Executive summary 

• This brief explores an anonymised case study of a protective security assessment conducted on an early-stage company that relied on cloud services to connect its small global workforce.

• This operational model created potential risks in the areas of security culture, training, international travel, and incident management. 

• Delivering a useful security assessment and recommendations for the organisation required recognising and tailoring methodologies to reflect its circumstances. 

Struggling to keep on top of security as your start-up scales?

Learn more about our Security for Innovation & Investment Service

Protecting value requires more than point solutions - it requires integrated protective security.

Case description

This case study concerns an early-stage services provider. The company was based in the UK but had a small globally distributed workforce. Cloud services were integral to the company’s operations, both to connect its workforce but also in the services it provided to its customers.

As a B2B service provider operating in a non-sensitive sector of the economy, the company’s threat environment was benign compared to many organisations that we have supported. Nonetheless, the company was aware that it faced a substantial ‘background’ threat from criminal threat actors. 

Our protective security assessment identified several challenges around the company’s remote- and cloud-first posture configuration. These ran the gamut from cyber security risks to the potential for insider threats and insecure international collaboration. 

Mitigating security risks emerging from the company’s configuration required looking beyond traditional security models that assume the existence of physical sites and in-person interaction between employees. 

Protective security challenges

Our assessment of the organisation’s protective security posture varied by domain. Cyber security maturity ranged from medium to low. The use of a shared cloud service workspace meant that the company was well-positioned to achieve a baseline level of cyber security; we observed some gaps where the company relied on employees to provide their own technology.

The company evinced some good working practices around security but these were often the product of individual contributors with experience from other roles. Security depended too heavily on the actions of these individuals, rather than being an organic function of the organisation. 

The dependence on a global workforce created challenges for the development of security culture, delivery of effective security training, and management of personnel security risk. Personnel being located in multiple countries created elevated risk around insecure international collaboration, while increasing the importance of personal security for business travellers. Although these risks were manageable at the company’s current size, we recommended that ad hoc approaches would be unsuitable as the company expanded further.

The company lacked a defined incident management function or processes. While this is common for organisations at this stage of development, the company’s distributed workforce rendered it particularly vulnerable to disruption during an incident. A simple, fit-for-purpose plan for incident management supported by tested back-up communication channels would have provided a significant uplift in posture, particularly if regularly exercised.

Tailoring assessment to company context

A key challenge with this assessment was making it relevant to the context of an early-stage remote-first company operating in a comparatively low-risk sector. Many organisations have preconceptions that security is not a major concern given their area of operations, or that it is primarily a technical issue for cyber security professionals. 

Part of the challenge in assessments such as this one is the unsuitability of some traditional protective security methodologies. Traditional methodologies often assume the existence of physical offices, manufacturing sites, and other facilities. These methodologies can equally downplay the critical role of third-party cloud-based providers in enabling connectivity and productivity in modern early-stage companies. 

An effective approach to protective security assessment must reflect the realities faced by companies operating in the modern globalised digital economy. This environment brings great advantages, but also introduces hard-to-quantify security risks and significant challenges around visibility into company infrastructure. 

Lessons identified

Small, widely dispersed teams require additional support to develop a strong security culture.

• Strong individual performers can deliver results in isolation, but socialising these learnings across the organisation requires work.

• Finding ways to enable ‘face-time’ between teams brings benefits, but also produces its own challenges around cost and travel security risk.

Incident management presents different challenges for remote-first organisations.

• The absence of physical offices and control over key infrastructure shapes the responses that are available to companies during an incident.

• Developing resilient communications channels and fallback systems is important to enable continuity during disruptive incidents. 

Assessment methodologies must reflect the realities of the modern digital economy.

• Assessment methodologies should not unduly penalise companies that do not have physical premises or that rely on third-party providers for core services.

• Adopting a tailored approach produces a more valuable document for the user, highlighting priority areas to address. 

At Tyburn, we specialise at countering evolving threats to risk-sensitive organisations. Our experts bring experience in government, military, and academia to bear in delivering solutions to challenging problems.