
Securing success: Maintaining good security posture beyond the first score

Posted 6th March 2024

Cyber security is high on the agenda for most businesses. With cyber-attacks increasing in scope and frequency, and WFH and BYOD policies complicating the attack surface, it’s important for businesses to be proactive about protecting their systems. In most cases, they are, and many have taken steps to understand their overall security posture by performing a security score assessment. But what happens when you score well?  

Even a good security score should only ever be considered a starting point for improvement. 

In this blog post, we take an in-depth look at security posture, detail how you can get your own security score, and explain why strong security posture needs to be an ongoing pursuit and a constant consideration… 

What is security posture? 

Security posture is essentially the overall cyber security strength and resilience of an organisation. It encompasses the policies, processes and technologies in place to protect sensitive data and systems from potential threats, and takes stock of security resources including software, hardware and personnel. It is a wide-ranging measurement of a business’s cyber defences, including vendor risk management and penetration testing, and a good security posture means a business can identify, manage and respond to security risks quickly and effectively. 

Why do businesses need a good security posture? 

The importance of a strong security posture cannot be overstated. Not only does a good security posture help businesses safeguard the IT environment and shore up cyber resilience, it also instils confidence among key stakeholders in an era that’s plagued by cyber-attacks, data breaches and leaks of sensitive customer data.  

In many ways, a solid security posture is not just a good defence mechanism; it’s a strategic asset that can enhance your competitive edge and protect your business’s reputation. It does this by: 

  • Protecting valuable assets: A robust security posture gives you oversight of your most valuable assets (including sensitive data and intellectual property), as well as the risks and vulnerabilities that threaten them, so you can take steps to protect them. 
  • Maintaining customer trust: Customers are well aware of the cyberthreat to businesses, and they know their data is vulnerable when it’s being held by any third-party organisation. Having and communicating a strong security posture helps to reassure customers, clients and partners that you take the security of their data seriously and that you’re taking a proactive approach to protecting it.   

Why is security posture an ongoing commitment? 

In the same way that cyber-attacks are an ongoing threat, cyber security needs to be an ongoing consideration. Cyber threats are constantly evolving, becoming more complex and more sophisticated by the day, and what may have been sufficient protection yesterday almost certainly won’t be enough tomorrow. And because cyber threats evolve, so must your defences. 

Regular audits, updates and training programmes are essential for staying ahead of emerging risks and potential vulnerabilities. It can also be helpful to follow a recognised cyber risk framework (such as the NCSC’s 10 Steps to Cyber Security guidance), to provide reassurance that you have the most comprehensive and robust measures in place at any given time.

Why security posture can weaken over time 

It’s not just the emergence of new types and methods of cyber threats that can challenge the ongoing strength of a business’s security posture. Several factors within the business can contribute to the weakening of security posture over time too. These include:

  • Outdated software and hardware: Failing to keep security tools, software and systems up to date can create vulnerabilities in previously secure areas. 
  • Lack of resources: Real-terms cuts to IT budgets can lead to a weakening of security posture as cheaper but less-secure alternatives are sought, and some protective measures are dropped altogether. 
  • Inadequate training and awareness programmes: Without continuous communication and training around new and evolving threats and cyber risks, you remove your first line of defence against attack: an informed team. 
  • Complacency: After achieving a high security score, some businesses can become less vigilant, thinking they are adequately protected for the future, too. 

How to check your security posture score 

It’s important to get into the habit of regularly monitoring, maintaining and improving your security posture, so knowing how to check your security score is a crucial first step.  

For the many businesses leveraging a Microsoft environment, there are tools within the Defender portal that run the tests, perform the checks and do the calculations for you. The resulting report gives you a Secure Score, presented as a percentage, for your security posture. The higher the percentage, the stronger your security posture, and the better protected your business is. A Secure Score of around 80% is considered good, but the higher the better. 

The report will also flag up any vulnerabilities and suggest steps for remedying them, so you can ensure the security of your environment is always being improved.  

Businesses that don’t use an environment like Microsoft or AWS can conduct an in-house security posture assessment, ideally against an accepted cyber security framework like NIST or NCSC guidance. Research has shown that businesses following a framework for cyber security are much more resilient than those that don’t, so it’s good practice anyway. Alternatively, you could commission a security posture assessment from a third-party cyber security specialist that is designed to help you: 

  • Identify and manage the value of your data 
  • Define the vulnerabilities and security risks of valuable assets 
  • Determine if you have appropriate, reliable and efficient security measures in place 
  • Better control risk exposures and strengthen cyber defences with a concrete plan of action

Steps to take right now to improve your business security posture 

To bolster your business’s security posture and ensure it remains strong over time, consider implementing the following practices immediately. 

  1. Regular security audits: Conduct frequent security audits and security posture assessments to identify vulnerabilities and weaknesses. Address any issues promptly. 
  2. Employee training: Commit to investing in ongoing cyber security training for your teams to ensure they are up to date about the latest threats and best practices. 
  3. Updates and patch management: Implement a robust update and patch management system to ensure all software, applications and systems are up to date with the latest security and bug fixes. 
  4. Incident response planning: Have a well-defined Cyber Incident Response Plan in place to ensure your business can respond and recover quickly and effectively in the event of a security incident. 
  5. Secure partnerships: Partner with trusted cyber security vendors, providers and experts for additional support and guidance. 

An ongoing commitment to cyber security 

Achieving and maintaining a strong security posture requires a proactive and ongoing commitment. At BCN, we know that by understanding the reasons behind a deterioration in security posture and taking immediate action to address vulnerabilities, businesses can create a more resilient defence against cyber threats.  

But it’s not just a box to tick; it’s a journey, and it’s one we’re committed to sharing with our customers.  

BCN’s Cyber Security Pledge is the cornerstone of our commitment to helping customers achieve and maintain the highest levels of cyber security. It includes our promise to get all our customers Cyber Essentials certified by the end of 2024, but it also means that, through continuous monitoring, proactive risk management and ongoing delivery of education and awareness training, we’re empowering our customers to safeguard their own digital assets and mitigate all cyber risks effectively.  

We believe all organisations should approach cyber security in a strategic, phased way to ensure the correct controls are in place. We see cyber security as a journey, and believe that understanding where you are on this journey is the crucial first step to improving your security posture.

If you’re not sure where you are on this journey, this is where we come in. With a BCN Readiness Assessment, we work with you and determine where you are now and help plot your best next steps.  

Talk to our Security experts today

Book your cyber Readiness Assessment