Building a strong security foundation

No matter the type of organisation, good, strong fundamentals in its security setup will always be key

Günter Bayer, chief information officer at Stryve: ‘With security awareness training, it’s teaching people what to look out for, and it’s one of the simplest things you can do’

The cybersecurity industry can feel overwhelming at times. With numerous products and services out there, it’s easy for the average organisation to treat a flashy product as a silver bullet, but all good security comes back to the fundamentals.

No matter what size of organisation you are or what industry you’re in, one of the biggest things you can do to protect yourself is to keep awareness high, Günter Bayer, chief information officer at Stryve, said.

“With security awareness training, it’s teaching people what to look out for, and it’s one of the simplest things you can do,” he said. “When done well, it can stop many bigger issues.”

While the style of attacks changes and evolves, the main vectors remain consistent. Recent stats from IBM’s Cost of a Data Breach 2022 report found that stolen or compromised credentials were one of the top attack vectors (19 per cent), with phishing following up suit (16 per cent).

Security faces an issue where many tools and services require a certain amount of investment to use or continuously avail of. Smaller businesses wouldn’t be able to afford that, so the focus should be on returning to basics.

Even then, larger organisations can benefit from the same philosophy where simple changes like password phrases can go a long way.

If you cover the basics, said Bayer, everything else is enhancements relative to what the business needs.

That said, even knowing what the fundamentals are and what protocols and policies to implement can be a challenge.

A model that Bayer has seen growing in popularity is the Cyber Essentials certification – a British-backed and EU-recognised set of basic technical controls organisations should have in place to protect themselves against common online threats.

Designed for any sized business in any sector, it shows that an organisation has committed to good cybersecurity practices, guarding themselves against attacks and filling customers and suppliers with confidence. Such a standard gives a good entry point for a good security posture.

“What’s happening recently is that businesses are requesting that you have at least Cyber Essentials certification,” he said. “It validates the business as it’s meeting the minimum requirements for security.

“It’s quite a nice thing as it shows the outside world that you’re a responsible IT operator when interacting with users, customers and other businesses.”

Once the larger organisations have the fundamentals down to a tee, they can start thinking about what else to add to augment and complement their setup. Stryve offers many security services such as secure cloud, Pen Testing, Disaster Recovery, and more.

One service it offers is CISO (Chief Information Security Officer) as-a-service. Bayer mentions two reasons why a company may take one on. The first is that an organisation may not know what to do to achieve a good security posture, which requires sorting out the basics.

Once that’s in place, it feeds into the other reason: to have an outside viewpoint look at your policies, procedures and technologies and provide an objective perspective on your setup. The result is the same, said Bayer, where all organisations want to be moving forward instead of sideways.

Overall, organisations are looking for the same validation that they’re on the right track. Whether it’s following Cyber Essentials Certification or bringing in a CISO or CIO, businesses want to know that the measures they’re taking are effective and have a purpose to them.

“What people are looking for is a validator,” he said. “They want to know what they’re doing is right, that they are going down the right path and covering their bases.

“With the CISO space, you can also be looking at whether the business is complying with standards and regulations like the pharmaceutical industry.”

And it’s best to avoid purchasing something for the sake of it. It’s easy for an organisation to sell a product, but even if it’s best of class, it will have no impact if the fundamentals aren’t in place.

That philosophy is something Stryve adheres to. It helps organisations develop the fundamentals first – if needed – as they will always determine the difference between an attack crippling an organisation or causing a blip in day-to-day operations.

“We don’t want to try and sell people stuff; we want to be your partner,” he said. “From a CISO advisory to security services, all these offerings tie together, but also they can work independently from each other.”

“Rather than being a transaction, we’re about helping people on their journey, advising people and using our experience to deliver the best possible partnership.”