Compliance and Security Essentials
Guides|by Leanne Bevan|10 December 2024
As cyber threats and technologies advance, many regulations and cyber security frameworks have developed stricter requirements on the security solutions that must be in place for compliance. For some organisations, setting up or procuring security solutions can be a minefield. If you need security support, we are here to help.
Our guide on key cyber security frameworks provides information on the different frameworks that you should be aware of. It outlines frameworks that all organisations must comply with, as well as others that are industry, region, or project-specific.
We recently spoke to our cyber security expert, Scott Harrison, who shared some key security solutions you need on your 2025 security wishlist.
Penetration Testing
Penetration testing, often referred to as pen testing, is a security exercise where a cyber security expert attempts to find and exploit vulnerabilities in a computer system, network, or web application. This simulated attack helps identify weak spots in the system's defences that could be exploited by malicious attackers. A report detailing the flaws found and how to resolve them is then shared with the organisation.
Pen testing is required for compliance with GDPR, ISO 27001, NIS 2, NIST, and PCI DSS.
Our recommendation
We work closely with Secure Impact who provide an in-depth pen testing service.
“We were very impressed with SI’s penetration test. The team was excellent, very professional from start to finish and the findings provided intelligent, targeted, and contextualised insight to our cyber security maturity allowing meaningful improvements to be made.” Paul Whittingham, Managing Director at Magic Internet
Learn more about what a pen test is in the video below:
Scott recommends a pen test as your first step towards improving your security approach as it helps you focus on which important areas you need to secure as a priority.
Cyber Security Awareness Training
Cyber security awareness training is an educational programme designed to inform and educate employees about the various aspects of cyber security. This training typically covers topics such as recognising phishing attempts, creating strong passwords, understanding the importance of data protection, and knowing how to respond to potential security threats. The goal is to equip employees with the knowledge and skills to protect personal and organisational information from cyber threats.
Employees are often the first line of defence against cyber threats, and their actions can significantly impact the security of your organisation. By educating employees effectively, you can reduce the likelihood of security breaches caused by human error, such as falling for phishing scams or using weak passwords. Additionally, a well-informed workforce can help identify and report potential threats more quickly, allowing you to respond promptly and effectively.
GDPR, HIPAA and ISO 27001 are just some of the regulations and frameworks that require security awareness training to be in place.
Our recommendations
For a comprehensive solution, we suggest KnowBe4 – it's one we use and love as there are many different types of training available to keep it engaging. In particular, the Inside Man series is a favourite; it’s an entertaining fictional series with a strong educational message showcasing the types of things that could happen in the workplace.
Other vendors like Libraesva, Acronis and Sophos are exploring the security training scene too. If you already use some of their other tools, it’s wise to consider their security training offerings too, especially for consolidation.
Firewall Protection
Firewalls act as a barrier between your internal network and external threats. They monitor incoming and outgoing traffic based on predetermined security rules, blocking unauthorised access. Firewalls are required for Cyber Essentials, NIST, HIPAA, ISO 27001, GDPR and PCI DSS.
Our recommendations
Sophos offers a great firewall solution. It delivers enterprise-grade protection, incredible risk visibility, and all the flexibility you need to power today’s most demanding distributed networks. It provides some of the best unified threat management protection available, which is both easy to manage and offers unmatched value.
One of our Microsoft experts, Sam Barnes, also recommends Azure Firewall; it is a powerful resource for anyone deploying on Azure or in a hybrid environment. It protects from network Layer 3 to Layer 7 and leverages the full power of the cloud. Some of its key features include scaling based on demand, high availability of 99.99%, and seamless integration with other Azure services like Azure Monitor and Azure Sentinel. It can also act as an intermediary for virtual networks that aren’t peered, routing and protecting both internal and external traffic. The centralised firewall rules are especially useful for managing multiple subscriptions and virtual networks.
For businesses in highly regulated industries like finance or healthcare, there is a premium offering just for you. Premium features include IDPS (Intrusion Detection and Prevention System), which monitors for malicious network traffic using a vast database of known threats and patterns. There is also TLS inspection, which decrypts encrypted traffic to check it for threats before re-encrypting it and sending it on to its destination.
