The NIS2 Directive is the EU-wide legislation on cybersecurity that came into force in 2023, following the original NIS rules introduced in 2016. NIS2 expanded the range of sectors and entities that must (legally) comply with the framework. The wider scope is intended to cover the "most critical" sectors: those vital to the economy and society, and heavily reliant on IT.
These six pertinent questions will let you rapidly establish an initial baseline of your capability...
What and where is our most critical data or system(s)?
As we at KEEP do more and more work around the world for corporations, government departments and CNI providers, we're seeing a recurring and worrying trend: blind faith. Whilst some of this may be cultural, it can no longer be used as justifiable reasoning for failing to secure core assets, understand the likely threats, or at least implement basic protections. Why?
What monitoring coverage do we have of our infrastructure, people, data, and suppliers?
The simple fact in cyber and information security is that there is NO single right or wrong way to go about things. Yes, there are frameworks, standards and guidance, which are good practices, BUT the right way for YOUR organisation may be totally different from that of another organisation. Yes, you may share the same goal of strong security, but what does that ultimately mean?
Do you model cyber threats, depict likely attack scenarios via attack trees, and report those findings back succinctly to those responsible for the risk(s)? Surely that's the preserve of large companies, with big budgets and oodles of staff? I hear you say… Perhaps, but any organisation, large or small, can start to model its cyber threats. Why?
If you have a CSP, MSSP, reseller or any other third party with access to your environment(s) and GDAP (Granular Delegated Admin Privileges) isn't implemented, it's likely they hold the Global Administrator role by default. If your provider hasn't contacted you about GDAP and/or implemented it already, you'd be right to question what else they haven't done for you.
If you're not particularly technical these acronyms may not mean much, but you can easily make the checks, even if you can't implement the fix! Read on… One of KEEP's consultants recently assessed a client (CNI) where only 55% of their domains had the necessary SPF and DMARC configurations correctly in place. This misconfiguration allows attackers, at a minimum, to easily spoof email from your domains and target your users. If you do nothing else this week, check the basics!
With decades of experience, KEEP is a trusted cyber security consultancy, providing tailored solutions for clients ranging from Critical National Infrastructure to SMBs.
We work with organisations in the UK and globally, delivering projects, guidance and outcomes suited to your business sector, risk preferences and financial capacity, targeting the highest level of cyber security for your organisation.
Our Services:
- Assurance Services: Our Assurance Services enable you to understand and quantify your current risks and vulnerabilities, and to prioritise their remediation.
- Risk Management: Without risk assessment and management, fundamental security falters. Let our consultants guide you and prioritise the actions most relevant to your organisation, threat profile, risk appetite and resources.
- Managed Security Services: Our Managed Services provide the benefits and scale of outsourcing with the knowledge and skills of our consultants and analysts.
- Microsoft Cloud Security Services: We are experts in Microsoft Sentinel and Microsoft Defender XDR.
Solutions To Your Cyber Security Challenges.