Month: February 2025

Cyber Awareness Training

Investing in cyber awareness training is crucial, especially for SMEs, who tend not to have the expertise and resources at their fingertips to protect themselves against cyber-attacks and scams. Cyber threats are constantly evolving, and smaller businesses are often prime targets for attackers because of their perceived weaker security defences. Your staff are key: they are the first line of defence and, potentially, your biggest weakness. This means they must know what the threats are and what simple steps they can take to protect the business.

Here are some key reasons why an SME should be seriously considering a cyber awareness training programme for their staff:

a. Protect Against Cyber Threats

SMEs face risks from phishing, ransomware, and social engineering attacks. Training helps employees recognise and respond to these threats before they cause harm.

b. Reduce Human Error

Most cyber incidents result from human mistakes and are not malicious in nature. Cyber awareness training can significantly reduce mistakes such as clicking on malicious links or using weak passwords. It teaches employees what security best practice means and how to adopt it.

c. Ensure Regulatory Compliance

Many industries are subject to data protection laws (e.g., GDPR) and other industry-led regulations (PCI, FSA etc.) that require businesses to safeguard customer data. Cyber awareness training helps SMEs comply with these regulations and avoid fines and reputational damage.

d. Protect Business Reputation

A data breach can damage customer trust and brand reputation, potentially leading to lost business. Proactive cybersecurity measures, including training, help maintain credibility.

e. Minimise Financial Losses

Cyber incidents can lead to financial losses from fraud, legal fees, downtime, and recovery costs. Investing in training is a cost-effective way to mitigate these risks.

f. Strengthen Overall Security Culture

When employees understand cybersecurity risks, they become an active part of the defence strategy, fostering a security-first mindset across the organisation.

g. Improve Incident Response

Trained employees can quickly identify and report security incidents, enabling faster response times and reducing potential damage.

h. Stay Competitive

Many clients and partners prefer working with businesses that prioritise cybersecurity. Demonstrating a commitment to security can be a competitive advantage.

Awareness training doesn’t need to cost that much. It can be delivered classroom-based, either on site or online, or it can be automated. The latter is often the preferred platform for an SME.

Let’s take a look at the pros and cons of each method of delivery.

Classroom-Based Training

Pros:

  • Interactive Learning – Employees can ask questions, engage in discussions, and get real-time feedback.
  • Customisable Content – Trainers can tailor content based on specific organisational threats or employee skill levels.
  • Higher Engagement – In-person or live virtual sessions often result in better engagement and knowledge retention.
  • Hands-on Practice – Allows for simulations, group exercises, and real-world case studies.

Cons:

  • Costly – Requires hiring trainers, scheduling sessions, and potential travel expenses.
  • Time-Consuming – Employees must take time away from work to attend sessions.
  • Scalability Issues – Difficult to train a large workforce across multiple locations.
  • Inconsistency – The effectiveness may vary depending on the instructor’s expertise and teaching style.

Automated Training (often AI-Based)

Pros:

  • Cost-Effective – No need for in-person instructors or travel costs.
  • Scalable – Easily deployed across an entire organisation, including remote employees.
  • Flexible Scheduling – Employees can complete training at their own pace.
  • Consistent Content Delivery – Ensures all employees receive the same training material.
  • Trackable Progress & Reporting – Automated platforms provide analytics on employee performance and compliance.

Cons:

  • Limited Engagement – Lack of real-time interaction may result in lower retention.
  • Generic Content – May not always address specific threats or industry-specific risks.
  • No Immediate Feedback – Employees may not have an opportunity to clarify doubts in real time.
  • Potential for Click-Through Learning – Some employees might rush through without fully absorbing the information.

Which one is better? This is somewhat subjective and will depend very much on the type of business you are, your budget and your expectations. Generally:

  • For organisations needing high engagement and tailored content, classroom-based training is ideal.
  • For large, distributed teams or cost-conscious businesses, automated training is more practical.
  • A hybrid approach, combining both methods, often works best—using classroom sessions for deep learning and automated modules for ongoing reinforcement.

Here at H2 we can offer both classroom-based training, in person or online, and an automated programme which can include induction courses and continual reinforcement. The latter is, of course, the more cost-effective solution for many SMEs.

