How cyber aware, prepared, and resilient is your business? Could you adequately defend and survive a cyber-attack?
Assessments are at the core of understanding and identifying risk
Identifying and understanding cybersecurity vulnerabilities is critical because that awareness will lead to a prioritized list of security gaps and is the first step to planning, budgeting, and remediating weaknesses.
A risk assessment will identify the assets that could be impacted by a cyber-attack: critical operational and financial data, consumer and employee data, intellectual property, and where that data resides – servers, laptops, and network hardware. An assessment will reveal the risks unauthorized access to those assets could create for the organization. Having a quality assessment is a critical component of cyber safety.
After an assessment is completed, organizations should select a set of cybersecurity standards to use as a framework. This framework should be appropriate to the risks the organization faces and the industry they are in.
Established standards include: NIST CSF, NIST 800-171 or 800-53, FedRAMP, ISO 27000, and the CIS Critical Security Controls for Effective Cyber Defense. Organizations that are regulated under the following frameworks may use them as their cybersecurity control baseline: PCI-DSS, HIPAA, GLBA, HITECH, and FISMA.
Assessments help organizations understand their cybersecurity risks and make appropriate mitigation choices, so they can defend against the threats most likely to occur. Assessments give organizations clarity about what they need to improve and where they are already excelling.
True story: It’s Monday morning, and today, Company X is going to announce a large acquisition, but as employees arrive to work, they find the company’s systems are locked. Even worse, their data has been ransomed, and the unknown attacker is threatening to expose proprietary secrets and specifics of the acquisition and destroy data unless the company pays a seven-figure ransom.
It’s a nightmare scenario, and it is happening more and more often to companies engaged in a merger or acquisition (M&A).
Cyber-attacks based on M&A activity aren’t coincidental; they happen because cybercriminals are skilled at finding companies involved in M&A and carefully time their attack, because they know the victims are highly motivated to get the deal done.
With merger and acquisition activity projected to increase for the remainder of 2022 and into 2023 [1], and data protection and related privacy and compliance regulations among the issues impacting M&A strategy and activity, is there anything you can do to prevent a cyber-attack before, during, or after a merger or acquisition?
Absolutely!
[1] Deloitte
A vendor risk assessment, or third-party risk assessment, is a process that enables an organization to choose and monitor its business partners, including those partners' cybersecurity maturity and capability [1].
During the assessment process, Fortress will identify and evaluate the potential risks of working with a specific vendor. The Client then decides whether the rewards of the partnership outweigh the risks, based on the Client organization’s policies, procedures, mission, goals, and needs. Conducting vendor risk assessments can be a long and tedious process; however, a vendor assessment shares much with a general assessment, so generally accepted cybersecurity frameworks work well for vendor evaluation. Failing to assess vendors could result in reputation damage, lost business, legal fees, and substantial fines: if a third-party vendor fails to comply with a regulation (such as a data privacy or safety standard), the client company will face the consequences.
[1] 48% of organizations have no security requirements for their vendors (PwC, 2018)
Technical Testing: Vulnerability Assessments and Penetration Tests
Using proactive digital forensics, Vulnerability Scans illuminate the effectiveness of operating system and third-party software patching, expose system vulnerabilities, and show how well the organization’s security operations are being executed. Penetration Testing uses tactics, techniques, and procedures (TTPs) similar to those of threat actors to test defenses and the Client’s alerting, monitoring, and response functions, giving the Client a fuller understanding of their complete cyber risk profile.
Fortress offers a multi-faceted Technical Testing program designed to identify and understand an organization’s network and data security vulnerabilities from a technical, administrative, and operational standpoint. Fortress will identify the extent of an organization’s threat surface and any possible means of entry and exploitation, and provide a clear path towards addressing any discovered vulnerabilities and gaps.
The Fortress Technical Testing Program comprises Vulnerability Assessments and Penetration Testing, each with Basic and Advanced levels of discovery.
Fortress helps companies decrease their regulatory compliance risk profile by:
- Addressing the myriad federal, state, industry, and trade association regulations and laws, including HIPAA, CCPA, ISO, and NIST, to name a few. We also employ an automation-assisted platform focused on today’s high-profile compliance frameworks that enables the Client to monitor, manage, and report on compliance achievement.
- Providing a continuous, organized process for regulatory preparedness and response
- Fostering alignment with our clients’ overall IT Security programs and business objectives to create a symbiotic relationship between technical countermeasures and overall risk mitigation
- Utilizing gap analyses to provide keen insight into current- and future-state capability and maturity, while generating a value-based prioritized roadmap evenly distributed along a manageable timeline
Cybersecurity Program Development is essential to building cyber resiliency in your organization
The high-level role of a VCISO incorporates the broad spectrum of authority and responsibility of a CISO, including, but not necessarily limited to:
- Establishing and supporting the enterprise’s Cybersecurity Strategic Plan (often in the form of a Written Information Security Plan, or WISP)
- As required, directing staff in identifying, developing, implementing, and maintaining processes across the organization’s information security. Staff, in this case, includes both the company’s and Fortress’ consulting and/or technical resources
- Directing the establishment and implementation of written enterprise policies and procedures
- Coordinating deployment of any remediation efforts that result from an assessment and the subsequent Plan of Action and Milestones (POA&M)
- Interfacing with appropriate company legal or outside counsel concerning new regulations governing the collection and use of personal information, protected information, and the like
- Directing awareness and training concerning Phishing and Tabletop Exercises
- Interfacing with an Incident Response Commander in the event of a material breach such as a ransomware attack
- Communicating company-wide security and privacy goals
- Monitoring the effectiveness of the overall Cybersecurity-as-a-Service program and any privacy-related risk mitigation and compliance measures
- Serving in a cross-functional role alongside Data Privacy and Protection Officers
- Directing Quarterly Business Reviews throughout the Cybersecurity-as-a-Service engagement
Multi-Factor Authentication (MFA)
Multi-factor authentication encompasses two-factor authentication (2FA) and is a digital authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (factors) to an authentication mechanism. The factors are knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data, which may include personal identification or financial assets, from being accessed by an unauthorized third party that may have discovered, for example, a single password. A third-party authenticator (TPA) app enables two-factor authentication, usually by showing a randomly generated and frequently changing code to use for authentication.
