Month: September 2025

General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Cyber Security Architecture

In many of my discussion with small to medium business owner on the subject of Cyber Security and how it may impact them, one of the things that does stand out, amongst quite a few, is the lack of understanding about security architecture.  So, I thought it was worth discussing it further.

What is security architecture?  Well, in a nutshell it’s the technical elements of security that are used to mitigate cyber risks.  Many of you may have read or heard of me talking about the differences between IT Security ie, the technical elements, and Cyber Security ie, the risk managed elements, a more holistic approach if you like.  And of course, the two remain separate whilst maintaining a symbiotic relationship in that one begets the other, or it should.  Security architecture, in order to be fully effective, has to be based on risk management ie, if you haven’t identified the risks, how can be sure that whatever technology you’ve been persuaded to buy, is necessary and effective?

All SMEs will have things like a firewall and anti-virus, possibly going a step further and having some form of end point protection against most malware attacks.  But how did they arrive at the products they have purchased and taken into use.  Well generally that is based solely on the recommendation of whatever IT support company they’ve bought it from.  Usually, the local IT company that they use to supply their hardware and software and who often provide technical support as well.

I’m not against building a relationship with a local IT provider, in fact it’s a very good idea, but all SMEs have to realise that those companies are what is known as Value Added Resellers or VARs.  What that means is that they have a relationship with hardware and software vendors and that their staff are trained in the installation, configuration and sometimes maintenance, of those vendors hardware and software.  Is that a problem?  That depends very much on how the requirement for a solution was arrived at.  Was it based on identifying the risk through some form of risk assessment process, or was it arrived at because that’s the products they sell and are comfortable with?  All too often it’s the latter.

I’ve also talked elsewhere about the other non-technical controls that might be required, such as policies and process, another subject but one which is vitally important and can often be better placed to protect a company than expensive tech.

How many SME owners have had the reasoning behind the purchase of technical solutions explained to them? And to be fair to the VAR, how many SME owners have asked for it to be explained to them?  It is typical, when I visit SMEs, to find that they have what is known as a flat network.  That means that they have one gateway into the network, introducing a single point of failure, and no segmentation within the network.  Lack of segmentation means that once an intruder is in, and often the gateway firewall is a dual firewall/router entry level device, not the best, then there are no other controls to stop the intruder from attacking end points, such as for instance, your finance department/person, or perhaps just taking whatever data they want in a stealth attack, so that you don’t even know it’s been compromised.

Of course, these days that is often exacerbated by the increasingly popular remote working.  I know not every company has embraced this, but many have and have not through the security implications.

Segmentation, remote access and remote security solutions need not be overly expensive to implement and may save a lot of money in the long run.  But the main point is that unless you have carried out a risk assessment, then you don’t actually know whether you need a particular solution or not.  Neither do you know whether your firewall and/or router is up to scratch, whether your anti-malware system is doing what you think it’s doing, whether your policies and processes are adequate for the task and whether your staff understand the issues and dangers.

None of these things need be complicated and difficult but they are essential to adequately protect you against and increasingly sophisticated and ever evolving cybercriminal community.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy Security Tools

Do You Have a Handle on Your Cyber Maturity Stance?

Over the years I’ve had some very interesting conversations with several people from multiple different verticals, but all fitting comfortably within the SME bracket, around Cyber Security.  The conversations often tend to take a very familiar turn.  The cry of, ‘I’m covered, my IT support company has put in a firewall and some anti-virus.  They tell me all is good’.  Slightly depressing but not terribly surprising.

Even though cyber security and data loss prevention have leapt to the top of many people’s agenda in recent years, it is still common amongst many SMEs to believe that it is an IT problem, a technical problem rather than a business issue, even when recognising that the risk of a cyber intrusion or a data breach, impacts the business, the bottom line.  So, is it an IT issue or a business issue? 

The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security incident of some sort.  For the small business this could result in costs they could well do without, and I know of one business that has been hit for around £30000, which I am sure you will agree, can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers data and assets be affected as well.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

It is a common misconception is that IT Security is the same as Cyber Security.  That surprises a lot of people, so let’s explore it a bit.  There is clearly a close symbiotic relationship between the two disciplines.  I would argue, and I know this might meet with some disagreement, that IT security refers to traditional IT security methods which are technology based.  Such as firewalls, anti-malware, end point protection etc.  Whilst Cyber security is based very much on risk management which combines controls which are both non-technical and technical, following the principles of People, Process and Technology.

