Anonymous Cyber-Security Case Study

Something different for this month’s blog. We’ve prepared a cyber-security case study.

Over the years, we’ve helped hundreds of businesses protect themselves from cyber-crime. This example is typical. We thought it was a great way to highlight the threats you need to prepare for, and the ways that the team here at Chalvington can help.

The Customer

This client asked to remain anonymous, so we’ll call them Customer X. They’re a successful small business handling a lot of government contracts.

The Concern

Customer X were concerned about the risk of phishing and unsure about their employees’ knowledge of phishing techniques. If just one person inadvertently revealed something confidential like their login details, this could lead to a major breach.

A data breach could cause financial and reputational damage to any business, but Customer X’s reliance on government contracts was an added risk factor. Not only could it make them a target for cyber-criminals, but any breach could jeopardise their government work.

Considering what was at stake, they deemed that this potential knowledge gap needed addressing. That’s when they came to Chalvington for help.

What we did

We proposed a two-pronged approach, focusing on two potential vulnerabilities. One was Customer X’s employees and their knowledge of phishing techniques, and the other was the company’s systems.

We addressed potential weaknesses in the IT infrastructure by implementing multi-factor authentication, which made them less vulnerable to hackers and any form of password theft. We also introduced email filtering, so that suspicious emails would be flagged automatically.

Our other objective was to assess staff knowledge and to help fill any knowledge gaps with security awareness training. This began with a gap analysis questionnaire for all staff, so that we could gauge any shortfalls in their knowledge. The results of this revealed key areas for improvement, including how to stay secure when working remotely.

The next step was training to bridge these gaps. We produced training courses for all staff, as well as bespoke materials for people with more specific knowledge gaps. The courses were short and to-the-point, with interactive elements to maintain engagement. They concluded with multiple-choice tests, to reinforce the learnings and demonstrate that they had been memorised. Customer X’s management team were able to monitor the results of these courses throughout.

We further tested employees’ awareness of scams by simulating a phishing campaign. We emailed their team members with a dummy phishing email, and tracked their responses. The results showed that over 20% had opened the email and 5% had clicked the link, but nobody handed over information. 

This was largely positive, but the fact that people had opened the email showed a need to bolster awareness. We enrolled all staff on beginner and intermediate phishing courses, and continued to send monthly simulated phishing emails to monitor whether there was any ongoing cause for concern. So far, since the training, the results of our monthly simulated phishing campaigns have been much more positive, showing clear evidence of increased staff awareness.

The Results

As well as peace of mind and greater staff awareness, Customer X has felt two important business benefits as a result of Chalvington’s work. One is that they have made themselves even more appealing as a government contractor, because they have proof of continuous cybersecurity training.

In addition, it allowed them to meet the compliance criteria as they worked towards their ISO 27001 certification for information security management. This mark of excellence will reassure potential customers, especially those in sectors with stringent confidentiality requirements like healthcare, government and law. Customer X is expecting to attract more new business as a result.

The Conclusion

Customer X did the right thing – they identified a risk and prevented a potential problem before it arose. Unfortunately, many businesses and other organisations don’t adequately address these concerns until after they’ve suffered an attack. By that point, the reputational and financial damage is done. When we reflect on this case, we’re reminded of the old adage that prevention is better than cure.