3B Data Security’s team brings decades of combined information security experience to your engagement. Our consultants have hands-on experience as advisers, as investigators and as practitioners within IT security. Because we deal with data breaches every day, we bring current knowledge of the attack vectors and methods in use by attackers in the wild.
We partner with a broad range of information security products and can recommend suitable tools, then help you deploy and configure them and train your team in their use. Our approach is vendor neutral: we look for the most appropriate technology for your challenges and your budget.
3B Data Security is a PCI SSC approved Qualified Security Assessor Company (QSAC), which allows us to provide PCI DSS consulting and assessment services that help merchants and service providers validate their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are many aspects to a PCI project and one size does not fit all, but our aim is always the same: get our clients secure, and compliance will follow.
At 3B Data Security we have a wealth of experience within our QSA team, with consultants drawn from a range of sectors and backgrounds. Some of our QSAs have worked in payment security for more than 25 years and were involved in applying the separate card brand data security programmes that eventually merged into the PCI DSS as we know it today. Most of the key team members have also worked for other QSA companies during their careers and have built up a sound understanding of what works well for clients, and equally what does not. We pride ourselves on giving each client a tailored service: from simply helping to identify the scope of the PCI environment, or working out which Self-Assessment Questionnaire (SAQ) applies, through to a full PCI DSS assessment for a Level 1 merchant or service provider and the resulting Report on Compliance (RoC) and Attestation of Compliance (AoC). We work with you to get the most out of the compliance process, making sure that any benefits are identified early and that the scope of the PCI environment stays manageable, not just this year but for years to come.
There is no such thing as a ‘typical PCI project’, but some of the most common tasks include:
Using the knowledge we gain from ongoing PCI Forensic Investigations (PFI), we have current insight into the threats facing the payment landscape. Unlike most PCI assessment companies, we see these trends first hand and know how to protect your organisation against them. We do not just tick boxes: we want each organisation we work with to be secure, to avoid ever needing a PCI Forensic Investigation, and to give every cardholder a safe environment in which to pay by card. It is this approach that distinguishes 3B Data Security as a trusted, credible and reliable partner.
If you need help scoping your PCI environment, performing a full PCI assessment, or anything in between, then get in contact and we can help you.
Storing and processing sensitive client data, such as personal information (customer names, addresses, bank account details or payment card numbers), carries commercial, legal and regulatory obligations for the processing entity.
If this data is compromised, inadvertently leaked, misplaced or simply kept longer than it should be, the processing entity risks non-compliance and substantial fines from regulators such as the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO), as well as non-compliance assessments from the card schemes (Visa, Mastercard, JCB, Discover and American Express), which are passed down through the acquiring bank.
This is in addition to the reputational and brand damage caused when an entity hits the news because it has suffered a suspected or confirmed data breach. Recovering customer confidence and rebuilding the reputation of a brand that has been the victim of a breach is not a simple task, and can cripple a business’s future.
Under the Payment Card Industry Data Security Standard (PCI DSS), sensitive authentication data (full track data, the CVV2/CVC2 security code, and PINs or PIN blocks) must never be stored after authorisation, and the Primary Account Number (PAN) must be rendered unreadable wherever it is stored; the Data Protection Act and UK GDPR likewise require personal data to be kept no longer than necessary. Such data nevertheless ends up stored: on purpose, in test and development systems, inadvertently through errors in design and coding, on legacy systems that were never fully decommissioned, or on otherwise legitimate systems where attackers have staged it for harvesting during an attack.
After managing and forensically investigating hundreds of data breaches over the past decade, 3B Data Security has seen every variation of why data is stored and ultimately compromised by attackers, especially unencrypted cardholder data such as Primary Account Numbers (PAN), CVV/CVC codes, and cardholder names and addresses.
By proactively searching the network environment for unencrypted cardholder data, that data can be located, verified, securely erased, and the processes that allowed it to be stored in the first place fixed for the future. This mitigates the risk of holding unencrypted cardholder and PII data going forward.
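The search and verification step above is the part practitioners usually underestimate: a bare digit-run regex over logs, database exports and mail stores produces far more false positives than real PANs. The script below is an added example, not 3B Data Security’s tooling, showing the minimum pipeline a cardholder-data scanner needs: a candidate regex that tolerates spaces and hyphens, normalisation, a Luhn check, a card-brand prefix and length filter, and masked reporting (first six and last four digits) so the scanner’s own output does not become a new store of cardholder data. The brand rules and the sample lines are constructed for this example; the sample uses the card brands’ published test numbers, not real cardholder data.

```python
"""Locate and verify unencrypted PANs in text, reporting them masked.

Pipeline: regex candidate -> strip separators -> Luhn check -> brand
prefix/length check -> masked finding. Example code only; tune the brand
rules (an assumption here) to the card brands your environment processes.
"""
import re
from typing import Iterable, List, NamedTuple, Optional

# 13-19 digits, each optionally followed by one space or hyphen, bounded by
# non-digits. Separators are tolerated because exports and logs format PANs
# in many ways. A regex alone is NOT a verified finding (see luhn_valid).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefixes and PAN lengths accepted for this example (assumption).
BRAND_RULES = {
    "Visa": (re.compile(r"^4"), {13, 16, 19}),
    "Mastercard": (re.compile(r"^(5[1-5]|222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)"), {16}),
    "American Express": (re.compile(r"^3[47]"), {15}),
    "Discover": (re.compile(r"^(6011|65|64[4-9])"), {16, 19}),
    "JCB": (re.compile(r"^35(2[89]|[3-8]\d)"), {16, 19}),
}


class Finding(NamedTuple):
    line_no: int
    brand: str
    masked_pan: str   # never the full PAN


def luhn_valid(digits: str) -> bool:
    """Mod-10 check-digit validation that every card brand applies to PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Return the matching card brand, or None if prefix/length fit no brand."""
    for brand, (prefix, lengths) in BRAND_RULES.items():
        if prefix.match(digits) and len(digits) in lengths:
            return brand
    return None


def mask_pan(digits: str) -> str:
    """PCI DSS permits at most the first six and last four digits to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines: Iterable[str]) -> List[Finding]:
    """Return verified PAN findings (Luhn-valid AND brand-matched), masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue                     # digit run is not a valid PAN
            brand = brand_of(digits)
            if brand is None:
                continue                     # Luhn-valid but no card-brand prefix/length
            findings.append(Finding(line_no, brand, mask_pan(digits)))
    return findings


# Constructed sample input: industry test card numbers, not real cardholder data.
SAMPLE_LINES = [
    "2023-05-01 order=1042 card=4111 1111 1111 1111 exp=12/25",
    "refund for 5555-5555-5555-4444 processed",
    "legacy export: 378282246310005, J SMITH",
    "new mastercard range 2221000000000009 tokenised later",
    "transaction id 4111111111111112 (Visa prefix but fails Luhn)",
    "reference 9999-9999-9999-9995 (Luhn-valid but no brand prefix)",
    "nothing to see here",
]

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.brand} {f.masked_pan}")
```

Run as-is it reports four findings (lines 1 to 4) and rejects the two decoys, which is the point: the Luhn check alone would still accept the line 6 reference number, and the brand filter alone would still accept the line 5 transaction id. In a real sweep, run this over extracted text from files, database dumps and mailbox exports, record only the masked value and its location, and treat each hit as something to verify with the data owner before secure erasure.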
Our ISO 27001, Cyber Essentials and IASME Governance experts come from a variety of technical backgrounds. They have run IT operations and managed compliance framework implementations within client organisations, including complex ISO 27001 management systems. Understanding the practical constraints and operational realities of fast-paced IT environments ensures a pragmatic and realistic approach to advising on any implementation.
We offer a range of services within our enterprise governance consultancy:
Who is IASME?
The IASME Consortium is the NCSC’s delivery partner for the government-backed Cyber Essentials scheme, accrediting the Certification Bodies that assess it, and is also the owner of the award-winning IASME Governance standard. Based on international best practice, IASME Governance is risk-based and covers key aspects of security such as incident response, staff training, planning and operations, as part of your route towards business growth and international recognition.
Our team is highly experienced in developing, refining and implementing the controls, policies and procedures needed to comply with a wide variety of standards and regulations, including ISO 27001, GDPR and Cyber Essentials. Several of our staff work as Lead and Technical Auditors for external bodies, including IASME, UKAS and TÜV UK, to name a few.
Whatever the size of your organisation, you will want to maintain competitive advantage, provide excellent services and keep a high level of protection for your information assets. Large organisations often add a Chief Information Security Officer (CISO) to their board, but Small to Medium Enterprises (SMEs) can struggle to justify the expense. 3B Data Security can bring this crucial role within your budget.
Large organisations need someone full time reporting at board level on the security posture of the organisation, and such people command high salaries. The CISO owns everything from security strategy and budgets to any other security-related matter, including physical controls.
For an SME, a full-time CISO is a luxury that can rarely be afforded, or needed, and this is where the virtual role adds value. A virtual officer is easier to budget for and can flex to the organisation’s needs: there are no holidays, employment contracts or departures to worry about. A 3B Data Security Virtual Chief Information Security Officer (VCISO) is typically not one person but an organisation of specialists with wide experience who can be called upon as each project requires.
The VCISO role adds to the organisation’s capability and takes nothing away. At the end of the engagement the skills and knowledge remain, either transferred to another individual or captured in company policy, process and procedure. The organisation therefore need not worry about directly retaining scarce, skilled staff at a time when the demands on security management are at an all-time high.
The Benefits Overview
In May 2018 the EU General Data Protection Regulation (GDPR) came into force and, in the United Kingdom, the Data Protection Act 2018 replaced the 1998 Act. Under Chapter IV, Section 4 of the GDPR, organisations meeting specific criteria must appoint a Data Protection Officer (DPO): Article 37 sets out when a DPO must be designated, while Articles 38 and 39 set out the position and tasks of the DPO.
Why do I need a Virtual Data Protection Officer?
As a result, organisations had either to find a resource able to meet this obligation or to give the role to an existing member of staff. A Virtual Data Protection Officer (VDPO) can take on that responsibility on behalf of the organisation and be flexible in how they support it, without a large impact on cost.
Typical projects that a Virtual DPO would address include:
The experience of 3B Data Security’s team across information security disciplines, including investigations, IT operational management and data protection, allows us to provide expert resource on a “time shared” basis, giving you compliance, assurance and up-to-date knowledge of the regulatory position on data protection.
Do what you can to secure your organisation’s IT operations by implementing the controls recommended by the UK Government through its Cyber Essentials scheme, with the help of our supportive and cost-effective Cyber Essentials consultancy services.
The Cyber Essentials scheme is an established UK Government scheme that recognises and certifies the work organisations have done to improve their cyber security posture.
Since April 2020 it has been delivered exclusively by IASME. The programme aims to improve the preparedness and security of UK businesses against cybercrime, and Cyber Essentials is becoming an increasingly important certification for businesses to hold.
Cyber Essentials certification is mandatory for suppliers bidding for certain UK central government contracts that involve handling sensitive or personal information, and for many organisations it is a stepping stone towards other standards such as PCI DSS or ISO 27001.
Many organisations, especially smaller and newly established businesses, have few controls in place to protect their data, information systems and IT operations. Cyber Essentials is a good first step on the journey towards better information security and provides a foundation from which to progress to ISO 27001.
The first stage is a self-assessment against the Cyber Essentials requirements, which is then reviewed by a Certification Body. 3B Data Security is one of the Certification Bodies licensed by IASME to conduct these assessments.
The Cyber Essentials scheme covers the core information security approaches, policies, and controls that even the smallest organisations can implement quickly and easily. There are five core areas which are covered in the assessment:
A successful self-assessment leads to the award of Cyber Essentials certification. Your organisation may then, within three months of that certification, proceed to an external assessment for Cyber Essentials Plus.
This assessment covers the same five controls but adds a technical audit that confirms they are operating as described: an external vulnerability scan of your internet-facing systems, authenticated vulnerability scans of a sample of in-scope devices, and tests that malware protection blocks test files delivered by email and by browser download. A successful audit leads to Cyber Essentials Plus certification.
3B Data Security can support you throughout your journey to Cyber Essentials and Cyber Essentials Plus through advice, gap analysis and policy development, and can of course also act as your Certification Body for the scheme.
3B Data Security has investigated and implemented Microsoft Office 365 (now branded Microsoft 365) for a number of years, and in that time has spent a great deal of effort helping clients lock down its functions and improve the default security posture of a 365 tenant.
There are many options that can be tailored to different use cases, to differences in user knowledge, and to the functions different organisations require.
We have also investigated a number of attacks and compromises against Microsoft 365 tenants, which we learn from and want to help others prevent. Unsurprisingly, we are seeing a rise in Microsoft 365 related attacks and Business Email Compromise following the enforced move to working from home, so the need to secure these systems is greater than ever.
The security features and hardening options of Microsoft 365 are often overlooked, or simply assumed to be switched on by default. Once the tenant is up and running, the on-premises mailboxes migrated and the licensing sorted, it is usually left alone until an incident occurs. This is typically because security received too little attention during planning and implementation and the settings were left at their defaults.
Part of our Microsoft 365 security hardening service is a gap analysis of the tenant’s setup, configuration, and the functions and features in use.
We then provide guidance, recommendations and feedback for improvement, highlight risks, and point out features of 365 you may not be aware of that can be enabled or implemented to improve the security, governance and hardening of your devices and your management of how the system is used.
We can also help tailor features to different types of user, group and job role, and increase the protection around higher-risk users such as administrators. We can review the global 365 settings, email configuration, Microsoft Teams, OneDrive, SharePoint, Intune configuration and the security hardening options.
The result is a more robust security posture and improved governance, even if that only means a longer list of known risks and decision makers who are informed of what could happen, so the risks can be registered.
We are also happy to help implement the agreed recommendations and work with the relevant people to make positive changes, rather than just handing you a report that you still have to action.
3B Data Security delivers a broad range of cyber security services to clients of all sizes, from large multinational organisations to small independent businesses. The principal objective of our services is to reduce the risk clients carry in their use of information systems and their stewardship of data. A complementary, tailored service package can be created to suit the risk, size and budget of any organisation.
The team at 3B Data Security has worked hard to deliver a world-class service to our clients. We have sought and maintained accreditations in the most relevant information security fields as a demonstration of the effectiveness and technical validity of our services and methodologies, and we run an active programme of staff development so that clients benefit from the latest methods and technologies.
With experience across the public and private sectors, including retail, finance, ecommerce, utilities and government institutions, the 3B Data Security team is highly experienced across the broader information security spectrum and used to working across disciplines and with project teams. Working with us through our Trusted Advisor Service gives you the following benefits:
Our overall model, the Continuous Assured Security Programme (CASP), draws together services from across the information security spectrum. The mix your organisation needs may be a unique blend of these services. The list is not exhaustive, but it should give you an understanding of the capabilities and support available through our Trusted Advisor Service.
Recognising that no two organisations’ needs are the same, 3B Data Security has developed a comprehensive set of services that can be taken individually or combined according to the specific needs of your organisation.
3B Data Security works with insurance underwriters and syndicate management agencies to evaluate and manage all aspects of cyber security risk. Our direct services for the insurance market are listed below. In addition, we can work proactively with your insured organisations, as part of your risk evaluation process, to lower the cyber risk associated with their businesses through evaluation, audit, monitoring and the other services we provide.
The main direct services we provide include: