Month: September 2024

How are Mid-Market Businesses Faring Regarding Cyber Security

Mid-sized businesses are under as much pressure to keep the organisation secure as the larger corporates, but without the deep pockets those corporates have.  Because of this they are fast becoming the easy target that we often view small businesses as being, but with a larger payoff for the cyber-criminal.  In the UK in 2023, 59% of medium-sized businesses reported suffering a cyber-attack or data breach.

The biggest issue facing mid-market organisations is balancing limited resources against the growing complexity and volume of cyber threats.  The lack of resources is compounded by a general shortage of cyber-security skills, and a real lack of those skills both in mid-sized companies and in the IT companies they often outsource to.  Key aspects of this challenge include:

1. Resource Constraints: Mid-market organisations typically lack the budget and personnel to implement robust, enterprise-level cyber-security solutions. They may not have a dedicated security team, so the IT department manages cyber-security alongside its other duties. That dilutes skills and leaves them vulnerable to sophisticated attacks.

2. Rising Threat Sophistication: Cyber-criminals are increasingly using advanced tools and techniques, such as ransomware, phishing and supply chain attacks, now enhanced with AI, which often outpace the security capabilities of mid-sized businesses. These organisations are prime targets because they are seen as less protected than large enterprises but more valuable than small businesses.

3. Compliance and Regulatory Challenges: As regulations such as UK GDPR, FCA rules for regulated firms and industry-specific mandates grow, mid-market companies struggle to meet compliance requirements without the level of support and infrastructure that larger organisations can afford.

4. Lack of Cyber-security Awareness: Employees at mid-market organisations may not have adequate training in cyber-security best practice, leaving them open to human error such as falling for phishing scams or using weak passwords.

5. Third-Party Risks: Mid-market companies often rely on third-party vendors for a range of services, but may lack the resources to vet those vendors’ security postures properly, introducing vulnerabilities through their supply chain.

Addressing these issues requires mid-market organisations to prioritise cyber-security despite resource constraints, invest in scalable security solutions, and foster a strong security culture throughout the organisation.

There is a very real difficulty in breaking out of this cycle.  The mindset of most board members is to focus on the core business and keep costs to an absolute minimum.  Costs matter in a mid-sized business, especially one where margins are tight.  IT budgets concentrate on the hardware and software needed to keep revenue flowing, and cyber-security solutions, including data protection solutions, are often seen as nebulous because there is no obvious return on investment.  CIOs, CISOs and IT Directors are left trying to prove a negative: “we haven’t had any security issues because we have protections in place”, as opposed to the board’s “we haven’t had any security issues, therefore we don’t need to budget for protections”.  It is a years-old argument that never seems to get resolved.

However, breaking out of this cycle, this way of thinking, is very important.  Cyber threats, what we refer to as the threat landscape, are evolving at a frightening pace, increasingly with the help of AI.  That only sharpens the budget argument, because there is a constant need to keep pace with the cyber-criminal, and those of us in this industry know that we have always been playing catch-up.

So how do we do it?  There is no easy answer, but one route that some mid-sized organisations are now looking at is managed security services.  Providing SOC (Security Operations Centre) capability on a shared basis, much as we do with cloud services, makes managed security far more affordable.  Many large enterprises also use managed security services for the same reason of cost.  On-site solutions are expensive not just in hardware and software but in staffing and training, which can be exorbitant, so sharing those costs becomes very attractive.

Of course, there is no one-size-fits-all solution.  Most managed service providers offer a fixed set of services and do not tailor them to each customer, simply because doing so would make the service too complex and expensive to provide, which would rather defeat the object of the exercise.

To make sure you get the level of protection you actually need, you must do some up-front work, perhaps with some consultancy.  Spending a little to define the protections and service levels you really need will save you money in the long run, and gives you something concrete to hold a provider to.

There are several services around and organisations that provide them, and I do recommend that you shop around.  Some are better than others, and the CrowdStrike incident of July 2024, when a faulty Falcon sensor update crashed Windows machines around the world, has not done the reputation of outsourced security much good.  Here at H2 we offer solutions both for monitoring your technical estate (user actions, email, cloud services and so on) and for your data protection obligations, with monitoring of any compliance regimes you may be subject to, UK GDPR and PCI DSS for example.

