ESKA Security

05/29/2026

Before attacking a company, threat actors conduct research and gather information from open sources.

A few Google searches are often enough to find:
• exposed services and admin panels
• old or forgotten subdomains
• leaked credentials
• the company’s technology stack
• employee email addresses
• information about internal infrastructure

Shodan helps attackers identify publicly exposed servers, VPNs, RDP services, open ports, and internet-facing systems the company may have forgotten about.

LinkedIn reveals team structure, employee roles, technologies in use, and people with privileged access, making it a valuable source for targeted phishing attacks.

GitHub repositories sometimes expose API keys, internal configurations, secrets, or code that helps attackers understand the architecture and identify potential entry points.

This is why external pentesting should always start with open-source reconnaissance, because real attackers almost always start there too.

More details in the article 👇
https://www.eskasecurity.com/post/what-attackers-see-when-they-google-your-company
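The GitHub point above is the one that can be demonstrated offline. The following is an added example, not ESKA Security's code and not taken from the linked article: a minimal secret scanner in Python of the kind both attackers and defenders run over public repositories. It matches structured key formats (the AWS access key ID prefix, PEM private-key headers) and generic `name = value` assignments for keywords such as api_key, secret, token and password, and discards low-entropy placeholders so that `xxxxxxxx` values do not drown real findings. The "repository" is a constructed set of sample file contents embedded in the script; the AWS values are the non-functional examples AWS uses in its own documentation, and the entropy threshold of 3.0 bits per character is an assumed tuning value.

```python
"""Added example (not ESKA Security's code): a minimal secret scanner of the
kind run over public repositories, using structured key formats plus an
entropy filter for generic name = value assignments. Runs offline over
constructed sample files."""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Rules: structural formats where the secret has a known shape, and a generic
# keyword rule for assignments such as api_key = "...", secret=..., PASSWORD: ...
# The generic rule allows word characters after the keyword so that names like
# AWS_SECRET_ACCESS_KEY are caught, not only the bare word "secret".
RULES: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{12,})"
    ),
}


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    preview: str  # first four characters of the match, the rest masked


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> List[Finding]:
    """Scan one file's contents line by line and return every rule match."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if m is None:
                continue
            secret = m.group(1) if m.groups() else m.group(0)
            # Placeholders such as "xxxxxxxxxxxxxxxx" have near-zero entropy.
            # Only the generic rule needs this filter; the structured rules
            # already encode a real key shape. min_entropy is an assumed value.
            if rule == "generic_assignment" and shannon_entropy(secret) < min_entropy:
                continue
            masked = secret[:4] + "*" * (len(secret) - 4)
            findings.append(Finding(path, lineno, rule, masked))
    return findings


def scan_repo(files: Dict[str, str], min_entropy: float = 3.0) -> List[Finding]:
    """Scan a mapping of path -> file contents and return all findings."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text, min_entropy))
    return out


# Constructed sample "repository" (path -> contents). The AWS values are the
# non-functional examples AWS uses in its own documentation.
SAMPLE_REPO: Dict[str, str] = {
    "config/settings.py": (
        'DEBUG = False\n'
        'ALLOWED_HOSTS = ["app.example.com"]\n'
        'API_KEY = "9f3c7a1e4b8d2f60a5c1e7b9d4f2a6c8"\n'
        'PASSWORD = "xxxxxxxxxxxxxxxx"  # placeholder, low entropy\n'
    ),
    ".env.example": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "(key material omitted from this constructed sample)\n"
    ),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}  {f.rule:20s} {f.preview}")
```

On the sample above the scanner reports four findings (the hex API key, both AWS values and the private-key header) and silences the all-x placeholder. The entropy filter is a trade-off: lowering it recovers placeholders as noise, and a real secret that happens to be low-entropy (a short numeric PIN, a repeated-character test key that was later promoted to production) is a false negative, which is why structured rules with an exact shape are preferred wherever the provider's key format is known.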

05/13/2026

Getting ISO 27001 certified is a major milestone and a demanding one. It requires significant effort from the team and a mature approach to information security management.

But the work doesn’t end there.

After certification comes a new phase - maintaining and evolving the Information Security Management System (ISMS) in a real operational environment. The first 12 months are especially important: this is the period when the system either becomes embedded in everyday business processes or gradually turns into a “set of documents for audit purposes.”

What typically changes during this phase?

🔸 Security policies stop reflecting real operational processes
🔸 Risk registers are not updated for months
🔸 Evidence of control execution is collected only “before the audit”
🔸 Access reviews, vendor reviews, and internal checks become formalities
🔸 ISMS ownership becomes unclear across teams
🔸 Management reviews exist only as a checkbox exercise

At this stage, companies often struggle with surveillance audits or receive major nonconformities.

In the article, we explore:
• what happens to ISMS after certification
• why most challenges appear within the first year
• which processes tend to degrade after the audit
• how to prepare for surveillance audits without last-minute evidence gathering

Read more: https://www.eskasecurity.com/post/iso-27001-passed-now-what-the-12-months-after-certification-that-most-companies-get-wrong

03/30/2026

Many startups and SMBs still see Governance, Risk, and Compliance (GRC) as a regulatory checkbox - something required, but not valuable. In reality, a well-structured GRC program delivers measurable business ROI.

🔸 Incident prevention
Regular risk assessments and properly implemented controls reduce the likelihood of cyber incidents and data breaches that can cost millions in downtime, recovery, and reputational damage.

🔸 Regulatory readiness
Automated compliance workflows and structured control evidence significantly reduce preparation time for SOC 2, ISO 27001 and NIS2, and help avoid penalties and last-minute stress before audits.

🔸 Business trust and faster deals
Strong governance and compliance maturity increase confidence among customers, investors and partners, often accelerating procurement and partnership decisions.

A business-aligned GRC framework helps startups and SMBs reduce risk exposure, demonstrate maturity to partners, and prepare for enterprise-level requirements.
When structured properly, compliance strengthens positioning instead of slowing growth.

Need help choosing the right approach for your company?
The ESKA Security team is ready to support you at every stage.

Address

2900 Highway 7, Concord, Ontario
Vaughan, ON
L4K0G3