Month: March 2026

Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

The Breach They Didn’t See

Last week, we wrote about managed detection and response, and how it benefits SMEs, at a price they can afford.  In that article, we did use a scenario where there was an inadvertent data breach, but the article concentrated more on how breaches can be detected, rather than prevented.  This week, we want to expand on how we can detect and prevent data leaks, and if they do sneak through, there is no such thing as 100% security, then how we can encrypt your most sensitive data so that any impact of a data breach is minimised.

Company profile

A small but growing haulage and cold store company that offers haulage of fresh produce from the grower to a cold store, and then onwards to the wholesaler.  It services growers mostly in their local area, a radius of about 4 counties in all directions.  This area covers a large agricultural sector which relies heavily on getting its produce to the wholesaler promptly, with minimal time in cold storage.

Phase 1: The Quiet Entry (Weeks 0–2)

An employee in the accounts team receives what looks like a legitimate email from a known software provider asking them to “re-authenticate” their account. The link leads to a convincing fake login page.

The employee unknowingly enters their credentials.

No alarms are triggered. The company does not have multi-factor authentication (MFA) enabled on this system.

Phase 2: Undetected Access (Weeks 2–8)

Using the stolen credentials, the attacker logs into the firm’s cloud-based CRM system. Because access controls are overly broad, the compromised account can view and export large volumes of client data.

The attacker:

  • Gradually downloads customer records to avoid detection
  • Accesses archived documents containing invoicing data and financial statements
  • Sets up a forwarding rule in the employee’s email to monitor communications

There is no real-time monitoring or anomaly detection in place, so this activity goes unnoticed.

Phase 3: Data Exploitation (Weeks 6–10)

The stolen data is sold on the dark web. Some clients begin experiencing:

  • Fraudulent loan applications in their name
  • Unauthorised bank transactions
  • Phishing attempts using highly personalised information

Still, the SME remains unaware.

Phase 4: The Discovery (Week 10)

A long-standing client contacts the firm after his accountant flags suspicious activity linked to financial activity, which the accountant deems suspicious.

He says:

“The fraudster replicated your invoice template but with different bank details. The invoice matched the activity between us which only we would know.  How did they do that?”

Initially, the company assumes it’s an isolated incident. But within days, two more clients report similar issues.

Phase 5: Internal Panic & Investigation (Weeks 10–12)

The company initiates an internal review and brings in external cybersecurity consultants. They discover:

  • Unusual login activity from foreign IP addresses
  • Large volumes of data exports
  • The compromised employee account is identified

At this point, leadership realises the breach has been ongoing for weeks, possibly months.

Potential Consequences

  1.  Regulatory & Legal Impact
  • Mandatory reporting to regulators (e.g., data protection authorities)
  • Potential fines for failing to protect personal data (e.g., under GDPR-like frameworks)
  • Investigations into inadequate security controls
  • Lawsuits from affected clients
  •  Financial Losses
  • Direct costs:
    • Incident response and forensic investigations
    • Legal fees
    • Customer notification and credit monitoring services
  • Indirect costs:
    • Loss of business
    • Increased Insurance Premiums
    • Potential Compensation Payouts

 Reputational Damage

  • Loss of client trust, especially critical in ‘just in time’ delivery systems
  • Negative media coverage
  • Clients moving to competitors
  • Difficulty acquiring new customers
  •  Operational Disruption
  • Systems taken offline during the investigation
  • Staff diverted from normal operations
  • Implementation of urgent security upgrades
  •  Client Harm
  • Identity theft
  • Financial fraud
  • Emotional distress and loss of confidence
  •  Internal Consequences
  • Accountability questions for leadership
  • Potential recruitments or restructuring
  • Pressure to overhaul cybersecurity policies
  •  Long-Term Strategic Impact
  • Shift from growth to damage control
  • Mandatory compliance upgrades
  • Board-level scrutiny of risk management

Key Underlying Failures

The breach wasn’t just bad luck; it stemmed from:

  • Lack of multi-factor authentication
  • Overly broad access permissions
  • No monitoring or alerting for unusual activity
  • Limited employee phishing awareness training

Summary Note

What makes this scenario particularly dangerous is that the company didn’t discover the breach itself; the client did. That delay significantly worsened the damage, turning what might have been a contained incident into a full-scale crisis.

How can this be prevented?

I have already said that there is no such thing as 100% security, and if anyone tells you otherwise, you need to take a long, hard look at them and recognise BS when you see it.  What we are trying to do is reduce your risk to a level you find acceptable for your business.  What we call the risk appetite.  That appetite will differ between businesses depending upon what they do and what can damage them, rather than the business next door.

Most Data Loss Prevention (DLP) systems are designed for the corporate market, are expensive and have a considerable admin and maintenance overhead.  All the things that SMEs simply can’t afford and don’t have the staff to run.  We took a good look at this and did a lot of research on the market.  We came up with a solution that works in terms of cost and overhead.  It allows us to offer a managed service at a price and service level that SMEs are comfortable with.

