Penetration Testing

Penetration Testing – What is it and why?

Penetration testing takes an offensive approach to security by mimicking techniques and methodologies that would be used by a real-life malicious attacker. It is often required to satisfy insurance and policy requirements.

Penetration tests take a simulated-attack approach to finding vulnerabilities, weaknesses and misconfigurations across network, web application, mobile and physical security.

The purpose of a Penetration test is to identify any vulnerabilities before an attacker does.
Penetration testing is not the only step in a strong security posture, but it should be used regularly alongside defensive management strategies.

Defenders need to find and close every way into a network; an attacker only needs to find one. Penetration testing puts a skilled tester on the attacker’s side of that equation before a real adversary gets there.

Infrastructure Penetration Testing
A company’s infrastructure, external or internal, is the group of systems that store sensitive data about employees and clients and often host business-critical software. If this information is stolen and released it can result in serious loss of reputation, fines and potentially criminal charges.
What are the benefits of Infrastructure Penetration Testing?
• To assess the infrastructure for security vulnerabilities that allow attackers to obtain sensitive information or compromise entire systems
• Improving the overall security posture and reducing your attack surface
• Many regulatory bodies require Penetration testing

Consultant-led penetration testing should take place every six months, and after any significant change, to confirm that your applications and infrastructure remain in good shape and do not present known vulnerabilities or security misconfigurations. A test is a point-in-time assessment of what was in scope, not a guarantee against everything.

If you would like more information on our Penetration Testing services, please contact us. You can also find out more about penetration testing from the National Cyber Security Centre (NCSC), the UK Government’s cyber security authority.

We’re Hiring!

At TruStack our vision is to build a sustainable and socially responsible organisation that is trusted by our staff, our customers and our vendors to provide outstanding customer service and innovative solutions.

After a period of rapid growth, team TruStack are hiring for a number of roles!

Are you enthusiastic about telephony or networking and being part of an experienced team of industry specialists? If yes, we may be the perfect fit for each other!

If you are passionate about delivering exceptional customer service, solving complex problems and full of ideas then you might be the person we are looking for to join us at TruStack.

We have the following two roles available for immediate start:

  • Telecoms and UC Engineer
  • Systems and Networking Engineer

In return we will commit to a full onboarding schedule, a competitive remuneration package and access to ongoing personal development.

For more information and a full job specification, please email [email protected]

Please note we are not accepting applications from recruitment agencies at this time.

Blog Post – Tech Director, Russell Henderson on Cybersecurity and Agile Working

It is predicted globally that companies will spend in excess of $137 billion in 2020 to protect against cyber threats.  However, whilst there are varying estimates and predictions of the global cost of cyber-attacks on businesses this year, the highly regarded technology research company Gartner predict it will be around $3.9 trillion!

Cyber-attacks are no longer conducted just by individuals sitting in bedrooms. State-sponsored and politically motivated cyber-attacks shape global economies and political landscapes. The skills behind the attacks are increasing and the rewards for those carrying them out are increasing, so it is reasonable to predict more attacks, and more complex ones, in future.

Of all the possible methods of attack, ransomware is certainly making itself felt for businesses at the minute. This is malware that encrypts a victim’s environment, after which the attacker demands a ransom to restore access to the data. We have seen a number of attacks in recent months. In several cases unpatched systems or a weak password in the environment were the initial point of entry; these attacks appear more opportunistic than targeted. Other ever-present threats include phishing and other fraud-based scams aimed at immediately compromising financial or personal details.

With the countless threats out there to businesses, it is important to have a security-first mind-set in the leadership team. Companies’ focus is so often on time to market, base line product cost and profit margin or process turn-around time. Rarely do you hear “let’s slow down and factor in security throughout the build process or the delivery mechanism”. Speed can, and often does, lead to mistakes or gaps appearing in security, especially when operating over multiple cloud platforms, applications development platforms and open systems.

Business leaders must build time and cost for security into their areas of responsibility. This includes involving experienced security specialists, whether internal people who are trained up or external consultants, and accepting that components with better security may cost more. It also means accepting that timescales may lengthen or costs increase to enhance security. Finally, it means accepting that despite your best efforts you will never be, or remain, 100% secure: technology and the threat landscape move at great speed, and what is very secure today can often be exploited tomorrow, so a mindset of continual improvement towards security is also needed.

As working from home is likely to become more commonplace in future, it is vital to account for this when considering security. Home networks tend to be far more open, with devices – including smart speakers, internet enabled sound bars, games consoles, smart lights, three or four smart phones, smart TVs – potentially sharing a network and broadband with multiple work devices.  All of this increases the possibility of a piece of malware, or ransomware finding a weakness and exploiting it, potentially allowing it to find and spread in the local network. Remote workers need strong security and those systems need stringent monitoring to protect the business data users operate with.

Businesses need layers of protection. No business can rely on a single product, platform or device to protect its data. A basic example of a layered approach would be a next-generation firewall to protect office or home locations and a quality antivirus or endpoint protection platform for user devices and servers on corporate networks. Mobile device management and internal network inspection services are also reasonable further steps to protect sensitive company, user and client data.

How, where and what data is stored, and which services or people access it and how, is a significant consideration. Security patching, despite being a large and time-consuming task, is also important, as is password management: weak or reused passwords, or passwords that have already appeared in a breach, are an easy target and a common initial foothold into a company’s resources.

A platform to ingest, correlate and report on the millions of log entries generated by these security products is also a requirement. Protection that is buried under so much data and so many alerts that you cannot see the risks is of little use, which is why many businesses already have, or are investing in, SOC and SIEM capabilities.

These are just some of the challenges and protection measures that TruStack consults around. There are hundreds more products and platforms that need protection and numerous ways to protect, each providing its own benefits and drawbacks and associated costs.

The best ‘last chance’ protection you can have is a robust backup and recovery solution that includes an air-gapped (offline or otherwise immutable) copy, so that your data at rest cannot be encrypted or deleted along with the production systems. This is the very last line of defence, and if you find yourself compromised it is often the solution businesses call upon to recover and cleanse their systems. The quality of your backup solution determines whether your data is available for recovery and how quickly it can be recovered.

In today’s ever more connected world we need to share or access data ever more readily with more applications and services at greater speed. However, the more open we become, the less secure we become.

It is a common belief that data is now the most valuable of global commodities, be it our personal data or corporate data. Be it for good or for negative purposes, demand to access this data legitimately or illegitimately continues to grow. With data residing in so many different locations – including clouds, corporate networks, mobile and other smart devices, backup media and locations, co-location centres and removable media – it is up to businesses to make sure they have done all they can to protect this information.

It is up to businesses to ensure they have a ‘security-first’ mindset from bottom to top to give them the best chance possible of this happening.

You can read more about our Cybersecurity solutions here or about our Agile Working solutions here.

Or please get in touch with one of the team on [email protected] or click here.

Agile Working Trends E-Book

Whether you call it agile working, remote working or flexible working, it’s changed the game for all businesses.

A well-rounded agile working solution should include many or all of the aspects covered in the e-book, from cybersecurity measures such as multi-factor authentication to disaster recovery solutions should the worst happen.

In May 2020 we decided to contact our customers to ask them about their ‘new normal’ working practices throughout the pandemic of Covid-19 and if there was anything they would have done differently if they could have.

You can download the e-book by filling in the form below. You can also read what Commercial Director Phil Cambers had to say about the findings by clicking here.


Data Classification: What it is, why you should care and how to perform it.

Many organisations have limited resources to invest in safeguarding data. Knowing exactly what needs to be protected will help you develop a secure plan so you can allocate your budget and other resources wisely.

The best place to start is by classifying your data. Classification provides a solid foundation for a data security strategy because it helps to identify the data at risk in the IT network, both on premises and in the cloud.

In this article, we will give the data classification definition and explore the steps involved in getting started.

What is data classification?

Data classification is the process of organising both structured and unstructured data into categories. It enables more efficient use and protection of critical data, including facilitating risk management, legal discovery, and compliance processes.

For years, it was up to users to classify data they created, sent, modified or otherwise touched. Today, organisations have options for automating classification of new data that users create or collect.

What is data discovery? 

Data discovery is the process of scanning repositories to locate data. It can serve many purposes, such as enterprise content search, data governance, data analysis and visualisation. When combined with data classification, it helps organisations identify repositories that might contain sensitive information so they can make informed decisions about how to properly protect that data.

Data security

To safeguard sensitive corporate and customer data adequately, you must know and understand your data. You need to be able to answer the following questions:

  • What sensitive data, such as intellectual property (IP), protected health information (PHI), personally identifiable information (PII), and credit card numbers, do you store?
  • Where does this sensitive data reside?
  • Who can access, modify and delete it?
  • How will your business be affected if this data is leaked, destroyed or improperly altered?

Having answers to these questions, along with information about the threat landscape, enables organisations to protect sensitive data by assessing risk levels, planning and implementing appropriate data protection and threat detection measures.

Regulatory compliance

Compliance standards require organisations to protect specific data such as cardholder information (PCI DSS), health records (HIPAA), financial data (SOX) or personal data (GDPR). Data discovery and classification helps to determine where these types of data are located so you can make sure that appropriate security controls are in place and that the data is trackable and searchable as required by regulations.

Guidelines for data classification

There is no one-size-fits-all approach to data classification. However, the classification process can be broken down into five key steps, which you can tailor to meet your organisation’s needs as you develop your general data protection strategy.

Step #1. Establish a data classification policy

First, you should define a data classification policy and communicate it to all employees who work with sensitive data. The policy should be short and simple and include the following basic elements:

  • Objectives – The reasons data classification has been put into place and the goals the company expects to achieve from it.
  • Workflows – How the data classification process will be organised and how it will impact employees who use different categories of sensitive data.
  • Data classification scheme – The categories that the data will be classified into.
  • Data owners – The roles and responsibilities of the business units, including how they should classify sensitive data and grant access to it.
  • Handling instructions – Security standards that specify appropriate handling practices for each category of data, such as how it must be stored, what access rights should be assigned, how it can be shared, when it must be encrypted, and retention terms and processes.

Step #2. Discover the sensitive data you already store

Now it’s time to apply your classification policies to your existing data. You could choose to classify only new data, but then business-critical or confidential data you already have might be left insufficiently protected.

Rather than trying to manually identify databases, file shares and other systems that might contain sensitive information, consider investing in a data discovery application that will automate the process. Some technology tools report both the volume and potential category of the data.

Step #3. Apply labels

Each sensitive data asset needs a label in accordance with your data classification model; this will help you enforce your data classification policy.

Step #4. Use the results to improve security and compliance

Once you know what sensitive data you have and its storage locations, you can review your security and privacy policies and procedures to assess whether all data is protected by risk-appropriate measures.

Step #5. Repeat

Files are created, copied, moved and deleted every day. Therefore, data classification must be an ongoing process. Proper administration of the data classification process will help ensure that all sensitive data is protected.
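What steps 2 and 3 look like in practice for a file share, as an added example rather than anything from the original article: the script below scans a folder, looks for a few kinds of sensitive data, applies a label from a three-tier scheme and writes a CSV that step 4 can act on. The detectors, the Public/Internal/Confidential scheme and the sample files are all assumptions made for the example; a real policy will have its own categories and handling rules.

```powershell
# Added example (not from the article): discover sensitive data in a folder (step 2) and label
# each file (step 3). Detectors, labels and sample files are assumptions made for the example.

function Test-Luhn {
    # Luhn checksum, so that arbitrary 16-digit numbers are not reported as card numbers
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

# Each detector: what it finds, how to confirm a match, and the label a confirmed match implies
$detectors = @(
    @{ Name = 'CardNumber';          Label = 'Confidential'; Regex = '\b(?:\d[ -]?){13,18}\d\b'
       Validate = { param($m) Test-Luhn ($m -replace '[ -]', '') } },
    @{ Name = 'UkNationalInsurance'; Label = 'Confidential'; Regex = '\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b'
       Validate = { $true } },
    @{ Name = 'EmailAddress';        Label = 'Internal';     Regex = '\b[\w.+-]+@[\w-]+\.[\w.-]+\b'
       Validate = { $true } }
)
$rank = @{ Public = 0; Internal = 1; Confidential = 2 }   # a file takes the highest label found in it

function Get-FileClassification {
    param([string]$Path)
    $text = Get-Content -Path $Path -Raw -ErrorAction Stop
    $label = 'Public'; $findings = @()
    foreach ($d in $detectors) {
        $confirmed = @([regex]::Matches($text, $d.Regex) | Where-Object { & $d.Validate $_.Value })
        if ($confirmed.Count -gt 0) {
            $findings += "$($d.Name)=$($confirmed.Count)"
            if ($rank[$d.Label] -gt $rank[$label]) { $label = $d.Label }
        }
    }
    [pscustomobject]@{ File = $Path; Label = $label; Findings = ($findings -join ';') }
}

# Constructed sample files so the script runs offline
$root = Join-Path ([IO.Path]::GetTempPath()) 'classify-demo'
New-Item -ItemType Directory -Force -Path $root | Out-Null
Set-Content (Join-Path $root 'newsletter.txt') 'Company picnic is on Friday.'
Set-Content (Join-Path $root 'contacts.csv')   @('name,email', 'a.person,a.person@example.com')
Set-Content (Join-Path $root 'refunds.txt')    'Refund to card 4111 1111 1111 1111 for AB123456C'
Set-Content (Join-Path $root 'lookalike.txt')  'Ticket 1234 5678 9012 3456 is not a card'   # fails Luhn

$results = Get-ChildItem -Path $root -File -Recurse -Exclude 'classification.csv' |
    ForEach-Object { Get-FileClassification $_.FullName }
$results | Format-Table -AutoSize
$results | Export-Csv -Path (Join-Path $root 'classification.csv') -NoTypeInformation
```

With the sample files, newsletter.txt and lookalike.txt come out as Public (the lookalike fails the Luhn check), contacts.csv as Internal and refunds.txt as Confidential. The validation step is the part worth copying: a regex alone produces enough false positives that people stop trusting the labels, which defeats step 4.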


Data classification is not a magic wand that ensures data security or compliance with regulatory requirements by itself. Rather, it helps organisations identify the data most critical to the business so they can focus their limited time and financial resources on ensuring appropriate data protection.

For more information contact us here.

Data Owner vs Data Processor – Why You Need to Protect Your Own Data

There is a common misconception among Software as a Service (SaaS) users that backup is not necessary for their data because it lives in the cloud, and that the provider will back up and secure it. Unfortunately this is untrue: SaaS applications such as Microsoft 365 are just as vulnerable to data loss as on-premises applications.

Why? Because the number one cause of data loss is human error: staff accidentally deleting files, opening phishing emails, downloading malware and so on.
Some scenarios in which customers could lose data include:

  • Malicious deletion by a disgruntled employee or outside entity
  • Malware damage or ransomware attacks
  • Operational errors such as accidental data overwrites
  • Lost data due to cancelled app licenses

SaaS services such as Office 365 provide convenient access to e-mail, data storage and collaboration tools. These features were traditionally offered from on-premises infrastructure such as Exchange Server and SharePoint Server, where the data processor and the data owner tend to be the same organisation.

Now think about what this means in a SaaS environment: the data-processing task has moved to a cloud service you no longer need to run, but you are still the data owner (the data controller, in GDPR terms). That means you are still responsible for how the data is protected.

In this example, Microsoft’s responsibility as the data processor is bounded by the Service Level Agreement it operates to, which guarantees that the service it offers will be available. As of Q1 2020, O365 reported 99.98% uptime, or, to put that into perspective, an average of about 17 seconds of downtime per day. Microsoft operates a resilient infrastructure that meets stringent security certifications such as Cyber Essentials Plus, and gains hardware-level resilience by operating its services from multiple data centres in dedicated regions around the world.

All of this is great for providing a service, but it doesn’t protect the data within those services that you as the data owner are responsible for. Let’s assume you have a business requirement to maintain 7 years’ worth of email data when that data lived on-premises, that requirement doesn’t suddenly go away when you move the data to the cloud. Equally, if e-mails were deleted or were subject to some kind of ransomware attack, you would rely on a backup to recover the data. The same thing still applies when the data is running in a SaaS service like O365.

This is where products like Datto SaaS Protection come into play. For more information on how we can help, or a free demo, email us at [email protected] or call us on 0191 250 3000.

Handy Hints For Agile Working – Office 365

  • Did you know that with Office 365 you can access all of your business applications by going to the Office 365 web portal? From there you can access everything you need to work agilely, including Word Online, Outlook on the web, Excel Online and so on.

    IT Admins should still be aware that multi-factor authentication should be in place when accessing any apps online.

    Learn more about Thales by clicking HERE

  • Don’t think of Office 365 as just your day-to-day applications limited to your computer: licence permitting, you can use Office 365 on up to five devices, for example your tablet or smartphone. You can use OneDrive or SharePoint as a central point to store, share and access information from any device and any location.

    Remember that Microsoft does not provide a backup of your files or data that you control; retention settings and recycle bins are not a substitute, so you will need another solution, such as Datto, to protect against loss of information should anything happen.

    Learn more about Datto by clicking HERE

Struggling with Office 365 or Agile Working? You can contact us by clicking HERE!

Handy Hints For Agile Working – Microsoft Teams

Use tech to stay connected – sometimes you can feel cut off from what’s happening in the office when working remotely. By using video calls and instant messaging you can catch up with your coworkers, request information and bounce ideas around the team helping you to feel connected.

1. Did you know that you can send out Teams conference call details from either within the Teams app or from Outlook for a handy free-of-charge conference? You can also upgrade to audio conferencing licensing to include global dial-in details.
2. User beware – do you have external contacts within your Teams in Office 365? Be careful when adding attachments that are for internal viewing only!

3. Did you know when on a video conference you can blur your background. You may have confidential information in view of those on your call! You can also use covers for your webcam to ensure you are ready before going live.

4. Double check your audio before starting a Teams call! Do you have your laptop connected to other home devices such as your Echo Dot?!

5. Be careful what you are sharing! Only share the screen that you want to share, you could be sharing important emails, customers details or confidential information.

6. Use of applications: did you know there is a whole host of applications you can add into Teams, such as Trello, Flow and Yammer?

7. Did you know that you can record all of your Teams meetings for future playback? Just make sure that you tell the team before you do this!

Struggling with Teams or any other aspect of Agile Working? Why not contact us? We would be happy to help!

Organisations Growing Together as TruStack Supports NCFE in Business Transformation

Almost a decade after they partnered for the first time, two of the North East’s most forward-thinking and flourishing organisations are looking forward to a healthy future together.

Digital business experts at TruStack have completed a transformation of IT systems at NCFE, a leading provider of educational services for more than 170 years.

TruStack was formed last year after the merger of SITS Group, PCI Services and Pivotal Networks, with SITS installing NCFE’s IT infrastructure back in 2013.

Not-for-profit organisation NCFE, which designs and certifies technical qualifications as well as offering assessment and educational technology solutions, decided to update its systems to keep pace with the organisation’s growth.

NCFE was pleased to continue its long-standing relationship with TruStack, a business which prides itself on giving clients ‘innovative solutions and expert support’.

Nick Evans, NCFE’s Information Security Manager, said: “TruStack has always supported us on our business journey. We feel that they are almost an extension of our own team.

“Our engineers trust their engineers. That respect between the organisations from an engineering level to managerial level has been born from a long-term relationship between us.”

“However, there was nothing to say that we were definitely going to go with TruStack for the project, but when it came down to it no one else could provide the same level of support and respect that we have received from them.”

“I have always felt they are not there just to make money from a client – they care. They had a vested interest in making sure the project was successful and that is what they did.”

In the past five years NCFE has seen its turnover more than double and its workforce increase from around 200 to more than 450 employees.

Security is vital to NCFE, with the organisation contributing to the success of millions of learners at all levels, in a range of sectors.

From September, it will take responsibility for delivering one of the government’s new T-Level qualifications, with five more to follow in 2021.

Lindsey Gibson, Head of Group IT at NCFE, added: “We help learners from all walks of life to progress in their education and into employment, in line with our core purpose to ‘promote and advance learning’.

“We are firmly focused on the future and TruStack is a key partner in helping us to grow and increase our reach and impact.”

TruStack’s engineers spent eleven days planning for, and delivering, the project at NCFE’s head office at Quorum Business Park, in Newcastle-upon-Tyne, with the project going live in December.

Liam Holliday, TruStack sales manager, said: “It was a case of giving NCFE a platform to host its business applications that would last well into the future.

“We pride ourselves on getting things right first time, and we are pleased things have turned out so well for NCFE in the latest stage of our partnership.”

He added: “We can never rest on our laurels. We see every opportunity we get like it’s a new business.

“By treating every customer like a new customer we give ourselves the best chance possible of winning their business next time.”

TruStack works with hundreds of companies across the North East and beyond, including several of the North East’s Top 200 companies such as Unipres (UK) and Vertu Motors.

Other clients include the Natural History Museum and Collingwood Business Solutions.

TruStack has its head office on the Northumberland Business Park, Cramlington, with a branch office situated at the Evolve Business Centre, Houghton le Spring.

If you are interested in finding out more, visit our website or call 0191 250 3000.

Note to news desks

For further information, please contact Phil Cambers on 0191 250 3000

For more information on NCFE please go to the NCFE website.

Top Tips for Office 365 Security and Availability

Have you already moved, thinking of moving, or currently migrating to O365 and unsure of what security precautions you should be taking? We run through the basics that all administrators should be implementing.

  1. Use multi-factor authentication (MFA). This is the single most effective control against account takeover using stolen or phished passwords for O365 users: it does not stop a password being stolen, but it stops the password being enough on its own. Microsoft’s own MFA and a number of third-party vendors offer it, in the form of physical or virtual tokens; authenticator apps and hardware keys resist phishing far better than SMS codes.
  2. Enable unified audit logging in the Security and Compliance Centre (now the Microsoft Purview compliance portal). This gives you per-user activity across all 365 apps, which you will need for any incident investigation; confirm it is actually switched on rather than assuming it is.
  3. Ensure Azure AD password hash synchronisation (via Azure AD Connect) is planned for and configured correctly before migrating users.
  4. Disable legacy email protocols if not required, or limit their use to specific users. Legacy protocols (IMAP, POP and authenticated SMTP client submission) only support basic authentication, so MFA cannot be enforced on them and they are the usual route for password-spraying attacks. They can be disabled tenancy wide or per user; check the Azure AD sign-in logs for legacy authentication use first, so you know which users or devices (scanners, line-of-business apps) still need an exception.
  5. Configure Conditional Access. This gives you the ability to block sign-ins from certain countries, require MFA and block legacy authentication outright. When studying audit logs you will see most attacks come from a handful of countries. Is there ever a time any of your users need to access O365 from China or other well-known sources of attacks? If the answer is no, use Conditional Access to reduce the attack surface of O365, bearing in mind that attackers also route through local VPNs and compromised hosts, so geo-blocking is a coarse filter rather than a complete defence.
  6. Implement Cloud App Security. When data is uploaded to the cloud, how do you know it is free of viruses and malware? With Cloud App Security uploaded data is scanned and can be quarantined, reducing the risk of a user downloading an infected file. Without this layer you are relying on perimeter security if the user is inside the corporate network, and then on endpoint security as the last line of defence. We recommend a layered approach: each additional layer increases the chance of stopping a zero-day threat, potentially before it even enters your network.
  7. Managed anti-spam. Not only does this reduce the volume of spam and malicious content, it can also give your employees access to email if or when Office 365 goes down.
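The checks in tips 2 and 4, and a first look at the sign-in data that the geo-blocking decision in tip 5 depends on, can be scripted against Exchange Online PowerShell. The script below is an added example, not a TruStack tool or anything from the original page: the admin account, the exception list and the example tenant names are assumptions, and it only reports unless it is run with -Apply.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example (not TruStack's or Microsoft's own script): report on, and optionally fix,
# unified audit logging and legacy mail protocols in an Office 365 tenant.
param(
    [string]$AdminUpn = 'admin@example.onmicrosoft.com',              # assumed admin account
    [string[]]$LegacyProtocolExceptions = @('scanner@example.com'),   # assumed: users that still need IMAP/POP/SMTP AUTH
    [switch]$Apply                                                    # without -Apply the script only reports
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Tip 2: unified audit logging must be switched on before you need it
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF'
    if ($Apply) { Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true }
}

# Modern authentication has to be on before legacy protocols can be retired
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    Write-Warning 'Modern authentication (OAuth2ClientProfileEnabled) is OFF'
    if ($Apply) { Set-OrganizationConfig -OAuth2ClientProfileEnabled $true }
}

# Tip 4: which mailboxes can still be reached with basic authentication?
# A blank per-mailbox SMTP AUTH setting means "inherit the tenant default".
$tenantSmtpAuthDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
function Test-SmtpAuthEnabled($mbx) {
    if ($null -eq $mbx.SmtpClientAuthenticationDisabled) { return -not $tenantSmtpAuthDisabled }
    return -not $mbx.SmtpClientAuthenticationDisabled
}

$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    [pscustomobject]@{
        Mailbox  = $_.PrimarySmtpAddress
        Imap     = $_.ImapEnabled
        Pop      = $_.PopEnabled
        SmtpAuth = Test-SmtpAuthEnabled $_
        Exempt   = $LegacyProtocolExceptions -contains $_.PrimarySmtpAddress
    }
} | Where-Object { $_.Imap -or $_.Pop -or $_.SmtpAuth }
$report | Format-Table -AutoSize

if ($Apply) {
    # Tenant-wide defaults: SMTP AUTH off, and new mailboxes are created with IMAP/POP off
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
    Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

    foreach ($r in ($report | Where-Object { -not $_.Exempt })) {
        Set-CASMailbox -Identity $r.Mailbox -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true
    }
    # Exempt users get an explicit per-mailbox override so the tenant default does not catch them
    foreach ($u in $LegacyProtocolExceptions) {
        Set-CASMailbox -Identity $u -SmtpClientAuthenticationDisabled $false
    }
}

# Input for tip 5: where have users been signing in from over the last week?
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -Operations UserLoggedIn -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Apply and review the report before switching anything off; a scanner or line-of-business application that still needs SMTP AUTH will stop working the moment the tenant default changes. The Azure AD sign-in log (its client app column) is the authoritative view of legacy-authentication use, and a Conditional Access policy that blocks legacy authentication is the belt to go with these braces; the audit-log query at the end only shows which IP addresses users have been signing in from, which is the input the geo-blocking decision in tip 5 needs.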

You can find more out about our services here.