Within the SME world this tends to mean that there is a heavy reliance on third party IT providers.  Is that a good thing? After all that’s in their area of expertise and responsibility, isn’t it?  And here comes the controversial bit.  Third party IT providers, particularly in the SME space, are pretty much exclusively value added resellers or VARs, i.e., companies that sell other company’s products.  Now I’ve no problem with that per se, but it comes with issues.    Notable amongst them is that these companies will have skill sets that are very much limited to the products they sell.  Ie they are proficient in the installation and configuration of those products and their clients are offered those products whether they are best in class, or more importantly, whether they are the most appropriate for the task.  Before I get a social media pile on, I know that some of the bigger VARs do sell multiple vendors products, but they are in a minority.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT.  They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Here at H2 we offer a cyber maturity assessment that is designed specifically at SMEs.  It is a comprehensive evaluation of an organisation’s cybersecurity capabilities and readiness to effectively mitigate and respond to cyber threats. It involves a detailed analysis of the organisation’s cybersecurity policies, procedures, technologies, and practices. The assessment aims to identify potential vulnerabilities, weaknesses, and areas for improvement in the organisation’s cybersecurity posture.

During the assessment, we typically examine various aspects, such as:

  • Governance and Management: Reviewing the organisation’s cybersecurity policies, risk management frameworks, and leadership’s commitment to cybersecurity.
  • Security Awareness and Training: Evaluating the level of cybersecurity awareness among employees and the effectiveness of training programs.
  • Technical Controls: Assessing the implementation and effectiveness of security technologies, such as firewalls, intrusion detection systems, antivirus software, and encryption mechanisms.
  • Incident Response and Recovery: Analysing the organisation’s incident response plan, including procedures for detecting, reporting, and responding to cyber incidents.
  • Security Risk Management: Evaluating how the organisation identifies, assesses, and manages cybersecurity risks.
  • Third-Party Risk Management: Assessing the organisation’s approach to managing cybersecurity risks associated with third-party vendors and partners.
  • Compliance and Regulations: Verifying the organisation’s compliance with relevant cybersecurity regulations and industry standards.

The results of the Cyber Maturity Assessment provide valuable insights to the organisation, enabling them to enhance their cybersecurity defences and establish a more robust and resilient security posture. It helps organisations prioritise their investments in cybersecurity, address vulnerabilities, and strengthens their overall cyber resilience and provides a road map to reach a standard agreed with the management, taking full account of that managements risk appetite.

H2 is currently offering a free 1-hour consultation, and if you wish, a 10% discount for a CMA.

Cyber Awareness Training Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Working Practices

Cyber Security is a Business Issue

This is a subject I return to quite often and it’s all about how cyber security is viewed by many SMEs, and I’ll explore why that view appears to be paramount.  I am pretty much of the view that the attitude I’m about to expand on, is as much the fault of the cyber security industry, as anything else.

We tend to flood potential clients with adverts and articles, mainly focused on technology.  Many of this comes from sales, rather than from the seasoned cyber security experts, that you might wish it did.

Let me give you a couple of quotes.  The first comes from a renowned Harvard scientist and cyber security specialist.  He says, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.’  The second comes from Stephane Nappo, Vice President and Global Chief Information Security Officer for Groupe SEB, ‘It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.’

Boil that down and they are saying that this is not an IT issue, it’s a business issue.  That’s not discounting technology’s role but without integrating it with PEOPLE and PROCESS, we’re only curing half the ailment. When advising a company’s leaders, we must not only identify the threats but also gauge vulnerability to these threats and ascertain the risk to the business. Only then can we craft a solution that harmoniously unites People, Process, and Technology.

Perhaps because there is a considerable amount of what we call FUD, fear, uncertainty and doubt, doing the rounds constantly, it concentrates people on thinking about specifics, instead of looking at the bigger picture.  Whilst there is no doubt that phishing, ransomware, and other scams have certainly concentrated the mind somewhat, and these attacks are most definitely not confined to the large enterprise businesses, but have been attacking, with a lot of success, the small to medium business market, this causes vendors to try and exploit the issues around that and push their technology solutions and of course, SMEs rarely, if ever, have the expertise to judge whether or not a particular product will actually give them the protection they need.  We now must add into the mix AI and its capacity for increasing cyber-attacks at all levels, making the production of code, so much easier and making it available to those perhaps less skilled than heretofore.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to give the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  Let’s just remind ourselves of the quote from Bruce Schneier:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

So, what does he mean?  As he’s not here to ask I suggest what he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

It’s also necessary to have some form of measuring the effectiveness of your solutions through a protective monitoring solution.  Such solutions for SMEs have long been considered too expensive to even consider, even though it provides a set of cybersecurity practices and measures aimed at safeguarding an SMEs digital assets and sensitive information.

But first and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it goes not as expected?  Do I want to take this person on?  Etc etc etc.  Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take.  Failure to do that will almost certainly be damaging to your business, perhaps fatally so. 

Within SMEs the difference between assessing day to day business risk and assessing risk to information assets, is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations.  I could go on.