One of the things that we come up against pretty much every time we get into discussions with a prospective client is that they aren’t quite sure what data they are holding, and where it’s stored.  Now this seems strange.  You will no doubt argue that you are very clear about what you hold and where it is.  Well, maybe, but during the 14-day free trial we offer, I am pretty sure that we will discover things that will surprise you.

How are we different?

What we are offering is a unique, comprehensive, and autonomous data security platform that can transform how organisations secure their sensitive data. Unlike legacy DLP systems that are based on an event-driven approach and require extensive ongoing rules management built for LAN perimeters, our system is different. It is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in a world of no security perimeters, providing full coverage no matter where your staff are operating from, the office, home or on the move.   Moreover, our set-and-forget method requires little to no maintenance and can be up and running, securing data, in less than 3 working days.

Key principles

Perimeter-less world with hybrid cloud and on-prem usage

The local area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premise repositories (File Server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like Slack or WhatsApp), and 3rd party portals.  We provide an answer to this new data landscape with our cross-platform discovery functionality, coupled with the data flow monitoring capabilities.

Remediate Data Risk rather than handle files

We provide a detailed breakdown of the data risk and leverage the data risk for data

flow monitoring, auditing and remediation. This approach greatly simplifies the process.

Pre-emptive vs Reactive

Most DLP solutions try to prevent a data leakage event by blocking the exfiltration of the file. This approach has a couple of shortcomings:

  • It does not help with an external threat, like ransomware stealing data.
  • It requires an initial extensive effort of setting up all the blocking rules with ongoing maintenance.

Our pre-emptive approach provides an answer for both shortcomings by encrypting files automatically.

How does it work?

It is a cloud-based management platform coupled with a lean agent for workstations

(both Windows and Mac), File Servers, NAS and Terminal Servers, and a sidecar Docker

instance for cloud-based file shares (. i.e., OneDrive).

Step 1: Data Risk Discovery and Quantification

Based on predefined privacy regulations and Personal Identifiable Data (PII) definitions, the system immediately starts scanning for sensitive data using smart patterns. It then quantifies data risk per PIl type in financial terms.

Step 2: Data Risk Monitoring and Auditing

Tracks and audits data risk in real-time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organisation.

Step 3: Data Risk Remediation by Encryption

Its patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption, takes as little as 72 hours.

The system not only pre-emptively encrypts sensitive private data in files, but it also transitions the data to a safe harbour, per all privacy regulations requirements. The solution helps organisations comply with all statutory data privacy regulations.

So, what does it do for you?

  • Sensitive File Discovery.  SMEs frequently have an incomplete picture of where sensitive data is dispersed and who has access to it. The system locates and maps sensitive data across all your systems, devices, and the cloud.
  • Data Risk Quantification

Actifile calculates the data risk for every PIl type by applying an algorithm that multiplies every PII record by its potential total damage, then aggregates that across all the files and PIl records of the organisation. The aggregation is across file types, file locations, and different silos to provide a complete data risk quantification. The quantification is always up to date, in real time.

  • Real-Time Data Flow Monitoring

The system works silently in the background, monitoring real-time data flow across your entire IT ecosystem through user activities at the endpoints. This real-time monitoring shows how much data is being exfiltrated outside the organisation or imported into it. The monitoring capability does not require any type of integration to the sending or receiving application or website.

Full Audit and Indelible Log

We automatically log all data-related events, including data ingress and egress and the creation of sensitive data. You can instantly audit back to specific dates, times, and locations. The log is never deleted, covering you in the event of a breach. You also have the option to generate alerts on specific events and to integrate the alerts to 3rd party systems, such as SOC or SIEM.

  • 3rd Party Integration and Reporting

3rd party event integration: Everything that we capture can be seamlessly integrated

into a third-party security central system (SOC or SIEM). Users can capture and correlate all events that happen within the organisation.

Online and offline reporting: Conveniently export system reports and analyses in PDF format and white label them as required.

Risk Remediation by Encryption

Automatic encryption is a fast and convenient remediation process that secures sensitive data across your entire IT ecosystem, including remote devices and the cloud.  Even if data is stolen or misplaced, the AES 256 encryption mechanism prohibits bad actors from opening or using the file.  Invisible decryption allows employees to automatically use encrypted files with no latency and without the need for a password. Your employees can work without disruption, but sensitive data remains useless to any hostile actor. Automatic decryption by channel enables users to automatically decrypt any encrypted file when it’s attached to an application. The system easily meets the demands of modern high-tech working environments. Delayed encryption gives you the flexibility to balance security with the demands of daily workflows. You can create a pragmatic, tailored approach to the management of sensitive data.

