Manoharan Mudaliar

Cyber Security Consultant

A Guide to Insider Threats and How to Manage Them

With the disparate nature of cyber threats currently facing businesses, it isn’t easy for organizations to identify the ones they should prioritize. Most organizations and their think tanks make the deadly mistake of focusing entirely on threats originating from the outside. With the severity and volume of threats and breaches caused by insider attacks on the rise, this oversight can prove to be costly in the long run.

Regardless of whether your internal stakeholders are acting out of negligence or malice, businesses need to realize just how significant a risk insider threats pose for them. We discuss insider threats in greater detail within this guide and also look for ways you can follow to manage them. Just remember to take insider threats as seriously as you take threats originating from the world outside your firm.

What Are Insider Threats?

Insider threat is a common phrase in the world of cyber security, used to define threats posed from within the organization. These threats come from current or former employees, partners or your contractors. Almost all of these individuals have had or have access to your databases, networks and applications. They can unwillingly or willingly use this access to cause disruption, damage and/or modify, steal and erase all sensitive data currently in possession of the organization.

While almost all forms of data under your possession are at threat during an insider attack, the information most commonly targeted includes personal information related to customers and employees, financial records, details about the security controls in place within the organization and intellectual property. While organizations from all kinds of industries are at risk of insider breaches initiated by disgruntled employees or some other stakeholders, recent research indicates that the manufacturing, healthcare and finance sectors happen to be the most susceptible.

Types of Insider Threats

Contrary to popular belief hosted by most individuals, insider threats don’t always happen to be malicious in nature. Cyber security experts are very clear on their definition of insider threats and believe that the term encompasses any action taken from within an organization that can negatively impact its security. Most cases of insider threats are borne more out of unwilling negligence than out of malice.

Research by Ponemon revealed that almost 63 percent of all insider threat related incidents reported in the year 2017 happened out of negligence than an actual agenda. Negligent insider threats are often a result of inadvertent employee errors and poor employee behavior online, including accidentally deleting security protocols or falling for basic phishing scams.

The research also indicated that 37 percent of all threats for the said year were malicious. Malicious insider threats are usually initiated by disgruntled or rogue employees who purposely leak confidential data to inflict damage on the company’s rapport and standing. Criminal insiders don’t work alone, but collude with competitors and can even be affiliated with some other hacking groups.

There are four common types of insider threats, which are outlined below:

Second Streamers

Most insider threats originate due to second streamers. Second streamers are employees with an attitude to ‘stay and profit’. These are current employees who misuse confidential corporate information to generate additional profit through external collusion, fraud or by selling secrets. The University of Surrey hosted a study concerning insider threats recently and found that over 35 percent of all activity on the dark web relates to the trading of corporate data. While most of this data is hacked through external attacks, some of it is also sold by second streamers to add an additional income into their accounts.

Disgruntled Employees

A disgruntled employee can really damage your business today. Unsatisfied former employees or disgruntled current employees pose a serious threat to your corporate data. These employees usually have motive to commit this crime and can use their unfiltered access to get their hands on costly data sources. An insider threat survey by Gartner revealed that almost a third of all criminal insiders committed data theft as a means of revenge. Revenge is perhaps the only thing on the minds of disgruntled employees, and they can go to unprecedented levels in their quest for it.

Inadvertent Insiders

Inadvertent insiders are all employees who usually exhibit compliant and secure behavior, but can fall guilty of occasional errors every once in a while. Since all endpoints are connected to your corporate network, an error made by one employee can have serious repercussions. Such inadvertent insiders usually fall prey to phishing attacks and do not realize the extent of their mistakes until it is too late for them to take remediation measures.

Persistent non-responders

Persistent non-responders are employees that can be considered guilty of criminal negligence. These are employees, often senior executives, that take cyber security awareness training non-seriously. These employees are guilty of showcasing behavior that can often leave them vulnerable to compromise and other social engineering scams. These attacks can compromise the entire corporate network.

Insider Threat Examples

There are multiple examples of insider threats for organizations today to learn from. These examples include:


This is perhaps the highest profile example of insider threats today. Waymo, which is an autonomous car division by Google, was thriving in May 2016, when an employee left them to found a self-driving truck business by the name of Otto. The newly found company was taken over by Uber within 2 months of its introduction. It is alleged that before leaving Waymo, the employee in question downloaded over thousands of trade secrets, confidential files, design files, testing documents and blueprints. Waymo filed a lawsuit against Uber, and the case was settled at a whopping $197 million part way through the trial.


Tesla was recently involved in an insider threat attack as well, where a disgruntled employee abused their internal privileges to alter the manufacturing processes. These alterations damaged manufacturing levels. A public dispute was filed on the basis of whistle blowing. Tesla’s reputation in the market was damaged after this incident.


In 2018, an employee at one of Coca-Cola’s subsidiaries stole a hard-drive containing personal information for thousands of employees and consumers. This breach caused major repercussions, but the impact could have been much worse had the breach occurred after May 2018, the enforcement month of GDPR.

Managing Insider Threats

Reading horror stories related to insider threats can be daunting and troubling. But, rather than doubting every single employee, you should take proactive steps to reduce your risk. We mention 5 key safeguards below:

Closely Manage Privileges and Permissions

Closely monitoring account privileges for different users can help you limit the risk of compromise, be it from an insider in the organization or from someone who has gained access to their account. Privileges and permissions should be reviewed every time roles change and organizations should adopt a policy of ‘least privilege’ for employees, agencies and contractors.

Implement Device Management Policy

Employees access company systems from a number of locations and a number of different devices. Even though organizations have imposed BYOD policies, unsecure devices present a massive security risk. Organizations should make sure that all employee devices have endpoint security software installed.

Application control is also necessary, which is why organizations should post a list of approved apps for use. This will help employees identify the tools that are permitted and others that are not. Organizations should also monitor USB points on high risk devices.

Regular Staff Training

Human errors can be minimized through regular staff training. We discussed inadvertent employee mistakes above, and these acts of negligence can be reduced with proper training. Training employees about their obligations when it comes to data security is just one crucial step to reducing risk inside the organization.

Security awareness training given to employees should also cover topics such as phishing prevention, data protection and password management. With the right training, you can limit negligence on part of your employees which often leads to insider threats.

Proactive Monitoring

Proactive endpoint and network security monitoring through the use of technologies such as EDR, IDS and SIEM can actually help your security team in identifying insider threats before they cause any damage.

For monitoring to be successful, it is necessary that you identify a baseline ‘normal’ activity. Any behavior that falls outside of this baseline should be considered a threat.


UEBA – User and Entity Behavior Analytic – is one way to combat insider threats in your organization. UEBA can help neutralize known and unknown user threats as it uses behavioral profiling and advanced machine learning techniques. All anomalous activities are reported and privilege abuse is limited.

A cyber security consultant can help manage insider threats for your organization. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.


What Is Endpoint Security Monitoring and Why Is It So Important Right Now?

