Author: Kevin Hawkins

Cyber Awareness Training General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Supply Chain Security

What are the questions business owners ask when considering cyber security?

Another good question, or perhaps it should be, do they ask any questions, other than cost, about cyber security, or do they leave everything up to their IT support, whether contracted or in house?

What is the cost of ignoring cyber security?

Perhaps this is the first question that they should be asking.  The financial hit of a data breach can be crippling, especially for the smaller businesses who are perhaps running on tight margins and for whom cash flow is often critical.  The average clean up for a smallish business is about £27K. this relates to system restoration, hardware replacement, and the implementation of enhanced security measures. and doesn’t include financial loss from the actual data stolen, or whatever scam was perpetrated, and any fall out from compliance failures, such as fines from the ICO.  And at least a third of organisations admit to losing customers post a data breach, highlighting reputational damage and a loss of customer trust.

So, what should owners, managers and board members be asking?

I think many get bogged down in the technicalities of IT and don’t consider it in business terms.  They don’t think about the business impact of cyber security, about what it is they’re trying to protect.  It’s not your IT systems, it’s your data that is the crown jewels.  IT systems can be replaced but once the data is stolen, then you are in very real trouble.

Risk Management

First and foremost, the board members need to ask themselves if they have a good handle on their cyber risk.  Have they identified their cyber assets?  What is a cyber asset? Cyber assets are not just hardware and software, in fact those are often the least of your worries.  It’s the data, where it is and how it’s protected that is important.  Have you assessed the risk to those assets?  Have you assessed the training requirements for your staff, not just the techies but all staff?  Think People, Process and then Technology.

Once you have done this, then you can consider what controls need to be put in place to reduce the risk to an acceptable level.

Below is some of the controls you will need to consider.  This list is not exhaustive

1.        User Access Control (Admin access is a whole other discussion)

This isn’t just about passwords.  Yes, they remain important but on their own, they are no longer sufficient.   Nonetheless weak passwords, password re-use and password sharing remain one of the leading root causes of a data breach.  123456 and, believe it or not, password, remains the most used passwords across the world! 

It is imperative that you have a strong password policy, dictating not just the length of the password, but also its construction, ensuring that there is a good mix of upper and lower case characters, numbers and symbols, that together make things very difficult for password crackers.

On their own though passwords remain a potential weak spot.  Multi factor authentication (MFA), sometimes referred to as 2FA, provides that extra layer of defence and can help to protect against brute-force attacks, phishing scams, key-logging and social engineering.  MFA can be simply implemented on most email platforms and within various apps you are using.  For those of you trying for Cyber Essentials or ISO 27K series, MFA is mandatory, so make sure it’s put in place.  

2.        Are you backing up your files? 

This seems an obvious thing to do but you’d be surprised how often when trying to restore from a backup, it fails.  This is often because the backup routine was set up back in the mists of time and has never been reviewed and even more dangerous, it’s never been tested to see if it works.  Set up your backup regime, have it reviewed regularly and tested regularly to make sure it works.  If you are backing up online, keep in mind that if a cyber-criminal gets access to your systems to, for example, carry out a ransomware attack, then they can probably get at your back up as well.  So, belt and braces, consider having an offline backup as well as an online backup.  The latter is more convenient but can be corrupted.

3.        Do you train your staff in cyber awareness? 

My favourite subject – cyber awareness training.  Your first line of defence is your staff, but if not trained adequately, they can be your greatest vulnerability.  It’s known in the trade as the insider threat but it is caused mainly by human error, staff members doing something they shouldn’t, not maliciously but simply because they didn’t know they shouldn’t.  It actually accounts for 88% of data breaches. Providing your people with training on the threats, current scams and basic cyber awareness reduces the chance of a cyber-attack. This really is the easiest and cheapest quick win any organisation can take in reducing their risk exposure.

4.        Do your employees regularly travel or work remotely? 

This brings us neatly to what Microsoft coined as the New Normal.  Essentially this means remote working shared with in office working, known as the hybrid working model, or for some, moving to a totally remote working system.  Totally remote is not as common as hybrid working but is becoming more normal with certain size businesses in certain commercial verticals.  It’ll never work for everyone, but for those who have embraced it, it saves a considerable amount of expense.  It does however require us to rethink our cyber strategy.

Work-from-home employees are at much greater risk than those in offices. Since home connections are less secure, cybercriminals have an easier entry into the company network.  Furthermore, the explosion of various online tools, solutions, and services for collaboration and productivity tend to have the bare minimum of security default setting, and updates from third-party vendors can change security preferences and be easily overlooked.

Phishing becomes an even greater threat to home workers, often because, in an office environment, they have access to colleagues and managers, who they can approach for advice and guidance.  This is much harder to replicate with remote workers, especially those who may not be particularly tech savvy and who may not wish to become ‘burdensome’ to their co-workers.

Ransomware also enjoys an advantage in the work-from-home model.  If their connection to the company is blocked, it is more difficult for workers to get assistance from the right experts and authorities.  And since trust levels are lower when working from home, some workers will be concerned that they have “done something wrong” and so may be more reluctant to seek help. While this risk can be addressed by increased training, as well as messaging that vigilance and involving IT support will be rewarded, it can still be an uphill battle.

We need to break out of the old ‘bastion’ security model of a network protected by firewalls and other technologies and think about solutions that are designed to protect your assets regardless of where your employees work from.  They exist and aren’t hard to find.

