How cyber aware, prepared, and resilient is your business? Could you adequately defend and survive a cyber-attack?
The stakes are going up. Cybercrime is accelerating at an alarming rate, and average ransom payments - roughly 15% of the all-in cost of an attack [1] - have reached over $300,000 in 2022. If you were to be attacked today, do you have proper plans and defenses in place to minimize or even negate the damage [2]? Fortress SRM’s security consulting services will put you on a prudent path to cyber safety.
[1] Check Point, 2022
[2] Fortress SRM Cyber Cost Worksheet
Assessments are the core to understanding and identifying risk
Identifying and understanding cybersecurity vulnerabilities is critical because that awareness will lead to a prioritized list of security gaps and is the first step to planning, budgeting, and remediating weaknesses.
A risk assessment will identify the assets that could be impacted by a cyber-attack: critical operational and financial data, consumer and employee data, intellectual property, and where that data resides – servers, laptops, and network hardware. An assessment will reveal the risks unauthorized access to those assets could create for the organization. Having a quality assessment is a critical component of cyber safety.
After an assessment is completed, organizations should select a set of cybersecurity standards to use as a framework. This framework should be appropriate to the risks the organization faces and the industry they are in.
Established standards include: NIST CSF, NIST 800-171 or 800-53, FedRAMP, ISO 27000, and CIS - Critical Security Controls for Effective Cyber Defense. Organizations that are regulated under the following frameworks may use them as a cybersecurity control baseline: PCI DSS, HIPAA, GLBA, HITECH, and FISMA.
Assessments help organizations understand their cybersecurity risks and make appropriate mitigation choices, so they can defend against the threats that are most likely to happen. Assessments give organizations clarity on what they need to improve and where they are already excelling.
True story: It’s Monday morning, and today, Company X is going to announce a large acquisition, but as employees arrive to work, they find the company’s systems are locked. Even worse, their data has been ransomed, and the unknown attacker is threatening to expose proprietary secrets and specifics of the acquisition and destroy data unless the company pays a seven-figure ransom.
It’s a nightmare scenario, and it is happening more and more often to companies engaged in a merger or acquisition (M&A).
Cyber-attacks based on M&A activity aren’t coincidental; they happen because cybercriminals are skilled at finding companies involved in M&A and carefully time their attack, because they know the victims are highly motivated to get the deal done.
With merger and acquisition activity projected to increase for the remainder of 2022 and into 2023 [1], and data protection and related privacy and compliance regulations among the issues impacting M&A strategy and activity, is there anything you can do to prevent a cyber-attack before, during, or after a merger or acquisition?
Absolutely!
[1] Deloitte
Technical Testing: Vulnerability Assessments and Penetration Tests
Utilizing proactive digital forensics, Vulnerability Scans illuminate the effectiveness of operating system and third-party software patching operations, system vulnerabilities, and how well the organization’s security operations are being executed. Penetration Testing uses similar tactics, techniques, and procedures (TTPs) to those of threat actors to test defenses and Client alerting, monitoring, and response functions to better understand their complete cyber risk profile.
Fortress SRM offers a multi-faceted Technical Testing program designed to identify and understand an organization’s network and data security vulnerabilities from a technical, administrative, and operational standpoint. Fortress will identify the extent of an organization’s threat surface, any possible means of entry and exploitation, and provide a clear path towards addressing any discovered vulnerabilities and gaps.
The Fortress SRM Technical Testing Program is comprised of Vulnerability Assessments and Penetration Testing, each with Basic and Advanced levels of discovery.
Fortress helps companies decrease their regulatory compliance risk profile by:
- Addressing the myriad federal, state, industry, and trade association regulations and laws, including HIPAA, CCPA, ISO, and NIST, to name a few. We also employ an automation-assisted platform focused on today’s high-profile compliance frameworks that enables the Client to monitor, manage, and report on compliance achievement.
- Providing a continuous, organized process for regulatory preparedness and response
- Fostering alignment with our clients’ overall IT Security programs and business objectives to create a symbiotic relationship between technical countermeasures and overall risk mitigation
- Utilizing gap analyses to provide keen insight into current- and future-state capability and maturity, while generating a value-based prioritized roadmap evenly distributed along a manageable timeline
Cybersecurity Program Development is essential to building cyber resiliency in your organization
The high-level role of a VCISO incorporates the broad spectrum of authority and responsibility of a CISO, including, but not necessarily limited to:
- Establishing and supporting the enterprise’s Cybersecurity Strategic Plan (often in the form of a Written Information Security Plan - WISP)
- As required, directs staff in identifying, developing, implementing, and maintaining processes across the organization’s information security. Staff, in this case, includes both the company’s and Fortress’ consulting and/or technical resources
- Directs the establishment and implementation of written enterprise policies and procedures
- Coordinates deployment of any remediation efforts that are a result of an assessment and the subsequent Plan of Action Milestones (PoAM)
- Interfaces with appropriate company legal or outside counsel concerning new regulations governing the collection and use of personal information, protected information, and the like
- Directing awareness and training concerning Phishing and Tabletop Exercises
- Interfacing with an Incident Response Commander in the event of a material breach like a ransomware attack
- Communicating company-wide security and privacy goals
- Monitoring the effectiveness of the overall Cybersecurity-as-a-Service program and any privacy-related risk mitigation and compliance measures
- Cross-function role to Data Privacy and Protection Officers
- Directing Quarterly Business Reviews throughout the Cybersecurity-as-a-Service engagement
GRC Advisory Services come in the form of consulting, advice, and counsel concerning everything from establishing a Compliance Office at the Client organization, to full-scale implementation of GRC assessments and programs that coincide with cybersecurity planning and deployment.