If in doubt, give us a call.  We’d be delighted to chat it over, offer a demo and a FREE trial lasting up to 30 days for the data protection solutions and 14 days for the more technical solution.

Another Rant about Cyber Awareness Training

I make no apologies for having another rant about this subject, because it is so important and so easy to do.  Recently I put up a poll on LinkedIn asking how important people felt cyber awareness training was.  The poll got a lot of views but very little interaction, which is very disappointing.  It tells me that either people have little interest in it, don’t consider it a priority or even a necessity, or don’t understand its importance to the safety of their systems, data and staff.

Very simply put, cyber awareness training is the quickest and cheapest win you can make in the fight against the cyber-criminal.

Cyber awareness training is an essential component of modern organisational security strategies. It equips employees with the knowledge and skills necessary to recognise, respond to, and mitigate cyber threats. Let’s look at some key advantages of implementing cyber awareness training:

1. Enhanced Security Posture: Employees who are educated about cyber threats can identify potential risks and take proactive measures to protect sensitive information. This collective vigilance strengthens the overall security framework of the organisation.

2. Reduction in Human Error: Many cyber incidents stem from human mistakes, such as falling for phishing scams or mishandling sensitive data. Cyber awareness training helps mitigate these errors by teaching employees how to recognise red flags and adhere to best practices.

3. Improved Incident Response: Training empowers employees to respond effectively to security incidents. By understanding protocols and reporting procedures, they can act swiftly in the event of a breach, minimising potential damage.

4. Cultivation of a Security Culture: Regular training fosters a culture of security within the organisation. When employees prioritise cybersecurity in their daily activities, it becomes an integral part of the organisational ethos, enhancing overall resilience.

5. Compliance with Regulations: Many industries face stringent regulatory requirements regarding data protection and cybersecurity. Cyber awareness training helps organisations comply with these regulations, reducing the risk of legal penalties and reputational damage.

6. Increased Employee Confidence: Knowledgeable employees are more confident in their ability to navigate the digital landscape safely. This confidence can lead to greater engagement and a more proactive approach to cybersecurity.

7. Cost Savings: By preventing cyber incidents through effective training, organisations can save significant costs associated with data breaches, including legal fees, recovery expenses, and loss of business reputation.

8. Adaptability to Emerging Threats: The cyber threat landscape is constantly evolving. Cyber awareness training keeps employees informed about the latest threats and trends, ensuring they can adapt their behaviours accordingly.

9. Strengthened Team Collaboration: A shared understanding of cybersecurity risks encourages collaboration among teams. Employees are more likely to communicate about potential threats and share knowledge on best practices, leading to a more cohesive defence strategy.

10. Customer Trust: Organisations that prioritise cybersecurity demonstrate their commitment to protecting customer data. This commitment builds trust with clients and partners, which is crucial for maintaining long-term relationships in today’s digital economy.

In summary, cyber awareness training is a vital investment for organisations looking to enhance their cybersecurity defences. By equipping employees with the knowledge and skills needed to identify and respond to threats, organisations not only protect their assets but also foster a culture of security that benefits everyone involved.

And the reality is that it doesn’t have to cost a fortune.  It can be done very cost-effectively, and without staff spending time in a classroom, by automating the courses and delivering them online so that staff can complete them in their own time.  Short, regular modules also do more than a single annual session, because the threats, and the phishing lures, keep changing.

Is Cyber Security about Tech or the Business?

It is simply a fact that many owners, managers and directors believe cyber security is a technology issue, best left to the people in IT who understand that stuff.  Here at H2 we spend a lot of time and effort trying to educate C-level people that it really is a business issue, albeit one with significant input from the technical side.  It is a business issue because breaches can have a significant financial and reputational impact.  It is also an IT issue because it involves implementing technical measures to protect systems and data.  Effective cyber security requires collaboration between business leaders and IT professionals to address both the strategic and the technical aspects of security.