Data tends to proliferate, especially when working remotely.  Cyber awareness training helps here, but it also helps for management to have a handle on data storage.  All organisations have this problem, but it becomes more acute for those businesses that hold large amounts of what is known as Personal Identifiable Information or PII.  This is information that can identify a living individual and compromise their privacy in some way.  Financial advisors, estate agents, solicitors etc, all share this issue.  The data protection act, becoming referred to as UK GDPR, is not a suggestion, it is law.

5.        Where is all your data stored and who has access to it? 

One of the biggest issues we find with organisations of all sizes, is that they think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set.  This has become a real issue in that the new normal tempts users when working remotely, with possibly less than robust broadband, to copy data from cloud storage to their PC or laptop to ensure they can keep working on it.  Then they upload it again when they’ve finished but forget to delete their copy.  That’s just one instance but it is vital to understand where all this data is.  What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why.  I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person.  But under the law, they had no choice but to bite the bullet.

There are several systems on the market which will help with this but what most need now is a system that works regardless of the location of the user and continues providing that cover when the user moves from one location to another.  This is just a suggestion, but we’d be delighted to demo it to anyone who is interested.  https://hah2.co.uk/gdpr-data-protection/

6.        Disaster Recovery and Business Continuity

Business Continuity refers to the proactive strategies and plans put in place to ensure that essential business functions can continue in the event of a disruption or disaster. This could include natural disasters, cyber-attacks, power outages, or any other event that could disrupt normal business operations. Business Continuity planning typically involves identifying critical business processes, implementing redundant systems and processes, and developing communication plans to ensure that the organisation can continue to operate smoothly in the face of adversity.

Disaster Recovery, on the other hand, is focused specifically on restoring IT infrastructure and data after a disaster has occurred. This could involve recovering lost data, restoring systems and networks, and ensuring that IT operations can resume as quickly as possible. Disaster Recovery planning typically involves creating backup systems, implementing data recovery procedures, and testing these plans regularly to ensure they are effective.  Both are critical components of a comprehensive risk management strategy and should be integrated into an organization’s overall resilience planning efforts.

Just like backups, which are a crucial part of Disaster Recovery, these plans can become very quickly out of date and useless, unless reviewed periodically and tested to see if they actually work.

7.        Vulnerabilities and Threats 

A vulnerability is a flaw or weakness in an asset’s design, implementation, or operation and management that could be exploited by a threat. A threat is a potential for a threat agent to exploit a vulnerability.  A simple way to explain this is that a vulnerability is the inability to resist a hazard or to respond when a disaster has occurred. For instance, people who live on plains are more vulnerable to floods than people who live higher up.  The threat is the flood itself.

IT risks and vulnerabilities are the potential threats and weaknesses that can affect the performance, security and reliability of your business function and processes. They can have serious consequences for your business goals, customer satisfaction, and competitive advantage.

Identifying vulnerabilities to your cyber security assets and then identifying the threat to those assets in terms of the vulnerability being exploited, informs your risk and enables you to assign a value to it.  Financial value can be assigned to the risk score if you so wish.  You then apply controls to bring the risk down to an acceptable level, starting with the Very High risks, and then bringing them down to whatever is acceptable to you.  That acceptable level, known as the risk appetite, will vary business to business, risk to risk.

8. Supply Chain Security? 

In short, a supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply chain.

An example of such an attack was published by NCSC and points out that many modern businesses outsource their data to third party companies which aggregate, store, process, and broker the information, sometimes on behalf of clients in direct competition with one another.

Such sensitive data is not necessarily just about customers, but could also cover business structure, financial health, strategy, and exposure to risk. In the past, firms dealing with high profile mergers and acquisitions have been targeted. In September 2013, several networks belonging to large data aggregators were reported as having been compromised.

A small botnet was observed exfiltrating information from the internal systems of numerous data stores, through an encrypted channel, to a botnet controller on the public Internet. The highest profile victim was a data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing, and supply chain management. While the attackers may have been after consumer and business data, fraud experts suggested that information on consumer and business habits and practices was the most valuable.

The victim was a credit bureau for numerous businesses, providing “knowledge-based authentication” for financial transaction requests. This supply chain compromise enabled attackers to access valuable information stored via a third party and potentially commit large scale fraud.

NCSC also cited what is known as a watering hole attack, which works by identifying a website that’s frequented by users within a targeted organisation, or even an entire sector, such as defence, government, or healthcare. That website is then compromised to enable the distribution of malware.

The attacker identifies weaknesses in the main target’s cyber security, then manipulates the watering hole site to deliver malware that will exploit these weaknesses.

The malware may be delivered and installed without the target realising (called a ‘drive by’ attack) but given the trust the target is likely to have in the watering hole site, it can also be a file that a user will consciously download without realising what it really contains. Typically, the malware will be a Remote Access Trojan (RAT), enabling the attacker to gain remote access to the target’s system.

If you are in someones supply chain, then you need to make doubly sure that your security protects your customer as well as yourself.  And conversely, if you are connected electronically to someone who supplies you, are you sure that you are protected from any vulnerability they may have.

General Security Issues News Ransomware, Phishing and other Malware Security Tools

KASPERSKY BANNED IN THE US

The US has announced plans to ban the sale of antivirus software made by Russian firm Kaspersky due to its alleged links to the Kremlin (source article https://www.bbc.co.uk/news/articles/ceqq7663wd2o).  This shouldn’t have come as a great shock.  In 2017 the Department of Homeland Security banned the anti-virus product from federal networks, and it has long been a target for US regulators.

