Author: Kevin Hawkins

Cyber Awareness Training General Security Issues Risk Analysis and Security Strategy Security Tools

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target and there are a ton of statistics available which shows that SMEs globally are a very real target for cyber-attacks and can in fact, be very profitable for cyber criminals.  There are a lot of reasons for that but one of the top reasons is that typically, SMEs spend very little on cyber defence and generally have very weak defences.  Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault.  Most are focused on their core business, trying make a quid or two and are pressed for time.  They tend to rely on whatever company, usually local, that supplied their network, hardware and software, generally on a retainer.  The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then, not necessarily the right technology.

Secure by default and design

Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to the cloud of some sort, very possibly for SMEs, MS365, but when the design was done, there wasn’t a full risk assessment undertaken which is a requirement to underpin that design.  In other words what we in the cyber security industry refer to as Security Architecture Design (SAD), wasn’t a prominent consideration.

No unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else.  And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

7. Collaboration with external partners: Establishing a partnership with cyber security company that understands the issues that affect SMEs and who themselves can establish a solid working relationship with the IT provider that is providing and administering your network and IT resources, will enhance your protections, significantly improve your employee and managerial awareness of the issues, and provide you with the peace of mind you need, allowing you to concentrate on your core business.

Uncategorized

Cyber Security Defence and Data Protection Solution At An Affordable Price

Proactive Cyber Security Defence (https://hah2.co.uk/protective-monitoring)

Protective Monitoring (which we now refer to as Proactive Cyber Security Defence), a phrase well known in the corporate world which gets immediate understanding of what it is, and what it entails.  But in the SME world, not so much.  Basically, it focuses on the growing cyber security threats and how companies can protect themselves.  We’ve found it’s a very poorly understood subject outside of the corporate world and we have therefore re-designed and re-priced it, specifically for the SME market.

We’ve seen global cyberattacks increase by 38 per cent compared to the previous years. The rise in cybercrime is not sparing UK businesses, with a total of 2.4 million instances of cybercrime reported within the last 12 months across various industries.

What is it? (https://hah2.co.uk/protective-monitoring)

So, what is protective monitoring?  It refers to the process of continuously monitoring an organization’s systems and networks for potential security threats and incidents. This includes analysing logs, monitoring network traffic, and identifying and responding to any suspicious activity. For small and medium-sized enterprises (SMEs), protective monitoring is essential to protect their sensitive data and prevent cyber-attacks. Many SMEs may not have the resources or expertise to implement comprehensive cybersecurity measures, making them more vulnerable to cyber threats.

Detect and Respond

By implementing protective monitoring practices, SMEs can detect and respond to security incidents in a timely manner, reducing the impact of potential breaches. This can help prevent data loss, financial losses, and damage to their reputation. Additionally, protective monitoring can help SMEs comply with regulations such as GDPR and other data protection laws, which require organisations to have measures in place to protect personal data. Overall, protective monitoring is a critical component of a comprehensive cybersecurity strategy for SMEs, helping them to mitigate risks and protect their valuable assets from cyber threats.

It’s Like Cyber Insurance

Protective monitoring can be like insurance for your data – you might not think you need it until disaster strikes. Cost is always an issue for SMEs and traditionally protective monitoring has been a bit pricey, but then so is insurance and can you put a price on peace of mind? Plus, it’s probably cheaper than dealing with a data breach down the line. Wouldn’t it be nice if there was a solution on the market that looks not just at the protective monitoring piece, but also at your data protection needs (https://hah2.co.uk/gdpr-data-protection), all at a price that an SME can afford, whether you are at the S end or the M end, perhaps hovering just below the corporate market, of the SME market.

Awareness and Resource

Many Boards appear to be struggling to understand the intricacies of cyber risks. Fifty-nine per cent of directors admitted that their boards are not effective in comprehending the drivers and impacts of cyber risks on their organisations.  Why would that be?  Well often it’s simply a lack of awareness of the issues involved.  A big issue with SMEs, as well as poor awareness, remains a lack of resources and expertise in the field of cyber security.  They are very reliant on outside support and often attempt to get that support from the local IT company that provides their hardware and software, often managing those resources. This is coupled with Managed Security Service Providers (MSSP) ignoring the SME sector primarily because of cost.  The services they provide traditionally have simply been too expensive. 

Solution – https://hah2.co.uk/

But what if there was a system designed and managed on behalf of SMEs, which addressed the issues that they face daily, at a price they can afford.  What if you can see those issues, highlighted in front of you, using your own data, rather than a demo using dummy data, how much better to help you understand what is happening on your network.  We are offering that opportunity, a FREE trial to try this out.

A good cyber security strategy has always been founded upon strength in depth.  Sound security architecture, good cyber awareness training, solid access control and identity management, and the ability to protectively monitor your estate for threats, vulnerabilities, and risks.  And this latter is what we’re looking at today.

