HIDDEN™ Framework Guide

What This Framework Delivers

HIDDEN is a simple framework that gives you a clear, shared view of your cyber security across six critical areas of your business, so IT teams and leadership can understand risk in the same way, and act on it with confidence.

It helps you see where you’re exposed, know what to fix next, and track whether you’re actually improving.

The framework answers six simple questions:

• Are your people strengthening your security, or putting it at risk?
• Do you have control over who can access what, and should they?
• Is your critical data protected, controlled, and used safely?
• If something went wrong, could you recover quickly and confidently?
• Are your devices secure, up to date, and under control?
• Is your network and cloud environment configured safely, or quietly exposed?

Rather than starting with technology, HIDDEN focuses on what actually matters: the outcomes you need and the capabilities required to support them. It centres on the core controls every organisation needs to operate securely.

For many organisations, the starting point is a Cyber Security Snapshot.

This is a simple, fast assessment that gives you an initial view of where you stand: highlighting obvious gaps, validating what’s working, and pointing to where to focus first.

From there, the HIDDEN Profile brings everything together into a single, clear picture.

So you can instantly see:

• Where you’re strong
• Where you’re exposed
• Where your biggest risks sit
• And how balanced your overall security really is

Instead of relying on assumptions or scattered reports, you have one view that anyone in the business can understand.

Who We Built This For

Are you a business that is dealing with the following?

• Limited in-house security expertise >
• A small IT team responsible for everything
• Technology decisions being made reactively
• Security investments that are difficult to justify
• Little visibility into where risk actually sits across the business

If so, the HIDDEN framework was built for you.

How We Bring It To Life

So what does this actually look like in practice?

Once you have a clear view of your security, the next step is turning that insight into meaningful progress. Most organisations move through a similar journey: from understanding where they stand, to improving, operating, and continuously evolving their security over time.

It typically looks like this:

1. Establish clarity

Start by understanding your current position.

This means identifying where gaps exist, how your controls are performing, and where your biggest risks sit.

Move from: “I don’t know where our gaps are.”
To: “We understand our current security posture.”

2. Put the fundamentals in place

With that clarity, you can focus on strengthening the areas that matter most.

This is about addressing key risks, improving core controls, and making sure the basics are working as they should.

Move from: “We know what’s wrong.”
To: “We’re fixing the fundamentals.”

3. Make security part of how you operate

Once the foundations are in place, the focus shifts to consistency.

Security becomes something that is monitored, maintained, and embedded into day-to-day operations, not something that’s revisited only after an issue arises.

Move from: “Security is a project.”
To: “Security is part of how we operate.”

4. Improve and adapt over time

As your business evolves, so do the risks you face.

This stage is about continuously reassessing, improving, and demonstrating progress, so you’re not just maintaining security, but strengthening it over time.

Move from: “We have security tools.”
To: “We can demonstrate security maturity.”

Internally at Babble, we refer to this process as AIME: Assess, Implement, Manage, Evolve.

But what matters most is the outcome:

Moving from uncertainty → clarity
From reactive fixes → structured progress
From assumed protection → proven improvement

This guide is designed to help business leaders and IT professionals:

Understand the six critical layers of cyber security

Identify common security gaps

Ask the right diagnostic questions about risk

Learn what “good” looks like for each layer

Discover practical ways to improve over time

By the end of this guide, you should have a clearer view of where your organisation stands today, and where to focus next.

Let’s dive in.

H — Human Risk

In HIDDEN, this is where risk often starts: people.

Goal: Turn your employees from the organisation’s largest security vulnerability into its strongest line of defence.

Most cyber incidents don’t begin with a sophisticated technical exploit. They begin with a moment of trust: a convincing phishing email, a rushed click on a malicious link, or a file shared with the wrong recipient.

In other words, cyber security starts with people.

But this isn’t about pointing fingers. It’s about understanding behaviour, and building habits that keep your people and your business safe.

Attackers increasingly rely on social engineering techniques designed to exploit human behaviour rather than technical vulnerabilities. Email impersonation, attempts to steal login details, and payment diversion scams are all examples of attacks that target people rather than systems.

At the same time, many organisations still treat security awareness as a compliance activity rather than an operational capability. A once-a-year training exercise that’s completed and then forgotten about until it’s time to do it again.

Employees may receive occasional training, but without ongoing visibility, it’s difficult to understand how behaviour is changing across the organisation.

• Which teams are most vulnerable to phishing attacks?
• Which employees repeatedly click on malicious links?
• Which departments are more likely to expose sensitive information?

These questions are often difficult to answer with confidence.

As a result, security teams are left reacting to incidents, instead of preventing them.

The Human Risk area of the HIDDEN framework focuses on turning security awareness into a continuous, measurable capability.

This includes building a culture where employees are equipped to recognise threats, report suspicious activity, and contribute actively to the organisation’s security posture.

By making behavioural risk visible and measurable, organisations can move from reactive awareness training to proactive risk reduction.