Cyber attack on a remote endpoint device

COVID-19 has left organizations across the world in a spot of bother. Many organizations have been forced into adapting mass remote working schedules, almost on an overnight basis. With such a sudden and necessary shift to remote work, it can be argued that endpoint security is needed more desperately now than it ever was in the past.

For years, organizations threw austerity out the window to lavishly spend on securing their traditional security parameters. However, the investments have vanished right in front of our eyes, as we adjust to a more remote pattern of work, keeping the desperate times of today in mind.

The transition to remote work online has increased the challenges and complications faced by security teams working day and night to defend their organizations’ honor against online cyber attacks. The challenge of cyber security has been made even harder with the ever-evolving techniques used by attackers.

In this blog we explore the concept of endpoint security for businesses looking to build on their endpoint monitoring capabilities. We also shed some light on the options available for businesses on this front.

What Is Endpoint Security?

Endpoint security usually refers to the protection of all internet-connected devices within a system from cyber threats and cyber attackers. Basic endpoints include workstations, PCs, smartphones, servers, tablets and IoT devices/applications.

Organizations realize how the sophistication and volume of cyber threats has evolved to make them more vulnerable than they previously were. This reinforces the importance of cyber security measures for businesses. For years, organizations have relied on antivirus software solutions across the board to secure all endpoints but recent research might raise questions over the authenticity of antivirus software solutions and what they actually do to negate cyber attacks.

A recent study by researchers at Ponemon Institute suggested that the confidence most business leaders had in traditional antivirus solutions is slowly and gradually declining. Most antivirus solutions block only 40 percent of all attacks, leaving your systems vulnerable to the remaining 30 percent of attacks. Antivirus software solutions still remain essential, but relying on them alone can leave organizations vulnerable to threats such as polymorphic and memory-resident malware.

Effective endpoint security goes above and beyond just signature-based detection techniques. Keeping in mind the evolving nature of cyber attacks, cyber security experts go for a deeper and more intricate level of detection utilizing behavioral analytics among many other techniques. To effortlessly detect, monitor and negate online cyber attacks, organizations today have to opt for tools such as Endpoint Protections Platforms EPP and Endpoint Detection and Response EDR.

What Makes Endpoint Security So Important?

With remote work becoming a norm in the world today, corporations have no other choice but to allow employees to seamlessly connect to corporate networks from remote places. With government restrictions in place, organizations have no option but to make remote work a possibility. However, every device that is connected to your organization’s network presents a problem of its own.

When employees work from their homes, they are usually outside of the corporate firewall that can detect, monitor and block all outgoing and incoming communication to and from endpoint devices. Many organizations consider the use of Virtual Private Networks or VPN a possible form of protection, but ensuring all employees continuously use VPNs with regularity can be a bit of a challenge.

Most endpoint devices offer an easy passageway for cyber attackers to get inside a firm’s network. Endpoint devices have become attractive options for cyber criminals to initiate their attack. These devices usually have numerous unpatched software vulnerabilities and are being used by employees who are highly susceptible to phishing attacks. Phishing is the most common attacker vector used to gain access to endpoint systems.

An increasing number of attacks today are specifically configured to target and extract vulnerabilities in endpoint systems. These attacks also look to gain unauthorized access to the company’s network by installing malicious malware. The burgeoning growth of endpoint devices during this period has increased the opportunities available for adversaries and attackers to launch cyber attacks. Additionally, the growing transition of data towards SaaS and cloud hosting only complicates these challenges further. Research by the Ponemon Institute has revealed that the average costs of a single attack on an endpoint device are upwards of $7 million. This is almost twice the damage that a general data breach can cause.

The disruption and significant damages caused by endpoint attacks make it even more critical for organizations to develop an incident response strategy. Endpoint security is extremely important as it helps organizations reduce the response time it takes to detect and nip cyber attacks in the bud. Tools like EDR come with advanced technology to help automate the response action taken by endpoint devices. Immediate response action can include the isolation of an infected endpoint device from the organizational network to limit the spread of the attack and to ensure that breaches are shut down with minimal damage.

Gartner has predicted that by the end of 2020, almost 70 percent of organizations with more than 5,000 endpoint devices would have an EDR software solution installed with them.

What Is Endpoint Monitoring?

Endpoint monitoring is all about mitigating the risks of attacks on endpoint devices. Organizational security teams should always keep a check on all endpoint devices. All devices connected to the corporate network should be ideally monitored and measures should be in place to identify and shut down all malicious threats targeting the network as a whole.

In simpler terms, endpoint monitoring can be defined as the process to analyze endpoint behaviors across all devices to identify any and all signs of malicious activity and to eventually respond to them in a fitting manner. Endpoint monitoring can typically be achieved by establishing the right strategy for what constitutes as normal behavior, any anomalies or deviations from normal behavior should be identified and restricted.

EDR technologies can come in handy to facilitate endpoint monitoring protocols. All important endpoint events, such as file changes and registry, should be reported. Eventually, any deviations from the actual environment are pinpointed as suspicious activities and are studied in greater detail.

Challenges in Endpoint Security Monitoring

Endpoint security monitoring heavily depends on early detection of attacks. Early detection of all endpoint security attacks is vital for organizations. However, without a dedicated team of established security experts to manage EDR systems and other endpoint monitoring technologies on a consistent basis, corporations will fail to achieve the outcomes they wish for these tools to deliver. A team of dedicated individuals is a must if you want your endpoint security network to deliver the goods.

Endpoint monitoring solutions run through a huge amount of significant data. And, the higher the number of applications and devices being managed, the more alerts you are bound to receive. The continuous inflow of alerts and feedback can cause major complications and complexities for in-house teams. Many in-house security teams do not have the acumen or the training to make sense of these threats as they come at a rate of knots.

Additionally, organizations can get the most out of endpoint monitoring solutions like EDR, if they have a good enough understanding of threat intelligence. Most EDR solutions, or any other endpoint monitoring solution for that matter, will not give you the guidelines you need on threat intelligence out of the box. Specialist expertise is required to tune the chosen technologies and configure them. The solutions have to be configured according to the organization’s specific risk profile, and this is something only an expert can manage.

Without proper manpower, alert fatigue is also a possibility. Expensive technologies can go to waste if you don’t have the resources to recognize the messages they display. In an attempt to reduce these complications, organizations are looking for external help to not only help implement endpoint security monitoring solutions, but to also make sense of the alerts they send.

Managed Endpoint Monitoring

Critically enlisting assistance from an external specialized provider can help organizations develop the right threat hunting environment. Organizations looking to elevate their ability to detect, monitor and remediate endpoint threats need external assistance for the job.

Organizations can combine capital and human resources to seek out all threats that somehow bypass all current defenses. Threat hunting can improve your readiness against attacks and can also ensure that you are ready to shut down threats in their infancy when push comes to shove.

A cyber security consultant can help improve your endpoint security monitoring. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.

Understanding the Differences Between EDR and MDR Methods of Threat Detection

Threat detection service

The cyber security world today is filled with multiple acronyms. It isn’t easy for stakeholders to detect and distinguish the differences between many of these acronyms and what they stand for. IT and security personnel need to be well equipped with methods of threat detection, which is why they should be well versed in all the terms in use in the cyber security domain.

