Cyber Security Fundamentals

Tom Davies, CFO at CyberLab, explores the big question: Should you build an in-house security team or outsource to an MSSP?

In a recent CyberLab webinar with Logpoint‘s Director of Sales Engineering, Paul Gower, we delved into two critical areas of cyber security that are essential for protecting public sector organisations: Cyber Assessment Frameworks (CAF) and Log Management.

These frameworks, some of which are provided by the NCSC, provide the foundation for identifying, mitigating, and responding to cyber threats in a structured and effective manner.

As public sector organisations face increasing cyber risks, from data breaches to ransomware attacks, understanding and implementing robust cyber assessment frameworks and effective log management strategies is vital.

Cyber Assessment Frameworks (CAF) are designed to guide organisations through the process of evaluating and improving their cyber security posture. The recent webinar underscored that a key challenge for public sector bodies is ensuring that their security measures align with regulatory and compliance requirements, while also addressing the dynamic nature of cyber threats.

A CAF provides a systematic way to assess an organisation’s existing cyber security controls, processes, and policies. These frameworks are essential for identifying vulnerabilities, understanding risks, and establishing best practices for mitigating those risks. For public sector organisations, implementing a CAF offers a clear path to achieving a high level of resilience against cyber threats.

The key components of a cyber assessment framework discussed in the webinar included:

• Risk Assessment: Understanding the unique cyber risks faced by public sector bodies, such as the protection of sensitive citizen data and the security of critical national infrastructure (CNI).
• Controls and Policies: Ensuring that security controls and policies are well-defined and effectively enforced. This includes user access controls, data protection measures, and incident response protocols.
• Continuous Improvement: Emphasising the importance of regular reviews and updates to the cyber security posture, as threats and technologies evolve.

By adopting a CAF, public sector organisations can not only meet compliance standards but also ensure that they are proactively addressing security risks in an evolving threat landscape.

Log management emerged as another central theme in the webinar, with experts explaining its role in cyber security. Logs contain crucial information about system activities, user interactions, and network traffic. When properly managed, logs provide a valuable source of intelligence that can help organisations detect, analyse, and respond to security incidents.

For public sector organisations, log management is particularly important due to the sensitive nature of the data they handle. Effective log management enables security teams to track potential breaches, identify suspicious activities, and maintain a clear audit trail for compliance purposes.

The webinar emphasised the following best practices in log management for public sector organisations:

• Centralised Logging: Aggregating logs from various systems and platforms into a centralised location ensures that security teams have a comprehensive view of activities across the organisation.
• Real-Time Monitoring: Continuous monitoring of logs enables teams to identify and respond to threats as they occur, reducing the risk of delayed detection.
• Retention and Compliance: Retaining logs for the required period and ensuring that they meet regulatory compliance standards is essential, especially for public sector organisations that are subject to strict data protection regulations.
• Log Analysis and Automation: With the volume of logs generated daily, manual analysis can be overwhelming. AI-driven log analysis tools can automate the process of identifying anomalies and potential threats, allowing security teams to focus on higher-level decision-making.

A key takeaway from the webinar was the importance of integrating cyber assessment frameworks with log management strategies. Both components complement each other to create a more holistic approach to cyber security.

By aligning the findings from cyber assessments with real-time log data, public sector organisations can continuously evaluate their security posture and ensure that they are detecting and responding to emerging threats. This integrated approach can also help organisations improve their incident response times, reduce vulnerabilities, and strengthen overall resilience.

For example, during an active cyber attack, logs can provide critical insights into how an attacker is moving through the network, while the cyber assessment framework ensures that appropriate defensive measures are in place to respond to such threats. Together, these elements form a robust defence against the growing number of cyber threats targeting public sector organisations.

Secure Access Service Edge (SASE) is a modern approach that combines wide area networking with cloud‑delivered security to provide secure, reliable access to applications and data from any location.