There have always been some rather vague clouds over Kaspersky.  I well remember going back to 2010//11, working on a major UK Government sensitive project where we had one guy pushing Kaspersky hard, really fighting its corner but it soon became clear that the customer wasn’t going to use it under any circumstances.  But why?  Kaspersky has always scored very high, in fact near perfect scores, when tested independently by AV-TEST, the most trusted source for independent testing. 

Well, it’s all about the problem that it’s Russian owned and to provide a transliteration from Russian, Laboratoriya Kasperskogo.  In the UK it’s operated by a holding company.  Nonetheless the code comes from Russia and that’s going to have a very real impact on the US, especially given it’s almost total breakdown of relations and the ongoing Ukraine conflict.  Only the US Dept of Homeland Security knows whether this is a very real threat to western company’s using this suite of products, or if there’s a political element to it.  Either way, it’s going to damage Kaspersky, totally decimating its sales in the US.

The big question here in the UK, and across Europe and many Asian countries, is, is it safe to use?  In the UK, the British Standards Institute (BSI) has found no evidence of current problems with Kaspersky products.  However, it went on to recommend that its anti-virus products be replaced with alternatives.  Talk about sitting on the fence and damning with faint praise! 

On 29 March the UK’s National Cyber Security Centre (NCSC)  issued refreshed guidance on UK organisations’ use of technology originating from Russian companies, saying it is not at this time necessary, or necessarily wise, to discontinue use of products such as Kaspersky antivirus (AV) products.  That guidance is now nearly 3 months old, and it remains to be seen if it gets updated following the US action.

The judgement that companies will need to make is, whether renewing or looking to replace a current vendor, do we take a risk on Kaspersky?  Having been in this industry for many years, I know that there are lovers out there, of specific products and/or vendors, who will make this a hill to die on, but there are others who will adopt a much more cautious approach.  I don’t expect to see organisations rushing to ditch Kaspersky but I think their sales people, and their resellers, will find new sales and renewals, a real challenge.

Of course I can’t let this pass without a pitch.  So, if you want to take what I say as being tainted by the fact that I re-sell another product, then guilty m’lud, and I’ll take that on the chin.  The product we sell is one that is in heavy use by the US Department of Defense, as well as industries akin, including the nuclear industry.  It’s been pen tested to death and proof can be shown.  It has a unique approach in that it simply stops unauthorised programs from running.  But how?  Data is stored either as non-runnable info data or runnable application programs. Malware is a type of runnable program with undesirable behaviours.  The system uses what is called a Hard Disk Firewall (HDF).  HDF prevents malware infection, stopping malware program files from being stored and run on a computer.  Simply put it takes about a 30 day period to examine your network and end points, identifying what executables are being run and then, working with you, we decide which of those should be whitelisted to ensure your business isn’t impacted in any way, and anything not on the whitelist is blocked from running.  If you want to know more you can contact us on the links below.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Risk Analysis and Security Strategy

WHAT IS MANAGEMENTS ROLE IN CYBER DEFENCE?

As I move around talking to business leaders of all sizes of company, one thing stands out.  And that’s that there are many different views as to how involved management needs to be in cyber defence, and some of these views are markedly different.  They range from a very hands off approach, happily leaving it to their IT support, to, and it has to be said, a minority, who see it as their responsibility.

Arguably one of the most, if not the most, important roles any CEO/MD/Chairman (call him or her whatever you like and for the purposes of this article I’ll stick with CEO) is to set the importance of cyber defence in everyones mind.  The tone has to come from the top to be accepted and effective.  When cyber defence is clearly prioritised by the CEO and the Board, it assumes an importance in the mind of the employees.  It is crucial that everyone from the CEO down understands the impact that a cyber breach, or a scam, or a cyber based fraud, can have on the bottom line.

This also aligns cyber defence and data protection with the business goals.  Cyber defence is a business issue, not an IT issue.  It’s crucial that all clearly understand this and how it should be woven into the very fabric of the business.  The CEO and the board have a clear perspective on the company’s strategic goals and direction.  By their involvement with cyber defence, they can ensure that it is aligned with the broader business strategy to fully protect the businesses data and systems.  It aids with budgets for cyber security tools, training and personnel, addressing the threats to the business.

CEOS might need advice and guidance but their involvement is essential and will help to identify some issues which may not be clear to employees, especially technical employees.  One such is reputational damage.  The damage to a company from a data breach may not be immediately clear.  But once it hits the press, or once the company becomes subject to a fine from a regulatory body such as the Information Commissioner, the word tends to spread.  If you can’t be trusted to maintain a level of confidentiality, can you be trusted with other things?  Doubt spreads and can destroy vendor, customer and partner relationships.

Cyber defence begins with risk management.  Managing cyber risks is no different to managing any other business risk.  There is no business without risk, the trick is to manage your risks down to a level that you are prepared to accept, known as the risk appetite.  This must involve the CEO and directors and business managers.  Each knows what could damage, perhaps catastrophically damage, their part of the business.  IT staff don’t have this knowledge, their focus is often on the technical risks, not the business risks.

