Why Cyber Essentials Matters

Cyber Essentials is a government-backed scheme designed to help organisations safeguard sensitive information by implementing baseline security measures. Achieving a CE certification demonstrates to customers, stakeholders, and partners that your organisation is committed to cybersecurity best practices. It also provides an additional benefit—organisations with this certification may qualify for certain types of cyber insurance coverage.

Thrive: A Trusted Partner for CE and CE+ Compliance

Thrive is uniquely positioned to help SMBs navigate IASME’s compliance process, offering tailored services for both CE and CE+ certifications. Thrive’s role as a certification body ensures your path to compliance is smooth, efficient, and aligned with your business objectives.

Elevating Compliance with Cyber Essentials

For organisations looking to enhance their cybersecurity credentials with a Cyber Essentials (CE) certification, Thrive provides Readiness Assessments to help prepare for both CE and CE+ certifications, which include:

• Gap Analysis Report: Identifying areas of non-compliance with CE and CE+ requirements.
• Roadmap to Compliance: Detailed steps to address identified gaps and align with the certification standards.

Getting Started with Cyber Essentials

The first step toward compliance is obtaining the Cyber Essentials certification. This process involves completing a self-certified questionnaire, which is submitted online to the IASME portal. Thrive’s experts are available to support organisations in understanding and accurately completing this essential step.

Upon successful submission of the questionnaire, Thrive will assess whether the answers meet the requirements and issue the CE certification, confirming your organisation meets the baseline requirements for cybersecurity.

Once the Cyber Essentials certification is complete, Thrive will guide organisations through the CE+ certification process.

The CE+ Audit

Achieving CE+ certification involves a hands-on technical assessment of your systems. A Thrive-certified CE+ assessor will conduct a comprehensive audit of all in-scope systems, including:

• Representative User Devices: Ensuring secure configuration and malware protection meet requirements.
• Firewalls: Ensuring that only secure and necessary network services can be accessed from the internet.
• Security Update Management: Ensuring that devices and software are not vulnerable to known security issues

This rigorous evaluation ensures that your organisation’s cybersecurity measures are not only compliant but also resilient against commodity-based threats.

Choose Thrive for Your Cyber Essentials Journey

Thrive’s expertise as a certification body goes beyond issuing certificates. Our end-to-end support enables SMBs in the UK to confidently achieve compliance while strengthening their overall security posture. Key benefits include:

• Expert Guidance: Thrive’s team of cybersecurity professionals simplifies the certification process.
• Customisable Support: From self-assessments to readiness assessments and audits, Thrive tailors services to your unique needs.

Take the Next Step Toward Compliance

Cyber Essentials and Cyber Essentials Plus certifications are crucial milestones for any UK-based SMB aiming to improve cybersecurity. Thrive’s comprehensive approach ensures your organisation is not only compliant but also equipped to face future challenges.

Contact Thrive today to achieve CE and CE+ compliance, enhance your cybersecurity posture, and protect your business against the ever-evolving threat landscape.

The post How to Achieve Cyber Essentials Compliance with Thrive appeared first on Thrive.

“That’s a big step towards ensuring that there is resilience in the system. It’s not about crimes, it’s about resilience,”said José Manuel Campa, Chairperson of the European Banking Authority, one of three EU institutions behind DORA. The DORA regulation’s goal is to ensure the IT resilience and security of any financial entity (FE) in Europe and their Information Communications and Technology (ICT) providers, such as banks, crypto, insurance, and financial firms, even during severe operational impacts like denial of service (DDoS) cyber attacks and ransomware.

Today, a big challenge for the European Supervisory Authorities (ESAs) in the EU is to put together their own team for overseeing DORA.

On April 10, 2024, the ESAs launched their first recruitments to set up a DORA joint oversight team. This announcement came as part of the establishment of a fully integrated team within the 3 ESAs to carry out the oversight of critical third-party providers (CTPPs) required by DORA.

The joint oversight team includes a Director, Legal Experts and ICT Risk Experts. The EU has set up numerous consultations with FEs in Europe and conducted dry runs with a list of financial markets participants, such as very well-known banks in each EU member state and outside entities that do business in the EU. Much like GDPR’s scope, DORA is not limited to those based in the EU but applies to any companies working with EU FEs.

