SAVVY SERVICES
We offer a wide range of cybersecurity services to suit your business needs
CONSULTANCY
Recognising not all businesses are the same, we don’t believe in a one-size-fits-all approach. Therefore, our service is unique. Assessments can be organisation-wide level, or the service can be delivered focusing on individual projects or initiatives. We contextualise our assessment to your business risk appetite, the business size and the sector in which you operate. We digitise the results, allowing you to understand your security posture in detail, not simply in terms of technical defences but equally in the more significant concerns of ‘People’ and ‘Process’.
The Savvy Assessment delivers fast results and cuts straight to the point. So you won’t be waiting weeks for a lengthy report to be produced; instead, your results are with you in a matter of hours. And because pictures paint a thousand words, at Cyber Savvy, we display your results in a Cyber Savvy Dashboard. This visual representation gives you absolute clarity of critical failings, areas of misalignment and opportunities to streamline and enhance your current security posture and business operations.
What’s more, the team will then conduct a call with you to talk you through the findings, recommended prioritisation of actions and quick wins to mitigate business risk to tolerable levels.
SAVVY ASSESSMENT
Cyber Savvy's experienced professionals can undertake qualitative and quantitative cyber and information security risk assessments to identify the threats and vulnerabilities facing your organisation and assist you in making informed cost-effective decisions regarding control investment.
Recognising not all businesses are the same, we don’t believe in a one-size-fits-all approach. Therefore, our service is unique. Assessments can be organisation-wide level, or the service can be delivered focusing on individual projects or initiatives. We contextualise our assessment to your business risk appetite, the business size and the sector in which you operate. We digitise the results, allowing you to understand your security posture in detail, not simply in terms of technical defences but equally in the more significant concerns of ‘People’ and ‘Process’.
The Savvy Assessment delivers fast results and cuts straight to the point. So you won’t be waiting weeks for a lengthy report to be produced; instead, your results are with you in a matter of hours. And because pictures paint a thousand words, at Cyber Savvy, we display your results in a Cyber Savvy Dashboard. This visual representation gives you absolute clarity of critical failings, areas of misalignment and opportunities to streamline and enhance your current security posture and business operations.
What’s more, the team will then conduct a call with you to talk you through the findings, recommended prioritisation of actions and quick wins to mitigate business risk to tolerable levels.
Cyber and Information Security - What it is and is not!
The industry does a pretty good job at confusing what ‘Cyber’, ‘Data’ and ‘Information’ Security is and is not. What’s more, it only has itself to blame for the ‘image crisis’ it suffers amongst the Small-Medium Sized Businesses (SMB) community who all too often view cyber security as a corporate requirement or a job for their outsourced IT provider.
For this exact reason, we established Cyber Savvy to cut through the industry noise and provide SMBs with Affordable, Accessible, Applicable and Adaptable solutions and services.
Cyber Security explained...
Doctrinally defined as; “the ability to protect or defend the use of Cyberspace from cyber attacks.”
It’s not all that helpful a definition, is it? And by now, you are probably asking yourself, what is ‘Cyberspace’?!? Cyberspace is defined as “a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers”.
Back to Earth for a minute…
In practice, Cyber Security is focused on protecting data in electronic form; this is likely to include computers, servers, networks, mobile devices, etc. The aim is to ensure these assets are resistant to compromise or attack. Part of that requires identifying the critical data, where it resides, its risk exposure, and the ‘people’ ‘process’ and ‘technological’ controls you must implement to protect it.
Information Security explained...
Doctrinally defined as;
“Protecting Information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction to provide:
- Confidentiality, which means preserving authorised restrictions on access and disclosure, including means for protecting personal privacy and proprietary Information
- Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
- Availability, which means ensuring timely and reliable access to and use of information".
Note; you will often hear ‘Confidentiality’, Integrity and ‘Availability’ referred to as CIA.
In practical terms, ‘Data’ and ‘Information’ are intrinsically linked; consider ‘Information’ as ‘data’ placed into context and the two terms’ broadly’ interchangeable within business, at a ‘high-level’.
