The importance of pen testing as part of your ISO or Cyber Essentials journey
No one wants to fail their application for ISO 27001 accreditation, and for some the possibility is unthinkable, to the point where they are reluctant to kickstart the process.
It’s easy to be daunted by the potential hours and financial investment that any security certification journey will take to complete. But these stakes should not be a cause for a delay, only a good motivator for getting everything right first time.
Where pen tests and ISO accreditation meet
The emergence of hybrid working has increased the risk of cyber threats on businesses and their customers. This, met with increased scrutiny about how organisations manage personal data, has caused the number of people seeking out ISO 27001 certification to accelerate rapidly.
Having ISO 27001 certification demonstrates that you run an independently audited information security management system, but it can also double up as promotional material. Just as pen tests can give you a competitive advantage, ISO certification can sway the attention of companies seeking ISO-certified partners and software. This is particularly common with public contracts, where ISO 27001 certification is often a necessity.
ISO compliance demonstrates continual monitoring and awareness of security best practice. The standard does not name penetration testing as a requirement, but its Annex A controls on technical vulnerability management and security testing are hard to evidence without one, so a pen test is heavily implied.
Cyber Essentials is a related but lighter-weight scheme. It is aimed at organisations of every size and sector and covers a baseline of five technical controls, whereas ISO 27001 is a full management-system standard that tends to suit software, finance and other sectors where security risk is higher and customers expect a certified ISMS.
Cyber Essentials does not require a penetration test as such: the basic level is a self-assessment, and Cyber Essentials Plus adds a hands-on technical audit by an assessor that includes external vulnerability scanning and checks on sample devices. A pen test carried out beforehand surfaces the same classes of issue that audit will find, which is why it remains a critical step if you want to pass first time.
Part one: self assessment (Cyber Essentials only)
For Cyber Essentials, the self-assessment questionnaire determines how ready your company is for certification. It walks through the scheme's five technical controls (firewalls, secure configuration, user access control, malware protection and security update management), asks how they are applied across the devices and services in scope, and requires a senior sign-off that the answers are accurate.
Most importantly, you’ll be asked what steps you take to mitigate, eradicate or manage risks, and whether you have a programme in place to ensure your information security measures and processes are constantly monitored and improved.
We recommend completing a pen test before you even begin the initial self assessment. You can see where vulnerabilities lie and what loose ends need to be tied up, so you can minimise delays and maximise your chances of success out of the gate. To learn more, check out our thoughts on what pen tests are right for your business and how much they cost.
Part two: gathering evidence
Gathering evidence is the harder part, and is also the stage where most organisations throw in the towel. This part of the journey requires a huge chunk of people’s time, from the admin hours needed to assemble the documentation, to the investment needed to implement the software, hardware, and essential tests.
Here’s where we would suggest getting a second pen test. The first you completed before the self-assessment will highlight the areas that you need to address, and once you’ve taken action, the second pen test will provide some of the evidence that certification requires.
Our CREST-certified testers will retest for the vulnerabilities found the first time round and look for any new ones. Provided your organisation has acted on the recommendations in the initial report, it's highly likely you'll be provided with a Datavax cover letter confirming that the issues found were no longer exploitable at retest. That letter can be used as evidence to strengthen your application; note that it speaks to the scope and date of the test, not to a guarantee that the organisation cannot be breached.
Once all your evidence has been compiled, an auditor will review your documentation and assess the success of your information security management.
The benefits of perfecting your processes the first time round
The board of your company may have postponed the first step of your ISO or Cyber Essentials journey, but after a pen test you can set off with confidence and quickly make strides towards accreditation.
Make the security certification journey as painless as possible and improve your chances of a first-time pass with an independent pen test carried out by a CREST-certified tester. As we're independent, we won't try to sell you solutions after your test; we'll only provide a detailed report with recommendations that you can address internally or procure according to your own budget.
When your organisation comes to renew (Cyber Essentials certificates are valid for 12 months, while ISO 27001 runs on a three-year cycle with annual surveillance audits), we'll be ready to test your defences again. You'll be staying on top of the latest threats, and if any vulnerabilities have emerged since your last certificate was issued, we'll be able to find them so your accreditation remains uninterrupted.
To learn more about how Datavax can help you along the security certification journey, get in touch.
What pen tests are right for your business and how much will they cost?
When it comes to pen tests, there is a huge volume of choice out there. Whether it’s a web app or external, automated or manual, independent or non-independent, the scope can lead to great variations in cost.
Quality pen testers may push your budget a bit more, but this cost is to cover them meticulously looking through all the nooks and crannies of your IT infrastructure to determine what could be easily exploited.
Starting from around the £2000 mark, a pen test is a lot more affordable than most people think. Set that against UK GDPR's higher-tier penalty of up to £17.5m or 4% of global annual turnover, whichever is greater, for cutting corners on the security of personal data.
The price of getting it wrong
The right pen test could have saved UK-based Boomerang Video from a hefty £60K fine. The Information Commissioner's Office (ICO) issued the penalty in 2017 after an investigation found the firm had failed to carry out regular pen tests, which would have detected the website vulnerability the attacker used. The result? A cyberattack exposing over 26,000 users' payment card details.
British Airways took an even bigger hit in 2020. A 2018 data breach that exposed around 400,000 customers' personal and financial details went undetected for more than two months, with the airline only learning of it from a third party. The ICO found its security measures inadequate and issued a £20m fine, at the time the regulator's largest to date.
Companies of all sizes need to stay hot on their vulnerability assessments. Any internal system updates or introduction of new third parties requires ongoing testing. And if you’re expanding, every new employee represents an increased risk. You may have tested for one thing the first time around, but not considered novel threats or tactics as your business evolves.
Remote and hybrid working has brought in an extra challenge to businesses. Phishing attacks are on the rise, with many opportunistic cybercriminals taking advantage of the stress and disruption the pandemic brought to many digital workspaces. Most employees had an overnight change to working from home, forgoing basic cyber and phishing awareness.
So when considering which pen test to go for, consider: do you need every employee tested from top to bottom, or just new starters? If you’ve never carried out a phishing test for example, we’d recommend testing the entire employee cohort.
The advantages of getting it right
The pros of staying on top of your cyber hygiene are obvious. Taking the time and effort to protect all of the data moving around your business every day maintains your reputation as a trusted party, and saves you from coughing up an eye-watering sum if anything were to go wrong.
There’s a whole range of options out there, from cheaper AI-automated tests that don’t always give you full security coverage, to robust tests carried out by CREST-certified testers. Ultimately, getting a trusted company who understands all the nuances of different types of testing is essential.
Which type of test is right for you?
An external pen test tries to find flaws in your data security by trying to break in from the outside. By probing your perimeter defences, this type of test can identify flaws such as weak passwords, unpatched software and misconfigurations. By contrast, an internal pen test assumes some degree of network access, and simulates the actions a hacker or disgruntled employee might take from inside a network.
Often holding personal data like credit card or personal information, web and mobile applications are highly prized targets for cyberattacks. A web app pen test will look for weak points that could compromise your websites or web applications, including CRM, extranets or internal programs. Mobile app pen tests detect any susceptibilities that may have been left within the application, such as default credentials or encryption keys.
An automated test, sometimes referred to as a vulnerability scan, can never be as thorough as a manual test. A scanner matches known signatures and misconfigurations; it cannot find business-logic flaws, authorisation bypasses or weaknesses that only become exploitable when several low-severity findings are chained together, and its output needs a human to weed out false positives. Risks of any size should be scrutinised, and that takes a tester.
That's why we've chosen a tester-led approach we describe as red teaming: powerful automated tools gather the groundwork, but a senior tester and ethical hacking team then work manually to simulate a real-world attacker. (Strictly, a red team engagement is a broader objective-based exercise against an organisation's detection and response; what we mean here is manual, adversary-minded penetration testing.)
It’s possible to get your pen tests through a cybersecurity company that will provide solutions to fill the gaps in your security infrastructure and potentially training for your employees. However, many companies prefer to choose an independent pen tester to review their security, much like you would choose for an MOT or NCT to take place independently from those who make a living fixing the problems they uncover.
A bespoke pen test, led by a senior CREST-certified tester
Starting at €1999 (£1750), we offer a bespoke service based on individual client needs, considering risks you may have already spotted yourselves.
There’s value in consultancy, that’s why we offer a hands-on approach from initial scoping, through to the delivery of a detailed and comprehensive report. You can go away, absorb it, and share what you need with your technical team before coming back to us for any clarification. We work on a traffic light system, highlighting critical items, while also including points of advice and best practice.
Our close-knit team enjoy being hands-on with every client, ensuring exceptional customer service at every point in the process.
The Chief Operating Officer of one of our clients had this to say, “As a digital health company data security is paramount for our business, therefore it was important to choose the right company for our penetration testing requirements. Datavax provided an excellent service from beginning to end, responding promptly to any queries and providing thorough testing, reporting and technical follow up.”
If you’re ready to make your business digitally secure, get in touch.
The risk of doing business: is your legal or accountancy firm putting your data at risk?
Lawyers and accountants depend on a bond of trust with their clients. So you would imagine that protecting their clients’ sensitive personal information would be a priority, yet many firms are relying on cybersecurity measures that are untested – and often incomplete.
At the moment, most firms are presenting an easy target for hackers. And with serious breaches becoming the norm, the promise of confidentiality is becoming impossible for many to uphold, along with the dependability that these trusted professions are meant to provide.
These sectors seem reluctant to respond to the threat, however. So it could be up to you – their clients – to change their outlook.
Why are law firms targeted?
The legal sector has vulnerabilities – they’re embedded throughout its everyday operations. From bank transfers and automated identity checks, to emails carrying your personal information, law firms routinely handle sensitive data, making them an attractive target to cyberattackers.
In August 2020, for instance, the UK criminal law firm Tuckers Solicitors fell victim to a ransomware attack. The firm holds court bundles containing private personal data such as medical files, witness statements and the names and addresses of witnesses and victims relating to crimes of all severities. The attackers demanded a ransom and then published files containing that sensitive information on the dark web.
A common tactic that law firms often fall victim to is Friday afternoon fraud, which contributes to an eye-watering 75% of all cybercrimes in this sector. This type of fraud is in the name – Friday afternoon is the traditional time-period for completion of property conveyancing transactions. It’s also a time when many in the profession are winding down for the weekend.
Hackers use this window to break into a firm's defences, which are often outdated and untested, then imitate an employee, contacting clients from what appears to be the employee's real company email with "updated" bank details, so the completion-day funds are wired to the attacker instead. It's the kind of fraud that could be drastically reduced with a robust cybersecurity strategy: mail authentication (SPF, DKIM and DMARC), multi-factor authentication on mailboxes, and a policy of confirming payment details by phone on a known number.
Due to the substantial amount of money passing between law firms and their clients, these kinds of scams are widespread. Large amounts of sensitive data held by lenders, estate agents and mortgage brokers is at risk. Despite all of this, the sector doesn’t seem to be in a hurry to act.
What about accountants?
Accounting firms play a pivotal role in our economy, handling financial data of businesses big and small. They also deal with high-value commercial data and sensitive financial information on a daily basis, making them another prime target for cyberattacks.
At the beginning of 2022, Chester-based umbrella payroll firm Parasol was hit by an attack that forced it to shut down its external and back-office systems. This in turn left thousands of contractors unpaid or paid less than expected. Brookson Group suffered a similar attack at the same time, and both followed a high-profile ransomware attack on GiantPay. The UK's contractor payroll and accounting providers are certainly in the firing line.
What’s stopping these industries from stepping up their cybersecurity game to protect your data?
It’s an understatement to say that online working has accelerated over the last few years, but many in the legal and accountancy sectors are still slamming the brakes on digital adoption. Some are beginning to use digital documents, but many are still working with systems that existed before ‘internet’ was a word.
There is still some fear of technology from specialists in these professions, even at a basic level. Let alone before you introduce cloud computing and e-signing of critical documents.
The pandemic has only made this worse. Overnight home working added a whole new level of cyber challenges, including a deluge of covid-related scams.
The rapid change in digitalisation from forced remote working may have been too prompt for firms to properly consider data security. SME sized firms tend not to have IT teams, or any in-house understanding. They’ll also probably outsource their compliance, without understanding the implications of their own internal processes.
The only general legal requirement is to comply with GDPR, even though these firms handle information more sensitive than that held by many organisations that are contractually required to have a pen test. GDPR does not prescribe a specific set of cybersecurity measures; it expects businesses to take 'appropriate' technical and organisational measures, which leaves law and accountancy firms without IT expertise guessing at what appropriate means.
For some of the most traditional law firms, it may be up to clients like you to nudge them forward. If organisations begin to demand pen tests and other security measures before they will agree to work with a firm, it might tip the balance. This is already common practice in some industries, and it’s essential to ensure a secure supply chain, so it might not be long before organisations and clients demand the same security measures from their lawyers.
What is the solution?
We’re not trying to scare you into never using legal or accountancy help. There is a simple solution to ensuring your data is safe.
There is one thing law and accountancy firms must ensure: that a robust cybersecurity strategy is in place. This can inform employees on the rules for encrypting email attachments, steps for accessing work applications remotely, guidelines for creating and safeguarding passwords, and rules for best use of social media.
Getting cybersecurity training up to standard is also critical, particularly in a hybrid working environment. Training ensures promotion of cybersecurity awareness and best practices among employees, so that they can act in your best interest.
As a client, you can request information on your chosen firm's cybersecurity policy, considering they have an obligation to protect your data. Have they put in a robust strategy, especially since the start of the pandemic, to preserve your information? Are they encrypting their emails that contain your sensitive data? And are they conducting third party due diligence? Next time you’re speaking with a potential legal or accountancy partner, it makes perfect sense to bring cybersecurity into the conversation.
At Datavax, we are cybersecurity experts. To learn more about what we do, check out our guide to independent penetration testing: what we do and why.
Supplier due diligence: how to stop hackers slipping through the back door
A business of any size needs to get its due diligence process set up from the get-go. And once it's in place, it also needs to be continually monitored and reviewed.
Due diligence can simply describe the reasonable steps taken by a person to avoid harm. In this case though, we’re going to specifically talk about the risk of a cybersecurity breach via a third party supplier.
It’s not just about compliance and protection. Keeping on top of your supplier due diligence can enable your company to attract both customers and investors. It also gives you peace of mind, so you can focus on building and scaling upwards, knowing your foundations won’t let you down.
Big name data breaches
Ticketmaster and Volkswagen are just two examples of big-name brands that have fallen victim to a third party's vulnerability.
In both cases millions of customers' personal details, such as full names, email addresses and phone numbers, were exposed through a supplier: a third-party chat script on Ticketmaster's payment pages in 2018, and a vendor's exposed data store in Volkswagen's case in 2021. Ticketmaster was fined £1.25m by the ICO, and both companies took a serious hit to their public reputation.
Had they done their due diligence before agreeing to work with these third party suppliers, these massive blunders could have been avoided. Though it’s not as simple as it sounds.
Large companies like Ticketmaster and VW have huge numbers of suppliers, all with their own subcontractors, which makes them hard to keep track of. And once an attacker has a foothold in one supplier, the trust and connectivity between that supplier and its partners can be used to pivot into other organisations' data, often without being flagged.
But these kinds of data breaches aren’t just limited to household names. Smaller businesses and entrepreneurs are also at risk of being targeted.
What businesses big and small should consider
Some organisations will barely mention their cybersecurity policy when joining a partnership, but others are more switched on.
Has a supplier completed a pen test recently? Was it completed by a tester who is CREST-certified? Some organisations will consider everything about their suppliers and partners, even down to the routers businesses are using for their WiFi.
While you’ll want some differentiation depending on the type of supplier, you’ll want a due diligence policy you can roll out to every single one. This will keep your business, your employees and your customers digitally secure – and enable you to pass the checks of those performing due diligence on your own organisation.
Four best practices for supplier due diligence
1. Security questionnaires for suppliers
First, it’s crucial to understand the ways cybersecurity is implemented into a supplier’s own best practices.
A supplier due diligence questionnaire examines risk by asking questions on data security, human resource policies, financials, and references. You can then use a supplier’s answers to set requirements the third-party supplier must uphold to meet the standards of the business relationship. If anything goes wrong, you can refer back to their answers and hold them accountable.
2. Tiering suppliers by criticality
Save time during supplier onboarding due diligence by tiering your suppliers based on the relationship they will have with your business.
For instance, you’ll want to prioritise security of an organisation that will need access to your sensitive data (e.g. a SaaS product provider) more than a business that does not have immediate access to critical information (e.g. a graphic design agency).
Instead of trying a one-size-fits-all approach to evaluating criticality, tiering helps you work out whether you need to review evidence of a clean independent pen test, or whether it's enough for a supplier to abide by GDPR.
3. Monitor your suppliers regularly
Cybersecurity due diligence needs to be kept up throughout your vendor partnerships, and isn’t something you can just forget about once the contract is signed.
Depending on your resources, you can use an automated continuous monitoring solution to keep your finger on the pulse about the varying risk profiles of your suppliers. Or you could simply require suppliers to update you on any changes in their systems or processes that have the potential to impact security.
4. Evaluate third-party cyber security risk using a pen test
If a third party is dealing with your customers’ data, they will need to present a recent penetration test report, showing either a clean result, or detailing the actions taken to rectify any vulnerabilities found, plus the related retest to ensure the remedial work has been effective.
Penetration testing (often referred to as pen testing) is a security exercise that attempts to find and exploit vulnerabilities in a computer system, network or web application, to identify any weak spots that could be taken advantage of by a hacker.
A successful test can often reassure customers. Even if they have to address gaps in their security, businesses can wear their due diligence as a badge of honour.
By following these best practices, you can lower the risk of partnering with third parties and relieve the burden on employees. Your security, legal and compliance teams will thank you.
Datavax is a trusted, neutral cybersecurity partner with expert CREST-certified pen testers. See how you could benefit by booking a free 30-minute consultation with one of our senior testers and project managers today.
Beyond compliance: The business benefits of penetration testing
It goes without saying that the biggest benefit of carrying out regular penetration tests is protecting your business and customers from an attack and data breach. However, there are also a number of other benefits businesses can leverage.
Compliance is also crucial to avoid fines: GDPR expects 'appropriate' security, PCI DSS explicitly requires penetration testing at least annually and after significant changes, and SWIFT CSP sets its own security controls. But compliance and protection from an attack are far from the only factors to consider here. If you're looking for funding, looking to be acquired, or simply looking to land more deals, it might be time to consider the business benefits of penetration testing.
Peace of mind
Pen-testing can highlight where your team needs training, where your software needs updating and where your system needs restructuring. Crucially, independent pen testers can make these recommendations without trying to sell you a solution.
Ultimately this gives you peace of mind. Once your team’s cybersecurity strategy has been thoroughly tested with both manual pen tests and automated tools, you’ll know what you’re working with. You can see what’s not working, improve your protocols and setup, and ensure a continuity of security throughout your organisation. Then you can keep building your company without worrying about cracks in the foundation.
Attracting and keeping customers
It’s not only your organisation that will appreciate a pen tested infrastructure. You’re also able to pass on that peace of mind to your clients – reassuring them that their data is safe with you.
Large organisations are aware of the risks involved in trusting other companies with their data. Some of our own clients require cover letters for the companies they work with, and they won’t link their data to your organisation unless they can see you’ve either had a clean pen test or you’re addressing any issues that were found.
So if you can promote the fact that you’ve had pen testing done to prospective clients, you’ll be more likely to get through their quality assurance gate. And once you’re through it, you’ll be able to appeal to other key stakeholders too, particularly strategic and financial partners, who need to feel at ease before they give the go ahead.
Attracting investors
Speaking of financial partners, it’s here that the rubber can really hit the road. Companies looking to merge with or buy other businesses often won't even consider acquisitions that they can't qualify as being data-secure.
Shareholders can be equally discerning. If Series A or Series B funding is in your long-term plans, you need to act like a billion-dollar company before you're treated like one. That means having a robust information security strategy and being able to show independent evidence that it holds up.
Protecting your brand
The pandemic has made it clear that businesses need to look beyond present efficiency to create systems that are robust for the future. So while your brand may be untarnished to date, you can't afford to roll the dice on your reputation tomorrow.
Thorough penetration testing can ensure you avoid more than GDPR fines. It can ensure you steer clear of irreparable damage to your brand. If vulnerabilities are uncovered in testing, especially if they come up more than once, you’ll know how you need to act to mitigate risk. You’ll be able to address the issues, create a long term continuity plan, and keep growing long into the future.
A blueprint for data security success
So whether your destination is acquisition, funding or converting more leads, a bias-free audit can set your company in the right direction. Your IT teams might have carried you this far. But scanning for blind spots will do them a favour in the long run – and inspire trust in all onlookers, too.
Datavax is a trusted, neutral, and CREST-certified cybersecurity partner. To learn more, don’t hesitate to get in touch.
Independent penetration testing: what we do and why
If you’re looking for penetration testing for your organisation, you’re unlikely to want to compromise. You’re dealing with highly sensitive data - medical, financial or personal - and the risk of disclosure doesn’t bear thinking about.
Except, of course, you have thought about it. You’ve built a highly secure system to protect against malware and supply chain attacks. You just need an authority to examine whether your infrastructure is watertight.
At Datavax we leverage established practices, certified testers and the latest security tools to uphold the highest standards of testing.
We’re independent, and that’s unusual
A lot of companies that provide penetration testing are also trying to sell you something.
Like a mechanic at a garage, they’ll check over your car, see what’s amiss and then offer to fix everything. Now a very trustworthy mechanic might give you a very honest quote. But in general, there’s a reason that MOTs and NCTs take place independently from those who make a living fixing the problems they find.
It’s the same with penetration testing. If a tester’s priorities are split between finding issues and fixing them, their assessments may not be entirely without bias. At Datavax, we’ve chosen to offer testing alone so that you can have full confidence in our findings.
Our Red Team approach simulates a real cyber threat
When it comes to what we can find, we believe we have the edge.
Ultimately, when you're trying to protect against hackers who may be highly proficient, you want testers who are highly proficient too: testers capable of finding as many security weaknesses as possible, ethically, before they're discovered illegally.
Hackers are humans, capable of using human creativity to exploit exposed vulnerabilities. So our testers, likewise, don’t rely solely on automatic tools for our tests.
Now, we do make use of some of the strongest tools available, including Burp Suite Spider, Nikto and Dirbuster. But for our web application testing, automation only accounts for 25% of our Red Team penetration method. Our CREST-certified testers (the Red Team), expend most of their efforts creatively using this auto-gathered information to see if they can get past the security of your organisation (the Blue Team), simulating a real-world threat.
We uncover security gaps that other teams might not find
Our ethical hackers are, if we may say so, some of the best in the field. Our team has a mixture of certifications including CREST and have extensive experience in testing methodologies. We also put a senior penetration tester on every project to ensure we don't miss even the most complex or hard-to-find vulnerabilities.
And we do find them. We've found cookies that would have allowed a hacker to create a new Administrator-level account and wreak havoc. We've identified a cached post-authentication client session that would allow PII to leak. We've even discovered an SQL injection that enabled us to download a database table full of unencrypted credit card information for hundreds of customers.
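To make the SQL injection finding above concrete, here is an added example (not Datavax's code, and not taken from any client engagement) that reproduces the pattern on a constructed in-memory SQLite table: a lookup that concatenates user input into the query, the payload that turns it into a full table dump, and the parameterised version that the retest would expect to see. Table name, rows and card numbers are made up for the demonstration.

```python
"""
Added example: vulnerable vs parameterised SQL lookup.

Not code from the original page or from Datavax. The `customers` table,
its rows and the card numbers are constructed for illustration only.
"""
import sqlite3

# Constructed sample data. Storing card numbers in the clear is the second
# problem in the finding (storage); the injection is what exposes them.
SAMPLE_ROWS = [
    (1, "alice@example.com", "4111111111111111"),
    (2, "bob@example.com", "5500000000000004"),
    (3, "carol@example.com", "340000000000009"),
]

# The payload an attacker submits in the email field. The leading quote
# closes the intended string literal, OR '1'='1' makes the WHERE clause
# true for every row, and the trailing -- comments out the query's own
# closing quote so the statement still parses.
PAYLOAD = "' OR '1'='1' -- "


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_number TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The 'before' pattern: user input is spliced into the SQL text, so a
    quote in `email` ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT id, email, card_number FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """The fix: a bound parameter. The value travels to the engine separately
    from the statement text, so it is only ever compared, never parsed."""
    sql = "SELECT id, email, card_number FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    """Run both lookups with an honest email and with the payload and return
    the row counts, so the difference can be checked rather than eyeballed."""
    conn = make_db()
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, "bob@example.com")),  # 1
        "vulnerable_payload": len(lookup_vulnerable(conn, PAYLOAD)),           # 3: whole table
        "safe_honest": len(lookup_safe(conn, "bob@example.com")),              # 1
        "safe_payload": len(lookup_safe(conn, PAYLOAD)),                       # 0: no such email
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

Run it as a script and the vulnerable lookup returns all three rows for the payload while the parameterised one returns none. The same payload shape works against most SQL engines; what differs is only the comment syntax and the table being targeted, which a tester would enumerate next (for example with a UNION against the schema tables).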
Because the companies in question hired us, the gaps in security were discovered by ethical hackers, and not the other kind. They didn’t have to pay out fines, deal with reputation damage, or face a single hiccup in their operations. They could simply address the issue and continue to serve their customers with peace of mind.
We’re personally on hand from start to finish
Even when you know that the test is necessary, that the threat is a simulated one, and that you’re hiring a CREST-certified team, it’s still a little unnerving to let anyone hack your organisation.
That’s why we ensure you have a dedicated contact from the early scoping stages right through to the end of the project. Your project manager will help demystify the process, be on hand to answer any questions, notify you if any critical issues are found, and ensure the entire project is efficient.
Your dedicated project manager will never close a project until you are happy and your team understands both our reporting and the actions they need to take. We want to offer support for as long as we can be useful and make the experience as positive as possible.
Some penetration testing companies might choose to be faceless but from our perspective our people are an important part of the package. While the human side of what we do might not seem as important as our technical rigour, the companies we work with come to highly value it:
“Working with the team at Datavax was a joy. From the outset they were warm, friendly and professional, and provided clear feedback and advice.” - Chief Technology Officer
“Datavax were very easy to deal with. All queries and requests were responded to promptly and in a pleasant and helpful manner.” - Credit Union Manager
“Datavax provided an excellent service from beginning to end.” - Chief Operating Officer
We provide a senior tester every step of the way
You won’t only get a project manager from the get go, you’ll also get a senior tester.
Your IT team, CTO, COO or consultant will be able to ask our senior tester highly technical questions. In return, they’ll be able to ask your team questions that a less experienced tester wouldn’t know or be confident enough to ask. This senior input enables us to scope out your infrastructure in a more defined way. As a result, you get a more accurate quote and our team will be able to put their efforts where it counts.
When you need to bundle several tests together (web, app and social engineering, for instance), a senior tester will have the experience needed to schedule these according to your priorities. If a less experienced tester was left to do this, it would be much more of a guessing game. But our team setup enables you to get better value in a clearer timeframe.
Finally, our experience and responsiveness ensure no time is wasted. During the scoping stages, a senior tester might highlight an issue that you can sort straight away, even before we begin testing. Also, once testing begins, if critical gaps are discovered in your security, our team will feed this back to you in real time so you can resolve the issue fast.
To learn more about what we do and how we do it, don’t hesitate to get in touch.
CREST certification - don't accept anything less
In theory, penetration testing can be done by anyone from any location. If they have the set-up of an ethical hacker – a laptop, an internet connection and the relevant software – they’re ready to go. The only issue is, can you have confidence in their services?
When it comes to hiring pen testers, you’re naturally looking for those you can trust with your data, security and reputation. That means choosing testers accredited for high technical ability and watertight codes of conduct. And for many organisations, that means CREST.
CREST-certified testers are rigorously and independently assessed
It’s often more expensive to use a CREST-certified tester since they’ve acquired a vast amount of experience and a high level of technical expertise. The journey to CREST certification is long and hard, but the lessons a tester learns on that road are worth their weight in gold.
The accreditation is not permanent. All CREST-qualified professionals are required to re-sit examinations every three years. This ensures you never hire an ethical hacker who is anything less than a leader in their field.
CREST-certified professionals typically have at least 10,000 hours of experience, and they are capable of managing ethical hacking teams that can dive deeply and creatively into an organisation’s infrastructure. To learn more about this process – known as a Red Team approach – see our article on what makes our independent penetration testing different.
CREST-certified testers sign up to enforceable Codes of Conduct
All pen testers holding a CREST qualification sign a personal code of conduct, which ensures they follow ethical practices and vetted processes.
You don’t have to take a CREST member’s word for it, either. As a governing body, CREST can and will carry out onsite audits of their members. They also extend their rigorous expectations beyond the walls of the company to any contractors working for or assisting the organisation they vet.
What are the other options besides CREST?
While there are plenty of pen testing qualifications from GIAC to CRTOP and CEPT, only a few certifications serve as an effective barometer of how trustworthy a tester is.
CHECK is a popular accreditation in this regard since it’s a government scheme conducted by the UK National Cyber Security Centre. Tigerscheme, set up and administered by the University of South Wales, is also well recognised.
But sooner or later, if you spend any time in cybersecurity circles, you’re going to hear someone say that CREST certification is the gold standard – and few would debate the point.
The Council of Registered Ethical Security Testers is the seal of approval that many public sector contracts and major private companies look for – and sometimes require. Just as no one ever got fired for buying IBM, no CTO or CIO ever took heat for doing business with CREST-certified testers.
So is CREST worth the cost?
CREST’s high standards mean that when you hire a certified tester, you’re prioritising the security of your organisation. While this has obvious preventative benefits, it also has significant business benefits.
We’ve seen several cover letters which include the sentence, “We’ve had penetration testing by a CREST-certified tester”. 2022 cybersecurity trends suggest this practice will only increase as organisations become more and more discerning about those they do business with.
Datavax is a trusted, neutral cybersecurity partner with CREST-certified testers. If you’re still sitting on the fence about pen testing, you can book a free, no strings attached, 30-minute consultation with one of our senior testers and project managers.
A quick guide to planning your 2022 cybersecurity strategy
If you’re anything like us, you’re probably reflecting on your 2021 IT infrastructure and wondering, ‘how can we iterate on this and make it even stronger?’
Inevitably, cybersecurity will be front of mind whether you’re a CTO, COO or a founder. This will be especially true if you’re in a growing organisation with a swelling data footprint, or if you’re diversifying into new sectors, or releasing products that make use of sensitive financial or health data.
Looking at the aftermath of events in 2021 such as the HSE phishing crisis and the supply chain attack on Kaseya, it’s safe to say the benefits of testing your security go far beyond prevention and compliance.
PwC’s Independent Post Incident Review of HSE shows their infrastructure was insecure because they lacked investment to maintain it. There’s no doubt that getting the budget you need to create a robust infrastructure is non-negotiable, so here’s our quick guide to evaluating and iterating on your cybersecurity this coming year.
2022 and beyond
What we do now needs to be informed by what’s ahead. By 2025, Gartner predicts that 60% of organisations will prioritise cybersecurity when deciding on transactions and business engagements. This is hardly a far-flung prediction, either. We’ve already seen companies rule out organisations for acquisitions or mergers based upon their security infrastructure.
Bloomberg report that according to the US Treasury, the average ransomware transaction was $102.3m per month in 2021. And while cyber insurance might mitigate the damage, it won’t cover GDPR fines or protect against disruption as ransomware attacks become more frequent. Market analyst Jeffrey Williams told the Insurance Times that ransomware attacks now occur every 11 seconds, which is in line with pre-2021 predictions.
With this in mind, it’s no surprise that the Digital Europe Programme is assigning €269m of its funding to advance cybersecurity equipment, tools and data infrastructures. Similarly, the UK government is investing £700m in cybersecurity training and business support.
Whether you take advantage of this funding or not, it’s essential to evaluate your security strategy, policies and technology. You may realise you should be enforcing a zero trust policy, role based access, stricter VPN policies – or you might need to ensure your remote employees have the home infrastructure they need. For many companies, it will also be crucial to reassess their hybrid working cybersecurity strategy and monitoring tools.
Getting the buy-in and budget you need
As with many organisations, you will eventually come up against the issues of internal buy-in and budget. And this is where you’ll likely want to consider a pen test.
Pen testers can discover where exactly the vulnerabilities are in your organisation – whether it’s your cookies, authentication or employee behaviour. Once you know what your weaknesses are, you can present the risks to stakeholders and use your budget to strengthen them in the optimal way.
To understand what kind of test is right for you, you should know that automated tools alone will not be sufficient. Hackers don’t solely rely on automated tools, so you shouldn’t rely on defences tested by automated tools either. Of course, the strongest tools can speed up the process, but if you’re going to simulate a real cyber threat, you’ll need a seasoned ethical hacking team – known as a Red Team – testing your infrastructure.
You should also strongly consider hiring pen testers who are CREST-certified or similarly qualified and vetted. The process, training and experience they undertake to get that certification makes them an invaluable asset to have on your side.
Finally, it’s worth understanding the benefits of independent pen testing. The more impartial your testers’ security recommendations, the easier you’ll find it to persuade stakeholders that those suggested measures are necessary.
Book a free consultation
To kick off the new year, we’re going to be offering organisations a free 30-minute consultation to discuss their infrastructure and cybersecurity strategy.
You’ll have the opportunity to speak with a senior tester and a project manager, and ask any questions – technical or otherwise. There’s no obligation to commit to any form of pen testing with us afterwards, but we’ll be able to explain anything in case you need to make a business case to other decision makers in your organisation.
Datavax is a trusted, neutral and CREST-certified cybersecurity partner. To book a consultation with us, don’t hesitate to get in touch.
Cybersecurity for hybrid working: A senior leader’s guide
Every company is already a couple of chapters into their own work from home story, and for many the plot has taken a turn toward hybrid. But no matter how flexible the arrangement, if your organisation gives employees the option to work from home, you need to ensure your company is not taking a flexible approach to cybersecurity too.
It’s not only an issue for IT teams, but for anyone in leadership. After all, the most secure organisations have done more than purchase the right security software. They have also addressed gaps in employee awareness, set comprehensive policies in place, and have found ways to reinforce best practice company-wide.
Employee awareness
Let’s be clear about this: If your staff don’t understand the risks, all your cybersecurity processes are redundant.
It’s tough to get everyone on the same page. As an HP Wolf Security report has it, over 50% of employees are more worried about deadlines than a data breach. Because of these mismatched priorities, employees can perceive restrictions to be unnecessary obstacles to their own workflows, particularly when other aspects of hybrid working are often orientated around their preferences.
It’s no surprise, perhaps, that 83% of IT teams believe home working to be a “ticking time bomb” for a network breach. And despite their best efforts, 69% of IT teams said they’re made to feel like the bad guys for imposing security restrictions.
What are your employees’ general at-home technology habits like? Do they know about phishing, or other major cybersecurity concepts? Have you ever tried testing them?
If you’re uncertain how to motivate your employees to follow best practice, the threat of ransomware might tip them over the edge. As we saw in the HSE phishing crisis, employees need to operate by a zero trust principle. They need to assume they will be targeted by hackers, and unless employees exercise caution, they could bring their entire organisation to a standstill.
"The most important factor when it comes to cyber security across a hybrid working model is communication and a strong culture of security awareness. You can have the best policies in the world, but if those aren't known and understood by every member of your workforce then they may as well not exist.
The most successful organisations are those in which every team member has a respect for cyber and information security, and understands where to go for help and how to report concerns. Whether those things are written into policies is almost irrelevant."
CTO - i3PT
Policy and procedure
Awareness alone won’t protect against every hybrid working security risk. You’ll also want to consider what policies you can put in place to set the standard, promote best practice and mitigate the damage should the worst happen.
Too many organisations rush into buying cybersecurity software, without really knowing what their vulnerabilities are. But simply getting comprehensive policies down on paper – from IT security to remote access and encryption – can help your organisation to assess where you are not yet compliant and where you need to take further steps.
Role based access
One of the first security principles you should be aware of, and set processes in place for, is the principle of least privilege. Each employee in your organisation – and beyond, in the supply chain – should only have access to the data they need to do their role. The usual way to implement this is RBAC, Role Based Access Control: permissions are granted to roles, and people are assigned roles, so anyone without a role that grants a permission is denied it by default.
In a small organisation, you can afford to give each employee tailored permissions, while in a larger organisation you may organise it by management level and by department – giving finance access to one set of data, the engineering department another.
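To make the department-and-management-level arrangement above concrete, here is an added example (not Datavax’s code) of a deny-by-default RBAC check in Python. The roles, data sets and user names are invented for illustration; an access-review helper is included because least privilege only holds if someone periodically checks what each role actually grants.

```python
"""Deny-by-default role-based access control (RBAC) check.

Constructed example: the roles, data sets and users below are hypothetical
and exist only to illustrate least privilege; they are not from any product.
"""
from dataclasses import dataclass
from enum import Enum


class Action(str, Enum):
    READ = "read"
    WRITE = "write"


@dataclass(frozen=True)
class Role:
    name: str
    # Permissions are (dataset, action) pairs; anything not listed is denied.
    permissions: frozenset
    # A management-level role may inherit a department role's permissions.
    inherits: tuple = ()


# Department roles: finance sees one set of data, engineering another.
FINANCE = Role("finance", frozenset({("ledger", Action.READ), ("ledger", Action.WRITE)}))
ENGINEERING = Role("engineering", frozenset({("source", Action.READ), ("source", Action.WRITE)}))
# Management level: the finance manager additionally reads payroll summaries.
FINANCE_MANAGER = Role("finance_manager", frozenset({("payroll", Action.READ)}), inherits=(FINANCE,))
# A supply-chain partner gets only what its contract needs.
SUPPLIER = Role("supplier", frozenset({("invoices", Action.READ)}))


def effective_permissions(role: Role, seen=None) -> frozenset:
    """Flatten a role and everything it inherits; inheritance cycles are tolerated."""
    seen = set() if seen is None else seen
    if role.name in seen:
        return frozenset()
    seen.add(role.name)
    perms = set(role.permissions)
    for parent in role.inherits:
        perms |= effective_permissions(parent, seen)
    return frozenset(perms)


def is_allowed(roles, dataset: str, action: Action) -> bool:
    """Deny by default: allowed only if some assigned role grants the exact pair."""
    return any((dataset, action) in effective_permissions(r) for r in roles)


# Users are assigned roles, never raw permissions, so an access review is
# a matter of checking role membership rather than per-person grants.
USERS = {
    "alice": (FINANCE_MANAGER,),
    "bob": (ENGINEERING,),
    "acme_ltd": (SUPPLIER,),
    "intern": (),  # no role assigned: no access at all
}


def check(user: str, dataset: str, action: Action) -> bool:
    """Unknown users have no roles and therefore no access."""
    return is_allowed(USERS.get(user, ()), dataset, action)


def audit(user: str) -> set:
    """Every (dataset, action) a user can exercise, for periodic access reviews."""
    out = set()
    for role in USERS.get(user, ()):
        out |= effective_permissions(role)
    return out
```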
VPNs
You also need specific protocols around hybrid working. Employees should be connected to the company VPN (Virtual Private Network) at all times. This creates an encrypted tunnel between their workstation and your workplace network, and it shouldn’t be turned off for a second.
On the other hand, free VPNs are an absolute no-go, and this needs to be enshrined in your policy. These VPNs, often used to access international streaming services or other blocked content, are full of holes. Your employees might see it as a helpful hack to watch US Netflix, but for their ingenuity they might be hacked in return.
Hardware and software
But even a company VPN is little help as protection if your employees are accessing that VPN from a device full of malware. If an employee’s children are using the same laptop or phone to download from untrustworthy sources at weekends, there’s no telling what’s on it. While Apple’s App Store is relatively regulated, the Google Play Store is a wild west.
In a hybrid world, the boundaries are blurring between employees' personal and work lives, and it can be hard to know where they draw the line.
Without the right support, too, digital poverty may force remote employees to go occasionally to public places to fulfil their job requirements, connecting to unknown routers or other insecure hardware.
A way to mitigate this is to put policies in place to ensure all your employees have the home infrastructure they need, including updated IoT-enabled devices, like printers, webcams, and routers. This isn’t one to overlook, particularly if you’re looking to get cybersecurity certification. Cyber Essentials, for instance, requires employees’ routers to be relatively new, otherwise your company will be deemed too vulnerable for their standards.
How to reinforce best practice
Communicating the gravity of your policies to a remote team isn’t always simple. It requires more than a company-wide email or a team message – which employees can all too easily ignore. So how can you convince them to take it seriously?
One avenue is training. You could consider putting your company through Cyber Essentials, or ensuring your development teams are aware of OWASP. At a bare minimum, training should get many of your employees using two-factor authentication and updating their software regularly. But there will almost always be employees who don’t show, don’t listen or don’t implement what they’ve been taught.
Here penetration testing can be of great help, enabling you to:
- Discover which employees are most at risk so that you can intervene.
- Assess the unique vulnerabilities of your organisation, which will inform your policies and the actions you need to take as a company.
- Reinforce best practice by setting up monitoring to automatically notify employees when they act outside of company policy.
We’ve been trusted, neutral, and CREST-certified cybersecurity partners to a variety of companies over the years, and we can help your organisation too. To learn more, don’t hesitate to get in touch.
5 lessons Medtech companies can learn from the HSE phishing crisis
In May, Ireland’s public health service, the HSE, was plunged into disarray. Servers were shut down, referrals ground to a halt, and an entire maternity hospital was put out of operation. Even now, patients are unable to find out whether their own personal data was compromised.
All of this happened because one member of staff clicked on a phishing email. Except, of course, they’re hardly to blame. The HSE crisis was the result of a number of connecting issues - issues which may affect all medtech companies to one degree or another.
Now the HSE is, of course, a huge public body that’s notoriously underfunded. So the implications for private medtech startups won’t exactly run in parallel. Nevertheless, all medtech companies are handling similarly sensitive information, and the consequences of a cyber attack could be equally severe.
1) It’s a question of when, not if
With the HSE crisis, the situation was made worse by slow response times. After the confusion, the various public bodies soon found they had no way of closing down or limiting the information the hackers had accessed.
In some ways, response protocols should be bread and butter security, even though they aren’t required under GDPR. If your Standard Operating Procedures aren’t already in place, we strongly recommend nailing them down, including your disaster recovery plans.
With the right failsafes around hosting, too, you can ensure your systems are not shut down completely in the event of an attack.
2) The latest patches are needed but there may still be gaps
Much of the criticism thrown at the HSE surrounded their use of Windows 7. It was running on many of their workstations, largely because a number of applications were dependent on that operating system.
Legacy systems are typically more of an issue in the public than the private sector. But it’s still good practice to prepare to update systems sooner rather than later. One of our customer’s products will be unsupported by Google when they stop supporting former versions of Android, so our customer is already preparing the product to ensure it will remain compliant and secure in years to come.
While we don’t find many legacy systems in our penetration tests, we do uncover a number of issues related to patches and updates. Either software hasn’t received the latest patch, or interdependencies are brought crashing down by an update. To ensure infrastructure that was secure yesterday is still secure today, medtech companies need to monitor these updates and test for vulnerabilities regularly.
3) Humans need to be as secure as software
It’s not just applications that need updating, it’s the people using them too. Software products can help serve as an early warning system to protect against phishing but they will never be completely foolproof against a sophisticated attack.
Of course, with over 100,000 staff, the HSE had far more phishing targets than the average medtech company. But that doesn’t mean the threat is any less real for you. To keep the virtual gates locked against unwelcome visitors, cyber security training should be part of any medtech company’s growth strategy.
Testing for your organisation could include identifying employees who are at risk of phishing attacks and assessing what level of training is needed based upon your employees’ activity.
4) A small breach can become a big one
The HSE crisis was almost certainly the result of a spear phishing attack rather than the generic emails that are easily sifted out by a spam filter.
In a targeted spear campaign, an attacker might use real information about your employees to masquerade as one of them. If the hacker has gathered enough information through a correspondence leak, they may even be able to refer to a recent conversation about an ongoing issue in your organisation. Their forged communication can be very convincing.
The risk is amplified in a remote working situation. And while more secure communication tools like Teams and Slack help here, they only go so far to bridge this gap. When you cannot quickly glance over at a colleague - who has apparently sent a Slack message that looks slightly off - you might not check in with them before you click the link they’ve sent.
5) Hybrid working will appeal to hackers
Finally, because HSE’s data was so decentralised, a number of weak points existed in their systems. For medtech companies continuing to work remotely, or pivoting to hybrid, this will be an important issue to bear in mind.
When you have more than one area where you’re storing information - and they link together in some way - there will be vulnerabilities that wouldn’t exist if the information was centralised.
On the other hand, while a single centralised system might seem like a bigger target, it’s far easier to protect. So long as you have enough safeguards covering a single vulnerable point, you mitigate the risk.
When Datavax began working remotely, we understood what we were up against. We quickly implemented company-wide antivirus software and paid for a company to install patch management software on all our workstations. This notifies our employees if any application or system goes out of date. It also enables us to keep track of our infrastructure as if it were all under one roof.
Ultimately, the more links in the chain you have, the more security you need. Your systems are likely much more secure than the HSE’s were in May but you still want to pass with flying colours every time an audit is done.
----
To check that your security is rock solid, you may want an independent penetration test. To learn more, don’t hesitate to get in touch.