Do you need a Virtual CISO for your business?
You know that information security is important, but you need a board-level resource to manage it. Our Virtual CISO services allow for proactive risk management as we ‘virtually’ sit inside your business. We can spearhead your security strategy, budget, risk reviews and regulatory programs. This includes making security decisions, understanding security threats, and optimizing security processes.
Threat Intelligence & Strategy Planning
A few years ago, a new threat called “juice jacking” appeared in public areas with device charging stations, such as airports. This is when criminals use electronics hidden behind the charging station to infect the device that’s plugged in.
Any employee travelling or working outside the office who innocently plugged in a phone, tablet, etc. could inadvertently have the device infected, which could then create multiple scenarios that harm the business. So, one solution is to issue mobile employees with company-supplied power adapters and enforce a policy that public charging stations cannot be used for company devices. Collectively, measures like these create awareness of the problem among management and employees.
The number of cyber and social engineering attack methods, information exploitation methods (e.g. fraud), and opportunities for information to be lost or leaked is constantly increasing, meaning that ever-changing threats may not be mitigated by existing security measures.
Virtual CISO services include ongoing monitoring of the “threat landscape” to aggregate and analyze changes in it and identify whether the business is impacted (i.e. its risk has increased).
The result of the analysis is then used to proactively determine how to mitigate the new risk.
Policy Vetting & Management
Let’s say your company acquires a large client, but they impose security requirements in order to qualify as an approved supplier. Consequently, your company could be disqualified if your security policies are not up-to-date.
Or, consider employees who are permitted to use personal mobile devices for business. What if they lose their device and purchase a new one that is incompatible with company apps? Without a current “Bring Your Own Device (BYOD)” policy, company data is at risk of being exposed.
The number of cyber and social engineering attacks, information exploitation methods (e.g. fraud), and opportunities for data leaks is constantly evolving. Therefore, the accuracy and effectiveness of existing security policies will degrade over time.
So, scheduled reviews of, and updates to, security policies with a virtual CISO ensure they keep up with the changing business and threat landscape.
Management and employees are kept aware of policies intended to protect them and the business.
In addition, scheduled reviews and updates help ensure that ongoing compliance requirements continue to be met.
Procedure Vetting & Management
Let’s take a company that allows employees to use their personal phones for business. As such, business email, contacts, calendars, and files are synced to the phone. So, when an employee leaves the company, the termination and offboarding procedures need to include confirmation that all company data is removed from their personal devices.
Another example is a company that corresponds with investors and needs a two-way flow of private information. They created an approved procedure for staff to follow; however, security analysts discovered a vulnerability in the platform that its vendor refuses to fix. An annual review of procedures with their Virtual CISO identified the problem.
As businesses evolve and grow, new and/or updated software platforms are implemented, devices are updated and replaced, employee roles are created, removed, or changed, and vendors and clients are added or removed.
Therefore, normal changes to the business can impact the accuracy of existing procedures.
So, schedule reviews and testing, with your virtual CISO, of the procedures used to keep the business and employees safe and to respond to both planned and unplanned events.
The result is knowing that procedures and systems will function as intended when they are needed.
Enhanced Security Awareness Training & Workshops
Despite the company having security awareness training in place, an AR team member at a manufacturing company sent a list of all receivables to someone who impersonated the CFO. The following week, the same criminal then emailed the company’s clients – stating that the company’s payment remittance information had changed… to their own banking details.
Here’s how it happened:
The initial employee found an email “from the CFO” in her junk folder. The anti-spam technology worked correctly in identifying the email as fraudulent and isolated it. But, the employee moved the email to her inbox and replied with client information. Regardless of whether the actions were accidental or intentional, the company had to notify all clients in the list of the data leak.
As a result, the company increased their automated security awareness training, made attendance at live workshops mandatory, and implemented a policy that outlines potential consequences.
Most businesses have security awareness training in order to comply with cyber insurance requirements. However, basic automated training on its own is less effective than combining it with other training methods.
Finally, most security awareness programs do not create adequate accountability for employees, so when a preventable incident occurs, employers have no recourse.
Virtual CISO services keep security top of mind by embedding it in workplace culture through relevant, regular security awareness training, live workshops, and more.
Information is power. Staff that are more aware of risks are more likely to spot problems and less likely to inadvertently cause security incidents.
Information Asset Workflow Vulnerability Management
A construction materials company experienced a security event resulting in all of their IT systems being down for a week. Their manufacturing and distribution locations limped along until the situation was resolved. The cost was massive: for remediation, lost sales, damaged reputation, and regulatory penalties. But it also meant:
- The criminals behind the incident could use their access to compromise any business that had purchased material from the company.
- Additionally, businesses that require electronic data interchange (EDI) for transactions were consequently at risk of having their IT systems infiltrated.
- Organizations who paid invoices to the company electronically were at risk of fraud from the criminal behind the incident. For example, the criminal could use a hijacked email account to redirect payment to themselves. So, even entities that paid by cheque were at risk of old-school fraud attempts.
- And, if the company used EDI to transact with its suppliers, those suppliers were also at risk.
Organizations that had a map of the information flow between themselves and the affected company were able to take the steps necessary to protect themselves. However, organizations that did not have such information at hand could not take those steps and were exposed to fraud.
Inbound and outbound information supply chains are vulnerable to attack. This means that if a supplier or customer is compromised, it could result in your company experiencing a cyber incident as well.
Create maps of information flow to all external entities (suppliers, customers, partners, employees, and 3rd-party services). You can do this with the help of a Virtual CISO service in order to immediately identify risk when an external entity is compromised.
When a related external entity is compromised, you immediately know what company information may be affected: for example, which passwords need to change immediately, which accounts need to be shut down or placed under increased monitoring, and which employees need heightened awareness of possible fraud attempts.
Security Guidance & Communication
A company considered a cost reduction measure for hybrid staff: allowing them to use their personal home computers when working from home, with a pool of shared computers for people to use when in the office.
This increased their security risks because the company had no insight into, monitoring of, or control over the home computers. There would be no way to prevent unauthorized access to company information from “unmanaged” computers. Also, there is a high risk of company systems being infected via a computer the company did not own or manage.
Firms retain external legal and finance counsel to supplement existing resources, but few retain external security counsel to supplement existing security efforts.
Regularly scheduled security consultations ensure that company initiatives and changes include security in the planning process.
Including your Virtual Chief Information Security Officer in the planning process avoids the additional cost and productivity delays that come from adding security after the fact.