When smaller organisations don't know where to start with cybersecurity they generally have these options available from the market:
1. Get a pen test done and do technical fixes as recommended on critical issues. Surprise - it's probably patching and secure configuration aspects.
2. Do a desktop-based assessment performed to a selected standard and do critical fixes as recommended. Surprise - it's probably creating or updating some policies.
3. Technical training of their IT team so they have a clue. Surprise - it's probably funding self-study and certifications.
4. Security awareness training of their personnel so they know what modern scams and digitally enabled fraud look like. Surprise - it's probably non-engaging e-learning.
Unfortunately none of these immediately delivers a lasting step change in their cybersecurity risk posture or sets them on the path to continuous improvement. Here are a few paths forward that might not have come to mind:
If you are a small organisation with a decent attack surface to protect, look at procuring a capable attack surface management service that provides continuous discovery and vulnerability scanning of your brand's digital assets and alerts you to exposure outside of your risk tolerance. (These systems "feed themselves" and give you many of the benefits of an annual penetration test every day.)
Consider aligning your operations with "common sense" IT hygiene and security standards, starting with offline or immutable tested backups, keeping your operating systems and applications in support, and applying patches on a routine schedule. Have a look at the CCM Lite (https://cloudsecurityalliance.org/research/ccm-lite), which is mapped to many common security frameworks, has controls that any organisation can and should adopt, and comes with implementation guidance.
Look at whether a Managed Detection & Response service fits within your risk profile and budget envelope, so you have a chance to detect and eject attackers from your endpoints. Unlike your IT team, attackers don't keep business hours and don't have day jobs to do.
Look at what security features are available to you at low or no cost with a big risk-reduction benefit, and implement them in your systems. If you have Entra ID (who doesn't, due to M365?) you have the ability to implement phishing-resistant MFA, for example.
If you are operating in the nonprofit sector, not getting the love from the large cybersecurity consultancies, and just don't have the budget to attract IT talent, reach out for IT security coaching that will help you get on the path to continuous improvement.