IT and cyber security personnel need to make quick decisions in the heat of the moment, which is what makes it even more important for them to know their acronyms in full. Two of the most common acronyms likely to be encountered by organizations looking to improve their threat detection mechanism for shutting down threats are MDR and EDR. MDR stands for Managed Detection and Response while EDR stands for Endpoint Detection and Response.

This blog takes a look into the differences between EDR and MDR methods of threat detection, and oversees just how they can help cyber security personnel take the right decision.

What Is EDR?

Endpoint Detection and Response or EDR is a term commonly used by cyber security agencies and personnel to define measures taken to detect threats in endpoint servers. With the growing number of endpoint servers, organizations today take special interest in ensuring that all host devices connected to their network are protected. These devices include laptops, desktops and other mobile servers.

Endpoint Detection and Response technology combines different elements of functionality with next generational antivirus to deliver anomalies reported in all endpoint systems. EDR does a good job at detecting anomalies by supporting threat hunting and by eventually automating the incident response process.

EDR solutions begin work by collecting all of the data generated by endpoint systems. Once this data is collected, the systems run behavioral analytics to examine and detect any signs of suspicious activity in how the endpoint system is being used. This constant monitoring ensures that even the slightest anomaly is detected by the system. Once an anomaly is detected, a prompt alert is sent generated for human investigation and response.

Endpoint systems can be used to contain and quarantine infected devices, perform kill chain analysis, block malicious IPs and create a custom threat watch list for monitoring. All these benefits provide security teams with the layer of visibility they need to not only identify, but also respond to threats and intrusions.

Features of EDR

  • Endpoint device data monitoring: As we have studied above, all endpoint devices are constantly monitored as part of an EDR system. Systems are monitored for suspicious data and files, which may be the doing of a network threat. All detected threats are mitigated with limited damage. EDR also monitors and updates security systems like anti-malware programs in endpoint devices.
  • Traffic Analysis: Cyber security specialists monitor traffic going in and out the endpoint system, looking for variations in the flow. These variations are basically signs of an intrusion. Specific digital methods of common threats are identified.
  • Digital Forensics: Digital forensics is perhaps one of the most essential aspects of EDR. Once a data breach takes place, a thorough forensic analysis of all endpoints is conducted to unearth the cause behind and the damage caused by a breach. Digital forensics help mitigate network threats and also guide cyber security analysts about threats, so that they can be neutralized in the future.
  • Endpoint Event Storage: Log files from a threat are stored in central locations accessible by all. These log files play an instrumental part in eventually unearthing data surrounding the breach.

What Is MDR?

MDR or Managed Detection and Response is an acronym used to define a process for helping organizations not only detect, but also respond to threats. MDR combines a number of areas such as human expertise, endpoint detection technologies, networks and threat intelligence mechanisms to reach the results that it generates.

All Managed Detection and Response Services are delivered by professional MDR experts. These services are concocted to help organizations form an enterprise grade cyber security mechanism. MDR is best suited for businesses that do not have the ability or the financial prowess to build a fully oiled in-house security system. MDR comes at a fraction of the cost it takes businesses to build their own cyber security capabilities in-house. The system not only helps save costs, but also ensures that organizations are able to safeguard their systems from threats.

MDR can work as the virtual extension of the in-house team within your organization. It not only hunts down threats, but also responds to them around the clock. MDR goes well beyond the scope of what is traditionally offered by a managed security service provider. MDR providers are tasked with hunting for, investigating and providing the support needed to remediate and manage threats.

Features of MDR:

  • Intrusion detection and prevention: MDR systems come equipped with the ability to recognize all attempts to breach a network. Countermeasures are a hallmark of MDR. With MDR almost all kinds of network intrusions are discovered right in their infancy. Timelier responses are possible due to early detection.
  • Threat Analytics: MDR does not only oversee the mitigation of all threats, but also runs an analysis over the kind of threat in action. Cyber security protocols following MDR protocols look for composition and sources of threats during threat analysis. Analyses help experts develop the right counter measures for keeping all such threats away in the future.
  • Round the clock support: With MDR, businesses can rest assured knowing that their systems are monitored 24×7. Since attackers don’t work in 8 hour shifts, an attack can come at any hour, which is why coverage throughout the day is necessary.
  • Proactive Threat Hunting: Some network threats are made to evade traditional security systems. MDR systems can detect all such threats due to attention round the clock and because of their specialized tools. All sophisticated threats are neutralized before they can cause any damage to individual systems and the network as a whole.

Does MDR Include EDR?

EDR technologies are an important part of MDR’s stack. EDR technologies allow MDR security teams to achieve deeper threat coverage and visibility. Some EDR providers even offer MDR services dedicated to specific endpoint detection. All such services are marketed as Managed EDR.

However, in almost all cases, EDR is just one of the many tools in place of a full stack MDR service. MDR providers also incorporate a wide range of other services to achieve comprehensive visibility. Other services offered by MDR providers in their stack include intrusion detection, SIEM, vulnerability management tools and network traffic analysis. An MDR provider will deploy, accurately configure and properly monitor all the technologies included within their service pack.

Challenges of In-House Endpoint Monitoring

As the sophistication of cyber threats continues to grow, the perimeters in place for controlling threats are insufficient now. While buying and integrating all necessary technologies is already extensive, most organizations also have to go through the additional burden of training their staff members.

Many organizations run into spending exuberant amounts on staff training, without realizing the cost burden of all such expenditures. The potential offered by systems like EDR is significant, but no organization can truly unlock this potential without a dedicated team of experts to configure, monitor and manage these systems around the clock.

Overstretched IT teams often fail to extract value out of these systems, while professionals end up suffering from alert fatigue. Eventually, the technology is rendered redundant. It is because of these challenges that organizations today prefer managed security services to fill in the resource gap.

The Rise of MDR

Managed Detection and Response has grown as a popular form of threat detection because of the growing concerns related to managed security services or MSS. These concerns include the inefficiency of MSS systems to handle modern cyber threats.

Many MSSPs were criticized for passing threats with only basic monitoring and alerting. MDR goes well above and beyond the scope of a traditional security service, adopting a more outcome-driven and proactive approach. Elements included in a typical MDR include continuous network and endpoint monitoring, security orchestration, threat hunting and remote threat disruption and containment.

Many MDR providers also extend their coverage to cloud services. This could mean proper detection and response in GCP, Azure, AWS and common SaaS applications. It is believed that a quarter of all organizations across the globe will be using MDR services in 2024, a massive jump from the 5 percent that use these services today.

A cyber security consultant can help provide the help you need in choosing the right threat detection service. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.


Understanding SOAR and Its Impact on Threat Detection and Mitigation

Working on a network security solution

Keeping your remote systems protected is no more a matter of just deploying a firewall and an antivirus system. Defending your systems from modern, sophisticated cyber threats requires you to put up a unified security strategy. Your strategy should detect, manage and mitigate all security lapses and attacks whenever they emerge.