The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate to achieve your business aims.   You need to ensure that supporting policies are produced, implemented, understood by employees, and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

Sadly, that’s not the end.  User education is probably the most important element of all for an SME.  Ensuring that your staff are aware of the policies and why they exist.  Protect yourself against scams which sadly, form the biggest danger to SMEs rather than hacks.  Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware

SPOOFING

I’ve mentioned spoofing quite a bit in various posts and blogs, but what exactly is it?  Spoofing, as it pertains to cybersecurity, is when someone or something pretends to be something else, attempting to gain our confidence to get access to our systems, steal data, steal money, or spread malware. These attacks come in several forms, including:

  • Email spoofing
  • Website and/or URL spoofing
  • Caller ID spoofing
  • Text message spoofing
  • GPS spoofing
  • Man-in-the-middle attacks
  • Extension spoofing
  • IP spoofing
  • Facial spoofing

Cyber criminals aren’t all that original and spoofing is another con to fool us into taking some form of action that the criminal wants us to take; in other words, it’s a more technical variation on a con artists skill set.  Very often, merely invoking the name of a big, trusted organisation is enough to get us to give up information or take some kind of action. For example, a spoofed email might inquire about purchases you never made. Concerned about your account, you might click the included link.

From that malicious link, scammers will send you to a web page with a malware download or a faked login page, complete with a familiar logo and spoofed link to a web page, for the purpose of harvesting your username and password.

There are many more ways a spoofing attack can play out. In all of them, fraudsters rely on victims falling for the fake. If you never doubt the legitimacy of a website and never suspect an email of being faked, then you could become a victim of a spoofing attack at some point.

Let’s look at some types of spoofing.

Email spoofing is the act of sending emails with false sender addresses, usually as part of a phishing attack designed to steal your information, infect your computer with malware or just ask for money. An example of this is the fabled CEO attack whereby a spoofed email is sent to someone in your accounts payable department attaching an invoice from a fake supplier and purporting to come from the CEO or other senior manager, with the instruction to pay the invoice now, without delay, and sounding like the senior manager is angry about something.  Of course, this is quite easy to defend against by having a rule in place that if a suspect email is received, the alleged sender should be contacted for verification.  Be aware though, if you simply reply to the email, it will go back to the scammer, you must open a fresh email or make a call.

Phishing emails will typically include a combination of deceptive features:

  • False sender address designed to look like it’s from someone you know and trust, maybe a friend, coworker, family member, or company you do business with. 
  • In the case of a company or organisation, the email may include familiar branding, e.g. logo, colours, font, call to action button, etc.
  • Spear phishing attacks target an individual or small group within a company and will include personalised language and address the recipient by name.
  • Typos. Email scammers can be lazy and often don’t spend much time proofreading their own work. Email spoofs often have typos, or they look like someone translated the text through Google Translate.

Website spoofing is all about making a malicious website look like a legitimate one. The spoofed site will look like the login page for a website you frequent, down to the branding, user interface, and even a spoofed domain name that looks the same at first glance. Cybercriminals use spoofed websites to capture your username and password (aka login spoofing) or drop malware onto your computer.

Caller ID spoofing happens when scammers fool your caller ID by making the call appear to be coming from somewhere it isn’t. Scammers have learned that you’re more likely to answer the phone if the caller ID shows an area code the same or near your own.

Text message spoofing or SMS spoofing is sending a text message with someone else’s phone number or sender ID. If you’ve ever sent a text message from your laptop, you’ve spoofed your own phone number to send the text, because the text did not actually originate from your phone.

Man-in-the-Middle (MitM) attacks can happen when you use free Wi-Fi at your local coffee shop. Have you considered what would happen if a cybercriminal hacked the Wi-Fi or created another fraudulent Wi-Fi network in the same location?

Extension spoofing occurs when cybercriminals need to disguise executable malware files. One common extension spoofing trick criminals like to use is to name the file something along the lines of “filename.txt.exe.” The criminals know file extensions are hidden by default in Windows so to the average Windows user this executable file will appear as “filename.txt.”

IP spoofing is used when someone wants to hide or disguise the location from which they’re sending or requesting data online.

Facial spoofing might be the most personal, because of the implications it carries for the future of technology and our personal lives. As it stands, facial ID technology is limited. We use our faces to unlock our mobile devices and laptops, and not much else. This is likely to spread, and the use of AI makes facial spoofing more likely.  Imagine if we advance to using facial recognition to make online payments – scary stuff.

There’s a lot more to this subject, for instance, how do you spot it?  How do you protect yourself against it?  The best form of defence is simply cyber awareness training, something you’re probably getting fed up hearing from me.  But it’s simply a fact that your staff can be your first line of defence, or your biggest threat.

Malwarebytes have published a more detailed article on this subject but even that needs some understanding and explanation.

Cyber Awareness Training Data Breaches and their consequences Ransomware, Phishing and other Malware Security Tools

HOW DO HACKERS HACK?