In modern business, most data resides electronically on servers, desktops, laptops, or somewhere on the Internet – but a decade ago, before ‘Confidential’, ‘Sensitive’ or ‘Private’ Information migrated online, it was sitting in a filing cabinet. In many instances, across every sector, those filing cabinets still exist. Therefore, Information Security is concerned with making sure data, ‘in any form’ is protected.
Where they overlap...
There is a clear overlap between ‘Cyber’ and ‘Information’ Security, which adds to the confusion. Ultimately, the value of the data is generally the biggest concern for both types of security;
In Information Security, the primary concern is to preserve the CIA of the data.
In Cyber Security, the primary concern is protecting against unauthorised electronic access to the data.
In both circumstances, it is important to understand what data, if accessed without authorisation, is most damaging to the organisation, so a ‘security framework’ can be established with appropriate controls in place to prevent unauthorised access.
Where there are dedicated resources in separate teams, both teams will likely work together to establish a Data Protection framework. For example, simplistically and by way of example, the Information Security team prioritises the data to be protected, and the Cyber Security team develops the protocols for data protection.
What Cyber is not...
Perhaps the greatest miscommunication/misconception within ‘Cyber Space’ (:-)) is that it’s an ‘IT problem’ or ‘Techie’ pursuit. It’s not; in fact, it’s not even close. Cyber is a ‘people’ problem with ‘human error’ the leading cause of 95% of all cyber security breaches. In other words, if human error was somehow eliminated, 19 out of 20 cyber breaches may not have taken place at all!
Your people will always be your first and last line of defence. Of course, technology plays a role in cybersecurity but don’t view Cyber Security as a product, i.e. something you buy, take out the box, plug in and press play! Consider Cyber Security instead as a process. It requires constant and deliberate effort to establish and maintain. After all, that same ‘human user’ is responsible for configuring and programming that ‘techie’ product to work with all the others.
Above all, cyber is not “* * SPECIAL * *””! It is ‘just another’ business risk. Focus on those business risks and not the infinite ‘cyber threats’ you hear of with each daily news report.
Consider an integrated, holistic approach to cyber security instead. This is where the need for Information Security and Cyber Security unite. For example, adopting an ‘Inside-out’ approach; first with the Business Strategy; primary risks (including cyber) to that strategy; and, finally, on the assets, processes and procedures essential to the achievement of that strategy.
By doing so, the business identifies its ‘Crown Jewels’, the critical business assets and associated processes which are essential to business success. Only then consider the internal and external threats that may pose a risk to those ‘critical’ business assets.
This approach enables a business to focus its finite cyber-protection resources to their greatest effect instead of spreading cyber investment across the infinite number of cybersecurity measures they could invest in.
If you haven’t already, book a call to discuss our Savvy Business or Savvy Franchise Programmes, which are designed to identify and protect your critical business assets and maximise your security ROI.
If you are already running a business cyber security programme, you may only need ‘bolt-on’ coaching or consultancy services under the Savvy Services Drop down menu. However, if you’re not sure of your need or wish to validate what you’re already doing with a ‘3rd-eye perspective’ (another view), give us a call or book in for a ‘Savvy Assessment.’
Our business is securing your business; Process over Product – People, Process & Technology.
Protect your business with one of our programmes or services…
Not sure where to start with Cyber Security, but want to understand your current cybersecurity posture?
Consider perhaps starting first with an assessment.
Cyber Savvy’s experienced professionals can undertake qualitative and quantitative cyber and information security risk assessments to identify the threats and vulnerabilities facing your organisation and assist you in making informed cost-effective decisions regarding control investment.
Recognising not all businesses are the same, we don’t believe in a one-size-fits-all approach. Therefore, our service is unique. Assessment can be made across the enterprise or focussed on independent projects or initiatives. Furthermore, we contextualise the assessment process based on your business risk appetite, size and sector of operation to gain actionable and meaningful insight into your business risk exposure.