In a nutshell, this service is designed to protect your data from being stolen or inadvertently leaked by employee action.  It is a layer below intrusion detection and prevention, stopping the scenario outlined above, where a cybercriminal had infiltrated the system and was exfiltrating data without the knowledge of the organisation.  If they had been using this system, their data would have been encrypted and useless to the attacker.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Working Practices

Watch, Detect, Protect:  Detecting Cyber Attacks Before They Start

Imagine a small business owner who runs a 25-person company providing financial services to firms and individuals. He knows cyber threats are “a thing,” and in fact, one of his customers required basic security controls before signing a contract. And so, he took advice from his network provider, a local IT reseller, and he purchased a bundle: antivirus software, a firewall appliance, and a cloud backup service.

From his perspective, everything seems covered:

  • The antivirus dashboard shows green checkmarks.
  • The firewall has flashing lights and a web interface that he never logs into.
  • The backup system sends a weekly email saying, “Backup completed successfully.”

But here’s the reality:

He has no meaningful way to tell if any of this is actually protecting him.

A few subtle issues are happening behind the scenes:

  • The antivirus hasn’t detected anything, not because threats aren’t present, but because it’s misconfigured and only running quick scans.
  • The firewall rules were set up once by the reseller and never reviewed; several unnecessary ports are still open.
  • Backups are completing, but no one has ever tested restoring them, so they may be incomplete or unusable.
  • Staff occasionally click phishing emails, but those incidents go unnoticed because there’s no monitoring or reporting in place.
  • He doesn’t have a clear idea of what data he is holding and what that data may reasonably be classified as, i.e. highly sensitive or sensitive, or not sensitive at all.  Neither does he really have an idea who has access to what, either at a user level or worse, at an administrator level.

One day, an employee unknowingly installs malware from a phishing link. The attacker gains access to the company’s systems and quietly exfiltrates sensitive client data over several weeks.

Throughout this entire period:

  • No alerts reach any level of management in a way they understand.
  • No KPI or metric tells them, “You are under attack”, or even “your defences are being exercised.”
  • The tools continue to report “all good” because they are measuring activity (i.e., scans completed), not effectiveness (i.e., attacks prevented).
  • He assumes that “no news is good news.” In reality, he’s operating in a visibility gap:
  • He doesn’t know what “normal” vs “suspicious” looks like.
  • He has no baseline metrics (i.e., number of blocked threats, phishing simulations, patch status).
  • He lacks independent validation (like audits, vulnerability assessments, or even simple security reports translated into business terms).

So, when a client later informs him of a data breach traced back to his company, it’s a complete shock. From his perspective, he did everything right; he bought the tools. But he never had a way to measure whether those tools were correctly configured, actively working, or aligned to real threats.

This is a common SME problem: security is treated as a one-time purchase rather than an ongoing, measurable process. Without clear, understandable metrics or external validation, the owner is essentially flying blind, relying on reassuring dashboards instead of actual evidence of protection.

The question then becomes what can an SME do to protect itself from these issues.  The first problem is to recognise that they don’t have any in-house resource that can deal with these problems, and neither can they afford such a resource. At best, their IT systems are overseen by someone who has another primary function and hasn’t got much time to deal with IT issues, has no technical background, much less a cybersecurity background, and whose responsibility lies with liaising with their network provider. 

Now, let’s deal with the network provider that supplied the security tools.  These companies work to Ts&Cs that will concisely lay down what services they provide under any network maintenance contract.  Such contracts may include administration of the network, adding and taking away access rights, or they may just refer to routine maintenance and troubleshooting.  Whatever it is, an SME must have a clear understanding of what those Ts&Cs say.  You may be under the impression that they are covering things that they simply aren’t.  This is often the case with cybersecurity.  This is because they themselves don’t have a handle on how cybersecurity hangs together. They concentrate on supplying products such as firewalls and AV, and on how to install and configure such products.  They may also handle AV updates, and in that case, you need to be very clear about how they do that and how they assure you that it is done.

Be clear, I’m not denigrating these companies or the services they supply, simply pointing out that they work to strict service levels as laid down in the contract and will often not step outside of these.

To sum up, we are now at the point where we recognise that SMEs in general do not have a handle on how effective their security actually is, on where their sensitive data sits and how it’s accessed and handled.  They don’t have anyone on staff who has an understanding of cybersecurity, and there is a good chance that their network contract doesn’t include any sort of security monitoring and alerting.  The question now becomes, is there anything they can do about it?

Until quite recently, what we called protective monitoring, which is now more formally called Managed Detection and Response, along with Data Loss Prevention Systems, were very much out of reach of an SME on financial terms, and as such the majority of SMEs didn’t just not invest in them, they never really knew about them because the corporate level providers, never pitched to them because they knew they couldn’t afford it.

