Month: December 2024

What are the effects of downtime on your business?

I’ve talked in the past about what SMEs really care about when it comes to cyber security.  Do they really care about the technicalities of an attack or scam?  Do they really care about the technical aspects of a piece of protective software or hardware?  My argument is that they don’t give a damn.  What they want to know can be summed up pretty easily.

  1. How vulnerable are they to an attack and/or scam?
  2. What would be the effects if that attack or scam succeeded?
  3. What can they do about it, and how much will it cost them?

I wrote mostly about points 1 and 3 in a blog earlier in the year, https://hah2.co.uk/what-do-sme-owners-and-directors-want-from-cyber-security/, and I’ve included the link if you want to read it.  This time I’m concentrating on point 2 and the effects of the downtime that it creates.

Downtime following a cyberattack can have serious consequences for businesses and individuals. We can categorise these into several key areas:

  1. Financial Costs
    • Lost Revenue: For e-commerce platforms, financial institutions, or other time-sensitive industries, downtime directly results in revenue losses.
    • Operational Costs: Companies may need to pay overtime to IT staff, hire external cybersecurity experts, or invest in replacement hardware or software.
    • Regulatory Fines: Non-compliance with regulations like GDPR or industry-focused standards, due to downtime or data breaches, can lead to significant fines.
  2. Damage to Reputation
    • Loss of Customer Trust: Downtime can erode confidence, especially if sensitive customer data is exposed or if services are unavailable for extended periods.
    • Brand Damage: Affected organisations may face negative publicity, making it harder to attract and retain customers or partners.
  3. Operational Disruption
    • Service Outages: Critical systems might be offline, affecting production lines, supply chains, or essential services.
    • Loss of Productivity: Employees unable to access IT systems are effectively idle, causing delays in work and project completion.
  4. Data Loss
    • Corruption or Deletion: Cyberattacks like ransomware can encrypt or destroy critical data, which may take days or weeks to recover, even with backups.
    • Intellectual Property Theft: If attackers steal proprietary information, it can be sold to competitors or leaked online.
  5. Security Gap
    • Exploitation of Vulnerabilities: Downtime often exposes weak points in an organisation’s infrastructure, which may need to be patched or rebuilt.
    • Increased Risk of Future Attacks: Downtime may signal to attackers that the organisation is a viable target.
  6. Legal and Regulatory Implications
    • Breach of Contract: Failure to meet service-level agreements (SLAs) due to downtime can result in legal action from customers or partners.
    • Insurance Implications: Cyber insurance claims may be denied if the company failed to follow adequate preventative measures.
  7. Psychological and Social Impact
    • Employee Stress: Staff may feel pressured to resolve issues quickly, leading to burnout.
    • Customer Frustration: Extended downtime can alienate loyal customers, particularly in industries where continuity is critical, such as healthcare or finance.
  8. Broader Economic and Societal Impacts
    • Supply Chain Disruption: Downtime in one organisation can ripple through its partners, affecting entire supply chains.
    • Critical Infrastructure Risks: Attacks on essential services like utilities or healthcare systems can have life-threatening consequences.

I have blogged many times about the mitigation strategies you can take that don’t need to break the bank, but the bottom line is that proactive measures can significantly reduce the impact of cyberattacks and the associated downtime.  Understand your vulnerabilities and threats, and base your spend on protecting against those threats, starting with the most serious and then working down.  Don’t try to get to 100% security; it doesn’t exist, so understand what risks you find acceptable and what risks you don’t.

Work v Life Balance

A little change this week from my usual promotion of cyber security issues, prompted, at least in part, by the budget changes affecting SMEs, and also because I do tend to interact a lot with HR and recruitment companies, largely because of the amounts of personally identifiable information that they hold and their concern about those budget changes.

There are going to be different views about those changes, driven by lots of things ranging from political views to how they will impact individuals, and I’m not going to pour oil on those differing views.  That’s not the focus of this piece.

My first 30 years’ employment, from age 15 to age 40, was spent in the public sector, 25 years in the Army and 5 years in the NHS.  I then left and spent 2 years in a UK company before moving on to a major US corporation, followed by 2 more major US corporations.  By that time I’d had enough and wanted to run my own business my own way.  A challenge which never stops but has its rewards.  The contrast between the attitudes in the UK and in the US is stark, even given that the UK has attitudes to employment and laws, which are much more onerous than they are in Western Europe.