As DORA nears its enforcement date, the focus has been on the third-party risk management process and expectations. The feedback is contained in very detailed spreadsheet entries:

• Responses to public consultations on DORA.xlsx
• Responses to public consultations on DORA 1st batch.xlsx 
• ESAs published second batch of policy products under DORA | European Banking Authority

It is worth noting that the FCA (Financial Conduct Authority) in the UK also has operational resilience regulations coming into force in March 2025, and NIS2 requirements come into effect for all businesses in October 2024. In the US, the SEC is also mandating rules that focus on technology management and compliance expectations, especially around incident management and the definitions of severity, response and more. DORA also focuses on these points – for example, DORA introduces consistent requirements for FEs on management, classification, and reporting of ICT-related incidents.

DORA also details primary and secondary criteria for these incidents, and when they should be considered major incidents, with suitable thresholds. These include the percentage of FE clients impacted and the associated financial value of the impact. If they cannot be easily determined, estimates based on available data are acceptable.

Duration of the event (longer than 24 hours) and ICT service downtime (more than 2 hours) is another factor in classifying an incident as a major event.

One of the more challenging requirements, is that DORA states that all FEs are required to maintain and update a Register of Information (ROI) in relation to all contractual arrangements on the use of ICT services provided by ICT Third-Party Service Providers (ICT TPPs).

This is a complex document as shown from EU documentation below. Not least because most contracts may need to be re-written to accommodate DORA requirements, not least numbering each service for identification purposes, and highlight any critical service therein.

In May 2024, the EU organised a voluntary exercise for the collection of the registers of information (see above) of contractual arrangements on the use of ICT third-party service providers by the financial entities. Under DORA and starting from 2025, financial entities will have to maintain registers of information regarding their use of ICT third-party providers. In this dry run exercise, this information was collected from financial entities through their competent authorities, as preparation for the implementation and reporting of registers of information under DORA.

DORA Title II provides further harmonisation of ICT risk management tools, methods, processes and policies, as shown below. This categorization and harmonisation is aligned with ISO 27001 as we shall examine in part 3, when we look at various ways to achieve DORA compliance.

DORA Title II: Further harmonisation of ICT risk management tools, methods, processes and policies (Article 15)

The most recent big date in the DORA calendar was July 17, 2024. It is when the EU released its latest analysis of expectations and obligations for DORA, in terms of the EU systemic cyber incident coordination framework (EU-SCICF), kickstarting the process of how cyber incidents should be mitigated, with relevant DORA requirements met and reasonably achieved.

The EU’s ESAs have also recently been processing the most recent public consultation, with a view to determining further Regulatory Technical Standards (RTS), not all of which are information technology related, but technical in a business sense. Many are extensions of existing regulatory technical details, and as such, have built on lessons learned from earlier legislation.

Looking to the Future

The guidelines have already been adopted by the Boards of Supervisors of the three ESAs. The final draft technical standards have been submitted to the European Commission, which will now start working on their review with the objective to adopt these policy products in the coming months.
Many lessons have been learnt and challenges raised, where the EU believes that requirements are reasonable, but the industry may have other views, based on the cost of doing business to meet such requirements, and other considerations. It is not inconceivable that some FEs or ICT third parties will look to reduce or cease business in the EU, if the DORA requirements are overly onerous, as happened for previous regulatory legislation, for example, following the 2008 banking crisis.

In simpler terms, DORA ensures that financial institutions and technology partners are well-prepared to effectively handle disruptions and cyber risks.

It’s all about making sure our FEs stay strong and resilient!

Thrive has a crucial role in bolstering our client’s operational resilience through our own operationally resilient platform and business, reducing dependency on single systems, teams, or procedures, and enhancing risk management in the financial sector in alignment with DORA’s objectives. Contact Thrive today to learn more about how we can further support your organisation’s DORA compliance requirements.

The post Get to Know the Digital Operational Resilience Act (Part 2) appeared first on Thrive.

While it may seem like a stretch that your choice in technology can directly affect your investment performance, the rising use of technology to allow funds to quickly adapt to the changing markets, employ high-frequency trades (HFTs), and implement automation tools that can be used for a myriad of reasons. Technology automation can also help reduce overall operational costs, enhance scalability of a fund, and improve overall fund performance.

