Malicious software used to illegally mine cryptocurrency

compromise of the third-party JavaScript library ‘Browsealoud’

During the compromise, anyone who visited a website with the Browsealoud library embedded inadvertently ran mining code on their computer, helping to generate money for the attackers. No money was taken from users themselves, but the mining code performed computationally intensive operations that were used to earn the cryptocurrency. These operations may have affected the performance and battery life of the devices visiting the site.

Browsealoud was taken offline shortly after the compromise, mitigating the issue. However, website administrators and other JavaScript library developers may wish to take further steps to prevent future compromise by following the guidance from the National Cyber Security Centre (NCSC) below:

Advice for members of the public
  • The cryptojacking harnessed people’s computers to help ‘mine’ for cryptocurrency. This involves using your device to perform computations and does not take any money from you or your accounts.
  • The only impact on affected users’ computers was that they temporarily had minor performance loss and reduced battery power.
  • If you have experienced unusually slow performance from your computer or reduced battery life, or have visited the affected websites, we recommend:
    • Closing the browser you visited the webpage on is likely enough to stop the mining;
    • Clearing the browser cache will remove all traces of the code. Guidance on how to do this is available here:
Advice for website administrators
  • Make a risk-based decision on including third-party JavaScript in your site. This will vary depending on the size of the website you manage and who is supplying the code. Consider whether the code you are including could compromise your users, and balance this against the risk of this happening for your site.
  • If practical, consider hosting the JavaScript locally on your own server rather than linking to code hosted elsewhere. This means changes to the libraries require access to your server, although it also means you will need to install security patches yourself.
In certain cases, some technical measures can also help prevent inclusion of compromised third-party resources:
  • SRI (Subresource Integrity) allows the browser to check a cryptographic hash of the script to ensure that your users are running the unaltered version. However, SRI will only work if the script is relatively static. If it changes regularly, the hash will no longer match and the script will not be loaded by users. Also, browser support for SRI is not universal.
  • CSP (Content Security Policy) allows you to whitelist the locations from which scripts can be loaded. Several independent researchers have written that having a well-defined CSP in place would have blocked this attack.
We recommend putting the above mitigating measures in place where practical, and while we recognise these will not necessarily protect end users in all cases they will reduce the chances of your website being compromised.
Advice for third-party JavaScript developers
  • Implement robust change control for your code, including monitoring your codebase for unauthorised modifications, reviewing code contributions, and having a rapid takedown process in place for if a compromise is detected.
  • Where you offer hosted versions of your library, ensure that you have robust access control and logging in place for making changes to the library.
  • Consider supporting customers who wish to use Subresource Integrity (SRI). For example, providing numbered versions of libraries which remain static, and so have static cryptographic hashes, will enable customers to validate their integrity.

we can help...


Securestorm Director & Advisor to Public Sector, Tony Richards, said: "This is likely a result of improper security controls put in place. That is why we insist that the organisations we work with know exactly what is running on their systems, especially when procuring third-party services or features. In addition to NCSC guidance on the matter, organisations need to consider the overall security maturity of the third-party service provider at that initial phase, which helps to assess the level of risk that they may be exposed to at the outset."

If your organisation needs help risk-assessing third-party services, give Securestorm a call. As NCSC Certified Cyber Security Consultants, we focus on advising our clients with a pragmatic list of actionable solutions that allow organisations to make big changes fast and, most importantly, remain cyber secure.




UK industries: "Boost Security or Face Fines!"

new Government ANNOUNCEMENT to protect essential services from cyber attack

The UK Government issued a press release that warned British industries to boost cyber security or face hefty fines for leaving themselves vulnerable to attack. Here are the key points from the press release.

  • Organisations risk fines of up to £17 million if they do not have effective cyber security measures
  • Sector-specific regulators will be appointed so essential services are protected
  • National Cyber Security Centre publishes new guidance for industry

Link to the full article here.



The National Cyber Security Centre (NCSC), the UK’s centre of cyber excellence established in 2017, has published detailed guidance on the security measures to help organisations comply. These are based around 14 key principles set out in the NCSC consultation and government response, and are aligned with existing cyber security standards.


Cybersecurity is everyone's problem, not just the responsibility of IT departments.
Companies have to accept the fact that security has to be planned and implemented into all business processes. Most organisations that deal with large amounts of consumer data may need to appoint, outsource or train key responsible personnel such as CISOs, Information Security Officers and Data Protection Officers (DPOs).


By now most companies have built up a 'cyber-awareness': they know they must protect and invest in information security and IT assets to reduce the risk of breach, loss or exposure of data, theft of resources and damage to brand reputation, in addition to the hefty penalties that they might incur. Recent breach reports and news articles, such as the widely reported TalkTalk incident, are examples of why. However, the challenge is how, particularly when most businesses lack the key skills to do so.

Looking for the right security partner can be a daunting task, especially in a crowded marketplace. But there are some key factors to consider while looking for consultants that fit your purpose:

  • Trust: Find out if they have relevant industry accreditations. For example, being an NCSC Certified Cyber Consultancy would be a good start. It is not always about certifications over experience, but your selected security partner should hold relevant qualifications that suit your industry type.
  • Pragmatic: It is essential that your security partner provides practical advice and solutions that are carefully analysed and chosen to reflect the right balance of benefit and cost. That is why going for a 'one-size-fits-all' solution does not work. Depending on your organisation, a degree of flexibility is required due to factors such as the firm's size and strength, structure, cyber-security culture and maturity.
  • Experience: It is important to know that you are getting the skill-set you paid for. Many large and reputed IT security vendors have the best online presence, but when it comes to experienced talent to actually fulfil client responsibilities, they fall short. Our advice would be to get to know the team and look into their experience and client-delivery records.
  • Industry Exposure: Each industry has its own information security protocol to follow. Furthermore, there are also different sets of security guidelines, such as NIST and ISO 27001, that apply to different organisations. This is why choosing a partner with relevant industry exposure makes a difference to your security goals.
    - Are you a Government Body or an SME/Large Private organisation?
    - Or are you in a regulated industry like Banking, Finance or Telecommunications?

why securestorm?


Securestorm® are leading security experts who deliver pragmatic advice, practical solutions and solve security challenges across the Digital, Cloud, Cyber and Data Protection (GDPR) domains. With a combination of experience, expertise and strategic awareness, Securestorm offers technical and strategic consultancy, managed security services and solutions to clients across both Public and Private sectors.

Securestorm are a NCSC Certified Cyber Security Consultancy with demonstrable experience and proven delivery capabilities. Advanced security solutions and services include: Nol-ij® - Continuous Risk Management, Edgescan® - Full Stack Vulnerability Management, CybSafe® - Unified Cyber Awareness Platform, and Falanx MidGARD™ - Advanced Monitoring Platform.



The Ultimate Guide to DPO

Securestorm's experienced Data Protection Team has released an extensively researched guidance document to help understand the roles, responsibilities, regulations and applicability of Data Protection Officers, to clear up misconceptions and promote better understanding for organisations that are considering a DPO role within their practice.

Download our guide below or use our reading pane to preview the content:


DPO Guidance



Reach out to our knowledgeable GDPR Practitioners to address GDPR-related questions, for an invitation to complimentary GDPR learning sessions, or to discuss your personal or organisational requirements. We advise clients across the Public and Private Sectors on all things Data Protection (GDPR/Privacy), Cloud & Cyber Security.


Getting 'YOUR.COM' GDPR Compliant

a guide to gdpr compliance for your website

It’s only a few months until the General Data Protection Regulation (GDPR) comes into force, with May 2018 almost upon us. The new regulation created by the European Commission aims to standardize data protection procedures. Companies will be required to comply with measures regarding the data they hold and how it’s managed.

Data protection goes beyond being a legal necessity; it is also an important step in creating trust with your stakeholders, customers, clients and associates. It's a process that requires transparency from your organisation and its practices. There are several steps you need to take now in order to make sure you're compliant with the new regulations, and we've presented a guide below to make sure you're following best practices for your company's gateway, i.e. its website:

For more guidance materials or tailored advice on GDPR & UKDP from subject matter experts, reach out to Securestorm here. We specialise in a range of Data Protection as a Service offerings including GDPR Assessments, GDPR Planning & Management, DPO Services, Data Protection Impact Assessments and Privacy Management Services, to name a few.



Beyond Tick-Box Training...

Securestorm, the NCSC Certified Cyber Security Consultants, are proud to have officially partnered with CybSafe, the GCHQ-accredited cyber security awareness training solution, to deliver an intelligent and constantly evolving training software platform that gives organisations a level of expertise, insight, research and understanding that goes above and beyond traditional tick-box training.

Tony Richards, CTO, Securestorm, said: "We are delighted to tie up with CybSafe. As cyber security advisors working alongside multiple organisations across Government to Private sectors, we have always expressed how security awareness and training is not a 'tick-box' activity. With our partnership we are able to provide innovative and engaging security training, helping organisations to really embed and sustain better behaviours when it comes to cyber security. The goal here is to embed a resilient security culture throughout organisations."


Most businesses know that the human aspect of cyber security is important. They also know that they aren’t doing enough to address it and worry that they carry too much unnecessary cyber security and data protection risk as a result.

The issues preventing good cyber security behaviour from the everyday technology users within their organisations aren't actually just knowledge and understanding. Many people are also apathetic, disengaged, fearful or confused.

These businesses want a cyber security awareness solution that demonstrably addresses the human aspect by changing behaviour, shows a demonstrable return on investment and marks them out as an organisation that can be trusted to take data protection seriously.

What is CybSafe?

CybSafe is a Unified Cyber Awareness Platform. It is data-driven, cloud-based software that addresses the human aspect of cyber security. In doing so it helps businesses to improve cyber security behaviour, visualise human-factor vulnerability, and reduce cyber risk.

A Unified Cyber Awareness Platform

CybSafe is a Unified Cyber Awareness Platform that helps organisations intelligently address the human aspect of cyber security by focusing on ABC – Awareness, Behaviour & Culture.

It is advanced software that:

  • delivers GCHQ-accredited awareness training,
  • uses simulated multi-vector attacks and other methods to measure changes in behaviour, and
  • enables businesses to engage their people by keeping them informed and encouraging them to contribute their insight.

CybSafe helps organisations:

  • reduce their cyber risk,
  • build a positive cyber security culture,
  • meet their GDPR and other compliance requirements and
  • see a return on their investment.

It brings together many of the aspects a business needs to address the human aspect of cyber security effectively:

  • Train & Educate
  • Change behaviour
  • Inform
  • Engage
  • Measure & Analyse
  • Visualise & Report

CybSafe is a platform that can either be delivered on its own (for businesses without the capacity to do more), or as a mainstay feature that is complemented by additional security awareness activity. It is the only GCHQ-certified training tool of its kind that delivers this.

An awareness programme should be an intelligently woven together series of activities that engage, educate, assess and inform Users. If done properly Users feel empowered rather than undermined. They also increasingly see the value in their understanding of cyber security and feel part of the collective solution. It’s a journey that takes many from ambivalence, disinterest and a feeling of inconvenience to interest, appreciation and sensible caution.

Most businesses don't have the time, expertise or resource capacity to focus on the human aspect of cyber security as much as they should or would like. CybSafe's Unified Cyber Awareness Platform automates the provision of this activity, making its delivery effortless on the part of busy professional people.

Who is CybSafe for?
  • For businesses that realise that they need no longer pay lip service to the ‘people component’.
  • For those that understand that they don’t have the staff, time or expertise to address this component effectively on their own.
  • Any organisation that would like to directly address the human factor in cyber security to reduce their chances of having a breach – and benefit from the insights and experiences of others whilst saving money in the process.

Like to know more?

If you would like more information or advice on our range of Security Training and Awareness Programmes, get in touch here.



Awarded For Supporting Forces

securestorm gets awarded for supporting forces

Securestorm are pleased to have received the bronze award recognition from the Armed Forces Covenant - Employer Recognition Scheme (ERS).

  Certification Received in Recognition
We would like to thank you for your statement of intent to support defence personnel. The ERS recognises commitment and support from UK employers for defence personnel. The scheme awards employers who support those who serve or have served in the Armed Forces, and their families.

As part of our on-going commitment we particularly seek to support the employment of veterans young and old, through actively targeting veterans in employment campaigns, actively supporting industry training and work placement schemes, and mentoring veterans within the industry. We now proudly carry the Armed Forces Covenant logo to show our membership and involvement.

For more information on our involvement with the AFC or opportunities for Armed Forces, please get in touch with us on or visit our CAREERS page for latest vacancies.




Honouring Our Armed Forces


Securestorm has recently signed an official agreement to honour the Armed Forces Covenant.

By extending our support to the Armed Forces Community, we recognise the value that Serving Personnel, both Regular and Reservists, Veterans and military families contribute to our business and our country. By getting directly involved with the Armed Forces Covenant, we extend and re-affirm our beliefs by actively supporting initiatives, taking up causes and voicing their messages in our actions.

Embedding the 'Core' Principles in Our Culture

Our Armed Forces fulfil the responsibility of protecting the realm on behalf of the Government, sacrificing some civilian freedoms, facing danger and, sometimes, suffering serious injury or death as a result of their duty. Families also play a vital role in supporting the operational effectiveness of our Armed Forces. In return, the whole nation has a moral obligation to the members of the Naval Service, the Army and the Royal Air Force, together with their families. They deserve our respect and support, and fair treatment.

"We (Securestorm Ltd.) will endeavour in our business dealings to uphold the key principles of the Armed Forces Covenant"

Securestorm not only acknowledges this agreement as an initiative but also holds these values deep within the company culture and origins. In fact, Securestorm Co-founder & CTO, Tony Richards served in the armed forces before making his mark on the Cloud & Cyber Security domains as an industry leader & strategist, especially working alongside and solving challenges for Public Sector organisations like the Ministry of Justice, Youth Justice Board, Supreme Court, and GDS, to name a few.

Showing Commitment & Support in Our Actions

As part of our on-going commitment we particularly seek to support the employment of veterans young and old, through actively targeting veterans in employment campaigns, actively supporting industry training and work placement schemes, and mentoring veterans within the industry.

"We (Securestorm Ltd.) recognise the value serving personnel, reservists, veterans and military families bring to our business"

Drawing on our expertise and specialism in the security field, and using our partnership with organisations like Amazon Web Services, we are able to contribute to important schemes like AWS re:Start. We recently hired and mentored a young veteran who is now on the path to becoming a Cyber Security Consultant. Along the way, he received regular support, technical training and qualifications, customer-facing experience and, importantly, a work contract from Securestorm. You can read about his journey below:

'A Veteran's Journey to Civilian Life'



Tony Richards commented: "With years of experience in the army as well as working in a trending industry, my team and I are able to provide the 'right' nurturing and 'balanced' mentorship required to help the members of the Armed Forces pick up and apply new skills suited to them, as well as transition back to civilian life. We have already seen some great success in our involvement and we will continually do so in all our future endeavours."

We also take this opportunity to encourage other organisations and associates in our community to support and take up the cause of supporting the AFC. This goes beyond getting veterans back to normal life, as the industry needs to recognise what they have to offer. There is a big opportunity to fully develop veterans' skills and train them to be specialists in order to meet the rising national skills shortage in technology, particularly the vast field of Cyber and Cloud Security.

For more information on our involvement with the AFC or opportunities for Armed Forces, please get in touch with us on Don't forget to visit our other helpful content and handy resources:



Cost Effective GDPR Compliance for SMEs

cost effective gdpr compliance for SMEs

According to the latest survey results, the majority of SME businesses are unsure about meeting the GDPR compliance deadline. Moreover, a large part of the business community is unsure of the overall relevance of GDPR to their core business model and operations as well as the overall cost of compliance and business disruption it may cause.

So what should businesses do?



  • Determine the relevance of GDPR to your business and operating model: GDPR is not about data protection in general, it is about personal data protection. It is important that businesses determine the degree to which they use personal data.

Actual personal data usage may be very different from perception. For example, take a simple weather-updates portal. It does not need any personal customer data; however, it does store and process the names, addresses, family details, bank account numbers, passport details, work authorisations, salaries, bonus payments and sick leave details of its 50 geographically spread agents. All of these are personal data and some are sensitive data.

  • Reorganise asset ownership and limit liabilities: SME owners should take advice on reorganising their business ownership and asset ownership. Numerous businesses start as a one-man idea and then evolve to become a small team. But, due to digital connectivity or a people-based operating model, they collect significant personal data. Owning sensitive assets, with the associated compliance obligations and liabilities, can best be addressed by forming corporate entities and limiting individual liability.

The corporate entity should be the owner of share capital and owner of assets including data/digital assets – even if the product is an app available online with a relatively small number of users.

  • Consolidate data ownership: Personal data is an essential element of business flow. Many SMEs use online software-as-a-service tools to manage their business processes and, since one tool may not give them all the functionality they need, data often resides in multiple sets. It's therefore critical that businesses build their data asset inventory and document who is the owner or active custodian of each data set.

This is good business practice and will support GDPR and other compliance objectives.



  • Establish and evaluate the scope of compliance: Consult your legal advisor to determine your scope of compliance. SMEs often operate as virtual organisations, with staff working in different geographies and governed by different cyber security and data protection laws. Similarly, digital product consumption is global. It is therefore critical that SMEs draw a clear scope of compliance.

The scope of compliance needs to be evaluated to identify possible risk avoidance strategies, for example switching to a same country cloud service provider. Why climb the hill when you can go around it?

  • Determine the optimum compliance budget: Businesses need to establish an optimum compliance budget. It is important that management considers the overall scale, sensitivity and competitive parameters of their personal data use. If a business uses significant personal data then GDPR compliance is a necessity. If, however, GDPR compliance is also expected to offer a competitive advantage, then it's important to have the marketing team on board and share some of the costs. Organisations can subscribe to numerous GDPR compliance services rather than making capital investments.


  • Evaluate "DPO as a service": GDPR requires an organisation to appoint a person to the position of Data Protection Officer (DPO). But it gives flexibility for the DPO position to be a full-time, part-time, shared or contract resource. In order to reduce cost whilst maintaining compliance, SMEs should explore the option of appointing a shared DPO.

The DPO credential requirements are quite unique and “DPO as a service” provides SMEs the most efficient and practical support on compliance. The business should evaluate the DPO’s personal competence, intellectual property and support team available to address the variety of challenges that GDPR compliance is expected to present.

  • Move to a managed service model with suppliers and insist on their GDPR readiness: Outsourcing or specialised sourcing is a great way of implementing efficiency and business compliance. Because cost overheads are shared, the impact of a particular compliance requirement drops significantly. In line with this strategy, organisations should move to a managed service model for the parts of their business operations which fit their outsourcing strategy. During the implementation of a managed service strategy as a business or efficiency initiative, specialised focus should be given to compliance. This should be reflected in the contractual terms that are entered into, as well as in the governance framework for performance management.

The Data Controller will remain accountable, but sourcing a specialised and compliant Data Processor may relieve management of large recurring compliance investments.

  • Market your GDPR compliance as a competitive strength: SMEs need to market the GDPR compliance of their product and business to derive competitive leverage. Large businesses have much more at stake in terms of penalties and brand loss, but they also have compliance budgets and programmes for internal systems and processes. These compliance programmes include ensuring that current and prospective suppliers are GDPR compliant.

Being ahead in the race for compliance, and marketing it as a strength, would avoid elimination on compliance grounds and lend a powerful advantage during techno-commercial negotiations.

  • Implement cyber security hygiene practices: Regulatory (ICO) action will typically originate from two sources: a serious complaint from a data subject about systemic non-compliance, or a security incident involving personal data leakage that impacts individual privacy. It's therefore important to note that more than 70% of security incidents result from weak implementation of security basics, e.g. "admin-admin" username-password combinations, outdated unpatched systems, shared passwords, firewall any-any configurations, access beyond what the role needs, insider collusion, etc.

Implementation of good security basics (refer to Cyber Essentials), which include managerial and technical controls, gives moderately strong data protection assurance to business management and will shield against higher penalties.

  • Take insurance cover: If the business is focused on personal data, it is critically important that the organisation has cyber insurance cover.

This cost will provide the necessary oxygen in case of multiple control failures. With a constant rise in cyber incidents and higher participation of insider agents (employees, ex-employees, suppliers' staff), data leakages by error can lead to fines, loss of goodwill, disruption of operations and significant erosion of customer confidence and revenue. There could be additional liabilities emerging from suits that may be filed by customers, investors or partners.



  • Embrace privacy by design: SMEs need to make a fundamental shift in data governance. Their products, processes and customer interactions need to respect personal data from collection to disposal. They need to evaluate the concepts of data minimisation, data segregation, data retention, identity management, disclosures, consent and lawful/agreed processing norms. The concepts of the data-lean organisation need to be implemented.

This is a cultural change which DPOs are expected to drive as they operationalise their roles for GDPR compliance.

Check out our content & resources:


GDPR will drive "Data Lean" Organisations

A Driving Force of 'DATA LEAN' Organisations

GDPR presents a unique opportunity for organisations to benefit from becoming "Data Lean". This is a complete reversal of the current business mind-set, where organisations collect the maximum data about their current and potential customers because they believe it helps them to understand their needs better. The days of unauthorised data mining for upselling and cross-selling are certainly numbered.

GDPR compliance necessitates organisations to change their business practices and data management systems. For example:

  1. Data Minimisation: The concept of data minimisation requires that only the data necessary and relevant to the business objective of the activity is collected. Today organisations manually and automatically collect unnecessary data from customers so they have the option to mine it for future business purposes. Under GDPR, Data Controllers would be prohibited from collecting unjustifiably large data sets.
  2. Rights of the Data Subject & Responsibilities of Organisations: GDPR grants individuals the right to enquire about and obtain all of their personal details held by the organisation, to be provided within 30 days. Similarly, the individual's right to be forgotten implies that an individual may demand deletion of all his/her personal data in all of the organisation's systems. In order to comply, organisations will require all of their databases that contain personal data to be integrated or centrally managed across modern and legacy systems. Hence, the smaller the number of databases that store personal data, the simpler life is for Data Controllers and Processors.
  3. Data Processing, Sharing & Consent: GDPR requires organisations to seek an individual's consent for the purpose(s) for which their personal data will be used. It also requires explicit consent for sharing data with third parties and associates. Specific and explicit consent provisions tie the hands of organisations with respect to "creative analytics" of personal data. It also limits an organisation's freedom to enter data partnerships for cross-selling. Stretching the use of data to gain marketing leverage would certainly encourage individuals to use their right to object and/or withdraw consent.
  4. Data Relevance and Deletion: GDPR requires organisations to inform individuals, at the time of collection, how long their personal data will be retained. To comply, organisations will need to envisage the time utility of data before the data collection activity and delete data once the committed time-frame has elapsed. Alternatively, individuals are empowered to demand deletion at any time. This balance of rights would ensure that organisations only keep relevant data and adopt an effective data deletion policy.

GDPR compliance will drive organisations to maintain only the personal data they need for agreed business purposes. While the cost of storing data is declining, the cost of managing and safeguarding it isn't.

The advantages of becoming “Data Lean” include limited exposure to data loss issues, customer liabilities, regulatory wrath and goodwill damages as well as reduced cyber insurance premiums for compliant organisations.




GDPR: Force for Good or an Evil Necessity?


by Alex Pavlovic - GDPR 'Strategist'

For those of you who were involved in the much maligned and, at the time, over-hyped Y2K or the 'Millennium Bug', you could be excused for thinking that, with the General Data Protection Regulation (GDPR), there is a sense of déjà vu.

The “It’ll never happen” versus the “sky is falling on our heads” camps seem to be resurfacing.


It’s been 20ish years since the Y2K project work started. I worked in a trading floor environment at the time and there was a huge, aka expensive, project to identify systems and processes impacted by the date change; the risks of doing nothing far outweighed the investment. Quite a few instances were discovered and we did identify issues with hardware and software.

Was it the end of the world like some predicted: No
Would it have impacted operations on January 2nd until they were fixed: Yes.  
Would we have been able to trade: hmm, tricky - quite a few database and spreadsheet issues were identified. But was it a timely overhaul of outdated systems and processes: Yes.

What the lead up to Y2K did do was focus staff, and most importantly, the executive's & senior management's attention on the risks and impact of not doing anything - sound similar to some current conversations?
The risks of doing nothing far outweighed the investment; at the time there were early and late remediation adopters.

Did that result in getting systems, infrastructure and controls updated (things which IT had been crying out for): Yes.


GDPR has rightly been identified and embraced by organisations (it could be said, long overdue) and plans are finally being developed to rectify the omissions in technical and organisational controls/measures. High profile projects once again have the Executives' attention and support, albeit grudgingly in some cases. Commitments of resource and budget are once again being given and remediation work has commenced.


If the controls aren't implemented will it be the end of the world: No, though it could knock a hole in a company's finances.
Will it impact operations: it could do if a regulator orders a company to halt processing.
Will it be a timely overhaul of outdated systems and processes: I certainly hope so!

Thoughts?
Leave your comments down below...



GDPR 'Strategist' &
Lead Consultant

Alex is a Lead Consultant with 25 years of IT, Audit, Information Security and Risk Management experience. He is a specialist in the GDPR and is an advisor and implementation manager for multiple clients across a wide range of industries.

If you are interested to run or participate in GDPR sessions, contact: 


Cloud Champion

Meet techUK's 'Cloud Champion'

Cloud is fundamental to the UK's digital future. But an organisation's decision to move to the cloud will mean organisational change, leaving employees, particularly IT professionals, feeling anxious about how the cloud will impact the way they work. For many, this level of change will be a significant step change and cultural shift in how IT services are consumed. If the change is not properly managed, organisations could struggle to realise the full potential of cloud.

The purpose of techUK's 'Cloud Champion' campaign is to showcase technology leaders who are playing a leadership role in championing and supporting organisations' move to the cloud. The campaign will highlight best practice by leaders who are creating cloud enabled organisations, across all sectors, and a cloud driven workforce that will be vital for the UK's digital future.

Securestorm are techUK members and fully support the organisation's wider initiatives by participating in meaningful dialogue, strategy measures and thought leadership. Read the recent coverage about the 'Trust In Cloud' initiative and access the research papers here.

About: Securestorm are dynamic cyber security experts who deliver practical advice with the aim of meeting and solving challenges across the Cloud and Cyber Security domains. With a combination of experience, expertise and strategy, Securestorm offers guidance to clients across Public and Private sectors.
Securestorm holds several accreditations, notably NCSC Certified Cyber Security Consultancy, Crown Commercial Suppliers, and ISO 27001. Furthermore, Securestorm are also prominent in the industry for their proven delivery capabilities.


Meet Chris: Army Combat Engineer to Cyber Security Professional


A veteran's journey to civilian life

Chris Smith, Royal Engineer, British Army

When Chris Smith, a Royal Engineer veteran, left the military recently he wasn't sure what to do next — a dilemma for many former military personnel.

But Chris eventually found his calling in the technology industry, and is now rapidly making the transition from military life to the professional services environment.  

Chris's move into technology began when he enrolled in the AWS re:Start initiative, where his interest in the area of Cyber Security got him a work placement with Securestorm Ltd.

Chris said, "I was initially lost, but once I found out about the opportunities within Cyber Security and the support available to me, I knew this was my future. The Securestorm placement combined with the AWS re:Start initiative gave me direction, confidence and reassurance, which is vital to anyone who is coming out of the military and pursuing a completely new avenue. Most folks do not realize how daunting the transition to civilian life can be!"
[Photo: Army Engineer - Typical Day at the Army]

[Photo: On a 'Mission' - Military life]


Chris is now a Security Analyst for Securestorm Ltd., the leading Cloud and Cyber Security consultancy based in London. As a National Cyber Security Centre (NCSC) certified organisation, Securestorm works closely with public and private sector clients advising on security matters. This gives veterans like Chris first-hand working experience in a diverse setting and all-round exposure to various customers across the industry.

Giving Veterans a Fresh Start in Technology

Building Talents: The AWS re:Start Programme for Military & Securestorm Placement Program

AWS re:Start for Military is aimed at supporting members of the UK Armed Forces community and guards with a training and job placement program. This program is designed to educate young adults, military veterans, members of the military reserve, those leaving the Armed Forces, and service spouses on the latest software development and cloud computing technologies. Securestorm are AWS partners and are heavily involved in helping new minds get the necessary training, education and development to make it in the field of Security.


Interview: Meet the Recent Graduates

As the visionary head of Securestorm, CEO Mandeep Obhrai stated, "We are committed to our partnership with AWS as we embark on diverse initiatives from bringing innovative security solutions to supporting the community around us through a well-developed training and placement program. As a start-up with multiple achievements in our sector, we can help inspire, motivate and mentor new starters in technology on a very personal level with adequate support and nurturing along the way".
Army veteran turned leading Cyber & Cloud strategist, Tony Richards, CTO & CISO of Securestorm, said, "While most former military personnel do not have cyber-security training, they do have compatible skills, teamwork spirit and are extremely focused by nature. These qualities are essential to our industry. Being receptive to learning, development and mentorship are perhaps more important than having only technical skills, especially considering the fast-paced changes in the digital cyber industry."
AWS Summit 2017 - CTO/CISO Tony Richards with AWS re:Start hire Chris Smith

He also added, "We have a collective role to provide support for veterans. At Securestorm, we believe in building upon initiatives such as AWS re:Start. This goes beyond getting veterans back to normal life, as the industry needs to recognize what they have to offer. There is a big opportunity to fully develop veterans' skills and train them to be specialists in order to meet the rising national skills shortage in technology, particularly the vast field of Cyber and Cloud Security."

Get involved with us!

As part of our commitment to the industry, Securestorm provides a broad range of training, learning and development initiatives for our people to achieve their career goals.

For questions and queries related to Security advice or interviews please email: For current employment opportunities email: 


On Cloud 9


No. 9 brings a single iteration of 'G-Cloud'

G9 has officially replaced G-Cloud 7 (G7) and G-Cloud 8 (G8), providing consistent information about all services and bringing more of the G-Cloud buying journey online.

Buyers and suppliers will be able to use one set of contracts for all their G-Cloud services.

Securestorm on G-Cloud 9

Securestorm has officially been awarded G-Cloud 9 status following the success of the previous G-Cloud versions. Securestorm are committed to bringing innovative as well as cost effective solutions and services that are practical, helping Government organisations be secure from cyber-threats as well as manage resources effectively.

Securestorm CTO, Tony Richards, added "It is great to be live on G9. Keeping in-line with the launch of previous G-cloud iterations, Securestorm is further committed to delivering more, offering streamlined services and exclusive solutions such as the award-winning Edgescan. This combined with our industry experience, delivery capabilities and subject matter expertise on trending threats will no doubt once again see us successfully solving security challenges for our clients across the Government."

The following services by Securestorm can be found on the Digital Marketplace:




Cloud services such as Amazon Web Services or Salesforce are increasingly being used but often do not utilize all of the security options available.

Securestorm, an NCSC certified Cyber Security Consultancy, assists customers in defining their security needs and designing and assuring security of public, private or hybrid cloud services.


  • Certified under the NCSC Cyber Security Consultancy scheme
  • AWS Partner
  • Certified (CCP) Cyber Security Professionals
  • Cloud Security Alliance STAR Lead Auditors
  • (ISC)2 Certified Cloud Security Professionals (CCSP)
  • Cyber Essentials certified company
  • AWS secure for OFFICIAL Architectural Design and CloudFormation Templates
  • Leaders in secure OFFICIAL environments architecture design and review
  • Review of AWS or Salesforce Identity & Access Management permissions
  • Review security options chosen and those available against best practices
  • Assessment and review of AWS instances and configurations


  • Company certified under the NCSC Cyber Security Consultancy scheme
  • Deep dive Security Assurance and Audit previously conducted of AWS
  • Ensures compliant and secure cloud services for your organisational needs
  • Utilising the inherent security of cloud services for reduced complexity
  • Understanding of security options for current or future deployments
  • Recommendations for user role and privileges to meet business requirements
  • Improved audit and incident response capability
  • Expertise in delivering secure cloud services to existing G-Cloud customers
  • Deep dive Security Assurance and Audit previously conducted of Salesforce

Securestorm are actively working to champion Cloud Security best practices that enable Government and businesses to run more efficiently and cost effectively. Read about our contribution and best practices in recently published research papers:



Edgescan - Continuous Technical Security Vulnerability Assessment

Edgescan is a managed Continuous Technical Security Vulnerability Assessment service, with continuous security testing and system visibility, that delivers a unique combination of full-stack vulnerability management, asset profiling, alerting and risk metrics. As official partners, Securestorm, an NCSC certified company, will assist customers with on-boarding the service and portal configuration.





Knack - "Low Code" Application and Database Pilot Development platform

Knack is an easy to use "Low-Code" development platform that Securestorm can provide as a pilot development service, letting you quickly build online applications and databases as proofs of concept. With Knack you can structure data, connect it by linking related records together, and extend it with data integrations.

Knack Low Code Development Platform Consultancy

Securestorm provides expert consultancy on how to use Knack, the "Low-Code" development platform, including: setup, configuration, management and development. Knack is an easy to use "Low-Code development platform", suitable for OFFICIAL information, that transforms data into powerful online databases, with clean interfaces, and requires no coding.




Nol-ij, the Continuous Information Risk Management Dashboard

Nol-ij is a cost effective, Continuous Information Risk Management Dashboard, that supports and streamlines governance, information risk management and security assurance through identification, evaluation, treatment and management of strategic, operational and project security risks, ensuring decision makers have the necessary information at their fingertips to confidently manage their risk portfolio.

Nol-ij Configuration, Customization and Support Consultancy

Nol-ij, the Continuous Information Risk Assessment Dashboard can help organisations identify, track and minimize the information risks inherent in their systems and services. Securestorm provides expert consultancy to assist and enable organisations to setup, configure or even adapt and customize the Dashboard to their needs.



To request additional information on any services tailored to your organisation's infrastructure, budget and considerations, please get in touch via or call 0203 8655890 for advice and consultation. Additionally, visit our technology services directory www.Informd.Online to view assurance reports and services.


Road to Victory



Securestorm Ltd. are pleased to announce that they have been selected as finalists for Consulting Practice of the Year in the 2017 Cyber Security Awards. The Cyber Security Awards were established in 2014 to reward the best individuals, teams and companies within the cyber security industry. Excellence and innovation are core themes throughout all categories. The Cyber Security Awards team reviews the industry, looking for the best possible applicants.

The winners will be announced at the Cyber Security Awards dinner and presentation at the Chelsea Harbour Hotel on Thursday 29th June 2017.

Awards judge Karla Jobling said "there were more applicants this year than ever before and to be selected as a finalist is a great achievement. The Cyber Security Awards really focus on success and innovation, and we look for those who have passion for what they are achieving within Cyber Security. I am excited to celebrate with all finalists in June, and announce those that judges feel are deserving winners."

Mandeep Obhrai, CEO Securestorm stated "We are proud to be finalists for the best consulting practice of the year.  Over the past few years cyber-threats have evolved and we have been marking our success based on how we have delivered practical solutions to critical cyber challenges faced by our high-profile clients. This approach has carried us far and earned us the title of being the industry experts." 

Tony Richards, CTO Securestorm said on the occasion "This is a good motivation for our achievements. We have been hard at work getting on-board a number of specialist Cyber Security frameworks and among the few who are NCSC Certified for various cyber security services from the very start. We hope to use this news to fuel our drive for furthering our technical expertise in the industry."

About the Cyber Security Awards

Situated at the luxury 5* Chelsea Harbour Hotel London, the Cyber Security Awards is a leading awards event for the cyber security industry. The event consisted of reception drinks, 3 course meal with wine, coffee and petit fours. The cyber security awards is the ideal event to gain recognition for your success within the cyber security industry. At the awards, you can expect to network with leading industry professionals from consultancies, technology firms, defence businesses, FTSE 250 and public sector bodies.

About Securestorm

Securestorm Ltd. are leading cyber security experts who provide practical advice with the aim of simplifying challenges in the domains of Cloud and Cyber Security. With a combination of experience, expertise and strategy, Securestorm brings innovative delivery and subject matter expertise to the industry across Public and Private sectors. Securestorm are an NCSC Certified Cyber Security Consultancy for Risk Assessment, Risk Management, and Audit & Review. Furthermore, Securestorm are also approved CCS, CESG, Cyber Essentials and ISO 27001 certified consultants with a presence on the G-Cloud, Cyber Security Services 2 and Digital Outcomes and Specialists 2 frameworks.


State of Malware

'Ransomware' got the nation talking


The NHS cyber-attack that hit hospitals across the UK is said to have been part of the biggest ransomware outbreak in history, and it could ramp up again this week as people return to work. UK hospitals have effectively shut down and are turning away non-emergency patients after ransomware ransacked their networks.

Some 16 NHS organizations including several hospital trusts have had their files scrambled by a variant of the WannaCrypt, aka WanaCrypt aka Wcry, nasty. Users are told to cough up $300 in Bitcoin to restore their documents. Services in other countries – including Russia, Taiwan and Kazakhstan – were also affected by similar hacks. Experts say the virus exploits a vulnerability in Microsoft Windows software that was first identified by American spies at the NSA.

Doctors have been reduced to using pen and paper, and closing A&E to non-critical patients, amid the tech blackout. Ambulances have been redirected to other hospitals, and operations canceled.

Industry Experts' Analysis


Securestorm's approach to tackling high-impact attacks such as the NHS breach is the same one that has proven effective with other high-profile organisations. We look at problems practically and holistically. This enables us to deliver an innovative and tailored approach that suits the organisation while taking into consideration resources and other factors such as cost and time.


Tony Richards, CTO of Securestorm, who actively works alongside Government organisations and has been monitoring the attacks and advising organisations on how to defend and protect against them, added, "Microsoft released a fix, or patch, for the issue in March prior to the dump. However computers that did not install the update, or could not due to the age of the software, would have been left vulnerable to an attack". He also stated that the use of Abatis HDF software would have helped these organisations protect and defend against the very same attacks while proving cost-effective at the same time. Subsequently, he tweeted -

Mandeep Obhrai, CEO of Securestorm analysed the importance of long-term organisational planning along with embedding a security culture that is practical. He recommends:

  • Robust business continuity planning
  • Crisis and incident response planning
  • Excellent security hygiene policies and user awareness 
  • Up-to-date patch and vulnerability management 
  • Access control and user privileges are important
  • Back up data using a reliable solution for protection.

'Beating ransomware is about preventing it rather than reacting to it. Invest in awesome Cyber Security!'
- Mandeep Obhrai, CEO

Securestorm can offer expert advice and consultancy services to organisations while developing their overall security posture, maturity and culture. We have led, integrated with and supported multiple teams within organisations to become cyber ready. There is no one-stop solution for incidents, but this is where consulting us benefits organisations, as we are accredited and experienced to look adeptly into the different areas. Read about our case studies here.

For the ransomware incident, we have identified Abatis software as one defensive solution. The following are features and benefits of this particular software.

'A Disruptive Zero Day Defence' solution against HACKERS



Securestorm Ltd., London based Cloud and Cyber security experts and NCSC Certified Consultants have officially partnered up with ABATIS, a UK based Cyber Security Awards 2015: Innovative Product of the Year winner to offer a resilient, cost-effective and agile solution that stops zero day attacks.

Abatis is deployed on end point workstations and servers to enforce corporate security policy and provides detailed analysis and audit information.

  • Less than 100KB Kernel Level Protection
  • Preserves the integrity of whatever device it is installed upon
  • Protects All Windows and Red Hat Linux





  • "Effective at stopping all attempts to write malware to the permanent storage of the device regardless of system privilege"
  • "Abatis Stopped 100% of all malware in comparative tests where 8 well-known Anti-Virus tools scored between 30% and 55%”
  • Provides an APT HUNTER-KILLER ability not seen in any other tool
  • Safe to use in mission and safety-critical real-time systems and SCADA environments
  • Provides TOTAL Control over USB Devices




"Defence Against Crypto Locker and Other Ransomware"

Ransomware is one of the fastest growing methods for cyber criminals to extort money from their victims. In the first six months of 2014 cyber criminals made over $100 Million in extortion; many of these victims had no option but to pay up or lose sensitive corporate information. Abatis stops these attacks dead.




Fast, Light and Efficient

  • "Saves 7% of the energy consumed by the device, servers run 8°C cooler, saving £35 / €50 / US$60 per server per annum"
  • Imperceptible performance impact
  • Up to 40% performance (speed) improvement compared to traditional AV
  • Massive improvement in laptop battery duration


Making Security Management Simple and Cost-Effective

  • Central Management Console (CMC) provides facilities to:
    • Install on an estate
    • Retrieve and analyse logs
    • Push policy updates to Abatis individually, in groups or globally
  • Web based application
  • SIEM-like dashboard


Abatis is a host-based, software-only solution that is implemented as a kernel driver on Windows platforms. It intercepts and mediates file write access to the computer's permanent storage. It is designed to help enforce system and file integrity without complex management overheads. It achieves this security objective by exercising robust access control over the writing of executable files and user-defined files (protected files) to a computer. It protects against unauthorized modification and denies unauthorized write operations.

While Abatis blocks unwanted executables by default, the Abatis system administrator can define files for integrity protection according to the computer's roles. Ideally, Abatis should be deployed on a newly installed 'clean' operating system. From this secure initial state (baseline), Abatis will prevent malware infection from then on.

For most corporate environments, Abatis is rolled out in stages and there may be extant undetected infections on systems – often referred to as Advanced Persistent Threats (APTs). Abatis' unique operation and extensive audit log allow such malware to be identified. Abatis can also reveal rootkit infections and facilitates the subsequent removal of such programs.
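The paragraphs above describe a write-mediation policy in general terms: record a baseline of approved executables on a clean system, deny later writes of executables (and of user-defined protected files) that fall outside that baseline regardless of the writer's privilege, and keep an audit trail that also surfaces binaries already present before rollout. The following is an added illustration of that policy model in Python; it is not Abatis code and says nothing about how the Abatis driver itself is implemented. The suffix list, sample paths and file contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Assumption for the model: which file suffixes count as executable content.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_SUFFIXES)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class WriteMediator:
    """Decides whether a write to permanent storage may proceed and logs every decision."""
    baseline: dict = field(default_factory=dict)   # path -> digest of the approved executable
    protected: set = field(default_factory=set)    # user-defined integrity-protected files
    audit: list = field(default_factory=list)      # audit log entries (dicts)

    def record_baseline(self, files: dict) -> None:
        """Snapshot the executables of a clean install (path -> file bytes)."""
        for path, data in files.items():
            if is_executable(path):
                self.baseline[path] = digest(data)

    def mediate_write(self, path: str, data: bytes, privileged: bool = False) -> bool:
        """Return True if the write is permitted.

        `privileged` is recorded in the audit entry but deliberately not consulted:
        the policy applies regardless of the caller's system privilege."""
        if path in self.protected:
            return self._decide(False, path, privileged, "protected file")
        if is_executable(path):
            approved = self.baseline.get(path)
            if approved is None:
                return self._decide(False, path, privileged, "executable not in baseline")
            if approved != digest(data):
                return self._decide(False, path, privileged, "executable differs from baseline")
            return self._decide(True, path, privileged, "matches baseline")
        return self._decide(True, path, privileged, "non-executable data")

    def audit_existing(self, files: dict) -> list:
        """Staged rollout: list executables already on disk but absent from the baseline,
        the kind of extant, previously undetected binary the audit log is meant to surface."""
        return sorted(p for p in files if is_executable(p) and p not in self.baseline)

    def _decide(self, allow: bool, path: str, privileged: bool, reason: str) -> bool:
        self.audit.append({"decision": "ALLOW" if allow else "DENY", "path": path,
                           "privileged": privileged, "reason": reason})
        return allow


def demo() -> dict:
    """Run the model over constructed sample files and return the decisions."""
    clean_install = {                                   # constructed baseline content
        "C:/Windows/System32/notepad.exe": b"notepad-bytes",
        "C:/Windows/System32/ntdll.dll": b"ntdll-bytes",
        "C:/Users/alice/report.docx": b"quarterly report",
    }
    m = WriteMediator(protected={"C:/Users/alice/report.docx"})
    m.record_baseline(clean_install)

    results = {
        # an unknown executable dropped by a privileged process: denied
        "dropper": m.mediate_write("C:/Users/alice/AppData/Temp/update.exe", b"evil", privileged=True),
        # a tampered copy of an approved binary: denied
        "tamper": m.mediate_write("C:/Windows/System32/ntdll.dll", b"patched", privileged=True),
        # the approved binary rewritten with identical content (e.g. a reinstall): allowed
        "reinstall": m.mediate_write("C:/Windows/System32/notepad.exe", b"notepad-bytes"),
        # ordinary user data is not executable, so the write proceeds
        "userdata": m.mediate_write("C:/Users/alice/notes.txt", b"hello"),
        # a user-defined protected file: overwriting it with ciphertext is denied
        "ransom": m.mediate_write("C:/Users/alice/report.docx", b"\x00encrypted\x00"),
    }
    # staged rollout onto a machine that already carries an unknown binary
    existing = {**clean_install, "C:/ProgramData/svc.exe": b"unknown"}
    results["suspects"] = m.audit_existing(existing)
    results["denials"] = sum(1 for e in m.audit if e["decision"] == "DENY")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model keys the baseline on both path and content hash, so an attacker who overwrites an approved binary in place is denied just as an attacker dropping a new one is; and because the decision never consults the `privileged` flag, the audit log records the attempt at the same level of detail whether it came from a user or from an administrator-level process.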




Securestorm are authorized re-sellers of the award-winning software and management console solution from Abatis that helps stop malware cost-effectively and right from the get-go.


With Securestorm, you get unparalleled expert advice, excellent customer care support and guidance before and after the on-boarding process, giving our clients peace of mind and massive savings on cost, time and resources.

To request additional information on malware & ransomware defence and protection tailored to your organisation's infrastructure, budget and considerations, please get in touch via or call 0203 8655890 for advice and consultation.



Small Budgets Cripple Cyber Security Efforts of Local Governments


A survey of local government chief information officers finds that insufficient funding for cyber-security is the biggest obstacle in achieving high levels of cyber safety.

Inadequate budgets are the largest obstacle for local government chief information officers in obtaining the highest level of cyber security for their organization, according to a survey released by the International City/County Management Association.

Of the 411 respondents to the Cyber Security 2016 survey, 32% reported seeing an increase in cyber attacks on their organizations within the past 12 months. But despite this increase, more than half of the CIOs surveyed found that steep obstacles still stood in the way of achieving the highest level of cyber security possible.

Survey respondents pointed to these reasons as the barriers to obtaining high cyber-security levels:

  • 58% noted inability to pay competitive salaries
  • 53% attributed small cyber-security staff as the main obstacle
  • 52% cited overall lack of funds

Although adequate funding was listed as the top need in achieving the highest level of cyber security for local governments, improved cyber-security policies ranked as No. 2, followed by government employees having a better understanding of cyber-security as No. 3, according to the survey.


"The threat landscape is ever evolving"

Rather than treading over old ground, it's time to step forward to address the ever widening gap between criminal capability and intent, and our capability to defend ourselves. While the National Cyber Security Centre (NCSC) initiatives are in place and taking effect for the long-term goal of securing the nation as a whole, the industry needs to work alongside these measures to ensure progress and continuity as a collective unit.

As NCSC Certified Consultants actively working closely with the Government sector we strongly believe:

  • getting the basics right could prevent 85% of breaches
  • that moving to a secure culture by actively working with teams will change mindsets
  • measuring that culture periodically will help review and fix gaps
  • sharing information between departments and organisations will unify the common goal of being secured
  • building capability internally will lead to long-term resource, time and cost savings

Securestorm has worked with clients facing constraints in budget, expertise and security culture by offering practical solutions that address the organisation's goals for cyber security as a whole. Recently, Securestorm signed a partnership with Edgescan Ltd. to bring a solution that provides the necessary flexibility & efficiency to departments facing such hurdles. Securestorm also offer services to on-board and manage the solution so that internal resources can focus on other organisational priorities. This ensures cost, time and resource savings while receiving expertise that can transform the entire security culture of the organisation.

Read about the managed continuous security vulnerability assessment service

Edgescan takes into account cloud security by focusing on internal and external vulnerabilities (web applications as well as network infrastructure). It also delivers the flexibility, simplicity and manageability that organizations need to take control of cyber security and prevent web and network attacks. Edgescan is a Software-as-a-Service (SaaS) platform designed from the ground up to scale massively, support the largest enterprises and offer the most compelling business efficiency, lowering your overall cost of ownership.

As official Edgescan G-Cloud suppliers and certified consultants, Securestorm can offer expert services that help lessen the burden on your security team and improve overall organisational security posture by:

  • Providing continuous visibility to your on premise and cloud environments
  • Freeing your security team to work on more strategic priorities
  • Satisfying compliance with regulations
  • Safeguarding your critical data
Presenting Vulnerability Management Service at SOCITM SPRING 2016

As partners, Securestorm are official G-Cloud Suppliers of the Edgescan solution

Meeting opportunity: Securestorm & Edgescan at Infosecurity

Securestorm will join Edgescan at Infosecurity Europe, 06-08 June at Olympia, London. Visitors can learn about the full-stack vulnerability management solution.



The Edgescan Vulnerability Assessment & Management by Securestorm is available to procure via the G-Cloud space. The service information can also be found on our own assured service directory 'Informd.Online' with a free registration for Government departments.

To request a trial or additional information on the vulnerability assessment and management approach tailored to your organisation's infrastructure, budget and considerations, please get in touch via or call 0203 8655890 for advice and consultation.


'Trust in Cloud'


Building Trust in the Security of Cloud


tech-UK represents the companies and technologies that are defining today the world that we will live in tomorrow. More than 900 companies are members of tech-UK. Collectively they employ approximately 700,000 people, about half of all tech sector jobs in the UK.

The event marked the launch of tech-UK's Building Trust in the Security of Cloud papers and a panel discussion with leading cloud industry figures on building trust in the security of cloud computing.

The series of papers are aimed at addressing common trust and security concerns, as well as misconceptions, surrounding cloud services. Despite many years of raising awareness of the benefits offered by cloud computing some negative perceptions remain about the security of cloud services that are holding back cloud adoption and its benefits. Given the importance of cloud computing to the UK’s digital future it is vital that the cloud security messages and advice being delivered today are relevant to how cloud services have evolved, address the concerns being raised by cloud users and are communicated to and understood by the right audiences.

To ensure this happens, tech-UK has been working with cloud computing and cyber security industry experts to develop a series of papers providing information and advice for consumers, SMEs and local government leaders that are looking to get the most out of cloud computing. The following papers will be launched and discussed at the event:


Securestorm's Tony Richards, CTO/CISO/Cyber and Cloud Security Strategist, on the panel for Building Trust in the Security of Cloud

As a tech-UK member organisation and industry experts, Securestorm worked directly with tech-UK and other industry members to discuss, research and build the cloud topic papers.

Securestorm's Tony Richards, CTO/CISO/Cyber and Cloud Security Strategist, also took part in the event panel discussion on 24th April 2017, providing insights and answering audience questions on cloud security in relation to Government, consumers and upcoming challenges such as Brexit and policy changes.

Securestorm are NCSC Certified Cyber Security Consultants with a diversified interest in the cloud security domain, working across the public and private sectors. Drawing on this experience, knowledge and expertise, Securestorm are actively working to champion cloud security best practices that enable government and businesses to run more efficiently and cost effectively.

     Highlights from  'Building Trust in Cloud Session'

Also launched was techUK's "Cloud First. Policy Not Aspiration" paper, which focuses on the importance of the UK Government's Cloud First policy being more than just an aspiration for ensuring effective public sector adoption and usage of cloud, and on how Government can become a loud and vocal cloud champion. The paper makes a number of recommendations that must be taken forward in order to build greater trust in the security of cloud services and increase the adoption of cloud within the public sector. It also covers the importance of clear roles and responsibilities within organisations for building greater trust and security in cloud computing across both the public and private sectors, and how to take forward tech-UK's work in this area.

    Access the Cloud papers here:

About: Securestorm are dynamic cyber security experts who deliver practical advice with the aim of meeting and solving challenges across the cloud and cyber security domains. Combining experience, expertise and strategy, Securestorm offers guidance to clients across the public and private sectors.
Securestorm holds several accreditations, notably NCSC Certified Cyber Security Consultancy, Crown Commercial Supplier and ISO 27001, and is recognised in the industry for its proven delivery capabilities.


Securestorm Ltd., Cloud & Cyber Security Experts and UK National Cyber Security Centre (NCSC) Certified Cyber Security Consultancy, have officially launched an online Common Technology Service directory of cloud services that have been audited and security assured by Securestorm against the NCSC's Cloud Security Principles. In line with the UK Government's ambition to reduce repetition and share security assurance information between government organisations, Government security representatives can register for an account to gain access to the detailed reports.

Securestorm are NCSC certified for the specialist areas of Information Assurance Audit and Review, and Risk Assessment and Risk Management, and hold various cloud security credentials backed up by extensive industry experience and delivery in the public and private sectors. The directory has been developed as a reference for assured technology services, allowing users to get an overview, access relevant information and make an informed decision on a service's security status. Government users can register for an account, giving access to the detailed Cloud Security Principles Assurance Audit Reports.

    Easy Icon-Based Classifications

Securestorm has designed the directory with custom icons using a traffic light labelling system to give an at-a-glance security assurance snapshot. Traffic light labelling is a well-established model in several sectors, so Securestorm has applied the same principle, mapping assurance levels (Assured, Weak Assurance, Not Assured and Not Applicable) to categories of importance covering core data types such as personal data, medical data and financial data, as well as security functions such as data location, protection of data in transit, legal jurisdiction, audit, identity and access control, and physical security.


Friendly & Informative Layout: users get a holistic overview of a service's security up front, with detailed but easy-to-filter service information through our custom assurance icons.


    Readily Available Information

Clicking on the relevant service gives access to general information about the service. Registered Government account holders get access to a fully detailed and referenced Cloud Security Principles Assurance Audit Report.


                                  Security assurance icon explanation


Users can navigate the services list and, after shortlisting based on our custom assurance icons, click on the relevant service

Users can click on a service to pull up its description and associated links

    Other Essential Resources from Securestorm

    For more information on our, feel free to reach out to: for support or queries. For access to other resources from Securestorm such as Digital Apps, Cloud and Cyber Security Guidance articles, Thought-Leaderships and Case-studies, visit or navigate our links below.


    You Are Only As Strong As Your Weakest Link… MSPs Under Cyber-Threats.


The following news story is based on a report published by the NCSC:

    Advice on managing enterprise security published after major cyber campaign detected

    • Third parties who manage large organisations’ IT services attacked
    • NCSC leading investigation in partnership with Cyber Incident Response partners
    • Advice urges enterprise security teams to discuss risk with Managed Service Providers

Targeted expert advice aimed at Managed Service Providers and their customers has been published after a global cyber attack was uncovered by a multi-organisation collaboration led by the National Cyber Security Centre (NCSC).

    The attacks are against global Managed Service Providers (MSPs), which are third parties who help to manage large organisations’ IT infrastructure and services. MSPs are particularly attractive to attackers because they have privileged access to other organisations’ systems and data.

Because the incident mainly affected larger organisations, the NCSC believes the risk of direct financial theft from individuals is low.

The attacks are a reminder of the importance of organisations choosing and monitoring their outsourcing partners carefully, so the NCSC has published a range of advice on its website about what should be done to mitigate the risks.

Ciaran Martin, CEO of the government's National Cyber Security Centre, said:

    “This scale of hostile activity is significant and our intervention is aimed at giving the UK the ability to tackle this threat head-on by giving organisations the tools and information they need.

    “We always encourage enterprises to discuss this threat with their MSP, even if they have no reason to believe they have been affected. This incident should remind organisations that entire supply chains need to be managed and they cannot outsource their risk.

“The response to this attack is an example of the new NCSC at work with our partners. It would not have been possible to uncover the scale and significance of this incident as quickly without our close partners in the Cyber Incident Response (CIR) initiative, including PWC and BAE Systems.”

The guidance reflects the technical advice and mitigation measures offered to UK industry and government departments on the Cyber-security Information Sharing Partnership (CiSP) platform.

Organisations that outsource IT infrastructure are advised to have an open dialogue with their provider and to understand the model the provider uses to manage their services. If that model is unsatisfactory, the organisation should demand that the provider change it immediately.

The NCSC recommends that MSPs who are unwilling to work closely with customers, or unwilling to share information, should be treated with extreme caution. It also advises that an independent audit of your MSP is critical for security management: an organisation that neglects such monitoring is unlikely ever to be able to manage the risk effectively.

    The NCSC, which is part of GCHQ, is the UK’s technical authority on cyber security. The NCSC was opened by HM The Queen in February 2017 and provides a single, central body for cyber security at a national level. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice. 

The UK government is fully committed to defending against cyber threats and to addressing the cyber skills gap by developing and growing talent. A five-year National Cyber Security Strategy (NCSS) was announced in November 2016, supported by £1.9 billion of transformational investment.

    Finding Reliable, Trusted & Assured Experts Through NCSC Seal Of Approval

The NCSC, set up in October 2016, is part of GCHQ and brings together the government agencies dealing with cyber security. It was set up to help protect our critical services from cyber attacks, manage major incidents and improve the underlying security of the UK Internet through technological improvement and advice to citizens and organisations. Its vision is to help make the UK the safest place to live and do business online. NCSC certification serves as a seal of trust, assurance and reliability when procuring services.

Certified Cyber Consultancies will have demonstrated to the NCSC that they have:

    • a proven track record of delivering defined cyber security consultancy services
    • a level of cyber security expertise supported by professional requirements defined by NCSC
    • the relevant Certified Professional (CCP) qualifications

and that they:

    • Manage consultancy engagements in accordance with industry good practice
    • Meet NCSC requirements for certified professional cyber services companies

    Certified Cyber Security Consultancies commit to:

    • Complying with a code of conduct (see Section III of the Professional Cyber Services Application form)
    • Maintaining their cyber security expertise


Securestorm, as an NCSC certified Cyber Security Consultancy, is one of three companies certified for IA Audit and Review. Securestorm can undertake the independent security assurance reviews and IA audits of Managed Service Providers advised by the NCSC in light of this attack. Securestorm is also certified to carry out Risk Assessment & Risk Management, with experience across central government, digital services for government and the wider public sector.