Almost all cyber security experts have heard of SOAR, better known as Security Orchestration, Automation and Response. SOAR is considered to be one of the most capable tools for managing security threats and creating an actionable mitigation strategy to tackle them.

Originally coined by Gartner in 2017, it is used to refer to the presence of tools combining Threat Intelligence Platforms, Security Orchestration and Automation and Incident Response Platforms together. A SOAR solution essentially enables users to gather data from multiple sources and view it together in one location.

Understanding How SOAR Works

SOAR tools and solutions can basically be defined as monitoring platforms that give users access to a dashboard compiled with metrics and security data from different systems across the organization. Combining data from different sources across the organization helps give a comprehensive understanding of threats, with an immediate incident response.

Tools coming under the SOAR solution use AI and threat intelligence to help users respond to threats and improve their decision making skills. The automated response generated through SOAR tools helps reduce the time it takes to detect problems and the system, and to resolve them.

A typical SOAR platform is made of three integral components:

  • Orchestration
  • Automation
  • Response


Orchestration is the process of gathering data from multiple sources and compiling it together on one platform. Orchestration is considered highly useful in the cyber security domain as it gathers data from different disparate technologies and tools to provide a single top-down perspective into security attacks and threats.

For instance, a typical SOAR tool would use the feature of orchestration to gather alerts from multiple data sources and compile them in one place where users can easily manage these threats. Compiling security event data and real-time results in one place can make vulnerability management and threat detection easier than before. Without a proper tool for security orchestration in place, security analysts would have to sift between different tabs and systems to maintain a professional network. This leaves greater room for human error.


Automation is another forte of SOAR tools for reducing administrative burdens. Most network administrations and security analysts face a wide range of administrative burdens when managing security threats. Manually monitoring, detecting and responding to cyber events and attacks has proven ineffective and useless for many professional organizations. One network analyst cannot possibly monitor over a dozen systems together. These systems generate over a thousand alerts and alarms during a typical day.

SOAR solutions offer automation in not just alert detection, but also in how network managers respond to the security threat. Automated solutions automatically shut down systems or devices where cyber threats have been detected.


A typical SOAR tool is also concerned with enabling users to respond to a given situation, also known as incident management. The dashboard compiles and gathers data from across the board, which is why response and incident management activities take place here. Network analysts can monitor the dashboard to view threat intelligence alerts in real-time.

SOAR tools offer root-cause intelligence and diagnostics to help users find security events that have infiltrated the system faster. In simpler words, SOAR tools come designed with the intention of performing a thorough diagnostic operation during the remediation process.

Ways SOAR Is Helping Businesses Combat and Overcome Security Challenges

The cyber security domain has never been as complicated as it is right now. In the face of complications and ever-evolving threats, SOAR offers businesses of all sizes an opportunity to improve their chances of swiftly detecting and responding to attacks.

Some of the complications facing businesses on the cyber security domain include:

  • A rise in ever-evolving and disruptive cyber security threats
  • Shortage of qualified security analysts for managing threats on a routine basis
  • And, the growing structure and reliance on IT estates. Businesses now have more to lose from a cyber attack than ever before.

SOAR helps support cyber security systems by:

Providing Intelligence of the Highest Order

Cyber security threats have become complicated and more disruptive over time, which is why tackling these threats now requires an ability to not only recognize all indicators of compromise, but to also understand the techniques and procedures followed by attackers, along with their line of attack.

SOAR systems compile and validate data from disparate sources, including security and exchange technologies such as intrusion detection systems, firewalls SIEM and UBA technologies and threat intelligence platforms. Eventually, SOAR helps SOCs become even more intelligence driven.

The changes brought through better quality intelligence allow security personnel to contextualize incidents in a better manner. Security analysts can also make better decisions, while accelerating the process of threat response and detection.

Improving the Efficacy of Operations Without Downtime

The need to oversee multiple security technologies with different metrics of their own can put a significant strain on your security personnel. Not only do systems require constant monitoring to ensure their ongoing health, but the thousands of alerts generated by disparate security systems can lead to alert fatigue, eventually creating gaps for actual cyber attack alerts to go through unnoticed.

Constantly switching between different networks can also make situations worse than they actually are. Constant switching can cost time and effort and can also elevate the risk of mistakes.

SOAR solutions and tools can help CSOCs semi or fully automate some of the mundane tasks performed by security personnel on a day to day basis. SOAR tools provide solutions through a single glass window, utilizing both, machine learning and AI, to give automated real time alerts and responses. Security analysts often waste a lot of their time during the day on context switching and SOAR solutions can stop this wastage of time through unified results on a single dashboard.

The solution also helps ensure that security threats are managed in a more efficient and timely manner, improving the organization’s productivity and capacity to operate without any major cyber attacks. Additionally, the system ensures that more incidents are managed without the need to hire more staff members on your security team. SOAR helps security staff perform smarter rather than harder, by giving them the means to streamline their efforts.

Enhancing Incident Response

Data breaches and cyber attacks have become extremely common in today’s world. Rapid response is extremely vital for minimizing the damage caused through these breaches and cyber attacks. Two key vectors used to gauge performance here include mean time to detect or MTTD and mean time to respond (MTTR). SOAR helps organizations reduce the mean time to detect and respond by qualifying and remediating security alerts in a matter of minutes, rather than weeks or even months.

SOAR also enables and helps security teams automate the procedures for incident response. Automated responses include the immediate blocking of an IP address on the IDS system or firewall. This helps suspend infected user accounts and other endpoints on a given network.

Streamlining the Reporting Process

In most cyber security operation centers or CSOCs, frontline workers waste a significant amount of their time trying to manage impending cases, creating reports, journaling and preparing documents for the incident response procedure. Manually reporting processes and cyber attacks can waste time and requires attention to detail, taking focus away from the mitigation of other follow up attacks.

SOAR can come in handy in the reporting process as it aggregates and compiles intelligence from a wide range of sources before presenting it in a visually appeasing format. SOAR helps organizations reduce the paperwork and hassle that goes into the reporting process, while simultaneously improving contact between the corporate heads and frontline workers.

Through the use of automation, SOAR can also help codify knowledge and prevent the loss of institutional memory from cyber attacks. Since organizations face difficulty in otherwise retaining security talent, institutional memory from within the system can come in useful in the future.

SOAR allows you to perform tasks faster and reduce time to resolution. The longer your threats go unaddressed, the greater the chances of disruption and damage.

A cyber security consultant can help improve your transition towards SOAR. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.

The Most Common Attack Vectors for Ransomware

An attack vector is a path which attackers can exploit to gain unauthorized access into a network or computer to deliver a malicious outcome or a payload. Attack vectors give attackers a chance to exploit certain vulnerabilities in a system to install different kinds of malware before they launch consistent cyber attacks.

Attack vectors can also be predominantly used to gain access to personal identifiable information or sensitive data. An attack on sensitive data usually leads to a data breach; threatening financial and personal information from hundreds and thousands of customers. With the current cost of a data breach marked at $3.92 million, companies can actually benefit from taking the right steps at the right time to limit cyber attacks.