Traditional financial models are still at the core of many hedge funds, but the use of technology should not be ignored. Building a robust tech stack can not only help your fund stay secure and compliant, but also stay competitive with other funds by shaving tenths of a second off lucrative trades and other strategic moves that can make you and your clients more profitable. Thrive offers a hedge fund-focused IT approach that takes advantage of its Hybrid Cloud, allowing funds to rapidly access information while maintaining regulatory compliance to ensure all trades and other financial strategies are done properly. 

Another critical aspect of building a successful IT stack is having 24/7 support to mitigate risk and ensure agility against bad actors trying to breach your network. Making sure that your clients’ data and your trade secrets are safe is critical for the continued success of your fund. Data leaks open a fund up to regulatory infractions, massive fines, and other potential consequences that can cost a lot of time and money to clean up. Allocating resources to a disaster recovery plan helps minimize data loss and provides fast, automated recovery of critical systems for protection against events that can devastate normal business operations while meeting challenging Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). 

Take your tech stack to the next level and ensure your regulatory compliance with Thrive today. Thrive provides managed IT services with 24/7 operators, so you don’t have to worry about potential threats and data breaches. Contact Thrive to learn more about how you can improve your hedge fund’s tech stack. 

The post Is Your Tech Stack Supporting Your Investment Goals? appeared first on Thrive.

Depending on your industry and geographical location, you may need to comply with various regulations, such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and more. Understanding which regulations are applicable to your organization is a significant first step, as this will form the foundation of your compliance efforts.

Conduct a Comprehensive Risk Assessment

The first step towards cybersecurity compliance is to conduct a thorough risk assessment. This involves identifying potential vulnerabilities and threats within your business’s infrastructure, applications, processes, and data management practices. Understanding your risks will allow you to prioritize your efforts and allocate resources effectively. A risk assessment also helps in tailoring your compliance strategy to address your organization’s unique needs.

Implement a Robust Cybersecurity Framework

A resilient cybersecurity framework can act as a foundation for your compliance journey. Consider adopting an established framework, like the CIS Critical Security Controls Implementation Group 2 that we leverage at Thrive. A framework helps provide a structured approach to implementing cybersecurity controls and best practices, helping you establish a strong foundation for your IT infrastructure and compliance. These frameworks also provide guidance to achieving a comprehensive approach to addressing the many facets of cyber risk.

Continuous Monitoring and Improvement

Cybersecurity compliance is a fast-changing and evolving process. Implementing continuous monitoring practices helps your business detect and respond to emerging threats in real time. Regularly assess and update your security measures to align with the evolving threat landscape and changing compliance requirements.

Leverage Technology Solutions

Technology can be a powerful tool in your IT toolbox to help achieve compliance. Investing in cybersecurity tools, such as intrusion detection systems, firewall solutions, security information and event management (SIEM) platforms, and vulnerability assessment tools can help you build out a robust cybersecurity framework. These technologies can help automate security tasks, provide visibility into your network, and facilitate compliance reporting.

Employee Training and Awareness

Human error remains one of the biggest cybersecurity risks. Conducting regular training sessions to educate your employees about cybersecurity best practices, data handling procedures, and the potential consequences of non-compliance will help mitigate haphazard risk. When your entire team is aligned with the importance of cybersecurity, the compliance journey becomes smoother and more efficient.

Achieving cybersecurity compliance is not just a regulatory requirement—it’s a crucial step in protecting your business and its stakeholders. Conducting thorough risk assessments, adopting a robust framework, continually monitoring for risk, leveraging technology solutions, and investing in employee training, can help streamline your journey to cybersecurity compliance. Thrive’s IT Compliance and Regulatory Consulting Services can help you reach and maintain these compliance goals with ease. Remember, staying proactive and adaptive is key to maintaining a strong cybersecurity posture.

The post Streamlining Your Journey to Compliance appeared first on Thrive.