One of the first things that hits you in a US corporation is the expectation that you will work as long as they want you to, go where they want you to, and do what they want you to, all within the same salary.  Some managers are harsher than others of course, but the stock price will win every argument, and I well remember the Chairman of my first company openly admitting that they used staffing levels to control the stock price.  That meant that they would cut staff to keep the markets happy, without a second thought and absolutely hated that they couldn’t do that in Europe because of the employment laws.  The US employees had no such protection.

There were many examples of how employees were often impacted by the attitude of the senior management across the pond.  One such sticks out from when I was running a team in the Middle East.  Our weekends were Friday and Saturday; we worked Sundays.  One Friday the team had hired a boat, privately between us, and we were anchored offshore with the team diving off the boat into some very warm waters and having a good time.  My mobile phone rang, and I was told that I needed to get online and produce some stats that were needed immediately.  All the European teams were doing this.  I told him we couldn’t get to the office and even sent him some photos that I took with my phone to show him where we were and reminded him it was our weekend.

Needless to say, I was reprimanded for this and told that I wasn’t being loyal.  I was a manager who insisted on looking after my guys (and gals) but that wasn’t universally appreciated by those above.

So, what is senior management often missing when they treat staff poorly, when they are demanding and even, sometimes, demeaning?  Managers are looking for productivity, of course they are, without that the company goes under, but is a happy staff more productive than an unhappy one?  If we are paying a low wage and making staff claim UC to make it up, does that demean the staff member as well as putting the burden on the taxpayer?  Going back to my time in the Army in the late seventies, I remember being a Lance Corporal and qualifying for supplementary benefit, which I found demeaning.  Mind you it got worse, I was promoted to Corporal and no longer qualified and lost about a tenner a week – a lot of dosh back then.

Let’s now look at what a good work-life balance is going to give us.  Is it essential for maintaining overall well-being and improving not just the personal aspects of life, but also does it improve those professional aspects that increase productivity?  I’m not declaring myself one way or another and would prefer others to come to their own conclusions.

a. Improved Mental Health

  • Reduces stress and anxiety.
  • Helps prevent burnout by creating time for rest and self-care.
  • Encourages a clearer mind, enhancing focus and decision-making.

b. Enhanced Physical Health

  • Allows for regular exercise and proper sleep.
  • Reduces the risk of stress-related illnesses, such as heart disease and high blood pressure, reducing time off for illness.

c. Increased Productivity

  • Balancing personal and professional priorities leads to greater focus and efficiency at work.
  • Employees who are well-rested and satisfied with their personal lives tend to be more motivated.

d. Stronger Relationships

  • Allocating time for family and friends strengthens personal bonds and social support networks.
  • Improves communication and connection with families.

e. Greater Job Satisfaction

  • Employees who maintain balance are more likely to enjoy their work, feel fulfilled, and remain engaged.
  • Reduces turnover rates by creating a supportive work environment.

f. Personal Growth and Fulfilment

  • Provides opportunities to pursue hobbies, interests, and personal goals.
  • Encourages learning and development outside of work, leading to a more well-rounded life.

g. Better Work Culture

  • Promotes a positive workplace where employees feel respected and valued.
  • Encourages teamwork and collaboration by reducing tension and conflict.

h. Increased Creativity and Innovation

  • Taking breaks and engaging in diverse activities fosters creative thinking and problem-solving.

We can argue that a poor work-life balance on the other hand, can have wide-ranging effects, impacting mental, physical, and social well-being as well as professional performance. Here’s a breakdown:

a. Physical Health Issues

  • Increased stress levels: Chronic stress can lead to headaches, fatigue, muscle tension, and weakened immunity.
  • Higher risk of chronic illnesses: Conditions such as heart disease, obesity, and diabetes can result from prolonged stress and lack of physical activity.
  • Sleep problems: Difficulty in disconnecting from work may lead to insomnia or poor-quality sleep.

b. Mental Health Challenges

  • Burnout: Persistent overwork can result in emotional exhaustion, reduced productivity, and detachment from work.
  • Anxiety and depression: Long hours and the pressure to perform can exacerbate mental health issues.
  • Reduced focus and creativity: Mental fatigue from a poor balance impairs cognitive functioning and decision-making.

c. Professional Consequences

  • Decreased productivity: Overworking may initially boost

So, what do I personally conclude from this and why do I care?  Well firstly I’m a human being and so should care and secondly, I’m a business owner and want my staff focused, productive, great for clients to interact with, responsive and who look forward to coming in every day, or at least most days, every day is probably a stretch.  I will also readily admit that some of these points aren’t my own, I have cribbed from some research I did into this area.