Risk management itself begins with a clear cyber defence and data protection strategy.  Depending upon the size of your business, some elements of the suggested strategy below, may not be relevant to you.  This is offered as a guide, not an absolute.

Figure 1- Suggested Cyber Strategy Framework

To help in defining your strategy, you need to undertake a risk analysis which will inform the selection, deployment and management of Appropriate, Affordable and Accreditable (if required) controls.

Appropriate in the sense that controls need to support rather than hinder business process as well as being capable of achieving their goals.  Your controls also need to be appropriate to your business.  Affordable may seem self-explanatory, however in the context of cyber security controls and overall budgetary constraints, return on investment is as important as cost effectiveness.  Accreditation to agreed cyber security standards – of which there are many, is crucial for all organisations.  Being able to provide a trail of evidence which demonstrates on going compliance to selected standards is essential in times of crisis.

Having got this far, we need a risk treatment plan to match the identified risks.  What you’re trying to achieve here is to manage the risk down to an acceptable level.  Don’t get bogged down in trying to eliminate risk, you won’t succeed, but rather get the risk down as low as you can.  Don’t make it too complicated, identify your risks as High, Medium and Low.  Then manage the high risks down to Low, followed by the medium risks.  You do this by applying controls, be they procedural or technical, to the risk and measuring the outcome.

It sounds complicated and you may need guidance, but once done and adhered to, it provides peace of mind to you, that you have done what you need to do to get your Cyber Defence in place.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.

To learn more about the services we provide please click here https://www.hah2.co.uk/

Please feel free to give us a call or email.

Alternatively book a demo on our Calendly link https://bit.ly/3yoT0qi

T: 0845 5443742

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Trust H2 – Making sure your information is secure

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

Cyber Security Defence

When you are an owner or director of a company, you will have to face many challenges starting from employing the right people to protecting the sensitive data regarding the company, your workers, suppliers and clients, who buy products and services from you. Nowadays, data leakage prevention is essential in every business. Last week I touched on cyber security strategy, and I’ll expand on that a little more in a week or two, but I’ll just reiterate here that cyber security and data protection are inextricably linked, both practically and legally.  They apply equally to the large corporate entities and SMEs alike.  It’s purely a matter of scale.  So, let’s dive in and learn more about the security and data protection services that you may wish to consider, having first identified your risks and come up with what is called a risk treatment plan, ie a plan to remediate the identified risks to an appropriate level, taking account of the residual risk that your organisation finds acceptable.

Cyber Security Defence – What Are the Most Common Services?

The Insider Threat

There are a lot of actions that can be taken regarding cyber defence. You need to cover both external and insider threat detection. We need to simplify, and where possible, automate our responses and solutions.  The more complicated we make it, the more chance of it becoming a liability rather than a solution. The insider threat is one that is often misunderstood and in fact, often ignored.  It is one of the most fascinating and alarming aspects of cybersecurity! It refers to the potential risks posed by individuals within an organisation who have access to sensitive information and can misuse it for personal gain or to sabotage the company. These insiders could be employees, contractors, or even business partners who have intimate knowledge of the company’s processes and systems. It’s like a real-life spy thriller unfolding right within the walls of your own organisation! The challenge lies in identifying and mitigating these risks before they cause serious damage. It’s an adrenaline-pumping game of cat and mouse that keeps cybersecurity professionals on their toes!  It is important to note that many insider threats come not from any intended action by an employee, but rather a mistaken action taken by an employee who didn’t know they shouldn’t do whatever it is they had done.  It’s a primary reason why cyber awareness training is so important.  I can’t stress enough how important a comprehensive campaign of such training is.

To protect against insider threats you need, as well as awareness training, a good mix of procedural and technical security.  You need a sound access control policy that clearly lays down how to onboard an employee, what access to allow, and how to protect against employees gaining privilege they don’t need and shouldn’t have.  That policy should also cover off-boarding when an employee leaves.  Here at H2 we have partnered with Cyber Elements to provide solutions to provide the correct provisioning in an easy to administer way.

External Threats

These are the threats that everyone thinks of when the subject of cyber security comes up.  It can be very easy, such as identifying and blocking a virus, or it can be very complex. It all depends on the size and range of the problem. For example, ransomware protection. We have partnered with Platinum-HIT (UK) to provide the HDF concept.  This provides a unique approach to anti malware and provides a good level of ransomware, and indeed, phishing, protection. On any computer system, data is stored either as non-runnable information data or runnable application programs. Malware is a type of runnable program with undesirable behaviours. HDF prevents malware infection by stopping malware program files from being stored and run on a computer. Simply put, if a program can’t run, it can’t infect your system.  This does require a period of examination of your system to identify what does need to run, to run the business, and that is provided within the product.

We have introduced a fully managed proactive cyber defence solution that complements our data protection solution, described below, whilst remaining able to stand alone, in the unlikely event that the data protection element is not required.

In the dynamic world of cybersecurity, staying ahead of evolving threats requires a comprehensive approach that adapts to the ever-changing landscape. At H2, we recognize that one-size-fits-all solutions often fall short, which is why we’ve developed a flexible and scalable cybersecurity solution powered by Guardz, to address the needs of our clients.

Our approach is grounded in sound risk management principles, ensuring that our solutions are aligned with your specific cybersecurity requirements. Whether you need one or more of our solutions, we can tailor an approach that meets your exact needs and budget.