But here’s the thing with assessments. While immensely effective, they are subjective, dependant on an individual’s subject matter knowledge, experience, and ability to analyse and evaluate each response and equate the real-term implications of any failure. Traditionally, assessors express their results using a traffic light system; Red, Amber, Green. But that doesn’t paint the whole picture; tie cybersecurity into wider business operations or allow for detailed analysis and evaluation to identify the ‘root-cause’ – That’s why we developed the Savvy Assessment!
Unique to Cyber Savvy, the Savvy Assessment reviews all aspects of the business ecosystem, removes subjectivity, and inserts objectivity. So here are some numbers to paint a picture of how ‘thorough’ our ‘basic’ assessment is!
We assess your business across ‘5’ cybersecurity lifecycle domains which encompass ‘108’ individual serials, and we take ‘4’ different measurements across ‘4’ control groups. We then conduct ‘average’ and ‘gap’ analysis, which forms ‘467’ data reference points. That’s a lot of information to take in, and you more than likely haven’t got the time or inclination to wade through all of that; if your role isn’t cyber! That’s why we present all of that data in ‘1’ single, easy to understand visual.
Should you wish to scrutinise the results, identify ‘control gaps’, ensure ‘defence-in depth’ or determine the best ROI for any investment, you can with the click of a button! The data is then visually presented through ‘9’ differing ‘lenses’ to drill down to a specific control group or stage in the security lifecycle. At Cyber Savvy we call this ‘sweating the data’! It maximises our assessment exposure, which incidentally takes the same amount of time and cost as a traditional consultancy assessment.
Your Results
The Savvy Assessment delivers fast results and cuts straight to the point, so you won’t be waiting weeks for a lengthy report to be produced; instead, your results are with you as soon as the assessor has finished. And because pictures paint a thousand words, at Cyber Savvy, we display your results in a Cyber Savvy Dashboard. This visual representation gives you absolute clarity of critical failings, areas of misalignment and opportunities to streamline and enhance your current security posture and business operations.
What’s more, the team will then conduct a call with you to talk you through the findings, recommended prioritisation of actions and quick wins to mitigate business risk to tolerable levels.
Cyber Security
At Cyber Savvy, our business is securing your business. We provide leadership, technical understanding, intelligence and solutions to allow our clients to benefit from the enormous opportunities that the digital economy brings.
Our Cyber Security Consultancy services are focused on protecting data in electronic form; this is likely to include computers, servers, networks, mobile devices, etc. The aim is to ensure these assets are resistant to compromise or attack. Part of that requires identifying the critical data, where it resides, its risk exposure, and the ‘people’ ‘process’ and ‘technological’ controls you must implement to protect it.
Our Certified Cyber Security and Information Assurance consultants have experience with all economic sectors, Public and Private and possess industry-leading qualifications. These include; CISSP; CISM; CISA; CMIIA; PC.dp; CRISC; CeH; Tiger; CREST, and much more. We equally have Lead Implementor and Auditor qualified consultants within a range of ISO standards, including ISO’s 27001, 27005, 22301, 9001.
Utilising a combination of our experience, methodologies and toolkits, we can get you certified and secure to support your business growth aspirations and compliance needs.
- Audit and review
- Risk Assessment
- Risk Management
- Cryptographic selection, implementation and management
- Security Architecture as a service
- Incident Response
Information Security & Assurance Services
At Cyber Savvy, our business is securing your business. We provide leadership, technical understanding, intelligence and solutions to allow our clients to benefit from the enormous opportunities that the digital economy brings.
Our Cyber Savvy Information Security consultancy service is focused on your data, information systems and services, ensuring they are protected from unauthorised access, use, disclosure, disruption, modification, or destruction.
Our Certified Cyber Security and Information Assurance consultants have experience with all economic sectors, Public and Private and possess industry-leading qualifications. These include; CISSP; CISM; CISA; CMIIA; PC.dp; CRISC; CeH; Tiger; CREST, and much more. We equally have Lead Implementor and Auditor qualified consultants within a range of ISO standards, including ISO’s 27001, 27005, 22301, 9001.