There are now systems on the market, AI-driven, that have managed to hit a price point that an SME can afford.  These systems may not be as comprehensive as you might find in a large company or central government department, but they do match the requirements for most SMEs.  You don’t need to understand AI; it’s built into the system and operates seamlessly.  What it does is to allow one operator to manage multiple clients at the same time, because the AI does the heavy lifting.  In this way, not only is the system itself affordable, but the managed service it supports also becomes affordable.

To maximise its cost effectiveness, it has additional capabilities such as vulnerability assessment, phishing simulations and cyber awareness training programmes, making it more attractive.  The whole package needs to emulate enterprise-grade protection without the cost and complexity of a full-blown Security Operations Centre (SOC).  Delivering it as a service reduces cost by cutting out the need for an in-house team.

In a nutshell, an SME would want this system because it delivers near enterprise-level cybersecurity protection, reduces business risk, improves compliance, and protects revenue without needing an internal cybersecurity department.  It provides peace of mind; you don’t have to worry about this, let someone else take the strain, while you focus on your business.

To help explain this easily, I have produced a very short video which you can find on the Features Section on my LinkedIn profile.   But if you don’t want to view that, what follows is an introduction to what the service offers.

  • Continuous monitoring of endpoints, servers, and some cloud environments
  • Rapid detection of ransomware, malware, insider threats, and advanced attacks
  • Expert-led response
  • Phishing simulations
  • Cyber awareness training programme
  • Dark web monitoring
  • Auditing your data, identifying what is sensitive and what isn’t; providing file-level encryption and tracking data movements around your network and where it goes when sending it to outside agencies.

In short, it provides the business benefit of reduced risk of downtime, data loss, and reputational damage.

This service comes with vulnerability assessment built into it.  Such assessments are available elsewhere as both software and a service, but they would not be integrated into an overall protection, would come at additional cost, and would need to have a level of expertise to interpret the results.

Vulnerability assessments:

  • Identify outdated software, misconfigurations, and exposed services
  • Prioritise risks based on severity
  • Provide remediation guidance

Most breaches happen because of known, unpatched vulnerabilities. Regular scanning helps prevent attacks before they happen. It is a proactive risk reduction instead of reactive damage control.

The system also offers built-in protection against human error (Phishing Simulation).

Over 80–90% of cyber breaches start with phishing. A phishing simulation programme:

  • Test employee awareness safely
  • Identifies high-risk users
  • Reinforces learning through practical scenarios

It helps reduce successful phishing attacks and reduces the likelihood of credential compromise or ransomware infection.  Such simulations are an integral part of cyber awareness training.

The system also assists in building a security culture (CBEE Awareness Training Programme).  A structured awareness programme:

  • Trains staff on cyber hygiene and data protection
  • Covers password security, social engineering, safe browsing, and more.
  • Assists compliance with regulations (GDPR, ISO 27001, Cyber Essentials, etc.)

Cybersecurity isn’t just technology, it’s behaviour. Training reduces internal risk significantly and turns employees from a security liability into a security asset.

A managed system such as this can also help with compliance & insurance requirements.  Many SMEs now face:

  • Regulatory obligations
  • Supply chain security requirements
  • Cyber insurance conditions

Having a managed service, vulnerability management, and training demonstrates due diligence and can reduce insurance premiums or improve insurability.

These last 2 points are very important to an SME:  Cost Predictability & Simplicity.  As a managed service, everything is:

  • Subscription-based
  • Centralised under one provider
  • Fully supported by trained personnel

No need to buy multiple tools, manage updates, or maintain in-house expertise.

In business terms, you are getting executive-level risk reduction with a simple value:

  • Reduced likelihood of business interruption
  • Reduced financial exposure
  • Protection of brand and customer trust
  • Clear reporting and measurable risk reduction

All through this article, I’ve talked about cost-effectiveness.  So, what does this service cost?  I’ll add the BBC caveat – other systems are available!!  We charge £15 per seat per month for the technical system and £15 per seat per month for the data leakage protection system. Discounts are available for clients who take both systems, and you get a lot for your money.  It’s a 30-day rolling contract, no long-term lock-in, simply 30 days’ notice to quit.  We also offer a totally free 14-day trial that is fully functional, so you can see the outputs from your own system, rather than look at demos with dummy data.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

What is Security Architecture, and what does it mean for SMEs?

Security architecture is the structured design of systems, policies, technologies, and processes used to protect an organisation’s IT systems, networks, and data from cyber threats.  Easy to say, not quite so easy to do.

When working on a major IT infrastructure deal, the security architect would be brought in, or at least should be brought in, very early on, usually after the first logical design has been done.  What that means is that a logical design is basically a bunch of boxes on paper that represent systems with connection arrows in between, identifying data flows.  OK, I’m being a bit simplistic, but you get the idea.  Once that’s done, the security architect has something to work with to start putting in security layers.  As the design evolves, so does the security architecture.