What Good Looks Like

In organisations with strong human risk management:

• Security awareness is part of everyday behaviour, not a one-off activity
• Employees regularly participate in realistic phishing simulations
• Behavioural risk is visible across teams and departments
• Reporting suspicious activity is simple and encouraged

Over time, employees develop the confidence to question unusual requests, verify unexpected communications, and raise concerns when something doesn’t feel right.

Instead of being the weakest link, your people become an active layer of defence.

Ask yourself:

• How many phishing simulations have you run in the last six months?
• Do you know which users or teams represent the highest behavioural risk?
• How do employees report suspicious activity today?

If these are difficult to answer, Human Risk may currently be a HIDDEN risk in your organisation.

I — Identity Management

In HIDDEN, identity is where hidden access risk builds over time.

Goal: Ensure only the right people can access the right systems, in the right way, at the right time.

Today, attackers don’t always break into systems. More often, they log in.

As organisations adopt cloud platforms, SaaS (software-as-a-service) applications, and hybrid working models, the way people access systems has fundamentally changed.

Employees now connect to the apps, data, and services they need to do their jobs from different devices, in different locations, and across different networks (often all within the same day).

In that environment, confirming that someone is who they say they are — securely and consistently, wherever they are — has never been more important.

This is why identity has effectively become the new ‘security perimeter’.

However, identity management often evolves organically over time. New accounts are created. Access permissions change. Privileges are granted temporarily, and not always removed.

Gradually, this creates an environment where access control becomes fragmented and difficult to manage.

Without structured identity governance, organisations often accumulate:

• Unused accounts belonging to former employees
• Excessive administrative privileges
• Inconsistent authentication policies across systems

These issues often remain unnoticed until something goes wrong.

When login details are compromised (through phishing, password reuse, or other attacks), attackers can move through systems using valid credentials, often without triggering traditional security controls.

The Identity Management area of HIDDEN focuses on establishing structured, governed access control.

By strengthening authentication and controlling privileged access, you reduce the likelihood of unauthorised access, and limit its impact if it occurs.

What Good Looks Like

In organisations with mature identity governance:

• Multi-factor authentication (MFA) is enforced across users and administrators
• Authentication is adaptive and risk-aware
• Privileged access is tightly controlled and regularly reviewed
• Joiner–mover–leaver processes are defined and consistently applied
• Access rights are kept up to date and removed when no longer needed

Identity becomes a visible, governed part of daily operations, not something that changes over time.

Ask yourself:

• Do all users and administrators have MFA enforced?
• How often are privileged accounts reviewed?
• What is your process for joiners, movers, and leavers?

If these are difficult to answer, Identity Management may be a HIDDEN risk in your organisation.

D — Disaster Recovery

In HIDDEN, recovery risk is often hidden in assumptions.

Goal: Ensure your organisation can recover quickly and confidently from incidents or failures.

Many organisations believe they are protected because they have backups in place.

But backups alone don’t guarantee recovery.

During incidents such as ransomware attacks, backup systems may be targeted, corrupted, or found to be incomplete.

In other cases, backups exist, but haven’t been tested.

These situations often reveal a key assumption: that recovery capability exists simply because backups are present.

In reality, recovery depends on:

• How quickly systems can be restored.
• Whether backups are usable.
• Whether processes are defined and tested.

Without this, downtime can be longer and more disruptive than expected.

The Disaster Recovery area focuses on ensuring recovery capabilities are reliable, tested, and aligned with your business needs.

What Good Looks Like

In organisations with mature disaster recovery:

• Backups are monitored and protected
• Recovery processes are documented and tested
• Critical systems are prioritised
• Incident response plans are clearly defined
• Leadership understands recovery expectations

Confidence comes from testing, not assumption.

Ask yourself:

• When was your last successful restore test?
• If ransomware struck today, what would your recovery process be?
• What downtime could the business realistically tolerate?

If these are difficult to answer, Disaster Recovery may be a HIDDEN risk.

E — Endpoint Protection

In HIDDEN, risk appears when devices are managed differently across the business.

Goal: Create a consistent and secure baseline across all devices.

Every device connected to your systems and data represents a potential entry point for cyber criminals.

Laptops, mobile devices (both company-owned and personal), servers, and workstations are all doorways into the business.

In many SMB environments, endpoint security is handled in different ways across the organisation:

• Devices may run different operating systems.
• Security configurations can vary between teams.
• Laptops are often managed very differently from mobile devices.

As employees work across multiple devices, locations, and networks, this lack of consistency creates gaps that are difficult to see (but easy to exploit). For example, patching may depend on manual processes that take time, and security tools may generate alerts that are never fully investigated.

This is what attackers take advantage of: once they gain access to an endpoint, they can move laterally, escalate privileges, and access sensitive systems.

The Endpoint Protection area focuses on creating consistency, visibility, and control across all devices.

What Good Looks Like

• All devices follow a consistent security configuration baseline.
• Systems are regularly patched.
• Endpoint activity is monitored.
• Alerts are reviewed and acted on.

Over time, organisations can detect and respond to threats earlier, before they escalate.

Ask yourself:

• Who is actively monitoring your endpoints today?
• How quickly would you detect a threat?
• When were endpoint alerts last reviewed?

If these are difficult to answer, Endpoint Protection may be a HIDDEN risk.