Cyber Essentials Part 2: CyberAggress Interview

Hi David, firstly could you tell us a little about the team at CyberAggress and the unique skills and experiences you each possess?

A: The company is built upon the skills of myself and Gillian. Gillian has an extensive background in the pharmaceutical industry overseeing drug trials. The pharma industry is highly regulated, and data protection/anonymity is a key pillar, much more so than in other industries, hence the tie-up with GDPR and our information protection services.

I myself have a long career in the development of equipment, hardware, firmware, application software and web applications, from the PCB to the user! Having developed equipment for Military, Oil & Gas, Banking and Retail, low volume high value and high volume low value, building in security at the design stage and also retrofitting it at release is all too familiar to me.

I gained a CISSP (Certified Information Systems Security Professional) after realising that I'd been soaking up so much information in my diverse career, from either doing it or never-ending reading on the subject, and I absolutely stand by the ethics of the certification and the profession.

Likewise, I took the Certified Ethical Hacker (CEH) exam just to see where my base skills were at. I passed, but let's be clear, a CEH doesn't make you the ultimate hacker; it was informative, though, and thus my deep level of understanding is of great benefit to our clients.

What is your main mission as a company?

A: Our ethos is that security should aid business and not be a hindrance to it. Any security should be proportional to the real risks the business faces, not the mythical threat that the media may suggest. We primarily offer our services to the micro and small businesses of all types and aim to make the world of Cyber Security understandable so that the businesses can make informed choices for the right reasons.

What in your mind are CyberAggress’ main areas of knowledge and expertise? And how do these coalesce in the kind of service you deliver to your clients?

A: CyberAggress have a huge depth of knowledge of technology, from the design of the components on the PCB up to the user interface, encompassing all communication methods and technologies, combined with a healthy dose of paranoia and cynicism! We like to keep things simple, and it seems so do our clients. We offer Cyber Essentials Basic and Plus, vulnerability scanning, information protection, IoT consultancy, network architecture guidance and often a sounding board to clients who need the complex broken down into digestible chunks that they can understand.

What is the nature of the projects CyberAggress has been involved in to date?

A: As a new business we have been pushing Cyber Essentials, as for many of our clients it's the first step to getting the fundamentals right. Being a self-assessment, it can seem like a box-ticking exercise, but we see it as the start of real risk management, and that's important for the business, its customers, and for showing the ICO for GDPR purposes. Cyber Essentials Plus is where we can prove the value; even if a business has ISO27K, it's best to check the key controls do work. But it's not a one-time fix; it's all part of the people, process, technology and safety framework.

As our clients are often micro and small businesses, the spectrum of risk management is huge. Some of our micro businesses are defending against a local or foreign advanced persistent threat (APT), whereas some of the larger ones are doing little to nothing at all, often stating "we have never had a problem before". It's unfortunate, but they most likely do have a problem and are not aware of it. We can only help the willing!

You mentioned earlier you have a Certified Information Systems Security Professional (CISSP) qualification. This is not only a qualification, but also membership of an exclusive international organisation. Could you tell us a little more about this certification and how CISSP manifests itself in your client relationships and past projects?

A: A CISSP (Certified Information Systems Security Professional) qualification (which is very hard to pass the exams and qualify for) shows a huge breadth of knowledge covering all aspects of information security, backed by a global organisation that selects its members very carefully. Those that have passed the exam and maintain the membership I feel have proven themselves as part of the journey to a CISO position. Others that have never attempted it, or have failed (I've met some that have tried 2-3 times), either aspire to it or put the qualification down, and that's a shame. It's a very broad certification, with some subject concentrations in some aspects; those that have failed are undoubtedly excellent in a concentration but not in the broad field.

In terms of the Cyber Essentials scheme itself, if you could summarise the benefits of an IT company undertaking the programme in a sentence, what would that be?

The benefit to an IT company gaining Cyber Essentials Basic is showing that you are doing the right things. This should encourage their current and future clients to come to them, thus a competitive advantage. Going on to Plus level is where we all want to be, i.e. proving that the defences are working; that should mean they sleep a little easier. But it's all part of the bigger picture: if an IT company passes a Plus, they have good processes and policies in place, the equipment is configured for security, etc. If I were a potential client, I'd want to use them over those that have no external accreditation, even ISO27K; once again, competitive advantage.

What form does the Cyber Essentials scheme take with CyberAggress?

When you come to us, you are given the option of the amount of extra support needed. The support we offer is asking questions of the business, understanding what they are doing and how they are securing the business, with an eye to the principles of Cyber Essentials. Some may feel that they just want to be assessed without help, which we can do as well. We can provide support and certify, but I'm absolutely steadfast that the business will only pass if they meet the requirements. Even those that we provide support for, I will only pass if I believe they have been truthful. Those that go on to do the Plus afterwards will be audited to verify that the Basic assessment was indeed correct, and that the systems stand up to testing. To be clear, we as a business do not do hands-on IT support or sell software, so we are no threat to IT support companies; in fact, we want to work with them.

We’ve spoken to David Shuster of Managed IT Experts, who undertook the Cyber Essentials scheme with CyberAggress. He provided a glowing review. What are the key takeaways from the Cyber Essentials scheme that you hear from your clients’ feedback?

Managed IT Experts are true to their name: very well managed and a good solid team that know what they are doing. Many of those that complete Basic feel much more confident that they are doing the right things, but that doesn't come purely from the self-assessment; it comes from the consultation and working with us. When a business takes on Cyber Essentials Plus, they really get a feel for how secure their systems are. I like to work with the business, and where possible, where they might fail a test, I will provide advice on how it can be fixed; if they embrace it and take action, I'll retest and move on. I'm also looking for other security aspects when I'm on site, like passwords written on the sides of monitors, doors/windows left open to public spaces near IT kit, unlocked server rooms, and a lack of UPSs. Some of the things people do can so easily be used against them, but they are often unaware. Some are receptive to that, some are not, but I have a professional obligation to point these things out!