We saw a rise in the need for CISOs as COVID-19 introduced a sharp increase in cybercrime. In a 2021 IDG report, it was reported 78% of executives expressed a lack of confidence in their organization’s ability to deal with cyber risk. This confidence gap highlighted the need to have the right expertise in place to maintain a strong security posture in a world with unexpected and increasing cyber-attacks accompanied by constantly changing regulations.

No matter the size of your business, it’s imperative that cyber threats aren’t ignored. From large corporations to start-up businesses, there is vital information in play that can be hacked at any moment. For mid-market enterprises that need a strategic vision behind their cybersecurity efforts, it’s often impossible to find and/or afford a CISO, leaving them directionless in a fast-moving threat environment.  

To combat the CISO shortage, many companies have tapped into outsourced CISO services. It’s important to know the difference between your options, and what they can do for you. Fractional CISOs are part-time, on-site chief information security officers there to maintain a company’s cybersecurity as well as other IT roles within and/or outside the company. Virtual CISOs (vCISO) are outsourced, off-site security resources for businesses that can’t/don’t want to hire cybersecurity personnel as payroll employees or do not require a full-time, dedicated resource based on the needs of their organization. They collaborate with key organizational leadership to formalize cybersecurity policy, mitigate cyber risk through technical solution, and ongoing validation and improvement of cybersecurity programs.

 A fractional CISO might be more equipped to handle low cyber risk organizations while vCISOs have a wide breadth of expertise from a variety of mature clients. This results in vCISOs having access to the latest resources and their ability to deliver increased knowledge regarding current industry trends and regulations.

It’s important to consider which CISO service is best for your business, but in our eyes, the obvious choice is to engage in a vCISO service that offers exceptional benefits: promised cost savings, access to the latest and greatest technology and resources, and unmatched expertise in industry regulations (healthcare, financial services, legal, etc.).  Most importantly, a qualified cybersecurity resource like a vCISO will guarantee a proactive approach to cyber risk mitigation and provide your organization with the appropriate level of protection in today’s cyber landscape.

At Thrive, we emphasize the importance of maintaining a security posture through our comprehensive vCISO services: 

• Industry-leading information security program management
• Thrive’s vCISO serves as a trusted security advisor
• Information security governance and compliance oversight
• Information security program reviews
• Review of existing policies, controls, and security toolsets
• IT Management remediation plans
• Prioritized improvements for IT Management
• Incident response preparedness and annual incident response table-top exercise
• Center for Internet Security (CIS) framework implementation

Consider Thrive for your vCISO needs and learn more about our vCISO service and how our security-first NextGen Managed Services can help your organization.

The post Fractional vs. Virtual CISOs – How Leading Companies Are Upping Their Security Strategy appeared first on Thrive.

Thrive’s NextGen technology and managed services, including Cloud, Cybersecurity, Collaboration and more, optimize and protect critical technology ensuring government agencies are innovative, secure and efficient.

Take your organization to new heights with Thrive.

1. Reduced CapEx Spend Thrive’s NextGen technology and managed services are scalable and flexible to meet changing demands. We save your organization money by eliminating hidden operating costs and cutting upfront infrastructure and hardware costs with technology that reduces downtime and makes workflows efficient.
2. Efficiency Thrive’s decades of experience serving government agencies, combined with using digital collaboration platforms such as Microsoft 365, SharePoint and Microsoft Teams, will digitally transform your business from the ground up. Thrive’s secure Hybrid Cloud solutions are built to support the Cloud solution that best meets the needs of each organization’s compliance requirements.
3.  Enhanced Measures to Meet Compliance Requirements Thrive understands the unique complexities government organizations face. Thrive is uniquely positioned to meet this demand and future-proof your digital infrastructure operations, from industry-tailored Cloud and Cybersecurity services to a world-class IT platform.
4. Advanced Security As government IT systems grow in complexity, there is an increased risk of vulnerabilities, exploits and security breaches. Thrive’s Managed SIEM-as-a-Service (SIEMaaS), Disaster Recovery-as-a-Service (DRaaS) and Vulnerability Management with a 24x7x365 Security Operations Center protect your organization, uncover and mitigate risks and meet stringent regulatory requirements.

Thrive gives government organizations peace of mind with a comprehensive, proactive security strategy with technology solutions. Read more in our recent industry brief here. Click here to contact us today to solve and manage your organization’s Cybersecurity and Cloud needs.

