Addressing Cybersecurity Vulnerabilities Without An In-House IT Staff
Initially, Seasons Living, which provides safe and vibrant senior living communities across Queensland, engaged Mangano IT to address the organisation’s legacy applications and end-of-life infrastructure, including various PBX telephony systems and on-site servers.
However, early conversations revealed that Seasons Living did not have someone internally who was managing IT from a strategic perspective. Not only did this result in operational inefficiencies and disruptions for Seasons Living, it also left the company vulnerable to cyber-attacks — as well as the costs associated with resolving a breach and the potential for significant reputational damage.
Making Security a Priority at Seasons Living
Mangano IT’s security specialists worked closely with Seasons Living’s CEO to undertake a detailed review of the company’s systems, including identifying critical services and infrastructure in order to manage risk associated with those assets. As part of this work, Mangano IT leveraged its deep bench of talent to evaluate each component of Seasons Living’s infrastructure, comparing its configuration against best-practice standards.
Further, Mangano IT mapped Seasons Living’s risks against National Institute of Standards and Technology (NIST) guidance to gain improved visibility into security risks, as well as a methodology for managing prioritised risk moving forward. By mapping Seasons Living’s baseline status against specific NIST CSF subcategories, Mangano IT was able to generate an overall snapshot of which NIST CSF categories the company has addressed and where gaps remain, in addition to providing a standard against which the company can measure its progress over time.
The NIST Cybersecurity Framework (CSF) provides a customisable, digestible methodology to identify and manage cyber risk within an organisation and prioritise the most effective use of resources.
Paul Mangano, Managing Director, Mangano IT
Going Beyond Standard Security Assessments
The result of Mangano IT’s work was a 150-page Security Assessment, which set out 40 recommendations based on the risks. Compared with market-standard automated security scans, the hands-on nature of Mangano IT’s in-depth technical risk assessment process helped to identify risks that would have otherwise gone undetected by Seasons Living.
Both short-term and long-term recommendations were included in Mangano IT’s reporting, as was a separate document detailing the prioritised risks identified and a corresponding three-year implementation plan. Importantly, these findings were presented not as technical documentation, but as a PowerPoint business case. This ensured that both the risks identified and Mangano IT’s recommendations would be accessible to all members of Seasons Living’s team, regardless of their technical fluency.
Mangano IT’s robust risk assessment gave us important line of sight on the extent of our potential risks and ensured we could rate, prioritise and address these as part of an ongoing program of security improvements.
Tracey Silvester, CEO, Seasons Living
Some of the key risks identified by Mangano IT include a lack of visibility and prioritisation of cybersecurity risks on Seasons Living’s part, identity and access management (IAM) issues — including the use of shared accounts and multifactor authentication (MFA) not being enforced on all accounts — lax network restrictions, and a lack of data loss prevention (DLP) efforts, such as email security measures and insider threat protection.
Improving ‘bring your own device’ (BYOD) policies, deploying insider threat protection measures, disabling legacy authentication, enhancing internal network protection, and developing business continuity and incident response plans were also identified as opportunities for Seasons Living to improve its security posture.
Taking Action to Build a Secure Future
Throughout this initial phase of its work with Mangano IT, Seasons Living has improved security by implementing Microsoft Intune to manage application provisioning on user devices, creating safeguards that allow users to access applications without compromising security, establishing stronger BYOD protocols, and implementing an additional Office 365 backup.
Implementing other ‘quick wins’ recommended by Mangano IT — such as restricting guest usage of the company’s corporate WiFi network — ensures that Seasons Living is already seeing measurable improvements from its investment in security.
In addition, the company will have a clear plan to follow in the event of a cybersecurity incident. Combining Mangano IT’s templated incident response protocols with a tabletop exercise that allowed their guidance to be tested and customised for Seasons Living’s needs means that — should a breach occur — both the business impact and cost of responding to a breach will be minimised.