As organisations adopt hybrid work and cloud services, SASE helps maintain consistent security and user experience without relying on traditional, data centre‑centric designs.

CyberLab explains what SASE is, the core components, how it differs from Security Service Edge (SSE), and when to prioritise each.

SASE (pronounced “sassi” or “sassy”) converges SD‑WAN capabilities with cloud‑based security controls. Instead of routing all traffic through a central data centre, SASE enforces security as close as possible to the user, device or branch, and then connects to applications wherever they live, whether in public cloud, private data centres or SaaS.

At its core, SASE:

• Uses identity as the primary control point. Policies follow the user, device and context, not an IP address or fixed location.
• Delivers networking and security as a service, so controls are consistent and scalable.
• Improves user experience by steering traffic intelligently and enforcing security without unnecessary backhaul.

SASE brings together several building blocks. Individual features may already exist in many environments; SASE unifies them with a single policy and delivery model.

1) Software‑defined Wide Area Network (SD‑WAN)

SD‑WAN uses software to route traffic over multiple links such as MPLS, broadband and LTE. It prioritises important applications, improves resilience and reduces reliance on costly private circuits. Policies decide the best path based on performance, availability and business need.

2) Cloud Access Security Broker (CASB)

A CASB sits between users and cloud services to apply enterprise security policies. Typical functions include authentication, authorisation, data loss prevention, encryption or tokenisation, device posture checks, logging and threat detection for SaaS usage.

3) Firewall as a Service (FWaaS)

FWaaS delivers next‑generation firewall capabilities from the cloud. Instead of running and scaling on‑premises appliances, traffic is inspected in the provider’s fabric using a consistent rule set for all locations and users.

4) Zero Trust Network Access (ZTNA)

ZTNA replaces broad network access with explicit, least‑privilege access to specific applications. Every request is authenticated and authorised based on identity, device health and context. The principle is simple: never trust, always verify.

5) Secure Web Gateway (SWG)

An SWG protects users when accessing the web. It filters malicious content, enforces acceptable use policies, applies DNS and URL controls, and inspects traffic for threats and data exfiltration.

Security Service Edge (SSE) focuses on the security stack of SASE without the SD‑WAN element. SSE typically includes ZTNA, CASB, SWG and FWaaS delivered from the cloud. It is often the fastest path to modernise security for a distributed workforce when the underlying WAN is not being replaced.

• Choose SSE when the priority is to standardise and uplift security controls for remote users, branches and cloud access, while keeping the existing WAN in place.
• Choose SASE when you also want to modernise the WAN, consolidate providers and policies, and optimise performance end to end.

1. User or device connects from any location.
2. Traffic is steered to the nearest point of presence for policy enforcement.
3. Identity, device posture and context are evaluated.
4. Security controls are applied: ZTNA for private apps, SWG and CASB for web and SaaS, FWaaS for general traffic.
5. SD‑WAN selects the optimal path, delivering consistent performance and security.

This model removes unnecessary backhaul, improves visibility and simplifies operations with one policy plane.

1. Consistent security everywhere: The same policies apply to users in the office, at home or on the move.
2. Identity‑centric control: Policies follow users and devices, improving auditability and incident response.
3. Better user experience: Local breakout and smart routing reduce latency and improve SaaS performance.
4. Operational simplicity: Fewer point products, centralised policy and unified monitoring.
5. Scalability and agility: Capacity and features scale as a service, not by installing new hardware.
6. Stronger zero trust posture: Minimise implicit trust and reduce lateral movement.

1. Map use cases and traffic flows
   Identify who needs access to what, from where and on which devices. Prioritise high‑value applications and sensitive data.
2. Establish identity and device health as gates
   Integrate identity providers and device management so that policy decisions consider user role and device posture.
3. Start with SSE for quick wins
   Deploy ZTNA for private apps, SWG and CASB for web and SaaS, and FWaaS for consistent inspection. This can coexist with your current WAN.
4. Plan SD‑WAN evolution
   When ready, add SD‑WAN to consolidate connectivity, improve performance and complete the SASE model.
5. Consolidate vendors and policies
   Aim to reduce overlap and complexity. Fewer consoles and a single policy model make operations more effective.
6. Measure and iterate
   Track user experience, incident rates and policy coverage. Use findings to refine posture and roadmap.