Fortress provides full implementation and testing for MFA on a project basis customized to the Client’s unique situation and technology stack.
Geo-Fencing
Security is knowing who is on your network and exactly where in the world they are. In the age of remote work, location identification and remote control of assets are essential.
GRC Advisory Services come in the form of consulting, advice, and counsel concerning everything from establishing a Compliance Office at the Client organization, to full-scale implementation of GRC assessments and programs that coincide with cybersecurity planning and deployment.
GRC Advisory aims to provide the Client, in part through the Fortress CyberResiliency Index, with a high-level measure of the company’s cyber maturity, degree of protection, and survivability in the event of a cyber-attack. The CyberResiliency Index leverages multiple assessments and the current-state cybersecurity programs in place throughout the organization, producing a confidence score that compares the company against proven, effective resiliency measurements and against its industry and peers.
Additionally, GRC Advisory provides the Client with a Compliance-as-a-Service (CaaS) program - a full or partial-scale compliance program that gives the Client the ability to anticipate, prepare for, and respond to growing regulatory requirements, coupled with cybersecurity that adapts to incremental or dramatic changes in regulatory compliance.
GRC Advisory can be accessed as part of a Cybersecurity-as-a-Service program, through CaaS, or independently from any current program the company may have in place.
Who has access to the critical data that is the lifeblood of your organization? Do you know?
Fortress consults on policies, programs, and technologies to manage the roles and access privileges of users in on-premises and cloud-based systems and resources to constrain access to select people (Privileged Access Management - PAM). Fortress can assist with business requirements evaluation, policy creation, tool evaluation, and cost analysis to best advise on the appropriate choices for the organization.
Fortress can also assist with the project implementation of the selected tool and create the day-to-day standard operating procedures (SOPs) required.
Fortress delivers Threat Management in the form of a programmatic framework, holistic threat intelligence from a global, industry, or threat perspective, and/or orchestration services within our Security Operations Center, including EDR and SIEM analysis.
Fortress Threat Management leverages leading technology systems, along with open-source inputs, providing you with visibility into some of today’s most potent Indicators of Compromise (IoC).
A well-implemented Threat Management program helps ensure you are on top of what is becoming an overwhelming number of threats, bad actor methods, insiders, vulnerabilities, and targeted industries, people, and systems.
Employee, Executive, and Board Training
Organizations and their employees have legal and regulatory obligations to protect the privacy, integrity, and confidentiality of their data.
Researchers from Stanford University found that over 80 percent of all data breaches are caused by employee mistakes. Training employees to be cyber aware is one of the most impactful ways to increase an organization’s cybersecurity and start to build a culture of cyber safety.
Humans are the first layer of defense in network security and, in effect, a company’s human firewall. Human behavior in the face of increasingly sophisticated cyber threats is an important measure of a company’s ability to resist attacks such as phishing emails, one of cybercriminals’ favorite tools. Phishing attempts trick the recipient into clicking a malicious link, downloading a malicious attachment, or divulging sensitive information in order to steal data, deliver malicious software (malware), or otherwise compromise the integrity of networks and computer systems, and they must be stopped.
Companies must develop a culture of security, where users understand that their role includes rights and privileges, and therefore responsibility. They should foster this culture and look for additional ways to create excitement about security. Fortress provides a continuing education program that includes regular testing and awareness training that is essential for improving resilience to cyber-threats, as well as strengthening the human firewall.
Fortress’ cybersecurity training typically covers:
- Why cybersecurity procedures are necessary and important
- How to create strong passwords
- Email handling, including how to recognize and address phishing attempts and avoid malicious file downloads
- Protecting mobile devices that are used outside of the organization’s facilities
- Understanding what to do and who to contact if a security incident occurs
- The need to limit access to data to only authorized personnel
- How to protect information when working remotely
- How to identify and avoid social engineering attempts
The program is customizable to industry and company workforce makeup.
Phishing Test Campaigns
Phishing test campaigns help heighten awareness and increase employee engagement around a company’s security initiatives by featuring real-world trap scenarios and consistently reinforcing positive behavior. Even the best-trained companies have a test hit rate of 3%-4%. How does your company rate?
Incident Response Preparedness is urgently needed to repel and survive an attack
Fortress’ Incident Response Preparedness advisory will guide your organization through all the planning and tactical actions needed to develop, practice, and achieve a high degree of cyber resiliency in the event of an attack.
You're not planning to fail, so don't fail to plan.