The crux of the issue though, is that it must be led by the business, and at board level.  It requires a strategy to be followed, which is laid down at board level and which is focused on the goals and aspirations of the business, especially when your IT is outsourced.  You can outsource your IT, but you can’t outsource your responsibility.

A valid argument is that the proliferation of security tools creates an illusion of safety.  Organisations large and small often believe that by deploying a firewall, antivirus software and maybe some other tools, such as an intrusion detection system, they are adequately protected.  That ignores the fact that such tools are controls, put in place to mitigate risks that a risk assessment has identified and ranked by importance.  Unless the benefit each control brings has been properly identified, and the product is placed and configured correctly, it may well not be doing what you think it is doing: a firewall with a permissive rule base, or an IDS whose alerts nobody reads, is a cost rather than a control.  This thinking can also introduce significant third-party risk into your domain.  The most recent example is the CrowdStrike incident of July 2024, when a faulty content update to a security agent, rather than any attacker, took down Windows systems across the globe.

To be fair to most companies in the small and mid-market arenas, their focus is on obtaining IT solutions as cost-effectively as possible and with the minimum of support costs.  Cost control is vital to most.  This means they are extremely reluctant to spend money on what they see as not being part of their core business.  Of course, if they suffer a cyber-attack or scam, or worse a data breach that attracts the attention of the Information Commissioner’s Office (ICO), then the cost of fixing the issue can easily outstrip the cost of prevention.  Unless they have a well thought out, risk-managed strategy, they are wide open to slick sales pitches that push products.  The rub is that having that strategy means spending on what they see as expensive services that seem somewhat nebulous, not something they can see and feel, and there is that vague feeling of being led to do something that really isn’t all that important.

The approach most take is to trust their IT provider to give them the protections they need.  Most of these IT providers are what is known as resellers, i.e. they sell other people’s products and will push those products because that is their business model.  What they won’t do is take a risk-managed approach, which is essential in ensuring that any limited spend on security, limited because of cost constraints, is targeted where it is needed and will be most effective.  In other words, the technology-led approach taken by most IT support companies will do half a job at best.

In essence then, if you don’t understand the risks you face, how can you ensure that your cyber security strategy and protections are fit for purpose?  Risk management is about making plans for the future in a deliberate and responsible way.  That requires us to explore what could go wrong in the organisation on a day-to-day basis.

A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, from his book Secrets and Lies, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.’

How do we approach this then?  First and foremost, you need to identify the risks you face.  How do you identify a risk and then mitigate it?  Taking risks is a part of business; you assess risk every day when doing business.  Do you want to do this deal?  What happens if it doesn’t go as expected?  Do I want to take this person on?  Whether you undertake a risk assessment formally or assess that risk informally, you are working out what is appropriate to a level consistent with the risk your organisation is prepared to take.  Failure to do that will almost certainly damage your business, perhaps fatally.

The difference between assessing day-to-day business risk and assessing risk to cyber assets is one of understanding.  What is a cyber asset?  In this context, substitute the word ‘information’ for cyber.  It is the information held within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that, think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers, probably in a cloud somewhere (cloud storage and access is a whole other subject), and that somewhere on those servers there is a bunch of data that runs your business.  How much of that data has been saved onto staff workstations when someone needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall only filters ports and addresses, with no Unified Threat Management (UTM) features such as intrusion prevention and malware inspection, leaving whatever gets through free to probe the servers and workstations?  And we haven’t even thought about changes in working patterns.  How many of your staff now work remotely some or all of the time?  I could go on.

How can we be sure where all this information is and how important each piece is to the business?  How do we assess the risk to the business if information is lost or otherwise compromised?  What about ransomware, phishing scams and the rest?  The good news is that some of this can now be automated and managed for you at an affordable price, and you can arrange a 14-day, totally free trial to assess its effectiveness.

AI and Risk Management – What’s Changed?

The answer to the question posed is, quite simply, nothing, as far as risk management is concerned.  The process of analysing the threats posed to a particular organisation or infrastructure, assessing how vulnerable that organisation is to those threats, and applying controls to bring the risk down to an acceptable level remains pretty much the same.