1. Treating SASE as a product rather than an architecture and operating model.
2. Lifting and shifting legacy allow‑all access instead of enforcing least privilege.
3. Ignoring identity and device posture in policy decisions.
4. Running overlapping tools without a plan to consolidate, which increases cost and weakens visibility.
5. Neglecting change management and training, which are essential for adoption.

CyberLab helps organisations assess where SASE or SSE fits, design a pragmatic roadmap and implement the right controls at the right pace. If your team would like to explore options or validate your direction, we are available for a free initial consultation to discuss goals, constraints and next steps.

We help organisations work securely from anywhere, with security that is consistent, proportionate and easy to manage.

Discover the key takeaways from the Securetour 2023 session “Protect Everything With Microsoft” as we delve into the wide range of comprehensive solutions and strategies provided by Microsoft. Explore how these offerings can safeguard and fortify your valuable digital assets in today’s interconnected landscape.

This article covers:

• Understanding the Cyber Security Landscape
• Microsoft’s Comprehensive Security Solutions

Securetour, the virtual cyber security event, brought together industry experts to share valuable insights and strategies for fortifying digital defences. In one of the sessions, Damian Andrews from CyberLab and Jon Davies from Microsoft (MS Link) shed light on the importance of robust cybersecurity measures and how organisations can benefit from Microsoft’s comprehensive security solutions.

This blog post explores the key takeaways from their session and highlights the role of Chess ICT and CyberLab in helping organisations strengthen their cybersecurity posture.

Cyber threats are more sophisticated than ever, driven by AI-powered attack vectors, deepfake phishing, and supply chain vulnerabilities.

Damian Andrews, Security Consultant at CyberLab, emphasised during SecureTour 2025 that organisations must adopt proactive, layered defence strategies to protect sensitive data, infrastructure, and intellectual property.

Jon Davies, Chief Security Advisor at Microsoft, outlined how Microsoft’s Secure Future Initiative (SFI) is transforming cybersecurity through AI-first principles and Zero Trust architecture. [microsoft.com], [microsoft.com], [microsoft.com]

Key Components of Microsoft’s Security Ecosystem:

• Threat Protection & Detection: Microsoft Defender and Security Copilot use AI and behavioural analytics to detect and respond to threats in real time. [microsoft.com]
• Identity & Access Management: Azure Active Directory (now Microsoft Entra ID) enforces multifactor authentication, conditional access, and identity governance to prevent unauthorised access. [microsoft.com]
• Data Protection & Compliance: Microsoft Purview and Information Protection tools help classify, label, and secure sensitive data across hybrid environments. [microsoft.com]
• Cloud Security: Azure’s built-in security controls, combined with Microsoft Defender for Cloud, provide visibility and protection across workloads, endpoints, and cloud services.

CyberLab continues to be a trusted partner in helping organisations implement Microsoft’s security solutions effectively. At SecureTour 2025, CyberLab showcased real-world attack simulations, incident response strategies, and AI-driven threat detection.

CyberLab Services:

• Security Consultancy: Tailored assessments and implementation support for Microsoft security tools.
• Security Awareness Training: Programmes to build a cyber-aware workforce.
• Managed Security Services: 24/7 monitoring, incident response, and continuous improvement.

CyberLab’s MDR service now integrates natively with Microsoft 365, Azure, and Intune, ingesting telemetry from Exchange Online, Teams, SharePoint, and Entra ID to detect phishing, MFA bypass attempts, and suspicious inbox rules.

In today’s digital-first economy, SMEs face increasing cyber risks – from phishing and ransomware to insider threats and misconfigured systems.

