Could You Boost Your Cybersecurity With Blockchain?

Posted on : 28-11-2017 | By : Tom Loxley | In : Blockchain, Cloud, compliance, Cyber Security, Data, data security, DLT, GDPR, Innovation


Securing your data, the smart way

 

The implications of blockchain technology are being felt across many industries; in fact, the disruptive effect it’s having on Financial Services is changing the fundamental ways we bank and trade. Its presence is also impacting Defence, Business Services, Logistics, Retail and more: the applications seem endless, although not all blockchain applications are practical or worth pursuing. Like all things which have genuine potential and value, they are accompanied by the buzzwords, trends and fads that undermine them as many try to jump on the bandwagon and cash in on the hype.

However, one area where tangible progress is being made and where blockchain technology can add real value is in the domain of cybersecurity and in particular data security.

Your personal information and data are valuable, and therefore worth stealing and worth protecting, and many criminals are working hard to exploit this. In the late 90s data collection began to ramp up with the popularity of the internet, and now the hoarding of our personal and professional data has reached fever pitch. We live in the age of information and information is power. It directly translates to value in the digital world.

However, some organisations both public sector and private sector alike have dealt with our information in such a flippant and negligent way that they don’t even know what they hold, how much they have, where or how they have it stored.

Lists of our information are emailed to multiple people on spreadsheets, downloaded and saved on to desktops, copied, chopped, pasted, formatted into different document types, then uploaded on to cloud storage systems, then duplicated in CRMs (customer relationship management systems) and so on… are you lost yet? Well, so is your information.

This negligence doesn’t happen with any malice or negative intent, but simply through a lack of awareness and a lack of process or procedure around data governance (or a failure to implement what process and procedure do exist).

Human nature dictates we take the easiest route. Combine this with deadlines needing to be met and a reluctance to delete anything in case we may need it later, and we end up with information being continually copied, replicated and stored in every nook and cranny of hard drives, networks and clouds until we don’t know what is where anymore. As if this wasn’t bad enough, it also makes this information nearly impossible to secure.

In fact, for most, it’s just easier to buy more space in your cloud or buy a bigger hard drive than it is to maintain a clean, data-efficient network.

Big budgets aren’t the key to securing data either. Equifax is still hurting from an immense cybersecurity breach earlier this year. During the breach, cybercriminals accessed the personal data of approximately 143 million U.S. Equifax consumers. Equifax isn’t the only one; if I were able to list all the serious data breaches over the last year or two you’d end up both scarred by and bored with the sheer amount. The scale makes this hard to comprehend: the amounts of money criminals have ransomed out of companies and individuals, the amount of data stolen, even the number of companies who’ve been breached. The numbers are huge and growing.

So it’s no surprise that anything in the tech world that can vastly aid cybersecurity and in particular securing information is going to be in pretty high demand.

Enter blockchain technology

 

The beauty of a blockchain is that it kills two birds with one stone, controlled security and order.

Blockchains provide immense benefits when it comes to securing our data (the blockchain technology that underpins the cryptocurrency Bitcoin has never been breached since its inception over 8 years ago).

Blockchains store their data on an immutable record, which means that once the data is stored it’s not going anywhere. Each block (or piece of information) is cryptographically chained to the next block in chronological order. Multiple copies of the blockchain are distributed across a number of computers (or nodes), and if an attempted change is made anywhere on the blockchain all the nodes become aware of it.

For a new block of data to be added, there must be a consensus amongst the other nodes (on a private blockchain the number of nodes is up to you). This means that once information is stored on the blockchain, in order to change or steal it you would have to reverse engineer near unbreakable cryptography (perhaps hundreds of times, depending on how many other blocks of information were stored after it), then do that on every other node that holds a copy of the blockchain.

That means that when you store information on a blockchain it is all transparently monitored and recorded. Another benefit of using blockchains for data security is that private blockchains are permissioned, so accountability and responsibility are enforced by definition, and in my experience when people become accountable for what they do they tend to care a lot more about how they do it.
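As an added illustration (not code from this post, nor from Gospel Technology), a minimal hash-chained ledger in Python shows the two properties described above: a naive edit to a stored record breaks the editing node’s own chain, and an edit that carefully recomputes every later hash still leaves that node out of step with the other copies. The records and the three-node setup are constructed for the example.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # the first block links back to an all-zero placeholder


@dataclass
class Block:
    index: int
    data: str
    prev_hash: str  # digest of the previous block: the cryptographic "chain"
    digest: str     # SHA-256 over this block's own index, data and prev_hash


def block_hash(index: int, data: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always hash identically
    payload = json.dumps({"i": index, "d": data, "p": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain: list, data: str) -> Block:
    prev_hash = chain[-1].digest if chain else GENESIS_PREV
    block = Block(len(chain), data, prev_hash, block_hash(len(chain), data, prev_hash))
    chain.append(block)
    return block


def first_invalid_block(chain: list):
    """Index of the first block whose stored digest or back-link no longer checks out, or None."""
    expected_prev = GENESIS_PREV
    for b in chain:
        if b.prev_hash != expected_prev or b.digest != block_hash(b.index, b.data, b.prev_hash):
            return b.index
        expected_prev = b.digest
    return None


def rewrite_from(chain: list, index: int, new_data: str) -> None:
    """Alter one record and recompute every digest after it on a single node's copy.
    This is the work the post describes as 'reverse engineering' each later block."""
    chain[index].data = new_data
    for i in range(index, len(chain)):
        chain[i].prev_hash = chain[i - 1].digest if i else GENESIS_PREV
        chain[i].digest = block_hash(i, chain[i].data, chain[i].prev_hash)


def nodes_out_of_consensus(nodes: list) -> list:
    """Indices of node copies whose tip digest differs from the majority tip."""
    tips = [copy_[-1].digest for copy_ in nodes]
    majority_tip = Counter(tips).most_common(1)[0][0]
    return [i for i, tip in enumerate(tips) if tip != majority_tip]


def build_sample_chain() -> list:
    # Constructed sample records; not real customer data
    chain = []
    for record in ("customer 1001 created",
                   "customer 1001 address changed",
                   "customer 1001 record exported"):
        append_block(chain, record)
    return chain


def demo() -> dict:
    nodes = [build_sample_chain() for _ in range(3)]  # three independent copies of the ledger

    # Case 1: a naive edit on node 1 breaks that node's own chain at the edited block
    nodes[1][1].data = "customer 1001 deleted"
    naive_break = first_invalid_block(nodes[1])

    # Case 2: a careful rewrite on node 2 recomputes every later digest, so its own
    # chain verifies locally...
    rewrite_from(nodes[2], 1, "customer 1001 deleted")
    careful_local = first_invalid_block(nodes[2])

    # ...but the other copies still hold the original tip, so node 2 is outvoted
    nodes[1] = build_sample_chain()  # node 1 restored from an honest peer
    disagreeing = nodes_out_of_consensus(nodes)

    return {"naive_break": naive_break, "careful_local": careful_local, "disagreeing": disagreeing}


if __name__ == "__main__":
    print(demo())  # {'naive_break': 1, 'careful_local': None, 'disagreeing': [2]}
```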

One company that has taken the initiative in this space is Gospel Technology. Gospel Technology has taken the security of data a step further than simply storing information on a blockchain, they have added another clever layer of security that further enables the safe transfer of information to those who do not have access to the blockchain. This makes it perfect for dealing with third parties or those within organisations who don’t hold permissioned access to the blockchain but need certain files.

One of the issues with blockchains is the user interface. It’s not always pretty or intuitive, but Gospel has also taken care of this with a simple and elegant platform that makes data security easy for the end user. The company describes their product Gospel® as an enterprise-grade security platform, underpinned by blockchain, that enables data to be accessed and tracked with absolute trust and security.

The applications for Gospel are many and it seems that in the current environment this kind of solution is a growing requirement for organisations across many industries, especially with the new regulatory implications of GDPR coming to the fore and the financial penalties for breaching it.

From our point of view as a consultancy in the Cyber Security space, we see the genuine concern and need for clarity, understanding and assurance among our clients and the organisations that we speak to on a daily basis. The realisation that data and cyber security can no longer be taken lightly has begun to hit home. The issue for most businesses is that there are so many solutions out there it’s hard to know what to choose, and so many threats that trying to stay on top of them without dedicated staff is nearly impossible. However, the good news is that there are good quality solutions out there, and with a little effort and guidance and a considered approach to your organisation’s security you can turn back the tide on data security and protect your organisation well.

GDPR & Cyber-threats – How exposed is your business?

Posted on : 28-11-2017 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, Data, data security, GDPR


With the looming deadline approaching for the ICO enforcement of GDPR it’s not surprising that we are increasingly being asked by our clients to assist in helping them assess the current threats to their organisation from a data security perspective. Cybersecurity has been a core part of our services portfolio for some years now and it continues to become more prevalent in the current threat landscape, as attacks increase and new legislation (with potentially crippling fines) becomes a reality.

However, the good news is that with some advice, guidance, consideration and a little effort, most organisations will find it easy enough to comply with GDPR and to protect themselves well against the current and emerging threats out there.

The question of measuring an organisation’s threat exposure is not easy. There are many angles and techniques that companies can take, from assessing processes, audit requirements, regulatory posture, perimeter defence mechanisms, end-user computing controls, network access and so on.

The reality is, companies often select the approach that suits their current operating model, or if independent, one which is aligned with their technology or methodology bias. In 99% of cases, what these assessment approaches have in common is that they address a subset of the problem.

At Broadgate, we take a very different approach. It starts with two very simple guiding principles:

  1. What are the most critical data and digital assets that your company needs to protect?
  2. How do your board members assess, measure and quantify security risks?

Our methodology applies a top-down lens over these questions and then looks at the various inputs into them. We also consider the threats in real-world terms, discarding the “FUD” (Fear, Uncertainty and Doubt) that many service providers use to embed solutions and drive revenue, often against the real needs of clients.

Some of the principles of our methodology are:

  • Top Down – we start with the boardroom. As the requirements to understand, act and report on breaches within a company become more robust, it is the board/C-level executives who need the data on which to make informed decisions.
  • Traceability – any methodology should have a common grounding to position it and also to allow for comparison against the market. Everything we assess can be traced back to industry terminology from top to bottom whilst maintaining a vocabulary that resonates in the boardroom.
  • Risk Driven – to conduct a proper assessment of an organisation’s exposure to security breaches, it is vital that companies accurately understand the various aspects of their business profile and the potential origin of threats, both internal and external. For a thorough assessment, organisations need to consider the likelihood and impact from various data angles, including regulatory position, industry vertical, threat trends and of course the board members themselves (as attacks are more and more personal by nature). Our methodology takes these, and many other aspects, into consideration and applies a value at risk, which allows for focused remediation plans and development of strategic security roadmaps.
  • Maturity Based – we map the key security standards and frameworks, such as GDPR, ISO 27001/2, SANS 20, Cyber Essentials etc. from the top level through to the mechanics of implementation. We then present these in a non-technical, business language so that there is a very clear common understanding of where compromises may exist and also the current maturity level. This is a vital part of our approach which many assessments do not cover, often choosing instead to present a simple black and white picture.
  • Technology Best Fit – the commercial success of the technology security market has led to a myriad of vendors plying their wares. Navigating this landscape is very difficult, particularly understanding the different approaches to prevention, detection and response.

At Broadgate, we have spent years looking into which technologies are the best fit to mitigate the threats of a cyber-attack or data breach, and this experience forms a cornerstone of our methodology. Your business can also benefit from our V-CISO service to ensure you get an executive level of expertise, leadership and management to lead your organisation’s security. Our mantra is “The Business of Technology”. This applies to all of our products and services, and never more so than when it comes to really assessing the risks in the security space.

If you would like to explore our approach in more detail, and how it might benefit your company, please contact me at john.vincent@broadgateconsultants.com.

Why Company Boards must take Cyber Security out of the too difficult pile!

Posted on : 27-11-2015 | By : Jack.Rawden | In : Cyber Security


Lady Barbara Judge was recently quoted as saying that the “whole issue of cyber security is so overwhelming to boards that they often put it in the ‘too difficult’ category”.

A recent survey of the UK’s FTSE350 companies showed that although companies are worried about cyber security, about a quarter of them fail to take any action. In the age of a growing cyber security threat landscape and the resulting rise in litigation, this is a risk that boards can no longer afford to ignore!

So what are the reasons for this complacency? The FT/ICSA Boardroom Bellwether survey found that companies simply feel they have bigger fish to fry and there are more important risks to be concerned about. Politics and the debate about the UK leaving the EU, together with litigation, were considered more critical risk factors. Is this because, fundamentally, as Lady Judge said, boards often lack the knowledge to understand the cyber threat and all that it entails?

Cyber security is seen as a buzzword associated with scaremongering and not a reality. Members of boards are baffled by cyber threat terminology, not understanding the IT language in which cyber security is often communicated. In the cases where directors do accept that a cyber attack is likely to happen, they think that financially they can afford to “take the hit”. However, with the increasing litigation over cyber security breaches, and the fact that litigation generally is high on their risk list, companies will be forced to take a more proactive approach to their information security.

UK companies are governed by the UK Corporate Governance Code, which states that directors are expected to assess and mitigate the principal risks facing the company, with UK listed firms required to make a statement to this effect in their Annual Company Report. Although this is not legally binding, Institutional Shareholder Services can recommend, under extraordinary circumstances, a vote against individual directors for material failures of governance, stewardship or risk oversight.

After the Target breach in the US the CIO and CEO resigned as a result of public and shareholder pressure. Whilst most litigation resulting from a cyber attack has been in the US, it is only a matter of time before we see a significant case in the UK. This shows us that shareholders are not afraid to scrutinise company directors and the board for their role in not taking adequate steps to protect their information and prevent the damage.

Litigation in the UK until now has been rare, the main reason being the difficulty in establishing the nature and extent of financial loss in the aftermath of a breach. However, in the case of Google v Vidal-Hall earlier this year the court found that the claimants could claim for distress without having to prove pecuniary loss. This has greatly increased the scope for compensation claims in the future.

Regulators are also keen to be seen to be taking tougher action on data loss, with fines from the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) on the increase. At the moment the ICO has the ability to set fines of up to £500,000. When the EU Data Protection Regulation comes into force we will see fines of up to 5% of annual worldwide turnover or 100M Euros, whichever is the greater.

Directors in the UK are under increasing pressure to account for any failures of their company’s data protection policies. They must reassess their duties to exercise reasonable skill and care to mitigate the principal risks to their business. This now means reviewing their information security risks, protecting their most critical information and putting robust plans in place to deal with a breach when it happens!

To find out how Broadgate might assist with this, please visit our Assurity page. We specialise in working with boards to identify their key cyber security risks and how to protect against them.

Caveat Emptor: The impact of poor cyber security in mergers & acquisitions

Posted on : 30-09-2015 | By : richard.gale | In : Cyber Security


The Ashley Madison breach is now infamous in the world of cyber security as a stark warning of what can happen when hackers get hold of your data. The fallout from this incident has been far reaching, resulting in a failed IPO attempt to list on the London Stock Exchange and multi-million dollar class action lawsuits. US retailer Target suffered another high profile breach where costs are said to have reached over $160 million and traffic to its site dropped by 23% over the following year. We can see how a breach can have a major impact on company financials in terms of profit and reputational damage. How would you feel if you were a new shareholder in Ashley Madison or your company had recently acquired Target?!

Cyber security should be part of any company risk profile and the M&A sector is no exception. However, more often than not this is not the case. The prime purpose of a merger or acquisition is for the acquiring company to make a return on investment or add value to the existing company. As cyber security can have a major financial impact it must be seen as a key risk indicator in the due diligence process.

It wasn’t that long ago that mergers and acquisition deals were conducted in a paper-based room, secured and locked down to only those with permitted access. These days the process has moved on and is now mostly online, with the secure virtual data room being the norm. Awareness of cyber security in the information gathering part of the deal making process is well established. It is the awareness of, and need to look at, the cyber security of the target company itself that needs to be addressed. Technology due diligence is carried out, but tends to focus on system compatibility and integration alone.

A study published by law firm Freshfields Bruckhaus Deringer found that 78% of global respondents did not think that cyber security was analysed in great depth as part of the M&A due diligence process, despite the fact that two thirds said that a cyber incident during the deal, or discovery of a past breach during due diligence, would significantly impact the transaction.

Acquiring deal makers must assess the cyber risk of an organisation in the same way that they would assess overall financial risk. Due diligence is all about establishing the potential liabilities of the company you are taking on. According to the Verizon Data Breach survey it takes an average of 205 days to discover a breach. Often companies are breached without ever knowing. It is therefore crucial to look at the cyber risk not just in terms of whether they have been breached, but what the likelihood and impact of a breach are. An acquisition target company that looks good at the time of closing the deal may not look quite so good a few months later.

The main reason for this lack of importance given to the cyber threat is that M&A teams find it hard to quantify the cyber risk, particularly given the time pressures involved. A cyber risk assessment at the M&A stage is crucial if the acquiring company wants to protect its investment. The ability to carry out this assessment and to quantify the business impact of a likely cyber breach with a monetary value is invaluable to deal makers. Broadgate’s ASSURITY Assessment provides this information in a concise, value-specific way, using business language to measure risks, likelihood and cost of resolution.

Conclusion

A cyber security assessment should be part of every M&A due diligence process. If you don’t know what you are acquiring in terms of intellectual property and cyber risk, how can you possibly know the true value of what you are acquiring!

It is also crucial for all prospective sellers to demonstrate a serious, proactive, planned approach to cyber security when attempting to achieve the best price for their business.

Is your small business the next target for hackers?

Posted on : 28-08-2015 | By : kerry.housley | In : Cyber Security


Cyber attacks make great headlines, but behind the headlines are the real stories affecting real businesses. The fact is that small and medium-sized companies are increasingly more likely to be targeted than their larger counterparts. SMEs are now considered the biggest target in the cyber threat landscape.

There are many reasons for this. Smaller companies don’t think that they have anything of interest to hackers: “why would anybody want to attack us, we don’t have anything to steal”. They couldn’t be more wrong; even if they don’t have any information which is of interest in its own right, they may well provide a way into a larger organisation in their supply chain.

Some worrying statistics are emerging which show hackers are specifically targeting smaller companies as they do not have the budget for people or technology to protect themselves. Key risks for smaller firms are:

  • Lack of security policies and controls
  • Low levels of knowledge of potential threats and methods to combat
  • Small or no budget allocated to cyber protection
  • Outdated technology and update procedures
  • ‘Ostrich’ approach to risk assuming it will happen to someone else

The impact of a cyber attack on an SME can be disproportionate to its size. Larger companies can absorb relatively large losses well and can call on external help to resolve them; Sony’s breach in the end was estimated at £35m, which had negligible impact on a multi-billion dollar organisation. For smaller firms, any loss (whether cyber or other fraud) can put them out of business if it impacts cash flow, and could result in the loss of major clients if they are part of a larger firm’s supply chain.

It is crucial to understand that information assets are more valuable than you might think. Although larger enterprises now appear to be taking steps to protect their organisations, many do not look to their partners and vendors, so they too are guilty of not understanding the effect on the supply chain. There is no point in pulling out all the stops internally to protect information assets if the companies that you do business with are not doing the same.

Many commentators have described SMEs as the Achilles heel of the business world, which will result in devastating financial consequences if they do not take appropriate action to protect their information assets. The UK Government Information Security Breaches Survey 2015 found that 74% of SMEs reported that they had suffered an information security breach. It also found that severe attacks can now cost up to £300k+ for a smaller business. This would put many smaller companies out of business, as they couldn’t afford to take a hit this big.

In response to this threat the UK government has launched a number of initiatives designed to help SMEs understand the cyber security issues that they face. 2014 saw the launch of the Cyber Essentials Scheme, which is designed to be a much simpler way for businesses to take steps to limit their risk of a breach. Most recently, in July, a voucher scheme was set up which enables SMEs to apply for a maximum of £5000 to fund specialist advice from information security specialists that they otherwise would not be able to afford. These initiatives are designed to increase the resilience of the UK business community to cyber attack. Ed Vaizey, the digital economy minister, has said “We want to protect UK business against cyber attack and make the UK the safest place in the world to do business online.”

It is imperative that all businesses of any size understand the cyber threat and the effect this has on their entire supply chain network. Always know who you are doing business with and take steps to ensure you know how they are protecting your information assets.

In addition to assisting many ‘blue chip’ clients we also provide information risk assurance to smaller organisations. Often this can be quickly assessed with our ASSURITY product. Please do get in contact if you need some advice.

Kerry Housley

Kerry.Housley@broadgateconsultants.com

 

Broadgate’s ASSURITY: Calculate your security exposure

Posted on : 30-07-2015 | By : admin | In : Cyber Security, Innovation


Broadgate are pleased to announce the launch of our security assessment product, ASSURITY.

Over the years we’ve helped our clients address the increasing security challenges and protect their digital assets. Our experience during this time was that there is a need for a more business-focused approach, so we developed our own assessment methodology, which we have now officially launched as a product.

So how can ASSURITY help?

Like it or not, dealing with the threat of data breaches is part of modern business. Not only that, it is now a board level agenda item, with corporate executives being held accountable. Currently, European law makers are engaged in the lengthy process of approving the new European General Data Protection Regulation. There are still variations to be agreed upon, but when it comes to potential fines to be imposed for data breaches the upper end stands at €100 million or 5% of company revenue.

It also states that:

 “if feasible” companies should report a data breach within 24 hours of detection… and “where a data breach has occurred, the organization has to notify all those affected unless it can prove that data is unreadable by anyone not authorized to access it”

Against this backdrop, it becomes even more important that executives really understand their current risk exposure and can quantify the impact and likelihood of an event.

The ASSURITY product addresses three key challenges facing us today:

1) Understanding your business critical assets

2) Calculating your risk exposure

3) Prioritising areas requiring focus and investment

The product is differentiated against other offerings through not only the comprehensive inputs and modelling, but also by providing quantitative analysis in the form of a Cyber Value at Risk.

 

ASSURITY leads organisations through a three step process, as outlined below:

[Figure: Assurity assessment methodology]

Step 01

We profile the organisation from many different data points. This is a critical part of the process, as it allows for a more meaningful assessment of the actual risk. C-level executives can use the product to inform their change programme and investment decisions. It is an iterative approach during which the relative weightings for each criterion are reviewed and discussed with the client to understand carefully the business risk appetite.

Step 02

The assessment is conducted by ingesting a number of different sources from documented artefacts, processes, data and technology into the Assurity product. From this we can assess the current maturity level, a quantified risk level, the potential impact to an organisation of a data breach or security event and also the likelihood of it occurring.

Step 03

The results of the assessment are presented in a form which clearly shows the focus areas for investment or change, and where the organisation is already protected at the appropriate level. We map the results to the GCHQ 10 Steps for security and translate them into language which allows C-level executives to make informed decisions.

What are the benefits of ASSURITY?

1) Information security assurance – Demonstrating to your clients, suppliers, regulators, shareholders and insurers

2) Optimising security budgets – Avoiding unnecessary investments typically results in a 30% reduction in redundant operational security expenditure, support and maintenance

3) Qualified cyber value at risk – Financial value of corporate assets at risk is defined for input into broader business risk modelling

4) Improved compliance – Security health check defines current information security level

 

In the ASSURITY report, we focus on four main areas:

 

Cyber At Risk Score

The Cyber At Risk Score takes a number of internal and external feeds to create a value from which organisations can have a more informed discussion regarding the likelihood of a security breach. We use this across the product to help quantify the impacts against the profile of the organisation.

Gap Analysis against Target Maturity

During the profiling stage we determine the appropriate maturity benchmark for the organisation. This can be based on the internal risk appetite, industry average or other determining factors, and is used to identify shortfalls and strengths and to focus attention and investment.

Maturity Assessment Heatmap

Here we plot the scores from 10 assessment areas against the likelihood and impact of an event. Importantly, we also assign a quantified value at risk, which we have determined through the profiling exercise and the current maturity level. This allows C-level executives to target and prioritise the investment areas.

Strategic Roadmap

The output from the ASSURITY product also forms the basis for the required change programme. We split the initiatives into Quick Wins which have the most immediate impact or target the most vulnerable areas. We also provide the long term remediation plan and ongoing continuous improvement projects to meet the required target baseline.

 

The ASSURITY product differentiates from other methodologies by being the most complete and accurate assessment that organisations can undertake to really understand their security risk exposure.

If you would like to find out more about the product and to arrange a demo, please contact jo.rose@broadgateconsultants.com or call +44(0)203 326 8000 to speak to one of our security consultants.

 

ASSURITY: Cyber Value at Risk calculations

Posted on : 30-07-2015 | By : richard.gale | In : Cyber Security, Innovation


If the assumption that cyber attacks are inevitable is true, then what can you do? One approach is to pour unlimited amounts of money into the black hole of IT security. Another, more sensible, approach would be risk based: predicting the likelihood, the form and the cost of an attack and weighing it against the cost of avoidance or mitigation.

Our ASSURITY Information Risk Assessment calculates the Cyber Value at Risk (CVaR) based on a number of criteria including industry, size, profile, interface, level of regulation and a number of other factors. What it provides is the hard facts and costs that company directors demand to ensure they are obtaining value from their information security investments and that the investment is directed to the right places.

Building a credible method of estimating and quantifying risk is essential to the process of risk management. The very public breaches at Sony, Target and Ashley Madison mask the multitude that do not make the press. In the UK there is little incentive to highlight a breach, but new legislation will change that for organisations in the next year. So, given that cyber attacks are “inevitable”, how can the economic impact be calculated for a particular organisation?

The World Economic Forum recently released its report “Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats”, which calls for the application of VaR modelling techniques to cyber security. The report describes the characteristics a good cyber-oriented economic risk model should have, but it doesn’t specify any particular model. Here, we consider the concept of “value at risk”, what it means, how it can be applied to cyber, and describe how a CVaR model is implemented in our ASSURITY product.

At Broadgate we have carried out a significant number of security assessments, so we can draw on that data and supplement it with simulated information based on a set of assumptions and factors related to an organisation. We use the VaR knowledge from the financial markets to build out Cyber VaR, mapping the financial concepts onto their cyber equivalents:

  • Assets – these are the network infrastructure of an organisation
  • Values – these are the loss potential of service disruption, intellectual property, compliance failures etc. located in the assets
  • Market changes – increases and decreases in the incidence of attacks and their effectiveness

Using this data and historic information the CVaR can be calculated with growing certainty, and so the risks and costs of an attack can be computed with confidence. The challenges are modelling the network, the values and the market changes!
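To make the three components concrete, here is an added toy Monte Carlo CVaR calculation written for this article; it is not ASSURITY’s model, and the sample assets, breach probabilities, the "market factor" scaling and the uniform severity draw are all constructed assumptions.

```python
import random
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    loss_if_breached: float    # "value": worst-case loss held in the asset (GBP, assumed)
    annual_breach_prob: float  # base likelihood of a successful attack per year (assumed)


# Constructed sample portfolio; every figure is an assumption, not client data.
SAMPLE_ASSETS = [
    Asset("customer database", 2_000_000, 0.10),
    Asset("payment gateway", 5_000_000, 0.05),
    Asset("internal file share", 300_000, 0.30),
]


def simulate_annual_losses(assets, years, market_factor=1.0, seed=0):
    """Total loss per simulated year. market_factor scales every breach
    probability (the "market change" term); severity is drawn uniformly
    between 25% and 100% of the asset value (a modelling assumption)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for a in assets:
            if rng.random() < min(1.0, a.annual_breach_prob * market_factor):
                total += a.loss_if_breached * rng.uniform(0.25, 1.0)
        losses.append(total)
    return losses


def value_at_risk(losses, confidence=0.95):
    """Empirical VaR: the annual loss not exceeded in `confidence` of years."""
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(confidence * len(ordered)))]


def expected_annual_loss(assets, market_factor=1.0):
    """Closed-form mean loss under the same assumptions (mean severity 0.625)."""
    return sum(min(1.0, a.annual_breach_prob * market_factor) * a.loss_if_breached * 0.625
               for a in assets)


def cvar_report(assets=SAMPLE_ASSETS, years=20_000, market_factor=1.0, seed=0):
    # Mean loss is what a budget "expects"; CVaR at 95%/99% is the tail a board must fund.
    losses = simulate_annual_losses(assets, years, market_factor, seed)
    return {"simulated_mean": sum(losses) / years,
            "analytic_mean": expected_annual_loss(assets, market_factor),
            "cvar_95": value_at_risk(losses, 0.95),
            "cvar_99": value_at_risk(losses, 0.99)}
```

Re-running `cvar_report` with a larger `market_factor` shows how a rise in attack incidence moves the tail loss far more than the mean, which is the point of quoting CVaR rather than an average.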

So why does CVaR matter? Cyber security, like most control mechanisms, comes down to risk management. Risk management needs real information and figures in order to be useful to a business. Without them it is just guesswork, which can end up with focus on the wrong areas, resulting in overspending and gaps in defences.

Different organisations, sectors and organisational profiles have differing risk profiles and exposures. Companies also have different risk appetites (which change at different stages of their development). So understanding YOUR Cyber Value at Risk is a significant tool in understanding the risks to your organisation, the potential losses and how to focus your cyber investment. Broadgate’s ASSURITY product can help articulate the risks, the costs and the best path to resolution.

The ASSURITY product differentiates from other methodologies by being the most complete and accurate assessment that organisations can undertake to really understand their security risk exposure.

If you would like to find out more about the product and to arrange a demo, please contact jo.rose@broadgateconsultants.com or call +44(0)203 326 8000 to speak to one of our security consultants.


NEW Broadgate Product Launch: “Assurity”

Posted on : 30-06-2015 | By : john.vincent | In : Cyber Security, Innovation


Since forming Broadgate in 2008 we’ve helped a number of our clients in addressing the challenges posed by the increased internal and external security threat to their organisation and data. Our projects have included deployment of Malware threat platforms, Data Loss Prevention implementation, Cyber Intelligence and Identity and Access Management solutions.

Our experience during this time was that there is a need for a more business-focused approach, so we developed our own assessment methodology, which we have now officially launched as a product called ASSURITY. The product addresses three key challenges facing us today:

1) Understanding your business critical assets

2) Calculating your risk exposure

3) Prioritising areas requiring focus and investment

The product is differentiated in the market through not only the comprehensive inputs and modelling, but also by providing quantitative analysis in the form of a Cyber Value at Risk.


ASSURITY is a three-step process, as outlined below:

Assurity assessment methodology

Step 01

We profile the organisation from many different data points. This is a critical part of the process as it allows for a more meaningful assessment of the actual risk. C-level executives can use the product to inform their change programme and investment decisions. It is an iterative approach during which the relative weightings for each criterion are reviewed and discussed with the client to understand carefully the business risk appetite.

Step 02

The assessment is conducted by ingesting a number of different sources from documented artefacts, processes, data and technology into the Assurity product. From this we can assess the current maturity level, a quantified risk level, the potential impact to an organisation of a data breach or security event and also the likelihood of it occurring.

Step 03

The results of the assessment are presented in a form which clearly shows the focus areas for investment or change, and where the organisation is already protected at the appropriate level. We map the results to the GCHQ 10 Steps to Cyber Security and translate them into language which allows C-level executives to make informed decisions.

What are the benefits of ASSURITY?

1) Information security assurance – Demonstrating to your clients, suppliers, regulators, shareholders and insurers

2) Optimising security budgets – Avoiding unnecessary investments typically results in a 30% reduction in redundant operational security expenditure, support and maintenance

3) Qualified cyber value at risk – Financial value of corporate assets at risk is defined for input into broader business risk modelling

4) Improved compliance – Security health check defines current information security level


In the ASSURITY report, we focus on four main areas:

Cyber At Risk Score

The Cyber At Risk Score takes a number of internal and external feeds to create a value from which organisations can have a more informed discussion regarding the likelihood of a security breach. We use this across the product to help quantify the impacts against the profile of the organisation.

Gap Analysis against Target Maturity

During the profiling stage we determine the appropriate maturity benchmark for the organisation. This can be based on the internal risk appetite, industry average or other determining factors, and is used to identify shortfalls and strengths and to focus attention and investment.

Maturity Assessment Heatmap

Here we plot the scores from 10 assessment areas against the Likelihood and Impact of an event. Importantly, we also assign a quantified value at risk, which we have determined through the profiling exercise and the current maturity level. This allows C-level executives to target and prioritise the investment areas.

Strategic Roadmap

The output from the ASSURITY product also forms the basis for the required change programme. We split the initiatives into Quick Wins which have the most immediate impact or target the most vulnerable areas. We also provide the long term remediation plan and ongoing continuous improvement projects to meet the required target baseline.


The ASSURITY product differentiates from other methodologies by being the most complete and accurate assessment that organisations can undertake to really understand their security risk exposure.

If you would like to find out more about the product and to arrange a demo, please contact jo.rose@broadgateconsultants.com or call 0203 326 8000 to speak to one of our security consultants.