What does ‘The Metrix’ mean?

Metrix Pronunciation: /ˈmɛtrɪks/
NOUN (plural matrices /ˈmeɪtrɪsiːz/)

The logical realm wherein exist the interrelation and inter-communication of otherwise disparate systems and bodies.

The Metrix was defined by Information Security company Unity Metrix and refers to a logical domain, be that real or virtual in nature, where multifarious communication methods enable users and systems to interact and communicate, intentionally or unintentionally. The metrix is not fixed in scope but depends on a perimeter defined by the subject. For example, from the position of a computer, the metrix could be seen to be simply the devices connected along the line to the network port, the mains power supply, wireless keyboard controllers etc. From the position of a mobile phone connected to the same network, the metrix would include the same devices (since it is also connected to the wireless network), but also the computer that it might be plugged into via USB, the carrier network and its subsequent connections, a Bluetooth headset and even the mains network if it happens to be charging. Communication can just as easily be audible and visual, and therefore the metrix also covers direct or indirect human visibility, audio or any other method enabling the transference of information.

USE: The Metrix could be referred to as ‘The Local Metrix’ for instance in order to describe all communications possible within a specific physical constraint such as a building or rack, or ‘The Geophysical Metrix’ to describe similar connectivity based on location, but not necessarily bound or governed by any common administrative, physical or logical factors.

“There is a danger of data exfiltration by using power manipulation within the given metrix”

“The Metrix of the accounts office provides too many attack surfaces”

The company name Unity Metrix was spawned in reference to the unification of systems and controls that govern security within a defined metrix.

Why would I need a security audit?

It is widely reported that two thirds of businesses now suffer a compromise of some sort on a monthly basis, many of which end up costing thousands or even hundreds of thousands of dollars to rectify, IF IT IS POSSIBLE AT ALL. Your business is no different; you just don’t know about it yet. An audit will identify weaknesses in your business and help you shore up the defences. Protect yourself now, for the same reason that you wouldn’t wait until your house burned down before you considered insurance.

I’m only a small business, surely nobody is interested in my data?

A recent article in The Guardian states: “not only are small businesses now firmly in the crosshairs of cyber-criminals, they are fast becoming their favoured target – and are often woefully unprepared.” The cost of not doing anything can easily outweigh the cost of improving your defences, and the cost of doing nothing is rising by the day. Reports by the US National Cyber Security Alliance found that 60 per cent of small companies that suffered a breach went out of business six months after the attack.

Am I actually obliged to protect my business data?

The new EU GDPR regulations will establish one single set of data protection laws across all 28 European member states, replacing their own legislation by 2018. Data controllers now have to notify the appropriate supervisory authority within 72 hrs. Fines of up to €20 million or 4% of global annual turnover, whichever is the greater, will be levied on companies that suffer a breach. Should the company cause any person to suffer material or immaterial damage as a result of a breach, that person will also have the right to claim compensation.

I already have an IT department/Consultant looking after such things?

Oh, you think so? In the main, the board and small business owners ASSUME that the IT department is protecting them, but they are not. Information security is not an IT function, and whilst the best-intentioned IT consultants do their best to secure your network (they usually do it under the influence of a raft of misconceptions), many vulnerabilities are not actually in IT at all. For example, is it the job of the IT department to vet your staff? To organise clear-desk policies? To train users on social engineering attacks? Usually not!

Will I be 100% protected if I take your every recommendation?

Whilst we would love to say yes, there is no organisation anywhere in the world that is 100% protected. We are good at what we do, so we will aim to deliver the best risk-mitigation strategy possible, and that might even involve simply insuring against some risks. Either way, it will be based on a solid business case designed to protect your business future while you grow your future business.

Cybersecurity, that’s just computers etc. right?

Whilst the information that we want to protect is usually in electronic form, the attack surfaces extend into many other aspects of your business. To that end, our audits are not constrained to simply poking around at your network systems, but are far deeper and wider and encompass many non-IT-related aspects.

I have an IT business, aren’t you a competitor?

We work closely with IT consultancies in order to a) test the security posture of their clients, b) reduce the culture of blame on IT for what is essentially a non-IT function and c) monitor and maintain the mundane and finicky stuff that IT departments hate, such as virus guards and backup systems. But one thing we are definitely NOT is an IT support company; we leave that to you and simply work with you to improve defences.

We can just do this ourselves can’t we?

The consultants at Unity Metrix are specialists in their individual fields, with many years of experience and qualifications. We are very used to learning about, witnessing and clearing up compromised systems, we have broad knowledge of myriad security products, vulnerabilities, mistakes and consequences, and we spend every day dealing with things that your IT department might see only on rare occasions. That is why we are experts and why we will see the things that internal technicians often miss.

I have been compromised, can you help?

Yes, we can help. Our aim is to protect companies so that they never have to experience the fallout of an attack, but in that event we do have the facility to help to get you back on track.

What about disaster-recovery and contingency?

We can help draw up disaster recovery plans (DRP) for your business. We can also help with contingency planning, to help keep you running in the event of a system failure. In fact that is our raison d’être, just to keep your business running, period!

How do I secure my remote workers?

Having people all of a sudden work from home means that your attack surfaces (the points at which vulnerabilities could be exploited) have multiplied significantly. They may no longer benefit from the protection offered by your network and will certainly be more at risk of failings in compliance. NDAs that they may have signed will not apply to those in close proximity to the employee and make no mistake, information is money! The only way to properly assess your security posture and requirements is to have a third-party assessment, something which Unity Metrix do very well.

I trust my IT support people to do the right thing, so we should be fine shouldn’t we?

This is a little bit like asking an accountant to audit himself or asking a programmer to check their own code. Whilst they are probably very capable, professional people, who may be very good at what they do, it is bad practice to assume that they do everything right and in fact many regulations like PCI DSS and GDPR actually define the requirement to have some security features independently verified.

We are an IT support company, aren’t you in competition with us?

No, quite the opposite. Your best advice should always include third-party security audits. Furthermore, we like to work with people like you and can enhance your service offerings by providing proper SOC offerings, so that you know your customers’ systems are being monitored, without having to devote internal resources to it.