GRC Advisory aims to provide the Client with, among other things, the Fortress CyberResiliency Index: a high-level measure of the company’s cyber maturity, degree of protection, and survivability in the event of a cyber-attack. The CyberResiliency Index draws on multiple assessments and the current-state cybersecurity programs in place throughout the organization, producing a confidence score that compares the company against proven, effective resiliency measurements and against its industry and peers.
Additionally, GRC Advisory provides the Client with a Compliance-as-a-Service (CaaS) program - a full or partial-scale compliance program that gives the Client the ability to anticipate, prepare for, and respond to growing regulatory requirements, coupled with cybersecurity that adapts to incremental or dramatic changes in regulatory compliance.
GRC Advisory can be accessed as part of a Cybersecurity-as-a-Service program, through CaaS, or independently from any current program the company may have in place.
Who has access to the critical data that is the lifeblood of your organization? Do you know?
Fortress SRM consults on policies, programs, and technologies to manage the roles and access privileges of users in on-premises and cloud-based systems and resources to constrain access to select people (Privileged Access Management - PAM). Fortress can assist with business requirements evaluation, policy creation, tool evaluation, and cost analysis to best advise on the appropriate choices for the organization.
Fortress SRM can also assist with the project implementation of the selected tool and create the day-to-day standard operating procedures (SOPs) required.
Employee, Executive, and Board Training
Organizations and their employees have legal and regulatory obligations to protect the privacy, integrity, and confidentiality of their data.
Researchers from Stanford University found that over 80 percent of all data breaches are caused by employee mistakes. Training employees to be cyber aware is one of the most impactful ways to increase an organization’s cybersecurity and start to build a culture of cyber safety.
Humans are the first layer of defense in network security and, in effect, a company’s human firewall. Human behavior in the face of increasingly sophisticated cyber threats is an important measure of a company’s ability to resist attacks such as phishing emails, one of cybercriminals’ favorite tools. These attempts to steal data, deliver malicious software (malware), or otherwise compromise the integrity of networks and computer systems work by tricking the recipient into clicking a malicious link, downloading a malicious attachment, or divulging sensitive information, and they must be stopped.
Companies must develop a culture of security, where users understand that their role includes rights and privileges, and therefore responsibility. They should foster this culture and look for additional ways to create excitement about security. Fortress provides a continuing education program that includes regular testing and awareness training that is essential for improving resilience to cyber-threats, as well as strengthening the human firewall.
Fortress SRM’s cybersecurity training typically covers:
- Why cybersecurity procedures are necessary and important
- How to create strong passwords
- Email handling, including how to recognize and address phishing attempts and avoid malicious file downloads
- Protecting mobile devices that are used outside of the organization’s facilities
- Understanding what to do and who to contact if a security incident occurs
- The need to limit access to data to only authorized personnel
- How to protect information when working remotely
- How to identify and avoid social engineering attempts
The program is customizable to industry and company workforce makeup.
Phishing Test Campaigns
Phishing test campaigns help heighten awareness and increase employee engagement around a company’s security initiatives by featuring real-world trap scenarios and consistently reinforcing positive behavior. Even the best trained companies have a test hit rate of 3%-4%. How does your company rate?
Identifying where critical data is stored enables organizations to implement appropriate security controls and measures to protect it. This might include encryption of data both at rest and in motion, privileged access controls that identify and narrow the number of authorized users of critical data (least privilege), and 24/7/365 monitoring mechanisms tailored to specific storage locations whether cloud, data center, or on premise.
Knowing where critical data is stored facilitates better data lifecycle management practices and informs procedures for data retention, archival, and disposal based on the sensitivity, importance, and location of that data.
Solid Data Protection and Data Classification procedures are essential for Incident Response, Compliance, and Third-Party Risk Management, and are fundamental to developing a robust cybersecurity strategy that effectively protects sensitive and valuable information from unauthorized access, loss, or compromise.
Fortress SRM delivers Threat Management in the form of a programmatic framework, holistic threat intelligence from a global, industry, or threat perspective, and/or orchestration services within our Security Operations Center, including EDR and SIEM analysis.
Fortress SRM Threat Management leverages leading technology systems, along with open-source inputs, providing you with visibility into some of today’s most potent Indicators of Compromise (IoC).
A well-implemented Threat Management program helps ensure you are on top of what is becoming an overwhelming number of threats, bad actor methods, insiders, vulnerabilities, and targeted industries, people, and systems.