To make this doubly effective and doubly affordable, we have combined a protective monitoring solution with a data protection solution and titled it the Cyber Security Defence and Data Protection Service.  OK, not very catchy but it does nicely encapsulate what it is.  And I can hear your scepticism from here, you’re thinking that sounds pricey.  Well, it is priced at £24 per seat per month, so if you have 20 IT users, then the price is £480 per month.

It’s a cloud based system that requires no expensive infrastructure, and it requires no presence on your site.  It is managed remotely by us and monitors your end points regardless of where they may be.  So, with today’s mobile workforce, it doesn’t matter where your employees are, in the office, at home or on the move, their endpoints are still being monitored.

The key to making this affordable and appropriate for SMEs, is automation, which is becoming more and more possible using AI enhancements.  I’ve highlighted before that here at H2 we are constantly on the lookout for innovative solutions that allow us to provide appropriate and effective services to our clients, at a price that is affordable.  And we think we’ve found another gem.

What’s Covered?

The following services are provided as standard:

  • External and Insider Threat Detection.
  • Ransomware Protection.
  • Data Leakage Protection.
  • Data Privacy and Compliance.
  • Built in Encryption Capability.
  • Automated Cyber Awareness Training.
  • Phishing Simulation. 

Cyber Security Insurance

And as bonus, if you wish, a cyber insurance policy starting at around £400 annually, which is priced according to the risks identified within the service, i.e., the more the risk is reduced, the more the premium is reduced.

We Can Manage This for You

This whole package is offered as a managed service so that the risk, risk reduction, reporting and monitoring is all carried out by us, within the incredibly low price shown above.  And as we’ve already highlighted, we are offering a free demo and a free trial.

Data Breaches and their consequences General Security Issues

DATA PROTECTION – HOW BADLY COULD I BE HIT?

How does data protection effect SMEs?

Data Protection, a somewhat dry subject that many companies, particularly SMEs, think they can get away from by simply paying a bit of lip service.  The Data Protection Act 2018, or as it has become known, UK GDPR, is far from a toothless beast and can cause businesses to find themselves in all sorts of problems if they’re not careful.

Businesses that you might not think about, like Estate Agents, hold large amounts of personally identifiable information or PII, that is information that can identify a living individual. 

Are SMEs subject to punitive fines?

Not so long ago a London estate agent was fined £80,000 by the Information Commissioner’s Office (ICO), after leaving the personal data of more than 18,000 customers exposed for almost two years.

The incident occurred when the estate agent passed the details from its own servers onto a partner company. An “Anonymous Authentication” function was not switched off, which meant there were no access restrictions to the data.

It’s surprising just how much PII estate agents hold.  Just think about what they ask for when you’re buying a house.  In this case the exposed details included bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.

But in some cases that might not be the end of it.  Individuals can sue companies that release data into the wild.  In fact, there are now law firms advertising no win no fee when representing these cases.  Remember that data breaches almost always involve multiple people, sometimes hundreds if not thousands of records.

What size does a business need to be for the regulations to apply?

The regulations apply to all businesses large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it’s a regular activity, concerns sensitive information or the data could threaten an individuals’ rights.  Just exposing PII can threaten an individual’s right to privacy.

Just about everyone processes personal data of some sort.  Data that can identify a living individual.  HR data will have bank account information, home addresses, NOK, phone numbers, maybe references from previous employers.  The exposure of some or all of that could be judged as prejudicial to an individual’s rights.  Some companies may have bigger problems, for example Solicitors, Estate Agents, Financial Advisors and Recruiters (the list is not exhaustive), which hold an abundance of personal data about their clients, much of which, under other legislation they are required to retain for up to 7 years.

Do I need written policies and processes?

Yes – What this means is that a significant number of policies and processes will need to be written and taken into use by the organisation.  It is not unusual for many to visit the web and download templates to cover their requirements.  However, whilst these templates in themselves maybe adequate when used by someone who knows what the requirement is, they may be less than effective in the hands of someone who is just looking for a quick tick in the box.

How is GDPR effected by cyber security?

The Act requires personal data to be secured by ‘default and design’.  This means that cyber security requirements must be designed into your protections.  This could mean at least another 6 or 7 policies and procedures.

How can I keep track of all my PII holdings and keep it secure?

When we are first approached by a prospective client and we begin our offer of a 30 day free trial to examine their requirements, one of the first things we find is that they don’t know what data they are holding, or where it all is.  Oh, they have a general idea; it’s on the cloud server(s), it’s not on laptops or desktops, it’s just the stuff we need to process our clients’ requirements and yes, we’ve only got one copy.  And then we install our software that first carries out a discovery exercise and we discover that their laptops/desktops are holding lots of copies of the data that is on the cloud server(s).  How does that happen?  Over time, especially with many now employing the hybrid system of working, ie between the office and remote (home) locations, employees log on to the cloud, find they have a bit of shaky internet link and download the data they need, work on it and then upload it again, forgetting to delete it from their machine.  Or they need to share it and attach it to an email and send it out, forgetting, or perhaps not realising, that the data is now stored, attached to an email, on their email server.