What is your take?  I would expect differing views and that’s OK, we all face issues every day in business, some we have in common, and some are unique to a particular business.  I’m not looking for an argument, just some mature reflection.

Cyber Security Skills Gap

We often hear, particularly within the Cyber Security industry itself, of a skills gap and a real problem recruiting and retaining cyber security professionals. Why, and is it real or imagined?  There is a very useful report you can reference from the Department for Science, Innovation and Technology (DSIT), which I’d recommend.

Firstly, let’s look at the market.  As my regular readers will know, I work largely in the SME market, having come from the corporate market where I worked for many years.  Even there, true cyber security professionals were always hard to find and it’s very important to recognise the difference between cyber security skills and experience, and technical skills and experience.

Let me explain.  Within the SME sector there has always been the perception that technical skills were what is needed when putting in place protections against cybercrime.  That does seem to be changing, and I asked the question of a business audience a couple of weeks ago; did they think cyber security was a business issue or best left to the techies.  100% said business which is much different than when I first asked this group the same question 18 months ago, when about 80% said it was a technical issue.  This last result was somewhat heart-warming.

So why does technology get pushed so hard in that sector?  If we look at the corporate market for a moment, we’ll see that these organisations have a solid security team in place, run by a Chief Information Security Officer (CISO), who often reports to a Chief Information Officer (CIO) who is a board member.  This allows them to build a team covering most of the security skills needed, cyber generalists and governance, risk and compliance specialists amongst others, and techies as well.  They will often outsource only the skills needed now and again.  But even here they often struggle to recruit.

SMEs simply don’t have that organisation in place, and even at the top ‘M’ end of the market, those companies knocking on the door of the corporate market, they still outsource most of their IT and with it, their cyber security.  The reason why an SME would choose to do this is obvious: it’s cost.  They can’t afford to employ even IT staff full time, and those that do often have one person whose main role is to keep on top of their outsource partner.

A big issue facing SME organisations is balancing limited resources with the growing complexity and volume of cyber threats. The lack of resources is compounded by an overall dearth of cyber-security skills in general, and a real lack of skills in mid-sized companies and the IT companies they often outsource to.

Allied to this issue is that many IT support companies focused on the SME market don’t really have any more of a handle on cyber security issues, and how to fix them, than the SMEs themselves.  This might sound harsh but consider that their business is all about selling in hardware and software licences; the more they sell, the stronger their business.  Obvious, right?  That makes them focused on the technologies they sell, firewalls, anti-virus etc, and they will have the technical skills needed to support and maintain those products.  That’s all fine but ask them some simple questions:

  • Have they fully identified your security assets?  Security assets are not just hardware and software, in fact those are often the least of your worries.  It’s the data, where it is and how it’s protected that is important.
  • Have they done a risk assessment on those assets?
  • Have they recommended or implemented controls to manage the risk down to your acceptable residual risk level?  That is assuming they have spoken to you about what that acceptable risk is.

It’s very important that business owners grasp the difference between the technical requirements of their networks, and the business requirement. 

Cyber security professionals will focus on all aspects of protecting digital assets, IT systems and networks from unintended or unauthorised access, change or destruction. Cybersecurity focuses on devising a security strategy and identifying the controls, processes, and technologies that ensure the protection of data, programs, networks and associated software from unauthorised access or attack. It is focused on People, Process and then Technology.

Technical security focuses on the technologies employed as controls to remediate the risks defined in the risk assessments carried out.  Risk assessment is essential because without it, you can’t be sure that you have the right controls in the right place doing what you think they are doing.  In other words, it helps to ensure that your spend is targeted correctly and you’re not wasting money.

And that last piece is what your local IT provider is not doing.  They look at tech, not the business.

Getting back to the skills gap, it’s clear that whilst that gap exists it probably isn’t hitting SMEs hard because they weren’t invested in those skills in the first place in the way the corporate market is.  SMEs tend to outsource those things that aren’t their core business, including IT, HR and payroll etc, so why not cyber security?  The answer is often because they don’t think they need to, often until it’s too late.  Having someone on tap that you can contact for advice and guidance is worth every penny.  Trust me – I’m a cyber security pro!

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services designed specifically for SMEs; at a price they can afford.  Our advice and guidance takes a unique look at the problems facing SMEs whilst calling on our vast experience working for the larger organisations and government departments.

To learn more about the services we provide please click here https://www.hah2.co.uk/

Alternatively, please feel free to give us a call or email

T: 0800 4947478

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Trust H2 – Making sure your information is secure
