
IT asset management for robust cyber security

Posted on: 8 January 2024


IT Asset Management involves identifying and managing all assets in a company or organization’s IT infrastructure including hardware, software and data. Effective asset management can significantly improve cybersecurity through a more thorough and comprehensive understanding of an organization’s IT infrastructure.

What’s the most important asset for every organization?

Assets can be defined as anything within an organization that has the potential to generate value. This can include a wide range of things such as intellectual property, customer data, various types of technology such as hardware and software, physical locations, financial capital, and last but not least, the knowledge and skills of employees.

Essentially everything contributing to the growth and success of an organization is considered an asset.

In today’s digital age, cybersecurity is paramount to protect sensitive information and prevent data breaches. Companies, organizations and individuals must take steps to make their cybersecurity robust and effective. One effective way to achieve this is to implement asset management.

How implementing asset management can improve cybersecurity

  • Identifying vulnerabilities
    Effective asset management allows an organization to identify all devices and software used in their IT infrastructure. This identification process can reveal outdated or vulnerable devices or software that are susceptible to cyberattacks. Once identified, these vulnerabilities can be addressed through updates, patches or replacements.
  • Tracking and monitoring devices
    Asset management allows an organization to track and monitor the usage of all devices in their IT infrastructure. This monitoring can detect unusual or suspicious behavior such as unauthorized access or attempts to download malware. This information can help an organization respond quickly and effectively to possible cyber security incidents.
  • Maintaining an inventory
    Effective asset management ensures that an organization has an up-to-date inventory of all devices and software in their IT infrastructure. This inventory can help an organization keep track of the location and use of devices and create an accurate list of assets to be protected.
  • Improving incident response
    Asset management can improve an organization’s incident response capability by providing a complete picture of its IT infrastructure. With this information, an organization can quickly and accurately identify the source of a cyberattack and take the necessary steps to mitigate its effects.
  • Minimizing conflicts and ensuring optimal performance
    Asset management is a critical part of most business operations and includes various aspects such as IT operations, financial accounting, software licensing, procurement and logistics. While each of these areas may have unique requirements for its management, there is often overlap and interdependence. It’s important to integrate and coordinate management across an organization to minimize conflicts and ensure optimal performance.

List of recommendations for effective asset management

Implementing asset management requires a comprehensive and structured approach. Here are some steps organizations can take to implement effective asset management:

  1. Inventory
    A complete inventory of all IT assets should be maintained, including hardware devices, software programs and data, along with their attributes and configurations.
  2. Categorization
    Assets need to be classified based on their significance and criticality for the organization. This helps in determining appropriate security measures.
  3. Risk assessment
    A risk assessment should be conducted to identify potential threats and vulnerabilities to IT assets and their potential impact on the organization.
  4. Access control
    Access controls should be implemented to ensure that only authorized users have access to resources and that access rights are based on the principle of least privilege.
  5. Monitoring
    Regular checks and audits should be conducted to detect suspicious activity or potential security breaches.
  6. Incident response
    An incident response plan should be in place to ensure that security incidents are detected, reported and addressed quickly.
  7. Patching and updates
    Assets should be regularly updated and patched to fix known vulnerabilities and protect against new threats.
  8. Training and awareness
    Employees should be trained in cybersecurity best practices and made aware of their role and responsibilities in protecting the organization’s IT assets.

Cleaning up assets that are no longer of use

To minimize risk and ensure optimal performance, it’s advisable to retain only the necessary systems and data. Redundant or obsolete systems or information that can’t be tied to the needs of a business should be decommissioned, with all associated data removed and relevant accounts or credentials disabled. Retaining assets that are no longer of use can increase vulnerability and expose information without any benefit. Cleaning up such assets helps reduce unnecessary risks.
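The eight recommendations above and the decommissioning advice can be exercised as a concrete reconciliation check. The following Python is an added example, not OpenSight's code or an existing tool; the inventory, the list of hosts observed on the network (as an agent or network scan would report it) and the minimum patched versions are all constructed for illustration. It flags devices seen on the network that are missing from the inventory, active assets whose software sits below the patched floor (ordered by criticality, most critical first), and decommissioned assets that still have enabled credentials, retained data or a network presence.

```python
"""Inventory reconciliation check for the asset-management steps above.

Added example; not OpenSight's code. The inventory, the observed host list
and the minimum patched versions are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Categorization step: rank used to order findings, most critical first.
CRIT_RANK = {"high": 0, "medium": 1, "low": 2}

# Patching step: minimum acceptable versions (constructed values).
MIN_VERSIONS: Dict[str, Tuple[int, ...]] = {"openssh": (9, 6), "nginx": (1, 24)}


@dataclass
class Asset:
    host: str
    owner: str
    criticality: str                  # "high", "medium" or "low"
    software: Dict[str, str]          # package name -> installed version
    status: str = "active"            # "active" or "decommissioned"
    credentials_enabled: bool = True  # accounts or keys tied to the asset
    data_retained: bool = False       # data still present after decommission


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.22.1' -> (1, 22, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def by_criticality(inventory: List[Asset]) -> List[Asset]:
    """Order assets by criticality rank, then host name, for stable reports."""
    return sorted(inventory, key=lambda a: (CRIT_RANK[a.criticality], a.host))


def find_unknown_devices(inventory: List[Asset], observed_hosts: List[str]) -> List[str]:
    """Hosts seen on the network but absent from the inventory (step 1)."""
    known = {a.host for a in inventory}
    return sorted(set(observed_hosts) - known)


def find_outdated(inventory: List[Asset], min_versions=MIN_VERSIONS):
    """Active assets running software below the patched floor (step 7)."""
    findings = []
    for asset in by_criticality(inventory):
        if asset.status != "active":
            continue
        for name, installed in asset.software.items():
            floor = min_versions.get(name)
            if floor is not None and parse_version(installed) < floor:
                findings.append((asset.host, name, installed))
    return findings


def find_incomplete_decommission(inventory: List[Asset], observed_hosts: List[str]):
    """Decommissioned assets that still have credentials, data or a network presence."""
    observed = set(observed_hosts)
    findings = []
    for asset in by_criticality(inventory):
        if asset.status != "decommissioned":
            continue
        leftovers = []
        if asset.credentials_enabled:
            leftovers.append("credentials still enabled")
        if asset.data_retained:
            leftovers.append("data still retained")
        if asset.host in observed:
            leftovers.append("still reachable on the network")
        if leftovers:
            findings.append((asset.host, leftovers))
    return findings


def reconcile(inventory: List[Asset], observed_hosts: List[str]) -> dict:
    """Run all three checks and return the findings as one report."""
    return {
        "unknown_devices": find_unknown_devices(inventory, observed_hosts),
        "outdated": find_outdated(inventory),
        "incomplete_decommission": find_incomplete_decommission(inventory, observed_hosts),
    }


# Constructed sample inventory and a constructed list of observed hosts.
INVENTORY = [
    Asset("web-01", "platform", "high", {"nginx": "1.22.1", "openssh": "9.6"}),
    Asset("db-01", "data", "high", {"openssh": "9.7"}),
    Asset("kiosk-03", "facilities", "low", {"openssh": "8.9"}),
    Asset("legacy-crm", "sales", "medium", {}, status="decommissioned",
          credentials_enabled=True, data_retained=True),
    Asset("old-fs", "it", "low", {}, status="decommissioned",
          credentials_enabled=False, data_retained=False),
]
OBSERVED_HOSTS = ["web-01", "db-01", "kiosk-03", "printer-7f3a", "legacy-crm"]

if __name__ == "__main__":
    for section, items in reconcile(INVENTORY, OBSERVED_HOSTS).items():
        print(section)
        for item in items:
            print("  ", item)
```

Running it reports the unknown printer, the two unpatched packages with the high-criticality web server listed first, and the legacy CRM that was marked decommissioned but still has enabled credentials, retained data and a live network presence; the cleanly retired file server produces no finding.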

In short…

Effective asset management can significantly improve cybersecurity by providing a complete picture of an organization’s IT infrastructure, identifying vulnerabilities, tracking and monitoring devices, maintaining an inventory and improving incident response.

Implementing asset management requires a comprehensive and structured approach, but the benefits are well worth the effort. By prioritizing cybersecurity and implementing effective asset management, organizations can protect sensitive information, prevent data breaches and ensure their continued success in the digital age.

While cybersecurity is an essential aspect of asset management, asset management shouldn’t be limited to just cybersecurity.

Need advice or help implementing asset management? Please feel free to contact us. We are happy to help!

OpenSight Summer Series

During the OpenSight Summer Series, we publish weekly blogs that elaborate on the following topics:

  1. Risk management
  2. Engagement and training
  3. Asset management
  4. Architecture and configuration
  5. Vulnerability management
  6. Identity and access management
  7. Information security
  8. Logging and monitoring
  9. Incident management
  10. Supply chain security

By implementing the security measures outlined in these 10 steps, organizations can reduce the likelihood of cyberattacks and reduce the impact of potential incidents. Learn more about the OpenSight Summer Series here!


Engagement and training: The critical components for effective cyber security

Posted on: 8 January 2024


Together, engagement and training can help an organization build a strong defense against cyber threats. By educating employees on the latest threats and best practices, an organization can reduce the risk of cyberattacks and minimize the damage from possible incidents.

A cyber security strategy puts people first and ensures that security measures are jointly designed to meet the practical needs of the organization in question. By fostering a positive cyber security culture where employees are encouraged to actively participate and make their voices heard, they can become one of the most valuable resources in preventing and detecting security incidents.

Providing staff with the necessary skills and knowledge through awareness, engagement and training shows commitment to their well-being and emphasizes their importance to the organization. This not only protects the company, but also builds employee loyalty and increases the value of the organization.

Why are engagement and training essential parts of cybersecurity?

  • Engagement:
    Cyber security engagement includes creating awareness among employees and users about the importance of cyber security, the risks and threats associated with it, and the measures they can take to protect themselves and the organization. Fostering a culture of cyber security encourages employees to be more vigilant and cautious when handling sensitive data or using technological devices.
  • Training:
    Cyber security training is essential to provide employees with the knowledge and skills needed to recognize, prevent and respond to cyber threats. It helps employees understand best practices for securing their devices, passwords and online activities, as well as how to respond to incidents such as data breaches or cyberattacks.

The most important advantages of engagement and training

  • Improved cybersecurity awareness
    Regular engagement and training initiatives can help make employees more aware of cyber security risks and threats, and provide them with the knowledge they need to prevent or report suspicious activity. Engagement and training can lead to a more vigilant workforce and improved organizational security.
  • Reduced risk of cyberattacks
    Engaged and trained employees are more likely to recognize and report security incidents or suspicious activity, which can reduce the likelihood and severity of cyberattacks. They can also implement best practices and security measures, such as strong passwords or two-factor authentication, which can further reduce the risk of a successful attack.
  • Improved incident response
    Well-trained employees are able to respond to cyber security incidents more adequately, reducing the impact and shortening downtime. They can also work together to prevent incidents from recurring or spreading, improving overall incident response and recovery.
  • Early detection of security incidents
    Employees who feel safe to raise concerns and report incidents can often detect those incidents that go unnoticed by technology. This early detection can help minimize the impact of security incidents and prevent them from escalating.
  • Improved organizational effectiveness
    Creating a safe environment where employees feel comfortable expressing their opinions and ideas can lead to better decision-making and more innovation. This can improve the organization’s overall effectiveness and competitiveness in the marketplace.
  • Increased trust and loyalty
    When employees feel that their opinion is appreciated and that they work in a safe, supportive environment, they’re more likely to be loyal to the organization and its goals. This increased loyalty can lead to increased job satisfaction, increased productivity and reduced employee turnover.

In general, fostering a safe and open environment where employees feel comfortable reporting incidents and contributing new ideas can lead to early detection of security incidents, improved organizational effectiveness and increased trust and loyalty to the organization. This will help achieve the goal of engagement and training.

Strategies for engagement and implementation of training

To successfully implement engagement and training initiatives, it is important to consider the following strategies:

  • Fine-tune engagement and training to different learning styles
    Everyone has a different way of learning and being involved in something. It’s important to use different methods of training and engagement to accommodate different learning styles, such as hands-on activities, visual aids and interactive discussions.
  • Make engagement and training interactive
    Stimulate participation and engagement by making training and learning sessions interactive. This can be done by means of group activities, scenario-based exercises and quizzes.
  • Provide continuous learning opportunities
    Cybersecurity threats are constantly evolving, so it’s important to also provide ongoing learning opportunities to ensure employees stay abreast of the latest threats and best practices.
  • Use real-life scenarios
    Real-life scenarios help make the training more relatable and practical. It can help employees understand how cyberattacks affect their job and the organization as a whole, which motivates them to take cyber security seriously.
  • Stimulate accountability
    Hold employees accountable for their actions by setting clear expectations and monitoring their progress. This can be accomplished by regularly assessing the effectiveness of training and engagement initiatives and providing feedback to employees.
  • Role of executives
    To create a strong cyber security culture within an organization, it is critical to emphasize the importance of senior leaders setting the tone through their behavior. When senior leaders prioritize following security policies and processes and do not seek “special treatment,” they send the clear message that cyber security is a top priority for the organization. Moreover, senior leaders can serve as role models for the rest of the organization by consistently adhering to security policies and practices. This helps create a culture of accountability and responsibility when it comes to cyber security.
  • Allow sufficient time to make the impact of awareness campaigns visible
    It can take some time to see the effectiveness of awareness campaigns, so it is important to allow sufficient time to elapse before analyzing their impact.
  • Align messages with your staff and organization
    It is essential that the messages in awareness campaigns are relevant, achievable and do not negatively impact the way staff work. Irrelevant or unfeasible messages can have negative consequences and show a lack of appreciation for staff needs.

In short…

Understand that awareness is only the first step. While awareness is essential, it does not guarantee that staff will follow the recommended behavior. It may be necessary to identify technical or cultural barriers and develop alternative solutions to ensure that staff comply with the recommendations and that awareness campaigns are effective. This requires tailored messages, sufficient time to assess impact and positive messaging. By applying these best practices, organizations can create a culture of cyber security and promote staff involvement in security initiatives.

Getting help from trained professionals is something to consider. We at OpenSight can give advice and cyber awareness training to support your cyber security. Contact us today and we will gladly help you and your team move toward a better and more secure cyber environment.

OpenSight Summer Series

During the OpenSight Summer Series, we publish weekly blogs that elaborate on the following topics:

  1. Risk management
  2. Engagement and training
  3. Asset management
  4. Architecture and configuration
  5. Vulnerability management
  6. Identity and access management
  7. Information security
  8. Logging and monitoring
  9. Incident management
  10. Supply chain security

By implementing the security measures outlined in these 10 steps, organizations can reduce the likelihood of cyberattacks and reduce the impact of potential incidents. Learn more about the OpenSight Summer Series here!


OpenSight Summer Series: A comprehensive guide to 10 essential cyber security measures

Posted on: 2 January 2024


Cyber security is an essential part of the activities within any modern organization. It’s fundamental to have an extensive cybersecurity plan at your disposal in order to protect your organization against financial and reputational damage caused by cyberattacks or data leaks. In this blog you’ll learn more about the ten essential steps for cybersecurity for organizations.

By implementing the security measures outlined in these 10 steps, organizations can reduce the likelihood of cyberattacks and reduce the impact of potential incidents.

During the OpenSight Summer Series, we will publish weekly blogs that elaborate on the following topics:

  1. Risk management
    The first step in developing a robust cybersecurity plan is to identify and assess potential risks to your organization. This includes conducting a comprehensive risk assessment that identifies the different types of risks facing the organization, including external and internal threats. The risk assessment should prioritize risks based on their potential impact on the organization, the likelihood of their occurrence, and controls already in place to reduce these risks.
  2. Engagement and training
    Cyber security is a collective responsibility, and every employee must be aware of the importance of cybersecurity and their role in protecting the organization. Therefore, regular engagement and training sessions should be held to educate employees on the latest cybersecurity threats, best practices for safe online behaviour and how to recognize and report potential security incidents.
  3. Asset management
    A crucial part of cyber security is asset management. This is all about identifying all the assets of an organization and analysing their value. This includes hardware, software and data. Once assets are identified, the organization can take measures to protect them, such as access control, monitoring, and encryption.
  4. Architecture and configuration
    A robust cyber security plan requires architecture designed with safety in mind. This includes implementing a secure network architecture and secure configuration management that restricts access to sensitive information and checks user rights. This also includes the implementation of firewalls, intrusion detection and prevention systems and other security measures to protect the network.
  5. Vulnerability management
    Vulnerability management is the identification and addressing of vulnerabilities within systems, applications, and networks of the organization. This includes regularly scanning for vulnerabilities, assessing the risk of each vulnerability, and taking action to mitigate the risks.
  6. Identity and access management (IAM)
    In the world of cybersecurity, Identity and Access Management (IAM) is a critical component. IAM includes managing user identities and controlling access to systems and data. It provides solutions for user authentication, authorization, and access control mechanisms to ensure that only authorized users have access to sensitive information.
  7. Information security
    Information security is the protection of sensitive information against unauthorized access, theft and destruction. For example, implementing data encryption, access controls and control measures to prevent data breaches and cyber attacks.
  8. Logging and monitoring
    Logging and monitoring are essential for detecting potential security incidents and cyber attacks. This includes collecting and analysing system and network logs, monitoring user activity and setting up automatic alerts to notify security personnel of potential threats.
  9. Incident management
    Incident management means having a plan in place to respond to security incidents and cyber attacks. This includes assembling a response team, defining roles and responsibilities, and establishing communication protocols to ensure an effective response to security incidents.
  10. Supply chain security
    Supply chain security is essential for organizations that rely on external sellers and suppliers. It implies that security measures should be taken to ensure that all suppliers and sellers follow the same security standards and have adequate security measures in place to protect sensitive information.

In short, an extensive cyber security plan is critical for any organization seeking to protect its data, reputation, and finances. The ten topics discussed in this blog provide a comprehensive framework for developing an extensive cyber security plan that can effectively protect an organization from cyber attacks. In the coming weeks, we will explore each of these topics in more detail.
Want to learn more in advance? Contact one of our experts!


Everything you need to know about ISO 27001:2022

Posted on: 2 January 2024

ISO 27001:2022 update

The transition to ISO 27001:2022. What is changing and what does it mean for your organization?

Why an ISO 27001 certificate?

Within the ISO standards world, it is customary to assess every five years whether a standard should be revised. The ISO 27001 standard, considered the standard for information security, was last updated in terms of content in 2013. The time for an update has finally come, and we will tell you all about the new ISO 27001.

ISO 27001:2013, as we know it

ISO 27001 is one of the most highly regarded and globally used standards for information security. It is an international standard that describes the requirements for an Information Security Management System (ISMS). An ISMS is a structured framework of policies, procedures, processes and systems used to manage and protect information security.

The now outdated version, ISO/IEC 27001:2013, has special requirements that an ISMS must meet. These include identifying information security risks, establishing security measures and monitoring performances. By complying with the ISO/IEC 27001:2013 standard, organizations can improve their information security processes, ensure data security and increase customer confidence. The standard applies to all types of organizations, regardless of size, location or industry.

The new ISO 27001 standard

As developments in the field of security continue at a rapid pace, it is customary to update security standards every few years. It’s therefore striking that the current version of the ISO 27001 standard dates from 2013 and has not been updated for ten years. But, now exactly ten years later, a new update has been announced. Meet the ISO 27001:2022.

The main changes in ISO 27001

The new version of ISO/IEC 27001:2022 addresses the new challenges facing organizations. The changes are mainly found in Annex A, in anticipation of the publication of ISO/IEC 27002. In this Annex A, security controls have been added, removed or merged. The changes now include cybersecurity and privacy issues, while control terms have been refreshed and additional guidance has been added. This will help organizations manage risk and ensure nothing is overlooked, ensuring proper follow-up. Considering the last version dates back to 2013, there have been quite a few changes to the security controls: 11 new, 58 updated and 24 merged controls, to be exact. A few examples of changing scenarios being addressed:

  • The adoption of digital technologies, such as cloud and automation.
  • A recent and increased adoption of these technologies.
  • The recognition of cybersecurity and privacy risks.
  • Reflecting the changing threat landscape, for example, with new types of malware and ransomware.
  • Aligning with other best practices, such as NIST, COBIT, etc.
  • Updating control language and adding additional guidance.

The key areas affected by these changes are:

  • Leadership
  • Business security
  • IT function
  • Delivery

Transition period ISO/IEC 27001:2022

In short, with the new changes going into effect with the advent of ISO/IEC 27001:2022, organizations must re-evaluate their risk assessments and reset security measures. What does that mean for your organization?

On Oct. 25, 2022, the new version of ISO/IEC 27001 was released. During the 3-year transition period, existing certificates must be transitioned to the new version by Nov. 1, 2025. After October 2023, you cannot recertify for the 2013 version. From then on, the transition audit must take place during the next scheduled audit, but can also be performed earlier as a special transition audit.

Does your organization need to re-evaluate risk assessments and re-establish security controls? If so, you have a transition period of 3 years. The transition to ISO 27001:2022 can be done either at recertification or at the annual follow-up or control audit. At OpenSight, we are happy to help you certify for the new standards.

5 steps you can take to transition to ISO/IEC 27001:2022

  1. Become familiar with the content and requirements of the new version:
    It is critical that you familiarize yourself with the new version of ISO/IEC 27001 and understand what the changes are and mean in content from the previous version. Does your organization already have the 2013 ISO 27001 version? Then you should focus mainly on the changes that the revision brings. These are mainly in ISO 27002, or ISO 27001 Annex A.
  2. Train your staff:
    We can’t say it often enough. Make sure all employees in your organization are trained and understand the key changes and requirements. This will ensure that the entire team is up to speed on the new guidelines and practices.
  3. Perform a GAP analysis:
    To meet the new requirements, it is important to use a GAP analysis to identify where your organization is already meeting them and where adjustments or additions are needed.
  4. Establish an implementation plan:
    Based on the findings from Step 3, you can create a plan to meet the new requirements. Do set concrete actions and make clear deadlines for implementing these actions. Talk the talk, walk the walk.
  5. Update your management system:
    After implementing the actions laid out in the new action plan, update your management system to meet the new requirements. This may mean modifying existing processes or implementing new ones. Make sure you properly document and communicate these changes within your organization.

To make the transition to the new ISO as smooth as possible, it is very important to start preparing on time. By following these steps you ensure that you meet the new requirements and that your certification is renewed on time. In doing so, the experts at OpenSight are always ready to help you with questions or for advice.

OpenSight

Calling in a specialist is the wisest choice and saves a lot of time. The knowledge and experience of a specialist ensure a worry-free process. Moreover, an independent auditor should be appointed. By taking OpenSight as a partner, you can be sure that the knowledge and experience is there to ensure the best possible process. Because of the specialized knowledge and experience in cybersecurity, you are guaranteed to obtain the ISO 27001 certificate.

Knowledge
OpenSight has been dealing with cybersecurity for companies for years. Originated out of an interest, developed into a passion and eventually formed into a company with helping services.

Experience
Numerous companies have previously partnered with OpenSight and as a result have achieved great successes regarding cybersecurity. From improved business processes to certifications and from consulting to implementations.

Documentation
Clear and accurate documentation is the foundation of cybersecurity. From the plan of action to checkpoints to recording calamities that have occurred and been resolved. In fact, most documentation is necessary for achieving and maintaining certifications. It also increases visibility into the progress and status of the management system.

Time Saving
With compliance software and help from OpenSight, you can minimize the pressure on the organization, which saves an enormous amount of time. Consider, for example, the scheduling of regular tasks that happen automatically according to the set frequency, and other automations.

Integrations
Integrations with Microsoft Teams or Slack are frequently requested options. This allows tasks arising from management to be distributed within the organization. From our experience, many organizations benefit from using such integrations and maintaining, for example, their ISO 27001 management system. OpenSight can provide this.

Download the ISO 27001:2022 transition brochure

In short, with OpenSight’s service you can easily complete your certification or transition to ISO 27001:2022. You get access to experienced experts, independent advice and practical support in implementing security measures and management systems. Fill in your details below to download the brochure and find out how our ISO service can help your organization.


Improve your cybersecurity with OpenSight’s eCISO Service

Posted on: 2 January 2024

Is your organization sufficiently protected against the increasing threats of cyber attacks? In an era of digital transformation, it is essential to have a structured policy that focuses on cyber resilience. Criminals and malicious parties are constantly looking for vulnerabilities, and it is no longer a matter of ‘if’, but rather ‘when’ your organization becomes involved in a cyber attack.

At OpenSight, we understand the challenges organizations, such as SMBs and municipalities, face when it comes to cybersecurity. That’s why we developed the eCISO Service to support your organization in improving cyber resilience. With our service you’ll always have access to senior experts who are constantly working on security and who have experience in various sectors. They are uniquely qualified to shape your improvement process, so that your security initiatives will skyrocket.

OpenSight’s eCISO Service focuses on three specific domains:

  1. Small and Medium Enterprises (SME)
    Speed up your security projects with the pragmatic solutions of our CISOs. They will help you improve your security by training people, building processes and advising on relevant technologies.
  2. Investors
    Keep your investments safe. Our CISOs provide insight through security audits, risk analyses and advice. This gives you a clear picture of your investments and prevents surprises.
  3. Framework implementation
    Implementation Services that will work. Our pragmatic approach to implementing a management framework (ISO/BIO/NEN) fits smoothly into your processes, saving you time and money.

We also offer the external Chief Information Security Officer specifically for the SME segment. The threat to SMEs has increased dramatically in recent years, partly due to the availability of automated tools on the dark web that allow criminals without expertise to carry out attacks. Our experienced CISOs ensure that the cyber security policy closely aligns with your processes and that the desired security level is achieved. With an e-CISO, you get strategic and operational leadership on security, compliance and privacy without the cost of a full-time position.

What are the benefits of our eCISO Service?

  • Access to senior experts without unnecessary high costs.
  • Independent advice for optimal risk reduction and optimization of your current and future security investments.
  • Scalability to your needs, with the ability to temporarily adjust services for occasional projects or acute incidents.

Cybersecurity is essential for the continuity of your organization. Our experts help you gain a clear insight into the maturity of your security policy and measures taken. This reduces the risk of a security incident with a catastrophic impact, which in the worst case could even lead to bankruptcy.

Our eCISO service allows you to audit potential investments against industry standards (ISO, NIST, CIS). You’ll receive a clear report outlining all risks and opportunities, so you’ll know exactly where you stand.

For investors in the process of implementing an information security or quality management system, this process can be complex and time consuming. Our experienced eCISOs have completed successful implementation processes and can prevent the most common misconceptions. They can help you set up the management system and implement specific components depending on the needs of your organization. At OpenSight we strive to provide a flexible approach that’s customized to your wishes and needs. We support a wide range of norms and standards and help you achieve your certification goals with our hands-on, pragmatic approach.

Download the eCISO Service brochure

With OpenSight’s eCISO Service you’ll be able to improve your cyber resilience by accessing experienced experts, independent advice, and practical support in implementing security measures and management systems. Fill out your details below to download the brochure and find out how our eCISO Service can help protect your organization from cyber threats.


NIS2 is here, now what? Here’s what it means for your company

Posted on: 2 January 2024

nis2, what now?

New European directives for cybersecurity have been in effect since January 2023: The Network and Information Security 2 (NIS2). These directives are applicable to a wide range of sectors. It’s very important for companies and organizations to comply with these directives. In this blog you’ll read what exactly the NIS2 means, which sectors are covered by the directives and how organizations should prepare for the NIS2.

What is NIS2?

The NIS2 legislation is an extension of the NIS legislation and aims to guarantee a higher level of security of network and information systems within the European Union. This is achieved by requiring Member States to adopt and implement appropriate security measures. The goal? Reducing the risks of cyberattacks and limiting their consequences. The NIS2 targets companies and organizations operating in vital sectors, such as energy, transportation, healthcare, and financial services, as well as other sectors that are critical to keeping our economy and society running.

Why is NIS2 compliance important?

Companies and organizations subject to the NIS2 have a very important task in the coming period: to be NIS2 compliant. Failure to comply with the NIS2 leads to high fines that can run up to 2% of annual turnover. But more importantly, NIS2 compliance is necessary to ensure digital security and prevent cyberattacks. The NIS2 directives require companies and organizations to take their digital security to a higher level and adapt to increasing cybercrime threats.

What if you don’t belong to the mentioned sectors?

Although the NIS2 directives mainly focus on companies and organizations operating in vital sectors, it is well worth remembering that these directives can also affect companies and organizations that do not qualify as a vital sector. For example, companies that supply to companies that do fall under these sectors may also be asked to comply with the NIS2 directives in order to continue to deliver. It’s important for companies to consider the impact of the NIS2 directives on their customers and suppliers and to take timely measures to comply with these requirements.

How can you prepare for NIS2 as a company or organization?

As a company or organization, you can prepare for the NIS2 by first determining whether the directives apply to your company or those of your customers or partners. On our website, we previously posted a blog with information about these guidelines. Next, it’s important to identify what measures are needed to become NIS2 compliant. This can be done by identifying security risks, limiting these risks and limiting the consequences of cyber incidents.

Not yet NIS2 compliant? These are the consequences:

There’s no exact number available of EU companies that are already fully compliant with the NIS2 directives. However, companies that fall under the mandatory sectors must be NIS2 compliant. This applies not only to large companies, but also to small and medium-sized enterprises. It’s important to realise that the NIS2 directives aren’t optional and there are high fines for non-compliance.

In addition to the financial consequences, it can also lead to reputational damage if a cyberattack occurs due to non-compliance with the NIS2 directives. You should not only strive to be NIS2 compliant to avoid fines, but also to ensure digital security and maintain the trust of customers and partners.

How to become NIS2 compliant

Although the NIS2 went into effect back in January, organizations and companies still have some time to prepare for it. According to the planning of the National Cyber Security Center (NCSC), the NIS2 legislation won’t fully come into force until 2024. In the meantime, organizations can use different tools like the Risk analysis roadmap of the Digital Trust Centre. In addition, it’s wise to appoint a NIS2 compliance officer who is responsible for the implementation and compliance of the NIS2 directives within the company. This is because the NIS2 has major consequences for companies and organizations in Europe, including the Dutch business community.

The simplest solution for NIS2

Do you want simplicity and certainty? Choose the help of OpenSight! With the help of Cyberday, our experts get to work on your cyber security. Cyberday offers transparency for you as a company, expertise for cybersecurity solutions, and the documentation and logging needed to comply with cybersecurity standards such as NIS2. All this in combination with the help, advice, and watchful eye of cybersecurity experts from OpenSight.

Please feel free to contact us for a consultation. We are happy to help!
Or download the NIS2 brochure.


Does the NIS2 apply to your company? Here’s what you need to arrange

Posted on: 2 January 2024

what does nis2 mean for companies?

As of January ’23, all companies and organisations within Europe have to comply with the new NIS2 directives. A major difference with previous legislation is that the NIS2 includes sanctions and the board can be held accountable if insufficient action has been taken in the area of Cyber Security. Because the guidelines of the NIS2 apply to considerably more sectors and branches, it’s important that SMEs in the Netherlands and in other European countries get their act together. In this blog you can read what you as a company must comply with and what exactly the NIS2 entails.

What is NIS?

NIS is short for Network and Information Security and is the first legislation in Europe in the field of cyber security. (The NIS has also been in force in the Netherlands since 2016 and has been converted in the Netherlands into the Wet Beveiliging netwerk- en informatiesystemen [WBNI]. This guideline motivates companies and organizations to organize and tighten their digital security.) With the sharp increase in cyber-attacks, the European Commission presented a new EU security strategy in 2020: the NIS2.

Where the NIS is limited to only the large companies in vital sectors, like drinking water supplies and telecom, the NIS2 goes a step further. The NIS2 will definitely have a bigger impact on EU business. This mature version of the NIS focuses on three pillars of security:

  • Security risk mapping;
  • Protection and detection to mitigate risks;
  • Limiting the consequences of cyber incidents.

With the NIS, many companies still get away with complying with the GDPR (AVG in the Netherlands) and other ‘basic rules’. But now that the NIS2 guidelines are in force, many companies really have to pull out all the stops when it comes to cybersecurity.

Do you want to know more about how to approach this, or are you curious how compliant your organization is at the moment? Our experts are ready to answer your questions!
Or download the NIS2 brochure.


Risk-driven information security

Posted on: 27 December 2023

computer monitor with security shown on screen

Adopt a risk-based approach to information security.

Taking risks is a natural part of doing business. Risk management forms the basis for decisions and creates a healthy balance between threats and opportunities. Both are necessary to achieve the organizational objectives as well as possible. Risk management in the cybersecurity domain ensures that an organization’s technology, systems and information are protected in the most appropriate way and aligned with the things that are important to your organization. A good approach to risk management is embedded throughout the organization and complements the way you manage other business risks.

Risk management in security

Every organization has to deal with risks. Most people are aware of the fact that you simply cannot erase or avoid every risk. It’s all about getting the balance right. Risk management is the ideal process that helps make decisions with the right balance between threats and opportunities to best achieve organizational objectives. Risk management in the security domain helps with protecting data (and all concerned systems and technology) in an organization and deploying limited resources where they will have the greatest impact. You can make better decisions through risk management, but for this to happen, it must be embedded in the organisation.

What are the advantages of risk management?

Good risk management is about:

  • the right information to improve decision making;
  • helping delegate decision-making across the organization while maintaining appropriate board-level oversight;
  • providing a foundation to adapt and respond effectively to new threats and opportunities as they arise;
  • providing an accurate understanding through guidance, whether you are new to cyber risk management or are trying to assess the effectiveness of existing approaches. In doing so, you get a better picture of what a good approach to risk management looks like in the context of your organization.

What should you do?

Consider the broader context in which you want to manage cyber risk

Think about what your organization does and cares about: what are the business priorities and goals? This may seem like an odd starting point for cybersecurity, but it forms the basis of cyber risk management. Cyber risk management is not separate from what an organization wants to achieve but must support the organizational objectives. Think about the risks you are willing to take to achieve the organizational goals. Based on these risks, you can make decisions about the steps you need to take to manage the cybersecurity risk.

Consider what governance structures are in place to manage business risks

How does managing and communicating about cyber risks fit within those structures? Effective governance is important for good cybersecurity risk management. The reason for this? The actions that an organization takes to limit cybersecurity risks are monitored and controlled. Addressing and managing cybersecurity-related risks should be managed in a way that works for your organization.

Ensure that the organization has an adequate policy

An adequate policy approved and owned by the board of directors – outlining the risk management strategy for the organization as a whole – is a must. Make sure that the board collectively has sufficient knowledge regarding cyber security. This ensures that the board understands how cybersecurity supports overall organizational goals. Provide the board with sufficient information, in a format that is manageable when making decisions.

Understand where cyber risk management should be applied

Think about the range of technology, systems, services and information your organization uses. It is important that different sources of information are used to help identify the scope. For example, you can use asset registers and system diagrams for existing systems. For systems in development, you can start with high-level design. Talking to those who use, manage, or are affected by the systems or services will give you a better understanding of what needs to be protected and why. Don’t forget to include elements that may be beyond your direct control but are still part of the broader risk concerns like the supply chain, use of third-party services and cloud services.

Think about how employees interact with technology, systems and services

How employees deal with the various systems, networks and services within the organization is also something to think about. How are employees supported to do this in a safe and usable way? If you include this in risk management, the cybersecurity risks of the organization are further mitigated. Systems include people, processes and technology: the way cyber risk management is deployed must take into account these different elements and how they interact with each other.

Choose a cybersecurity risk management approach that fits the organization

Consider which approach to cybersecurity risk management, or a mix of approaches, is right for your organization. There are countless tools, methods, frameworks and standards to choose from. This depends on the standards or regulations that are followed within the organization, costs and/or level of knowledge. The most important part? Go for an approach that is right for your organization and that reveals good risk information about the systems and services. It is not always necessary to carry out a detailed risk assessment. Using a baseline such as Cyber Essentials to provide information about the basic controls needed is often enough to protect against most cyber risks.

Do you want to know more about the correct implementation of risk management? One of our experts will be happy to help you on your way!


What different types of hackers are there?

Posted on: 27 December 2023

Different types of hackers

There are a lot of different definitions of the word ‘hacker’ available on the internet. The most commonly accepted definition of hacker is the following: a person who uses computers to get access to data in somebody else’s computer or phone system (without permission). Of course, there are different degrees of hacking and there’s also a difference in what kind of hackers there are. For example, there are hackers who don’t mean to inflict any harm, but do fall under the definition of ‘hacker’. This blog will tell you more about the different types of hackers.

Different types of hackers and their characteristics

In a previous blog on our website you could read more about the different forms of hacking and how you can protect yourself against these cyber-attacks. But every hacker works differently. Below is an overview of the different types of hackers that exist and how they operate.

Different types of hackers

Black Hat Hackers

First on this list are the black hat hackers. This kind of hacker hacks networks and systems in order to steal personal data, to inflict harm or to carry out any other illegal activity. The phrase ‘black hat’ refers to the fact that these types of hackers usually operate outside the law and don’t follow any moral codes that apply to legal hacking activities. Black hat hackers often use malware to infect computers or to phish users. Another approach these hackers often use is hacking websites to steal personal and/or sensitive data. The main goal of these hackers? Profit. Black hat hackers sell data and sensitive information of others on the dark web.

White Hat Hackers

On the other end of the spectrum we find the ‘white hat hacker’. These hackers are a lot ‘friendlier’ than the black hat hackers. These hackers, also known as ‘ethical hackers’, hack systems and networks for the purpose of detecting and resolving security vulnerabilities. This can be done with and without the consent of the company or organisation that is getting hacked. The term ‘white hat’ refers to the fact that these hackers, as opposed to the black hat hackers, do follow the rules of the law and adhere to the moral codes that are associated with it. For example, white hat hackers are often called in to help companies with security testing or they work with the government to detect security vulnerabilities. These hackers are professional security experts that are concerned with testing systems to see if they are vulnerable to attack. White hat hackers’ activities are focused on improving security and preventing cybercrime, rather than on making profit or harming systems.

Blue Hat Hackers

Blue hat hackers are kind of like white hat hackers. These hackers are hired by an organization or company to conduct a security assessment of their computer systems, networks and websites. The goal? Identify and fix weaknesses and vulnerabilities in the system so that companies are more resistant to attacks from malicious hackers. A Blue Hat Hacker is generally an ethical hacker. By that we mean they use their skills and expertise to improve security rather than harm or steal information.

Green Hat Hackers

Green hat hackers are the rookies of the whole bunch. This type of hacker just started learning about hacking and computer security. They oftentimes focus more on gaining knowledge and improving their skills than engaging in cybercrime. Green hat hackers are seen as the group in the middle: often morally grey and not as skilled as both the white hat hackers and the black hat hackers.

Script Kiddies

Last on the list of popular hackers are the script kiddies. Script kiddies are a type of hacker that uses pre-existing tools and scripts, often without a full understanding of how they work, to attack computer systems and networks. They’re called “script kiddies” because they rely on scripts and tools written by others instead of on their own expertise. This is exactly why they usually aren’t taken very seriously as hackers, or at least not as a serious threat. This group of hackers often consists of students and/or teenagers.

Protect your data

There are a lot of ways to get hacked. That is why it’s important to protect your accounts, systems and network against the different forms of hacking. As you can read in this article, there are also ethical hackers and security experts that you can call in to test the security of your company.

If you want to know more about hackers, types of hacking or need help with the security of your company, please contact one of our experts!