I talked earlier about the symbiotic relationship between cyber security and data protection, which of course includes data leakage prevention, data privacy and compliance. Once again, we have this covered.  Our data protection solution is very comprehensive and looks not just at the technical, but also at the procedural aspect of data protection, from providing a virtual data protection officer, to writing and/or reviewing your policies and processes, to identifying where your data actual is, what it’s status is ie sensitive or non-sensitive, and provides the ability to encrypt the sensitive data in order to reduce your risk.  If you have a data leak and the data is encrypted, then you are significantly reducing any risk.

Summary

All cyber security defence solutions are designed and implemented in collaboration with the client, during a trial period that consists of between 14 and 30 days, depending upon the solution. All actions can be performed remotely and online and there is no requirement for us to be on site, thus reducing time and expense.  Additionally, all solutions are based on SaaS and therefore there is no expensive infrastructure or hardware requirements and being cloud based, it provides the additional advantage that it can monitor and protect end points regardless of where they are, in the office, on the move, or at home.

What’s the advantage of using a cyber defence managed service?

This will differ company to company, and some will have more of an issue, certainly regarding the protection of what is known as Personally Identifiable Information or PII, as defined in the Data Protection Act 2018.  Each must decide what their threshold is for residual risk, ie what risk is acceptable to them, once protections have been put in place.

Professional cyber security staff are, currently, difficult to source.  There is a global shortage of experienced personnel.  They are also expensive to employ.  You could also argue that there isn’t a full time job for more than one or two, in many organisations.  It therefore makes both operational and financial sense, to outsource at least some of your security operations.

Cyber Awareness Training General Security Issues Risk Analysis and Security Strategy Security Tools

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target and there are a ton of statistics available which shows that SMEs globally are a very real target for cyber-attacks and can in fact, be very profitable for cyber criminals.  There are a lot of reasons for that but one of the top reasons is that typically, SMEs spend very little on cyber defence and generally have very weak defences.  Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault.  Most are focused on their core business, trying make a quid or two and are pressed for time.  They tend to rely on whatever company, usually local, that supplied their network, hardware and software, generally on a retainer.  The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then, not necessarily the right technology.

Secure by default and design

Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to the cloud of some sort, very possibly for SMEs, MS365, but when the design was done, there wasn’t a full risk assessment undertaken which is a requirement to underpin that design.  In other words what we in the cyber security industry refer to as Security Architecture Design (SAD), wasn’t a prominent consideration.

No unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else.  And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

7. Collaboration with external partners: Establishing a partnership with cyber security company that understands the issues that affect SMEs and who themselves can establish a solid working relationship with the IT provider that is providing and administering your network and IT resources, will enhance your protections, significantly improve your employee and managerial awareness of the issues, and provide you with the peace of mind you need, allowing you to concentrate on your core business.

Uncategorized

Cyber Security Defence and Data Protection Solution At An Affordable Price

Proactive Cyber Security Defence (https://hah2.co.uk/protective-monitoring)

Protective Monitoring (which we now refer to as Proactive Cyber Security Defence), a phrase well known in the corporate world which gets immediate understanding of what it is, and what it entails.  But in the SME world, not so much.  Basically, it focuses on the growing cyber security threats and how companies can protect themselves.  We’ve found it’s a very poorly understood subject outside of the corporate world and we have therefore re-designed and re-priced it, specifically for the SME market.

We’ve seen global cyberattacks increase by 38 per cent compared to the previous years. The rise in cybercrime is not sparing UK businesses, with a total of 2.4 million instances of cybercrime reported within the last 12 months across various industries.

What is it? (https://hah2.co.uk/protective-monitoring)

So, what is protective monitoring?  It refers to the process of continuously monitoring an organization’s systems and networks for potential security threats and incidents. This includes analysing logs, monitoring network traffic, and identifying and responding to any suspicious activity. For small and medium-sized enterprises (SMEs), protective monitoring is essential to protect their sensitive data and prevent cyber-attacks. Many SMEs may not have the resources or expertise to implement comprehensive cybersecurity measures, making them more vulnerable to cyber threats.

Detect and Respond

By implementing protective monitoring practices, SMEs can detect and respond to security incidents in a timely manner, reducing the impact of potential breaches. This can help prevent data loss, financial losses, and damage to their reputation. Additionally, protective monitoring can help SMEs comply with regulations such as GDPR and other data protection laws, which require organisations to have measures in place to protect personal data. Overall, protective monitoring is a critical component of a comprehensive cybersecurity strategy for SMEs, helping them to mitigate risks and protect their valuable assets from cyber threats.

It’s Like Cyber Insurance

Protective monitoring can be like insurance for your data – you might not think you need it until disaster strikes. Cost is always an issue for SMEs and traditionally protective monitoring has been a bit pricey, but then so is insurance and can you put a price on peace of mind? Plus, it’s probably cheaper than dealing with a data breach down the line. Wouldn’t it be nice if there was a solution on the market that looks not just at the protective monitoring piece, but also at your data protection needs (https://hah2.co.uk/gdpr-data-protection), all at a price that an SME can afford, whether you are at the S end or the M end, perhaps hovering just below the corporate market, of the SME market.

