Safety Detectives: Please share your company background, how you got started, and your mission.
SecureFLO: SecureFLO is a cybersecurity and privacy compliance consulting firm located in Arlington, MA, just outside Boston. Unfortunately, the news regularly reports on data breaches and the significant numbers of customer records hacked or critical business data stolen. Businesses face both financial costs as well as damage to their reputation when their data is compromised. We help companies protect their business data from cyber-attacks and data breaches and comply with the privacy standards and regulations that apply to their industry.
Our client list includes financial services, healthcare, insurance companies, and Software-as-a-Service (SaaS) companies. Each industry vertical has a unique set of privacy standards and regulations that apply. And there are lots of acronyms to describe those laws and standards.
For example, many firms want to attain ISO 27001 certification and adhere to NIST guidelines. Healthcare firms need to comply with HIPAA. Financial services companies need to comply with NYDFS. Firms selling to the US Defense industry must meet DFARS requirements. Companies doing business in California must be CCPA-compliant, while companies in Europe must comply with GDPR. Software companies typically seek to be SOC2 certified. There are many other standards. That’s why businesses hire SecureFLO to help them sort through all the details and achieve compliance and certification.
I founded the company in 2011 after working in consulting at Deloitte & Touche LLP, one of the largest professional services firms in the world. My goal for SecureFLO is to offer cybersecurity and privacy consulting best practices and a standards-based approach to small and midsize companies without all the overhead of a large consulting firm.
SD: What is the main service your company offers?
SecureFLO: We group our cybersecurity and privacy compliance services into three areas: Assess, Respond, and Protect. Most engagements begin with a variety of assessments and other tests. For example, a risk assessment could evaluate the client’s vendor and supply chain. We often perform penetration tests and vulnerability scanning by attempting to breach web apps, mobile apps, or the client’s network infrastructure. A configuration assessment would look at the software, hardware, and endpoint settings to identify potential security risks. We’ll even check whether employees are susceptible to phishing attacks, which could compromise essential business data.
In the “Respond” group of services, we develop and implement a plan to fix or “remediate” risks found in the assessment phase. We might deploy new security technology or update existing technology and correct configuration issues. We can train employees to recognize and respond to potential cyberattacks that target them directly.
Our services in the “Protect” category include working with clients to improve their processes to reduce their risk of cyberattack. Process improvements might establish (or strengthen) the governance and controls over who can (and cannot) access various types of business data. We also help clients identify approaches to respond to security incidents and create a disaster recovery plan. We can help clients select and deploy various security solutions to increase their security posture and resilience against cyber threats. We have established partnerships with software vendors that we feel offer excellent solutions. Examples of solutions we might deploy for a client include threat intelligence monitoring, firewall/honeypot, consent management, secure email, and multifactor authentication.
For midsize or larger companies, we typically work with their IT Security and compliance teams. For startups and companies with limited technology and compliance staff, we can act as their fractional Chief Information Security Officer (CISO). As the client’s on-demand CISO, we will design and manage a complete security and privacy compliance program.
SD: What is something unique that helps you stay ahead of your competition?
SecureFLO: We constantly monitor the threat landscape for current and emerging cyberthreats. Our technical staff educate themselves on new cyber threats and technology and pursue certifications that enhance their skill set. We also continually evaluate new technology solutions to determine whether and how they can improve our clients’ ability to prevent and respond to cyber threats and data breaches.
SD: What do you think are the worst cyber threats today?
SecureFLO: The rise in remote work since the pandemic significantly increases the threat points now that many employees work from outside the traditional office. Also, sophisticated hackers have devised novel ways to deceive employees into unknowingly revealing sensitive data or providing an opportunity to gain access to their company data. We offer both services and training for companies to help prevent a successful phishing attempt.
Additionally, we see that patching or patch management programs have become critical to managing risk and preventing data breaches. Monitoring traffic and access for threats from various sources and at endpoints is another measure for companies to prevent and/or block cyber-attacks.