SafetyDetectives spoke with the head of US operations for Bridewell, Chase Richardson, about the changing landscape of cybersecurity, the primary goals of penetration testing, staying ahead of hackers, and more.
Thank you for taking some time to speak with us today. What is your background and your current role at Bridewell?
It’s a pleasure to meet you! I’m speaking to you from Houston’s Energy Corridor, where I lead US Operations at Bridewell, a global cyber security services firm. Bridewell opened its doors in the US last year, following a decade of rapid and spectacular growth in the UK. We provide 24×7 managed detection and response services and cyber security consultancy for the world’s most trusted and highly regulated sectors, including critical national infrastructure (CNI) and financial services. Our incredible team of security experts are passionate about helping complex global organizations reduce risk and build cyber resilience amid rising cyber threats.
Before joining Bridewell last year, I was a founding member of another cybersecurity services firm in Houston. One of my proudest achievements was helping to grow the business from 5 to 50 employees in just four years. My experience in the field has allowed me to specialize in several key areas, including cyber security risk, governance, penetration testing, security operations, and data privacy. I also hold an MBA from Emory University and Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional (CIPP/US) certifications.
What makes Bridewell unique in the crowded field of cybersecurity?
Unlike many standard cyber security providers that try to be everything to everyone and ultimately spread themselves too thin, Bridewell is proud to specialize in critical national infrastructure. Our deep experience and dedication to this one area mean we have a unique understanding of the specific cyber security challenges facing CNI, enabling us to deliver on complex security operations where other providers have previously failed.
Also, as a global company with a UK headquarters, Bridewell has a significant edge in the US market. The UK has long been ahead of the US when it comes to having mature cyber security regulations, and the Bridewell US team are able to adapt elements of these more established frameworks. Comprehensive guidelines and legislation, such as the Network and Information Systems (NIS) Regulations, have been in place for several years now in the UK, whereas US regulations are generally more state-specific and limited in their scope. With Bridewell’s deep experience and expertise in a different region, valuable lessons can now be applied to a relatively young US regulatory market.
What are some of the worst cyberthreats you’ve come across, and how do you help prevent them?
Ransomware continues to be among the most devastating, debilitating, and costly attacks an organization can face. What’s more, we are seeing the rise of sophisticated ransomware gangs, who operate very much like any modern tech company and have an extraordinary level of skill in writing malware, performing intrusions, and extorting money.
Bridewell helps to protect organizations against ransomware threats through proactive cyber threat intelligence and comprehensive monitoring, ensuring real-time, end-to-end visibility across networks. But to get the most from these defensive technologies and processes, organizations must first establish a baseline of cyber security hygiene. They need to fully understand their business environment – including the location of their key assets and data – to identify potential vulnerabilities and prioritize their resources accordingly.
These robust measures are crucial – not just from a security standpoint but from a regulatory one, too. Data privacy regulations are evolving rapidly across the US, and obligations often vary from state to state. To avoid regulatory fines and negative press, organizations need to proactively keep up with these state-specific changes and variations and ensure that their cyber security processes are aligned.
What are the primary objectives of a penetration test, and what can organizations gain from conducting one?
Penetration tests are vital when it comes to checking the effectiveness of an organization’s technological controls at a specific point in time. To cover the broad spectrum of cyber threats, these tests can be external or internal: external pen tests simulate attacks from outside the organization’s network perimeter, while internal pen tests focus on insider threats and compromised user accounts to assess the strength of internal security controls. Both tests are designed to uncover any vulnerabilities and weaknesses within organizations’ systems and networks.
By testing exactly how far a malicious actor could go inside a company’s network or cloud environment – and what data they could steal – penetration tests help organizations identify and understand the gaps in their cyber security posture, so that they can be plugged before they’re exploited by real attackers. Pen tests will either validate the strength of a company’s existing technological controls, or shed light on previously unseen vulnerabilities and weaknesses, so every organization stands to benefit from conducting one.
But these tests can only provide a snapshot of a moment in time, which is why organization-wide penetration tests must be carried out at least annually. Meanwhile, when onboarding new vendors, organizations should request and review each vendor’s pen test results before granting them access to company data. Application-level penetration tests should also be performed during software development or alongside any software changes, so that vulnerabilities can be identified and managed on a case-by-case basis.
As technology evolves and improves, so do hackers; how do you stay one step ahead to create a safe environment for your clients?
Organizations of all sizes should be developing and implementing a robust, actionable cybersecurity program. Cyber security is never a one-off project; it’s an ongoing endeavor, so at Bridewell, we work closely alongside our clients to ensure their programs are manageable, maintainable, and tailored to their unique security needs and challenges.
To keep pace with the changing threat landscape, these security programs must be agile enough to be adapted as organizations onboard new vendors and introduce new technologies. This is particularly important as supply chain risks grow in breadth and volume. Attackers are increasingly targeting third-party vendors as the weak link in a company’s security chain – so organizations must strengthen their risk management processes as they adapt to new ways of doing business.
What steps should a small business owner take to improve their web security against hackers and data leaks?
Hacking incidents and data leaks can devastate small businesses, leading to significant financial and reputational damage. Therefore, business owners should continually practice cyber hygiene measures, such as multifactor authentication (MFA), regular software and system updates, and ongoing staff training, and ensure they have a robust and manageable cyber security program in place.
Most small businesses will not have the resources to assemble a whole team of cybersecurity specialists in-house. But instead of being a barrier for firms, this should be seen as an opportunity. By partnering with a trusted cybersecurity provider, small businesses can be supported in outsourcing or automating some of their security processes while receiving regular maintenance and monitoring from a team of external experts. This means they can take advantage of cost-effective and scalable cyber security without the need for a dedicated in-house team.