What Is Ransomware?

While attack vectors are the same for all kinds of cyber attacks, ransomware attacks put businesses in a heightened spot of bother. Call it the novelty of ransomware or just the widespread destruction these attacks have caused recently, but businesses sure do view the malware as a significant threat.

Most forms of ransomware lock or encrypt files on a system, while some other variants completely erase documents and relevant data. Once access to documents within the system is blocked, the malware automatically demands victims to pay a ransom in order to get their files back. Ransom figures can vary from case to case; based on the data that is on hold.

There have also been cases of embezzled businesses paying their ransom amount, only to receive other ransom requests for a full clean slate. Hence, if you thought you could gain access to your files by paying the ransom, then think twice.

Victims suffering from ransomware attacks are at risk of not only losing personal data and files, but also losing productivity and customer trust. Customers seldom deal with organizations that have gone through a major data breach without successful recovery.

While ransomware first came to the scene in 1989, a lot has changed about them since. Ransomware attacks have not only matured in sophistication, but are far more widespread than they ever were before. The year 2019 saw a 74 percent increase in ransomware attacks, with ransom payments currently orbiting around $80,000 on average in Q4 2019. With enhanced earning potential, ransomware sure is the malware of choice for Madoff’s of the cyber world.

Preventing Ransomware by Understanding the Vectors at Play

What can organizations in the line of fire do to better defend themselves from a ransomware attack? Security experts have for long recommended that organizations maintain up-to-date backups at all times. These backups should be stored offline, so that affected systems can be wiped and restored if all other defenses fail.

However, considering cyber attackers are revving up the heat, experts also feel that organizations can be better prepared if they’re watching for and blocking out the favorite tactics, procedures and techniques ransomware gangs like to follow.

Hence, it is critical for you to understand the tactics attackers use for encrypting your files and delivering their threats. An understanding of attack vectors will help you focus your security and attention towards all fronts that need better defense.

Loose RDP Endpoints

Rankings released by most security firms tracking the techniques commonly used by cyber attackers are mostly inconclusive because of geographic variations and the lack of diversity in incidents they’ve investigated.

However, recent research from a ransomware incident report firm, Coveware, suggests that RDP happens to be the most common vector used by attackers in the 1,000 incidents they studied from the first quarter of 2019. RDP accounted for more than half of all successful attacks covered by Coveware during this period, followed by phishing attacks and targets on known or disclosed software vulnerabilities.

RDP, or the remote desktop protocol, is an authentic tool that connects systems from across the firm and gives remote access to IT administrators. While RDP makes remote management more convenient and easier, it also leaves a loophole in the setup for attackers to barge through. Cyber attackers with access to RDP endpoints can use that entry point and the connected systems within the tool to establish their foothold over the corporate network and the data present in it.

Security firm McAfee recently mentioned that it has tracked “an increase in both the number of attacks against RDP ports and in the volume of RDP credentials sold on underground markets.”

Organizations with RDP systems can take quite a few steps to shut down vulnerable system endpoints. These steps include protecting the system with strong passwords, restricting access to the system for only VPN users and putting multifactor authentication in place before login. RDP systems can also be configured to amp up network-level authentication. This ensures that all users are required to authenticate themselves before they start an RDP session.

Phishing for Credentials

Email phishing is the second most popular ransomware attack vector used by attackers. Attackers use attachments, links or both together to trick curious users into downloading the attachment or opening the link.

Phishing emails usually come from known contacts. The email can ask users to enter their credentials for any bogus purpose. The credentials entered by the employee are then stolen and used to access key points within the target computer to install the ransomware.

Phishing can also happen through malicious email attachments. As we mentioned above, an unsuspecting employee will receive an email from a known or trusted source. The email will contain an attachment with it, which users will be asked to download. As soon as the user clicks on the attachment, the system is infected and the files within that system or the connected network are held for ransom.

Knowledge can truly be considered power when it comes to mitigating or limiting the risk of compromise or ransomware through phishing. Organizations looking to safeguard their data should educate employees on the dangers hosted by phishing emails. Employees should be warned against entering key credentials for any bogus purposes and should save contacts on email, to ensure similar looking email addresses do not swindle them.

Drive-By Malware Attacks

Drive-by malware attacks work on a framework similar to phishing to infect systems. Cyber criminals take control over legitimate websites by posting advertisements that redirect consumers over to malicious sites that host technical codes designed with the core purpose of exploiting all known vulnerabilities within a browser.

Exploit kits most frequently used in these drive-by attacks were RIG, Fallout, and Spelevo,” Group-IB says. “Some threat actors, such as Shade and STOP operators, immediately encrypted data on the initially compromised hosts, while many others, including Ryuk, REvil, DoppelPaymer, Maze and Dharma operators gathered information about the intruded network, moving laterally and compromising entire network infrastructures.”

Malicious Insiders

An insider is usually an employee who has access to private company vulnerabilities and information. A malicious insider is, hence, someone who exposes these vulnerabilities and private information to other threat actors.

Unhappy or disgruntled employees usually act as malicious insiders. All employees and users with access to networks and sensitive data can inflict irreparable damage through malicious intent and privileged misuse.

As an organization, you can benefit by keeping an eye out on all unhappy and disgruntled employees. By keeping an eye out, we want you to monitor their data and network access across devices. Even the slightest discrepancy should be considered a red flag.

Patchy Protection

Patchy protection or software vulnerability is the last attack vector we will shed light on. Unpatched software actually ends up laying out a welcome mat for every malware intruder and attacker. In many cases where software isn’t properly patched or updated, attackers can gain access to files and data within the networks, without having to actually harvest credentials from employees. Talk about making work easy for cyber criminals!

Once attackers gain access to the system through an unpatched hole in your software, they can attack key programs and exfiltrate sensitive consumer data. Additionally, a number of ransomware attacks have decreased their footprint and have evolved into newer forms where they are extremely hard to detect. The invisible nature of the attack usually means that the ransomware can dwell for an unlimited period of time in your setup, leading to maximum destruction, even if you are able to take some face saving measures.

To ensure vulnerabilities in your software aren’t exploited, you need to immediately identify and finish them. Periodic vulnerability scans can help you identify weaknesses within the setup and what you ought to do to eliminate them.

Regardless of how prepared you are, a cyber security consultant can do wonders for your fight against ransomware. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.

Situations Where You Should Consider Penetration Testing

Panic after a cyber attack

In this age of change and progress, cyber threats continue to evolve rapidly. Cyber attackers use experience from previous attacks and knowledge of current deficiencies to come up with new and unique methods of breaking through the digital barriers in place within most firms.  The diaspora of cyber criminals from their original modes of attack have found most companies lacking, which possibly explains the increase in cyber attacks and the punitive damages suffered as a result of these attacks.

In this war between prevention and damages, penetration testing comes as the perfect tool for checking vulnerabilities and patching up gaps in your endpoint systems/firewall. Penetration testing is conducted by professional ethical hackers, as a method designed to assist organizations in identifying hidden vulnerabilities in their applications, systems and networks.