A vendor risk assessment, or third-party risk assessment, is a process that enables an organization to choose and monitor its business partners, including the partners’ cybersecurity maturity and capability [1].
During the assessment process, Fortress will identify and evaluate the potential risks of working with a specific vendor. The Client then decides whether the rewards of the partnership outweigh the risks, based on the Client organization’s policies, procedures, mission, goals, and needs. Conducting vendor risk assessments can be a long and tedious process; however, vendor assessments share many similarities with a general assessment, so generally accepted cybersecurity frameworks can work well for vendor evaluation. Skipping vendor assessments could result in reputation damage, lost business, legal fees, and substantial fines: if any third-party vendor fails to comply with a regulation (such as data privacy or safety standards), the client company will face the consequences.
[1] 48% of organizations have no security requirements for their vendors (PCW, 2018)
Incident Response Preparedness is urgently needed to repel and survive an attack
A cyber-attack can be a devastating event if your organization is not prepared.
Whether it’s business email compromise, ransomware, or distributed denial of service, the forethought put into how you respond can mean the difference between a minor inconvenience and the survival of your business.
Fortress SRM’s Incident Response Preparedness advisory will guide your organization through all the planning and tactical actions needed to develop, practice, and achieve a high degree of cyber resiliency in the event of an attack.
Tabletop exercises, or attack simulations, are an important element in assuring a prompt and efficacious response to a cyber-attack.
Fortress SRM partners with our Client’s internal IT team and executive management (C-Suite, HR, Finance, Operations) to stage in-depth tabletops around various attack vectors: Ransomware, BEC/Wire Fraud, DDoS, and Insider Threat.
The White House, the FBI, and CISA all recommend that companies perform a cyber focused tabletop at least annually.
One of the most significant benefits of partnering with Fortress SRM has been their Frontline Service Desk services. Their team of skilled analysts provides round-the-clock support, ensuring that our employees always have access to the assistance they need. This has enabled our small IT department to function as a true 24x7x365 operation, allowing us to focus on more strategic initiatives instead of being constantly reactive. With Fortress SRM watching over our firm, we can confidently say that our IT team can do what it does best: support and defend the firm while driving strategic initiatives.
IT Director – Regional Premier Accounting and Advisory Firm
Fortress SRM has been an invaluable partner to our accounting firm. Their comprehensive endpoint protection, monitoring, and patching services have significantly strengthened our cybersecurity posture and reduced our risk exposure. Their efforts have helped us stay ahead of potential threats and maintain a secure IT environment. Their expertise and dedication have been instrumental in ensuring the success of our organization.
IT Director – Regional Premier Accounting and Advisory Firm
The Fortress SRM team is one of the key vendors that my company cannot do without. In the ever-changing and fast-paced world of IT and Cybersecurity, it is crucial that all companies partner with a group that is prepared to stay on top of the latest challenges. Fortress does that and more for us. No environment is 100% safe, but we have the peace of mind knowing that Fortress is there for us to navigate any challenges that we might face.
CTO, Leading US-Based Professional Employer Organization
The Fortress SRM team provided us a smooth and transparent transition to an MSP patching model. Their superior security solutions are more cost-effective and faster than our in-house efforts. Their communication, collaboration, professionalism, and responsiveness are commendable. We highly recommend Fortress SRM for their exceptional service and expertise.
CIO – Accounting, CPA, and Business Consulting Firm
Fortress SRM not only provided the best tools in the industry to improve our security posture, but they also helped us lower our insurance premiums. It has been a great experience, and we look forward to working with them for many years to come.
Cybersecurity Engineer – Retail Company
The realization was, we could dramatically improve our security and Fortress SRM could do it better, faster, and cheaper than we could do it ourselves.
VP, Global IT Security and Operations – Global Electronics Manufacturer
They are a consummate group of professionals who can evaluate a company’s maturity and respond at the right engagement level to address the incident response requirements and more. Zero hesitation with their support and documentation.
Director of Security – International Nonprofit Information Security Association
The Fortress SRM team has been an invaluable asset for our organization. Real world threats are ever-changing, and our strategic partnership adds the extra layer of granular security expertise and resources when necessary. The IR team parachuted in behind the threat actor’s lines and helped us get back to work within hours instead of days or weeks. We know we have one of the best security partners in the business and would not hesitate to recommend their team to our peers in our industry or others.
CIO – Major Financial Services Firm
Working with the Fortress SRM team on a daily operational basis on numerous programs to bolster the security footprint of the operation was an overall great experience during both a time of crisis and also normal operations – a rare find in a strategic partner.
Security Consultant – International Cybersecurity Certification Organization
The Fortress SRM team has helped our clients navigate the challenges of fast-moving data incidents and reach favorable resolution of all the risks that an incident presents. I have the highest confidence in their knowledge, experience, and practical problem-solving skills.
Partner and Chair of the Privacy and Cybersecurity Group – National Law Firm
You're not planning to fail, so don't fail to plan.