Virtual Chief Information Security Officer

Our Virtual CISOs spearhead your Information Security with proactive risk management  

Do you need a Virtual CISO for your business?

You know that information security is important, but you don’t know how to protect your business properly. Our Virtual CISO services help your business make security decisions, understand security threats, and optimize security processes. A Virtual CISO is a board-level resource who sits virtually inside your business and manages your security strategy, budget, risk reviews and regulatory programs.

Get started with Virtual CISO services & solve your problem!

Threat Intelligence & Strategy Planning

A few years ago, a new threat called “juice jacking” appeared at public device charging stations in places such as airports, retail establishments, and restaurants. Because a USB connection carries data as well as power, criminals hid electronics behind the charging station (in the USB port or cable) to bypass security on the devices being charged and infect them.

Any employee travelling or working outside the office who innocently plugged in a phone, tablet, etc. could inadvertently have the device infected, which in turn opens multiple avenues to harm the business. One solution is to issue mobile employees with company-supplied power adapters for their devices and enforce a policy that employees must not use public charging stations for company devices: devices are only to be charged with company-supplied power adapters and cords connected to a standard 120V power outlet. Power-only (data-blocking) USB cables or adapters are an inexpensive complement for situations where a wall outlet is not available. Collectively, measures like these make management and employees aware of the problem and empower them to protect the business.

Problem

The number of cyber and social engineering attack methods, information exploitation methods (e.g. fraud), and opportunities for information to be lost or leaked is constantly increasing, meaning that ever-changing threats may not be mitigated by your existing security measures.

Solution

Virtual CISO services include ongoing monitoring of the threat landscape: aggregating and analyzing new threat information and identifying whether the business is affected (i.e. whether its risk has increased) by changes in that landscape.

Positive Result

The results of the analysis are used to proactively determine how to mitigate the new risk before it is exploited.


Policy Vetting & Management

Your company acquires a large new client that imposes security requirements on its approved suppliers. Your company could be disqualified if its security policies are not up to date.

Employees are permitted to use personal mobile devices for business. So, what if an employee loses their device and purchases a new one that is incompatible with company apps? Without an up-to-date “Bring Your Own Device (BYOD)” policy, the company may have information exposed by the loss of the old device, and the employee’s ability to work may be hindered.

Problem

The number of cyber and social engineering attack methods, information exploitation methods (e.g. fraud), and opportunities for information to be lost or leaked is constantly evolving. Therefore, the accuracy and effectiveness of existing security policies degrade over time.

Solution

Scheduled reviews of, and updates to, security policies with a virtual CISO ensure they keep pace with the changing business and threat landscape.

Positive Result

Management and employees are kept aware of policies intended to protect them and the business. In addition, scheduled reviews and updates help the company keep meeting its ongoing compliance requirements.


Procedure Vetting & Management

A company allows employees to use their personal phones for business. As such, business email, contacts, calendars, and files are synced to the phone. So, when an employee leaves the company, the termination and offboarding procedures need to include confirming that all company information is removed from their personal devices before the termination meeting ends, and the means to do so (for example, a selective wipe of company data through mobile device or application management) must be in place well before that day.

A company corresponds with investors and needs a two-way flow of private information. It created an approved procedure for staff to follow; however, security researchers later discovered a security vulnerability in the platform that its vendor refuses to fix. An annual review of procedures with their Virtual CISO identified the problem.

Problem

As businesses evolve and grow, new and/or updated software platforms are implemented, devices are updated and replaced, employee roles are created, removed, or changed, and vendors and clients are added or removed.

Normal changes to the business like these can make existing procedures inaccurate or ineffective.

Solution

Scheduled reviews and testing, with your virtual CISO, of the procedures used to keep the business and employees safe and to respond to both planned and unplanned events.

Positive Result

Confidence that procedures and systems function as intended when they are needed.


Enhanced Security Awareness Training & Workshops

An AR team member at a manufacturing company sent a list of all receivables to someone who impersonated the CFO. The company had basic security awareness training in place, but no associated policy or accountability if the training was not completed or was completed incorrectly. The following week, the criminal behind the event emailed the company’s clients stating that the company’s payment remittance information had changed and provided the criminal’s banking details as the new company information. Clients submitted payments to the criminal instead of the company, resulting in financial loss.

Here’s what happened:

The employee searched through her junk mail folder and found an email “from the CFO”. The email was clearly sent from a non-company email address, had been flagged as junk, and was marked with a banner accordingly. The technology worked correctly in identifying the email as fraudulent and isolating it. But the employee moved the email to her inbox and replied with an attached spreadsheet that included client information. It was never determined whether these actions were accidental or intentional. The company had to notify all clients on the list of the data leak.

As a result, the company is increasing its automated security awareness training, has made attendance at live workshops mandatory, and has implemented a policy that outlines potential consequences for such events.
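The gateway in this story did its job; what was missing was a second control on the employee's reply. The following is an added example, not code from the original page or from the company described: a small outbound mail check that blocks a reply carrying an attachment when the recipient's display name matches an executive but the address is not that executive's mailbox. The company domain, the executive directory, both messages and the spreadsheet contents are constructed assumptions; it uses only the Python standard library.

```python
"""Added example (not from the original page): an outbound mail check that
would have stopped the reply in the incident above. Company domain, executive
directory and both messages are constructed assumptions. Standard library only."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

COMPANY_DOMAIN = "example.com"  # assumption


def normalize_name(name: str) -> str:
    """Make 'Doe, Jane', 'jane  doe' and 'Jane Doe' compare equal."""
    return " ".join(sorted(name.lower().replace(",", " ").split()))


# Assumed executive directory: normalised display name -> the executive's real mailbox.
EXECUTIVES = {normalize_name(n): a.lower() for n, a in [
    ("Jane Doe", "jane.doe@" + COMPANY_DOMAIN),
]}

# Constructed inbound message: the executive's name on an external address.
INBOUND_RAW = """\
From: Jane Doe <jane.doe@mail-example.net>
To: ar@example.com
Subject: Urgent - open receivables list
Message-ID: <20240101.1@mail-example.net>
Content-Type: text/plain; charset="utf-8"

Please reply with the full list of open receivables today.
"""


def impersonates_executive(display_name: str, address: str) -> bool:
    """True when the display name is an executive's but the address is not
    that executive's mailbox (external domain or a look-alike account)."""
    real = EXECUTIVES.get(normalize_name(display_name))
    return real is not None and address.lower() != real


def parse_message(raw: str) -> EmailMessage:
    return message_from_string(raw, policy=policy.default)


def build_reply(inbound: EmailMessage, body: str, attachment: bytes, filename: str) -> EmailMessage:
    """Simulates the employee replying to the fraudulent email with a file attached."""
    reply = EmailMessage()
    reply["From"] = "ar@" + COMPANY_DOMAIN
    reply["To"] = str(inbound["From"])
    reply["Subject"] = "Re: " + str(inbound["Subject"])
    reply["In-Reply-To"] = str(inbound["Message-ID"])
    reply.set_content(body)
    reply.add_attachment(attachment, maintype="text", subtype="csv", filename=filename)
    return reply


def evaluate_outbound(msg: EmailMessage) -> dict:
    """DLP-style rule: block an attachment addressed to an executive impersonator."""
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    attachments = [part.get_filename() for part in msg.iter_attachments()]
    impersonators = [addr for name, addr in recipients if impersonates_executive(name, addr)]
    if attachments and impersonators:
        return {"action": "block",
                "reason": "attachment addressed to executive impersonator",
                "recipients": impersonators, "attachments": attachments}
    return {"action": "allow", "reason": "", "recipients": [], "attachments": attachments}


def demo() -> dict:
    inbound = parse_message(INBOUND_RAW)
    receivables = b"client,amount\nAcme Ltd,12000\nGlobex,8500\n"  # constructed data
    reply = build_reply(inbound, "Attached as requested.", receivables, "receivables.csv")
    return evaluate_outbound(reply)


if __name__ == "__main__":
    print(demo())
```

The check is deliberately narrow: it keys on the one signal the gateway had already produced (an executive's name on a foreign address) and only fires when data is about to leave, so it adds friction exactly where the story went wrong rather than to every external reply. A real deployment would take the directory from the identity provider and run the rule at the outbound mail gateway, not on the client.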

Problem

Most businesses have some form of security awareness training in order to comply with cyber insurance requirements. However, basic automated training on its own is less effective than automated training combined with other training methods.

Finally, most security awareness programs do not create adequate accountability for employees, so when a preventable incident occurs, employers have no recourse.

Solution

Virtual CISO services keep security top of mind by embedding it in workplace culture through relevant, regular security awareness training, live workshops, and/or frequent security awareness tips.

Positive Result

Information is power. Staff that are more aware of risks are more likely to spot problems and less likely to inadvertently cause security incidents.


Information Asset Workflow Vulnerability Management

A construction materials company experienced a security event resulting in all of their IT systems being down for a week. Their manufacturing and distribution locations limped along using paper records until the situation was resolved. The cost was massive: for remediation, lost sales, damaged reputation, and regulatory penalties.

As bad as it was for the affected company, every business that had ever purchased material from it was now also at risk of being compromised or defrauded. Businesses that relied on electronic data interchange (EDI) to conduct transactions faced the possibility of their own IT systems being infiltrated through their connection to the affected company.

Organizations that paid invoices to the company electronically were at risk of fraud from the criminal behind the incident. For example, the criminal could use a hijacked email account to change payment information so that payments were deposited into their account instead of the company’s. Even entities that paid by cheque were at risk of old-school fraud attempts.

Also, if the company used EDI to transact with its suppliers, those suppliers were at risk too. Organizations that had a map of the information flow between themselves and the affected company were able to take the steps necessary to protect themselves. Organizations that did not have such information at hand could not, and remained exposed to fraud.

Problem

Inbound and outbound information supply chains are vulnerable to attack: if a supplier or customer is compromised, your company may in turn be compromised or defrauded.

Solution

Create maps of information flow to all external entities (suppliers, customers, partners, employees, third-party services) with the help of a Virtual CISO service, so that risk can be identified immediately when an external entity is compromised.

Positive Result

When a related external entity is compromised, you immediately know what company information may be affected: for example, which passwords need to be changed immediately, which accounts need to be shut down or placed under increased monitoring, and which employees need to be alerted to possible fraud attempts.
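The solution and result above amount to a queryable map. As an added example (not the page's or any vendor's code), here is a minimal information-flow map and the query you would run the moment a counterparty reports a breach; it also shows a second-order effect the text does not spell out, namely that a credential shared across counterparties widens the blast radius. The entities, channels, credentials, owners and response playbook are all constructed assumptions.

```python
"""Added example (not from the original page): a queryable information-flow
map. Entities, channels, credentials, owners and the playbook are constructed
assumptions used only to demonstrate the query."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    counterparty: str         # external entity at the other end of the flow
    direction: str            # "inbound" or "outbound", from our point of view
    channel: str              # edi | email | bank | portal
    data: str                 # what information moves over this flow
    credentials: tuple = ()   # our secrets/accounts that underpin the flow
    owners: tuple = ()        # internal teams that operate or rely on it


# Constructed sample map for a building-materials business.
# Note the deliberately shared SFTP credential on both EDI links.
FLOWS = [
    Flow("Acme Construction", "outbound", "edi", "invoices, shipping notices",
         ("as2-acme-cert", "edi-sftp-shared"), ("edi-team",)),
    Flow("Acme Construction", "inbound", "bank", "customer payments (ACH)",
         (), ("accounts-receivable",)),
    Flow("Acme Construction", "inbound", "email", "purchase orders, remittance advice",
         (), ("sales", "accounts-receivable")),
    Flow("Globex Quarry", "inbound", "edi", "price lists, shipment notices",
         ("as2-globex-cert", "edi-sftp-shared"), ("edi-team",)),
    Flow("Globex Quarry", "outbound", "bank", "supplier payments",
         (), ("accounts-payable",)),
    Flow("PayrollCo", "outbound", "portal", "employee PII, salaries",
         ("payrollco-admin",), ("hr",)),
]

# Constructed response playbook keyed by channel.
PLAYBOOK = {
    "edi": ["suspend automated processing of inbound EDI",
            "rotate the connection credentials/certificates"],
    "email": ["warn owners about impersonation and changed-remittance fraud",
              "require out-of-band verification of any payment-detail change"],
    "bank": ["freeze changes to this counterparty's payment details",
             "review recent payments to/from this counterparty"],
    "portal": ["reset the account credentials", "enable login monitoring"],
}


def exposure(compromised: str, flows=FLOWS) -> dict:
    """Everything to act on when `compromised` reports a breach."""
    affected = [f for f in flows if f.counterparty == compromised]
    creds = sorted({c for f in affected for c in f.credentials})
    owners = sorted({o for f in affected for o in f.owners})
    # Second-order exposure: any other counterparty whose flow relies on a
    # credential we now have to treat as compromised.
    also_affected = sorted({f.counterparty for f in flows
                            if f.counterparty != compromised
                            and set(f.credentials) & set(creds)})
    actions = []
    for f in affected:
        for step in PLAYBOOK.get(f.channel, []):
            item = f"{step} [{f.direction} {f.channel}: {f.data}]"
            if item not in actions:
                actions.append(item)
    return {
        "entity": compromised,
        "data_at_risk": [f.data for f in affected],
        "credentials_to_rotate": creds,
        "also_affected": also_affected,
        "notify": owners,
        "actions": actions,
    }


if __name__ == "__main__":
    report = exposure("Acme Construction")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Querying `exposure("Acme Construction")` lists the two EDI credentials to rotate, the three internal teams to notify, and flags Globex Quarry as also affected because its EDI link uses the same SFTP account; that last item is exactly the kind of dependency that is invisible without a maintained map. In practice the map lives in a ticketing or CMDB system rather than a Python list, but the query is the same.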


Security Guidance & Communication

During a regularly scheduled check-in, a company mentioned to their Virtual CISO that they were considering a cost reduction measure for hybrid staff by allowing them to use their personal home computers when working from home. When in the office, there would be a pool of computers for people to use.

This scenario introduced a huge amount of risk because the company would have no insight into, monitoring of, or control over the home computers. There would be no way to prevent unauthorized access to company information from these “unmanaged” computers. Also, considering that most home systems have weaker security than company assets, there would be a high risk of company systems being infected from a computer the company did not own or manage.

Problem

Firms retain external legal and finance counsel to supplement existing resources but few retain external security counsel to supplement existing security efforts.

Solution

Regularly scheduled security consultations ensure that company initiatives and changes include security in the planning process.

Positive Result

Including your Virtual Chief Information Security Officer in the planning process avoids the additional cost and productivity delays of adding security after the fact.