While penetration testing has proven itself to be a worthwhile assessment technique, there seems to be confusion over the frequency of these tests. We believe that every organization should commission pen testing at least once a year, while other larger businesses should conduct these tests at least on a quarterly basis.

It is, however, also necessary for businesses to consider events around them and commission testing if they feel the need for it. Research and real-life experiences have proven that unplanned penetration tests happen to be a lot more effective than planned penetration tests.

In this blog we look at certain situations where you should consider penetration testing. Be ready for these scenarios and perform penetration testing to unearth basic vulnerabilities.

After Significant Infrastructure Changes

Growth almost always comes with change. As organizations grow, they change; from the culture inside the workplace to the IT environment, everything evolves with growth and time. The breakneck pace at which organizations are adopting cloud technology, the rise of BYOD, the increase in remote working technologies and the proliferation of IoT devices are some of the changes creating new and advanced network security risks. Changes created as part of the adoption and implementation process of new IT platforms can make your systems more vulnerable to cyber attacks.

Organizations that have recently made significant changes to their cloud, hybrid or on-premise infrastructure should keep their security assessments on the front of their mind. Your IT assets are usually left vulnerable after such key changes, which is why you should perform penetration testing in such scenarios to ensure that all vulnerabilities are assessed and the security of all assets is appropriately configured.

Penetration testing should also be seriously considered after you have installed new security technologies in your organization. Scenario based testing can help outline vulnerabilities in your system and can also help improve the effectiveness of your cyber security defenses. The ultimate goal is an overall improvement in how you handle threats and safeguard your systems.

When Launching a New Service, Product or Application

Launching a new service or a product can itself be a daunting task for any organization. The entire process of R&D coupled with financial investments can exhaust you and your team. However, rushing to the market with your new service, product or application can prove to be a costly mistake, especially if you haven’t taken all necessary security precautions.

Web application testing should be an integral part of your Quality Assurance process. Most organizations rush into launching new products or services and eventually go through the hassle and embarrassment of bad publicity when vulnerabilities in the new website or application are penetrated by cyber attackers.

Penetration testing can help uncover all software vulnerabilities related to data authentication, encryption, input validation and session management before the product or service is officially launched. Testing should also be commissioned before you release major app or product updates. Testing will help unearth any and all vulnerabilities in them and would allow you to rectify them before you suffer some actual damage.

When Going Through a Business Acquisition or Merger

Most mergers and acquisitions impact IT environments in ways more than one. IT environments for both firms are going through unprecedented change at a rapid pace. It is hard to imagine the huge amounts of digital assets that change hands during this process. And since the stakes are high, it is only justified for both firms involved in the deal to make testing a vital part of the entire merger and acquisition process.

A vast amount of rather confidential and important data is shared between both parties during a merger or acquisition. Data security is often compromised, but we would want you to make it a priority during the process. Penetration testing should definitely be conducted before and after the merger or acquisition happens, so that confidential consumer data and your digital assets are safeguarded during this crucial juncture. A cyber attack that occurs during the merger and acquisition process can damage not only the deal, but also the reputation and value for organizations involved.

When Working Toward Regulatory Compliance

Regardless of the industry you operate in or the region you currently service, serious sanctions await you if you do not take the required steps toward improving security. The DPA Act of 2018 and the GDPR show the hard line approach most regulators are now willing to take toward organizations who aren’t sincere in their efforts to securing and safeguarding confidential consumer personal and financial data.

Most organizations today realize the importance of compliance and the bad press they might receive if they fail to adhere to the regulations in place. Almost all data security regulations and guidelines make it necessary for organizations to perform regular security assessments. Security assessments can unearth possible vulnerabilities in your system. The vulnerabilities found through penetration testing methods can then be addressed to eventually improve how your company responds to cyber attacks.

GDPR and PCI DSS are current regulations in place within Europe and the United Kingdom, which require organizations to safeguard cardholder data at all times to avoid penalties that come with non-compliance. These regulations clearly require firms to assess their security protocols on an annual basis.

When Implementing Remote Systems

With the COVID-19 virus in full steam, many organizations have had to innovate and head towards a remote model of work. Remote work is the order of the day as it allows organizations to keep the steam of their engine running, even with most of the employees working from home.

However, remote work comes with a myriad of risks, especially since organizations have had to rush into it. But, a situation like this definitely warrants penetration testing, as there are a lot more vulnerabilities coming from unmonitored endpoint systems being used by workers to assess organizational networks from home.

After you position an endpoint security system, it is necessary that you run a penetration test to determine if there still are any vulnerabilities that have escaped your eye. Negligence right now can lead to irreparable damages in the long run.

Reasons to Go for Scenario Based Testing

Scenario based testing is a specialist form of testing that assesses your security networks through ethical hackers. This method of penetration testing can help you find out the effectiveness of your organization’s digital security and can also help drive improvements in threat hunting, incident response and breach detection.

Organizations should use scenario based testing as it gives answers to the following questions:

  • How effective are your current security protocols at detecting, preventing and responding to threats within the system?
  • Are there any blind spots within your network that attackers can persistently exploit?
  • Are sophisticated attacks shut down by your security analysts before they render irreparable damage to your systems?
  • How good is your security team at identifying genuine attacks and differentiating them from false positives? The sheer number of alerts being generated by your security system can lead to alert fatigue, which is why penetration testing helps determine whether your security analysts are still up to the job or if they are burdened by the frequent alerts.
  • Do you have any incident response plan in place for addressing threats and managing possible compromises? A plan of action can help you sail through attacks, even when the tides aren’t in your favor.
  • Do your in-house security personnel and teams have the intellectual know-how to mitigate the damage from breaches and remediate them? Loopholes in this regard can ameliorate damage further.

All these questions, when answered, help you identify where you currently stand and the steps that can be taken to improve your network security standing. With the right efforts and tests, you definitely can improve your network security to prevent attacks.

A cyber security consultant can help you perform penetration tests and identify the need for them. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.


How to Create an Effective Business Continuity Plan

Creating an effective business continuity plan

The COVID-19 pandemic has led to a complicated period of acceleration and innovation for businesses across the globe. Industries have come up with better technologies, while adapting to new channels of communication and work from home practices. All of this has been achieved in an astoundingly limited period of time.

However, with the troublesome work from home scenario, businesses have also had to grapple with the fear of cyber security exposure. Remote work is the new norm today, and employees are accessing and checking in to company portals from unmonitored network protocols and computer systems.

The need of the hour for businesses today is to come up with a business continuity plan. A business continuity plan can be defined as a well drafted plan of action that dictates the modus operandi businesses follow when they are faced with a major disruption. The plan outlines all instructions and procedures that should be followed by businesses during such disasters. It not only covers business continuity, but it also oversees business processes, human resources, assets and partners.

With the current COVID-19 pandemic in perspective, it is only necessary that businesses draft a plan that safeguards them from the risk of a cyber attack. Cyber attacks, including malwares, can put your internal data at risk. Additionally, the confidential consumer data you have can also be breached during such an attack.