I’ve posted this before but it’s worth repeating, and you’ll have to forgive me for a somewhat provocative title and allow me some poetic licence, because in fact, different hacking groups do things differently, although they have much in common.  Personally, I don’t like the term hacker, much preferring cybercriminal, because anyone who accesses a system without the owners’ permission, is by definition, a criminal.  But I suppose hacker is less of a mouthful.

What is Hacking?

Hacking involves exploiting vulnerabilities in systems, software, or networks to gain unauthorised access or manipulate data using a variety of techniques and methods, which tend to combine technical tactics and social engineering.

Profiling

One of the first things a hacker, or criminal group, will do, is to profile your organisation and your people.  Favourite open sources of information include:

  • Social media: Information about hobbies, job roles, family, and schedules shared on platforms like LinkedIn, Facebook, and Instagram.  Do you have a social media policy in your company?  Do you lay down what an employee can and cannot say about your company on their personal social media pages?  Do you have a designated person in the company who handles your company’s profile on social media?
  • Company Website:  You’ll want to give prospective clients contact information of course, but you should not give out individual email addresses and you should limit profiles published.  I do give my personal profile on my website but don’t give information about any other position, leaving it to a generic phone number and email address.
  • Professional Profiles: LinkedIn is a favourite for targeting businesses, as it provides details about an individual’s role, connections, and organisational structure.
  • Personal Websites or Blogs: These may reveal contact details, interests, or sensitive information inadvertently.  The same issues that appertain to social media apply here. 
  • Data Brokers: Cybercriminals can purchase detailed dossiers on individuals from data aggregator sites.

With all of these things you’re walking a bit of a tightrope.  You need to advertise and you need to provide potential customers with relevant information to allow them to contact you easily, but at the same time you need to be careful of what you give away.  Use generic email addresses and phone numbers and limit the information you give in profiles.

Phishing and Pretexting

Another favourite is phishing and pretexting.

  • Phishing Emails: We all know, or at least I hope we know, what phishing is.  Attackers send emails designed to extract more information, such as login credentials, by posing as a trusted entity.  In this context, it could be as simple as the attacker wanting to verify information by perhaps sending an email to a discovered address but wanting to confirm that individuals position in the company.  That just requires a response showing a signature block, so the phishing email might seem very innocuous.
  • Fake Surveys or Job Offers: These can be used to obtain detailed personal or professional data.

Favourite Reconnaissance Tools

Hackers don’t need an array of expensive tools to do their job, neither do they need to spend hours developing their own. There are a variety of reconnaissance tools used by attackers, including open-source intelligence (OSINT) tools, WHOIS lookups and scanning misconfigured systems using commercially available tools such as Nmap and Nessus, which identify open ports, services and weak configurations.  This is why it’s essential to regularly scan your network for these weaknesses.  Ports can be opened for a particular reason and never closed again.  It’s a common fault.

We are now seeing new models increasingly. In particular ransomware as a service (RaaS) is a cybercrime business model where  operators write software and affiliates pay to launch attacks using said software. Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators. The “ransomware as a service” model is a criminal variation of the “software as a service” business model. This model allows small threat attackers to gain access to sophisticated ransomware tools at lower costs, also lowering the threshold of entry into cybercrime and complicating defenses against hacking.

Here at H2 we scan the dark web daily looking for leaked credentials, particularly email credentials.  When we on board a new client we nearly always get hits with sometimes up to 20+ compromised email addresses including passwords.  You might ask why they’d be on the dark web – simple, they are often up for sale on dark web marketplaces.

Psychological Profiling

In terms of cybercrime, who’s heard of psychological profiling?  Cybercriminals analyse:

  • Behavioural Patterns: Regularity in actions, such as times a person is online, financial habits, or common purchases.
  • Weaknesses and Triggers: Examples include a recent job loss, major life changes, or emotional vulnerabilities, which they exploit through spear-phishing or scams.

I’ve often argued on these pages, that your employees are both your first line of defence and your greatest weakness, and that a good cyber awareness programme is worth its weight in gold.  Cybercriminals often focus on employees in specific departments (like HR, finance, or IT).

  • LinkedIn and Organisation Charts: Identify individuals with access to sensitive data.
  • Impersonation: Pretending to be a senior executive to trick lower-level employees (e.g., through Business Email Compromise attacks – I’ve written about the CEO scam a lot).
  • Technical Probing: Use of phishing or malware to breach a target’s employer.

Conclusion

In conclusion, what I’ve tried to do here is give you a flavour of what you may be up against, and I hope, I’ve shown you that for all the reasons shown above technology comes last after people and process.  All the tech in the world won’t prevent issues arising from the above and is just one part of an integrated defence in depth required to prevent disaster.

Scroll to top