Case Study

Global Medical Tech Company Increases Cybersecurity Maturity Level by More Than 50% With CYE

Industry

Healthcare

Revenue

$1.5 Billion

Customer

Med Tech

Headquarters

EMEA

The Challenge: Lack of Visibility and a Comprehensive Cybersecurity Strategy

As a leader in developing and producing critical and lifesaving medical devices, the medical technology company must consider the impact of possible cyberattacks on its operability, its ability to satisfy customers’ supply demands, and its regulatory needs. Although its team already had a strong focus on security, it lacked visibility and the ability to measure the effectiveness of its strategy. It therefore sought a comprehensive approach to cybersecurity strategy and planning.

The company consulted with CYE’s experts, who immediately worked with the company’s IT leadership team to agree on which assets were the most critical and then performed a broad organizational baseline security assessment. As part of this process, CYE penetration test specialists tested different attack scenarios, simulating a rogue employee and an external hacker.

The exhaustive penetration and vulnerability assessments showed the available and most likely attack paths for stealing business-critical data or compromising assets.

The Solution: Expert Mitigation Guidance, Implementation, and Testing

After the assessment, the company received a full report with the help of Hyver, CYE’s optimized cyber risk quantification platform. CYE and the company reviewed the findings in workshops and developed a mitigation plan that they discussed at biweekly meetings. CYE helped prioritize all the findings and categorized them into critical, high, medium, and low priority.

Over the course of ten months, the company worked on mitigating the findings. By the time they performed their next vulnerability assessment, the focus had shifted to internal attacks. The CYE team attempted to reach the company’s critical assets using different attack vectors while confirming and validating that the mitigation efforts had indeed been effective.

The company continued working with CYE to run internal training, including tabletop exercises on crisis communication with the executive team. CYE also did a security configuration review of the company’s product lifecycle management system, and a red team exercise to challenge and enhance security event detection and monitoring capabilities. In addition, CYE ran developer training for the company’s software development, IT, automation, and engineering solutions teams.

The Impact: Significant Improvement of Cyber Protection and Awareness

With CYE’s help and guidance and through the company’s diligent implementation, cybersecurity maturity improved dramatically in all areas. With identity management, for example, maturity rose 56% in just one year, while sensitive data management rose 51% during the same time.

In addition, working with CYE clearly transformed security awareness at the company. “What we experience is a growing maturity and understanding of what is necessary to protect our operations, in both the IT and the OT environments of the company, from the top management down to the individual specialists and engineers doing the work,” said the company’s head of information security. “We have experienced massive growth in awareness and skills among the people in IT and operations. We have also experienced a growth of acceptance for certain security requirements that must be implemented, and we have excellent buy-in and support from the senior management.”

For all these reasons, the company appreciates CYE’s value. “I am happy we work together with CYE,” the infosec head said. “I look forward to continuing this cooperation for many years because our security roadmap is an ongoing task. We find knowledgeable resources in CYE, and I think they greatly benefit us.”

“The number one value that we receive from CYE is cooperation on risk mitigation and improvement of cyber protection on different levels, be it policy, organization, or technical.”

The customer’s Head of Information Security