So now let’s look at the real world.  Most SMEs are way past this phase, with their systems having grown organically as the company grows.  SME management is focused on how well the systems work for them, whether they meet the need, can the staff operate the systems efficiently, are the systems robust, etc.  Security then tends to get bolted on, often using software and/or hardware that the company’s contracted IT provider recommends, which in turn is whatever software and/or hardware that the contractor sells.

Many SMEs had set up their system before COVID, and they were often set up using what we called the Bastion security model.  That was named after the old castle design, a big wall around it with a moat and a portcullis to protect it, or in modern terms, a protected network, accessed via secure firewalling, with some sort of access control and other protections such as anti-malware.  A good model had network segregation, but I’m afraid my experience is that network segregation was often lacking.  Just to be clear, what segregation means in this instance is a breaking up of functions within the company, i.e., finance, HR, operations, management, etc., with relevant access controls of some sort.  And of course, all this on premises.

In many cases, COVID drove a coach and horses through that model.  First, it stopped people from going into the office, and owners/managers had to quickly come up with a way of working remotely through some form of remote access.  Many at that point weren’t using cloud-based systems, and in fact, there was still some reluctance to embrace cloud tech because owners didn’t trust storing their data with what they saw as being out of their control.  It took some persuasion and education to bring many of these owners/managers around.  These days, of course, cloud storage and remote access are largely the norm, but there is still the question of exactly how secure existing systems are, having often been put together rapidly and from a position of necessity rather than choice.

A realistic cybersecurity architecture for an SME should balance security, manageability, and cost. Most SMEs are now operating in a cloud-based environment, so the architecture typically centres on identity security, endpoint protection, and cloud controls rather than heavy on-prem infrastructure.  But let’s not forget monitoring and auditing, and, depending upon your business, data encryption.

Identity Layer (Core Security Control)

Identity management is core to a secure system.  It is vital to ensure that only the right people have access to the right systems.  SMEs need to consider some form of identity management, but they might feel this is expensive and unnecessary for them.  Owners and managers need to decide their own risk appetite, i.e., what they see as an acceptable, as well as what they see as an unacceptable, risk.  But it doesn’t have to be expensive.  Many SMEs will be using MS365, for example, and will be able to get a reasonable deal on Microsoft Entra ID, formerly known as Azure AD.  I know many of my colleagues in the security world will argue that Azure had its issues in the past, but it is better now.

It will help you implement controls such as:

  • Mandatory Multi-Factor Authentication
  • Conditional access policies
  • Single Sign-On (SSO)
  • Privileged identity management
  • Automated user provisioning/deprovisioning

Endpoint Security Layer

Endpoints are the primary attack surface. This typically includes:

  • Endpoint detection and response (EDR)
  • Device management
  • Encryption

Controls it should cover include:

  • Automated patching
  • Encryption:
  • Full disk encryption comes built into Windows with BitLocker and Mac with File Vault, but it has drawbacks in that it encrypts your disk at rest, protecting your data from a stolen device, but it is unencrypted on boot up, so it isn’t much protection against an intrusion or a mistake made by an employee.
    • File-level encryption works by encrypting files that you have deemed to be sensitive and need protection.  It encrypts the files using an agent-based system and unencrypts the files when shared or accessed by someone who also has the agent and therefore the permission.  Sounds complicated, but it really isn’t, and it can be shown to you very easily.
  • Application control
  • USB restrictions
  • Remote wipe

Email and Collaboration Security

Email is still the No 1 entry point for attacks, and using cloud-based software such as MS365 or even Google Workspace, both affordable for an SME, has security features that are highly desirable if not essential.

  • Anti-phishing protection
  • Attachment sandboxing
  • URL scanning
  • DMARC, SPF, DKIM email authentication – these all refer to entries in your DNS (your network provider should be able to brief you), which help ensure email isn’t being spoofed and is coming from a trusted source.

 Network Security Layer

Even cloud-heavy SMEs still need basic network protection.

Key components:

  • Next-generation firewall
  • VPN or Zero Trust remote access
  • Network segmentation
  • DNS filtering

Good firewall segmentation would include:

  • Company devices
  • Guest WiFi
  • Servers
  • IoT devices

Cloud Security

SMEs often rely heavily on Software as a Service (SaaS) and cloud infrastructure.  Again, this needs some controls, which could include:

  • Secure configuration monitoring
  • Data leakage prevention
  • Access monitoring

Key policies may include:

  • No public file sharing by default
  • Alert on impossible travel logins
  • Monitor privileged activity

Data Protection Layer

Protect sensitive data even if systems are compromised.  Controls might include:

  • Data classification
  • Data leakage prevention
  • Full disk and file-level encryption

Policies might include:

  • Prevent the sharing of sensitive records externally
  • Block download of sensitive files on unmanaged devices
  • Monitoring where your data is and how it transits the network, alerting to movements of data outside of the norm.

 Backup and Recovery

This is critical for recovering from ransomware and other data compromises, as well as technical faults.