Awareness and Resource

Many Boards appear to be struggling to understand the intricacies of cyber risks. Fifty-nine per cent of directors admitted that their boards are not effective in comprehending the drivers and impacts of cyber risks on their organisations.  Why would that be?  Well often it’s simply a lack of awareness of the issues involved.  A big issue with SMEs, as well as poor awareness, remains a lack of resources and expertise in the field of cyber security.  They are very reliant on outside support and often attempt to get that support from the local IT company that provides their hardware and software, often managing those resources. This is coupled with Managed Security Service Providers (MSSP) ignoring the SME sector primarily because of cost.  The services they provide traditionally have simply been too expensive. 

Solution – https://hah2.co.uk/

But what if there was a system designed and managed on behalf of SMEs, which addressed the issues that they face daily, at a price they can afford.  What if you can see those issues, highlighted in front of you, using your own data, rather than a demo using dummy data, how much better to help you understand what is happening on your network.  We are offering that opportunity, a FREE trial to try this out.

A good cyber security strategy has always been founded upon strength in depth.  Sound security architecture, good cyber awareness training, solid access control and identity management, and the ability to protectively monitor your estate for threats, vulnerabilities, and risks.  And this latter is what we’re looking at today.

To make this doubly effective and doubly affordable, we have combined a protective monitoring solution with a data protection solution and titled it the Cyber Security Defence and Data Protection Service.  OK, not very catchy but it does nicely encapsulate what it is.  And I can hear your scepticism from here, you’re thinking that sounds pricey.  Well, it is priced at £24 per seat per month, so if you have 20 IT users, then the price is £480 per month.

It’s a cloud based system that requires no expensive infrastructure, and it requires no presence on your site.  It is managed remotely by us and monitors your end points regardless of where they may be.  So, with today’s mobile workforce, it doesn’t matter where your employees are, in the office, at home or on the move, their endpoints are still being monitored.

The key to making this affordable and appropriate for SMEs, is automation, which is becoming more and more possible using AI enhancements.  I’ve highlighted before that here at H2 we are constantly on the lookout for innovative solutions that allow us to provide appropriate and effective services to our clients, at a price that is affordable.  And we think we’ve found another gem.

What’s Covered?

The following services are provided as standard:

  • External and Insider Threat Detection.
  • Ransomware Protection.
  • Data Leakage Protection.
  • Data Privacy and Compliance.
  • Built in Encryption Capability.
  • Automated Cyber Awareness Training.
  • Phishing Simulation. 

Cyber Security Insurance

And as bonus, if you wish, a cyber insurance policy starting at around £400 annually, which is priced according to the risks identified within the service, i.e., the more the risk is reduced, the more the premium is reduced.

We Can Manage This for You

This whole package is offered as a managed service so that the risk, risk reduction, reporting and monitoring is all carried out by us, within the incredibly low price shown above.  And as we’ve already highlighted, we are offering a free demo and a free trial.

Data Breaches and their consequences General Security Issues

DATA PROTECTION – HOW BADLY COULD I BE HIT?

How does data protection effect SMEs?

Data Protection, a somewhat dry subject that many companies, particularly SMEs, think they can get away from by simply paying a bit of lip service.  The Data Protection Act 2018, or as it has become known, UK GDPR, is far from a toothless beast and can cause businesses to find themselves in all sorts of problems if they’re not careful.

Businesses that you might not think about, like Estate Agents, hold large amounts of personally identifiable information or PII, that is information that can identify a living individual. 

Are SMEs subject to punitive fines?

Not so long ago a London estate agent was fined £80,000 by the Information Commissioner’s Office (ICO), after leaving the personal data of more than 18,000 customers exposed for almost two years.

The incident occurred when the estate agent passed the details from its own servers onto a partner company. An “Anonymous Authentication” function was not switched off, which meant there were no access restrictions to the data.

It’s surprising just how much PII estate agents hold.  Just think about what they ask for when you’re buying a house.  In this case the exposed details included bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.

But in some cases that might not be the end of it.  Individuals can sue companies that release data into the wild.  In fact, there are now law firms advertising no win no fee when representing these cases.  Remember that data breaches almost always involve multiple people, sometimes hundreds if not thousands of records.

What size does a business need to be for the regulations to apply?

The regulations apply to all businesses large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it’s a regular activity, concerns sensitive information or the data could threaten an individuals’ rights.  Just exposing PII can threaten an individual’s right to privacy.

Just about everyone processes personal data of some sort.  Data that can identify a living individual.  HR data will have bank account information, home addresses, NOK, phone numbers, maybe references from previous employers.  The exposure of some or all of that could be judged as prejudicial to an individual’s rights.  Some companies may have bigger problems, for example Solicitors, Estate Agents, Financial Advisors and Recruiters (the list is not exhaustive), which hold an abundance of personal data about their clients, much of which, under other legislation they are required to retain for up to 7 years.

Do I need written policies and processes?

Yes – What this means is that a significant number of policies and processes will need to be written and taken into use by the organisation.  It is not unusual for many to visit the web and download templates to cover their requirements.  However, whilst these templates in themselves maybe adequate when used by someone who knows what the requirement is, they may be less than effective in the hands of someone who is just looking for a quick tick in the box.

How is GDPR effected by cyber security?

The Act requires personal data to be secured by ‘default and design’.  This means that cyber security requirements must be designed into your protections.  This could mean at least another 6 or 7 policies and procedures.

How can I keep track of all my PII holdings and keep it secure?