A Look Into Cyber Attacks Today

Almost 96 percent of all businesses in the United Kingdom suffered a cyber attack during the last year. While cyber attacks previously targeted important financial data, hackers have realized the potential in the market for consumer data, including date of birth, password hashes, email addresses and usernames.

A recent scam involving Dubsmash, My Fitness Pal, My Heritage and ShareThis saw important consumer data from over 200 million user accounts stolen and put up for sale on the Dream Market dark web marketplace. This new revenue stream has brought in a group of eagle eyed hackers looking to attack and breach sensitive consumer data.

The average cost of a single data breach caused by a cyber attack hovers around $3.62 million on average. This is a staggering amount that most businesses today aren’t able to meet. This is exactly why almost 60 percent of small and budding companies run out of business within six months of falling into a cyber attack that leads to a data breach.

A business continuity plan does not take a lot to build, but it sure can be the difference between shutting down after a cyber attack and continuing to function properly.

Anatomy of a Business Continuity Plan

If your organization doesn’t have a business continuity plan in place already, then you have to start by assessing your core business processes, the areas inside your organization that are most vulnerable and the potential losses you will incur daily if these processes go down.

Once identified, you can proceed with developing your business continuity plan. This would entail the following general steps:

  1. Identify the scope of your plan
  2. Identify all key business areas that would shut down as a result of a cyber attack
  3. Identify all critical functions in your organization
  4. Identify how output and productivity are focused or dependent on certain functions and areas
  5. Determine the downtime that it will take for you to perform each critical function
  6. Create an actionable plan for maintaining operations in the face of disaster

You can maintain a checklist as a potential tip for covering everything you should. The checklist should include the location of your data backups, along with where the plan is available and who you can trust with overseeing key business processes when disaster strikes.

Once you are creating your business continuity plan, you would like to interview and talk to people and employees who have previously gone through similar experiences of data breaches and cyber attacks. Hear their ‘war stories’ and understand the mentality that helped them pull out of that mess. People usually like sharing tips and tricks on how they saved the day, so you won’t face much resistance here. The insights you get from experienced people will actually help you craft a plan.

Test Your Business Continuity Plan

Hope for the best, but be prepared for the worst. Once you have a business continuity plan on paper, it is necessary that you test and approve it, before relying on it to get you through cyber attacks. Testing a plan is the only way for you to know whether it will work or bust.

To make the testing process difficult and almost life-like, you have to create an artificial cyber attack with the sole purpose of breaking your business continuity plan. Do not go for an easy scenario where you come out high fiving each other when the plan actually isn’t ready for real life situations. Create a complicated attack that actually tests and strains every part of your plan.

Test how your task teams perform, and if you are in sync with the targets you have set in the actual plan. To make the situation even more life-like, you can promise recovery teams a bonus if they get through the situation in the desired time.

There are three basic ways for you to test and explicate your business continuity plan on an annual basis.

  1. Start with table top exercises that take place inside a conference room and involve team members poring over the plan and its possible limitations. Have the best talent in your firm come together on a quarterly basis to check for chinks in the armor.
  2. Secondly, you have the option of a structured walk-through, where every team member walks through their components of the plan. Identify different disasters or types of cyber crimes in mind and rehearse what each member would do in the face of the actual disaster. This will help you locate whatever weaknesses there are in the plan.
  3. Lastly, you can go through disaster simulation testing to design an environment that simulates an actual cyber attack. The purpose of a simulation is to find out whether you can actually carry out core business functions during the attack.

Try including new employees into the team every once in a while, so that their fresh eyes can detect any lapses of information that other members might overlook.

Organizations with a website can go for web penetration testing to identify any gaps within their website. You can opt for the following well established methodologies to pen test your website.

  • OSSTMM (Open Source Security Testing Methodology Manual)
  • OWASP (Open Web Application Security Project)
  • ISSAF (Information Systems Security Assessment Framework)
  • PTF (Penetration Testing Framework)
  • PCI DSS (Payment Card Industry Data Security Standard)

These methodologies will help you run penetration tests on your website and check its response.

Tips to Create an Effective Business Continuity Plan

You can create an effective business continuity plan with the following tips:

Establish Communication Lines

Your business continuity plan should establish communication lines within the organization. An employee who detects a cyber security issue on their remote system while working at home should know who to contact in the moment. News of an attack or any update should immediately get to the team in action without delays.


A continuity plan should ensure that the business has good, regular and clean back-ups of the entire IT state available on a daily basis. Running back-ups every month doesn’t work anymore, which is why you need to have preferably daily or weekly back-ups at worst. Ensure that your back-up is secured in a remote network, as there have been instances of ransom-ware attacks running into the back-up and shutting that down as well.

Prepare a Plan for Each Essential Service

If you have identified multiple essential services in your business, then you need to come up with a plan for all essential services separately. You should follow all that we have mentioned above to come up with a separate plan for each service or silo. Identify individuals tasked with looking after each service, so that there aren’t any last minute hiccups.

Keep the Virus From Spreading

One of your first plans of action after a cyber attack is to stop the virus from spreading. Disconnect the internet, change settings for the firewall, update credentials for affected systems and remove remote access altogether. The virus shouldn’t be allowed to spread, as that will ameliorate the damage.

Regardless of how prepared you are, a cyber security consultant can do wonders for your business continuity plan. If you are looking for someone to ramp up your business continuity plan, then you have come knocking down the right door.

I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.Creating an effective business continuity plan

A Penetration Testing Guide for Compliance

The world today is more regulated than it ever was. The business landscape for example is inundated with regulations and legal requirements that should be followed for smoother operations. Organizations across all industries have to comply with a myriad of regulations and standards set for information security.

Consumers provide businesses today with tons of sensitive data pertaining to their own personal selves and their financial status. The stakes surrounding consumer data are higher than they ever were, considering the sensitivity of data businesses now have, and the damage that consumers will experience if the data lands in the wrong hands.

In many regulations concerning consumer data, businesses are required to partake in penetration testing, which is a type of ethical hacking practice to address and identify vulnerabilities present in the security for your networks, applications and systems. Some regulations and laws directly ask for penetration testing protocols, while others imply it through the need to build additional assessment processes to mitigate the cyber risk looming over organizations.

In this blog we take a look at some of the common standards and regulations related to pen testing and provide you with the guidance you need.


GDPR is the Godfather of all data regulations and governs countries and organizations operating within European markets. GDPR, which is short for General Data Protection Regulation, has been around for a couple of years now and imposes the responsibility of securing consumer data on businesses.

The United Kingdom has enshrined GDPR requirements within its own Data Protection Act of 2018. These regulations were crafted well in advance to take center stage once the UK leaves the European Union.

The GDPR covers all facets of data protection and especially highlights the need for organizations to improve the security and governance surrounding consumer data. Organizations handling personal data should have the best measures in place to ensure that data is secure at all times and is being governed appropriately.

The GDPR Article 32 specifically requires organizations to implement, “A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing”.