Best practice:

  • Immutable backups
  • Offline copies
  • Regular restore testing

Don’t forget cloud backups; that’s something that is often forgotten.  Check your Ts&Cs with your provider, don’t just assume they are backing up as you would require.

Security Monitoring

You need visibility into attacks, and security monitoring is something that many SMEs simply don’t consider, possibly because in the past, it was considered very expensive and over the top.  That is no longer the case.  There are systems now available specifically for SMEs.

Typical SME approach:

  • Centralised log collection
  • Security alerts
  • Managed detection and response

Many SMEs outsource this to an MDR provider like H2.  I know you would expect me to say this, but it really is recommended.

Security Awareness and Policies

Technology alone cannot protect the organisation.  Cyber awareness training is a subject that I bang on about all the time.  It really should be a no-brainer and is arguably the cheapest quick win an SME can make.

What you need as a minimum is:

  • Security training platform
  • Phishing simulation
  • Acceptable use policy
  • Incident reporting channel

Strangely enough, we provide all of these within our managed service.

Incident Response and Business Continuity

I have blogged about this in the past.  You need to be prepared for security incidents.  This means not just having a plan to bring your systems back online and to restore your data from backups, but also having a business continuity plan to enable you to continue your business whilst the technical work is being undertaken. Test these systems and plans and make sure they work.

Key elements include

:

  • Incident response playbooks
  • Legal and breach notification procedures
  • Disaster recovery and business continuity plans
  • Security metrics dashboard

Standards

Consider adhering to a standard such as Cyber Essentials, the Government standard, which has been taken into use by many SMEs.

Summary

Security architecture is the structured design of policies, technologies, and controls used to protect an organisation’s systems, networks, and data from threats.

It acts as a blueprint for implementing security to ensure Confidentiality, Integrity, and Availability (CIA Triad) of information.  It really is something SMEs should consider and need to take advice about.  Do not rely on your network provider, they will focus on the core services they provide and the products they have deals to supply.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Supply Chain Security

WHY SMEs NEED a CYBER SECURITY STRATEGY: PROTECTING GROWTH and REPUTATION

For small and medium-sized enterprises (SMEs), cyber risk management is the business process of identifying and addressing digital threats to protect operations, revenue, and reputation. Rather than just a technical IT task, it is a strategic function focused on ensuring business continuity and managing potential financial losses. 

For many SMEs, one of the most effective ways to secure a business is to follow the UK government’s National Cyber Security Centre (NCSC) recommendations. These five steps are designed to be cost-effective and provide protection against the majority of common cyber-attacks. 

  • Secure your data with back-ups.
  • Protect with strong authentication (MFA).
  • Keep devices and software up to date.
  • Guard against malware.
  • Train staff on cyber awareness, phishing in particular.

However, no two businesses are the same.  They will all have certain threats and vulnerabilities in common, and adherence to the NCSC guidelines will set you on the right path, as will schemes such as Cyber Essentials, and many of you will either have gone down that route or will be actively discussing it internally.  But there will still be differences, perhaps only nuances, that can drive a hole through your defences, and that is why you need a risk management strategy to ensure you have built robust defences.

Establish clear security responsibility

Key elements:

  • Appoint a security owner (even part-time or Fractional
  • Make sure you have an overarching security policy under which you have more detailed and targeted policies.
  • Institute regular security reviews

The second point is one that is often downplayed or overlooked altogether by SMEs.  Many of the protections that you may need will be procedural rather than technical.  They will require robust policies and processes that are enforced and audited.

The Business Case for Cyber Risk Management

Cyber incidents are not just “IT glitches”; they are economic events that directly impact the bottom line. 

  • Revenue Protection: Downtime can freeze sales, stop production, and prevent invoicing, leading to immediate cash flow gaps.
  • Liability & Compliance: Breaches of sensitive data (like customer or staff records) can trigger legal fees, regulatory fines (e.g., under UK GDPR), and mandatory reporting costs.
  • Market Advantage: Demonstrating robust security, such as achieving Cyber Essentials accreditation, is often a prerequisite for winning major contracts and building customer trust.
  • Survival: Reports indicate that 60% of small companies go out of business within six months of a major cyberattack due to recovery costs and reputational damage. 

Core Strategic Pillars

Effective management focuses on Outcomes, not just tools.

  • Identity Control: Ensuring only the right people have access to specific business data. Multi-Factor Authentication (MFA) is a non-negotiable standard to prevent unauthorised access.
  • Data Integrity: Maintaining secure, encrypted, and regularly tested backups so the business can “rewind” to a stable state if files are locked by ransomware.
  • Operational Resilience: Building a plan to stay trading even during an incident. This includes defined roles for who contacts IT, legal, regulators and customers when a breach occurs. 

