How we did it

• Only 64% of categories were fully compliant, while 36% were partially met.
• Critical gaps in security awareness, incident response, and network monitoring led to successful penetration testing scenarios.
• Lack of MFA, weak network segmentation, and insufficient SIEM log coverage increased risk exposure.

• Weak employee awareness training leads to undetected phishing and social engineering attacks.
• Incident response and recovery plans are not adequately tested, resulting in uncertain real-world recovery times.
• Excessive network access between corporate and management platforms allows lateral movement.
• Inadequate monitoring and log coverage reduce detection capabilities for malicious activity.

Conclusion

The assessment revealed critical weaknesses in employee training, network segmentation, and incident detection, allowing undetected security breaches. By implementing immediate remediation steps and long-term strategies, the organisation can significantly enhance cybersecurity resilience and achieve full NIST CSF 2.0 compliance.

• Stronger security awareness training reduces the risk of phishing-based compromises.
• Defined recovery objectives (RTO/RPO) and DRP/BCP testing ensure operational resilience.
• Stricter network segmentation and MFA implementation mitigate unauthorised access risks.
• Enhanced SIEM monitoring coverage improves threat detection and response capabilities.

By continuously refining security policies and conducting regular audits, the organisation can maintain a strong cybersecurity posture aligned with industry best practices.