- 11th November 2019
- Posted by: cchchan
- Category: Blog
As technology becomes increasingly sophisticated and plays more of a role in our day to day lives, the risks surrounding cyber security change too. This means that the role of a Cyber Security Consultant changes with it and staying ahead of the hackers is vital.
So how does a Cyber Security Consultant spend their working day in 2019?
How does a Cyber Security Consultant stay up to date?
7:00am – Wake up and check the cyber security news sources for updates on the latest vulnerabilities to be discovered. As hacks often originate from overseas, the battle against cyber security threats takes place around the clock. With major hardware and software developers based in Japan and the USA, and many hacking attempts originating from China, India, Taiwan, Russia and Brazil, most major breaches take place overnight so there is often a lot to catch up on by the time the UK wakes up.
There is always a significant amount of news to digest. Each week, the National Cyber Security Centre produces a weekly threat report to summarise any major breaches. Other news and security advisories come directly from development teams. Regular targets for vulnerability exploits include web browsers such as Chrome, Firefox and Edge and website Content Management Systems like WordPress and Magento so these products all make regular announcements on any fixes or patches.
Other sources of vulnerabilities include the Common Vulnerabilities and Exposures list, an international effort by the cyber security community to help widely report and standardise any data breaches. The Cyber Security Consultant will check the list for the applications, databases, network types, hardware, firewalls and encryption systems used by clients and get in touch to put security measures in place if there are any new risks to manage.
What is a Cyber Security Consultant qualified to do?
9:00am – Conduct an on-site Cyber Essentials Plus vulnerability assessment
The Cyber Essentials Certification has become increasingly popular for organisations as an achievable way to protect their business from 80% of the most common cyber attacks. This is a UK government-backed scheme designed to protect the devices, internet connection, data and services of a firm or establishment. This scheme has a higher level variant, Cyber Essentials Plus. CE Plus requires an independent assessment of the 5 technical security controls to confirm that these 5 controls are in place.
As part of the Plus certification, a Cyber Security Consultant will verify that firewalls, configuration, user access, anti-malware and patching controls are all up to scratch. When a Cyber Essentials Plus certification is achieved, businesses can bid for advanced government contracts and increase business opportunities. The certification also includes an on-site vulnerability scan and report of all major non-compliance areas.
Carrying out this expert assessment and vulnerability scan can take a fair amount of time and is often dependent on the size of the organisation and the size of scope. CS Risk Management’s consultants will generally spend one day at your company’s headquarters to conduct the tests. This is usually sufficient to assess an SME or medium-sized organisation. The external scan is conducted before the on-site assessment meaning that by scanning a representative sample of each computer type, vulnerability scans for large companies can be completed within a day subject to proper preparation or equipment.
The Cyber Essentials Plus assessment involves testing all internet gateways, scanning every computer type used within the organisation, checking network credentials and servers, analysing the responsiveness of antivirus software and ensuring User Access Control policies are as they should be. If you are successful and obtain a pass, your Cyber Essentials Plus certificate will be issued. This will then need to be recertified annually to ensure that you are still compliant with the scheme.
How does a Cyber Security Consultant benefit a business?
1:00 pm – Conduct Cyber Security Audit Consultation Session
With the vulnerability scans underway, a Cyber Security Consultant may conduct other audits in conjunction with different international standards. This takes the form of a business-driven consultation on the overall process of assessing information risk, and is in line with the ISO 27005 risk assessment standard and the ISO 27001 Information Security Standard. The consultation is a two way session and offers support, guidance and advice in working out the current risks posed and creating a risk treatment plan.
ISO 27001 Consultancy and Risk Assessments
During the consultation, the ISO 27001 consultant can provide a tailored risk assessment criteria which is appropriate for the business’ sectors, activities and stakeholders, selecting from the 114 security controls found within the ISO 27001 Annex A. These can be used to determine the business’ current appetite for risk, identifying valuable or vulnerable assets that need to be protected and predicting the likelihood of an incident occurring. With these risks identified, the business impact can then be determined and an assessment produced detailing the overall risks in question.
With the detail about an organisation’s risk captured, a treatment plan can then be developed with steps detailing which risks need to be accepted, reduced or transferred depending on company attitudes and abilities. Risk reduction can be carried out in line with the ISO 27001 controls, in areas such as introducing information security policies, improving asset management, upgrading communications security and ensuring compliance with standards such as GDPR.
How does a Risk Management Consultant protect their own organisation?
4:00pm – Update internal ISMS
An Information Security Management System (ISMS) is a practical management tool to help organisations stay on top of information security risks. This system of processes makes an organisation more resilient to attacks on the confidentiality, availability and integrity of information. An ISMS should be regularly maintained and needs to grow as a business grows, through the concept of continuous improvement.
As a result of interacting with a wide range of organisations of different sizes and diverse sectors, new policies and methods of managing and protecting information can be finessed. These can be added to a cyber security consultant’s own organisation’s ISMS to check they are viable policies. If the implementation approaches turn out to be ineffective or clash with the day to day operations of a business and create unnecessary bureaucracy, they will need significant improvement before they can be recommended externally.
4 pm is often the start of the business day in the USA, so a consultant’s day ends the same way it begins, with checking the usual sources for news of cyber security risks, vulnerabilities, and fixes and passing these on to relevant clients. Once this is sorted, the consultant will return to the site where the Cyber Essentials Plus vulnerability scans have been running to interpret the results and provide either the certification or a report on areas for improvement.
No two days are the same for a cyber security consultant. The next day maybe spent recertifying for one of their many professional security certifications such as CISSP, CISM, CISA, GICSP, CBCI certification, and ISO 27001 lead implementer. Other consultants are on hand to help with urgent cyber security disaster recovery services, helping to minimise disruption and getting back on track as quickly as possible.
CS Risk Management prides itself on the quality of the work delivered by our risk management consultants. This leads to happy, long term clients that we can continue to improve and protect from the latest cyber-attacks. Through our long term commitment to organisations we have won multiple awards and had our Information Security Management Systems declared as “Best in Class”. To start working with our cyber security consultants, contact us today.