Informed by experience
We used our decades of experience in IT and information security management, as well as our first-hand engagement investigating hundreds of cyber incidents, to deliver a comprehensive assessment based on the common risk concerns of cyber insurance underwriters and cyber security best practice from standards such as ISO 27001, PCI DSS and NIST. Our findings are summarised to clients by rating their cyber risk management maturity in five key areas, combined with an 'Attackers Eye View' scan.
Skills & resources
We review staff roles and ensure they are clearly defined and assigned to those with appropriate experience or cyber risk qualifications. We also check that the organisation has proper IT resourcing, considering the information it stores and processes. We base our scoring on best practice, considering the organisation's size combined with the assets it handles.
Documentation & workflows
Our assessment reviews organisational policies to ensure the correct procedures are in place with appropriate guidance, standards and agreements. A high maturity indicates that a hierarchical document set exists, is regularly updated and is followed. We examine the organisation's cybersecurity culture: are staff aware of cyber threats, governance documents and their obligations?
Security protection & detection
We review whether the technologies used to protect the organisation's business data are planned, budgeted, implemented, up to date and operated effectively. We review security-specific solutions and the security functions available within other standard IT technology, such as operating systems and databases. We apply best practice to review key safeguards using a layered approach.
Reliance & assurance
We review the assurances an organisation has in regard to its outsourcing partners and vendors. A high maturity indicates the company has considered a degree of trust and cybersecurity as important factors in its contractual relationships. We pay particular attention to clients' existing relationships and standard practices when planning outsourcing and vendor assignments.
Records & control
Data asset awareness
We examine how the organisation categorises the data it utilises. We ensure that critical personal and other business data is clearly understood so that the organisation can suitably assess the risks associated with these assets. As part of our assessment report, we produce a data asset register allowing clients to gain clarity over data access content and aggregation, to assign ownership and retention policy.
Many businesses unnecessarily leak information which is used by attackers to scam them and compromise their systems. Our profiler service provides an attacker's perspective on an organisation's online presence. We scan for vulnerable systems, configurations, user accounts, domains, third-party links, technology investment, and other sensitive details. Results then drive practical recommendations for remediation.
We rank an organisation's resilience using a straightforward 1-5 score in five key maturity areas. Our scores use proprietary logic functions applied to the information gathered over a personal one-to-one 90-minute security review by our expert assessors.
We summarise assessment findings in a tailored opinion statement. The jargon-less summary clearly outlines the assessment findings for both technical and non-technical executives.
This area provides an overview of every finding paired with a visual high/medium/low risk determination. With one glimpse, a business can identify its cyber strengths and weaknesses.
In-depth remediation details
This section lists each assessment finding in order of urgency. We document each high/medium risk with a reason for its determination. The report also contains clear remediation advice for every high and medium risk, in addition to a commentary on low risks. Tags show a direct relationship to maturity improvement.
This checklist provides a clear action plan for the assessed organisation. The ten most urgent findings are summarised and scored. This section allows the assessed business to determine key remediation actions on its overall cyber maturity.
Data asset register
Many organisations are not aware of the information assets they store and process. As a result, they cannot demonstrate the steps taken to understand and protect these assets. The Cyber3 assessment generates a formal information asset register enabling tracking of ownership, access control and data retention policy.
We help organisations understand the attacker's perspective by including an open-source intelligence assessment. This section scans the business for susceptible technologies, misconfigured services, vulnerable user accounts, and many other details commonly used by hackers to breach organisations.
Cyber3 report sections
We outline assessment findings in a comprehensive, well-structured report. The report contains jargon-less insights that are easy for both technical and non-technical executives to understand. Using the following report structure, we can raise risks clearly and provide a path to remediation with direct links from our recommendations to stepped improvements in cyber risk management maturity.
Improving cyber security
Our assessment is performed over a 90-minute call with a STORM Guidance cybersecurity expert. As part of the review, we also complete an 'Attackers-Eye-View' scan of the company's entire digital estate. This scan examines all public-facing digital assets for security threats, domain misconfigurations and other vulnerabilities.
The result is a certificate of assessment, a comprehensive risk management report incorporating our unique maturity scoring, and a straightforward strategy to achieve cyber resilience. Assessments are priced at £995 with discounts available for insurers, brokers and their clients.