From start up to large organisation – Mapping the cyber security maturation journey
An imagined case study in four parts that follows the cyber security evolution of an organisation over seven-plus years as it matures from a start-up to a large organisation.
Two friends, Hazel Nutt and Patti Cake, shared a love of baking and in 2018 decided to set up a small patisserie business called Essential Cookies.
They began their journey by baking custom cakes, biscuits and pastries from a small commercial kitchen in their hometown of Bakeitwell. Initially, their focus was on delivering high-quality, handmade products to local customers through in-person orders and a simple website displaying their offerings.
This is the third part of a fictional case study that charts the cyber security journey of ‘Essential Cookies’ from micro patisserie to established dessert supplier using all the NCSC schemes as milestones.
Part three – Becoming a larger organisation and a supply chain partner: 2024
By 2024, Essential Cookies has grown significantly, establishing a supply chain with multiple vendors for ingredients, packaging, and logistics. Essential Cookies has also become a trusted supplier for several large catering companies and high-end restaurants and some of their systems have been integrated with suppliers for real-time inventory management. As part of the supply chain, Essential Cookies is required to meet specific cyber security standards set by their partners.
What are their cyber security challenges?
Supply chain attacks: Being part of a supply chain makes Essential Cookies a potential target for attackers looking to gain access to larger, more lucrative targets.
Third-party risk management: Security risks can also run the other way, and a security gap in a third party’s systems could undermine Essential Cookies’ own cyber security measures. In addition to earning trust by demonstrating their own security, Essential Cookies needs to ensure that their vendors and partners also maintain adequate security to protect the entire supply chain.
What steps do they take to be more cyber secure?
Demonstrate a higher level of assurance: Hazel and Patti decide to certify their organisation to Cyber Essentials Plus to provide a higher level of cyber security assurance to their customers and partners.
Vendor risk management: They develop a vendor management policy to help ensure that all vendor relationships are managed consistently and effectively, reducing the risk of financial loss, legal issues, and damage to their company’s reputation. The policy helps them ensure that vendors are aligned with their objectives, values, and requirements for security and compliance. This includes a requirement for all third-party vendors to certify to Cyber Essentials.
Engagement with a Cyber Incident Exercising provider: Hazel and Patti decide to start working with an experienced professional, assured under the NCSC’s Cyber Incident Exercising (CIE) scheme. Their CIE provider can design and facilitate discussion-based table-top exercises as well as more in-depth, technically simulated live-play exercises and specifically tailor the exercises to the type of attack scenarios that are most likely to be a threat to a growing business like Essential Cookies.
How do these steps help?
Cyber Essentials Plus has the same requirements as Cyber Essentials but includes a technical audit of the IT systems to verify that the Cyber Essentials controls are correctly implemented. In this way, Cyber Essentials Plus certification gives a higher level of assurance that the business has been independently assessed and audited by an accredited security expert.
Essential Cookies worked with a provider of Cyber Incident Exercising (CIE). Their organisation is an Assured Service Provider (ASP) that has met the NCSC’s strict quality and security standards. Hazel and Patti were able to practise and refine their incident response capabilities in a hands-on manner and are now more confident that they are prepared to handle real cyber threats. The ASP brings years of industry experience and expertise to help them develop their response abilities and increase their cyber resilience.