Security Portfolio and Baseline Security

Working within the commercial side of Cyber Security, we’re finding that those in the IT department are unfortunately being lumped with the job of security. Realistically, security should be a separate job, due to the time investment it takes on top of the “business as usual” jobs. However, public opinion is “if it has a plug attached to it, it’s part of IT’s role”. This distinction should be made clear to your clients, or you should be charging more, as you will need more employees to keep up with your clients’ demands; otherwise your Opex will increase and your profits will slim. If it’s not in their contract, then you shouldn’t be delivering it.

They should be doing everything they can to benchmark their IT security. If they were compromised, it would be their name in the papers, not yours.

With baseline security, A LOT are in the dark about what to do. Some don’t even see this as a problem yet. From our side we see it as a case of “when” you get hacked; it’s not going to be “if” you get hacked anymore. We suggest 4 pillars for security: Policies | Testing | Cleansing | Preventing

A good place to start is to find out their security matrix (i.e. what is the risk of a hack to their business, and what would the damages be?). From this you would move on to the next question: “What policies do they have in place for security, and are they the right policies?”. If they’re starting afresh, we’d suggest they hire one of our virtual CISOs/Security Managers to implement changes. For an SME with an average risk we would suggest annual pen tests of their infrastructure (depending on how often they change it), followed by quarterly scans. Now that the network has been tested to protect against external threats, it’d be useful to see if there is any dormant malware that is undetected. We’d suggest a Network Threat Assessment; this would monitor traffic and data on their network and would be manually combed through (you’d be surprised how many large enterprises we’ve found riddled with malware). The last process would include prevention, so the likes of social engineering/phishing and even teaching developers how to code securely. From a commercial side, this is the baseline we are told to “sell” and educate our clients about.

But hey if the work gets too much for you, you can always chuck a few leads my way/partner with us haha

/r/msp Thread