“A lack of visibility and maturity around cyber security across the organisation”
In January 2016 XServus was engaged by the organisation to carry out a full cyber security assessment. They wanted to gain a full understanding and oversight of its vulnerabilities and then develop a road map for implementing all the changes required to transition into a highly resilient and risk-aware organisation.
Our project worked with a key focus on developing the people, process and best practice elements of cyber security, alongside creating a far more robust set of technologies, infrastructure and security.
What we did
This project was predominantly led by a thorough audit of the organisation's current cyber security approach, maturity and capability. Unlike typical security audits, where the servers and infrastructure would simply be scanned for vulnerabilities, this was a full organisation-wide audit. We assessed the technology, the people and the processes used across all areas of the Organisation for strengths and weaknesses, threats and vulnerabilities.
Further to documenting our findings, we had to develop a number of employee engagement activities. Firstly, ahead of the audit we built trusting relationships across all the important areas of IT. This was to enable us to gather the best results in a non-challenging but collaborative way. Secondly, we had to run genuinely useful tests and simulations around cyber security threats in order to evidence the audit findings and raise much greater awareness of how modern security threats and vulnerabilities could manifest themselves in the organisation. This was a highly important part of the project, as we needed to be successful in engaging all members of the internal team and explaining to them why and how improvements to their security would be valuable to them and their users.
Why the client chose XServus
The major health care organisation approached XServus as our reputation was known to them, both as a consulting partner who would quickly understand their challenges at a technical and an organisational level, and as a supplier who could be trusted to deliver high quality work, on time and on budget.
We believe clients such as the Organisation value our ability to engage across the organisation, listen to the views and concerns of the wider teams and build up trust before we begin making any significant changes. This upfront effort has consistently proven to us that establishing a broad foundation of trust enables a far more successful and timely project and outcome for everyone involved. The Organisation also appreciated and benefited from our ability to challenge and question their current ways of working, in the right places and at the right time. This allows XServus as a supplier to uncover the true challenges facing IT and solve complex issues at the root cause, thus enabling long-term and effective change. This way of working also allowed us to uncover important and well-hidden vulnerabilities, which would otherwise have gone unseen and almost certainly been exploited.
The leadership team at the Organisation also valued that we were experienced and qualified in a wide range of methodologies which were relevant to and/or used in the organisation, such as TOGAF, Prince2, ITIL, ISO27001, MoR, NHS NIMM and HSCIC IGT. This meant we were quickly able to fit in with their own internal best practices, their adoption of frameworks such as ITIL and the common IT language used across the organisation.
How we delivered the project
We began the project by analysing the brief and the objective set against some initial fact finding and research. We then re-evaluated the requirements for the project and set internal objectives for XServus to meet. For this project, we set the following objectives:
- To understand the business, IT organisation and security capabilities
- To establish the current maturity of all ITSM processes
- To review current software versioning and patching levels
- To understand the current approach to deploying updates and patches
- To identify critical and tactical security weaknesses in the existing environment
- To present new strategic initiatives, which would enable long term security management capabilities
We quickly established a plan for assessing all the areas of IT and security to review, in order to gather all the data and requirements needed to make effective recommendations for improvements. We also established the key relationships we would need to form around the organisation to make the project run well.
- Interviews and Workshops
The second phase of the project was to carry out qualitative research around the Organisation to establish an accurate view of the current understanding and maturity around cyber security. We were quickly able to use interviews and workshops with both senior and junior IT staff, to build up a genuine picture of the current state, then use that to improve our project plan.
- Technical Discovery & Audit
We used a number of manual and automated techniques and technologies to analyse the entire IT estate. Discovery tools were used to map every desktop, server and device across the network and then to map all the current instances of software, OS versions, anti-virus and security levels. This also enabled us to begin understanding the organisation's current approach to deployment, patching and monitoring threats.
- Red Team Simulation
To both understand the current capability for cyber resilience and to further educate IT staff around how modern IT threats manifest, we carried out a ‘Red Team’ simulation. Red Team is a long-established method of penetration testing and ‘white-hat hacking’ which tests an organisation's ability to detect, identify and prevent security threats. It is also an effective way of quickly gaining visibility of where the most vulnerable points of entry are in an IT environment. With the Organisation we used this simulation to discover gaps not just in the technology they were using, but in the staff awareness, training, processes and best practice, which were then all included in the road map for security improvements.
- Vulnerability Assessment
Once aware of each vulnerability within the organisation, we were able to assess each one individually. For each vulnerability, we assessed the realistic risk and impact of a breach in that area, the root cause of the weakness and then produced a set of actions for resolving and maintaining a suitable security measure. We were successful in identifying a range of vulnerabilities.
- Report Creation & Interim Playback
Our findings and recommendations then had to be presented back to several key areas of the Organisation, including the IT leadership team and systems administration staff. For higher level members of the organisation we prepared a detailed presentation, showing how we approached the work and the risks created for both staff and patients by the current vulnerabilities. We were successful in communicating all the existing threats and risks in such a way that all the key stakeholders were able to understand and support the investment required in making the needed improvements and changes.
- Final presentation and report
At the closure of the project, we provided a full report and assessment which could be shared across the Organisation so that all findings and recommendations could be understood and actioned by the relevant teams and staff. Senior leadership were also given tailored and relevant reports and materials, which could be used to demonstrate the risks and required investments to the board of the Organisation, in order to secure the best chance of success for the improvements needed.
A road map for change
Our assessment, findings and report were also presented as a roadmap of changes and improvements to be made over time, which allowed the prioritisation and management of security improvements to be made in a realistic, measurable and achievable timeframe.
The whole IT organisation benefited from a broad education around modern cyber security threats and a detailed understanding of the unique threats in their environment. They were also given the tools required to improve their own self-learning and become more aware of the general landscape of IT and Cyber related threats.
Evidence for investment
Providing an assessment and report which would support the investment in resources was critical to the success of the project. Many of the senior and technical staff were already aware of, and wanted, some of the important security improvements but were unable to provide the evidence required to demonstrate both the tangible threat and its risk impact. The evidence, findings and roadmaps created by XServus were vital tools towards gaining the investment and resources the organisation needed to become secure from cyber threats.