Utilising a combination of our experience, methodologies and toolkits, we can get you certified and secure to support your business growth aspirations and compliance needs.
- Cyber Essentials (CE) and CE+
- ISO 9001
- ISO 22301
- ISO 27001
- PCI-DSS
- Virtual or Onsite CISO
- Virtual or Onsite Security Manager
Talk To Us About Our Information Security & Assurance Services
Security Testing
Savvy Security Testing provides you with a full understanding of the technical vulnerabilities within your security ecosystem and informs control effectiveness and the level of risk held by the business.
This can be considered a proactive measure to identify asset vulnerabilities in a safe, controlled manner and can support the business by;
- Making an assessment of business-critical applications, systems and services and their performance.
- Identifying vulnerabilities and suggested mitigations.
- Informing business risks
- Identify potential legal and regulatory non-compliance.
- Inform security incident response
Alongside our Savvy Assessment and Audit services, specialised technical assessments include:
Penetration Testing (PT)
Also known as ‘Pen Testing’, is the practice of actively trying to uncover and exploit vulnerabilities within a business’s security ecosystem. This method sees ‘ethical hackers’ testing all infrastructure elements from Servers and Routers to Switches, Firewalls and Endpoints, such as PCs and Laptops.
PT enables organisations to validate their security ecosystem from both an ‘internal’ and ‘external’ perspective.
Vulnerability Assessment (VA)
A VA aims to define, identify, classify and prioritise vulnerabilities in computer systems, applications and network infrastructure and recommend the appropriate mitigation or remediation to reduce or remove the risks.
This service provides the business with the necessary knowledge, awareness and risk backgrounds to understand and react to threats to its environment.
PT or VA?
A VA often includes a component of PT to identify vulnerabilities in an organisation’s personnel, procedures or processes. However, these vulnerabilities may not be detectable with network or system scans! Despite this, PT is not sufficient as a complete VA and is, in fact, a separate process.
In contrast, PT involves identifying network vulnerabilities before attempting to exploit them to attack the system. Although sometimes carried out in concert with VA, the primary aim of a PT is to confirm if the vulnerability exists. In a sense proving the theory.
While a vulnerability assessment is usually automated to cover a wide variety of unpatched vulnerabilities, penetration testing generally combines automated and manual techniques to help testers delve further into the vulnerabilities and exploit them to gain access to the network in a controlled environment.
- Penetration Testing
- Vulnerability assessment
Talk To Us About Our Security Testing Services
Data Privacy & Protection
We often hear the terms Data Privacy and Data Protection, and often the two terms are blurred into one. However, it is important to understand the difference between the two to understand the role they play within your business.
Data Protection is relatively straightforward in that it is the protection of the data. Where is it stored, how is it accessed etc. Data Privacy relates to who has access to that data and why they should have access.
Cyber Savvy data privacy services are concerned with the ‘appropriate and legal use’ of personal and sensitive personal data throughout the data’s lifecycle. This includes how data is collected, processed, stored, maintained, protected and disposed of irrespective of the format and systems used.
You wouldn’t want everyone accessing the keys to your city if they didn’t need to, as it would invite greater and unnecessary risk. So when we talk about ‘Data Privacy Readiness’, it is important to understand the context of Privacy vs. Protection.
Our services help your business;
- Understand the types of personal data it holds.
- Understand how they process and transfer the data (the data flows).
- Understand how to protect the data.
- Understand what legal and regulatory considerations there are.
- Make informed risk-based decisions and assessments of:
- Existing systems.
- New projects and initiatives.
- The selection of new IT products.
Adopting a proactive approach to Data Privacy and Protection, additionally places your business at an advantage; better placed to adapt to changes in technology (e.g. Cloud ISO27018 Cloud protection of Personally Identifiable Information (PII)) as well as UK and International Legal and Regulatory change inclusive of the General Data Protection Regulation.