The post 4 Ways Thrive Helps Government Organizations appeared first on Thrive.

Security experts are seeing a significant number of Exchange servers getting “backdoored” by malware that lets threat actors maintain update-resistant and “stealth” access to the IT infrastructure of a targeted organization. Despite its long-held reputation as a reliable on-premise workhorse for email that allows for total administrative control, many of our clients are starting to see this beloved server as legacy technology. Exchange has limitations that become more noticeable as companies migrate to the cloud, namely, modern authentication and other security features that are unavailable in Exchange environments.

There is no business strategy without a cloud strategy.

The lasting business shift to remote and hybrid work has prompted slow adopters to finally embrace the cloud. Some statistics show nearly 90% of organizations have adopted the cloud for at least some of their business applications, though it appears that for some, the decision to let go of their legacy or hosted email system remains a challenge.

The major benefits of migrating to Microsoft 365 can be broken down into three categories:

• End-user productivity
• Security and compliance
• Scalability and cost-efficiency

Growing companies need more than just email. Around 80% of Fortune 500 companies have already undertaken data migration to Microsoft 365, and start-ups to medium-sized organizations are now following this trend. Smaller organizations are implementing Microsoft’s productivity suite into their everyday operations and utilizing its set of tools to drive business productivity at a flexible, calculable cost.

… and Re-Think Productivity.

Cost reduction is frequently cited as the core driver for migration plans, however there are many arguments in favor of taking the leap to the new Microsoft 365 including an array of novel tools, product updates, and the opportunity for new workflows and routines. Yes, migration can be a complex task, but it’s one that brings many benefits:

• Upfront cost certainty 
• Preserves business agilily
• Enhances organizational communication
• Boosts employee productivity and reduces downtime
• Streamlines IT operations

And there is no need for Capex spend on hardware, software, data center space, ever. Here are some additional benefits for your in-house IT department:

• Flex user count up or down very quickly
• More times than not the mailbox size quota is substantially greater with Microsoft 365
• No need to audit MS licensing, as all licenses are included
• No need to patch or keep servers up to date
• No need to patch or update Office versions
• Users are spread out among many servers so a single server outage does not impact all users
• Guarantees compliance with industry-specific, local, and national regulations, such as HIPAA, SOC 1, 2, & 3, ISO/IEC 27001, CIS Benchmarks, CDSA, and more
• Faster onboarding with Thrive Customer portal integration

How can Thrive’s Cloud-First, NextGen Managed Services help your business? To discover more, please CONTACT US.

The post It’s Time to De-Risk with Microsoft 365 appeared first on Thrive.

Proposed in February 2022, the rule is designed to promote a more comprehensive framework to address cybersecurity risks for advisers and funds, including their ability to effectively respond and recover from a cyber incident, while also strengthening investors’ confidence in the security of their investments. The proposed changes impact disclosure requirements, include a mandatory 48-hour incident reporting requirement, and establish new record keeping requirements for advisors and funds that are designed to improve the availability of cybersecurity-related information and help facilitate the Commission’s inspection and enforcement capabilities.

How will your cybersecurity program perform during its next regulatory audit?

Financial organizations, such as banks, investment firms, private equity firms, wealth management firms, hedge funds and more are facing new and growing market pressures, technology disruptions and cyber threats, seemingly on all fronts. Thrive has decades of experience working with financial services firms worldwide building risk mitigation and compliance programs that help companies protect their data and grow their business.

Our Financial Operations Platform helps our clients by making it easier to navigate regulatory processes and meet standards – on time – thanks to its simplified compliance reporting capabilities.

A member FS-ISAC, Nicsa and AIMA, Thrive is here to help your firm navigate the complex world of financial services technology and regulatory best practices to improve data security posture while generating value to your business operations. Our consulting team provides assessment services specifically tailored to evaluating registered investment advisors – contact us today to learn more.

The post What Does the SEC’s New Cybersecurity Rule 206(4)-9 Mean for Investment Advisors and Private Funds? appeared first on Thrive.

