Adsure Services PLC is the holding company for TIAA Limited, through which principal trading takes place.

TIAA Limited has been operating for over 20 years. We are now one of the largest specialist business assurance providers in the UK, offering our clients enhanced expertise in a wide spectrum of services.

Cyber Security is vital for your business. It provides assurance that your business data is guarded to the highest standards and helps you stay in line with GDPR.

Submit the form below to find out how we could help your business!

Effective measures to help you improve Cyber Security Assurances

TIAA often has clients state that they believe they have suitable mitigations and measures in place to counter the cyber security risk. This, however, is often based upon false assurances such as:

  • ‘We have an annual penetration test.’
  • ‘We have cyber security as a risk on our risk register.’
  • ‘We’re too small an organisation to be at risk from a cyber-attack.’
  • ‘We have an accreditation which we renew each year.’

Executives and board members cannot be expected to have comprehensive knowledge of the complexities associated with Cyber Security. Their focus rightly remains on identifying what robust assurances can be obtained in relation to the risk levels, and the risk appetite.

As a starting point, it’s vital to understand the risks, and these are unique to each organisation. A single risk register entry stating “We may get hacked” is no longer sufficient. Cyber crime risks are complex, so the risk assessment needs to break the risk down into targeted areas. It’s good practice to use a framework like the National Cyber Security Centre’s 10 steps to identify the key risk areas and to tailor them to align with your organisational configuration. As a holistic approach, TIAA is able to offer a robust advisory “Cyber Security Maturity Assessment”, which will evaluate your operational maturity against the 10 steps. This uses a capability maturity model with clear markers to provide an empirical score which can assist boards and audit committees in spotting any gaps and developing appropriate mitigations. This can be invaluable and is a repeatable exercise which can then demonstrate the effectiveness of mitigations by tracking the maturity scores and feeding into an assurance framework. If required, TIAA can also provide a deep dive into each of these steps to provide a more bespoke assessment.
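The scoring, gap-spotting and score-tracking that a maturity assessment of this kind produces can be made concrete in a few lines. The following is an added illustration, not TIAA’s assessment tool: the ten step names are the NCSC’s published “10 Steps to Cyber Security”, while the 0–5 maturity scale, the target levels and the two years of sample scores are constructed assumptions chosen to show how gaps against a board-set target are identified and how the score is tracked between assessments.

```python
"""Capability-maturity scoring against the NCSC 10 Steps (added illustration).

Not TIAA's tool. Step names are the NCSC's 10 Steps; the 0-5 scale, the
targets and the year-on-year sample scores are constructed assumptions.
"""
from dataclasses import dataclass

NCSC_10_STEPS = (
    "Risk management",
    "Engagement and training",
    "Asset management",
    "Architecture and configuration",
    "Vulnerability management",
    "Identity and access management",
    "Data security",
    "Logging and monitoring",
    "Incident management",
    "Supply chain security",
)

# Assumed maturity markers (CMM-style): 0 = non-existent, 1 = initial,
# 2 = repeatable, 3 = defined, 4 = managed, 5 = optimising.
MAX_LEVEL = 5


@dataclass(frozen=True)
class Gap:
    step: str
    current: int
    target: int

    @property
    def shortfall(self) -> int:
        return self.target - self.current


def validate(levels: dict) -> None:
    """Reject assessments that do not cover all ten steps with in-range levels."""
    missing = set(NCSC_10_STEPS) - levels.keys()
    unknown = levels.keys() - set(NCSC_10_STEPS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for step, level in levels.items():
        if not isinstance(level, int) or not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"{step}: level {level!r} outside 0..{MAX_LEVEL}")


def overall_score(scores: dict) -> float:
    """Empirical score as a percentage of the maximum attainable across all steps."""
    validate(scores)
    return round(100.0 * sum(scores.values()) / (MAX_LEVEL * len(NCSC_10_STEPS)), 1)


def gaps(scores: dict, targets: dict) -> list:
    """Steps below the board's target level, largest shortfall first."""
    validate(scores)
    validate(targets)
    found = [Gap(s, scores[s], targets[s]) for s in NCSC_10_STEPS if scores[s] < targets[s]]
    return sorted(found, key=lambda g: (-g.shortfall, g.step))


def track(previous: dict, current: dict) -> dict:
    """Per-step change between two assessments; negative values are regressions."""
    validate(previous)
    validate(current)
    return {s: current[s] - previous[s] for s in NCSC_10_STEPS if current[s] != previous[s]}


# Constructed sample data for a fictional organisation; not a real assessment.
TARGET = {s: 3 for s in NCSC_10_STEPS}
TARGET["Data security"] = 4  # higher target where the risk appetite is lower
YEAR_1 = dict(zip(NCSC_10_STEPS, (2, 1, 3, 3, 1, 2, 3, 2, 2, 1)))
YEAR_2 = dict(zip(NCSC_10_STEPS, (3, 3, 3, 2, 3, 3, 3, 3, 3, 2)))

if __name__ == "__main__":
    print(f"Year 1 score: {overall_score(YEAR_1)}%  Year 2 score: {overall_score(YEAR_2)}%")
    for g in gaps(YEAR_2, TARGET):
        print(f"GAP  {g.step}: level {g.current}, target {g.target}")
    for step, delta in track(YEAR_1, YEAR_2).items():
        print(f"{'REGRESSION' if delta < 0 else 'improved  '} {step}: {delta:+d}")
```

The per-step target is what ties the score back to risk appetite: the sample sets a higher bar for data security than for the other steps, so a step can sit at the organisation-wide average and still be a reportable gap. The `track` output is the repeatable part of the exercise, and the sample deliberately includes one step that has regressed so that the report surfaces it rather than burying it in an improved overall score.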

Effective training in eSafety remains a vital but often overlooked measure in improving cyber security. TIAA offers modular training (either in person or remotely) to address this need, as well as eLearning tools. The training has been regarded as highly effective in improving understanding and preparedness at all levels, from basic eSafety through to management, board level and IT First Responders.

The issue of the false assurance from an annual penetration test is a red flag we see often. This is usually due to the highly technical nature of the report and the volume of “fixes”, which can overload IT teams. The annual penetration test doesn’t tell you that the latest changes made to a server by IT were implemented safely and did not affect security. It doesn’t tell you whether your public internet-facing infrastructure is vulnerable to the latest vulnerability discovered. Nor does it tell you whether the fixes reported in the last penetration test have been successfully deployed in a timely manner.

TIAA recognises the challenges associated with keeping systems secure and patched. To address this assurance need, TIAA offers a “vulnerability scanning as a subscription” service. Often referred to as a passive penetration test, this effective scan can be scheduled to meet your operational needs and budget, or be deployed as a call-off service from an agreed number of scan credits, giving you ultimate flexibility. It can be used for infrastructure, web applications, cloud solutions and even connected third parties. Scanning can be specifically targeted, e.g. for the latest exploit, or run as a comprehensive scan for OWASP vulnerabilities. The exact scan configuration can be defined as part of our investigative assessment with you, to ensure you are prioritising your efforts effectively.
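What a scheduled scan adds over an annual test is the comparison between runs: which previously reported findings have actually been fixed, which are still open past their remediation window, and which are new (for example the same weakness reappearing on a freshly built server). The following is an added example of that comparison logic, not TIAA’s scanning service or any scanner’s real output: the CSV export format, the hostnames, the `CHK-` check identifiers and the two scan snapshots are all constructed, and the severity-based remediation windows are an assumed policy to be replaced with your own.

```python
"""Reconcile successive vulnerability-scan runs (added illustration).

Not TIAA's service. The CSV layout, hosts, CHK-nnnn check ids and the two
scan snapshots are constructed; SLA_DAYS is an assumed remediation policy.
"""
import csv
from dataclasses import dataclass, replace
from datetime import date
from io import StringIO

# Assumed remediation windows in days per severity (set from your own policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {sev: i for i, sev in enumerate(SLA_DAYS)}  # critical=0 ... low=3


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str      # the scanner's stable identifier for a check
    severity: str
    first_seen: date   # date the finding first appeared, used for SLA ageing

    @property
    def key(self):
        return (self.host, self.check_id)


def _ordered(findings):
    """Deterministic order: most severe first, then host and check id."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.check_id))


def parse_scan(csv_text: str, scan_date: date) -> list:
    """Parse a constructed 'host,check_id,severity' export into Findings."""
    findings = []
    for row in csv.DictReader(StringIO(csv_text.strip())):
        sev = row["severity"].strip().lower()
        if sev not in SLA_DAYS:
            raise ValueError(f"unknown severity {sev!r} for {row['host']}")
        findings.append(Finding(row["host"].strip(), row["check_id"].strip(), sev, scan_date))
    return findings


def reconcile(tracked: list, scan: list):
    """Merge the latest scan into the tracked state.

    Returns (state, fixed, new). Persisting findings keep their original
    first_seen so that each scan does not reset the remediation clock.
    """
    prev = {f.key: f for f in tracked}
    curr = {f.key: f for f in scan}
    fixed = _ordered(prev[k] for k in prev.keys() - curr.keys())
    new = _ordered(curr[k] for k in curr.keys() - prev.keys())
    state = [replace(f, first_seen=prev[k].first_seen) if k in prev else f for k, f in curr.items()]
    return _ordered(state), fixed, new


def overdue(tracked: list, today: date) -> list:
    """Open findings older than their severity's remediation window."""
    return [f for f in _ordered(tracked) if (today - f.first_seen).days > SLA_DAYS[f.severity]]


# Constructed scan exports for a fictional estate; CHK ids are placeholders.
SCAN_MARCH = """host,check_id,severity
web01.example.internal,CHK-1001,medium
web01.example.internal,CHK-1002,high
vpn01.example.internal,CHK-1003,critical
db01.example.internal,CHK-1004,critical
"""
SCAN_APRIL = """host,check_id,severity
web01.example.internal,CHK-1001,medium
web01.example.internal,CHK-1002,high
web02.example.internal,CHK-1002,high
db01.example.internal,CHK-1004,critical
"""

if __name__ == "__main__":
    state, _, _ = reconcile([], parse_scan(SCAN_MARCH, date(2024, 3, 1)))
    today = date(2024, 4, 5)
    state, fixed, new = reconcile(state, parse_scan(SCAN_APRIL, today))
    print("fixed:  ", [f.key for f in fixed])
    print("new:    ", [f.key for f in new])
    print("overdue:", [(f.key, f.severity, (today - f.first_seen).days) for f in overdue(state, today)])
```

Keying findings on host and check id, rather than on the scanner’s per-run finding number, is what makes the fixed/new split stable across runs; carrying `first_seen` forward is what turns a pair of snapshots into the “was it deployed in a timely manner” answer, because an open critical finding reported in March is overdue in April regardless of how many scans have run in between.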

As Business Assurance Specialists, with many years of cyber security expertise, we know what good looks like.

It is clear that cyber-crime threats are continually evolving both in frequency and complexity, but organisations are sometimes slow to respond.

TIAA has a team of specialists who can work with you to provide independent, constructive advice and support, to help you adopt good practices and enhance your cyber security measures. Act now to get assistance to help your organisation address cyber security risks. Don’t wait until next year’s pen test to find out that your organisation is vulnerable.

Here are 10 key takeaways:

  1. Engagement – this is not an IT problem, it is a business problem which requires board level engagement.
  2. “Know the prize” – the Information Asset Register is a starting point. You need to know what you could lose, and the scale of the risk.
  3. Baseline your operational maturity of Cyber Security, Data Management, and Disaster Recovery.
  4. Adopt best practices to address gaps in a timely manner.
  5. eSafety training is vital for everyone and at all levels. Ensure high privilege and high profile staff receive tailored training commensurate with their role.
  6. Leverage Artificial Intelligence tools, and continuous assurance such as ongoing vulnerability scanning.
  7. Understand the risk, and budget appropriately in line with organisational risk appetite.
  8. Drill and test the Disaster Recovery process – don’t wait for a live fire event.
  9. Understand your entire supply chain, paying particular attention to connected parties or providers who hold your data.
  10. Backups are only as good as the last restore test – frequent full restoration checking is essential, as are immutable backups.