Virtual Chief Security Officer Services

Do you need a security expert in your business?

You know that information security is important, but you don’t know how to properly protect yourself. Birmingham Consulting can work with you to make sure that you are safe, secure, and ready to face anything that comes your way.

Our vCSO program will help your business make security decisions, understand security threats, and optimize security processes using a board-level resource who virtually sits inside your company and manages your security strategy, budget, risk reviews, and regulatory programs.

Get started & solve your problem!

Threat Intelligence & Strategy Planning

A few years ago, a new threat called “juice jacking” appeared at public device charging stations in places such as airports, retail establishments, and restaurants. Criminals hid electronics behind the charging station (in the USB port or cable) that use the data connection a USB port provides alongside power to bypass security on the device being charged and infect it.

Any employee travelling or working outside the office who innocently plugged in a phone, tablet, etc. could have the device infected, which could then create multiple scenarios to harm the business. One solution is to issue mobile employees company-supplied power adapters for their devices and enforce a policy that public charging stations are not to be used for company devices: devices are charged only with company-supplied adapters and cords plugged into a standard 120V power outlet, which supplies power but no data connection. These measures create awareness of the problem among management and employees and empower them to protect the business.

Problem

The number of cyber and social engineering attack methods, information exploitation methods (e.g. fraud), and opportunities for information to be lost or leaked is constantly increasing, meaning that new threats may not be mitigated by existing security measures.

Solution

Ongoing monitoring of the threat landscape to aggregate and analyze changes and to identify whether the business is affected (i.e. whether its risk has increased) by those changes.

Positive Result

Use the result of the analysis to proactively determine how to mitigate the new risk.

Policy Vetting & Management

Your company acquires a large new client who imposes security requirements in order to qualify as an approved supplier. If your security policies are not up-to-date, your company could be disqualified.

Employees are permitted to use personal mobile devices for business. An employee loses his device and buys a new one that is incompatible with company apps. Without an up-to-date Bring Your Own Device (BYOD) policy, the company may have information exposed through the lost device, and the employee’s ability to work may be hindered.

Problem

The number of cyber and social engineering attack methods, information exploitation methods (e.g. fraud), and opportunities for information to be lost or leaked is constantly evolving, meaning that the accuracy and effectiveness of existing security policies will degrade over time.

Solution

Scheduled reviews of, and updates to, security policies to ensure they are keeping up with the changing business and threat landscape.

Positive Result

Management and employees are kept aware of the policies intended to protect them and the business.
In addition, scheduled reviews and updates help ensure that ongoing compliance requirements continue to be met.

Procedure Vetting & Management

A company allows employees to use their personal phones for business. As such, business email, contacts, calendars, and files are synced to the phone. When an employee leaves the company, the termination and offboarding procedures need to include confirming that all company information has been removed from the employee’s personal devices before the exit meeting ends.

A company corresponds with investors and needs a two-way flow of private information. It created an approved procedure for staff to follow; however, security researchers later discovered a vulnerability in the platform that its vendor refuses to fix. An annual review of procedures identified the problem.

Problem

As businesses evolve and grow, new or updated software platforms are implemented, devices are updated and replaced, employee roles are created, removed, or changed, and vendors and clients are added or removed.

Normal changes like these can make existing procedures inaccurate.

Solution

Scheduled reviews and testing of the procedures used to keep the business and employees safe and to respond to both planned and unplanned events.

Positive Result

Confidence that procedures and systems function as intended when they are needed.

Enhanced Security Awareness Training & Workshops

An accounts receivable (AR) team member at a manufacturing company sent a list of all receivables to someone impersonating the CFO. The company had basic security awareness training in place, but no associated policy and no accountability if the training was not completed or was completed incorrectly. The following week, the company’s clients started receiving emails from the criminal behind the event stating that the company’s payment remittance information had changed and giving the criminal’s banking details as the new company information. Clients submitted payments to the criminal instead of the company, resulting in financial loss.

Here’s what happened:

The employee searched through her junk mail folder and found an email supposedly from the CFO. The email was clearly sent from a non-company email address, had been flagged as junk, and carried a banner indicating it came from an external sender. In other words, the technology worked correctly: it identified the email as fraudulent and isolated it from the employee’s workflow.

The employee moved the email to her inbox and replied to the bad actor with an attached spreadsheet containing amounts owed and client contact information. It is undetermined whether these actions were accidental (e.g. an operational oversight due to overwork or an unchecked sense of urgency) or intentional (e.g. the employee was collaborating with the bad actor or was motivated by some other factor). The company had to notify every client on the list of the data leak in order to try to prevent them from paying the bad actor.

As a result, the company is increasing the frequency of its automated security awareness training, has made attendance at live security workshops mandatory, and has implemented a policy that outlines potential consequences if such an event occurs again.
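The incident above turns on two signals the mail system already produced: the message came from outside the company, and its display name matched an executive who does not use that address. The following Python sketch is an added example (not code from the original page or from Birmingham Consulting) of a gateway check that applies both rules: tag every external sender in the subject and quarantine executive display-name impersonation. The company domain, the executive list and the three sample messages are constructed assumptions.

```python
"""Mail-gateway check: external-sender tagging and executive display-name
impersonation detection. Added example; domain, executives and sample
messages below are constructed assumptions, not data from the page."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                   # assumption: the company's mail domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}  # assumption: the CFO's real mailbox


def _name_tokens(name):
    """Normalize a display name to a set of lowercase word tokens so that
    'Jane Doe', 'jane doe' and 'Doe, Jane' compare equal."""
    return frozenset(t for t in re.split(r"[^a-z]+", name.lower()) if t)


EXEC_TOKENS = {_name_tokens(n): a.lower() for n, a in EXECUTIVES.items()}


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_external(addr):
    return sender_domain(addr) != INTERNAL_DOMAIN


def impersonated_executive(display_name, addr):
    """Return the executive's real address when the display name names an
    executive but the sending address is not that executive's mailbox."""
    real = EXEC_TOKENS.get(_name_tokens(display_name))
    if real and addr.lower() != real:
        return real
    return None


def classify(raw_message):
    """Return a verdict ('deliver', 'tag' or 'quarantine'), the findings that
    led to it, and the subject line as the recipient would see it."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    if is_external(addr):
        findings.append("external-sender")
    exec_addr = impersonated_executive(display, addr)
    if exec_addr:
        findings.append(f"display-name-impersonation:{exec_addr}")
    # Replies routed to a different domain than the visible sender are a
    # common sign that the visible address is only for show.
    if reply_to and sender_domain(reply_to) != sender_domain(addr):
        findings.append("reply-to-mismatch")
    verdict = "quarantine" if exec_addr else ("tag" if findings else "deliver")
    subject = msg.get("Subject", "")
    if "external-sender" in findings and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject  # the banner the employee ignored
    return {"from": addr, "verdict": verdict, "findings": findings, "subject": subject}


# Constructed sample messages (not real mail).
SPOOF = (
    "From: Jane Doe <jane.doe.cfo@webmail-example.net>\n"
    "Reply-To: Jane Doe <cfo.urgent@another-example.org>\n"
    "Subject: Urgent - full receivables list\n\n"
    "Send me the complete AR list before noon.\n"
)
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Month-end close\n\n"
    "Please have the AR aging ready for Friday.\n"
)
VENDOR = (
    "From: Acme Billing <billing@acme-example.com>\n"
    "Subject: Invoice 4471\n\n"
    "Your invoice is attached.\n"
)

if __name__ == "__main__":
    for raw in (SPOOF, LEGIT, VENDOR):
        print(classify(raw))
```

The check is deliberately conservative: an external sender alone only gets the banner (many legitimate vendors are external), while a name collision with an executive from a foreign address is quarantined rather than tagged, because a banner is exactly the control that failed in the case above.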

Problem

Most businesses have some form of security awareness training in order to comply with cyber insurance requirements. However, basic automated training on its own is less effective than automated training combined with other training methods.

In addition, most security awareness programs do not create adequate accountability for employees, so when a preventable incident occurs, employers have no recourse.

Solution

Keep security top of mind by embedding it in workplace culture through relevant, regular security awareness training, live workshops, and/or frequent security awareness tips.

Positive Result

Information is power. Staff who are more aware of risks are more likely to spot problems and less likely to inadvertently cause security incidents.

Information Asset Workflow Vulnerability Management

A construction materials company experienced a security event that left all of its IT systems down for a week. Its manufacturing and distribution locations limped along on paper records until the situation was resolved. The cost was massive: remediation, lost sales, damaged reputation, and regulatory penalties.

As bad as it was for the affected company, every business that had ever purchased material from it was now at risk of also being compromised or defrauded. Businesses that relied on electronic data interchange (EDI) to transact with it now faced the possibility of their own IT systems being infiltrated from the affected company.

Organizations that paid invoices to the company electronically were at risk of fraud from the criminal behind the incident. For example, the criminal could use a hijacked email account to change payment information so that payments were deposited into the criminal’s account instead of the company’s.

Even entities that paid by cheque were at risk of old-school fraud attempts.

Also, if the company used EDI to transact with its suppliers, those suppliers were at risk as well. Organizations that had a map of the information flow between themselves and the affected company were immediately able to take the steps necessary to protect themselves. Organizations that did not have such information at hand could not, and remained exposed to fraud.

Problem

Inbound and outbound information supply chains are vulnerable to attack, meaning that if a supplier or customer is compromised, your company may in turn be compromised or defrauded.

Solution

Create maps of the information flow to all external entities (suppliers, customers, partners, employees, third-party services) in order to immediately identify the risk when an external entity is compromised.

Positive Result

When a related external entity is compromised, you immediately know what company information may be affected: for example, which passwords need to be changed immediately, which accounts need to be shut down or placed under increased monitoring, and which employees need to be alerted to likely fraud attempts.
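A flow map is only useful in an incident if it can be queried in minutes. The following Python sketch is an added example (not the page’s or Birmingham Consulting’s own tooling) of the map the Solution and Positive Result above describe: each flow records who sends what to whom, over which channel, and under which shared credentials, so that naming a compromised entity yields the credentials to rotate, the inbound data to validate, the outbound data to treat as disclosed, and the other parties reachable through connected channels. The company name “Us”, the entities, channels and credentials are constructed sample data.

```python
"""Information-flow map and exposure query for a compromised external entity.
Added example; "Us", the entities, channels and credentials are constructed
sample data, not taken from the page."""
from collections import deque
from dataclasses import dataclass

US = "Us"  # assumption: the company doing the mapping
# Channels that can carry malicious content or be hijacked, so a compromise can
# propagate along them. A posted cheque carries fraud risk but cannot infect
# a system, so it does not propagate in the walk below.
PROPAGATING = {"EDI", "email", "portal", "SFTP"}


@dataclass(frozen=True)
class Flow:
    source: str            # entity sending the information
    target: str            # entity receiving it
    channel: str           # e.g. "EDI", "email", "portal", "EFT", "cheque"
    data: str              # what moves over the channel
    credentials: tuple = ()  # shared secrets or accounts tied to this flow


# Constructed sample map: one customer, one supplier, one bank.
FLOWS = (
    Flow("Acme Materials", US, "EDI", "purchase orders", ("as2-cert-acme",)),
    Flow(US, "Acme Materials", "EDI", "invoices", ("as2-cert-acme",)),
    Flow(US, "Acme Materials", "email", "remittance instructions"),
    Flow("Acme Materials", US, "EFT", "payments"),
    Flow(US, "Steelco", "EDI", "purchase orders", ("edi-user-steelco",)),
    Flow("Steelco", US, "EDI", "invoices", ("edi-user-steelco",)),
    Flow(US, "First Bank", "portal", "outgoing payments", ("bank-portal-token",)),
)


def exposure(flows, compromised, max_hops=2):
    """Return what to act on when `compromised` is known to be breached."""
    direct = [f for f in flows if compromised in (f.source, f.target)]
    report = {
        # Any secret shared with them must be assumed stolen.
        "rotate_credentials": sorted({c for f in direct for c in f.credentials}),
        # What they send us is now a possible vehicle for malware or fraud.
        "validate_inbound": sorted(f"{f.channel}: {f.data}" for f in direct if f.target == US),
        # What we sent them is in the criminal's hands (e.g. our remittance details).
        "assume_disclosed": sorted(f"{f.channel}: {f.data}" for f in direct if f.source == US),
        "downstream": {},
    }
    # Breadth-first walk over propagating channels, treated as bidirectional
    # (a shared EDI credential is usable in either direction), to find which
    # other parties are within reach via our own systems.
    seen = {compromised: 0}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        if seen[cur] >= max_hops:
            continue
        for f in flows:
            if f.channel not in PROPAGATING or cur not in (f.source, f.target):
                continue
            nxt = f.target if f.source == cur else f.source
            if nxt not in seen:
                seen[nxt] = seen[cur] + 1
                queue.append(nxt)
    report["downstream"] = {e: h for e, h in seen.items() if e not in (compromised, US)}
    return report


if __name__ == "__main__":
    from pprint import pprint
    pprint(exposure(FLOWS, "Acme Materials"))
```

Run against the sample map with the customer breached, the query names the shared AS2 certificate to rotate, the purchase orders and payments to scrutinize, the remittance instructions the criminal now holds (the payment-redirection fraud described above), and the supplier and bank that sit two hops away over EDI and the banking portal.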

Security Guidance & Communication

During a regularly scheduled check-in, a company mentioned that it was considering a cost reduction measure for hybrid staff: allowing them to use their personal home computers when working from home, with a pool of shared computers for use when in the office.

This scenario introduced a huge amount of risk because the company would have no insight into, monitoring of, or control over the home computers. There would be no way to prevent unauthorized access to company information from these unmanaged computers. Also, since most home systems have far less security than company assets (if any) and are shared with other household members, including children, there would be a high risk of company systems being infected from a computer the company did not own or manage.

Problem

Firms retain external legal and finance counsel to supplement existing resources but few retain external security counsel to supplement existing security efforts.

Solution

Regularly scheduled security consultations ensure that company initiatives and changes include security in the planning process.

Positive Result

Including security in the planning process avoids the additional cost and productivity delays of adding security after the fact.