Identity and Access Management (IAM)
IAM solutions help manage user identities and control access to critical systems and data. These tools ensure that only authorised personnel have access to sensitive information, reducing the risk of insider threats.
Our recommendation
Microsoft Entra ID (formerly Azure Active Directory) is the IAM tool we recommend you use, and it is one we use ourselves.
Here are some of the benefits:
- Usage and Insights Reports: Adoption reports for Microsoft applications or MFA reports, and the ability to flag attempted fraudulent MFA verification attempts.
- HR-Driven Provisioning: Automatically provision user accounts when a new starter is added to the HR system.
- Conditional Access Rules: Entra's automation policies trigger actions/responses and block malicious users.
- Secure Collaboration: Enables smoother collaboration with a B2B tenant without prohibiting authentication and authorisation.
- Privileged Identity Management: Grant privileged roles to users only via strong authentication, adding an extra layer of protection.
Microsoft Entra has numerous licensing options to suit businesses of all sizes and requirements, ranging from a free version, which offers essential identity and access management features, to premium options, which provide more advanced features such as entitlement management and conditional access policies.
Password Management
Having strong passwords and storing them safely is key, as 81% of data breaches are due to poor password practices (Statista).
Password management involves the use of tools and practices to securely create, store, and manage passwords for various online accounts and services. Password management helps protect against unauthorised access, simplifies the process of logging into accounts, and reduces the risk of security breaches.
Read our blog on why password management is a no-brainer.
Our recommendation
We recommend Keeper. Their easy-to-use solution unifies password management, connection management, secrets management and remote browser isolation into a single platform. The platform is managed by a powerful admin console that serves as a control panel, enabling visibility, security, control, event logging, auditing and compliance reporting across every user, device, and location within the organisation.
Managed Detection and Response (MDR)
Managed Detection and Response (MDR) is a cyber security service designed to help you protect your organisation from cyber threats through advanced detection and rapid incident response. MDR combines cutting-edge technology with human expertise to continuously monitor, detect, and respond to cyber threats early, in real-time. This minimises damage and downtime.
MDR offers access to skilled security professionals and advanced tools, and helps businesses meet regulatory requirements while reducing false positives through sophisticated AI and human analysis.
Read our blog to discover more of the benefits of MDR and watch the video below:
Our recommendations
We recommend using either Acronis, ESET, or Sophos. Each has great offerings, and we can discuss which is the best fit for you in terms of features and pricing. These are also the vendors we recommend for anti-malware and endpoint security.
Backup and Recovery Solutions
Regular backups are essential for data recovery in case of a security breach or system failure. Backup and recovery software ensures that your data is safely stored and can be restored quickly.
Backup is required for GDPR, PCI DSS, HIPAA, NIST, SOX, and ISO 27001.
Our recommendations
Scott recommends the 3-2-1-1-0 backup approach to ensure full data protection and compliance: keep three copies of your data on two different media, with one copy off-site, one copy offline or immutable, and zero errors after verifying that the backups can actually be restored.
Acronis and Veeam are popular choices for reliable backup solutions. We also offer our very own managed Microsoft 365 backup service (via our services team Climb Global Services). The service takes away the hassle of managing Microsoft 365 backup so you can focus on other important projects.
Compliance Management Software
Compliance management software helps businesses track and manage their compliance with various regulatory standards. It provides tools for auditing, reporting, and maintaining documentation required for compliance.
For instance, CyberSmart is a brilliant tool we recommend if you’re looking to achieve Cyber Essentials and Cyber Essentials Plus.
Get your security essentials now
Don’t wait for a breach or a compliance requirement to push you into getting the tools you need to stay secure. Get multi-layered security now.
Security is a popular market with lots of providers out there to choose from. If you’re unsure or don’t have the time to research which ones are best for you, our skilled cyber security team is on hand to provide security advice, key information, and the best security solutions on the market. Get access to licensing advice, product demos, trials and very competitive pricing.
Complete the contact form below or book a meeting with our cyber security expert now.
“I found the cyber security team very attentive, non-judgmental, informative and willing to discuss all aspects of our requirements in a cheerful manner.” Dave Rogers, Information Technology Consultant, Masons Kings