Risk Treatment Options

Not all risks can be fixed; business owners must decide how to handle each one based on their risk appetite

  • Mitigation: Investing in security controls (people (awareness training), process and technology) to lower the likelihood of an attack.
  • Transfer: Using Cyber Insurance to shift the financial burden of recovery, legal fees, and business interruption to an insurer.
  • Acceptance: Acknowledging low-impact risks where the cost of fixing them outweighs the potential loss.
  • Avoidance: Choosing to stop a high-risk activity altogether, such as retiring an old, insecure software system. 

Human Capital as a Defence

Since over 80% of breaches involve human error (such as clicking phishing links), staff training is the most cost-effective “firewall” an SME can implement. Regular, simple awareness sessions turn employees into a proactive detection layer. 

What does a practical strategy look like for an SME

Start with Risk Assessment

Before buying tools or even setting a budget, understand what you must protect.

Key actions:

  • Identify critical assets (customer data, financial systems, IP).
  • Identify main threats (phishing, ransomware, credential theft).
  • Map who has access to what.
  • Prioritise highest-impact risks.

Typical SME top risks:

  • Phishing attacks
  • Ransomware
  • Weak passwords
  • Unpatched systems
  • Cloud misconfiguration

Successful phishing attacks, ransomware, and weak passwords nearly all stem from poor cyber awareness by staff.  Knights of Old, a transport company employing over 700 people, went under within two weeks following a ransomware attack that was the result of a poor password being cracked, allowing the criminals to install the relevant code.

Other important measures

  • Implement Strong Identity & Access Controls
  • Secure Endpoints and Devices
  • Protect Email and Users
  • Backup and Ransomware Protection
  • Network Security
  • Incident Response Plan
  • Third-Party Risk Management

In short, what we call a ‘Lean” Security Stack might include:

  • MFA + identity management
  • Email security filtering
  • EDR on endpoints
  • Automated patching
  • Secure backups
  • Firewall
  • Security awareness training
  • Encryption

This covers 80–90% of real attacks. The last piece of advice to those wanting to do this properly is not to try to do it all yourself.  You are not experts in this field any more than I am an expert in yours.  Working together with a cybersecurity professional, you can identify what, out of everything that is written above, is really going to give you the protection you need in your particular field, and what might be a nice-to-have, rather than an essential.  You can then prioritise the fixes by both importance and cost, maybe implementing fixes over several budgetary periods

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

Data Leakage Explained for SMEs

Stopping data leaks from your organisation is an important part of data protection; it is a subset, if you like, of that ever-evolving subject.  The rules are evolving here in the UK, with new legislation coming online, and there is a wide requirement that starts with a good mindset and sound rules and processes to guard your most sensitive data.  We refer to data leakage when talking about a service we provide to SMEs, which we don’t like to frame as data protection because it is, as I said, a subset of the requirements.  However, it is an important subset that lies at the sharp end of the whole thing.

First of all, let’s clarify what Data Loss Prevention (DLP) is.  It is a cybersecurity strategy that identifies, monitors, and prevents sensitive information from being accessed, shared, or transmitted without authorisation, whether accidentally or maliciously, across endpoints, networks, cloud services, and email systems.  In short, DLP stops sensitive data from leaving where it shouldn’t.

Sounds great until you investigate such systems, which can be extremely effective if you are a large corporate organisation.  That’s because these systems can be very expensive, difficult to set up and come with a heavy admin burden.  It’s not terribly surprising that SMEs don’t know much about these systems because the organisations that market them simply don’t target SMEs. After all, SMEs, in general, can’t afford them.

A data leak, however, can be one of the most damaging incidents an SME can face. Unlike large enterprises, SMEs often have fewer financial reserves, less technical expertise, and limited crisis-management capacity, making the impact proportionally greater.

Threats to an SME from Data Leakage

Taking a quick glance through the threats to an SME business from a data leak:

Financial Loss

  • Legal costs from customer or partner lawsuits.
  • Compensation payments to affected individuals.
  • Incident response and forensic investigation costs.
  • Business interruption losses during system shutdowns.
  • Regulatory fines (e.g., under data protection laws such as GDPR).

For SMEs, even moderate fines can significantly impact cash flow or survival.

Reputational Damage

  • Loss of customer trust.
  • Negative media exposure.
  • Damage to brand credibility.
  • Loss of competitive advantage.

SMEs often rely heavily on local reputation or niche trust; once damaged, recovery can be slow and costly.

Loss of Customers and Contracts

  • Clients may terminate contracts.
  • Prospective customers may choose competitors.
  • Larger partners may require stronger security compliance before continuing relationships.

Operational Disruption

  • Systems may need to be taken offline.
  • Data recovery efforts consume time and resources.
  • Staff productivity drops during investigation and remediation.

Theft of Intellectual Property

  • Loss of trade secrets.
  • Exposure of proprietary processes.
  • Competitors gaining access to confidential pricing or strategy information.

Increased Cyber Targeting

Once breached, a company may:

  • Be seen as an “easy target.”
  • Experience follow-up phishing or ransomware attacks.
  • Appear on dark web data marketplaces.

