Month: November 2023

SMEs and their Trials and Tribulations in regard to Cyber Security and Data Protection

Earlier this week I put a post on LinkedIn talking about why SMEs don’t take cyber security as seriously as they should and often just pay lip service to it.  I said I’d elaborate on that in the next newsletter.  Well, here it is.

When Cyber Security hits the news, and thus our consciousness, it’s nearly always in terms of breaches, regulatory fines, and business disasters, and nearly always concerning a major household name.  We don’t talk about the benefits that it can bring, particularly these days when businesses of all sizes are looking to drive efficiency through digitising their admin and operations.  Cyber-attacks on British businesses are increasing year on year.  When it comes to cybercrime, small and medium-size businesses are not exempt from the disruption that impacts large organisations. If anything, their size can make them more vulnerable as they are perceived as a softer target.

So why SMEs tend to underestimate the chances of being on the receiving end, and often play that down, is something of a mystery.  As is the mindset that it’s an IT matter, not a business matter, when nothing could be further from the truth.  Cyber security must be owned by the business owner or board and driven top down.  It cannot be left to an IT manager, or worse, a company under contract to provide IT services.

Let’s think for a moment about one potential aspect, supply chain security.  Many SMEs sit in a supply chain for a major company or companies.  In fact, for many it’s a critical part of their business, without which they could be in real trouble.  Their customer will spend money and commit resources to their own security and I’m willing to bet that somewhere in their contract with their suppliers, there will be a stipulation laying down some cyber security standards as a minimum that they must adhere to, which I’m also willing to bet that unless audited, are rarely being met.

Large organisations rely on a network of SMEs. If they operate within the EU, they are subject to the EU General Data Protection Regulation (GDPR) and if they operate only within the UK, then they are required to be in line with what has become known as UK GDPR.  The two are very similar indeed. Under both, data controllers (those that collect the data) are responsible for their own compliance as well as that of any third-party processors. Lax compliance in implementing regulations has in fact created a unique opportunity for those SMEs that make the effort to invest in cyber security. With so many damaging data breaches, large organisations are now starting to examine the security practices of any potential third party and seeking agreement with partners to ensure that secure systems are in place. It is the responsibility of the data controller to ensure that third parties within its supply chain take appropriate technical and organisational measures equal to their own.

The UK Government-backed framework Cyber Essentials Plus provides SMEs with a way to demonstrate their security credentials. By gaining Cyber Essentials Plus certification, SMEs can demonstrate that their cyber security has been verified and audited by independent experts. Auditable proof is often requested during tender bids as part of the warrants and liabilities process. Being Cyber Essentials Plus certified can leapfrog a business ahead of the competition.

Supply chains are only as strong as their weakest link and therefore require standardisation in terms of security across the whole chain. SMEs able to prove their cyber security credentials can differentiate themselves from the crowd and capitalise on lucrative business opportunities. Some 65% of UK small businesses have no plans in place to deal with potential supply chain disruption, including cybercrime. Ensure your company isn’t one of them by staying ahead of the game – don’t lose business due to supply chain weaknesses.

I’ve already said that the main challenge I come across is that SMEs do not accept that this is a business issue and continue to see it as an IT issue.  Consider this: if an attack, say ransomware, hits the business, who suffers?  Is it the IT department and/or the IT support company you have under contract to supply your IT/network?  Or is it the business that takes both a financial hit and reputational damage, perhaps losing contracts from the larger businesses it has been supplying?  You know the answer.  You can outsource your IT, but not your responsibility.

Let’s examine what stops SMEs from taking the view that it is in fact a business issue.  My experience of working with SMEs is that the two main issues are budget and resource, both of which are closely entwined.

SMEs do not budget for cyber security.  They conflate this with their costs for IT support and will expect their IT support company to provide an adequate level of security within the services and products they supply.  I’ve talked before about this.  Most, if not all, of these companies are what is known as Value Added Resellers, or VARs.  What this means is that they sell other people’s products: firewalls, anti-virus etc. And of course, they push those products, i.e. the flavours of those products they sell, onto their clients.  The value added bit comes in the services they provide.  In terms of security that generally, although not always, means that their skill set is in the configuration and maintenance of the products they sell.

I’m not knocking that, it’s a perfectly acceptable business plan and has been around for as long as IT has been around.  But from a security perspective, it ignores the basics.  Whilst technology has come on in leaps and bounds, making it sometimes a nightmare to keep up with, the basic principles of security have never changed.  It is built on three towers, People, Process and then Technology.  If you haven’t got the right training and awareness in place, if your processes and policies aren’t sound, up to date and rolled out across the business, then all the technology in the world won’t protect you.  Risk management is crucial.  Understanding the threats to your business and how vulnerable you are to those threats, married to your assets (which aren’t confined to hardware and software), will inform you of the risks you face, in turn allowing you to focus your limited spend on the weakest areas first.

How you arrive at those risks brings us to the second point, resource.  It’s not just SMEs that don’t have the resource, but their IT support company rarely does either.  Cyber security professionals are expensive and very thin on the ground.  Perhaps buying in an advisor for a defined period every month, or on a retainer to be called off as and when required, is the way to go.

Another key plank is innovation: finding innovative solutions that SMEs can be sure are appropriate for their business, mitigating identified risks.  Of course, such innovations have also got to be affordable.  This is one of the reasons why many are adopting cloud services, not necessarily for security reasons, but for cost reasons, i.e. no expensive infrastructure to buy in and maintain.  It’s also a reason why many security solutions these days are Software as a Service, SaaS, as again, there is no expensive infrastructure.

In summary, what I’m saying is that SMEs have to:

  • Accept cyber security as a business, not an IT issue.
  • Have a senior manager or preferably, board member, take responsibility for it.
  • Have an adequate budget. Of course, that will be subject to what you can afford.  Take advice on what is important and what can wait.  It just might save you a lot of time, money, and angst.
  • Have a defined strategy for improving your security stance, perhaps phased over budgetary periods.
  • Consider a standard such as Cyber Essentials or, for the larger SME, perhaps even ISO2700x.

Hybrid Working – Have We Really Got a Handle on the Security Issues?

The last few years have been strange, to say the least. But arguably the biggest effect it has had on the way we do business has been the necessity for working from home. Many SMEs had very little experience of this and were bounced into it with very little time to prepare, or to understand many of the implications of what this meant.

But perhaps the strangest thing of all, is that many SMEs still haven’t grasped the security implications of home working.  They have this belief that because they are working to a cloud environment, all is well and secure.  I only wish it were.  Now I’m not decrying cloud environments, quite the contrary, there are many reasons why all sizes of business should be going down this route, but it does come with its own set of issues.

Businesses of all sizes have been forced to transform their operations to support remote work and by and large have done well, but not without many challenges—including video conferencing burnout (along with wishing they’d taken out shares in Zoom!!), and a yearning to actually work together in person again, someday.  We all realise that group working, face to face, is often necessary not just for efficiency, but because we are social animals.  Experience has taught many businesses many things, but strangely, to my mind at least, many have simply not grasped the potentially dire consequences in terms of cyber security and data protection.

A distributed work environment, i.e. personnel spread around various locations and working from home, creates critical challenges and new security threats as a result.  The speed with which this has happened has meant that many simply did not take this into account and if they did, thought, well, this is temporary and it won’t matter in the long run.  Well perhaps, but as many are now finding, there have been advantages to home working, not least a lowering of costs in terms of how much office space is actually needed to carry out the business function.  Many are now looking at hybrid working, i.e. from home with a day or two in the office during the week.  There are pros and cons to this outside of the scope of this article, and businesses will have to make their own judgements, but one thing is clear and that is that businesses need to understand the risks now inherent in distributed work, and need to get better at cyber security and data protection in those environments.

Work-from-home employees are at much greater risk than those in offices. Since home connections are less secure, cybercriminals have an easier entry into the company network.  Furthermore, the explosion of various online tools, solutions, and services for collaboration and productivity tend to ship with the bare minimum of security in their default settings, and updates from third-party vendors can change security preferences and be easily overlooked.

Phishing becomes an even greater threat to home workers simply because, in an office environment, they have access to colleagues and managers, who they can approach for advice and guidance.  This is much harder to replicate with remote workers, especially those who may not be particularly tech savvy and who may not wish to become ‘burdensome’ to their co-workers.

Ransomware also enjoys an advantage in the work-from-home model.  If their connection to the company is blocked, it is more difficult for workers to get assistance from the right experts and authorities.  And since trust levels are lower when working from home, some workers will be concerned that they have “done something wrong” and so may be more reluctant to seek help. While this risk can be addressed by increased training, as well as messaging that vigilance and involving corporate IT will be rewarded, it can still be an uphill battle.

I have long been saying that Cyber Awareness training for managers and staff is no longer a ‘nice to have’ and is now very much a necessity.  In fact, it is arguably the biggest quick win, giving the greatest potential return on investment that there is.  Of course, this means that companies have to understand what their threats, vulnerabilities and risks are, in order to assess exactly what training is going to be the most effective.


AI – Good or Evil? A Clear and Present Danger to Cyber Security?

I’ve blogged about Artificial Intelligence (AI) before (click on General Security Issues and you’ll find it), in that blog I was concentrating on how AI could be used to generate code to be inserted into a Ransomware attack, and perhaps heralding the re-emergence of the once fabled ‘script kiddy’. Whilst there is no doubt that AI has a great potential for good with applications in just about every sphere of IT, it can allow some very nasty people, who have very limited technical ability, to introduce new and frightening scams.

The following is taken from CNN.

Jennifer DeStefano’s phone rang one afternoon as she climbed out of her car outside the dance studio where her younger daughter Aubrey had a rehearsal. The caller showed up as unknown, and she briefly contemplated not picking up.

But her older daughter, 15-year-old Brianna, was away training for a ski race and DeStefano feared it could be a medical emergency.

“Hello?” she answered on speaker phone as she locked her car and lugged her purse and laptop bag into the studio.

She was greeted by yelling and sobbing.

“Mom! I messed up!” screamed a girl’s voice.

“What did you do?!? What happened?!?” DeStefano asked.

“The voice sounded just like Brie’s, the inflection, everything,” she told CNN recently. “Then, all of a sudden, I heard a man say, ‘Lay down, put your head back.’ I’m thinking she’s being gurnied off the mountain, which is common in skiing. So I started to panic.”

As the cries for help continued in the background, a deep male voice started firing off commands: “Listen here. I have your daughter. You call the police, you call anybody, I’m gonna pop her something so full of drugs. I’m gonna have my way with her then drop her off in Mexico, and you’re never going to see her again.”

DeStefano froze. Then she ran into the dance studio, shaking and screaming for help. She felt like she was suddenly drowning.

After a chaotic, rapid-fire series of events that included a $1 million ransom demand, a 911 call and a frantic effort to reach Brianna, the “kidnapping” was exposed as a scam. A puzzled Brianna called to tell her mother that she didn’t know what the fuss was about and that everything was fine.

But DeStefano, who lives in Arizona, will never forget those four minutes of terror and confusion – and the eerie sound of that familiar voice.

“A mother knows her child,” she said later. “You can hear your child cry across the building, and you know it’s yours.”

Of course, this is an extreme case, but it does demonstrate the power of AI and its ability to be used by unscrupulous and nasty people.  If this is happening in the US, it’s only a matter of time before it arrives here.

Another scam, this time reported in The Washington Post and this time, it’s an update on the very well reported CEO Scam, whereby someone impersonates the CEO of a company using spoofed email, but this time it’s using AI.  It went something like this:

Earlier this year, a sales director in India for tech security firm Zscaler got a call that seemed to be from the company’s chief executive. 

As his cell phone displayed founder Jay Chaudhry’s picture, a familiar voice said “Hi, it’s Jay. I need you to do something for me,” before the call dropped. A follow-up text over WhatsApp explained why. “I think I’m having poor network coverage as I am traveling at the moment. Is it okay to text here in the meantime?” 

Then the caller asked for assistance moving money to a bank in Singapore. Trying to help, the salesman went to his manager, who smelled a rat and turned the matter over to internal investigators. They determined that scammers had reconstituted Chaudhry’s voice from clips of his public remarks in an attempt to steal from the company. 

Chaudhry recounted the incident last month on the sidelines of the annual RSA cybersecurity conference in San Francisco, where concerns about the revolution in artificial intelligence dominated the conversation. 

Criminals have been early adopters, with Zscaler citing AI as a factor in the 47 percent surge in phishing attacks it saw last year. Crooks are automating more personalized texts and scripted voice recordings while dodging alarms by going through such unmonitored channels as encrypted WhatsApp messages on personal cell phones. Translations to the target language are getting better, and disinformation is harder to spot, security researchers said. 

Scammers can, and do, use every advantage, every advance in technology, to make a few quid.  It’s a nightmare trying to keep up with this and it is essential that you have some method, be it electronic (difficult) or procedural (an easier, no-cost option), to identify such scams.  Your staff need training, but first you have to have someone on tap to keep you up to date with what’s going on.

As AI continues to develop and is taken into use more and more, we will see a clash between its proponents and the security world. That’s nothing new. Every time there is a new development in applications, operating systems etc, there is always a lag before security catches up. This time however AI can be taken into use with low levels of skill, at a rapid pace. Cyber security needs to be on its mettle, as do IT departments, CISOs, CIOs etc. Companies at all levels need to be on their guard.

Phishing

Phishing is today’s leader, a subject which I’m sure you’ve heard a lot about but which is always worth a mention.

Phishing is a term used to describe cyber criminals trying to trick victims into doing something by posing as legitimate organisations or people. This could be downloading malware disguised as an attachment, clicking on a malicious link, or getting financial details changed.

According to MetaCompliance 91% of all cyber-attacks start with a phishing email which is why it is so important to be aware of the tactics that these super social engineers use.

There are various types of phishing, and they can take place on any of your devices: phone (and it doesn’t have to be a smartphone), tablet, laptop or desktop. A number of terms are used to describe these methods. Phishing is generally used to describe attacks via email, whilst vishing is used to describe attacks via the phone and smishing attacks via text message.

Apart from those general terms we also have more specific ones:

  • Spear phishing – this is where publicly available information is used to make the messages appear more believable. Data breaches are a great source of this information as the details released are those which you would expect to be kept secret. For instance, if you received an email with your username and password in, you are likely to believe it.
  • Whaling – this is like spear phishing in that it is very targeted but this time the criminals are either targeting senior leaders of the company (in the hopes that compromising their accounts will enable a higher level of authority and access to sensitive data) or will impersonate a senior leader to get an action to come about (such as sending a high value payment).
  • Angler phishing – this is where cyber criminals use notifications or direct messaging within social media applications to entice someone to act, clicking a link for example.
  • Pop-up phishing – this is where criminals place malicious code in the small notification boxes, called pop-ups. They can also use a web browser’s notifications feature, so when you visit a website and the pop-up says that the website wants to show notifications, clicking the “allow” button downloads malicious code.

What you really want to know is how do you spot a phishing attack and what should you do about it? Criminals are getting more sophisticated in the campaigns that they are operating, and it can be very difficult to detect some of these, but there are a few things that might help you to spot a phish.  Below are some ploys in general use:

  • Urgency – “this has to be done NOW!”
  • Authority – from CEO / senior member of staff – but is it their style, or an unusual request?
  • Mimicry – impersonation of a trusted individual or organisation
  • Curiosity – “OMG! Have you seen this?”

You can also look out for:

  • Grammar and spelling  – does it make sense, is it addressed to you or “recipient”
  • Email address  – look at the full email rather than just the first name that you recognise
  • Hypertext – review URL before clicking, ensuring you look at the whole of the URL.
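Two of the checks above (look at the full sender address, not just the familiar name; look at the whole URL, not the link text) and two of the ploys (urgency, a generic salutation) can be applied mechanically to a message before a human ever reads it. The following is an added example written for this newsletter, not code from any product mentioned on the page. It assumes your organisation keeps a list of the domains it legitimately sends from (here the constructed `acme.example`); the two sample messages are constructed for the example and are not real phishing emails.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words that signal the "urgency" ploy when they appear in a subject line.
URGENCY_PATTERN = re.compile(r"\b(urgent|immediately|now|asap|today)\b", re.IGNORECASE)
# Salutations that show the sender does not actually know the recipient.
GENERIC_GREETINGS = ("dear recipient", "dear customer", "dear user", "valued customer")

# Domains this (constructed) organisation really sends from.
TRUSTED_DOMAINS = ("acme.example",)

# Constructed sample: mimics the trusted brand, pressures the reader, hides the real link host.
SAMPLE_PHISH = """\
From: "Acme Ltd Accounts" <accounts@acme-ltd-payments.example>
To: recipient@example.com
Subject: URGENT: bank details changed, pay NOW
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Our bank details have changed. Confirm the new account at
<a href="http://acme.example.login-verify.test/pay">https://portal.acme.example/pay</a> before 5pm.</p>
</body></html>
"""

# Constructed sample of a legitimate message from the same organisation.
SAMPLE_BENIGN = """\
From: "Acme Ltd Accounts" <accounts@acme.example>
To: recipient@example.com
Subject: Invoice 1042 for October
Content-Type: text/html

<html><body>
<p>Hi Sam,</p>
<p>Invoice attached as discussed: <a href="https://portal.acme.example/invoices/1042">https://portal.acme.example/invoices/1042</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, tolerating link text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message, trusted_domains):
    """Return (category, detail) findings for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    findings = []

    # Mimicry/authority: the name trades on a trusted brand but the sending domain is not ours.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    if sender_domain and sender_domain not in trusted_domains:
        for domain in trusted_domains:
            if domain.split(".")[0] in (display_name + " " + address).lower():
                findings.append(("mimicry", f"'{address}' is not on {domain} but uses its name"))
                break

    # Urgency: pressure words in the subject line.
    subject = msg.get("Subject", "")
    if URGENCY_PATTERN.search(subject):
        findings.append(("urgency", f"subject pressures the reader: {subject!r}"))

    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")

    # Addressing: a generic salutation instead of the recipient's name.
    for greeting in GENERIC_GREETINGS:
        if greeting in body.lower():
            findings.append(("generic_greeting", f"body opens with '{greeting}'"))
            break

    # Hypertext: the visible link text shows one host but the href goes to another.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if ("://" in text or text.lower().startswith("www.")) and _host(text) != _host(href):
            findings.append(("link_mismatch", f"text shows {_host(text)} but href goes to {_host(href)}"))

    return findings


def demo():
    """Run both constructed samples; returns (phish findings, benign findings)."""
    return (phishing_indicators(SAMPLE_PHISH, TRUSTED_DOMAINS),
            phishing_indicators(SAMPLE_BENIGN, TRUSTED_DOMAINS))


if __name__ == "__main__":
    for category, detail in demo()[0]:
        print(f"{category:16} {detail}")
```

None of these checks is proof on its own; a genuine message can be urgent, and a genuine sender can use a look-alike domain. The value is that any hit is a prompt to stop and verify by a separate channel, which is exactly the “question the communication” behaviour the training is meant to instil.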

What should you do? 

Report it – If you think you have received a phishing email, then you need to report it. Your business should have a policy about this, and your staff should understand what they need to do, whether they have fallen victim or just received it. Your staff can be a huge asset in protecting your company against phishing attacks so empower them to question the communications they receive from everyone.

The NCSC has an add-in which you can use in business versions of Outlook to report phishing emails directly to them so that they can investigate and potentially remove the threat. This could also help to keep phishing in mind when staff receive an email, like a little nudge.  It’s free and should be a no brainer.

Next we thought we’d take a look at some specific industries and we have picked on estate agents to go first, although arguably, much of this could equally apply to several service industries including financial advisors and solicitors.

Estate agents hold large amounts of personal data, much of which is financial and therefore has to be held for 7 years, and this makes them vulnerable to data breaches (which of course applies to many other sectors). The data held will pertain to the purchase and/or sale of property. This will require details of payments, confidential client IDs, bank account details and the like. Nothing surprising there. I’m sure many hold this data securely and maybe even encrypt it. But they also upload such data to third-party sites to market properties, sometimes more than one, and that’s when human error can creep in. Internal mistakes are the biggest single cause of data breaches, and whilst malicious activity from cyber criminals is a reality, it falls somewhat behind the internal breach.

The Data Protection Act 2018 may be a subject to drive you into a coma. However it’s a really important subject that you need to have a good working understanding of. Why, I hear you ask? It’s all about that GDPR stuff isn’t it, not a problem now that we’ve left the EU. And even if there is a law, Data Protection doesn’t really affect us smaller organisations, it’s something the big companies have a problem with but we’re OK. Aren’t we? Well no, you’re not. Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’.

All organisations, regardless of size, must make sure the information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

This can become a really big financial issue. Rarely if ever is a single person’s record lost; it’s nearly always multiple records. There are now law firms offering no win, no fee deals for people wanting to sue following a disclosure of personal data, and that’s on top of any fine you might expect from the ICO.

I’ll never get tired of pushing security awareness training, of having solid processes and policies which are rolled out and that staff are fully aware of. That will sort out much of the potential for data breaches. There are of course other issues but the basic principle of understanding the risks you face and targeting your spend and resources on those specific risks, hasn’t changed since the proliferation of IT started 30 years ago.

Supply Chain Security, Spear Phishing and Remote Working

Reports on cyber trends abound, and you could be forgiven for thinking that they are often produced by organisations trying to sell you something. And I might be tempted to agree. Am I any different? Well, I’ll leave you to judge, but I do think that it is very important to educate, and not just sell, into the SME market. I’ve said many times before that the SME market has been badly served by the cyber security industry, in that it tends to get ignored. However, that doesn’t mean that they are any less at risk, or any less important to the UK economy. Quite the reverse. I do read several reports about cyber trends, and if I think they are of use, then I do pass them on via this newsletter. I have read one recently which I think is worth passing on. It highlights 3 different scenarios, all of which I have blogged about in the past. They are, in no particular order, supply chain attacks, spear phishing and attacks against hybrid workers. These are clearly not exhaustive, but they are relevant to SMEs.

An often forgotten element of Cyber security lies within a company’s supply chain.  Manufacturers for instance, often use what is known as ‘just in time supply’, i.e., they have an electronic connection to their key suppliers who are connected to the company’s inventory, and automatically resupply when an item runs low.  It’s efficient and prevents the holding of unnecessary stock.  But it can, if not done correctly, drive a coach and horses through your security.

In short, a supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply chain.

Small to medium enterprises are at greatest risk from cyber security threats, and their vulnerability in turn poses a danger to the major corporations that they do business with.  Why? Well, the problem with small to medium sized enterprises is that they are in the unique position of having disproportionate access to important information. They are often mission-critical suppliers that produce niche products, and they generally have the weakest cyber security arrangements in terms of size, resources, and expertise. They open up large clients to leapfrog cyber security attacks.

Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation, or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.

Spear phishing is a more targeted cyber-attack than phishing. Emails are personalized to the intended victim. For example, the attacker may identify with a cause, impersonate someone the recipient knows, or use other social engineering techniques to gain the victim’s trust.  In other words, this is what might be referred to more as a scam than a cyber-attack, but it is no less illegal.

The common characteristics of spear phishing emails are not unlike traditional phishing scams:

  • The email uses email spoofing to masquerade as a trusted person or domain. …
  • Social engineering is employed to create a sense of urgency to exploit the victim’s desire to be helpful to a friend or colleague.

Hybrid working has been the subject of several of my blogs and newsletters of late.  We are all now seeing the ‘new normal’ and are embracing it to some extent.  There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are planning to adopt a hybrid model.  In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.

As organisations of all sizes begin the decision-making process which allows them to seriously consider the recalibration of their operating model to adapt to the new normal, there is a real need to re-evaluate their cyber security stance, involving policies, processes, people training and technical defences.

Cyber criminals have used this shift in working patterns to their advantage and their attacks have increased hugely, across the globe.  Working from home has increased the footprint of IT operations whilst weakening its defences and the scope for cyber criminals to develop new attack methods, new scams, and to generally increase their revenue, exponentially.

Cyber-attacks and data breaches tend to only hit the headlines when it’s a large company involved.  However, SMEs are hit every day, but for somewhat smaller sums of money, and there is an argument that often these attacks go unreported to protect reputations and even go undiscovered for long periods of time.  Data breaches do get reported because of the requirement to make such a report to the Information Commissioner’s Office, but even then, actions taken by the ICO often fly under the radar.  For instance, this year alone there have been over 40 fines by the ICO, many to companies categorised as SME.  A finance company was fined £48k and a solicitor was fined £98k.  You can research all of this on Google if you want confirmation.

A bit more on Ransomware, at the risk of over emphasising it, not that I think you can.

According to the NCSC, responsible for cyber security in the UK, ransomware continues to be a clear and present danger to UK companies, both at the Enterprise and SME level. It has now become the most significant cyber threat facing the UK, with the impact of an attack on critical national infrastructure stated in the UK National Cyber Strategy 2022 as potentially as harmful as state-sponsored espionage. There remains a pervasive opinion within SME management, that ransomware only affects the big companies, that SMEs are just too small to provide a level of reward that cyber criminals are looking for. I also said that there was evidence that when an SME gets hit, the amount asked for is quite small, from around £500 to £1000, and therefore many SMEs simply pay up. There is of course a real danger there because often their data has already been stolen, and sometimes the criminal doesn’t release the data back to the company, leaving the SME not only out of pocket, but unable to continue with business.

How much better if you can avoid getting hit in the first place.  Here I list some ways that you could perhaps use to avoid the problem.

  1. Arguably, the biggest and most effective step an SME can take is Cyber Awareness Training for staff. It is simply a fact that 90% of data breaches are caused by human error.  It is very unlikely that an employee will do something deliberately to damage your business.  But humans are fallible and, if they haven’t had any awareness training, they simply don’t know what they shouldn’t be doing.  Cyber security awareness training remains the most significant step you can take in this regard.  You can’t expect your staff to help you avoid cyber security attacks if they don’t know what they are looking for.  Cyber security is NOT an IT issue, it’s very much a business issue and responsibility lies with everyone in the business.  Clearly this training needs to be part of an overall strategy, which again, need not be complex or onerous.  Most successful strategies follow the KISS principle – Keep It Simple Stupid.
  2. The next reasonably low-cost thing that ties in with Cyber Awareness Training and a security strategy is robust, well thought out policies and procedures, that have been rolled out across the work force and are monitored to ensure they remain relevant and that they are understood by all. Giving an employee the means to check what they should do if they suspect there is something nefarious going on, is simply giving them support, it is not there to catch them out or to use as a stick against them.  Many SMEs don’t have any such policies in place and many others have downloaded specimens from the internet, topped and tailed them and expect them to be enough, which they very rarely are.
  3. Next think about your backup strategy. Even when you are using a cloud-based provider, that doesn’t necessarily mean that your data is secure, although many providers would disagree, at least in their advertising.  How much better to have a strategy whereby your data is backed up overnight to a magnetic media storage point, which can be taken off line and stored in secure storage.  If you do that, then if you are subject to an attack and your data is locked up, you can have some or all workstations wiped and reloaded, and then have data restored from the tape, all of which would not take most SMEs off line for more than a day.  You then have a breathing space to sort everything out in the longer term.
  4. Email remains the top attack vector for many attacks and this is one of them. There are many products on the market that will tell you that they will block as many malicious emails as possible, and many of these are very good at what they do.  For an SME, it will nearly always come down to a matter of cost and some of these products are more expensive than others.  Unfortunately, there are still a considerable number of SMEs out there, either using the cheapest anti malware product they could find, or even a free product.  You get what you pay for and if its free, you’ve got a problem.  Any product you choose to use must be mitigating an identified risk.  If a risk hasn’t been properly identified and a product selected that covers that risk off, as well as it can be covered off, then you’ve quite possibly wasted your money.
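As an added example to go with step 3 (this is not code from the original post, and the directory names and file contents are constructed sample data), the following script builds a backup archive with a SHA-256 manifest and then proves it restores cleanly. The manifest also records the hash of the archive itself, so a corrupted copy on the offline media is caught before anyone relies on it.

```python
"""Added example (not from the original post): build an offline-style backup
archive with a SHA-256 manifest, then prove it can be restored before you
need it. Directory names and file contents below are constructed sample data."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(src: Path) -> dict:
    """Map each file's path (relative to src) to the SHA-256 of its contents."""
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        manifest[path.relative_to(src).as_posix()] = sha256_bytes(path.read_bytes())
    return manifest


def create_backup(src: Path, dest: Path) -> tuple[Path, Path]:
    """Write src into a gzip tarball plus a manifest JSON. Both files would then
    be copied to the removable media that is taken offline."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = build_manifest(src)
    archive = dest / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    manifest_file = dest / "backup.manifest.json"
    # Record the archive's own hash so bit-rot or tampering on the media is caught.
    manifest["__archive_sha256__"] = sha256_bytes(archive.read_bytes())
    manifest_file.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_file


def verify_restore(archive: Path, manifest_file: Path) -> dict:
    """Restore into a scratch directory and compare every file against the manifest.
    'ok' is True only when the archive hash matches, nothing is missing and nothing
    differs. This is the test most SMEs never run."""
    manifest = json.loads(manifest_file.read_text())
    expected_archive = manifest.pop("__archive_sha256__")
    report = {"ok": False, "archive_intact": False, "missing": [], "mismatched": []}
    if sha256_bytes(archive.read_bytes()) != expected_archive:
        return report
    report["archive_intact"] = True
    restored = {}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            # Refuse path traversal: a restore must never write outside the scratch dir.
            if not member.isfile() or member.name.startswith("/") or ".." in Path(member.name).parts:
                continue
            target = Path(scratch) / member.name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(member).read())
            restored[member.name] = sha256_bytes(target.read_bytes())
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["mismatched"].append(rel)
    report["ok"] = not report["missing"] and not report["mismatched"]
    return report


def demo() -> dict:
    """Constructed sample data: a tiny 'accounts' share backed up and verified,
    then the archive is deliberately corrupted to show the check failing."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "accounts", Path(tmp) / "media"
        (src / "2023").mkdir(parents=True)
        (src / "2023" / "invoices.csv").write_text("inv,amount\n1001,250.00\n")
        (src / "clients.txt").write_text("Acme Ltd\n")
        archive, manifest = create_backup(src, dest)
        good = verify_restore(archive, manifest)
        # Simulate a damaged copy on the media by flipping the last byte.
        data = archive.read_bytes()
        archive.write_bytes(data[:-1] + bytes([data[-1] ^ 0xFF]))
        bad = verify_restore(archive, manifest)
    return {"good": good["ok"], "corrupt_detected": not bad["archive_intact"]}


if __name__ == "__main__":
    print(demo())
```

The restore is done member by member rather than with `extractall`, so a crafted archive cannot write outside the scratch directory; the same discipline applies when restoring for real.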

There is a product on the market from a company called Platinum-HIT which takes an application allowlisting (default-deny) approach to this. Quite simply, it blocks any executable not on your whitelist from running. During a free 30-day evaluation it profiles your network and builds a list of the executables that users actually run day to day, those behind your line-of-business applications, email and so on, and produces that list for human inspection. Once agreed, that becomes your whitelist. The caveats with any allowlisting product are that the list has to be maintained when software is updated, and that scripts and interpreters (PowerShell, Office macros and the like) need to be covered as well as .exe files, otherwise an attacker simply avoids dropping a binary. It's extremely effective and so far, we haven't found another product that takes this approach in blocking all forms of malware, including ransomware.
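To show the profile-then-enforce pattern described above in working code, here is an added example (it is not Platinum-HIT's code, and the directory layout, file names and binary contents are constructed stand-ins). Decisions are made on the SHA-256 of the file about to run, which is why renaming malware to a trusted name, or replacing a trusted binary in place, does not get it past the check.

```python
"""Added example (not Platinum-HIT's code): the profile-then-enforce pattern
behind application allowlisting, keyed on file hashes rather than names.
Directory layout and binaries below are constructed sample data."""
import hashlib
import tempfile
from pathlib import Path

# Assumed set of 'executable' suffixes; real products also cover scripts and macros.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".msi", ".ps1", ".bat", ".cmd", ".js", ".vbs"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def profile(roots: list[Path]) -> dict[str, str]:
    """Learning mode: record every executable seen under the given roots.
    Returns {sha256: path} for a human to review before it becomes the allowlist."""
    seen = {}
    for root in roots:
        for p in root.rglob("*"):
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
                seen[sha256_of(p)] = p.as_posix()
    return seen


def is_allowed(path: Path, allowlist: dict[str, str]) -> tuple[bool, str]:
    """Enforce mode: default deny. Only a file whose hash is on the reviewed
    list may run; the file name and location play no part in the decision."""
    if not path.is_file():
        return False, "no such file"
    digest = sha256_of(path)
    if digest in allowlist:
        return True, f"hash matches {allowlist[digest]}"
    return False, f"hash {digest[:12]}... not in allowlist"


def demo() -> dict[str, bool]:
    with tempfile.TemporaryDirectory() as tmp:
        programs = Path(tmp) / "Program Files"
        (programs / "Mail").mkdir(parents=True)
        mail = programs / "Mail" / "mail.exe"
        mail.write_bytes(b"MZ\x90\x00 constructed stand-in for the real mail client")
        (programs / "Mail" / "readme.txt").write_text("not executable, not profiled")

        # 1. Evaluation period: build the candidate list and have a human sign it off.
        candidate = profile([programs])
        allowlist = dict(candidate)  # in practice persisted after review and approval

        # 2. Enforcement: the known binary runs.
        known_ok, _ = is_allowed(mail, allowlist)

        # A dropper landing in the user's profile is not on the list, so it is blocked.
        dropper = Path(tmp) / "Downloads" / "invoice.pdf.exe"
        dropper.parent.mkdir()
        dropper.write_bytes(b"MZ\x90\x00 constructed stand-in for a ransomware dropper")
        dropper_ok, _ = is_allowed(dropper, allowlist)

        # Same trusted path, different contents (e.g. a trojanised update): also blocked.
        mail.write_bytes(b"MZ\x90\x00 something else entirely")
        replaced_ok, _ = is_allowed(mail, allowlist)

    return {
        "known_binary_runs": known_ok,
        "dropper_blocked": not dropper_ok,
        "replaced_binary_blocked": not replaced_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The last case is also the operational cost of hash-based allowlisting: every legitimate update changes the hash, so production products usually pair hashes with publisher signatures or a controlled update path to keep the list manageable.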

The overall message I would like to put across to all SMEs is that you are just as vulnerable as anyone else to this and many other attacks. Have you identified your risks? Have you identified ways to mitigate those risks, so that you get the most from your defensive spend? Or have you just bought into an argument that says you have a firewall and some anti-virus, you're using a cloud provider and you're therefore covered? I'd welcome the opportunity to have that debate with you.


Zero Trust Security Strategy – What is it and how does it apply to SMEs

Zero Trust Security is being put forward as a paradigm shift in cyber security and the future of data protection. So, what is it, and is it relevant to the SME market?

To answer the first part of that question: it is a framework for securing infrastructure against the attacks mounted by modern cyber criminals hell-bent on relieving businesses of their hard-earned cash. It is aimed squarely at modern challenges such as securing remote workers, hybrid cloud environments, phishing and ransomware attacks.

A primary driver for the development of Zero Trust platforms was the COVID pandemic and its aftermath, simply because the real paradigm shift was in working practices: driven by the lockdowns initially, but subsequently embraced by many as a much cheaper working environment (smaller workplace = smaller costs) which, many are finding, hasn't impacted their productivity. However, it comes at a cost unseen by many, in that their security was very much compromised.

As a result, many firms have had to change their infrastructure in an attempt to shore up the somewhat reactive stance they had to take to keep their businesses running during the lockdowns. Even if that was only swapping desktop machines for laptops and relying much more on cloud services, it has meant a sea change in their working practices. Many more SMEs are looking to Software as a Service (SaaS) to avoid expensive infrastructure either on premise or in the cloud, and others are looking towards managed services, something they simply wouldn't have entertained before COVID.

All of this has produced a significant rise in malware threats to businesses of every size. Ransomware has become a very real threat to SMEs, and it is simply a fact that many pay up because the criminals ask for a modest amount. But of course the criminals have almost always done unseen damage, such as leaving a back door into your systems, because they will come back to the well a second and third time, and they have almost certainly already stolen any data that might have a value. How much better to stop them before their malware takes effect.

Let's go back to what Zero Trust is and review the statement above that it is a framework for securing infrastructure. OK, great, but what does such a framework look like?

First off, Zero Trust is a strategic approach to cyber security that secures an organisation by eliminating implicit trust and continuously validating every stage of a digital interaction. So that means you have to have a security strategy, something most SMEs don't have and don't really know how to approach.

Arguably (I say arguably because if you put a bunch of security consultants in a room and ask a question, the result will be a row if not a punch-up), there are three main pillars of a zero trust strategy:

  • Trusted identities. Every user and every device is identified and authenticated (with multi-factor authentication for users) before anything is granted, and access is decided per request and per resource, not by which network the request came from.
  • Endpoint protection. The device making the request must be known, managed and in a healthy state (patched, encrypted, protection agent running), and that posture is re-checked rather than assumed.
  • Network security. The network is treated as hostile whether it is the office LAN, home broadband or a cloud provider; being "inside" earns no trust, and systems are only allowed to talk to what they need to.

So what I'm saying here is that it isn't just one thing, one product or one system, but a combination of several factors that together provide defence in depth; and whilst the technology changes, the strategy hasn't.

This is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.
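What "authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access" looks like as a policy decision is shown in the added example below. It is illustrative code, not from the original post or any vendor; the field names, thresholds and sample users, devices and requests are assumptions. Note that there is deliberately no "is this request from the office network" input: network location is not a trust signal here.

```python
"""Added example (not from the original post): a per-request zero trust policy
check combining identity, device posture and authorisation. Field names,
thresholds and the sample requests are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Identity:
    user: str
    authenticated: bool
    mfa_used: bool
    groups: set = field(default_factory=set)
    session_started: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class Device:
    managed: bool            # enrolled in the company's device management
    disk_encrypted: bool
    edr_running: bool        # endpoint protection agent alive and reporting
    last_patched: datetime


@dataclass
class Request:
    resource: str
    sensitivity: str         # "public", "internal" or "confidential"


# Assumed authorisation table: which group a resource requires.
REQUIRED_GROUP = {"finance": "finance-staff", "hr": "hr-staff", "wiki": "all-staff"}
MAX_SESSION_AGE = timedelta(hours=8)   # force re-authentication after this
MAX_PATCH_AGE = timedelta(days=30)     # device posture threshold


def evaluate(identity: Identity, device: Device, req: Request, now: datetime) -> tuple[bool, list[str]]:
    """Deny by default. Every request, not just the first, must pass identity,
    device posture and authorisation checks. Returns (allowed, reasons)."""
    reasons = []
    if not identity.authenticated:
        reasons.append("not authenticated")
    if not identity.mfa_used and req.sensitivity != "public":
        reasons.append("MFA required for non-public resources")
    if now - identity.session_started > MAX_SESSION_AGE:
        reasons.append("session too old, re-authenticate")
    if req.sensitivity == "confidential":
        if not device.managed:
            reasons.append("confidential data only on managed devices")
        if not device.disk_encrypted:
            reasons.append("disk encryption required")
        if not device.edr_running:
            reasons.append("endpoint protection not reporting")
        if now - device.last_patched > MAX_PATCH_AGE:
            reasons.append("device patch level too old")
    needed = REQUIRED_GROUP.get(req.resource)
    if needed is None or needed not in identity.groups:
        reasons.append(f"user not authorised for {req.resource}")
    return (not reasons), reasons


def demo(now: Optional[datetime] = None) -> dict[str, bool]:
    """Constructed scenarios: the same user reaching payroll and the wiki from a
    managed laptop, from an unmanaged home PC, and with a stale session."""
    now = now or datetime(2023, 11, 15, 9, 0, tzinfo=timezone.utc)
    alice = Identity("alice", True, True, {"finance-staff", "all-staff"}, now - timedelta(hours=1))
    laptop = Device(True, True, True, now - timedelta(days=5))
    home_pc = Device(False, False, False, now - timedelta(days=200))
    payroll = Request("finance", "confidential")
    wiki = Request("wiki", "internal")
    ok_laptop, _ = evaluate(alice, laptop, payroll, now)
    ok_home, why_home = evaluate(alice, home_pc, payroll, now)
    ok_wiki_home, _ = evaluate(alice, home_pc, wiki, now)
    stale = Identity("alice", True, True, {"finance-staff", "all-staff"}, now - timedelta(hours=9))
    ok_stale, _ = evaluate(stale, laptop, payroll, now)
    return {
        "payroll_from_managed_laptop": ok_laptop,
        "payroll_from_home_pc": ok_home,
        "wiki_from_home_pc": ok_wiki_home,
        "payroll_with_stale_session": ok_stale,
        "home_pc_denied_for_posture": any("managed" in r for r in why_home),
    }


if __name__ == "__main__":
    print(demo())
```

The same user is allowed the internal wiki from an unmanaged machine but refused payroll from it, and is refused payroll even from the managed laptop once the session is too old; that re-evaluation on every request is the "continuously validated" part.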

The problem for SMEs as always, is that they don’t have the expertise or the budgets to go down what they think of as a complex and expensive road.  Here at H2 we’ve taken that on board, and we have researched the market extensively and believe we have come up with some risk managed, zero trust solutions which are appropriate to SMEs and very affordable.

Risk Management and is it applicable to SMEs?

An interesting and thorny question, but one that deserves examination. Perhaps the biggest argument I can make regarding SMEs is this: without fully understanding the risks you are exposed to, how can you be sure that you are spending your limited funds in the most effective way, or in a way that is actually doing some good? I threw that last bit in because I come across situations all too often where an SME is wasting money and resources because they don't have a handle on their security risks.

Now I know that many will say that this is a technical matter and that we have a company under contract that looks after our IT infrastructure and therefore we can safely leave it to them.  Wrong.  Ask them some simple questions:

  1. Have they fully identified your security assets? Security assets are not just hardware and software; in fact those are often the least of your worries. It's the data, where it is and how it's protected, that is important.
  2. Have they done a risk assessment on those assets?
  3. Have they recommended or implemented controls to manage the risk down to your acceptable residual risk level? That is assuming they have spoken to you about what that acceptable level of risk actually is.

It’s very important that business owners grasp the difference between the technical requirements of their networks, and the business requirement.

  1. Technical

Describes the protection of networks, computers, programs and data from unauthorised access or attack. It is the branch of cyber security focused on protecting computers, networks and programs from unauthorised access to data by hackers or other malicious players. Technical security consists of tools such as firewalls, anti-virus software, intrusion detection systems and more, to prevent and defend against attackers.

  2. Business

Encompasses all aspects of protecting digital assets, including computer systems and networks, from unintended or unauthorised access, change or destruction. It includes the controls, processes and technologies that protect data, programs, networks and associated software, and, crucially, the ownership of those decisions by the business rather than by whoever happens to run the IT.

Cybersecurity also has a larger role in protecting organizations from malicious cyber-attacks and data breaches. A comprehensive cybersecurity strategy should include preventive measures such as strong authentication protocols, encryption, and threat intelligence analysis; detection mechanisms to rapidly identify attacks; response plans to quickly mitigate the damage; and recovery procedures to help recover after an attack. All these operational capabilities can help ensure organizations are better prepared to defend themselves against potential threats.

Bottom line folks – you can outsource your IT, but you can’t outsource your responsibility.

Risk management is all about helping us to create plans for our future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis.

We need to manage risk to enable us to make the best possible decisions, based on our analysis of future events and outcomes. Whilst the future can be anticipated to an extent, there are limits to how much it can be anticipated.

A good starting point is accepting that risk can't simply be abolished. Risk must be recognised and then managed and classified in some way; many choose a simple High, Medium and Low. There is no business without some risk; the trick is to reduce it to an acceptable level.

You will often hear the claim, ‘We have no clear definition of risk’. How on earth can we manage something that we haven’t defined?  Fair enough. Given this, how can we really know what everybody else means when they talk about ‘risk’?

We can see a clear lack of a definition as an essential aspect of risk management. The fact that organisations won’t necessarily know exactly how everyone defines ‘risk’ forces us to explain to each other what we mean. It makes us ask questions and challenge assumptions.

Simply put, a workable definition for an individual organisation may be this question, asked of each business asset or process: 'what would the impact on the business be if this process/asset was corrupted, denied, compromised or lost?' That gives us four risks to consider for each asset (data corruption, denial of access, compromise, and loss of data, hardware or software) and allows us immediately to assign a level of high, medium or low to each, depending upon the perceived hit on the bottom line.

It’s a false and dangerous notion that you can fully understand and manage all risk. Instead, you should approach this with a sense of realism and pragmatism. Breaches of cyber security can and do happen to anyone, even the most diligent.

Don’t try and chase the Holy Grail of perfectly secure systems and a risk-free business; just make sure that you have thought about what can go wrong, and that this thinking has influenced your decisions.

Don’t despair, you can still protect yourself from many cyber-attacks by following good risk management techniques that define what controls you need to put in place, be they procedural or technical in nature.

Cyber Awareness Training and its worth to the business

I'm going to cover a couple of subjects today, starting with an excerpt from the Verizon Data Breach Investigations Report, from which I am openly cribbing. The bit that initially grabbed my attention was the number of recorded business email compromises (BEC), which have apparently doubled over the past year, with this threat comprising nearly 60% of the social engineering incidents studied.

The report was based on an analysis of 16,312 incidents and 5,199 breaches over the past year, and it suggests that BEC is now more common than phishing in social engineering incidents, although phishing is still more prevalent in breaches.

Social engineering, that is to say the gathering of information and profiling a target company is a very real reason why most breaches involve a high proportion of human interaction.  It is especially prevalent amongst senior management who are often exposed to such attacks.  In fact, I reported last week that AI is now being used to spoof emails and even phone calls, purporting to come from senior management, instructing staff to carry out an action that will involve some form of financial penalty.

This means that the protections in use against this type of attack can’t simply rely on technical solutions, but that staff must be made aware of, and kept up to date with, the latest techniques, as they will be the ones who will be targeted in the first instance.  Training must also involve senior management; they are most certainly not immune.

As I go around the SME community, it never ceases to amaze me that many SME owners don't see the value of cyber awareness training for their staff, and I can't help wondering why not. After all, we would argue that it is one of the single biggest wins against cyber-crime that an SME can achieve, at a minimal cost in terms of time and money. So why do I think this is?

Statistics reveal that around 60-70% of UK SMEs have suffered a cyber-attack, and amongst those, only 11% had cyber cover. While we are beginning to slowly see a rise in the number of businesses seeking insurance cover after becoming more aware of the risks of cyber-attacks since the pandemic, we still have a long way to go.  Now, cyber insurance is another very thorny issue which really deserves a blog of its own.  However, briefly let’s say that there are many clauses in most, if not all, policies that will require named precautions to have been taken, before any pay out can be considered, and those pay outs are not common, shall we say.

Returning to the subject of cyber awareness training, this is a favourite hobby horse of ours, particularly as it affects non-technical staff, where it is vitally important for both managers and employees to be made aware of what they could be facing. If you don't know what threats exist, then how can you look out for the signs, and how can you effectively target your security spend? Likewise, staff must know what to look out for, how attacks are formulated and how they are carried out. A good motivator for staff is that, to put it bluntly, their jobs are on the line if the business is hit badly and loses money. Most SMEs are in businesses where cash flow is king, and they simply can't afford the kind of hits that are being experienced almost daily now.

It cannot be stressed enough that whilst your staff are your greatest asset, they can also be the biggest threat regarding cyber security. Most data leaks are caused not by personnel doing anything deliberately wrong, but by doing things they didn't know they shouldn't, and by not fully understanding the processes in place to fight off such attacks.

Moving on, and unashamedly cribbing from another article, this time from Forbes, which was all about the need to prioritise cyber security and the culture needed to promote it continuously throughout the organisation. This of course reinforces the need for adequate cyber security awareness training throughout the year, and not just as a tick-in-the-box, point-in-time exercise. A very real perspective, not just at the SME level but at every size of business, is that "cybersecurity is a cost centre": a cost to the business that doesn't help drive revenue and is therefore an expense line item; expensive employees, expensive tools and processes that can hinder operations. With the explosion of internet-connected everything constantly collecting data, security is a SALES DRIVER. Being secure, and being able to prove it (via audits and certifications), builds TRUST and makes for a stronger brand. For most SMEs it is already well known that if they want Government contracts, or want to be in the supply chain for bigger companies servicing Government contracts, then Cyber Essentials and Cyber Essentials Plus are a must, so it is time to shift the old mentality and start focusing on how security can help drive sales and revenue. We are seeing a shift in that direction, albeit slowly, but even so, many in SME management are reluctant to embrace this reality. It often takes a customer, or potential customer, carrying out due diligence before placing an order to convince an SME to take this seriously.

UK GDPR

UK GDPR just won't lie down, and as citizens we shouldn't want it to, as it provides us with a great deal of protection against the unwanted use of our personal information. Businesses, on the other hand, can find it somewhat onerous, although it doesn't have to be. Once you understand its basics, following the rules isn't all that difficult, or so you'd think.

The Information Commissioners Office publishes penalty notices that it enforces against breaches of the Regulations, on its web site, and arguably one of the biggest differences between the current Regulations and their predecessors, is that this time, the ICO has real teeth, something that many companies find out the hard way.

A breach raises some questions for any company, of course, such as: how will this affect customer and supplier confidence? How much will it damage the brand, and what will the reputational fall-out be? All of that before remediation costs and any penalties from the ICO kick in.

As I said above, the Data Protection Act 2018, based as it is on GDPR (the UK GDPR is the retained version of the EU Regulation), is a very different beast from its predecessor. The ICO has powers to issue a monetary penalty for infringements of the UK GDPR and of the Act itself. (Part 3 of the Act, law enforcement processing, applies only to competent authorities such as the police; ordinary businesses fall under the UK GDPR and Part 2.) Such penalties are intended to be effective, proportionate and dissuasive, and are judged case by case.

These penalties come in two flavours. First, the higher maximum amount, which is £17.5 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher. Ouch!

Then there is the standard maximum, which applies to infringements of other provisions, such as the administrative requirements of the legislation: £8.7 million or 2% of total annual worldwide turnover in the preceding financial year, whichever is higher. Still ouch!

In practice though, the ICO is not there to put you out of business and the chances of a fine of anywhere near the maximum, being applied to an SME, is low but not impossible.

DPA/UK GDPR requirements apply to all businesses large and small, although one concession exists for SMEs. Organisations with fewer than 250 employees are not required to keep records of their processing activities unless the processing is likely to risk individuals' rights and freedoms, is not occasional, or involves special category or criminal conviction data. So how does that work for most SMEs? How many process the kind of sensitive information that could threaten individuals' rights? What is sensitive information? The UK GDPR calls it special category data:

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs.
  • trade-union membership.
  • genetic data, biometric data processed solely to identify a human being.
  • health-related data.
  • data concerning a person’s sex life or sexual orientation.

So how much of this type of data is likely to be held by the average SME? Well, that depends very much on what the company does for a living. Many companies, manufacturers for instance, will hold personal data about their employees and possibly some data concerning their client base, all of which is lawful to hold and should not pose a great problem to process and store securely within the Regulations. However, when you stop to think about it, there are a considerable number of companies out there that process large amounts of personal data and are required to hold it for many years because of other legislation. For example, HMRC requires company financial records to be kept for six years from the end of the financial year they relate to, and many companies deal with financial data.

Just about everyone processes personal data of some sort: data that can identify a living individual. HR data will have bank account information, home addresses, next of kin, phone numbers, maybe references from previous employers. The exposure of some or all of that could be judged as a regular activity and prejudicial to an individual's rights. Think about financial advisors, estate agents, pharmacies, solicitors and recruitment agencies, all of whom hold huge amounts of personal information. I recently spoke to one financial advisor who told me that they had received a Data Subject Access Request (DSAR) from a client. Under the Regulations anyone is allowed to submit a DSAR and have the organisation declare exactly what data it holds on that person, why, and for how long. It took a partner offline for nearly 10 days to identify that data before they could declare it. It's also worth knowing that there is a time limit on how long you can take to satisfy that requirement: you must respond without undue delay and at the latest within one month of receipt, extendable by up to two further months only where requests are complex or numerous.

The ICO website lists a firm of solicitors that was fined £98,000 for failing to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Solicitors are excellent at telling you what to do to stay within the law, but they are not always all that good at telling you how to do it.

It is often claimed that any company handling personal data with more than 10-15 employees must appoint a Data Protection Officer (DPO). That is not what the UK GDPR says: there is no headcount threshold. A DPO is mandatory if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if they involve large-scale processing of special category or criminal conviction data; otherwise it is optional, though someone still has to own the job. Personal data is any information relating to an identified or identifiable living individual. For example, a person's telephone number, credit card or personnel number, account data, number plate, appearance, customer number or address are all personal data.

One of the biggest issues I find with SMEs is that they often think they know where all their data is, but get quite a surprise when they discover multiple copies of the same data set. This has become a real issue since COVID: remote working is now normal, and it's a real temptation for an employee working from home, possibly on less than robust broadband, to copy data from cloud storage to their PC so they can keep working on it. Then they upload it again when they've finished, but forget to delete their local copy. That's just one instance, but it is vital to understand where all this data is. What if, for instance, you get a subject access request, where a client or other member of the public wants to know exactly what personal data you hold on them, and why? I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks to discover where all the data was kept on just one person. But under the law, they had no choice but to bite the bullet.

We've been pondering these problems for some time, and they boil down to processing and storing the data securely and being able to lay your hands on it quickly. There are several systems on the market that will capture where your data is and who has access to it, generally under the banner of Data Loss Prevention, or DLP. These systems are event-driven, require extensive ongoing rules management, were built for LAN/WAN perimeters and are becoming much less effective in an increasingly perimeter-less environment.

Local and wide area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home and zero-trust architecture. In such a setup, sensitive files are spread across on-premises repositories (file servers, NAS) and different cloud-based repositories. These cloud-based repositories divide into the ones you manage (managed cloud, such as the organisation's OneDrive), shadow IT (communication apps like Slack or WhatsApp) and third-party portals. We needed an answer to this new data landscape with cross-platform discovery functionality, coupled with data flow monitoring capabilities.

We came across Actifile, which works very differently to a standard DLP, which in any case, often requires other tools to provide the security functionality needed.  Actifile is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in the world of no security perimeters. Moreover, Actifile’s set and forget method, requires little to no maintenance, and can be up and running securing data, in less than 3 working days providing a detailed breakdown of the data risk and leverages the data risk for data flow monitoring, auditing and remediation. This approach greatly simplifies the process.

Actifile is a cloud-based management platform coupled with a lean agent for workstations (both Windows and Mac), file servers, NAS and terminal servers, and a sidecar Docker instance for cloud-based file shares (e.g. OneDrive).

Step 1: Data Risk Discovery and Quantification

Based on predefined privacy regulations and PII definitions, Actifile immediately starts scans for sensitive data using smart patterns. Actifile then quantifies data risk per PII type in local currencies.

Step 2: Data Risk Monitoring and Auditing

Tracks and audits data risk in real-time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organization.

Step 3: Data Risk Remediation by Encryption

Our patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption takes as little as 72 hours.
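The discovery step above, and the "multiple copies of the same data set" problem described earlier, can be illustrated with a small scanner. This is an added example, not Actifile's code: it walks a directory tree, groups byte-identical files by SHA-256 so stray copies show up, and counts UK-centric PII patterns per file. The patterns are simplified, the per-record cost figures used to rank findings are assumptions, and the sample share is constructed.

```python
"""Added example (not Actifile's code): a minimal data discovery scan that finds
duplicate copies of the same file by content hash and counts UK-centric PII
patterns per file. Patterns, cost figures and sample files are assumptions."""
import hashlib
import re
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Simplified detectors; real products use context and checksums for each type.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_mobile": re.compile(r"(?<!\d)(?:\+44\s?7|07)\d{3}\s?\d{6}\b"),
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.I),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
# Assumed notional cost per exposed record, used only to rank findings.
COST_PER_RECORD_GBP = {"email": 1, "uk_mobile": 2, "ni_number": 20, "card_number": 50}


def luhn_ok(digits: str) -> bool:
    """Reject digit runs that merely look like a card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    found = Counter()
    for kind, pattern in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            found[kind] += 1
    return found


def scan_tree(root: Path) -> dict:
    """Walk a directory, scan text files for PII and group identical files by
    SHA-256 so forgotten local copies of a sensitive file are surfaced."""
    by_hash = defaultdict(list)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        by_hash[hashlib.sha256(data).hexdigest()].append(rel)
        counts = scan_text(data.decode("utf-8", errors="ignore"))
        if counts:
            findings[rel] = dict(counts)
    duplicates = [paths for paths in by_hash.values() if len(paths) > 1]
    exposure = sum(COST_PER_RECORD_GBP[k] * n for c in findings.values() for k, n in c.items())
    return {"findings": findings, "duplicates": duplicates, "exposure_gbp": exposure}


def demo() -> dict:
    """Constructed sample share: an HR file, a stray copy of it on a desktop,
    a finance note with one real-looking card number, and a clean file."""
    hr = ("name,email,mobile,ni\n"
          "A Smith,a.smith@example.co.uk,07700 900123,AB 12 34 56 C\n"
          "B Jones,b.jones@example.org,+44 7700 900456,AB123456D\n")
    finance = "card 4111 1111 1111 1111 paid; ref 1234 5678 9012 3456 is not a card\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "HR").mkdir()
        (root / "HR" / "staff.csv").write_text(hr)
        (root / "Desktop").mkdir()
        (root / "Desktop" / "staff-copy.csv").write_text(hr)   # the forgotten local copy
        (root / "Finance").mkdir()
        (root / "Finance" / "march.txt").write_text(finance)
        (root / "README.txt").write_text("nothing personal here\n")
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

Two points the output makes that the prose cannot: the duplicate copy doubles the exposure even though nobody "created" new data, and a digit run that fails the Luhn check is correctly ignored, which is the difference between a useful scan and one that drowns in false positives.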

Finally, and importantly, it is very light on administration, quick to set up and we are offering a 30 day trial at no cost.  If you don’t like it, we take it away.