When we are first approached by a prospective client and we begin our offer of a 30 day free trial to examine their requirements, one of the first things we find is that they don’t know what data they are holding, or where it all is.  Oh, they have a general idea; it’s on the cloud server(s), it’s not on laptops or desktops, it’s just the stuff we need to process our clients’ requirements and yes, we’ve only got one copy.  And then we install our software that first carries out a discovery exercise and we discover that their laptops/desktops are holding lots of copies of the data that is on the cloud server(s).  How does that happen?  Over time, especially with many now employing the hybrid system of working, ie between the office and remote (home) locations, employees log on to the cloud, find they have a bit of shaky internet link and download the data they need, work on it and then upload it again, forgetting to delete it from their machine.  Or they need to share it and attach it to an email and send it out, forgetting, or perhaps not realising, that the data is now stored, attached to an email, on their email server.

Then comes the issue with audit trails.  If the ICO ever wanted to carry out an investigation, then having an audit trail of who created/copied/deleted/forwarded what to who, is essential.  And let’s not forget the member of the public who is fully entitled to submit a Data Subject Access Request or DSAR, which demands that you reveal what data you are holding on that person.  The law insists on it, and you can’t refuse it.  I know of a financial firm that took nearly 3 weeks to satisfy a DSAR, taking an employee off billing, for that time.

Are there solutions suitable and affordable for SMEs?

We have a solution that meets the requirements and not only that, has a built in encryption system, all within the same monthly cost.  It’ll cost you nothing to trial it and we’d be very surprised if once you’ve seen it and seen the ridiculously low monthly charge for the managed service, you don’t want to keep it.

Check it out at https://hah2.co.uk/gdpr-data-protection/

General Security Issues Risk Analysis and Security Strategy

Business Continuity Planning

How many SMEs have a business continuity plan in place should they be subject to a cyber-attack that seriously disrupts business to the point where you can’t process and order, raise an invoice or get in essential supplies.  It happens, don’t kid yourself and business continuity is not the same as disaster Recovery.  Business Continuity and Disaster Recovery are two closely related concepts that are often used interchangeably, but they serve different purposes within an organization.

Business Continuity refers to the proactive strategies and plans put in place to ensure that essential business functions can continue in the event of a disruption or disaster. This could include natural disasters, cyber-attacks, power outages, or any other event that could disrupt normal business operations. Business Continuity planning typically involves identifying critical business processes, implementing redundant systems and processes, and developing communication plans to ensure that the organization can continue to operate smoothly in the face of adversity.

Disaster Recovery, on the other hand, is focused specifically on restoring IT infrastructure and data after a disaster has occurred. This could involve recovering lost data, restoring systems and networks, and ensuring that IT operations can resume as quickly as possible. Disaster Recovery planning typically involves creating backup systems, implementing data recovery procedures, and testing these plans regularly to ensure they are effective.  Both are critical components of a comprehensive risk management strategy and should be integrated into an organization’s overall resilience planning efforts.

In general, along with your insurers, the IT support company you have under contract, should be able to help you with disaster recovery, which is often defined by a physical disaster ie fire, flood etc, as well as a cyber-attack.  Business continuity on the other hand requires much more thought and planning.

In essence then, business continuity is the ability to recover quickly and continue operating when there has been a serious disruption to the business function caused by equipment failure, power outage, fire, flood, or other type disruption (manmade or otherwise).  Business continuity may be achieved through resiliency – which is an essential part of system architecture, associated with business continuity planning.  Resiliency considers the business impact and corresponding plans to restore business functionality after a disruptive event.  However, as many SMEs have carried out no real risk assessment and have no real risk management plan in regard to cyber security, then it is unlikely that they have a system architecture robust enough to take account of this requirement.  The exception is that the majority have taken to cloud computing which goes someway to achieving resilience, although that was probably not their primary reason for going down that road.

There are 4 elements that are essential to the business continuity component of the security operations function are as follows:

  • Business impact assessments (BIA)
  • Disaster recovery planning.
  • Business recovery planning.
  • Plan, testing and analysis.

Arguably the most important is the BIA, developing an understanding of what could happen to the business if the loss of systems, leading to the loss of access to critical data and the ability to continue to function efficiently, should a disaster overcome you.

These are the issues all business owners should get to grips with and here at H2 we understand that it isn’t easy, and that advice and guidance is necessary.

Cyber Awareness Training General Security Issues Ransomware, Phishing and other Malware

Phishing – as much a problem today as it’s ever been

Think phishing is old news? You won’t believe why it’s still the number one nightmare for CEOs and business owners.

Ever find it odd that phishing, an old trick in the cyberbook, keeps CEOs awake at night? Guess what, it’s not budging from that top spot.

Here’s the deal: cyber villains always stay ahead. If you develop a shield, they craft a spear. They’re all out to make your employees act impulsively, falling into traps on all communication fronts.

Ever thought about arming your business against phishing, without the tech jargon? Let’s discuss uncomplicated, everyday measures to secure your digital turf.

1. Training: Educating your team about phishing scams is the first step. A well-informed team can spot such scams.

2. Double-checking: Emails from ‘official’ sources often aren’t. Encourage your team to verify before replying.

3. Regular updates: Keep your systems and software updated, they often include security enhancements. Phishing is a persistent threat, but with the right non-technical measures, your business can uphold security. Ready to fortify your cyber defences? I’m here to help.

Questioning the efficiency of your cyber defence is valid. But to provide any assurance about your training methods and protections, we need to monitor and measure.