Cyber Security Operations

Security operations is a complex subject, and there is no doubt that it can be expensive and difficult, even for corporate organisations, who generally have the resource, both financial and technical, to run a security operations centre (SOC), or can at least afford to outsource one. I saw an RFP from a housing society for a SOC, and I would be very interested to see whether that contract gets let once the organisation gets the quotes, because I would be shocked if they could afford it.

Their RFP based its premise on the introduction of a Security Information and Event Management system (SIEM), which, in itself, might suggest that they don’t really know what they are asking for, or indeed what they want. I base this on having designed, built and operated several such operations centres in the past.

Now, before the SIEM vendors and resellers pile on, let’s be clear: SIEM systems have their place and are very useful in a SOC, although I would argue that they are most certainly not the be-all and end-all. My focus these days is on SMEs, and for an SME there are several reasons why a SOC and a SIEM may be over the top and a cost too far.

Whilst a SIEM system is a valuable tool for cybersecurity, it comes with several drawbacks, including:

a. High Cost

  • Expensive Implementation – SIEM systems require significant upfront costs for software, hardware, and licensing.
  • Ongoing Costs – Maintenance, updates, and skilled personnel add to long-term expenses.

b. Complex Deployment and Management

  • Difficult Configuration – Setting up a SIEM system to work effectively requires extensive tuning and integration with various security tools.
  • Frequent Fine-Tuning – To avoid false positives and negatives, organisations must continuously refine alert rules and correlation policies.

c. High Volume of Alerts and False Positives

  • Alert Fatigue – SIEM systems generate numerous alerts, many of which are false positives, overwhelming security teams.
  • Difficult Prioritisation – It can be challenging to distinguish between critical threats and routine events without proper tuning.

d. Scalability Issues

  • Performance Bottlenecks – As an organisation grows, more logs and data sources can slow down the system.
  • Expensive Scaling – Scaling a SIEM to handle increasing data volumes often requires costly upgrades.

e. Need for Skilled Personnel

  • Expertise Required – SIEM systems need cybersecurity professionals to manage, analyse, and fine-tune them effectively.
  • Shortage of Talent – Finding skilled SIEM analysts can be challenging and expensive.

f. Storage and Compliance Challenges

  • Log Retention Costs – Storing large volumes of logs for compliance can be expensive.
  • Regulatory Complexity – Ensuring compliance with data protection laws (e.g., GDPR) requires careful log management.

g. Limited Threat Detection Without AI/Automation

  • Reactive Approach – Many traditional SIEMs rely on pre-set rules, making them less effective against new or sophisticated threats.
  • Lack of Automation – Without AI-driven analytics, manual investigation can be time-consuming.

Having debunked the usefulness of a SIEM system for an SME, let’s look at what an SME could do to mitigate their cyber risks.

A good cyber security strategy has always been founded upon strength in depth, or defence in depth: sound security architecture, good cyber awareness training, solid access control and identity management, and the ability to protectively monitor your estate for threats, vulnerabilities and risks.

If you are not monitoring the effectiveness of the protections that you have spent good money on, how do you know it’s money well spent? Are those protections doing what you think they are? Monitoring is central to the identification and detection of threats to your IT systems. It acts as your eyes and ears when detecting and recovering from security incidents, and it enables you to ensure that devices are used in accordance with your organisational policies.

Many small to medium-sized businesses struggle with stretched resources, lean budgets, and a critical gap in technical expertise. Facing sophisticated cyber threats with outdated systems turns them into easy targets for cybercriminals. Exposed and at risk, these businesses teeter on the edge of significant disruption, financial loss, and reputational damage. Although on the surface a SIEM system might seem to be what an SME needs, it does not fit the profile of most SMEs, being too resource-intensive and costly.

We have been researching the market, looking for a way of providing a managed security service that would serve an SME at an affordable price. And we think we’ve found it – no, we are SURE we have found it. Simplicity is at its core, employing enterprise-grade technology to simplify and streamline the day-to-day work. Our unified platform and onboarding process seamlessly detect, prevent, and respond to cyber threats in the most holistic, hassle-free, and cost-effective way.

We are offering a 14-day free trial, which will cover:

  1. Email security.
  2. Cloud data.
  3. Automated cyber awareness training.
  4. External risk.
  5. Endpoint security.
  6. Secure browsing.
  7. Phishing simulation.
  8. And as an added bonus we can provide cyber insurance at a price which is directly linked to your risk score within our system. The lower your risk, the cheaper the insurance.