The SEC thus identified this as one of its 2021 priorities and has proposed rule amendments to improve cybersecurity risk governance disclosures.³

Thrive’s cybersecurity solutions can help secure both your data and your assets. Employing both proactive and preventative measures, our cybersecurity consulting and solutions reach well beyond typical reactionary support. Early detection means we’re able to stay ahead of growing and ever-evolving cyber threats—and protect your business. Cybersecurity is a sound investment in your firm’s future.

Taking a good hard look at your current cybersecurity posture now can help secure a solid future in many ways, including:

• Building investor confidence
• Gaining a thorough security vulnerabilities assessment
• Going into Investor audits fully prepared
• Ensuring ongoing financial regulator compliance

Early detection means you’re able to stay ahead of growing and ever-evolving cyber threats—and protect your business. To learn how our team can build customized cybersecurity solutions for your firm, contact us today.

1. Source: EY, October 2021, “How cybersecurity risk disclosures and oversight are evolving in 2021”
2. Source: Risk Based Security report, January 2021. Based on roughly 3,900 publicly reported breaches globally in 2020.
3. Source: The National Law Review, September 2021

The post Is It Time to Take a Hard Look at Your Cybersecurity? appeared first on Thrive.

This new law prohibits the Superior Court of Connecticut from assessing punitive damages against an organization that implements reasonable cybersecurity controls, such as the NIST Cybersecurity Framework or CIS Critical Security Controls.

Essentially, as long as the cybersecurity approach utilized by a business is up to industry standards and considered reasonable in its capacity as a security platform, then neither the cybersecurity firm nor the businesses utilizing their services can be held legally liable in the case of a damaging cyberattack that exposes PII or other sensitive information.

This law, along with federal laws under discussion, highlight that C-Level Executives and Boards of Directors need to be as concerned with cyber risk as they are traditionally with fiscal risk. The stakes are just as high and proper approaches to risk mitigation are required to maintain business solvency.

So if your business is located in Connecticut, Ohio, or Utah (or if you want to proactively follow best practices to help protect personal data and shield your company from legal harm), what steps should you be taking?

1. Assess Your Current Cybersecurity Security Posture Against the NIST or CIS Frameworks

Both the NIST and CIS frameworks provide valuable direction to an organization’s overall approach to assessing and improving its cybersecurity posture. Beginning with the identification of vital assets in need of robust protection, these frameworks serve as actionable guides to enhancing the defense of that data & continually evolving protocols as more information becomes available. These frameworks lay the ground for organizations to begin by implementing essential security services and further implement more full-spectrum advanced engineering coverage.

2. Prioritize Solutions and Services that Help Comply with the Framework

The CIS framework takes a priority-based approach with regards to security protocol, whereas NIST is considered to focus more heavily on assessing and reducing overall risk. Whichever framework you choose for your organization, prioritizing and protecting your most valuable assets first is the goal. Complying with your chosen framework may include implementing a NextGen firewall, end-user workstation security, or advanced patching services. Thrive offers these services unbundled to enable the creation of a custom solution tailored to the needs of each client.

3. Create a Plan to Stay Up to Date as Frameworks Evolve

To help keep organizations protected, the CIS and NIST frameworks are continually updated, which is reflected in HB 6607. Organizations have six months from when the changes are published to re-comply with the frameworks to maintain compliance under the law.

Perhaps one of the biggest benefits of working with a security-first MSP is that their team of Certified Information Systems Security Professionals (CISSPs) can focus on staying up-to-date on the latest threats and breaches while you focus on your organization’s operations. In an ever-changing technology landscape, keeping up with best practices can be a headache. But no matter what approach you take, ongoing testing, validation, management, and reporting are key to its effectiveness.

Conclusion

By financially incentivizing adherence to well-established frameworks, these laws make cybersecurity a C-level, and even board-level, area of concern. They help establish clear targets for companies, which is critical in an era of non-stop marketing hype around new technologies and the constant news cycle around the latest attacks and bad actors. Plus, these laws should ultimately help safeguard all of our data, making criminal actions less of a moneymaker.

If you’d like to talk with a Thrive cybersecurity expert about how to navigate laws like Connecticut HB 6607, please contact us today and request a free assessment.

The post What Do Cybersecurity Laws like Connecticut HB 6607 Mean For Your Business? appeared first on Thrive.