security awareness training to all staff upon induction and communicate security updates at regular intervals.
  • Comply with the GDPR (General Data Protection Regulation).
  • Carry out third-party supplier risk assessments.

Technical recommendations

  • Document and communicate an incident management process.
  • Document incident response plans for different scenarios.
  • Purchase and deploy a suitable internal firewall (hardware or software).
  • Document and implement a patching policy for all hardware and software applications.
  • Check that the antivirus is up to date on all devices.
  • Introduce RBAC (role-based access control) for applications.
  • Document and review user access for all applications.
  • Encrypt all mobile devices and removable media.

Physical security recommendations

  • Apply security controls where applicable.
  • Implement a clear desk and clear screen policy.
  • Secure unattended offices, server rooms and filing cabinets.
  • Encrypt all data in storage and transit.

Other high-level recommendations

  • Consider implementing ISO 27001 and Cyber Essentials.
  • Conduct regular penetration testing.

The outcome

The client implemented the report’s recommendations over a 12-week period. As a result, the client has been able to detect and prevent potential malware attacks.

The solution

GRC Solutions can help you identify your weakest security areas and take appropriate action by following practical recommendations.

Assess your cyber risk exposure and identify a practical route to minimise your risks with our four-phase cyber health check, combining:

  • On-site governance and information security management audit.
  • Technical cyber security control assessments.
  • Vulnerability scans.
  • Online staff survey.

Learn how a Cyber Security Health Check can provide a high-level overview of your organisation’s cyber risks and the areas that require attention.

To find out more, speak to one of our experts today. Simply call us on +44 (0)333 800 7000 or request a call back.

Why choose GRC Solutions?

GRC Solutions has more than 20 years’ experience helping organisations get their cyber security right, working with boards and senior managers in large and small businesses to identify and manage cyber risks in line with the organisation’s risk appetite and commercial business drivers.

  • Access an experienced, dedicated technical team who will work with you and your business objectives.
  • Our experts have in-depth knowledge of cyber security requirements and laws, ranging from the PCI DSS to ISO 27001, Cyber Essentials, NIST Cybersecurity Framework, the GDPR and the NIS Regulations.
  • IT Governance is a CREST-certified ethical security testing organisation, a PCI QSA company, and an accredited certification body for both Cyber Essentials and Cyber Essentials Plus.
  • We’ve helped more than 600 organisations comply with or obtain certification to the world’s leading information security standard, ISO 27001.
  • We offer the broadest and most extensive range of cyber security products in the UK.
  • Our tools, books and training courses are preferred by more than 15,000 organisations.
  • Our sister company, GRCI Law, enables us to uniquely integrate cyber security advice with extensive legal expertise. This means we can also help you plan for full GDPR compliance.