This system is deliberately aimed at 1 to 250 IT users in any business. Most SMEs come in at around 10 to 15 IT users, but we’re not precious about it. It is a managed service, and we have our eyes on the glass and can mitigate your risks automatically, or in concert with you, depending on how you wish to tailor the service. All this for a mere £12 per user per month.

Governance, Risk and Compliance

… or let’s call it GRC, because it is a bit of a mouthful. Two questions arise: firstly, what does it mean, and secondly, does it really apply to SMEs?

To answer the first question, GRC is a programme comprising those elements which, governed by the cyber-security strategy, provide cyber-security risk assessment, generate appropriate cyber-risk management policies and controls, and enable measurement of compliance with those policies and controls. Let’s not forget the controls required by legal and regulatory bodies.

  • Governance is the process which dictates policy in line with the cyber-security strategy. It ensures that the organisation’s cyber-security policies are generated, adopted and amended within the organisation. Governance may be derived from both internal requirements (e.g. audit, board direction, information security) and external sources (e.g. statutory and regulatory requirements).
  • Risk management is the process by which risks are evaluated in light of business requirements and the organisation’s risk tolerance or appetite. Risk management and mitigation policies and controls are then designed to achieve an acceptable level of risk to the organisation’s finances, data, reputation etc. The policies, and the intensity and number of the controls, must be balanced against their cost and budgetary considerations, as well as the acceptable level of residual risk remaining once all controls have been implemented. Risk management is also the means by which new risks from emerging threats and new business opportunities are assessed and reduced to an acceptable level.
  • Compliance is the process by which adherence to risk management policies and controls is measured and gaps are identified. This function is performed by various individuals and teams, including internal audit, risk assessment teams, external regulatory agencies and third-party organisations.

OK, so far so good, but isn’t this all a little over the top for SMEs? Well, yes and no. Firstly, every business must comply with the statutory regulations laid down by government and the requirements for governance laid down by various industry standards. PCI is a good example of the latter: if you don’t comply with the PCI DSS standard, you simply won’t be allowed to take credit card payments. Maybe not important to all businesses, but it is to many.

Secondly, it is a matter of scale. Everyone in business does some form of risk assessment during the working day: is it safe to take this person on? Is this a good bit of business to acquire, or is it too risky? Do we need to diversify? Etc. Even if your risk assessments aren’t formal and you are doing them on the fly, they are still relevant to your business. Cyber security is no different. Your cyber assets, and in this case we often mean your data, need to be risk assessed, i.e. assessing the risk to the business if it all goes pear-shaped, and then the right controls applied. This falls under GRC.

So, what kills GRC in business? It’s often a lack of communication and understanding. The lack of understanding comes from not having the relevant expertise to talk to, and I’m not referring to IT techies. They are great at keeping your systems working, be they an in-house resource or a managed service IT company under contract, but they are not cyber security professionals. The latter is a skill set recognised in the industry, with its own qualifications and career path.

The lack of communication comes in when you have the relevant expertise to hand, usually outsourced, but the board is simply not listening to what it is being told. So why is that? Well, a big mistake made by some cyber security people is being too technical and speaking in jargon. It doesn’t work and turns people off. When putting across an argument it must be in plain English and business focused. Management has to see some form of ROI, even if that ROI is difficult to measure, based as it probably will be on proving a negative, i.e. the controls are working because we haven’t been hacked, as opposed to, we haven’t been hacked so we don’t need to budget for this. Another example is talking about phishing, ransomware, hacking etc., when the business wants to hear about insider fraud and intellectual property theft.

My regular readers will be aware of my adherence to the KISS principle – Keep It Simple, Stupid. So overly complex GRC tools and solutions won’t work for SMEs, regardless of where they sit on the totem pole, whether at the lower end of Small or the higher end of Medium. All GRC principles must be scaled accordingly, and any practitioner used to evaluate your GRC issues must have a firm grasp of the business and apply GRC principles to support that business in a way that management can immediately see its value. Not easy, but very much doable.

When working for HP I had two teams: one was techie and the other, focused on GRC, was not so techie, and I kept that separation because it was very important.

I am always happy to have a conversation around this subject.
