Well for us it means that it’s not a separate subject and we don’t do it, advise on it, or even talk about it in isolation. This is because our industry often sees security as a bolt-on, something to be added to, or overlaid onto your IT systems. This approach leads to security being talked about in terms of products and services – Network Security, Firewalls, Anti-virus etc. That’s why we see Managed Services Providers (MSPs) turning into Managed Services and Security Providers (MSSPs). And IT companies adding products to their portfolio so they can say they now do security!
Our approach to security starts with the belief that it runs throughout the entire organisation; it should be part of your DNA. It’s often said that IT is about enabling people. If you’re approach to security is to add it to your IT systems as an afterthought, then it can often be disabling. If you bake it into your organisation, we believe it can empower people.
Is Security really an IT Issue?
Macnamara includes Cyber Essentials as part of our standard Managed Service offering. Cyber Essentials is the nationally recognised Government scheme that helps businesses protect themselves from fraud and Cyber Attacks. It’s a great place to start but it’s really a point in time snapshot and doesn’t mean that you’re now secure.
A good analogy would be getting an MOT for your car. This means that your car is in full working order on the day you pass the MOT, but what happens if your exhaust falls off the next day? Is your car still compliant? There’s no continuity. By having CE as part of our Managed Service, we provide the continuity. Then there’s CE Plus. This takes things a step further by requiring separate technical validation. Again, we can provide this, but we won’t put you forward for it unless we’re sure that you understand what it means and are willing to adhere to the guidelines. This is generally why we only accredit and certify companies in Cyber Essentials that are already working with us. We don’t offer it as a separate stand-alone service.
CE is a good starting point, but it only addresses the technical aspects of security: Are your machines properly patched? Is your Firewall configured correctly? Do you run Anti-Virus? All of these are important, but Security isn’t just the domain of IT. At Macnamara we believe that you’re not secure unless the idea of Security is embraced by the whole business!
Business & Information Security
To bake Security into your business and move toward true Business and Information Security, you need to implement: Policies, Training and Awareness, and Compliance. To take this approach is to recognise not only the importance of Information Security, but the fact that it’s not a product or solution that’s implemented once, it’s a process that is and should be on-going. Furthermore, it’s an ethos that runs throughout the organisation.
We’d be lying to you if we said this was simple. It can be a very detailed undertaking, but we want to give you a sense of what’s involved.
Our approach mirrors the IASME Governance Model. The standard includes all five Cyber Essentials technical controls and adds additional topics that mostly relate to people and processes, for example:
- Risk assessment and management
- Change management
- Training and managing people
- Incident response and business continuity
Naturally, we start by carrying out a full assessment of your business. This helps us both to understand where we are, but perhaps more importantly, where you’d like to be. Not all businesses are the same and therefore not all businesses are required to be fully compliant to the highest level or standards. We need to understand what’s appropriate so that you’re not striving for ISO27001, when Cyber Essentials Plus is what’s needed.
The results of this assessment are then discussed, and a plan can then be agreed. This might look something like…
Creation of a single overarching Information Security policy, which should be drawn up and signed by the CEO. This will include a short clear statement about your commitment to information security and specify roles and responsibilities.
This policy would probably then be broken down into various areas, each with their own clear statements, for example:
- Data retention
- Business continuity
- Data protection
- Email and internet access
- Home working
- BYOD & mobile device management
- Asset management
- Password, encryption, and admin rights
- Security incident response
- Backup and archiving
These policies on their own will not achieve a significant improvement in your information security posture, but by accompanying each one with a clear set of procedural instructions on how to give effect to its objectives, a major improvement in security will be achieved.
For example, if the Password, Encryption and Admin Rights policy specifies that all emails containing personal information must be encrypted, the accompanying procedure should point to the data protection policy for a definition of personal information and give clear precise instructions on how to encrypt an email.
Compliance and Baselines
This approach allows us to create a security baseline and a compliant framework under which your organisation operates. We can then extend this security baseline to include technical baselines for your IT assets. A good example of this might be that all devices used to access your data must be encrypted. This is to protect against access to your information if such equipment is lost or stolen. E.g.
- Windows 10 Pro – Enable BitLocker
- Windows 10 Home – Should not be used
- Mac OS – Enable File Vault
- Android and iOS Devices – Enable native encryption
Implementing security enabled technical baselines creates compliant systems and software, which in turn allows your staff to be productive. They can carry out their day-to-day tasks safe in the knowledge that they can securely access the right information, from the right sources, using the right devices, from any location.
This is what we mean by Information Security!
We realize that our approach isn’t for everyone. But if what we’re describing makes sense then it’s probably worth us exploring it further.
Start by engaging us to carry out a GDPR and Security Assessment. Once this is completed you can either choose to carry on our engagement and have us implement, manage, and support the recommendations ongoing. Or alternatively, use it as a standalone independent audit.