Information security vs cyber security: key principles and differences

Over the past two decades technology has advanced rapidly and fundamentally changed the way that businesses function. Whilst this has primarily been a positive experience for businesses, these advancements have also given rise to an increase in cybercrime. With the current prevalence of cybercrime, all organisations are currently at risk of falling victim to a cyberattack. Thankfully, many businesses are aware of the risk and starting to invest more time and money into protecting their data and systems.

If your business is looking into how to prevent a cyberattack or data breach, it is important to first understand the different types of security and their principles and differences. In this article we will discuss the definitions of information security and cyber security, the key principles of each and why they matter to your business. 

What is information security?

Information security is the set of practices organisations implement to protect their business records, data and intellectual property. These practices ensure that both physical and digital data are protected from unauthorised access, deletion, corruption, unlawful use, or modification. The key information security principle is the CIA triad, which is a focus on the balanced protection of the confidentiality, integrity and availability of data.

What is cyber security?

Cyber security is a branch of information security that covers the practices an organisation undertakes to reduce the risk of a cyberattack. These practices are focused on technology to stop cybercriminals from accessing sensitive information, extorting money from users, or interrupting normal business procedures. Common cyber security practices include protecting networks and endpoints, and educating users on how to avoid an attack.

Key information security principles

The key information security principle is the CIA triad, which comprises:

Confidentiality – Protecting confidentiality ensures that any sensitive information is not made available or disclosed to unauthorised individuals, entities or processes. Countermeasures that protect confidentiality include defining and enforcing access levels for information, preventing password theft and device theft, and ensuring sensitive data is encrypted.

Integrity – Integrity in the CIA triad is focused on ensuring that information has not been modified, and therefore can be trusted to be correct and authentic. Integrity can be compromised by a cybercriminal causing a data breach and modifying data for malicious reasons. Integrity can also be compromised by human error or poor access policies and procedures. Countermeasures that protect integrity include digital signatures, hashing, physical and digital intrusion protection systems, and strong authentication methods, including multi-factor authentication.

Availability – For a business to function effectively, it is important that information is available whenever it is needed. This means that all networks, systems, and applications are working as intended to allow authorised users access to resources as required. The key risks to data availability include hardware failure, natural disasters, denial of service attacks and human error.  Countermeasures that ensure data availability include backups, data redundancy, denial of service protection and a comprehensive disaster recovery plan.

Key Cyber Security Principles

Network security – Network security includes any measure taken to protect the usability, security and integrity of a network and its data. This includes hardware and software solutions designed to stop cybercriminals from accessing a network or spreading malware within a network. Some network security measures include firewalls, network-wide email security and anti-malware software, and authentication solutions.

Endpoint security – Whereas network security aims to protect a network as a whole, endpoint security aims to protect the individual end-user devices that connect to a network, although there is overlap between the two. These endpoint devices include desktops, laptops, servers, smartphones and IoT devices. Common endpoint security solutions include privileged access management, endpoint protection platforms, device anti-malware, application control and patch management.

User Education and Awareness – A significant factor in keeping businesses safe from a cyberattack is ensuring users of networks and systems have an awareness of common attack vectors. Some common attack vectors include phishing emails, compromised or weak credentials, malvertising and brute force attacks. If an organisation runs regular cyber security education and awareness training it enables employees to detect a potential attack or breach of procedure before it is too late.

Why information security and cyber security matter

In 2021, the greatest threat to all businesses, regardless of size or industry, is a cyberattack or data breach. As the methods cybercriminals use become more complex and attacks more prevalent, if your business has not secured its network, systems, and information, now is the time to start taking security seriously. If you want to find out more about how to implement a comprehensive information security or cyber security solution within your organisation, get in touch today.

What is zero trust security and how can it be implemented?

In 2020, the global average cost of a data breach was $3.86 million (USD). On average it took businesses 207 days to identify the data breach, and 73 days to contain it. Regardless of the size or industry, all businesses are at risk of a data breach as they store valuable information, especially customer data. 

For this reason, businesses and security professionals alike are constantly searching for the best method of securing a network from all threats. 

Traditionally, most businesses use a castle-and-moat approach to security. This is where the focus of security is on the network perimeter and most of the security investment is in firewalls, proxy servers and preventing intrusion from outsiders. In theory this approach seems logical, however it has some key limitations. 

The castle-and-moat approach allows those within the network access to all data. This means that even if the moat is effective at keeping intruders out, it doesn’t stop users with compromised identities or insider threats. It’s also outdated as it was built for traditional networks and does not consider how networks have changed as businesses move to the cloud. 

Cyber security and hybrid work

With the workplace fundamentally changing as hybrid work becomes the new norm, the traditional castle-and-moat approach is no longer viable. When all employees worked in an office space, a machine trying to access the network from outside the office would raise a red flag. Now, with employees working from home, it is important to be able to accurately authorise and authenticate users, regardless of where they are physically located.

In order to overcome these limitations businesses must change the way they view network security; this is where the zero trust security model comes in.

What is the zero trust security model?

The zero trust security model assumes that there are malicious actors both inside and outside a network. Therefore, no users or machines are automatically trusted, and all requests must be authenticated and authorised. This verification is based on all data points, including user identity, device health, service or workload, classification and anomalies. Another key principle of the zero trust security model is least-privilege access. This states that users should only have access to the data they need to do their job, and nothing more. 
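The per-request decision described above, set beside a castle-and-moat check, as an added example that is not part of the original article. The roles, services, office network range and anomaly threshold are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Hypothetical policy data, constructed for this example.
OFFICE_NET = ipaddress.ip_network("10.0.0.0/8")
# Least privilege: each role lists only the (service, classification) pairs it needs.
ROLE_GRANTS = {
    "payroll-clerk": {("payroll-db", "confidential")},
    "engineer": {("build-server", "internal"), ("wiki", "internal")},
}
MAX_ANOMALY = 0.7  # assumed risk-score threshold in [0, 1]


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool        # user identity
    device_compliant: bool  # device health
    service: str            # service or workload
    classification: str     # data classification
    anomaly_score: float    # anomalies
    source_ip: str


def castle_and_moat(req: Request) -> bool:
    """Perimeter model: anything inside the network is trusted."""
    return ipaddress.ip_address(req.source_ip) in OFFICE_NET


def zero_trust(req: Request) -> tuple[bool, str]:
    """Deny by default: every data point must pass; location grants nothing."""
    if not req.mfa_passed:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device unhealthy"
    if (req.service, req.classification) not in ROLE_GRANTS.get(req.role, set()):
        return False, "not needed for role (least privilege)"
    if req.anomaly_score > MAX_ANOMALY:
        return False, "anomalous behaviour"
    return True, "allowed"


# Constructed sample requests: an insider reaching beyond their role from the
# office network, and a legitimate remote worker.
INSIDER = Request("mallory", "engineer", True, True, "payroll-db",
                  "confidential", 0.1, "10.2.3.4")
REMOTE = Request("alice", "payroll-clerk", True, True, "payroll-db",
                 "confidential", 0.1, "203.0.113.9")

if __name__ == "__main__":
    for r in (INSIDER, REMOTE):
        print(r.user, "perimeter:", castle_and_moat(r), "zero trust:", zero_trust(r))
```

The perimeter check admits the insider and rejects the remote worker; the zero trust check reverses both outcomes because it evaluates identity, device and role rather than network location.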

Why move to a zero trust security model?

The zero trust model greatly increases security and takes into account how digital transformation has fundamentally changed businesses and their networks. This is particularly important as many organisations keep their data in the cloud, rather than on-premises.

The modern network does not have clearly defined perimeters to protect, so the zero trust model moves the perimeter to each individual file. This model, especially the least-privilege access principle, significantly reduces the risk of an insider threat. Because users can only access the data necessary to do their jobs, they cannot access sensitive data that could be shared maliciously or accidentally.

How to implement a zero trust security model in your business

There are multiple principles in the zero trust security model, and your business may already have implemented some of the necessary technology. However, transitioning to a comprehensive zero trust security model takes time and significant planning as it involves completely rethinking how a business views security. 

The key to successfully implementing zero trust architecture is to first take inventory of existing mechanisms and technology. It is important to consider how traffic flows through the network and what is currently controlling the flow. From there the business must implement the necessary technologies and policies in line with the zero trust principles. This includes identity access management, endpoint management, in-app permissions, data protection, and infrastructure and network security. Once your business has implemented all the necessary technology and policies, they should be regularly reviewed and iterated upon to dynamically enforce policy changes.

The zero trust security model is a modern rethinking of what constitutes a comprehensive security solution for a business. It overcomes the limitations of the castle-and-moat approach and greatly reduces the risk of a data breach, even one due to an insider attack. However, the road to zero trust is not simple, and it takes time and expertise to ensure that all the potential benefits are realised. If your business is considering moving to a zero trust security model, and needs some expert advice, please get in touch with our cyber security practice.

Tackle IT security risks with these 5 strategies!

IT security is a hot topic. Companies everywhere need to watch out for new viruses, incidents of ransomware and malware, with cyberattacks more of a risk now than ever. Here are 5 strategies for tackling IT risks.

As a business owner, you need to know that your IT security, networks, storage and devices are secure. Under GDPR and other regulations you also need to take every reasonable step to safeguard the data that you are entrusted with, and to keep your confidential information – such as financial and client details – secure.

Cyber threats can come from any angle. In the IT industry, these are known as attack vectors. Hackers and criminals can try to access your networks and secure data through internet connections, software and email; even Excel and PDF files aren’t safe.

The question is, as a business owner, how do you reduce the risk of falling victim to a potentially crippling cyber attack?

The following steps don’t require an expensive outlay in technology or cyber security solutions – many ‘out of the box’ SaaS solutions can help shore up your defences without breaking the bank. Best practices like good password hygiene and cyber threat awareness raising exercises don’t need to cost your business anything, and could actually save substantial amounts of money and reputational damage if they prevent an attack. Have you implemented the following?

5 ways to mitigate IT security risks

#1: Passwords

It sounds simple, even obvious, but whenever you, or your employees, leave a device – a tablet, phone or computer – alone for a moment, make sure it’s protected with a strong password. It is far too easy to assume you’re safe when working in an office with colleagues. But what if someone is looking to steal data? What if a client is in the building? Or a contractor that you don’t know?

Without a password, you are taking too much of a risk and haven’t taken a reasonable step to mitigate a serious and avoidable security risk.

An IT team or external provider should also make sure that the passwords on every device that contains sensitive data – including personal mobiles – are secure. Don’t make it easy for cyber attackers. Use a combination of upper and lower case letters, numbers and symbols. In the world of passwords, longer, more involved combinations are statistically far more secure. It sounds simple, but you run a much higher risk of a data breach without secure passwords.

If your office has public WiFi, you need to take the same approach with this password, and make sure it is changed every few months. Put a password policy in place for everything that constitutes an attack vector, thereby mitigating the risk of a cyber breach.

#2: Virtual Private Networks (VPN)

With smartphones we can work anywhere. Many professionals access emails and sensitive documents on the go, wherever they are, often over public WiFi.

Public WiFi and phone networks aren’t secure. Neither is the WiFi in your house or favourite coffee shop. Sure, network providers take every reasonable step to maintain high levels of security, but that doesn’t mean that cyber attackers haven’t found ways to implement attacks that steal data.

The only way to guarantee the security of your company’s data on-the-go is with a virtual private network (VPN). Once this is set up, your employees and anyone else who needs to access work email and files can do so through a secure network that can be monitored and protected. Again, maintain a password policy that changes every few months for an extra layer of security and be careful who is granted access.

#3: Multi-factor authentication

Another way to increase security is with multi-factor authentication. When logging in, a code can be sent to a registered mobile device. The person trying to gain access then needs to enter that code and the login sequence is complete. It is a common feature of financial service websites, the Government gateway and many other secure websites. 

It is recommended that you provide that extra layer of safety for your network and employees. It can involve two or more steps, depending on how critical the systems being accessed are.

#4: Remote lock-down/wipe

Finding out that your phone or laptop has been stolen is a nightmare, especially when it is a company device full of sensitive information.

Make sure you have a lock-down and wipe procedure in place that can be implemented automatically 24/7. Whenever possible, ensure this is something an employee can initiate themselves through access to a secure website or on another device they own, even if that is a personal phone or laptop. 

Wiping a computer or phone after it has been taken needs to happen quickly, which is why this isn’t something that should wait until the next working day. Even if a cyber criminal is able to hack the password, you want to make sure there is nothing for them to find and potentially use to damage the reputation of the company.

#5: Use access prevention and controls

Do you know where all of your secure data is and who has access?

If not, then this is something you need to get serious about. In any company, there are always going to be files that need to be more secure than others. Know what they are, where they are and ensure there are ways to control and monitor access.

Set passwords and an access protocol around the relevant files and systems that are more sensitive. When access is granted, make sure any files that are downloaded are only accessed on secure work devices, or through the VPN. Have policies in place so that staff know they’re not allowed to send sensitive documents to personal devices.

Finally, provide regular training and cyber security awareness raising exercises so your staff understand the risks, adhere to cyber security policies, and know what to do if they suspect an attack or attempted breach.

Point them in the direction of our Cyber Security Vulnerability Quiz to test their knowledge and identify where further training could help. 

With these security measures, your data should be safer and risks of being hit with a cyber attack are reduced. Taking measurable steps to improve security will keep your company compliant under GDPR and other regulations designed to protect customer data. 

Cloud Business Limited
8 North Street
Guildford
GU1 4AF

2023 © Cloud Business Limited
Registered Company in England and Wales 06798438