CYBERSECURITY & IT CONSULTING

POWERED BY GRAVOC

The Power to Protect Vital Information

Living and working in a connected environment has greatly enhanced business efficiency and accelerated communication. But it has also opened the door to lurking threats that could play havoc with your business unless you are prepared. Primary among these hazards are attacks against your company’s infrastructure, including your people, computers, mobile devices, and networks.

Know the Facts: 10 Eye-Opening Cybersecurity Statistics

  1. 85% of cybersecurity breaches are caused by human error.1
  2. 94% of all malware is delivered by email.2
  3. Ransomware attacks happen every 10 seconds.3
  4. 71% of all cyberattacks are financially motivated, followed by intellectual property theft, and then espionage.4
  5. Over 80% of cybersecurity events involve phishing attacks.5
  6. 42% of all cyberattacks target small businesses.6
  7. 77% of organizations do not have a response plan.7
  8. 20% of small businesses allowed remote work without having a cybersecurity plan.8
  9. 43% of small to medium-sized businesses (SMBs) haven’t yet adopted cybersecurity assessment and mitigation plans.9
  10. 37% of businesses were hit by ransomware in 2020; 32% of businesses paid the ransom to get their data back, at an average ransom of $170,404.10

The Power of Resilience

Protecting your networks and information has become more critical than ever. But even the most robust defenses can be defeated. A resilient business takes steps to prevent problems, but also has concrete plans in place to manage and recover from disasters that cannot be anticipated or avoided.

Gray, Gray & Gray in partnership with leading IT consulting firm GraVoc, has the resources necessary to do more to protect your networks and data. We help discover where vulnerabilities may exist and give you the power to build a shield around your company’s data. From system and process evaluation, to designing and deploying a protective security stack, to responding to attempted breaches, we stand ready to defend your business against cyber criminals.

Outsourced Cybersecurity Services

Cybersecurity is not a “do-it-yourself” process. The increasingly sophisticated threats and relentless pace of attacks require that an equally advanced defensive program be developed and implemented by a specialized organization – one that can provide the necessary technological skills and resources.

The outsourced cybersecurity risk management services provided by Gray, Gray & Gray and GraVoc are comprehensive, thorough, and continually updated to meet the latest threats.

A sound disaster recovery and business continuity plan (DR/BCP) is crucial in protecting your business from operational and reputational losses caused by major failures or disasters and cybersecurity incidents. In general, a DR/BCP is designed to reduce the disruption caused by these failures and disasters through a combination of preventative and response controls. We can assist with developing a DR/BCP to meet the following objectives:

  • Create a plan that is designed to maintain, resume, and recover mission-critical business processes in the event of a failure or disaster
  • Assign roles and responsibilities to key stakeholders and organize these roles to ensure proper management and oversight of the DR/BCP
  • Complete a comprehensive business impact analysis that considers the functions and processes of each department and assigns a recovery time objective and recovery point objective for each process
  • Design methodology to validate the DR/BCP through practical testing
  • Develop practices to periodically update the DR/BCP to reflect changes in operations and vendor relationships
  • Adhere to applicable regulatory guidelines and/or industry standards and best practices

We start with a gap assessment or gap analysis to evaluate an organization’s overall control environment and identify gaps. We use a 3-point rating system (high, medium, low) to indicate how significant the gaps identified are.

Our information security gap analysis helps to determine if your IT operations align with guidelines set forth by NIST and other industry standards. Ultimately, the objective of this review is to address potential gaps within your control environment in an effort to mitigate overall risk exposure.

The scope of the information security gap analysis includes:

  • Interviews with IT and information security personnel
  • Review of administrative, physical, and technical controls
  • Review of IT and security-related policies and procedures
  • Review of adherence to IT and cybersecurity best practices

Upon completion of this review we will provide a summary report outlining areas of improvement, control weaknesses, and recommendations for remedial action.

Once we have identified and prioritized the risks facing your operations, we take steps to minimize their occurrence or mitigate damage. Physical threats to facilities, equipment and inventory can be addressed by proven defenses such as fire suppression and control systems, perimeter security, and routine maintenance programs.

Hand-in-hand with a response plan is a business continuity plan that details how you will recover after a disaster occurs. For your company’s data and information this must include secure backup and archiving of critical files on a daily basis (if not more frequently). The backup must be automatic, digital and include secure off-site storage so that you can quickly re-establish access to files. This step may require an upgrade to your computing capacity and bandwidth.

It is important to identify which parts of your business would be most affected by cyberattack, natural disaster, fire or other catastrophe. We focus on assets that are both mission critical and irreplaceable. Using quantitative analysis, we prioritize risks which might damage or destroy those assets and disrupt your business.

For example, inventory lost in a fire can be replaced and the financial loss covered by insurance. But customer records that are compromised by a cyber hacker may be tainted and unrecoverable. Some risks cannot be anticipated (global pandemic or natural disaster), while others are more likely to occur (everyone is susceptible to ransomware).

Just as critical to ongoing operations are threats to business systems: computers, servers, mobile devices, networks and data storage files. A separate inventory and risk assessment will help to identify weaknesses in your cyber defense posture, which can be addressed in the development of a Written Information Security Plan (WISP), a document mandated by law in many states.