Here at H2 we take place great store in crafting solutions for SMEs that are appropriate to them, and as such, are very affordable.  We know how difficult it is to keep up with everything that is going on around you, it can be an absolute nightmare and you are going to be laser focused on your core business.  We believe we have come up with a service that is very affordable, and that provides SMEs with the protections they need, in an appropriate way.

In the dynamic world of cybersecurity, staying ahead of evolving threats requires a comprehensive approach that adapts to the ever-changing landscape. At H2, we recognize that one-size-fits-all solutions often fall short, which is why we’ve married together two solutions which we fully manage, to address the needs of our clients.

Our approach is grounded in sound risk management principles, ensuring that our solutions are aligned with your specific cybersecurity requirements. Whether you need one or more of our solutions, we can tailor a solution that meets your exact needs and budget.

We offer a fully managed Security Monitoring Data Protection (GDPR) that provides the following:

  • External and Insider threat detection.
  • Ransomware protection.
  • Data Leakage Prevention.
  • Data privacy and compliance.
  • Inbuilt encryption capability.
  • Automated cyber awareness training programme.
  • Vulnerability Assessment.
  • Phishing simulation.
General Security Issues Identity and Access Management News Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

Innovation – Why Do Many Shy Away from it?

I read an interesting piece recently where the thrust was that true innovation consists of doing now what you should have done ten years ago.  Harsh, maybe, but also fair.  I’m constantly reading industry surveys which highlight the low level of cybersecurity maturity amongst large firms and, increasingly, an even lower level amongst smaller firms.  We never seem to learn.

Of course, and as I’ve mentioned before, many of these surveys are written, or at least sponsored, by cybersecurity vendors and largish consultancies, who could potentially be seen as biased in that they are pushing their own solutions.  But keeping that in mind, there is still and underlying truth.

My focus remains on SMEs, so I’ll skip more talk about the corporate world.  In conversation with people I’ve worked with for years, their anecdotal evidence supports the underlying truth of these surveys.  SMEs in particular struggle with the basics of good cybersecurity housekeeping, such as monitoring of basic network events, timely removal of user accounts, timely deployment of security patches, and revalidation of access level, particularly privileged access.  This list is far from exhaustive.  Whilst this message has been pushed over and over by cybersecurity professionals over the last 10-15 years, SMEs continue to rely on technical solutions which simply don’t stack up in many areas.  Why?  Simple, because they are relying on local IT providers to give them solutions and those IT providers continue to push the technologies that they sell.  SME owners and managers are very reluctant to relinquish that argument.  Strange when often the best solutions are procedural and as such, much much cheaper than a technology that probably doesn’t quite match up anyway.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT.  They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Back to the topic in hand, innovation and how and when should we be seriously considering it.  Ideally, we should be constantly looking for innovations, not just to keep us safe, but to encourage efficiency and cost savings, and I’m sure all SME owners would love to have the time and resource to do just that.  But we live in the real world and will be cost, and resource constrained.  But that’s not an excuse to not keep a weather eye on the need to innovate.  We live in a changing world and what we in the business call the threat landscape, changes constantly.  This simply means that threats evolve all the time, often to meet new circumstances, and AI for instance, is reducing the response time of cyber criminals to new technologies and changes in working patterns, to almost what is known as the zero day threat, ie zero days from the release of something new, to a threat being created to exploit it.

When COVID hit, many SMEs had to move very quickly to keep going, adopting remote working without the time or luxury of any real planning.  It was a knee jerk born of necessity and certainly not the way they would have liked to do it.  There are multiple cases of companies not having the necessary equipment, in terms of hardware, desktop, laptops etc, and allowing staff to work from home using their own home machines, connecting to both office and cloud-based systems, without any check on how those machines were configured, whether or not they were kept up to date with the latest patches, or whether they were used by other family members. 

In terms of equipment, cloud usage and some working practices, that situation is righting itself, sort of.  There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are either planning to, or have adopted a hybrid model.  In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.  That new working model has arguably had the biggest effect on working practices and in turn, cyber security as it affects SMEs, since the innovation of IT itself. 

So, what needs to be done if hybrid working patterns are to continue?  Well, first and foremost comes your policies.  Do they reflect the new hybrid working model?  Have you laid down what is and what is not an acceptable use of company IT equipment if it’s being transported to a home address?  Do you allow the use of home machines, and have you laid down how those machines must be configured before they can be used for company business?  That list is not exhaustive.

Secondly comes user training.  Cyber awareness training for staff, along with a broad understanding of data protection principles, becomes even more important when staff are working from home.  It is a clear no brainer which many SMEs still don’t recognise as necessary.

Of course, those 2 things are hardly innovation, unless of course, you haven’t taken any of those measures and then it becomes innovative within your company.  Real innovation perhaps comes from reviewing the technologies you have in place, and have relied on, possibly for years.  Most, if not all those technologies will be based on the old bastion model of security, ie a network perimeter with a secure gateway, protecting your assets within that perimeter.  With the new working model, relying usually on cloud connectivity, your staff could be working in the office, at home, from a coffee shop etc etc.  You now have a mobile workforce.  What is needed is real innovation that protects your data regardless of where it is, technologies which themselves are cloud based, not caring where the end point it is monitoring actually is, whilst maintaining cost effective pricing.  This is something we’ve been at great pains to research and have now come up with such solutions.

We are holding a webinar to discuss and highlight these solutions and would love to see you there:

Event Details:

Scroll to top