CyberRisk Services
At CyberRisk we believe that protecting your organisation’s reputation is crucial to ensuring that your business continues to grow and meet its objectives. We provide expert advice to protect your organisation and its reputation from cyber attacks. Safeguarding your business is our sole mission. We do this by drawing on many years of experience, and on best practices learned from designing, deploying and managing proven, practical, pragmatic and cost-effective IT security programs for organisations across many industries. We help you to identify your key data assets and business processes, assess the strength and effectiveness of your security controls, build strategies and plans to mitigate your risks, and deploy the right security measures to reduce your risk to an acceptable level.
CyberRisk offers a comprehensive portfolio of services and capabilities that assist you to effectively manage your risk.
Security Strategy and Program Design, Implementation and Operation
An organisation needs a security strategy or program that supports its goals and objectives. CyberRisk specialises in designing, implementing and running comprehensive business driven security programs.
Today’s corporate leaders face multiple challenges, including the need to innovate in extremely competitive business climates, address highly dynamic regulatory and compliance challenges, and secure the enterprise against a wide barrage of new and evolving sophisticated threats. Security is a major consideration in the way that business and information technology systems and processes are designed, built, operated, and managed.
Organisations often take a bottom-up approach to security and continually build on top of their existing security investments. This technology-centric approach often creates an excessively complex and disjointed security infrastructure that is difficult to manage and prone to operational inefficiencies which can escalate IT costs.
The need to integrate security with business functions and operations is greater than ever. A business-driven approach can achieve end-to-end security that supports business goals such as driving innovation and reducing organisational costs, as well as operational requirements: addressing compliance obligations, protecting against internal and external threats, and prioritising the security risk management activities that make the most sense for your organisation.
CyberRisk Value
We can provide answers to the following questions:
- Does my security program support my organisation’s goals and objectives?
- Am I investing money in the right areas?
- Will my security program provide an adequate level of protection given the size and nature of my business?
- Am I getting the value I should expect from my investments in information security?
Enterprise Risk Management, Audit and Compliance
CyberRisk provides guidance, expertise and recommendations to help you make informed decisions about addressing gaps, managing risk and allocating resources to better protect your organisation. CyberRisk can help you to comply with standards and frameworks such as the PCI DSS, the Australian Government Information Security Manual (ISM), the NIST Cybersecurity Framework (CSF) and ISO 27001.
Identifying, mitigating and managing cyber risk allows you to make better business decisions and protect your organisation. In the modern data driven enterprise managing your information assets is critical to managing your risk.
CyberRisk Value
We can provide answers to the following questions:
- Have I identified all of the major risks to my business?
- Do I have plans in place to manage my key risks?
- Are my treatment plans effective and providing value for money?
- Is my spend on information security optimised and focused on what matters to my organisation?
- Am I complying with all of my obligations?
- How can I comply with the PCI DSS?
- I would like my organisation to be ISO 27001 compliant, what do I need to do and where do I start?
- My auditors have raised too many issues for me to fix. How can I close my open audit findings cost effectively and in a timely manner?
- Am I likely to pass my audit? Where are the auditors most likely to find issues? What can I do about this before they arrive?
Security Awareness and Digital Safety Culture
Perfect security is neither practicable nor affordable; information security is about managing risk and managing people. Unless the human factor is addressed, no amount of money spent on technology or process will reduce the risk of a data breach. People operate the technology, and human error is consistently among the most common root causes of security incidents; yet spending on security awareness is often negligible compared with the amounts spent on security technology. CyberRisk can design and implement a security awareness program that works.
The human element is one of the most critical aspects of any security program, yet it is often the most neglected. Many security leaders prioritise other projects and see little value in the efforts they do commit to training and awareness, following a “compliance is enough” attitude. This is precisely the problem: awareness initiatives are sporadic, with materials that reflect minimal, uninspired investment in compliance-focused activities. Meanwhile, security technologies that are critical to protecting environments are routinely undermined by easily avoidable human factors.
CyberRisk Value
We can provide answers to the following questions:
- Is my security awareness program designed to be effective?
- What can I do to change the behaviour of my people and make them more aware of and follow good security practice?
- How can I improve my security awareness program and make it more effective?
- Have I based my security awareness activities on techniques that are proven to change behaviour?
Incident Response and Capability Assessment
Organisations are increasingly finding themselves at risk as cyber attacks and intrusions rise. Attacks are becoming more sophisticated, targeted and damaging. CyberRisk can help you to take a proactive stance against unauthorised intrusion and attacks by assessing your organisation’s ability to effectively respond to a cyber attack.
No defence is 100% effective, so a breach should be treated as a matter of when, not if. Your ability to respond to an incident is crucial in limiting the damage to your organisation’s business operations and reputation; limiting that damage and reducing the time and cost of recovery are the key attributes of breach response. Cyber attacks can strike at any time, without warning, and when they do, time is of the essence. Your organisation needs to be prepared to respond quickly when your defences have been breached. During an attack it is critical to have a plan in place so that your security team can act immediately, contain the situation and minimise the damage.
CyberRisk Value
We can provide answers to the following questions:
- Are my incident response processes designed to be effective?
- Is my incident response process effective?
- Does my incident response team have the optimal structure?
- Do I have the tools in place to rapidly detect an incident?
- How can I improve my ability to effectively detect an incident?
Disaster Recovery and Business Continuity
A disaster can strike at any time, how confident are you that you can respond effectively?
CyberRisk Value
We can provide answers to the following questions:
- Which of my business processes are the most critical to my organisation?
- How much data can my organisation afford to lose in a disaster (which sets its recovery point objective)? How long can my business continue without key IT systems before it fails (which bounds its recovery time objective)?
- If an IT system supporting a critical business process becomes unavailable, do I have a plan in place to recover? Will the plan work? Has it been tested properly?
- How can I continue to operate my business effectively whilst my IT systems are being recovered?
Secure Solution Design
CyberRisk can help you to ensure that you have implemented well designed and cost effective safeguards into your IT systems.
Including security early in the information system development life cycle will usually result in less expensive and more effective security than adding it to an operational system.
CyberRisk Value
We can provide answers to the following questions:
- Is the design of my system secure?
- Have I included all of the required safeguards considering the importance of the information the system holds?
- Will my system integrate with my existing environment securely?
Privacy
An entity that is required to comply with the Privacy Act 1988 must take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. This extends to situations where an entity engages a third party to store, maintain or process personal information on its behalf. CyberRisk can assist you in ensuring that your security controls and safeguards are well designed and are operating effectively, thus allowing you to meet your obligations under the Privacy Act.
Does your organisation collect or store personal information? The Privacy Act regulates how entities handle individuals’ personal information. Along with obligations regarding the collection, use, disclosure and the provision of access to personal information, the Privacy Act also requires entities to take ‘reasonable steps’ to protect the personal information that they hold from misuse, loss and from unauthorised access, use, modification or disclosure.
When developing or reviewing a project, consider the need for a privacy impact assessment (PIA). A PIA identifies how a project can have an impact on individuals’ privacy, and makes recommendations for managing, minimising or eliminating privacy impacts. CyberRisk recommends that you should conduct PIAs as part of your risk management and planning processes. If your existing systems have never been assessed then CyberRisk can help to make sure that they comply with the relevant standards.
If the Office of the Australian Information Commissioner (OAIC) investigates a possible breach of the Privacy Act it considers two factors:
- the steps that the entity took to protect the information
- whether those steps were reasonable in the circumstances
Our Privacy Readiness Assessment service can provide you with the help you need to ensure that your organisation has reasonable security measures in place to protect personal information and thus meet your privacy obligations.
CyberRisk Value
We can provide answers to the following questions:
- Are my controls reasonable, given the requirements of the Privacy Act?
- Have I taken reasonable steps to secure my customers’ information?
- Do my data breach response plan and procedures comply with the Privacy Act’s mandatory data breach reporting requirements (the Notifiable Data Breaches scheme)?
Policy Development and Implementation
Your Information Security Policies are the cornerstone of your Information Security Program. Policies explain how information should be secured and managed in your organisation. To be successful you must have well-defined objectives for security and an agreed-upon management strategy for securing information. CyberRisk can assist you in developing pragmatic security policies that your people will actually use.
A security policy establishes what must be done to protect an organisation’s information assets. A well-written policy defines the “what”; deciding how security will be maintained, and how much risk will be tolerated, is part of information security management. Management defines information security policies to describe how the organisation wants to protect its information assets. Once policies are set, standards are defined to specify the mandatory rules and safeguards that implement them.
CyberRisk Value
We can provide answers to the following questions:
- My organisation needs some policies, where do I start and what does finished look like?
- Do my policies reflect my organisation’s tolerance for risk?
- How can I write policies that my people will understand and follow?
- Will my policies pass an audit?
- Do I have all the policies my organisation needs to maintain an acceptable duty of care?
Data Protection Assessment
Your security program should be designed to deliver value for money, well designed and effective safeguards and a reduction in risk. CyberRisk can assess the maturity of your security program, identify gaps and make recommendations for improvement.
Digital information is at the heart of today’s organisations, and the effective use and management of information is directly linked to the continued success of your enterprise. However, cloud, mobility and big data have introduced many new information security risks and greatly amplified existing ones. Breaches are reported almost daily, there are now many high-profile examples of information risks being realised, and their impacts continue to grow. Organisations that do not improve their management of information security risk put their continued operation at stake.
CyberRisk Value
We can provide answers to the following questions:
- Have you identified and mitigated your most significant risks?
- Are your controls designed correctly? Are they operating effectively?
Security Operations Centre – Design, Build and Operation
Is your organisation overwhelmed by the onslaught of security data from disparate systems, platforms and applications? Are your numerous point security solutions (anti-virus, firewalls, intrusion detection, access control, identity management, single sign-on and so on) creating millions, maybe billions, of log messages a day? On top of directed attacks becoming more frequent and sophisticated, regulatory compliance places an increasing burden on your security, systems and network administrators. The result is a large volume of information and log data to manage, and you need a formal mechanism to deal with it. One answer is a security operations centre (SOC). A SOC in its most basic form is a team that monitors for, and deals with, information security incidents and related issues. CyberRisk can assist you in designing, implementing and/or running a SOC.
Today most organisations have a business requirement to perform proactive monitoring of their infrastructure to detect and respond to security attacks. We offer services to help organisations build a SOC capability, with a comprehensive approach to defining the business drivers for the capability, designing the services the SOC will deliver, and developing the processes and procedures the SOC will operate with.
CyberRisk’s experienced security operations consultants can help you understand your business requirements and define your use cases, perform the necessary planning, design of infrastructure, establish service catalogue definitions, document processes, and assist with the configuration of your SOC infrastructure and tooling.
CyberRisk can also assist with selecting appropriate technology that is best fit to the organisation’s monitoring requirements, in addition to providing log data on-boarding to Security Information and Event Management (SIEM) platforms, configuration of alerting and development of monitoring dashboards.
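As an added illustration of what a SIEM use case actually encodes (this is example code written for this page, not CyberRisk tooling or any SIEM product's rule syntax), the following Python parses constructed OpenSSH authentication messages and raises one alert per source address when a threshold of failed logons lands inside a time window, escalating the alert if that source then authenticates successfully. The log lines, host and user names, IP addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in OpenSSH's auth message format; not real data.
# The last line deliberately does not match the rule so the parser's skip path is exercised.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z bastion sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
2024-03-01T09:00:09Z bastion sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
2024-03-01T09:00:17Z bastion sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51138 ssh2
2024-03-01T09:00:25Z bastion sshd[1204]: Failed password for root from 203.0.113.7 port 51144 ssh2
2024-03-01T09:00:33Z bastion sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51150 ssh2
2024-03-01T09:01:02Z bastion sshd[1206]: Accepted password for svc_backup from 203.0.113.7 port 51160 ssh2
2024-03-01T09:03:40Z bastion sshd[1210]: Failed password for alice from 198.51.100.5 port 40210 ssh2
2024-03-01T09:03:55Z bastion sshd[1211]: Accepted password for alice from 198.51.100.5 port 40210 ssh2
2024-03-01T09:20:00Z bastion sshd[1300]: Failed password for root from 203.0.113.9 port 60001 ssh2
2024-03-01T10:10:00Z bastion sshd[1301]: Failed password for root from 203.0.113.9 port 60002 ssh2
2024-03-01T10:10:05Z bastion sshd[1302]: Connection closed by 203.0.113.9 port 60002 [preauth]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Normalise raw lines into event dicts, oldest first. Unmatched lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_ssh_bruteforce(events, threshold=5, window_seconds=300):
    """Sliding-window correlation keyed on source IP.

    One alert per source is raised when `threshold` failures fall inside the window
    (medium severity). If the same source then logs in successfully while still
    inside the window, the alert is escalated to high: that is the pattern an
    analyst should triage first, because it suggests the guessing worked.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)        # src -> user names attempted
    alerts = {}                     # src -> alert dict (de-duplicated per source)
    for e in events:
        src, q = e["src"], failures[e["src"]]
        while q and e["ts"] - q[0] > window:   # expire failures that left the window
            q.popleft()
        if e["outcome"] == "Failed":
            q.append(e["ts"])
            users[src].add(e["user"])
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"src": src, "severity": "medium", "failures": len(q),
                               "users": sorted(users[src]), "first": q[0],
                               "last": e["ts"], "success_user": None}
        elif len(q) >= threshold and src in alerts:
            alerts[src].update({"severity": "high", "success_user": e["user"], "last": e["ts"]})
    return sorted(alerts.values(), key=lambda a: a["first"])


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(parse_events(SAMPLE_LOGS)):
        print(f"[{alert['severity'].upper()}] {alert['src']}: {alert['failures']} failures "
              f"for {alert['users']}, then success as {alert['success_user']}")
```

Run stand-alone, the constructed data yields a single high-severity alert for 203.0.113.7; the single typo by alice and the two failures an hour apart from 203.0.113.9 fall below threshold or outside the window and stay silent. The same structure (normalise, key on an entity, window, threshold, escalate on a follow-on event) is what a SIEM correlation rule expresses in its own syntax; the choice of threshold and window is a tuning decision for your environment, not a constant.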
Additionally, CyberRisk has experience in assisting organisations that choose to outsource some of their security monitoring to a third-party Managed Security Service Provider (MSSP), and can provide consulting support throughout the process. For clients running a Request for Proposal or Request for Quotation, we work with you to define your MSSP service requirements, evaluate vendor responses, and review the proposed service and support agreements, so that the service you receive meets your needs, represents value for money, and comes with reasonable support terms.
CyberRisk Value
We can provide answers to the following questions:
- Are you being proactive in monitoring your environment to help defend against security threats?
- How mature is your security operations capability compared to other organisations of similar size?
- Are you collecting the right type of logs to provide the visibility required to detect malicious activity?
- Do you have the right tooling in place to enable your team to see, identify, and act upon threats in your environment?
- Are the process workflows in your security operations capability designed in the most effective way?
- How can your SOC or Security Operations team achieve efficiency improvements?
Vulnerability Assessment
Do you know which of your web applications, databases, servers and network devices are most vulnerable to hackers? Do you understand your level of exposure? Before you can secure your systems and environment, you need to understand where your weaknesses lie. A vulnerability assessment will identify, document and assess weaknesses in your information systems and allow you to take pro-active measures to plug the holes before they are used to breach your defences.
Protecting your information and information systems from the constantly changing threat landscape can be a daunting task. CyberRisk can assist by identifying, classifying and then assisting you to remedy any weaknesses in the most cost effective and efficient way.
CyberRisk Value
We can provide answers to the following questions:
- How many and what types of weaknesses do I have in my environment?
- Which weaknesses expose my organisation to the highest risk? What can I do to manage my risk?
Penetration Testing
Our penetration testing services mimic the tactics, techniques and procedures (TTPs) that real-world attackers use against systems like yours. CyberRisk can help you find your weaknesses before the bad guys do.
A penetration test mimics the actions of a focused attacker attempting to exploit weaknesses in the security of your systems using real-world TTPs. Our testing examines the in-scope IT systems for any security weakness that an attacker could use to compromise your environment and either steal your information or damage and destroy your IT systems. Depending on the services discovered, we approach potential vulnerabilities just as a real-world attacker would: by exploiting weaknesses in system code, the human element and misconfiguration of applications and operating systems, we attempt to gain an initial foothold in your environment, move laterally through your network harvesting credentials, and ultimately take control of it. All testing is performed within an agreed scope and rules of engagement. At the end of the engagement we provide a risk-assessed, prioritised list of the weaknesses we found and exploited, together with practicable and pragmatic recommendations for remediation.
Our professional and expert ethical hackers can perform:
- External or internal infrastructure penetration testing (end points, networks, servers, virtualisation technologies and cloud environments)
- Web and mobile application penetration testing
CyberRisk Value
We can provide answers to the following questions:
- How vulnerable is my organisation to a hacking attack?
- Does my security posture have any weaknesses?
- Are my systems secured from internal and external threat actors?
- Do any weaknesses or vulnerabilities exist in my environment, and if so, how can hackers exploit them and how far can they go?
Compromise Assessment and Threat Hunting
Attackers can remain resident inside a network for months, even years, before being detected. Do you suspect that your systems have been breached? Is there an attacker lurking in your environment? CyberRisk can examine your endpoints, servers and network traffic to determine whether you have been the target of an attack.
Using our knowledge, tools and threat intelligence sources we can examine your systems and look for traces of activity from both past and present threat actors. A compromise assessment is a proactive engagement to identify any past or present suspicious activity. Threat hunting is the process of proactively and systematically searching through computer systems and network events to detect and isolate threats that have evaded your detection systems. CyberRisk can assess your existing threat hunting capability or assist you to develop one.
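To make the hunting process described above concrete, here is an added example (written for this page; not CyberRisk's tooling) of one hypothesis-driven hunt that is routinely run over proxy or flow logs: an implant that checks in on a fixed timer produces connection intervals with far less variation than a human browsing, so the coefficient of variation of the gaps between connections separates the two. The records, host names, domains and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def build_sample_records():
    """Constructed proxy-log records (not real traffic): one beaconing host, one human."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    records = []

    def add_series(src, dst, gaps_seconds):
        t = t0
        records.append({"ts": t, "src": src, "dst": dst})
        for g in gaps_seconds:
            t += timedelta(seconds=g)
            records.append({"ts": t, "src": src, "dst": dst})

    # Implant-style check-in: ~60 s period with a second or two of jitter (21 connections).
    beacon_offsets = [0, 1, -1, 2, 0, -2, 1, 0, -1, 1, 0, 2, -1, 0, 1, -1, 0, 1, -2, 0]
    add_series("ws-042", "cdn-updates.example", [60 + o for o in beacon_offsets])
    # Human browsing: bursty, irregular gaps (13 connections).
    add_series("ws-017", "intranet.example", [5, 120, 3, 900, 40, 7, 2, 300, 60, 15, 1800, 4])
    # Too few connections to judge either way (4 connections).
    add_series("ws-042", "mail.example", [30, 45, 600])
    return records


def hunt_beacons(records, min_connections=10, max_jitter=0.15, allowlist=frozenset()):
    """Flag (source, destination) pairs whose inter-connection gaps are suspiciously regular.

    jitter = population stdev of the gaps / mean gap. A timer-driven beacon sits near 0;
    interactive use is typically well above 1. Pairs with fewer than `min_connections`
    are not scored, because a handful of gaps says nothing about periodicity.
    `allowlist` suppresses destinations already explained (patch servers, monitoring).
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["dst"] in allowlist:
            continue
        by_pair[(r["src"], r["dst"])].append(r["ts"])

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:          # duplicate timestamps only; nothing to measure
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "connections": len(stamps),
                             "period_s": round(avg, 1), "jitter": round(jitter, 3),
                             "first_seen": stamps[0], "last_seen": stamps[-1]})
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for f in hunt_beacons(build_sample_records()):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections, "
              f"period ~{f['period_s']}s, jitter {f['jitter']}")
```

On the constructed data only ws-042 talking to cdn-updates.example is flagged; the human session has the same order of magnitude of connections but its jitter is above 1. In a real hunt this is one lens among several: implants that add a large random sleep defeat a pure periodicity check, so pair it with destination rarity (a domain seen from only one host), consistent request sizes, and time-of-day analysis, and treat the allowlist as something to justify per entry rather than a place to hide noise.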
CyberRisk Value
We can provide answers to the following questions:
- Have my network and information systems been compromised? If so, how severe is the incident?
- How did the attackers gain entry and what did they do?
- How can I stop similar attacks in the future?
- How mature is my threat hunting capability?
- What can I do to improve the effectiveness of my threat hunting activities?