Written by Declan Thorpe – Cyberfort Information Security Consultant


Cyber incidents rarely begin with a clear warning. Most start with small signals: a login that doesn’t fit a pattern, a process running where it shouldn’t, a connection that looks out of place. The organisations that spot these signals early tend to have more options, more time and more control over what happens next.

The incident Co-op faced in April 2025 highlighted this reality. Public reporting shows that the organisation acted early, intervening before the attackers were able to move deeper into systems or attempt more damaging activity. Early intervention of this kind usually reflects an ability to recognise unusual activity quickly and understand enough about the situation to respond with confidence.

In a year marked by several high-profile retail cyber incidents, Co-op’s response stood out for its steadiness. The organisation acted early, demonstrating the value of understanding your environment well enough to recognise when something is out of place and intervene before the situation grows. The incident reinforced that visibility is more than a technical concept; it is a practical enabler of timely, confident decision-making that can meaningfully influence the trajectory of an incident.

A quick look at what happened

Co-op experienced a cyber-attack that resulted in unauthorised access to personal data belonging to a very large number of its members. Public reporting linked the activity to the known threat actor group DragonForce. While the attackers were able to copy certain data, they were prevented from moving deeper into systems or deploying destructive tools.

Co-op’s leadership later explained that the organisation had clear visibility of the attackers’ activity, describing it as being able to “see every mouse click.” That level of insight, based on what was publicly shared, helped the organisation understand what the attackers had accessed and how far the intrusion had progressed. This clarity supported the investigation and allowed decisions to be made based on observable activity rather than assumptions.

Even with early detection and containment, the attack created operational challenges. Stores experienced stock shortages, some customers encountered payment issues, and the organisation reported a noticeable financial impact. Additional one-off costs were incurred as part of the response and recovery effort.

Despite this, the outcome could have been significantly more severe. Early insight into the intrusion helped prevent escalation, reduce uncertainty and support a more controlled response. It also highlighted the value of understanding what is happening inside an environment before the situation accelerates.

Why this was really a story about visibility and early detection

The Co-op incident illustrated how much difference early detection makes during a cyber-attack. Many organisations focus on recovery, but this case highlighted the decisions that come before recovery even begins: the moment when something unusual is first noticed and teams need to decide what to do next.

Several practical realities became clearer.

Early detection gives organisations more time and more options

Spotting unusual activity early allows teams to intervene before attackers escalate their access or attempt more damaging actions. Time is one of the most valuable assets during an incident, and early detection effectively creates more of it.

Visibility doesn’t require a large budget

A fully staffed SOC is valuable, but not every organisation can afford one. What matters most is understanding your assets, knowing what “normal” looks like and having monitoring in place that highlights meaningful deviations. These fundamentals are achievable for organisations of all sizes.

Informed decisions depend on knowing your environment

When teams understand their systems, dependencies and typical behaviour, they can interpret signals more accurately and avoid acting on assumptions. Visibility supports clarity, and clarity supports better decisions.

Containment is most effective when guided by insight

Containment works best when teams know what the attacker has done and what they haven’t. That clarity comes from visibility, not guesswork. Early insight helps teams act with precision rather than disruption.

The incident showed that visibility is not just a technical capability; it is a foundation for better decision-making. When organisations understand what is happening early, they can respond with greater confidence and reduce the likelihood of a wider operational crisis.

What Organisations Can Learn and Apply Right Now

Incidents like the one Co-op experienced highlight how important it is for organisations to understand what is happening inside their environment before an intrusion has the chance to escalate. The lessons are not unique to retail; they apply across sectors, especially where operations and customer-facing systems depend on accurate, timely insight.

The following areas stand out.

Know Your Assets

You cannot detect what you cannot see. Organisations benefit from:

  • a clear, current view of their systems
  • understanding which assets matter most
  • awareness of where sensitive data lives
  • visibility of external facing services

Asset visibility is the foundation on which detection capability is built: if you don’t know what is in your environment, you don’t know what you are protecting. It reduces blind spots and helps teams recognise when something is out of place.

Monitor What Matters

Monitoring does not need to be complex or expensive. What matters is:

  • logging activity from key systems
  • watching for unusual authentication patterns
  • tracking changes to critical configurations
  • alerting on deviations from expected behaviour

Even basic monitoring can surface early signals that something is wrong.
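As an added example (not Cyberfort’s tooling and not drawn from the Co-op investigation), the script below runs the kind of checks the list describes over a handful of constructed authentication log lines: a burst of failures followed by a success, a successful login from a source address not in a per-user baseline, and interactive logins outside working hours. The log format, the baseline, the working-hours window, the service-account naming convention and the failure threshold are all assumptions chosen for the example.

```python
"""Minimal authentication-log triage for the deviations the section lists.

Added example, not Cyberfort's tooling. Log format, baseline and thresholds
are assumptions; the log lines below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format: "<ISO-8601 UTC> auth user=<name> src=<ip> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Assumed per-user baseline of "normal": source addresses seen during a quiet period.
BASELINE = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.20", "198.51.100.21"},
    "svc-backup": {"10.0.0.5"},
}
WORK_HOURS = range(7, 20)   # 07:00-19:59 UTC counts as normal for interactive users
FAIL_BURST = 5              # this many failures before a success is suspicious

# Constructed sample log (deliberately out of time order to show sorting matters).
SAMPLE_LOG = """\
2025-04-22T09:01:12Z auth user=alice src=198.51.100.10 result=ok
2025-04-22T09:03:40Z auth user=bob src=198.51.100.21 result=ok
2025-04-22T02:14:07Z auth user=alice src=203.0.113.5 result=fail
2025-04-22T02:14:09Z auth user=alice src=203.0.113.5 result=fail
2025-04-22T02:14:11Z auth user=alice src=203.0.113.5 result=fail
2025-04-22T02:14:13Z auth user=alice src=203.0.113.5 result=fail
2025-04-22T02:14:15Z auth user=alice src=203.0.113.5 result=fail
2025-04-22T02:14:20Z auth user=alice src=203.0.113.5 result=ok
2025-04-22T03:30:00Z auth user=svc-backup src=10.0.0.5 result=ok
2025-04-22T11:45:00Z auth user=bob src=203.0.113.77 result=ok
"""


def parse(text):
    """Yield (timestamp, user, src, result) for every line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["user"], m["src"], m["result"]


def triage(log_text, baseline=BASELINE):
    """Return findings as (kind, user, src, detail) tuples, in time order."""
    findings = []
    fails = defaultdict(int)   # (user, src) -> consecutive failures so far
    for ts, user, src, result in sorted(parse(log_text)):
        key = (user, src)
        if result == "fail":
            fails[key] += 1
            continue
        # A success after a burst of failures is worth a look regardless of source.
        if fails[key] >= FAIL_BURST:
            findings.append(("fail_burst_then_success", user, src, fails[key]))
        fails[key] = 0
        # Successful login from somewhere this user has never logged in from.
        if src not in baseline.get(user, set()):
            findings.append(("new_source", user, src, 0))
        # Interactive (non "svc-") accounts logging in outside the working window.
        if not user.startswith("svc-") and ts.hour not in WORK_HOURS:
            findings.append(("off_hours", user, src, ts.hour))
    return findings


if __name__ == "__main__":
    for kind, user, src, detail in triage(SAMPLE_LOG):
        print(f"{kind:25} user={user} src={src} detail={detail}")
```

The thresholds are deliberately crude. What matters is that every finding points at a concrete, observable event a person can go and check, which is what turns logging into visibility rather than noise.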

Establish Clear Escalation Paths

Early detection only helps if teams know what to do next. Organisations benefit from:

  • simple, well understood escalation routes
  • clarity on who investigates alerts
  • thresholds for when to act
  • confidence that raising a concern is the right thing to do

This turns visibility into action. It ensures that when something unusual is spotted, it does not sit unnoticed or unaddressed.

Use Early Insight to Guide Containment

Containment is most effective when informed by what you can see. Early insight helps teams:

  • isolate affected systems
  • prevent escalation
  • avoid unnecessary disruption
  • focus recovery efforts where they matter most

This is where visibility directly shapes the outcome. It allows containment to be targeted rather than broad, controlled rather than reactive.

Build Recovery on a Verified Safe Place

Recovery is easier and safer when systems remain intact and the organisation has a clear view of the intrusion. Early detection helps preserve the conditions needed for:

  • restoring from trusted backups
  • validating system integrity
  • reintroducing services safely
  • avoiding reinfection

Safe recovery starts with early insight. When organisations understand what has happened, they can restore services with greater confidence and predictability.

Treat Visibility as a Resilience Capability

Visibility is not just a technical feature; it is a foundation for resilience. It enables:

  • earlier intervention
  • clearer decision-making
  • more accurate scoping
  • safer recovery
  • reduced operational impact

Organisations that invest in visibility are better positioned to respond calmly and effectively when the unexpected happens. It is a capability that supports every stage of an incident, from detection to containment to recovery.

Cyber incidents often make headlines because of the disruption they cause, but they also reveal how organisations operate behind the scenes. The 2025 incident at Jaguar Land Rover (JLR) did exactly that, bringing into focus how closely its operations are connected to suppliers, shared systems and the wider manufacturing ecosystem.

What stood out wasn’t just the interruption itself, but the way it exposed the dependencies that keep a modern automotive operation moving. Supply chains in this sector are highly interconnected, and even a brief pause can surface links that usually sit quietly in the background. The JLR outage made some of those connections more visible and offered a practical reminder of how quickly operational pressures can ripple outward.

Seen through that lens, the incident becomes less about the disruption and more about what it revealed. It highlighted the level of interdependence built into today’s manufacturing environments and pointed to clear opportunities for organisations to strengthen their resilience. The lessons are practical, achievable and relevant far beyond the automotive sector.

A Quick Look at What Happened

When the cyber‑attack occurred, JLR paused parts of its UK production to contain the issue, restore affected systems and verify that operations could resume safely. What initially appeared to be a short interruption extended as teams completed recovery work and confirmed that core processes were stable.

The disruption affected several areas:

  • Manufacturing: some production lines paused and schedules were adjusted.
  • Supply chain: suppliers of all sizes experienced delays as orders and timings shifted.
  • Logistics: movements of parts and finished vehicles were rescheduled, creating knock‑on effects across transport networks.
  • Retail operations: downstream activity changed as production timelines moved.

Throughout the incident, JLR prioritised system stability and close coordination with partners. Production returned gradually, with a focus on safety and continuity across the manufacturing network.

The pause also offered a clearer view of how operational dependencies surface during unexpected events. It showed:

  • how quickly changes in one area can influence others
  • how reliant modern manufacturing is on shared digital processes
  • how important coordinated communication becomes when operations need to adjust at pace

This helps explain why the incident resonated beyond JLR itself. The effects were felt across a broad ecosystem of businesses, reinforcing the importance of understanding supply‑chain dependencies before they are tested.

Why This Was Really a Supply Chain Story

While the incident was centred on JLR, the wider context sits within the structure of automotive manufacturing. The sector relies on a broad network of suppliers, shared digital platforms and coordinated logistics processes, and any disruption naturally draws attention to how these elements interact in practice.

A few operational realities were highlighted during the pause:

  • Digital systems support day-to-day operations. Modern manufacturing uses a range of digital tools for ordering, scheduling, supplier coordination and logistics. When these systems are unavailable or slowed, it can influence how physical operations run.
  • Production processes are tightly timed. Automotive manufacturing typically follows structured, time-sensitive workflows. Even small changes to those workflows can create adjustments elsewhere, simply because the system is designed to move at a steady pace.
  • Suppliers notice changes quickly. When production activity shifts, suppliers often feel the effects early. Larger suppliers may have more capacity to absorb changes, but smaller businesses can be more exposed to sudden fluctuations.

Taken together, the incident illustrated how interconnected the automotive sector is. When a major manufacturer experiences a disruption, the effects can be felt across organisations of varying sizes and roles. It also provided a clearer view of where resilience measures can make a meaningful difference.

What Organisations Can Learn and Apply Right Now

Incidents like this are disruptive, but they also shine a light on where organisations can improve. The lessons aren’t limited to automotive manufacturing; they apply to any business that relies on suppliers, partners or digital systems.

Here are the key takeaways.

Map Your Supply Chain

Most organisations have a list of suppliers. Very few have a clear picture of:

  • which suppliers rely on which systems
  • how data flows between them
  • where the single points of failure are
  • which suppliers are genuinely critical

A clear supply-chain map doesn’t need to be complicated, but it does need to be accurate. It is an effective way to spot risks before they become problems.

This is especially important for organisations with complex operations. Without a clear map, it’s almost impossible to understand how a disruption in one area might affect another. JLR’s experience showed how quickly a single incident can ripple across an entire ecosystem.

Set Clear Security Expectations for Suppliers

Security requirements shouldn’t be vague or buried in contracts. They should be:

  • specific
  • measurable
  • regularly reviewed
  • aligned with your own risk appetite

If suppliers are part of your attack surface, and they are, they need to be part of your security strategy.

This doesn’t mean expecting every supplier to meet the same standards as a global manufacturer. It means setting expectations that are proportionate, realistic and clearly communicated. When suppliers know what’s expected of them, they’re far more likely to meet those expectations.

Limit Supplier Access to What’s Necessary

A common weakness in supply-chain breaches is overprivileged access. Suppliers often have:

  • more access than they need
  • access for longer than necessary
  • access that isn’t monitored

Follow the principle of least privilege:

If someone doesn’t need access today, they shouldn’t have it today.

This isn’t about mistrust; it’s about reducing the number of doors an attacker could potentially walk through. Access should be granted sparingly, monitored closely and removed promptly when no longer needed.
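One way to make the rule above checkable rather than aspirational, as an added example that is not Cyberfort’s tooling and is not drawn from the JLR incident: review every supplier grant against what the supplier is contracted to touch, when the grant expires, when it was last used and whether it is monitored, then turn the result into a revoke list. The record format, the contracted scopes, the review date and the thresholds are assumptions, and the grant records are constructed.

```python
"""Supplier access review: is each grant still needed today?

Added example, not Cyberfort's tooling. The record format, contracted scopes,
review date and thresholds are assumptions; the grant records are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Grant:
    supplier: str
    account: str
    systems: FrozenSet[str]       # what the account can reach
    granted: date
    expires: Optional[date]       # None means open-ended
    last_used: Optional[date]     # None means never used
    monitored: bool               # is the account's activity logged and reviewed?


# Assumed: the systems each supplier is contracted to work on.
CONTRACTED = {
    "LogisticsCo": frozenset({"tms"}),
    "PartsPlc": frozenset({"erp-orders"}),
    "MaintenanceLtd": frozenset({"plc-hmi"}),
}
MAX_TERM = timedelta(days=90)       # longest grant allowed without re-approval
UNUSED_AFTER = timedelta(days=30)   # idle this long means "not needed today"
REVIEW_DATE = date(2025, 4, 22)     # assumed "today" for the review

# Constructed grant records.
GRANTS = [
    Grant("LogisticsCo", "svc-logco", frozenset({"tms"}),
          date(2025, 1, 6), date(2025, 6, 30), date(2025, 4, 20), True),
    Grant("PartsPlc", "ext-parts1", frozenset({"erp-orders", "erp-finance"}),
          date(2024, 11, 1), None, date(2025, 4, 21), False),
    Grant("MaintenanceLtd", "ext-maint", frozenset({"plc-hmi"}),
          date(2025, 2, 1), date(2025, 3, 31), date(2025, 2, 14), True),
    Grant("MaintenanceLtd", "ext-maint2", frozenset({"plc-hmi"}),
          date(2025, 3, 1), date(2025, 4, 30), None, True),
]


def review(grants, today, contracted=CONTRACTED):
    """Return (account, finding, detail) for every grant that breaks a rule."""
    findings = []
    for g in grants:
        # More access than the contract needs.
        excess = g.systems - contracted.get(g.supplier, frozenset())
        if excess:
            findings.append((g.account, "scope_exceeds_contract", sorted(excess)))
        # Access for longer than necessary: no end date, past its end date, or too long a term.
        if g.expires is None:
            findings.append((g.account, "no_expiry", None))
        elif g.expires < today:
            findings.append((g.account, "expired_but_active", g.expires.isoformat()))
        elif g.expires - g.granted > MAX_TERM:
            findings.append((g.account, "term_too_long", (g.expires - g.granted).days))
        # Not used recently (a never-used grant counts from the day it was granted).
        idle_since = g.last_used or g.granted
        if today - idle_since > UNUSED_AFTER:
            findings.append((g.account, "unused", (today - idle_since).days))
        # Access that isn't watched.
        if not g.monitored:
            findings.append((g.account, "unmonitored", None))
    return findings


def revoke_list(findings):
    """Accounts to disable now: expired, or idle past the threshold."""
    return sorted({acct for acct, kind, _ in findings if kind in ("expired_but_active", "unused")})


if __name__ == "__main__":
    found = review(GRANTS, REVIEW_DATE)
    for account, kind, detail in found:
        print(f"{account:12} {kind:24} {detail}")
    print("revoke now:", revoke_list(found))
```

Scope and monitoring findings go back to the account owner for justification; expired and idle grants are simply removed, because the supplier can ask again if they turn out to need the access.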

Build Segmentation into Your Architecture

Segmentation is an effective way to contain cyber incidents. If one system goes down, it shouldn’t take everything with it. In JLR’s case, the attack affected production systems across multiple factories, a sign that segmentation could have reduced the blast radius.

Segmentation doesn’t eliminate risk, but it buys time. And in a cyber incident, time is everything.

It also helps organisations recover more quickly. When systems are segmented, it’s easier to isolate the affected areas, restore unaffected systems and bring operations back online in stages.

Test Your Response with Supplier Focused Scenarios

Most incident response exercises focus on internal failures. But real-world incidents often start elsewhere.

Useful scenarios include:

  • a key supplier going offline
  • a shared platform being compromised
  • a supplier’s credentials being used maliciously

These exercises don’t just test your technical response, they test communication, decision-making and the ability to keep the business running under pressure. They also help identify gaps that might not be obvious during day-to-day operations.

Strengthen Communication Channels with Suppliers

During a crisis, silence creates confusion. Clear, pre-agreed communication paths help everyone respond faster and more effectively.

This includes:

  • knowing who to contact
  • knowing how to escalate
  • knowing what information to share
  • knowing how to coordinate recovery

Good communication doesn’t fix the problem, but it makes sure that the people who need to know, do know. It also helps maintain trust both internally and externally.

When suppliers know what’s happening, they can take action to protect their own systems and support your recovery efforts. When they’re left in the dark, they can’t.

Build Contingency Plans for Critical Suppliers

If a supplier goes down, what’s your plan B? Or C? Or D?

Even a basic fallback plan can keep operations moving while the primary supplier recovers. It doesn’t need to be perfect; it just needs to exist.

Contingency planning isn’t about expecting the worst. It’s about being prepared for the unexpected. And as JLR’s experience showed, the unexpected can happen quickly.

Cyber-attacks aren’t dramatic, once-in-a-lifetime events; these days they are part of routine operations and they hit organisations of every size. In 2025 we saw this play out clearly when Jaguar Land Rover, Co-op and Marks & Spencer (M&S) all found themselves dealing with serious incidents. It was a blunt reminder that no brand is too established or too well resourced to avoid being caught out.

When something like this happens, the technical response is only half the story. The other half, and often the part that decides whether customers stay calm or start losing trust, is how the company communicates. Clear and honest updates can stop a difficult situation from turning into a reputational mess.

That’s what crisis communications is about: being upfront, cutting through confusion and helping people understand what’s going on without adding to the panic.

In 2025, M&S showed what it looks like when a company takes that responsibility seriously. In this article we review what M&S did well, the lessons other organisations can learn from its response to the attack, and the practical, actionable steps businesses can take to make sure they have the right incident response and communication plans in place should they be attacked.

A Quick Introduction to Crisis Communications

So let’s get started. First of all, what are crisis communications, and why are they so important in an incident response process?

Crisis communications are the structured approach organisations use to communicate during unexpected, high-pressure events: anything from a data breach to a product recall to a global pandemic. The goal is simple: protect people, protect trust, and protect the business.

Why does it matter so much today?

  • Cyber-attacks are increasing in scale and impact. 2025 provided further evidence that cyber risk is growing, with attacks deeply affecting economic stability and business continuity.
  • Customers expect transparency. Silence or vague statements erode trust faster than the breach itself.
  • Regulators are watching. Poor communication can lead to reputational damage and regulatory scrutiny.
  • Social media accelerates everything. Misinformation spreads instantly if organisations don’t fill the information vacuum.

Done well, crisis communications can turn a chaotic situation into a moment of leadership. Done poorly, it can turn a technical incident into a reputational disaster.

What Happened: The 2025 Marks & Spencer Cyber Attack

In April 2025, Marks & Spencer disclosed a major cyber-attack that severely disrupted its operations. The incident was identified as a ransomware attack, which forced the retailer to shut down automated ordering and stock systems, leading to empty shelves and significant operational strain.

The impact was substantial:

  • Online sales were brought to a standstill
  • Food shelves were left bare
  • The financial hit was enormous
  • Disruption lasted for months

Despite the severity of the incident, M&S managed to maintain customer trust and protect its brand reputation. That wasn’t luck; it came through communication.

How M&S Communicated During the Crisis

While the technical details of the attack were complex, M&S’s communication strategy was refreshingly simple: be honest, be visible, and be human.

They Communicated Early and Openly

M&S didn’t wait for rumours to spread or for customers to notice empty shelves. They disclosed the attack promptly, explaining the nature of the disruption and its expected duration.

This early transparency helped:

  • Set expectations
  • Reduce speculation
  • Demonstrate accountability
  • Build trust during uncertainty

In a world where many organisations still try to “keep things quiet,” M&S chose clarity over concealment.

They Provided Regular, Timely Updates

Throughout the incident, M&S issued ongoing updates to investors, customers, and the media. Timely updates prevented:

  • Confusion
  • Misinformation
  • Customer frustration

And importantly, they showed that M&S was in control, even if at times the situation itself wasn’t.

They Used Clear, Accessible Language

M&S avoided technical jargon and focused on what customers needed to know:

  • What happened
  • How it affected them
  • What the company was doing about it
  • When things would return to normal

This is especially important in cyber incidents, where overly technical explanations can alienate or confuse audiences.

They Demonstrated Leadership Visibility

M&S’s CEO played a prominent role in communications, offering reassurance and outlining recovery plans. His public statements emphasised both transparency and determination, including the company’s intention to use the disruption as an opportunity to accelerate its technology transformation.

Leadership visibility signals:

  • Accountability
  • Confidence
  • Stability

And it reassures customers that the organisation is taking the incident seriously.

They Maintained a Customer‑Centric Tone

Even while dealing with operational chaos, M&S kept the focus on customer experience. Their messaging acknowledged the inconvenience, explained the impact on stock and online services, and reassured customers that restoring normal service was the top priority.

This empathetic tone helped mitigate the psychological impact of the attack, particularly the anxiety customers feel when their favourite retailer experiences a breach.

Lessons Other Businesses Can Learn from M&S

The M&S incident offers valuable lessons for organisations of all sizes, not just retail giants.

Here are the key takeaways.

  • Transparency Builds Trust – Customers don’t expect perfection, but they do expect honesty. Being upfront about what happened and what you’re doing to fix it is always better than silence.
  • Speed Matters – The first 24–48 hours of a cyber incident are critical. Quick communication prevents rumours and demonstrates control.
  • Consistency Is Key – Regular updates, even if the update is “we’re still working on it”, keep stakeholders reassured.
  • Leadership Should Be Visible – A calm, confident leader can steady the ship and reinforce trust.
  • Empathy Goes a Long Way – Cyber-attacks are stressful for customers too. Acknowledging their concerns helps maintain loyalty.
  • Preparation Makes Everything Easier – M&S’s ability to communicate effectively didn’t happen by accident. It happened because they had plans, processes, and trained people.

Cyber‑Focused Advice for Businesses Preparing for Attacks

If the Marks & Spencer incident taught us anything, it’s that crisis communications doesn’t exist in a vacuum. It’s tightly woven into cyber readiness, technical resilience, and the ability to make decisions quickly under pressure. Here’s how organisations can strengthen their cyber posture and their communication capability at the same time.

Build a Real‑World Incident Response Plan

Not a theoretical document. Not a dusty PDF. A plan people can actually use at 2am when the ransomware alarm goes off.

It should include:

  • Clear roles and responsibilities
  • Playbooks for the most likely attack types
  • A rapid approval process for communications
  • A single source of truth for updates

A good plan removes panic and replaces it with muscle memory.

Know Your Crown Jewels

You can’t protect everything equally. Identify:

  • Your most critical systems
  • Your most sensitive data
  • Your highest‑risk suppliers

This helps you prioritise both your technical response and your communications when something goes wrong.

Train Your People (Not Just IT)

Cyber incidents are cross‑functional events. Everyone needs to know:

  • How to report suspicious activity
  • What to say, and what not to say
  • How to route media or customer enquiries
  • How to avoid spreading unverified information

Tabletop exercises, for example, are a great way to expose gaps and build confidence. At Cyberfort we recommend that incident response plans are tested at least annually. Crisis simulation exercises should use common attack scenarios tailored to your organisation’s sector, so that the communication, process and response gaps show up in real time, before an incident happens.

Prepare Customer‑Friendly Messaging in Advance

When an incident hits, you won’t have time to wordsmith. Pre‑prepare:

  • Holding statements
  • FAQs
  • Internal updates
  • Regulator‑ready notifications

Keep them simple, human, and jargon‑free.

Establish a Crisis Communications “Battle Rhythm”

Decide in advance:

  • How often you’ll issue updates
  • Who approves messaging
  • Which channels you’ll use
  • How you’ll coordinate with technical teams

This rhythm keeps everyone aligned and prevents misinformation from filling the silence.

Strengthen Your Technical Foundations

Good crisis communications are easier when your cyber basics are solid. Prioritise:

  • Access controls
  • Regular patching
  • Network segmentation
  • Tested offline backups
  • Endpoint detection and response
  • Supplier risk assessments
  • Regular security reviews by a specialist MSSP

These controls reduce the blast radius, and the communication chaos.

Build a Culture of Early Reporting

The sooner you know something’s wrong, the sooner you can contain it. Encourage:

  • Zero‑blame reporting
  • Quick escalation
  • Transparency across teams

Culture is one of the most underrated cyber controls.

Glen Williams, CEO of Cyberfort Group, discusses why UK boards must lead with resilience, beyond compliance, to prevent costly breaches.


Infrastructure-level attacks

Despite growing investment in cybersecurity, many UK businesses remain critically exposed to infrastructure-level attacks.

They are under siege from state actors, criminal groups and opportunistic attackers exploiting any weakness.

Too many are operating under a concerning illusion of safety, believing being compliant means being secure.

But compliance is not resilience and ticking regulatory boxes is no defence strategy.

The biggest vulnerability is not always a firewall or an unpatched system.

Increasingly, it lies at the top. This is the boardroom blind spot – a disconnect between the perceived and actual state of cybersecurity in UK organisations.

Many underestimate the scale, sophistication and speed of cyber-threats.

The result? A slow drift toward crisis – costing money, reputations, operations and in some cases, the very survival of the business.

Leaders must ask the hard questions: If we were breached tomorrow, could we still operate? How fast could we recover – and at what cost?

From airports to automakers: The threat is escalating

Recent attacks on Jaguar Land Rover, ransomware incidents affecting major UK airports and attacks on other critical infrastructure show that no sector is immune.

Attackers are more organised, more aggressive and increasingly focused on large-scale disruption.

These breaches often succeed not because defences are absent, but because they are insufficient.  

Many businesses still assume cybersecurity is ‘being handled’ by internal IT or third-party providers – often generalists, not specialists.

But when facing organised crime groups or state-sponsored actors, general IT skills fall short.

The analogy holds: No one would trust a nurse to perform brain surgery – so why expect an IT generalist to protect the core of a business against elite cyber-threats?

The numbers speak for themselves. Of the 2.7 million registered UK businesses, only around 51,000 meet Cyber Essentials standards.

So basic cyber-hygiene is still being overlooked. With critical infrastructure now a prime target, the stakes are rising fast. Cybersecurity must be led from the top, by boards.

Why compliance does not equal resilience

Regulatory and certification frameworks such as ISO 27001, GDPR, the forthcoming UK Cyber Security and Resilience Bill and Cyber Essentials serve a valuable purpose.

They set minimum standards and enforce accountability, but structure alone is not protection.

Compliance does not mean a business can detect, respond to or recover from an attack.

In fact, many companies seriously breached in recent years were fully compliant – on paper – but not operationally ready.

It is entirely possible to pass an audit and still be breached the very next day.

Worse, compliance is often used as a proxy for resilience, yet at best it is a lagging indicator of risk.

True resilience means having expert-led, scenario-tested, continuously evaluated strategies that are regularly refined and adapted to new threats.

Anything less leaves businesses dangerously exposed.

What real cyber-resilience looks like

Cyber-resilience is not a product you buy nor a policy you publish.

It is the organisation’s ability to absorb shocks and continue operating with minimal disruption – even when under attack.

Resilience starts at board level. This includes recognising cybersecurity as a core business risk, as well as bringing in trusted partners, such as NCSC-assured consultancies, who can help prepare organisations before, during and after an attack.

Resilient businesses invest in more than software; they invest in strategy.

They rehearse their response so that when a breach inevitably happens, teams avoid losing time or capability. 

Access to experts such as virtual Chief Information Security Officers (CISOs) or specialist placements supports stronger governance.

Resilience also means going beyond annual assessments to include regular threat modelling, red teaming and incident response drills.

Preparedness must extend across the entire organisation: Leadership, technical teams and non-technical staff alike.

At Cyberfort, resilience is defined not by how quickly a company recovers, but by how little it loses in the process, whether that is trust, uptime, data integrity, capital or brand reputation.

Accountability cannot be outsourced

Cyber-risk is business risk – it impacts revenue, reputation, regulatory standing and long-term viability.

Yet this reality repeatedly fails to land where it needs to: in the boardroom.

Too often, cybersecurity is viewed as technical – something IT should manage.

This mindset leads to underinvestment, poor response protocols and strategic blind spots in decision-making when it matters most.

Boards are responsible for resilience. Delegating without oversight, or mistaking compliance for readiness, is a dereliction of that duty.

Leaders must ask the right questions, challenge assumptions and ensure cybersecurity is embedded in strategic planning.

When cyber is ignored at the top, the entire organisation is left vulnerable.

To close the boardroom blind spot, leaders must first make cybersecurity a standing board agenda item: not an operational update, but a strategic risk discussion, treated with the same urgency as financial performance or operational risk.

Cybersecurity breaches can impact the balance sheet just as swiftly and severely as a major market event.

Second, boards must invest in education for directors.

While directors do not need to be technical experts, they must understand the business implications associated with cyber-threats.

Finally, success metrics must shift. Instead of measuring success by the absence of incidents, organisations should focus on the speed and effectiveness of detection, containment and recovery efforts.

Don’t wait for the crisis

The time of treating cybersecurity as an IT issue has long passed.

Cyber-risk now permeates every strategic decision – from M&A to supply chains.

The price of inaction is not theoretical – it is real and growing – just ask the companies that did not survive.

The fallout of recent breaches includes destroyed shareholder value, lost customer trust and long-term reputational damage that no insurance policy can undo.

Far too many businesses rely on generalist defences in a specialist threat environment.

Boards can no longer afford to sit on the side-lines.

Cybersecurity must be embedded into every strategic decision, not siloed as a compliance exercise.

The question is no longer if a breach will occur, but how well the organisation will be prepared to respond when it does.

Those who wait for the crisis to act will already be too late.

In this video Cyberfort CEO Glen Williams and Chair of Bluprintx Mark Humphries discuss why UK organisations need specialist cyber security support given the 50%+ rise in cyber security incidents in the past 12 months.

The video covers a range of topics which Cyber Security and C-Suite leaders need to be aware of to ensure their businesses remain secure, resilient and compliant in an ever-changing digital world. Watch the video to discover:

  • Three key pieces of advice for C-Level leaders when they are looking to improve their organisations’ cyber resilience
  • Why there has been a significant increase in attacks aimed at UK businesses in the past 12 months and the role AI is playing in this
  • The importance of undertaking a regular cyber security review from an NCSC assured provider to ensure organisations can benchmark and create continuous improvement plans for cyber security
  • Why Crisis Simulation Exercises are crucial for C-Suite leaders in making sure the right people, processes and policies are tested and in place before an attack happens
  • Why more due diligence and investment needs to be made in supply chain cyber security measures to protect an organisation from attack
  • The importance of partnering with an expert MSSP if your business does not have the right skills, knowledge or expertise in house to remain secure

Introduction

Secure by Design (SbD) was launched in July 2023 and it is already transforming the way government departments and the MOD implement security. Perhaps one of the biggest changes to UK Cyber Security processes in the last 15 years, Secure by Design aims to ensure all of your systems, processes and data are secure from concept through launch and throughout their full lifecycle.

Before we delve deeper into the blog, it’s important to note that MOD Secure by Design and Government Secure by Design are different. Despite having the same name, the same premise and the same objectives, their execution, delivery and assurance processes differ. They have different principles, different timelines and different maturity levels: at present MOD Secure by Design is almost fully introduced into MOD programmes and projects, and UK Government Secure by Design is following suit and is ready to secure projects and systems with its 10 principles. This article looks at the first and most transformative principle, Principle 1: Create responsibility for Cyber Risk.

For the first time, strategic leaders and leadership throughout projects/programmes will be empowered to be responsible and accountable for Cyber Security risk. Some of these positions will never have encountered Cyber Security before. But by spreading risk ownership and understanding across the business/programme/project, these projects/programmes will be able to deliver far more secure products and processes, with a far greater security lifespan.

Addressing the elephant in the room – businesses have never been the biggest lovers of major change. To understand these large-scale governmental Secure by Design changes it’s important to know why they are being implemented, and to understand the benefits of Secure by Design.

Unlocking the Benefits of Secure by Design Principle 1: Create responsibility for Cyber Risk

A key benefit of Secure by Design is how it affects leadership. Leaders at every level are decision makers, and a greater understanding of Cyber Security and its risks will ensure that they make better, more informed decisions. This empowerment is not confined to the executive level; it cascades down, so that leaders at all levels understand cyber risk and ensure it is understood and mitigated. This creates a much more comprehensive understanding of risk, and security controls that are better informed and therefore far more fitting.

Too often there is a disconnect between executive leadership and the technical teams responsible for securing systems. This gap can result in poorly informed decision-making, lack of investment, and incorrect prioritisation of risk mitigation. By clearly assigning cyber security responsibilities to stakeholders, such as CEOs and COOs as well as Chief Risk Officers and Board Members, organisations ensure that cyber risk is treated alongside financial, legal, and operational risks.

Another major benefit of Secure by Design is that it aims to stop Cyber Security work being siloed, or existing in isolation. Attackers will normally attack a wide surface, not just the security function, so security needs to be at the forefront of everyone’s minds. Extending security responsibility to staff throughout the business, rather than just the security team, not only spreads awareness but deepens security scrutiny and allows security to be examined by subject matter experts, potentially highlighting weaknesses that a cyber security team member would not be able to see.

A case study of where specific expertise has been siloed can be seen within NASA in the 1970’s, specifically during the Challenger builds. Engineering teams identified that the ‘O rings’, a component of the lower rockets, could fail, which could in turn lead to the entire failure of the launch. This severe risk was not fully understood by senior stakeholders, and the findings remained siloed within the rocket engineering team, which was unable to get its extreme risk findings correctly communicated or mitigated. This tragically led to the destruction of Challenger on launch and the loss of her entire crew.

Empowering all teams not just to understand security risks but to influence them gives projects and programmes the opportunity to be more secure. Most organisations already do this for safety, and security will now be no different.

The key challenges organisations must overcome

Of course, as with any organisational change there are challenges. The largest challenge so far observed in the Secure by Design rollout is leaders who are newly empowered to be responsible or accountable for cyber security being unwilling or unable to fully immerse themselves into the new role.

Many leaders face busy days, heavy workloads and already hold a lot of responsibility. With the changes being made, some are being informed that they must take on more responsibility in an area they may be unfamiliar with. They may not welcome the changes and therefore will not commit to them as intended. Potential signs of this include trying to delegate the responsibility to someone within their team, pushing work deadlines back indefinitely or openly stating that they are going to refuse to take part. This unfortunately means that the delegation of security accountability at all levels is not being implemented correctly, and that person is not only creating risk but is a risk themselves.

The best way to remedy this so far has been to educate these leaders in the importance of the security work and the new responsibility they hold, and to ensure that their workload is balanced well enough that they can correctly adapt to the changes.

The rise of AI tools has been the fastest technology adoption curve in history. In under two years, millions of small businesses have started using tools like ChatGPT, Claude, and Midjourney to write marketing copy, summarise reports, or answer customer questions.

But as AI gets smarter, the risks become sharper and so does the need for governance.

The Double-Edged Sword of AI in SMBs

AI can turbocharge productivity. It drafts documents, analyses trends, and automates repetitive admin at a fraction of the cost of human time. But behind the promise lies a fundamental truth: AI is only as safe as the data and instructions you feed it.

When staff paste client information, financial details, or internal plans into public AI tools, that data can be stored, processed, and used to train external models. It leaves your organisation permanently exposed, even if the upload was “just a quick test.”

Real-World Warnings

  • Samsung engineers accidentally leaked confidential source code by asking ChatGPT for help debugging it.
  • AI-generated phishing and voice cloning are now indistinguishable from the real thing – cybercriminals use these tools to impersonate CEOs and authorise fraudulent payments.
  • Marketing teams have faced copyright and privacy disputes after publishing AI-generated content built on protected data.
  • One SME experimenting with agentic AI bots – autonomous systems that act via APIs – accidentally flooded its internal Slack with thousands of automated messages, paralysing workflow for a day.

These aren’t hypothetical. They’re the early warning signs of a new risk class: AI misconfiguration and misuse.

Governance Is the New Firewall

AI governance doesn’t mean bureaucracy; it means boundaries. Businesses need to take this seriously, starting by mapping where AI touches their operations. Key questions to ask when assessing where and how AI is being used include:

  • What tools are employees using?
  • What data do they process?
  • Where do outputs go (to clients, websites, systems)?

Then, once you have answered the questions, a one-page AI Usage Policy should be created covering:

  • Approved tools and when to use them.
  • Data rules – never input confidential or identifiable information into public models.
  • Oversight – who reviews outputs before publication.
  • Accountability – who owns AI risk in your organisation.

Once you know where AI sits in your workflow, your MSP can help enforce controls like data loss prevention, sandboxing, and access logging.
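The data rule and the access-logging control above can be enforced in code at the point where a prompt leaves the organisation. The following is an added example, not Cyberfort’s tooling or any vendor’s API: it assumes a constructed policy in which one hypothetical enterprise deployment (`internal-assistant`) may receive any data, while the public tools named in this article may only receive prompts that contain no confidential marker or personal identifier. The detection patterns (e-mail address, a simplified UK National Insurance number shape, Luhn-valid card numbers, classification markers) are illustrative, and the audit log deliberately records only the kind of data found, never the values.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed policy for this example (not Cyberfort's own): one assumed enterprise
# deployment may receive any data; the public tools named in the article may only
# receive text containing no confidential or identifiable data.
APPROVED_FOR_ANY_DATA = {"internal-assistant"}          # assumed tool name
PUBLIC_TOOLS = {"chatgpt", "claude", "midjourney"}

# Detection patterns. The National Insurance number pattern is deliberately simplified
# (two letters, six digits, suffix A-D); a production rule set would be broader.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
MARKER_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY|DO NOT DISTRIBUTE)\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    value: str


@dataclass
class Decision:
    action: str                     # "allow" or "block"
    reason: str
    findings: List[Finding] = field(default_factory=list)
    redacted_text: str = ""         # safe version staff could resubmit instead


# Access log: records who sent what kind of data to which tool, never the values themselves.
AUDIT_LOG: List[dict] = []


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that not every long run of digits is reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> List[Finding]:
    """Return every confidential marker or personal identifier found in a prompt."""
    findings = [Finding("email", m.group()) for m in EMAIL_RE.finditer(text)]
    findings += [Finding("nino", m.group()) for m in NINO_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(Finding("card_number", m.group().strip()))
    findings += [Finding("confidential_marker", m.group()) for m in MARKER_RE.finditer(text)]
    return findings


def redact(text: str, findings: List[Finding]) -> str:
    for f in findings:
        text = text.replace(f.value, f"[REDACTED:{f.kind}]")
    return text


def enforce(tool: str, text: str, user: str = "staff") -> Decision:
    """Apply the one-page policy before a prompt leaves the organisation."""
    findings = scan(text)
    if tool in APPROVED_FOR_ANY_DATA:
        decision = Decision("allow", "approved tool", findings)
    elif tool not in PUBLIC_TOOLS:
        decision = Decision("block", "tool is not on the approved list", findings)
    elif findings:
        decision = Decision("block", "confidential or identifiable data must not go to a public model",
                            findings, redact(text, findings))
    else:
        decision = Decision("allow", "public tool, no sensitive data found")
    AUDIT_LOG.append({"user": user, "tool": tool, "action": decision.action,
                      "finding_kinds": sorted({f.kind for f in findings})})
    return decision
```

A blocked decision carries a redacted copy of the prompt so the member of staff has a compliant alternative rather than a dead end, which matters for adoption; the log entries are what the “access logging” control in the policy would later be audited against.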

The “Human in the Loop” Principle

AI is powerful but not autonomous. Even so-called “agentic” systems need human supervision.
Every AI-driven process should have a human checkpoint before any irreversible action happens (emails sent, payments triggered, data deleted).

Think of AI as an intern – fast, tireless, but prone to confidently getting things wrong.
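The human checkpoint described above, and the run-away Slack bot from the warnings earlier, both come down to what sits between the model’s tool calls and the real world. The following is an added example, not code from this article or from any agent framework: a small gate in which every tool is tagged reversible or irreversible, irreversible calls (sending, paying, deleting) are parked as tickets until a named person approves or rejects them, and a per-run action budget stops a looping agent from flooding a channel. The tools, ticket format and sample orders are constructed for the example.

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Tool:
    name: str
    run: Callable[[dict], str]
    irreversible: bool            # send / pay / delete: needs a human sign-off first


@dataclass
class PendingAction:
    ticket: int
    tool: str
    args: dict
    status: str = "pending"       # pending -> executed | rejected


class ActionGate:
    """Sits between the model's tool calls and anything that touches the real world."""

    def __init__(self, tools: List[Tool], max_actions_per_run: int = 50):
        self.tools: Dict[str, Tool] = {t.name: t for t in tools}
        self.max_actions = max_actions_per_run   # budget: a runaway loop cannot flood a channel
        self.actions_this_run = 0
        self.pending: Dict[int, PendingAction] = {}
        self.audit: List[dict] = []
        self._tickets = itertools.count(1)

    def request(self, tool_name: str, args: dict) -> Tuple[str, object]:
        tool = self.tools.get(tool_name)
        if tool is None:
            return ("denied", f"unknown tool {tool_name!r}")
        if self.actions_this_run >= self.max_actions:
            return ("denied", "action budget for this run exhausted")
        self.actions_this_run += 1
        if tool.irreversible:
            ticket = next(self._tickets)
            self.pending[ticket] = PendingAction(ticket, tool_name, args)
            self.audit.append({"event": "queued", "ticket": ticket, "tool": tool_name})
            return ("pending", ticket)
        result = tool.run(args)                  # reversible: run straight away
        self.audit.append({"event": "executed", "tool": tool_name})
        return ("executed", result)

    def approve(self, ticket: int, approver: str) -> Tuple[str, object]:
        action = self.pending.pop(ticket, None)
        if action is None:
            return ("error", "no such pending ticket")
        result = self.tools[action.tool].run(action.args)
        action.status = "executed"
        self.audit.append({"event": "approved", "ticket": ticket, "tool": action.tool, "by": approver})
        return ("executed", result)

    def reject(self, ticket: int, approver: str, reason: str) -> Tuple[str, object]:
        action = self.pending.pop(ticket, None)
        if action is None:
            return ("error", "no such pending ticket")
        action.status = "rejected"
        self.audit.append({"event": "rejected", "ticket": ticket, "tool": action.tool,
                           "by": approver, "reason": reason})
        return ("rejected", reason)


# Constructed tools standing in for real integrations (an order system and an e-mail sender).
SENT_EMAILS: List[dict] = []
ORDERS = {42: "dispatched", 43: "awaiting payment"}   # constructed sample data


def lookup_order(args: dict) -> str:
    return ORDERS.get(args["order_id"], "not found")


def send_email(args: dict) -> str:
    SENT_EMAILS.append(args)
    return f"sent to {args['to']}"


def build_gate(max_actions_per_run: int = 50) -> ActionGate:
    return ActionGate([
        Tool("lookup_order", lookup_order, irreversible=False),
        Tool("send_email", send_email, irreversible=True),
    ], max_actions_per_run)
```

The model never holds a reference to `send_email` itself; it can only ask the gate, and the gate’s audit list is the record a reviewer would read after the fact to see what the agent attempted, what a person approved, and what was stopped by the budget.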

Security Opportunities

There’s good news too: AI can strengthen your defences when used wisely. Modern detection tools use machine learning to identify anomalies faster than human analysts ever could. AI can summarise logs, flag risky behaviour, and help non-technical teams spot patterns they’d otherwise miss.
The difference between risk and reward is control.

Policy, People, and Partnership

The SMB advantage is agility: you can adapt faster than enterprises. Use that agility to get ahead with a few simple practices:

  • Assign an AI Lead to track developments, risks, and opportunities.
  • Include AI in your risk register and data governance policies.
  • Educate your teams: if they don’t understand how AI handles data, they can’t use it safely.
  • Work with your MSP to implement guardrails, such as API monitoring, MFA, and content-filtering on AI platforms.

In this video Glen Williams (Cyberfort CEO) and Emily Rees (Cyberfort CFO) discuss why directors of UK companies should be focused on addressing the cyber security risks their businesses are facing. The video covers a range of topics including the importance of undertaking a cyber security audit by a specialist cyber security company to assess your company’s security posture, why supply chain cyber security measures should be focused on given the recent attacks on UK businesses and how to embed cyber security into your company’s risk register for improved cyber resilience.

Cyber security has evolved into a board-level issue, a defining factor in business resilience, continuity, and reputation. Yet too often, it remains an IT sub-category rather than a strategic risk discipline. Many organisations still rely solely on their Managed Service Provider (MSP) to handle security, but the truth is, MSPs weren’t built for today’s threat landscape.

To protect your organisation effectively, you need a specialist Managed Security Service Provider (MSSP) working in tandem with your MSP. One that brings the depth, visibility, and threat expertise your IT partner can’t reasonably maintain alone.

The Modern Reality: MSPs Keep You Running – MSSPs Keep You Safe

In most small and mid-sized organisations, the same team responsible for patching servers and resetting passwords is also expected to manage firewalls, monitor alerts, and handle incident response. They’re dedicated professionals, but they’re not security analysts.

That’s where gaps emerge. Activity gets mistaken for assurance: antivirus is installed, firewalls are ticked off, backups exist somewhere, yet crucial elements like threat intelligence, 24/7 monitoring, and incident containment are missing.

An MSP’s mission is uptime, availability, and efficiency. An MSSP’s mission is resilience, detection, and response. You need both to operate safely.

The Cost of Relying on “IT Security”

Recent high-profile breaches tell the same story, again and again.

When responsibility for cyber risk is dispersed or delegated to people without specialist training, blind spots multiply silently.

  • Third-party risks go unchecked
  • Incident responses are improvised
  • Data governance is inconsistent

Traditional MSPs are invaluable for keeping systems working; but without an MSSP watching the threat landscape, vulnerabilities fester unseen until they become headlines.

Cyber Is a Business Risk – Not a Technical One

Modern resilience isn’t about who patches the server; it’s about who owns the risk. Cyber events today carry legal, financial, and reputational consequences. They demand not just technology, but governance, reporting, and continuous assurance.

MSSPs specialise in that domain. They complement MSPs by providing:

  • Proactive threat monitoring and response
  • Advanced detection capabilities (EDR/XDR/SIEM)
  • Compliance support aligned to frameworks like ISO 27001 and NIS2
  • Executive-level risk reporting that boards can actually act on

In short: your MSP keeps the lights on; your MSSP makes sure no one’s breaking in while they’re on.

Evolving the Partnership: MSP + MSSP = Resilience

The relationship between your MSP, MSSP, and internal leadership should form a three-way partnership.

  • The MSP manages infrastructure, availability, and productivity
  • The MSSP manages threat posture, monitoring, and incident readiness
  • The business owns governance and decision-making

This collaboration creates shared visibility and clear accountability. It prevents the common scenario where everyone assumes “someone else” is watching for threats, until it’s too late.

Building Competence Without Building a Department

You don’t need an in-house security team to operate securely. You need the right structure:

  • An internal Cyber Owner who bridges leadership and suppliers
  • A trusted MSP maintaining day-to-day IT operations
  • A specialist MSSP delivering dedicated detection, response, and governance

This model lets organisations achieve enterprise-grade protection without enterprise-level overheads.

Culture Over Checklists

Technology is only half the story. Resilient organisations invest in cyber culture – awareness, curiosity, and accountability across every level. An MSSP can help embed this mindset, turning security from a compliance burden into a competitive advantage.

Secure by Design sets a framework of Principles for the delivery of digital capability with cyber security and risk management at the core. This blog article explores how two continual assurance measures, Vulnerability Management and Security Controls Testing, ensure that delivery Principles including Principle 5: Build in Detect and Respond Security and Principle 7: Minimise the Attack Surface continue to be effective through-life, by implementing Principle 9: Embed Continuous Assurance.

Vulnerability Management is a critical component of ongoing security assurance, providing risk owners with continuous evidence that the system’s security controls and capabilities are functioning as intended. This assurance spans the full lifecycle of a system from development to deployment and into ongoing operation.

Security Controls Testing verifies that security controls and capabilities continue to function as intended, especially after deployment and during system operation. Combined, they support the application of Secure by Design, building a resilient security posture.

Key Benefits of Vulnerability Management and Controls Testing

Embedding Secure by Design principles into the development process ensures that activities and controls such as threat modelling, secure coding, continuous testing, access controls, encryption and monitoring have validation mechanisms in place. In the next section of this article, we explore the key principles for vulnerability management and controls testing, highlighting the benefits organisations can realise by adopting a Secure by Design approach.

Risk Mitigation and Management
Principle 5 emphasises proactively embedding detection and response mechanisms into systems and services during design and development, not as an afterthought. This foundation allows vulnerability management to be more proactive, focusing on preventing vulnerabilities rather than just reacting to them. These Secure by Design controls serve as baselines, enabling automated detection of deviations or misconfigurations.

Ongoing vulnerability management supported by controls testing ensures that risk mitigation continues to be effective. Vulnerability identification, assessment and remediation, validated by continuous monitoring, provide risk owners with evidence that controls remain effective against evolving threats.

By documenting vulnerability trends, patch cycles, and remediation effectiveness, organisations can demonstrate compliance with internal security standards and regulatory requirements.

Security Controls Testing confirms that identified security controls remain effective in mitigating risks over time. This provides evidence that risk management remains effective, giving confidence that the security posture is maintained across the system’s lifecycle.

Sustaining an excellent security posture after deployment is crucial, as systems can become vulnerable due to configuration drift, outdated software, or new threat vectors. Continuous validation through testing identifies where changes may have occurred and provides opportunity to resolve them, realising several benefits:

• Security measures continue to deliver protection as intended.
• Controls are not bypassed or degraded over time.
• The service continues to mitigate known and emerging risks.

Verifying the operational effectiveness of controls post-deployment ensures that updates, patches or changes have not compromised system security and that security policies are applied and enforced. This helps to identify deviations from approved baselines or misconfigurations and prevents drift from security standards that can introduce new vulnerabilities.

Tracking Progress and Maturity
Ongoing vulnerability management and through-life controls testing help track how effectively Secure by Design principles are being implemented across the organisation:

• Trends, gaps and analysis of recurring issues help to refine the secure development lifecycle and ensure continuous improvement.
• Metrics from vulnerability management, such as time to patch, frequency of critical vulnerabilities or compliance with baseline configurations, support strategic objectives.
• Maturity in Secure by Design adoption can be tracked.
• Gaps in implementation or effectiveness can be identified.
• Processes can be adapted and improved to close those gaps, in line with continuous improvement.

Reinforcing Secure by Design Through-Life
Vulnerability management is central to the success of other Principles, supporting the measures adopted by validating that they remain effective or providing opportunity for improvement. It covers the ‘Detect’ part of ‘Detect and Respond Security’ and involves continuously:

• Identifying known weaknesses (e.g., unpatched software, misconfigurations).
• Assessing the risk and severity of those vulnerabilities.
• Prioritising and remediating based on impact.
• Monitoring for signs of exploitation.
• Testing to confirm resolution of vulnerabilities and that they do not reappear.

Integrating Vulnerability Management with other through-life assurance and operational measures ensures a more robust security management programme. These include:

Controls Testing: Regular testing validates that security controls (like patch management, access controls, logging) are effective in mitigating vulnerabilities and risks.
Logging, Monitoring & Alerting: Vulnerability scanners, SIEM tools, and endpoint detection systems provide real-time visibility into potential threats exploiting known weaknesses.
Incident Detection & Response: When a vulnerability is exploited, fast detection and coordinated response limit damage and prevent recurrence.
Continuous Iteration: Threat landscapes evolve, so vulnerability management must be a continuous process, not a one-time event.

Having minimised the attack surface (Principle 7) during the design and build of the capability, Vulnerability Management and Controls Testing helps to identify new attack vectors and validate that the capability can remain resistant.

Continuously scanning for and identifying known security weaknesses across systems, applications and networks detects vulnerabilities early:
• Unnecessary or outdated services/components can be disabled or removed.
• Exposed ports, APIs, or services can be secured. This reduces the number of potential entry points, shrinking the attack surface.

Vulnerabilities are prioritised based on severity, exploitability, and asset criticality:
• Issues are prioritised, preventing adversaries from targeting easily exploitable paths.
• Unused or low-utility components that present elevated risk can be removed or replaced.

Vulnerability management often uncovers over-privileged accounts or services, or components running with unnecessary permissions.
• Controls Testing identifies whether gaps exist; by remediating these findings, organisations can enforce the principles of Least Privilege and Minimised Functionality.
• These improvements ensure that only essential capabilities are exposed.

Vulnerability data informs threat models.
• Helps understand real-world attack vectors and the likelihood of compromise.
• Supports asset and risk management in focusing mitigation efforts where they matter most.

Ongoing vulnerability assessments ensure newly introduced components do not expand the attack surface unnecessarily. Supported by Controls testing, this validates that updates, patches, and configuration changes have not inadvertently reintroduced risk.

Vulnerability management is not just a technical function; it is a continuous, evidence-based assurance process. When integrated within Secure by Design practices, it provides risk owners with confidence that security measures are both present and effective, supports the detection and resolution of implementation gaps, and helps ensure that systems remain resilient throughout their operational life.

Understanding the key challenges

Vulnerability management plays a crucial role in upholding Principle 5, which emphasises the need for integrated capabilities to detect, respond to and recover from security incidents, and Principle 7, which advocates reducing the number of exploitable points in a system. In practice, achieving this while managing vulnerabilities is complex, and aligning vulnerability management practices with these principles comes with several challenges:

Visibility Gaps & Poorly Defined Ownership and Responsibilities:

  • Challenge: Incomplete asset inventories and unmonitored/unscanned systems make it hard to detect vulnerabilities across the full attack surface. A lack of clarity over who owns which assets or components means users/developers unknowingly increase the attack surface.
  • Impact: Undetected vulnerabilities in these “blind spots”, if exploited, hinder both detection and timely response. This leads to gaps in vulnerability remediation and attack surface monitoring, misconfigurations, unsafe code practices and ignored security guidance.

Integrating DR Tools with Complex and Dynamic IT Environments:

  • Challenge: Modern infrastructures (cloud, containers, microservices) change rapidly, and vulnerability scanners are often not integrated with SIEM (Security Information and Event Management) and/or EDR (Endpoint Detection & Response) platforms.
  • Impact: The constant change makes it hard to maintain an up-to-date view of the attack surface, and the lack of integration limits the ability to correlate vulnerabilities with active threats or incidents, reducing effectiveness in prioritising or automating responses.

Prioritisation of Risks & Patch Management Delays:

  • Challenge: Security teams may struggle to prioritise which vulnerabilities require immediate attention due to limited context (e.g., threat intelligence, exploitability, asset criticality). Once they have decided on a priority, patching can cause downtime or affect business operations, leading to delays.
  • Impact: Prolongs vulnerability exposure, especially in high-risk systems. Time and resources may be wasted on low-risk issues, while critical threats remain unaddressed.

Outdated Vulnerability Data and Integrating Legacy & Complex System Updates:

  • Challenge: Modifying, updating or decommissioning older systems often results in significant cost or disruption. Care must be taken when updating components (e.g., third-party libraries, firmware, OS) as these can break existing functionality or introduce new vulnerabilities. Relying on outdated vulnerability databases or incomplete scanning (e.g., failing to detect zero-days or misconfigurations) compounds the problem. Legacy systems may not have been developed with SbD principles in mind and can have undocumented vulnerabilities.
  • Impact: These systems increase the attack surface and may have un-patchable vulnerabilities. They can introduce weaknesses or incompatibilities in otherwise secure environments. This weakens the ability to proactively detect or prepare for exploitation attempts. It also becomes difficult to ensure that security controls still function post-update.

Organisational Silos:

  • Challenge: Vulnerability management is often handled by separate teams from incident response or threat detection.
  • Impact: Creates communication gaps, slows coordinated response, and leads to disjointed security workflows.

How a specialist Cyber Security Provider can help organisations to address these challenges

Organisations that do not have the in-house skills, expertise or knowledge to overcome these challenges should engage a specialist cyber security services provider. A reputable provider should have a track record of delivering holistic, managed cyber security services that keep people, data, systems and technology infrastructure secure, resilient and compliant. For example, at Cyberfort we provide National Cyber Security Centre assured consultancy services that leverage our technology, hosting and Security Operations capabilities to identify and protect against cyber-attacks, and to detect and respond to security incidents.

Our managed services provide vulnerability management that integrates with threat detection capabilities, connecting scanners with SIEM and/or EDR platforms for better context and automation.

  • We use Risk-Based Prioritisation, leveraging common risk and severity scoring methods such as CVSS, asset values, exploit availability, and threat intelligence to prioritise vulnerabilities.
  • We implement continuous monitoring as a shift from periodic scanning to continuous assessment and detection.
  • We break down silos and encourage cross-team collaboration between vulnerability management, SOC, and IT operations.
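Both the Principle 7 passage earlier (“Vulnerabilities are prioritised based on severity, exploitability, and asset criticality”) and the Risk-Based Prioritisation bullet above describe the same calculation: start from the CVSS base score and let asset value, exploit availability and exposure reorder the queue. The following is an added example, not Cyberfort’s scoring model or any vendor’s; the weights, tier thresholds and SLA days are assumptions chosen for illustration, and the four findings are constructed with placeholder identifiers rather than real assets or CVEs. It also produces the metrics named in the maturity section (tier counts, overdue items, time to patch).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Assumed weights (not Cyberfort's): how strongly each piece of context moves a finding
# up or down the queue relative to its CVSS base score.
EXPLOIT_WEIGHT = {"known_exploited": 2.0, "public_exploit": 1.5, "none": 1.0}
EXPOSURE_WEIGHT = {"internet": 1.3, "internal": 1.0}
# Assumed remediation targets, in days, per priority tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass
class Vulnerability:
    vuln_id: str
    asset: str
    cvss: float                  # CVSS base score, 0.0-10.0
    exploit_status: str          # key of EXPLOIT_WEIGHT, fed by threat intelligence
    asset_criticality: int       # 1 (low) to 5 (business critical), from the asset register
    exposure: str                # key of EXPOSURE_WEIGHT
    discovered: date
    remediated: Optional[date] = None


def risk_score(v: Vulnerability) -> float:
    """CVSS ranks technical severity; asset value and exploitability turn it into business risk."""
    criticality_factor = 0.5 + 0.1 * v.asset_criticality      # 0.6 .. 1.0
    score = v.cvss * EXPLOIT_WEIGHT[v.exploit_status] * criticality_factor * EXPOSURE_WEIGHT[v.exposure]
    return round(score, 2)


def tier(score: float) -> str:
    if score >= 12:
        return "P1"
    if score >= 8:
        return "P2"
    if score >= 4:
        return "P3"
    return "P4"


def prioritise(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Highest business risk first; older findings first when scores tie."""
    return sorted(vulns, key=lambda v: (-risk_score(v), v.discovered))


def due_date(v: Vulnerability) -> date:
    return v.discovered + timedelta(days=SLA_DAYS[tier(risk_score(v))])


def is_overdue(v: Vulnerability, as_of: date) -> bool:
    return v.remediated is None and as_of > due_date(v)


def time_to_patch_days(v: Vulnerability) -> Optional[int]:
    return (v.remediated - v.discovered).days if v.remediated else None


def summary(vulns: List[Vulnerability], as_of: date) -> Dict[str, object]:
    """The metrics the article names: tier counts, overdue items and time to patch."""
    by_tier: Dict[str, int] = {"P1": 0, "P2": 0, "P3": 0, "P4": 0}
    for v in vulns:
        by_tier[tier(risk_score(v))] += 1
    patched = [time_to_patch_days(v) for v in vulns if v.remediated]
    return {
        "by_tier": by_tier,
        "overdue": [v.vuln_id for v in prioritise(vulns) if is_overdue(v, as_of)],
        "mean_time_to_patch_days": mean(patched) if patched else None,
    }


# Constructed findings with placeholder identifiers; none of these are real assets or CVEs.
SAMPLE = [
    Vulnerability("CONSTRUCTED-001", "dev-build-box", 9.8, "none", 1, "internal", date(2025, 5, 1)),
    Vulnerability("CONSTRUCTED-002", "customer-portal", 7.5, "known_exploited", 5, "internet", date(2025, 5, 20)),
    Vulnerability("CONSTRUCTED-003", "partner-api", 5.3, "public_exploit", 4, "internet",
                  date(2025, 4, 1), remediated=date(2025, 4, 20)),
    Vulnerability("CONSTRUCTED-004", "print-server", 4.0, "none", 2, "internal", date(2025, 3, 1)),
]
AS_OF = date(2025, 6, 1)           # constructed reporting date

if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        print(f"{v.vuln_id} {v.asset:16} CVSS {v.cvss:4} risk {risk_score(v):6} "
              f"{tier(risk_score(v))} due {due_date(v)}")
    print(summary(SAMPLE, AS_OF))
```

The point the sample makes is that the CVSS 9.8 on an isolated, low-value build box lands in P3 while the CVSS 7.5 on an internet-facing, business-critical portal with a known exploit is the only P1, and the only item overdue on the reporting date. Patching in raw CVSS order would have addressed them the other way round.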

Additionally, we reinforce continuous monitoring regimes through proactive and reactive controls testing. Reactive testing is done in response to risk or incident resolution, providing assurance that controls are in place and effective. Proactive testing of control baselines can be crucial either for identifying control weaknesses that lead to risks, or for mitigating issues before they become risks, by validating that controls are effective. Whilst vulnerability management tends to focus on the technology landscape, controls testing can also validate people, process and procedural controls.

Reactive testing following external audits has included a review of Joiners, Movers, Leavers (JML) processes, identifying issues in the Leavers stage of the current JML process that were resulting in unrevoked accounts.

Proactive controls testing has been conducted as a gap analysis against expected policy implementations, to ensure conformance by the business and by those supporting the business. One example validated that contractors with permission to create and modify code held the correct vetting status, as required by the business’s vetting policy set by the CISO.
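The two controls tests just described, the JML leavers review and the contractor vetting gap analysis, are both reconciliations between a source of truth and what is actually in place, and they can be repeated on a schedule rather than once per audit. The following is an added example, not Cyberfort’s tooling: it assumes three constructed data feeds (an HR leavers report, an identity-provider account export and a vetting register), an assumed ordering of vetting levels using the UK national security vetting names, and sample records that name no real people or repositories.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Leaver:               # from the HR leavers report
    user: str
    last_day: date


@dataclass
class Account:              # from the identity provider export
    user: str
    enabled: bool
    last_login: Optional[date]


@dataclass
class VettingRecord:        # from the vetting register
    user: str
    level: str              # assumed labels following UK national security vetting names
    expires: date


# Assumed ordering of vetting levels, lowest to highest.
VETTING_RANK = {"BPSS": 1, "SC": 2, "DV": 3}


def unrevoked_leavers(leavers: List[Leaver], accounts: List[Account],
                      as_of: date, grace_days: int = 0) -> List[dict]:
    """Leavers whose account is still enabled after their last day (plus any agreed grace period)."""
    by_user = {a.user: a for a in accounts}
    findings = []
    for leaver in leavers:
        account = by_user.get(leaver.user)
        if account is None or not account.enabled:
            continue                                  # account removed or disabled: control worked
        days_since = (as_of - leaver.last_day).days
        if days_since > grace_days:
            findings.append({
                "user": leaver.user,
                "days_since_leaving": days_since,
                # a login after the last day turns a process gap into a question for incident response
                "used_after_leaving": account.last_login is not None and account.last_login > leaver.last_day,
            })
    return findings


def committers_without_vetting(repo_writers: Dict[str, List[str]], contractors: Set[str],
                               register: List[VettingRecord], required_level: str,
                               as_of: date) -> List[Tuple[str, str, str]]:
    """Contractors with write access to code who lack current vetting at the required level."""
    by_user = {r.user: r for r in register}
    findings = []
    for repo, users in sorted(repo_writers.items()):
        for user in users:
            if user not in contractors:
                continue                              # the policy under test concerns contractors
            record = by_user.get(user)
            if record is None:
                findings.append((repo, user, "no vetting record"))
            elif record.expires < as_of:
                findings.append((repo, user, "vetting expired"))
            elif VETTING_RANK[record.level] < VETTING_RANK[required_level]:
                findings.append((repo, user, f"{record.level} below required {required_level}"))
    return findings


# Constructed sample data; no real people, repositories or dates.
LEAVERS = [Leaver("alice", date(2025, 4, 30)), Leaver("bob", date(2025, 5, 28)),
           Leaver("dave", date(2025, 1, 15))]
ACCOUNTS = [Account("alice", True, date(2025, 5, 10)), Account("bob", True, None),
            Account("carol", True, date(2025, 5, 29)), Account("dave", False, date(2025, 1, 14))]
REPO_WRITERS = {"payments-service": ["carol", "erin", "frank"], "website": ["erin"]}
CONTRACTORS = {"erin", "frank"}
REGISTER = [VettingRecord("erin", "BPSS", date(2026, 1, 1)), VettingRecord("frank", "SC", date(2025, 1, 1))]
AS_OF = date(2025, 5, 30)          # constructed test date

if __name__ == "__main__":
    print(unrevoked_leavers(LEAVERS, ACCOUNTS, AS_OF, grace_days=3))
    print(committers_without_vetting(REPO_WRITERS, CONTRACTORS, REGISTER, "BPSS", AS_OF))
```

The `used_after_leaving` flag is what separates a finding that goes back to the JML process owner from one that also needs an incident-response look; the vetting test checks expiry before level, since an expired clearance is a gap regardless of how high it was.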
