
Security

In our digital era, where you can send a business email to the other side of the globe in an instant, it’s imperative that you take steps to improve your cyber security. If mobility of information is an integral part of your organisation, the threats to your data security may dramatically increase. At Spritzmonkey, we will help you find the right security to transform your profile, enabling your business to operate securely and safely, without risks to your reputation or finances.

There are a variety of effective frameworks, described below, that can be used to plan your cyber security strategy and ensure your gateways are closed to intruders with evil intent.

Our information security consultancy services will enable your business to operate securely and safely.

Please contact us to arrange a telephone or face to face appointment to discuss your information security needs.


There are a variety of different frameworks available to guide the approach to improving cyber security. In the UK, the National Cyber Security Centre (NCSC) has many online resources available and provides Cyber Essentials as a certification scheme. There are two levels of certification available, Cyber Essentials and Cyber Essentials Plus. In the US, the National Institute of Standards and Technology (NIST) Cybersecurity Framework was developed in 2014 and is used by many US and non-US organisations as the basis for establishing their cyber security processes. Other standard security frameworks, such as the CIS 18 Critical Controls, can provide further advice.

If you're concerned about cyber security but can't justify employing a full-time Chief Information Security Officer (CISO) or Information Security Manager, Spritzmonkey can provide a virtual CISO (vCISO) consultant on a contract service basis.

For those handling payment information, the Payment Card Industry Data Security Standard (PCI DSS) will apply. It is maintained by the PCI Security Standards Council. PCI DSS was first launched in 2004 and is currently on version 4.0, which was released in March 2022.

The international standard for an Information Security Management System is ISO 27001. Revised in 2022 as ISO 27001:2022, it can complement your approach to any of the above. Any security framework can complement IT frameworks such as ITIL or COBIT.

SOC reports are internal control reports based on a set of standards developed by the American Institute of Certified Public Accountants (AICPA). These reports demonstrate that an organisation’s information security meets a high level of compliance through on-site audits.

Your staff could be your greatest risk of a security breach in your business, although it may not be done deliberately. You can reduce these risks by implementing a corporate security awareness training programme and increasing your team’s skills so that they are cyber security savvy and are aware of how to act responsibly and safely when online representing your company.

Our Spritzmonkey consultants have specialist knowledge of all the above. With your organisation’s best interests and needs in mind, we will work with you to assess which of these is most suitable for your business and tailor it for implementation.

Cyber Security Health-Check

Threats to data security are prevalent in today’s digital era, where all businesses using the Internet are at risk. According to the Cyber Security Breaches Survey 2023, 32% of small businesses, 59% of medium businesses and 69% of large businesses have identified cyber security breaches in the previous 12 months. The cost of fixing the problem for a small company can be debilitating, and sometimes businesses don’t survive. Can you afford to take no action now? Why risk it when you can fix it now?

When you use Spritzmonkey as your cyber security consultant, we will work with you to assess and develop a security programme to keep your information and online data safe. We will carry out a cyber security audit on all of your current storage and security information. Then, using our expertise, we will assess your security risks and draw up a plan, recommending how to shield and safeguard your profitability. A cyber health check will provide you with an incisive and detailed report describing your current cyber risk status and critical exposures, and will draw on best practice – such as ISO 27001, CIS 18 Critical Controls, NCSC guidance and Cyber Essentials – to provide recommendations for reducing your cyber and compliance risk.

Our friendly consultants won’t bombard you with industry jargon, but will explain our action plan for your business in easy-to-understand terminology.

If you already have an in-house IT specialist or outsource your IT to a partner, we will complement their service by providing an independent overview to check that your business is secure.

Security Programme Development

Spritzmonkey are highly regarded as consultants providing bespoke advice to businesses on strategies to combat cyber security threats. A cyber security attack can be costly to your business’s reputation and finances and can destroy your IT system. As well-rounded cyber security experts, we will provide dedicated advice during our consultation to help you ensure that your enterprise is fully prepared for any malicious attacks or accidental breaches.

We will take an overview of your IT security infrastructure and the related technical and non-technical processes and management capabilities to identify your requirements, before presenting to you our recommendations for a cost-effective improvements programme targeted at tightening and transforming your digital defences.

Phishing Simulation

Phishing uses fake emails, texts, or phone calls to attack your business. The assailants can send out a spoof email to lure your employees into visiting websites that can be infected with malware, or they pretend to be someone they are not, to dupe the recipient into taking hazardous actions so they can steal your intellectual property or confidential files.

On your behalf, Spritzmonkey can employ a valuable tool known as a Phishing Simulation to assess how your staff respond to malicious spoof emails both before and after security awareness training. These controlled awareness-raising campaigns help alert your team, so they can see for themselves why such training is vital to avoid your business software being infected with malware. They also prove that your awareness campaigns are working. Spritzmonkey can undertake the whole process for you, either as part of a wider engagement or as a one-off exercise.

Visual Hacking

Companies risk being fined large sums of money if they fail to adhere to the Data Protection Act 2018 and EU GDPR. Whether you have clear security strategies and procedures in place or not, do you know how vulnerable your business is? Do your staff stick to GDPR protocol for handling people’s personal data or private information? You can commission Spritzmonkey to provide an undercover consultant to visit your office in order to take a visual assessment of your staff’s security attitudes.

Posing as a temporary member of your staff, our undercover consultant would assess your business’s security by accessing unlocked computers, copying documents left lying around and photographing notice boards, for example. This would alert you to the areas where training may be required. We would also note how your staff react to such suspicious behaviour and whether or not they challenge the fake employee.

At the end of the assignment, you will be provided with a written Spritzmonkey report which will include our observations, recommendations to address any problem areas and evidence of weak links in your procedures to back up our findings. You can point out to your crew their individual mistakes and where a real breach could have occurred. This is a great way of reinforcing the cyber security message, while helping your workers to recognise risks and acknowledge the importance of staff security awareness training. What better way to make your security message come alive in high definition?

Physical Security Assessments

This is another important layer of defence that Spritzmonkey can offer. You may wish to consider asking us to conduct a physical security assessment on your protection provision for personnel, software, hardware, data and networks from physical actions and events such as flood, fire, natural disasters, vandalism, terrorism, burglary or theft. If your organisation is vulnerable to such a physical security breach, the impact could be as devastating as any other type of attack and is generally far easier to exploit.

Spritzmonkey can audit your physical security to assess whether your company is at risk or vulnerable and recommend practical steps for improvement. This can be done either as part of an overall security engagement or as a one-off assignment.

Please contact us for further details or to arrange a telephone or face to face appointment to discuss your information security needs.

NHS Data Security and Protection Toolkit

The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient information must provide assurances that they are practising good information governance and use the Data Security and Protection Toolkit to evidence this by the publication of annual assessments. We have successfully assisted companies in the NHS supply chain to comply with the DSPT.

More and more organisations are moving essential services to third party organisations, who provide cloud and data storage, bill processing, and payroll services.