These cybersecurity measures should include investment in secure hard drives and uninterruptible power sources, advanced email and phishing protection, data encryption and secure archiving, dark web scanning and monitoring, and cyber security training for all employees – typically the weakest link in the cyber security chain.

Cloud storage of data is currently the most reliable way to secure data while providing quick access when required. We’ll recommend a cloud environment that is right for your business and your needs, that it is truly secure and will be readily scalable when your company’s growth necessitates expansion.

We will prepare an “immediate response” document to provide a step-by-step game plan for reacting to a cyberattack or other catastrophic event. Easy to follow checklists help guide company leadership in stabilizing operations and getting things back on track as quickly and efficiently as possible.

Being prepared to respond to a cyber attack or ransomware demand starts with something as simple as a company contact list, with names, phone numbers and email addresses of critical personnel who should be contacted in the event of an event. Each member of the management team should be assigned a recovery role and trained how to execute it.

Other checklists cover critical steps such as data recovery procedures, incident reporting requirements, equipment replacement lists, customer communications processes, and mitigation of damage to key assets. Time is money, so the plan should include a recovery time objective to make repairs, restore systems and minimize downtime so you can resume operations as rapidly as possible.

Additional Cybersecurity Services

Our Governance, Risk, & Compliance (GRC) services help improve your overall security posture by reducing risk exposure, ensuring compliance with industry and government regulations, and aligning with information security standards and best practices.

Currently, there is a nearly universal requirement for all organizations to have a Written Information Security Plan (WISP) to comply with state data security laws. We see the development of your WISP as an important basis for creating a robust cybersecurity environment.

A WISP includes steps your company is taking to identify and address threats to stored information and the systems in which it resides, spells out the administrative, technical and physical safeguards by which an organization protects the privacy of the personally identifiable information it stores. When regulators or prosecutors investigate a breach, having a WISP in place demonstrates a commitment to meeting security requirements.

In addition to working with your IT team to prepare a compliance-ready WISP, we have the resources to implement and document the security steps included in the plan. This includes physical security measures, a multi-layered security stack, measures to secure cloudbased data and remote work devices, employee training and testing, and the documentation and reporting necessary to meet compliance requirements.

Regular IT audits provide an independent and objective review of your IT infrastructure, control configuration and regulatory compliance through in-depth testing and expert analysis. We’ll help identify gaps in compliance, controls and processes, and update systems to meet the latest cybersecurity threats.

Are you ready to repel the next cyberattack? Our Penetration Testing Services help you identify, understand and resolve configuration and security vulnerabilities before they are exploited by real-life attacks. Our expert team of Information Security consultants use sophisticated technology tools to scan and identify potential risks to your information system environment.

The weakest part of any cyber defense plan is the people behind the wall. Your employees – at all levels – are the easiest way for cyber criminals to gain access to your system. It is essential to implement formal cyber security awareness training for all current employees, and to make cyber security training part of onboarding all new hires.

A key component of the training is security awareness testing, including social engineering exercises like simulated phishing campaigns. Controlled and documented testing of your staff can help determine if they are adequately trained to identify common attack methods such as phishing emails and attempted malware infiltration. A dedicated Learning Management System (LMS) helps to track staff participation and identify potential clickers.

Personnel are also an important part of business continuity. Everyone should have a role to play and, wherever possible, should be cross trained in other aspects of the business to ensure a backup is available. Knowledge transfer and multi-role training can even help smooth transitions when an employee is promoted or leaves the company and must be replaced.

We also offer digital security workshops to raise the level of awareness of personal responsibility in preventing cyberattacks, phishing and malware intrusions.

In collaboration with GraVoc, we provide Virtual Chief Information Security Officer (vCISO) services to businesses in need of assistance with security advisory.

Our Virtual CISO services connect your business to our team of certified security professionals with over 25 years of experience in managing governance, risk, and compliance for organizations across a variety of market sectors.

Drawing from our diverse experience and expertise, our information security team provides your business with hands-on assistance to implement tailored and sustainable security governance programs. Our services cover general advisory to policy and process development to budgeting and strategic planning and help your organization maintain a strong security operation in any capacity.

Our Certifications

Our Information Security Certifications Include:

  • CCNA Security – Cisco Certified Network Associate Security
  • CISM – Certified Information Security Manager
  • CISA – Certified Information Systems Auditor
  • CRISC – Certified in Risk and Information Systems Control
  • CEH – Certified Ethical Hacker
  • CISSP – Certified Information Systems Security Professional
  • ECIH – EC-Council Certified Incident Handler
  • OSCP – Offensive Security Certified Professional
  • CDPSE – Certified Data Privacy Solution Engineer

The Power to Move Forward

Expecting the unexpected is the hallmark of a visionary business leader. But it is even more important to plan ahead in anticipation of potential dangers and disasters. Taking steps to avoid cyber threats and vulnerabilities is essential, but so is having a “moving forward” plan to recover from disruption and restore operations as quickly and efficiently as possible.

We can help manage the risk posed by cyberattacks, malware, ransomware, and other threats, as well as develop a comprehensive response plan that creates a more resilient and resourceful organization.

The Advisor Newsletter​

Sign up for our newsletter and receive tax tips, event invitations, important reminders and more. 
Join Now!

News & Events

Lead Contact

Nathaniel Gravel

CISA, CISM, CRISC

Contact Us Today!

Discover how we can give you the power to do more.

Scroll to Top