Technology Resilience Score™

Cyber Security Controls

Security tools do not protect your business.

Most organisations have invested in cyber security tools. Antivirus, firewalls, email filtering and patching are all common. On paper, it looks like protection is in place.

But tools alone do not stop attacks.

Without active monitoring, proper configuration and a structured response capability, security controls become passive — and passive controls do not prevent breaches.

The Cyber Security Controls domain of the Technology Resilience Score looks at whether your organisation's defences are working as a coordinated programme, not just a collection of tools.

Is your security actively protecting the business — or simply present on paper?

What does Cyber Security Controls measure?

This domain assesses whether your organisation's security controls are effective, maintained and actively monitored. It focuses on four critical areas: endpoint protection, network security, email security, and vulnerability management. Typical areas reviewed include:

• →use of endpoint detection and response rather than traditional antivirus
• →firewall configuration, maintenance and review
• →email security configuration, including enforcement of protections such as DMARC
• →vulnerability scanning and patch management processes
• →whether alerts are monitored and responded to
• →integration between tools and operational processes
• →maturity of security configuration across systems
• →consistency of security controls across users and devices

This domain is not about how many tools you have. It is about whether those tools form a working defence.

Why this matters to business owners and operators

Cyber attacks are not theoretical. They are targeted, frequent and increasingly effective. An attacker does not need to defeat every control — they only need to find the gap that is not actively monitored or maintained. For business owners, weak security controls directly affect:

• →financial loss from fraud or disruption
• →exposure of sensitive or client data
• →operational downtime
• →contractual and regulatory obligations
• →client trust and reputation

What weak cyber security controls look like

• ✗traditional antivirus is used without detection and response capability
• ✗firewall configuration has not been reviewed or maintained
• ✗email security is left on default settings
• ✗protections such as DMARC are not enforced
• ✗vulnerabilities are patched inconsistently or reactively
• ✗alerts are not actively monitored
• ✗tools exist but are not integrated into a clear response process
• ✗security is treated as a set of products rather than an ongoing discipline

This creates a false sense of security. The organisation appears protected, but gaps remain that attackers can exploit.

What strong cyber security controls look like

A resilient organisation operates a coordinated security programme.

Endpoint detection and response identifies threats on devices. Email security blocks malicious content before it reaches users. Network controls are actively maintained. Vulnerabilities are continuously scanned and remediated.

Alerts are monitored and investigated. Incidents are contained quickly.

Security controls are configured deliberately, reviewed regularly and supported by a clear incident response capability.

In a strong environment, security is not passive. It is active, monitored and continuously improving.

How this affects your Technology Resilience Score

Cyber Security Controls is one of the 10 domains assessed as part of the Technology Resilience Score — and the highest-weighted due to its direct impact on breach risk. A weak score typically indicates that controls exist but are not operating as an effective programme. Improving this domain helps the organisation move towards a stronger overall score by creating:

Improving this domain helps by creating:

• ✓stronger protection against common attack methods
• ✓reduced likelihood of successful breaches
• ✓faster detection and containment of incidents
• ✓improved client and insurer confidence
• ✓a more defensible security position

Improving this domain is one of the most direct ways to reduce breach risk.

How LBT Resilience improves Cyber Security Controls

LBT Resilience starts with a Technology Resilience Assessment. We assess your organisation across all 10 domains, including Cyber Security Controls, and give you a clear score out of 5.

We then assess how your security controls operate in practice. This includes reviewing endpoint protection, email security, network controls and vulnerability management.

From there, we create a practical improvement plan. This focuses on moving from individual tools to a coordinated, monitored security programme with clear processes and accountability.

Because support and security are included as part of LBT Resilience, security is not treated as a one-off implementation. It becomes an ongoing, measurable improvement process.

Find out whether your security is a programme or just a toolkit

Most organisations believe they are protected because they have tools in place. Few can demonstrate that those tools are working together effectively. The Technology Resilience Assessment gives you a verified score out of 5, a clear view of your security posture and a roadmap to strengthen it.

Frequently Asked Questions