What are the Requirements of a Data Leakage Protection Solution?

In a nutshell, a solution that would fit an SME should be proportionate, cost-effective, scalable, and manageable without a large in-house security team.

Such a system needs to:

  • Identify sensitive data (customer data, financial records, IP).
  • Classify data based on sensitivity.
  • Map where data is stored and who has access.

It needs role-based access control (RBACS) using a least privileged principle, with multi-factor authentication and strong password policies.  It needs encryption at rest, preferable file level encryption, and use TLS for encryption in transit with secure key management. Such a system needs to be set up with monitoring, logging, alerting for suspicious activity and periodic audits.  It needs backup and recovery.  

For SMEs specifically, the solution should be:

  • Affordable and scalable
    • Cloud-friendly
    • Easy to manage
    • Automated where possible
    • Supported by managed security providers (if no internal team exists)

How Do SMEs View Such Systems

All too often, we come up against the attitude that such a loss is very rare amongst SMEs, and the threat doesn’t justify the expenditure.  That is often because this is a very under-reported issue, and those that are reported are just the tip of the iceberg.

What Is the Source of the “Tip of the Iceberg” Claim?

The idea comes from multiple types of evidence:

Incident Response & Forensics Data

Cybersecurity firms (e.g., Mandiant, CrowdStrike) publish threat intelligence showing:

  • Many breaches are only discovered during unrelated audits.
  • Cyber criminals often maintain access for long periods.

 Academic Research

Studies in cybersecurity economics suggest breach reporting underestimates actual intrusion frequency due to:

  • Asymmetric information.
  • Underreporting incentives.
  • Detection bias.

Threat Intelligence Monitoring

Security vendors monitoring criminal forums consistently find large datasets being traded that were never publicly linked to a disclosed breach.

Bottom Line

The consensus among cybersecurity professionals, regulators, and researchers is that publicly reported data breaches represent only a fraction of actual incidents.

The conclusion is based on:

  • Detection lag data.
  • Forensic investigations.
  • Legal reporting thresholds.
  • Dark web intelligence.
  • Academic economic modelling.

How Can an SME Protect Itself?

Having waded your way through the reasons why SMEs don’t see much data on this subject and therefore don’t see the threat, I’m going to reward you with the pitch.  Yes, H2 does have a managed solution that is designed, priced and operated specifically for SMEs.  It’s a solution that isn’t as comprehensive as a full enterprise-grade DLP solution, but it does do the job for an SME.

The key advantages for a small or medium-sized enterprise (SME) of using our service in practical, business-focused terms are: 

Automates Data Discovery and Protection

The service automatically finds, classifies, and assesses sensitive data (such as customer information, IP, and financial records) across endpoints, servers, cloud applications, and remote devices without manual scanning. This saves SMEs considerable time and decreases dependence on specialised security personnel. 

Proactive Risk Reduction

Rather than just alerting after an incident, the service can automatically encrypt or block sensitive data based on risk level, minimising exposure before a breach happens. This helps avoid data leaks and insider mishandling. 

Real-Time Monitoring and Alerts

The platform continuously tracks data movement and access, sending notifications for unusual activity. This keeps SMEs aware of potential threats or policy violations, even without a full-time security team. 

Simplifies Compliance

The service helps businesses meet data privacy rules like GDPR, PCI, and others by providing reports, audit trails, and documented controls, making audits and regulatory compliance far easier. 

Low Maintenance and Fast Deployment

Designed to be lightweight and “set-and-forget”, it can be deployed quickly with little disruption and minimal ongoing management, which is ideal for SMEs that don’t have large IT/security teams. 

Cost-Efficient Risk Management

By automating complex security workflows and reducing reliance on manual processes or legacy tools, SMEs can keep security budgets lean while still achieving strong protection. 

Centralised Visibility

It comes with a dashboard where you can see where sensitive data resides, who accessed it and what its risk level is, providing clear, actionable insights rather than fragmented logs across multiple systems. 

Supports Remote & Hybrid Work

Because it works across cloud, endpoint, and server environments, the service helps secure data no matter where employees work or where the data lives, particularly useful as more SMEs adopt remote/hybrid models. 

Reduces Human Error

With automatic classification and encryption, the service helps guard against accidental disclosure, which is a common risk in smaller organisations without dedicated security training. 

In summary, for an SME, the service can deliver data leakage protection, risk reduction and compliance support without the heavy cost or complexity typically associated with traditional data loss prevention (DLP) or manual security practices. 

Cost is something that is guaranteed to concentrate the mind of the SME owner.  This service is priced specifically for SMEs at £15 per user per month.  There is no contractual lock-in, and a client can quit with 30 days’ notice.  We also offer a 14-day trial to allow a client to see the benefits of the system using their own data, rather than a demo with dummy data.  We’d be delighted to discuss this with you further.

Scroll to top