The Information Commissioner’s Office or ICO is the authority responsible for managing and checking on data protection in the United Kingdom. ICO has clearly mentioned in its online guidance that organizations regularly conduct the vulnerability scanning and penetration testing assessments laid down by the GDPR. Any risks that are identified during the testing phase should appropriately be identified and handled in the right manner. In accordance with the focus on personal information by GDPR, organizations should ascertain key endpoints where testing is necessary.

I advise you to conduct GDPR penetration testing on an annual basis to screen your internal and external data infrastructure. Organizations should also include web app testing within the pen testing model, if the business in question includes payroll systems, CRM systems, email and other sensitive personal data online.

ISO 27001

ISO 27001 is an internationally acclaimed and followed information security standard that comes within the ISO/IEC series of international quality standards. The ISO 27001 standard basically mentions a wide framework of controls related to Information Security Management Systems (ISMS).

To become certified with this standard, organizations should build a fine set of security controls. These security controls should deal with identifying and assessing certain security risks currently present across the networks in place.

The ISO 27001 is clear in outlining that organizations have the liberty to set security controls based on their own assessment of security risks. This ensures that no set of controls highlighted in the ISO are mandatory, and in fact, it mentions a list of best practices that you should consider and keep up with.

Objective A.12.6.1 of ISO 27001 clearly states that all information related to technical security vulnerabilities in the system should be gathered and improved upon in a timely manner. All organizations should determine their exposure to these vulnerabilities and put up appropriate measures to determine the right way forward.

Penetration testing can come in handy across multiple stages of an ISMS project or task. Organizations should hence look to find a more flexible penetration testing provider that not only tailors the assessment, but also meets the bespoke requirements. Risks identified during the pen testing process should ideally be treated as part of a continuous improvement process. No risk should be left lying around.


Out of all data that consumers provide on a payment or an ecommerce platform, cardholder data is perhaps the most important. The information on a consumer’s card is extremely sensitive and shouldn’t land in the wrong hands. The Payment Card Industry Data Security Standard, or PCI DSS, lists a set of requirements for businesses to follow. All companies who process online transactions and gather card data from consumers are required to partake in PCI security audits for full compliance.

Requirement 11 of PCI DSS 3.2 is clear on what it demands from businesses. The requirement asks businesses to authorize frequent penetration testing protocols. Organizations that gather consumer cardholder data and fall within the domain of PCI DSS must always perform external and internal pen testing on an annual basis. The tests should also be performed after any significant changes to the infrastructure.

Organizations performing pen testing to comply with the regulations and guidelines mentioned by PCI DSS should identify issues such as poor access controls, coding vulnerabilities, encryption flaws and unsafe configurations.

NIS Directive and Regulations

The NIS Directive, better known as the Network and Information Systems Directive, is currently in place within the UK, as part of their pan-EU plans. The directive is in place to improve the security and reliance of critical services online.

The NIS Directive typically applies to all operations of essential services or OES. These services include transport, healthcare providers, utilities and Relevant Digital Service Providers (RDSP). Online marketplaces, cloud computing services and online search engines are also included in these essential services.

The NIS Directive doesn’t directly impose penetration testing standards, but there are regulations within the plan that mandate effective protection against cyber risk and attacks. The Objectives A and B within the plan require businesses to enable assessments, verification, inspections, testing and auditing for a secure environment.

While the NIS Directive doesn’t necessarily delve deep into the requirements of testing, it draws parallels with the requirements and guidelines mentioned as part of the GDPR. OESs and RDSPs can follow testing procedures required by the GDPR to remain safe on the NIS front.

NHS DSP Toolkit

The Data and Security Toolkit is a self-assessment tool in place for organizations in the UK’s healthcare sector. The tool basically helps organizations in healthcare to improve security by benchmarking against NDG Standards. NDG or National Data Guardian standards apply to all organizations currently operational in the social care and healthcare sectors.

Standard 9 of NDG clearly outlines that an actionable strategy should be in place to protect sensitive IT systems and consumer data from cyber threats. This strategy should at least include penetration tests that cover critical network infrastructure and your web services.

The NHS Digital guidance clearly recommends that organizations should tread carefully when scoping tests to prevent adverse effects on the systems or assets being assessed. Sub clause 9.4.3 also recommends organizations to find a penetration testing provider that can help them handle tests easily.

Choosing a Pen Testing Supplier

Reading through and complying with the numerous requirements and regulations of security legislations can be daunting and intimidating. However, it is equally important to understand the benefits that come out of testing your core network processes and gateways. While penetration testing has innumerable benefits of its own, you can also comply with different regulations by holding regular tests on an annual basis.

Any organization looking to perform penetration testing for compliance and security purposes should preferably try to find a flexible provider who not only understands the regulation, but can also tailor their testing methods to your industry and services. Your pen testing provider should understand the requirements you have and the latest pen testing standards that can be used to meet your demands.

Finally, it is crucial that you don’t view penetration testing as a tick-box exercise performed purely for compliance. Penetration testing is critical for your organization’s rapport and data security methods, and you should perform it regularly to keep up with the ever changing threat landscape.

A cyber security consultant can help you perform penetration testing and remain compliant. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.


Cybersecurity Best Practices To Protect Your Business

Best Practices To Protect Your Business

The dynamics of commerce have been forever altered by the sustained importance for businesses to adopt an online presence in addition to, or even in place of, a brick-and-mortar presence. One could even argue that as the COVID-19 pandemic shatters lives, livelihoods, and entire economies, the need for businesses to streamline and maintain their digital presence has only increased in urgency.

Amid social distancing measures and stay-at-home orders, we’re all spending more of our lives online. However, as the situation develops, it really wouldn’t be farfetched to say that in a post-COVID-19 world, the need for robust and reliable cybersecurity is as critical as access to the internet itself.

The global cybersecurity market is currently valued at $173 billion and is expected to touch $270 billion by 2026. As the digital economy flourishes and internet dependency increases, a report by Accenture found that 68 percent of business leaders believed their cybersecurity risks were increasing. These aren’t unfounded concerns; a study by the Clark School at the University of Maryland in 2017 found that a hacking attack occurs every 39 seconds. What makes that statistic particularly telling is that 60 percent of small businesses that fall victim to a cyberattack go out of business within six months.

We’ve prepared this guide with four simple but effective cybersecurity practices every business should adopt to keep cyber threats at bay.

Read moreCybersecurity Best Practices To Protect Your Business

A Cybersecurity Guide for Your Remote Workforce

Cybersecurity Guide for Your Remote Workforce

To help mitigate the disastrous effects of the COVID-19 pandemic, companies around the world have had to adopt a remote work model, whereby employees are working from home.

However, most companies aren’t very experienced when it comes to managing a fully remote workforce and the unique challenges it presents. Organizations’ IT infrastructures are struggling with the increased number of unmanaged and unsecured personal devices.

This opens them up to data breaches, losses, and potential compliance violations. Moreover, according to Link11, DDoS attack lengths and other cyberthreats are projected to increase by 30 percent during the pandemic.

If, like many other businesses, you have had to make the shift to remote work, we’ve prepared this guide to help you secure your remote workforce and your company.

Read moreA Cybersecurity Guide for Your Remote Workforce