- Data Privacy Readiness, Assessment & Audit
- Outsourced Data Protection Officer
Talk To Us About Our Data Privacy & Protection Services
Information Governance
What do we mean by Information Governance (IG)? For one, there are varying definitions of ‘information’ out there, so it’s important to understand the context and how it applies to your business.
IG is the term used to understand how the information within your business is managed, stored, used, prioritised, and critically, the processes and accountability surrounding the day-to-day interaction with said information.
We often see reliance on technology, more specifically software programmes, to store our internal business documents. Still, the management and responsibility of these documents are at the core of IG.
Establishing and maintaining effective procedures for the secure management of information should be embedded with an organisation’s culture, from the Board of Directors down to the front-line employees and aligned to, and embed within, Organisational Strategy and Policy.
Key processes and accountability must be built into the business to adhere to Information Governance UK regulation, the Information Commissioner’s Office, and Data Protection requirements. Organisations who are unable to demonstrate good IG can suffer the impacts of significant fines and severe damage to reputation.
- ISO certification; 27001; 9001
Talk To Us About Our Information Governance Services
Savvy Training (Enterprise-wide Training)
We can provide your entire workforce a bespoke General Data Protection Regulation (GDPR), ISO27001, Payment Card Industry compliant security awareness training package. And when we say bespoke, we mean BESPOKE. Each individual in the company will go on their own learning journey based on their job role and the threats they are likely to encounter in their day to day duties.
All of our training videos, of which we have 65+ are thematic-based and bite-sized, no longer than two minutes in length. We adopt the proven learning principle of ‘little and often’, ensuring we maintain audience attention and the business doesn’t compromise on productivity. Longwinded training videos cram in too much detail, take too long to complete and get put off in favour of a pressing workload.
Along with the training content, our training is accompanied by bitesize quiz sessions to understand the necessary concepts and practices.
In terms of implementation, we can deliver our training content whichever way best suits your business; email, Slack or MSTeams. Still too busy in the office? Not to worry, all of our training is mobile-friendly so can even be done on the move. In essence, our training formats work around the individual’s schedule and preferred learning habits to create a human firewall in their role, whether in-office or working from home. Content is always growing also and continually updated to reflect new threats and challenges such as COVID19, zoom-bombing, collaborative tools and remote working habits.
In keeping with our appetite for data and analytics, we measure everything.
From an individual perspective, we chart engagement, attendance and their overarching awareness score and measure this in a group or enterprise-wide setting to identify vulnerable groups or high-risk behaviours across the business. Understanding this information allows us to reconfigure their individual or group training plan accordingly.
To supercharge your employee knowledge, look at running this training package in conjunction with the ‘Targeted Individual Training Programme.
Targeted Individual Training Programme
Running in parallel to the Savvy Training Programme we also operate individual employee Risk Assessments to measure human knowledge and behaviours within the workplace. Through a number of programmed serials, we determine, on an individual basis, employee vigilance towards Phishing, handling of sensitive material, physical security, home working, social media use and a great deal more.
The targeted assessment takes the enterprise-wide training programme to another level by providing actionable insights to vulnerable departments and roles, which informs broader security awareness training programme priorities.
Using Marginal Gains Theory, our training methods focus on making small improvements, little and often, at the macro-level (the individual), resulting in much more significant gains across the enterprise over time and in aggregation. Affecting change to individual employees at this level with ‘focussed intervention’ is proven to substantially increase individual and team performance over time.
Talk To Us About Our Savvy Training Services
The Training Academy
Offers a full range of 1-minute videos designed to be relatable and easy to remember so they can be applied when needed. The training implements the principles of microlearning with short lessons that are easy to consume, over a longer period of time to maximise the learning effect.
We launch new content every month to help stay up-to-date with the latest cybersecurity threats and attack vectors.
Interested in training your entire team? Let us take care of that for you without the excessive cost of money and time.
Don't wait until it's too late to secure your business
If you have any queries about how we can help you manage your cybersecurity, get in touch today!
Hannah, Managing Director and Toby, CEO and Strategic Director
