Protection Accountability

Create a culture of security within your organization

Do you need to know that your current security practices are effective? Benefit from third-party audits of your cyber defenses, so that you can be confident in your security.

Our Protection Accountability services will educate and prepare your executives, IT staff, and staff to recognize, avoid, and effectively handle potential cyber incidents. You will learn what to do when attacks happen, so that you can minimize damage and fallout.

Get started & solve your problem!

Risk Assessments

During a Level 1 risk assessment, a company discovered that their data loss protection risk level was higher than acceptable. Upon investigation, they discovered that multiple standard agreement templates referred to outdated legislation, effectively nullifying many existing confidentiality agreements.

Problem

Businesses struggle to quantify security risk and therefore are unable to quantify security ROI.

Solution

Identify changing risk levels by performing risk assessments at scheduled intervals against a standard set of controls, calculating Risk as Impact times Likelihood minus the effectiveness of controls.

Positive Result

Use the result of the assessment to understand overall organizational risk and decide if mitigation measures are necessary to decrease liability, meet any applicable compliance, and meet any applicable regulatory requirements.

Security Incident Response Testing & Validation (Tabletops)

Fire drills are a common occurrence in public schools for good reason. The entire point of the exercise is to be prepared so that in the chaos of a real fire, nobody needs to panic because everyone knows exactly what to do – and has already practiced it! As the saying goes, “Practice Makes Perfect.”

When it comes to cyber security for your business, are you applying the same forethought? Do you have a cyber incident response plan (IRP)? You probably have one for health & safety emergencies, so why not for cyber emergencies? What about a list of all the data your business shares with vendors and clients? If a supplier is hacked, could that put you at risk? Bank account numbers? Fake invoices? Email impersonation? Or something as simple as not receiving product when you need it?

And, if you have a plan, do you practice it? Do you rehearse the steps and procedures for remediation or reducing risk?

Problem

In the “heat of the moment” of a crisis or security incident, people (and therefore companies) often forget what needs to be done and/or discover that the procedures they have in place are not effective.

Solution

Conduct a form of self-training by confirming the effectiveness of incident response policies and procedures using regularly scheduled tests of various possible security incidents.

Positive Result

Management and employees are kept aware of policies intended to protect them and the business.
In addition, scheduled reviews and updates ensure that ongoing compliance requirements are met.

IT Performance Analysis

A company was using a best-of-breed Business Continuity and Disaster Recovery (BCDR) solution to back up their information and ensure they could quickly recover from a productivity loss incident.

However, the analysis revealed that the BCDR appliance's automatic updates had been failing for over 6 months and, as a result, all backups were more than 6 months old. The same problem with the updates also broke alerting by the BCDR, so the IT department was not getting notified of failed backups. The company was able to resolve the issue with updates and re-commenced successful backups. Fortunately, no productivity loss occurred while the issue was being resolved. Had something occurred before the problem was fixed (e.g. security incident or equipment failure), the company would have lost 6 months of work.

Problem

IT departments can get caught up in solving productivity issues and often do not have time to stay up-to-date on proactive measures and industry best-practices.

Solution

Conduct regularly scheduled analyses of essential IT practices against IT security best practices.

Positive Result

Identify and remediate IT systems that may not be functioning optimally before they are needed.

Vendor Security Risk Assessments

A company was corresponding with a supplier over email to resolve a billing issue. During the exchange, the supplier included all of the company’s credit card information in an unsecured email.

The AP clerk knew that sending credit card information by an unsecured method was against her company’s policy but did not know if the supplier had such a policy. The company cancelled the credit card and stopped doing business with that supplier. A vendor risk assessment would have identified the risk before it led to an information breach.

Problem

Suppliers need to comply with your security requirements, including applicable policies and procedures, in order to protect your organization’s information.

Solution

Conduct regularly scheduled assessments of all suppliers to verify that they are not putting your company at risk.

Positive Result

Your company can qualify and manage vendors based on the risk they pose to your company.

Executive Management / Board Reporting & Updates

In 2019, SolarWinds – an IT service management company – was compromised by cyber attackers. By December 2020, their Orion software, which was used by tens of thousands of businesses and organizations, was compromised as well. Still, SolarWinds stayed quiet about the attack until their customers started to put two and two together.

In 2023, the SEC brought a civil complaint against SolarWinds as a company as well as against their CISO. This is a growing trend in information security cases: executives and board members are being held responsible for their overall choices and their effects on their customers.

Problem

Board members and executive management are increasingly being held accountable for security events by suppliers, customers and regulatory bodies. Ignorance and/or delegation is no longer an acceptable defence when it comes to security risk.

Solution

Ensure that risk levels are documented and effectively communicated to board members and executive management on a regular basis.

Positive Result

Board members and executive management can make informed decisions about risks and are in a defendable position when a security event occurs.