Of course, the threat is changing, quite considerably.  Billions are being invested globally in AI, which is driving huge advances in technology.  That brings great benefits, but also new risks that are potentially more dangerous than those associated with current IT systems.

There is guidance coming out from several sources internationally on these risks and how to address them, but the EU has gone one step further with the first comprehensive continental legislation on AI, the EU AI Act.  Unlike most countries’ guidance it is not voluntary: it was adopted in 2024, entered into force on 1 August 2024 and has real teeth, with its obligations phased in over the following years.  It wouldn’t be a shock to find other countries following suit.

The EU AI Act focuses on impacts to the rights, freedoms and safety of the public within the EU, but it is nevertheless landmark legislation aimed at regulating artificial intelligence across the member states.  First proposed in April 2021, the Act establishes a comprehensive legal framework for AI that ensures the technology is developed and used in a way that respects fundamental rights, safety and democratic values.

Here are the key points of the EU AI Act:

1. Risk-Based Approach

The Act adopts a risk-based classification system that categorises AI systems into four risk levels:

  • Unacceptable Risk: AI systems deemed harmful (e.g., social scoring by governments) are banned outright.
  • High Risk: AI systems with significant potential to impact safety, rights, or wellbeing (e.g., biometric identification, critical infrastructure) must meet strict requirements regarding transparency, accuracy, oversight, and documentation.
  • Limited Risk: Systems with moderate risk must comply with transparency obligations (e.g., AI chatbots must inform users they are interacting with AI).
  • Minimal Risk: Systems with negligible or no risk (e.g., spam filters, AI in video games) are largely unregulated.

2. High-Risk AI Regulation

For high-risk AI systems, the EU AI Act imposes stringent regulatory requirements. These include:

  • Thorough risk assessments before deployment.
  • Ongoing monitoring during use.
  • Ensuring traceability and transparency in the system’s decision making processes.
  • Compliance with technical documentation and human oversight standards.

3. Prohibited Practices

Certain AI uses are banned outright because they are considered to violate fundamental rights. Examples include:

  • Real-time remote biometric identification in public spaces for law enforcement purposes (with some exceptions).
  • AI systems that exploit vulnerabilities of specific groups, such as children or the elderly.

4. Governance and Enforcement

A European Artificial Intelligence Board oversees the implementation of the AI Act, working alongside an AI Office within the European Commission and the national authorities that enforce compliance across the EU.

5. Penalties

Non-compliance with the AI Act can result in hefty fines.  The 2021 proposal set the top tier at €30 million or 6% of global annual turnover, whichever is higher; the adopted text raised that to €35 million or 7% for the prohibited practices, with lower tiers for other breaches.

6. Promoting Innovation

While the AI Act imposes strict controls on high-risk systems, it also includes provisions to encourage innovation in the AI sector. It proposes the creation of regulatory sandboxes, controlled environments where companies and public institutions can test AI systems under the supervision of regulators before full deployment.

7. Scope

The AI Act has a broad scope, applying not just to companies and institutions based in the EU, but also to non-EU organisations that place AI systems on the European market or whose AI systems affect individuals within the EU.

The EU AI Act is significant because it represents the first major attempt globally to create a legal framework that balances the benefits and risks of AI. It aims to position the EU as a global leader in AI regulation, prioritising ethical AI development while promoting safety, transparency and accountability.

As I said earlier, there are other sets of guidance being issued, but they are not enforceable and can be adopted in whole, in part, or ignored.  The US Department of Commerce’s National Institute of Standards and Technology (NIST) and the UK National Cyber Security Centre (NCSC) have both issued such guidance.  The NIST AI Risk Management Framework, for example, frames AI risk in terms of harm to people, harm to an organisation and harm to an ecosystem, and the NCSC has published guidelines for secure AI system development.  But it remains just guidance.  On the upside it is all based on sound risk management, and for those of us who have been steeped in that culture almost for as long as information security has been part of IT, that is music to our ears.

If you want to know more or to chat over the issues, drop me a message.  I’d be only too pleased.  If you are interested in knowing a bit more about risk management then this article might be of interest to you https://hah2.co.uk/still-on-the-subject-of-cyber-resilience/.