With 43% of UK businesses reporting cyber incidents in the past year and SMEs accounting for over £3.4 billion in losses annually, robust cyber security is no longer optional – it’s essential for survival.

While achieving “cyber security nirvana” may be unrealistic, SMEs can build layered defences that offer confidence and resilience against evolving threats.

1. Next-Generation Endpoint Protection

Traditional antivirus tools are no longer sufficient. SMEs should invest in modern endpoint protection that uses behavioural analysis to detect threats—even those not yet catalogued. These solutions monitor suspicious activity and respond in real time, offering proactive defence against ransomware and malware.

2. Patching and Vulnerability Management

Unpatched software remains one of the most exploited attack vectors. With Cyber Essentials v3.2 now requiring patches within 14 days for high-severity vulnerabilities, SMEs must implement automated patching and maintain visibility across their IT estate.

3. Security Awareness Training

Human error is a leading cause of breaches. Regular training helps employees spot phishing attempts, use strong passwords, and follow secure practices. Simulated phishing campaigns and interactive modules can dramatically reduce risk.

4. Modern Firewalls

Next-generation firewalls offer dynamic threat detection, application-aware filtering, and integration with endpoint tools. These systems adapt to changing network behaviours and reduce manual rule management, making them ideal for SMEs with limited IT resources.

5. Disaster Recovery Planning

A well-tested disaster recovery (DR) plan is critical. SMEs should identify business-critical systems, define recovery time objectives (RTOs), and choose appropriate backup technologies. Regular testing ensures that recovery procedures are effective and actionable when needed.

Security tools are only effective if properly configured. SMEs should conduct regular penetration testing, phishing simulations, and DR drills to validate their defences and uncover gaps before attackers do.

Cyber Essentials and Cyber Essentials Plus remain vital for SMEs seeking to demonstrate baseline security and win public sector contracts. The 2025 updates emphasise cloud security, BYOD coverage, and stricter patching timelines.

Cyber security can feel overwhelming, especially for small and medium-sized enterprises (SMEs) with limited resources.

But there are simple, high-impact actions that can dramatically improve your organisation’s security posture. David Dixon, Security Testing Pre-Sales Consultant at CyberLab, outlines five practical steps every business should take.

Smartphones and tablets often access sensitive business data but operate outside the safety of office networks.

SMEs should:

• Identify what data mobile devices can access (e.g. email, Teams, OneDrive).
• Use mobile device management (MDM) tools like Microsoft Intune or Sophos Mobile to control access and enforce security policies.
• Ensure devices are encrypted, password-protected, and remotely wipeable.

Phishing remains the most common attack vector for UK SMEs.

To reduce risk:

• Apply the principle of least privilege – limit account access to only what’s necessary.
• Train staff to spot phishing signs: suspicious links, urgent language, poor grammar, and unexpected attachments.
• Implement a clear reporting process for suspected phishing emails.
• Use tools like Microsoft 365’s Phishing Investigation feature to automate detection and response.

Unpatched software is a major vulnerability.

SMEs should:

• Maintain an inventory of devices and software.
• Enable automatic updates and apply patches within 14 days of release.
• Monitor for end-of-support products and replace them promptly.
• Use vulnerability scanning tools to identify gaps missed by manual checks.

Weak passwords are a top concern for SMEs in 2025.

Strengthen access controls by:

• Enforcing multi-factor authentication (MFA) for all users, especially admins.
• Providing password managers to help staff create and store strong credentials.
• Avoiding frequent forced password changes – only reset when compromise is suspected.
• Monitoring for compromised credentials on the dark web using services like HackRisk.

Technology alone isn’t enough – your people must be trained to use it securely.

Build a strong security culture by:

• Offering regular awareness training and phishing simulations.
• Encouraging prompt reporting of incidents without fear of punishment.
• Making security part of everyday conversations, not just IT’s responsibility.