
Cybersecurity For Consultants & Small Consulting Firms: Action Plan

By Gary Peace

Across all industries, cyber-attacks are on the rise. “Supply chain” risk has been singled out as one of the biggest threats. And as consultants, we’re part of that supply chain.

(Listen to the podcast version of this in-depth article here)

The reason why it’s such a big risk? Most solo consultants and small firms invest little to nothing in security. We often see security as a cost. We also tend to worry less about compliance.

Why would hackers attack big corporate businesses with proper IT networks, protective monitoring, and security teams, when they can attack us — the one-man or one-woman consulting business owners?

Unfortunately, we are often the easiest and weakest link.

However, despite being the weakest link, it’s relatively easy for us to secure our own and our customers’ data. By investing a little into our cyber security and compliance, we can make ourselves hard targets. And, we can use our newfound security posture as a sales differentiator; our competitors aren’t taking this seriously!

In this article, I’ve written 5 steps for you to make yourself secure against cyber-attacks, and more compliant with data protection laws. These measures are location-agnostic and will work wherever you operate your consulting business.

(NOTE: These steps are based on the requirements of the UK Cyber Essentials framework (a UK government standard), and others, and best practice data protection principles, taken from the EU and UK GDPR)

Step 1: Discovery

Imagine you’re embarking on a long road trip. These journeys involve a starting point, a destination, and a passage between the two. Likewise, upping your security posture is a journey: and you must plan your route.

You need to know three things:

  1. Where you are starting from
  2. Where you are going (or where you want to end up)
  3. How you are going to get there

So, how do you know where you are starting?

The answer: assess what you are doing now, and what you already have in place.

Doing so allows you to establish a baseline security and compliance posture, and demonstrates how compliant you are (or not) with the standard or regulation you are measuring against, be it GDPR, ISO 27001, NIST, Cyber Essentials, or others. If you follow these steps, you are on the way to complying with one or all of these frameworks, at least in part.

Data Mapping: Take Inventory Of What You’ve Got

  • Map out your network. If you don’t have a network, identify what computers or mobile devices you have.
  • What operating systems do your computers and devices use? How up-to-date is the software on those devices?
  • What do those devices connect to?
  • What cloud services do you use (HubSpot, Xero, SurveyMonkey, etc.)?
  • Risk assess what information you hold (customer data, financial information, intellectual property, medical information, employee data, contractual information)
  • Create a document (“Inventory of information assets”) to collect and record this information (see suggested content headers, below).

You’ll find the information you’ll need for this process below (these are examples of the information assets which may be found in your organization).

This list is not exhaustive. Each organization is unique, and must specify its own assets:

Inventory of Information Assets

  • Unique reference
  • Asset category (people, applications, databases, documents, services, ICT, other equipment, etc)
  • Name of the asset
  • The name of the asset owner (departmental lead or another responsible person)
  • Asset description (significant information: location, back up methods, number of licenses, serial numbers for equipment and hardware, etc)
  • Impact (from your risk assessment)

Additional data protection requirements

  • The purpose of the processing activity.
  • The categories of personal data processed.
  • The recipients to whom the personal data have been or will be disclosed, including recipients in third countries.
  • Transfers of personal data to a third country, including the identification of the respective third country.
  • The proposed time limits for the erasure of the different categories of data.
  • Where possible, a general description of the technical and organizational security measures.
  • Department where the processing activity takes place.
  • The name of the system which processes the data.
  • Suitable safeguards for exceptional transfers of personal data.
  • The name and contact details of the processor and of each data controller.
  • The categories of processing carried out on behalf of each controller.
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization.

Checklist of Assets (to collect)

People

  • Top management (members of the management board, members of the supervisory board, business unit managers)
  • Middle management
  • Employees & experts (e.g. system administrators, designers, security experts, etc.)
  • Other employees
  • Part-time external employees
  • External people who visit the organization

Applications and databases

  • Application software (licensed)
  • Freeware; shareware
  • System software
  • Various tools
  • Databases

Documentation (in paper or electronic form)

  • Contracts
  • Correspondence with clients and partners
  • Records
  • Logs
  • Manuals
  • Standards
  • Receipts
  • Equipment documentation
  • Training documentation
  • Internal documents
  • Decisions
  • Reports
  • Plans
  • Accounting records
  • Personnel documents

IT, communication and other equipment

  • Desktop computers
  • Laptops / Mobile Devices
  • Installation CDs
  • UPS devices & power generators
  • Air-conditioning
  • Network equipment
  • Power cables
  • Servers
  • Telephones & Telephone Systems / Mobile phones
  • Printers / Scanners
  • Photocopiers
  • Backup tapes
  • Mobile storage media
  • Measuring equipment
  • Alarms
  • Vehicles
  • Cards and card readers
  • Safes
  • Keys

Infrastructure

  • Offices
  • Archives
  • Warehouses
  • Safes / Cabinets

Outsourced services

  • Electrical power supply
  • Communication links
  • ICT equipment maintenance
  • Information systems maintenance
  • Mail and courier services
  • Auditors
  • Consultants
  • Supervisory institutions

Step 2: Risk Assessment

Next, you’ll begin to prepare by looking at 3 things:

  1. Confidentiality (can someone access the data that they shouldn’t?)
  2. Integrity (how accurate and up-to-date is the information you hold?)
  3. Availability (can you or your clients get to your/their data when you or they need to?)

You’ll also assess against the inventory of assets you’ve just created:

  1. How would a failure of any one of those three attributes impact your business?
  2. What is your most critical, sensitive and important data?
  3. How will you protect your data, according to the value you attach to it?

What this assessment enables you to do is to identify what’s most valuable: the information you make sure is locked away (if it’s physical) or placed into an encrypted folder (if it’s digital).

If it is digital, use two-factor (2FA) or multifactor authentication as an additional security measure. Always use 2FA if possible. It’s one of the single biggest factors in reducing your risks.

An easy way of visualizing value in data is to think of your jewelry or other sentimental possessions at home.

If you are going away or have strangers working in your home, you wouldn’t dream of leaving your most valuable possessions out on show and unattended. You would either hide them or lock them away.

Apply the same thought process to your information!

Know where your data is, what it is, and who has access to it. In addition, identifying all of your data processing activities is important for GDPR and other data privacy regulations.

A failure of one or more of these attributes (Confidentiality, Integrity, or Availability) may also require you to inform your clients, law enforcement, and/or regulators of a data breach.

Using this process, you’ll get to a point where you have a comprehensive, documented list: an inventory of assets (equipment and information) that can be risk-assessed against threats and vulnerabilities. This enables you to make balanced and informed decisions as to what your “crown jewels” are and what you need to protect (as well as what you don’t need to protect).

Threats, Vulnerabilities & Impact

Earlier, I mentioned threats and vulnerabilities. Here’s a breakdown of what those mean:

  • Threat: something that can go wrong, or something (or someone) that can attack an asset.
  • Vulnerability: a weakness that leaves the system “open” to attack, or that allows an attack to succeed or to have a greater impact.
  • Likelihood: how likely you are to be affected by a given attack or threat.

A good way to visualize likelihood is to think about these three possible scenarios (below):

  • Earthquake: in the UK, these do happen — but they are small, mostly infrequent and cause little to no damage.
  • Flood: depending on where you are in the country and whether or not you are on a flood plain or next to a river, the chance of you being affected by flooding could be low or high.
  • Malware: if you leave an unprotected computer connected to the internet, it will become infected in a matter of hours. Phishing attacks are increasing. Organizations and their employees are subject to random and targeted attacks on a daily basis. The likelihood is high!

cybersecurity for consultants: scenarios flow chart

  • Impact: the effect of a threat successfully exploiting a vulnerability on the Confidentiality, Integrity or Availability of that asset. In business terms, this impact should be given a monetary value.

Step 3: Cyber Awareness

Understanding the threats

Cyber awareness is the ability to understand the threats or risks from a cyberattack: both at home and at work, and how that impacts an organization’s vulnerabilities.

It’s also knowing what to do when an attack happens.

Increased cyber awareness can have a significant and positive impact on cybersecurity.

According to the latest studies (and my own experience), the most disruptive attack starts with a fraudulent email or from being directed to a fraudulent website through a phishing attack!

So, at the conclusion of Step 3, you now know:

  • What and where your assets are.
  • The threats and the vulnerabilities against those assets
  • The impact of the threats acting upon the vulnerabilities

You know what the risks are. Now, you’re prepared to act.

Step 4: Protect Your Data

Technical Measures

  • Firewalls and Routers stop unauthorized access to or from your network and systems.
    • Make sure your internal firewall is enabled on your router and/or in your anti-virus or operating system.
    • Change any default administrative password, or disable remote administrative access entirely.
    • Use a second authentication factor (2FA or MFA)
    • An IP whitelist can limit access to a small range of trusted addresses.
    • Block unauthenticated inbound connections by default.
  • Software Updates and Patch Management
    • Make sure all software is kept as up-to-date as possible, applying updates as soon as they become available (it’s a requirement under the UK Cyber Essentials scheme to do this within 14 days for all critical / important updates).
    • Enable auto-updates
  • Malware Protection
    • Install and use anti-malware or anti-virus software (free software is fine to use also, just have something — even if you use a Mac!)
  • Access Control
    • Keep access to your data and services to an absolute minimum
    • Don’t use your administrator account for normal day-to-day operations. If a hacker gains access to your username and password then they would have access and control over everything!
  • Secure Configuration
    • Properly configure web and application servers to reduce vulnerabilities and only provide necessary services.
    • Don’t share passwords between applications! Your password will get compromised at some point, and you don’t want hackers being able to access multiple accounts using the same leaked password.
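The 14-day patch window above is easy to check rather than assume. The following Python script is an added example (not from the article): it walks a constructed list of update records and reports every critical or important update that was installed late, or is still missing, past the 14-day deadline. The record layout and all dates are assumptions.

```python
"""Check the 14-day window for critical/important updates that the article
cites from UK Cyber Essentials. Added example; the update records and dates
below are constructed, and the record layout is an assumption."""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)


def overdue_updates(updates, today):
    """Return (name, days_late) for critical/important updates that were not
    installed within 14 days of release. Updates still missing are measured
    against `today`; installed ones against their install date."""
    late = []
    for u in updates:
        if u["severity"] not in ("critical", "important"):
            continue  # the 14-day rule applies to critical/important only
        deadline = u["released"] + PATCH_WINDOW
        reached = u["installed"] or today  # None means not yet installed
        if reached > deadline:
            late.append((u["name"], (reached - deadline).days))
    return late


# Constructed sample inventory of updates (not from a real device).
UPDATES = [
    {"name": "OS security update", "severity": "critical",
     "released": date(2024, 2, 1), "installed": date(2024, 2, 5)},
    {"name": "Browser update", "severity": "important",
     "released": date(2024, 2, 10), "installed": None},
    {"name": "PDF reader update", "severity": "low",
     "released": date(2024, 1, 1), "installed": None},
    {"name": "Router firmware", "severity": "critical",
     "released": date(2024, 1, 20), "installed": date(2024, 2, 10)},
]
TODAY = date(2024, 3, 1)  # constructed "audit date" for the sample run

if __name__ == "__main__":
    for name, days in overdue_updates(UPDATES, TODAY):
        print(f"{name}: {days} day(s) past the 14-day window")
```

Feed it whatever your real update history looks like (most operating systems and package managers can export release and install dates) and the same function reports the Cyber Essentials non-conformities for your audit in Step 5.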

Organization Measures

Have you ever been asked for someone’s phone number, but because you’re not organized, you can’t find what you’re looking for?

Imagine this on a much larger scale with years worth of data and a host of people you share data with: people who might have access to your email and other expensive or sensitive information. This is why you need to organize and protect your company information.

You can’t just get away with technical controls. You do need information governance measures too, for both security and compliance purposes!

Without them, you will not be able to comply with data breach investigations, Freedom of Information requests (FOIA), or Data Subject Access Requests (DSARs). You may be personally liable and subject to litigation or fines by regulators or victims of a breach.

Data / Folder Structures

Organizing files on a computer is just like organizing anything else.

Imagine you’re organizing your wardrobe. You might sort each type of clothing into separate piles. Then you pair the socks together and then group all the shirts and tops together by color.

If you don’t, you might not be able to find the right pair of socks when you need them. That’s how most clients I come across typically treat information and files. “We” save files randomly to our desktop and document folders and end up wasting time every day searching for files.

Setting a simple folder structure will help — just like dividers in filing cabinets help with paper files.

Folder structure is the way folders are organized on your computer. As folders are added over time, you can either keep them at the same level —like Folders 1, 2, and 3 in the chart below — or nest them within each other for a hierarchy — like Subfolders 1.1 and 1.1.1 below. Nested folders make it easier to find specific files, because you don’t have to search through all your files at once.

secure folder structure for consultants

What Makes a Good Folder Structure?

The best folder structure is the one that fits your business or organization. Do you operate using financial quarters? Then use a new folder for each quarter. Or do you work around projects? Then use a new folder for each project.

Searching your folders and finding files should be seamless and easy. If it’s not, then anyone else who needs to find, use or access your data will find it impossible. Come up with a folder structure that works for, and is used by, the whole organization.

The other thing to keep in mind is that if you have a data breach, you need to know what’s gone. Being able to do this quickly means that you can limit the damage (and cost) to you and your business in the fastest way possible. It also means that a court or forensic examiner doesn’t have to crawl all over your network and all of your data, because you can’t guarantee where the data was when you got hacked!

If you want to maintain your folder structure long-term, you must ensure that everyone understands and follows it. So, it will need to be formalized:

  • Create a template: Copy and paste it every time you start a new project or task.
  • Use keywords for folder names: Remember, you can search for files using folder names; the more specific, the more quickly you’ll find what you’re looking for.
  • Keep folders unique: Make sure you’re not keeping information or documents in two different places for the same project.
  • Make a flow chart: Don’t worry about remembering where everything is. Use a flow chart as an aid.

Data Classification

Why do data classification? We’re not in the Secret Service!

Just as you might lock away your valuable jewelry at home while leaving the everyday jewelry on the dressing or bedside table, you should be doing the same with your data.

But how do you tell what is valuable to the organization and what isn’t? How do you work out what your crown jewels are? You do this by working out what is important, valuable, or sensitive to your organization, and then classifying it accordingly. On a basic level, the classification of data makes it easier to secure, locate and retrieve.

Don’t get too complicated with it. Have 3 or 4 levels max.

For example:

  1. Restricted – for the info that would cause catastrophic damage if it were leaked, lost or corrupted
  2. Confidential – for info that would cause substantial damage if it were leaked, lost or corrupted
  3. Internal – for info that would cause minor inconvenience or embarrassment if it were leaked, lost or corrupted
  4. Public – This is the info that goes on the website and into marketing material, so no issues at all with it being out in the open.

Think about the Confidentiality, Integrity and Availability definitions mentioned earlier in “Risk Assessment”.
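As an added example (not from the article), here is a small Python asset register that ties the Step 2 risk assessment to the classification levels above: each asset carries the inventory headers from Step 1, a 1-4 impact rating for Confidentiality, Integrity and Availability, and a likelihood taken from the earthquake/flood/malware scale, so the script can rank the crown jewels and suggest the matching controls (2FA, encryption, backups). The scale, threshold and sample assets are constructed.

```python
"""Asset inventory -> risk score -> classification, in the shape the article
describes in Step 2 (impact on Confidentiality/Integrity/Availability times
likelihood) and in the Restricted/Confidential/Internal/Public levels above.
Added example code; every asset, rating and threshold here is constructed."""
from dataclasses import dataclass

# 1-4 scale for impact and likelihood (assumed; the article suggests a
# monetary value for impact, which could replace the integers).
LIKELIHOOD = {"earthquake": 1, "flood": 2, "malware/phishing": 4}

# The article's four classification levels, keyed by confidentiality impact.
CLASSIFICATION = {4: "Restricted", 3: "Confidential", 2: "Internal", 1: "Public"}

@dataclass
class Asset:
    ref: str              # unique reference from the inventory
    category: str         # people, applications, documents, ICT, ...
    name: str
    owner: str
    digital: bool         # False for paper records, keys, safes, ...
    confidentiality: int  # damage if someone who shouldn't see it does (1-4)
    integrity: int        # damage if it is corrupted or out of date (1-4)
    availability: int     # damage if you or a client can't reach it (1-4)
    threat: str           # dominant threat, looked up in LIKELIHOOD

    def impact(self) -> int:
        # Losing any one attribute is enough to cause harm, so the asset's
        # impact is its worst-case attribute.
        return max(self.confidentiality, self.integrity, self.availability)

    def risk_score(self) -> int:
        return self.impact() * LIKELIHOOD[self.threat]

    def classification(self) -> str:
        return CLASSIFICATION[self.confidentiality]

    def controls(self) -> list:
        """Controls the article recommends, chosen from the ratings."""
        out = []
        if self.classification() in ("Restricted", "Confidential"):
            out.append("encrypted folder + 2FA" if self.digital
                       else "lock in safe/cabinet")
        if self.availability >= 3:
            out.append("tested backups")
        if self.digital:
            out += ["auto-updates within 14 days", "anti-malware"]
        return out

def crown_jewels(assets, threshold=12):
    """Assets whose risk score meets the threshold, highest risk first."""
    return sorted((a for a in assets if a.risk_score() >= threshold),
                  key=lambda a: a.risk_score(), reverse=True)

# Constructed inventory for a one-person consultancy (not real data).
INVENTORY = [
    Asset("A01", "documents", "Client contracts (cloud drive)", "Owner",
          True, 4, 3, 3, "malware/phishing"),
    Asset("A02", "documents", "Website brochure PDF", "Owner",
          True, 1, 2, 1, "malware/phishing"),
    Asset("A03", "documents", "Signed paper contracts", "Owner",
          False, 3, 2, 2, "flood"),
    Asset("A04", "ICT", "Work laptop", "Owner",
          True, 4, 2, 4, "malware/phishing"),
]
```

Running `crown_jewels(INVENTORY)` returns the cloud contracts and the laptop (both score 16), while the paper contracts score 6 and only need locking away; the same register doubles as the documented list of controls and rationale that Step 4 asks for.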

Controls

What is a “Control”?

Once you have completed your risk assessment, you document the “controls” to reduce the risk toward individual assets.

A control (or safeguard) is a countermeasure to a vulnerability. ISO defines it as a “means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature”.

The selection of a control should be appropriate to you or your firm, and also the risk. Cut your cloth accordingly. If you aren’t Goldman Sachs, don’t try and be. Do what is required to mitigate the risk in the best way possible. It doesn’t have to be expensive or complicated (and it shouldn’t be). Be pragmatic and use some common sense. But be comprehensive in your use of controls; you can use more than one!

Think of a fire door.

A control measure against the door being propped open and used by employees might be to install an alarm on it that alerts when the door is opened.

An additional control example: fencing to stop passers-by from accessing the building if the door is propped open.

A control against malicious software and viruses would be having an antivirus installed on your computer. None of these things are difficult.

Look at your risks and apply controls against them all. You might wish to eliminate or reduce the risk. You might decide to try and reduce it in some way, just tolerate or accept it, or you might try and transfer it by buying cyber insurance. There are many ways to deal with the problem. Just remember to document those controls and the rationale behind them.

Step 5: Compliance / Audit

Monitoring, Auditing, and Review

If you don’t check that the measures you put into place work, then your cyber security efforts are wasted.

This is where you’ll audit your work thus far.

An audit gives you and your clients the reassurance that you’re doing what needs to be done to protect them (and their data) from threats.

Audits are an important part of security and compliance. They’re designed to check that the controls are applied and working. They help identify “non-conformities” and opportunities for improvement.

Audits should be regular and planned. They should review both technical and process areas. They should reference the results of previous audits. Any non-conformities identified should be translated into actions taken without delay to solve the problems — and to remove their causes.

By following these 5 steps, you’ll be well on your way to having a comprehensive cybersecurity plan in place for your consulting business: keeping your and your clients’ data safe.


Gary Peace served with Scotland Yard’s Metropolitan Police for 18 years, and was involved in high-profile and sensitive enquiries at a national level within the UK, including 8 years investigating police corruption at the highest levels. He was also responsible for investigating all information leakage from, and misuse of, the force’s corporate IT network. As a consultant, Gary successfully established and ran the Digital Forensic Laboratories for the UK regulator, the Competition and Markets Authority (CMA). Gary investigates insider threats and internal corruption allegations and implements technical and management systems to counter those issues and build out cyber resilience and incident response measures. Clients include Government, Private Clients, HNW and business.