Then comes the issue with audit trails.  If the ICO ever wanted to carry out an investigation, then having an audit trail of who created/copied/deleted/forwarded what to who, is essential.  And let’s not forget the member of the public who is fully entitled to submit a Data Subject Access Request or DSAR, which demands that you reveal what data you are holding on that person.  The law insists on it, and you can’t refuse it.  I know of a financial firm that took nearly 3 weeks to satisfy a DSAR, taking an employee off billing, for that time.

Are there solutions suitable and affordable for SMEs?

We have a solution that meets the requirements and not only that, has a built in encryption system, all within the same monthly cost.  It’ll cost you nothing to trial it and we’d be very surprised if once you’ve seen it and seen the ridiculously low monthly charge for the managed service, you don’t want to keep it.

Check it out at https://hah2.co.uk/gdpr-data-protection/

General Security Issues Risk Analysis and Security Strategy

Business Continuity Planning

How many SMEs have a business continuity plan in place should they be subject to a cyber-attack that seriously disrupts business to the point where you can’t process and order, raise an invoice or get in essential supplies.  It happens, don’t kid yourself and business continuity is not the same as disaster Recovery.  Business Continuity and Disaster Recovery are two closely related concepts that are often used interchangeably, but they serve different purposes within an organization.

Business Continuity refers to the proactive strategies and plans put in place to ensure that essential business functions can continue in the event of a disruption or disaster. This could include natural disasters, cyber-attacks, power outages, or any other event that could disrupt normal business operations. Business Continuity planning typically involves identifying critical business processes, implementing redundant systems and processes, and developing communication plans to ensure that the organization can continue to operate smoothly in the face of adversity.

Disaster Recovery, on the other hand, is focused specifically on restoring IT infrastructure and data after a disaster has occurred. This could involve recovering lost data, restoring systems and networks, and ensuring that IT operations can resume as quickly as possible. Disaster Recovery planning typically involves creating backup systems, implementing data recovery procedures, and testing these plans regularly to ensure they are effective.  Both are critical components of a comprehensive risk management strategy and should be integrated into an organization’s overall resilience planning efforts.

In general, along with your insurers, the IT support company you have under contract, should be able to help you with disaster recovery, which is often defined by a physical disaster ie fire, flood etc, as well as a cyber-attack.  Business continuity on the other hand requires much more thought and planning.

In essence then, business continuity is the ability to recover quickly and continue operating when there has been a serious disruption to the business function caused by equipment failure, power outage, fire, flood, or other type disruption (manmade or otherwise).  Business continuity may be achieved through resiliency – which is an essential part of system architecture, associated with business continuity planning.  Resiliency considers the business impact and corresponding plans to restore business functionality after a disruptive event.  However, as many SMEs have carried out no real risk assessment and have no real risk management plan in regard to cyber security, then it is unlikely that they have a system architecture robust enough to take account of this requirement.  The exception is that the majority have taken to cloud computing which goes someway to achieving resilience, although that was probably not their primary reason for going down that road.

There are 4 elements that are essential to the business continuity component of the security operations function are as follows:

  • Business impact assessments (BIA)
  • Disaster recovery planning.
  • Business recovery planning.
  • Plan, testing and analysis.

Arguably the most important is the BIA, developing an understanding of what could happen to the business if the loss of systems, leading to the loss of access to critical data and the ability to continue to function efficiently, should a disaster overcome you.

These are the issues all business owners should get to grips with and here at H2 we understand that it isn’t easy, and that advice and guidance is necessary.

Cyber Awareness Training General Security Issues Ransomware, Phishing and other Malware

Phishing – as much a problem today as it’s ever been

Think phishing is old news? You won’t believe why it’s still the number one nightmare for CEOs and business owners.

Ever find it odd that phishing, an old trick in the cyberbook, keeps CEOs awake at night? Guess what, it’s not budging from that top spot.

Here’s the deal: cyber villains always stay ahead. If you develop a shield, they craft a spear. They’re all out to make your employees act impulsively, falling into traps on all communication fronts.

Ever thought about arming your business against phishing, without the tech jargon? Let’s discuss uncomplicated, everyday measures to secure your digital turf.

1. Training: Educating your team about phishing scams is the first step. A well-informed team can spot such scams.

2. Double-checking: Emails from ‘official’ sources often aren’t. Encourage your team to verify before replying.

3. Regular updates: Keep your systems and software updated, they often include security enhancements. Phishing is a persistent threat, but with the right non-technical measures, your business can uphold security. Ready to fortify your cyber defences? I’m here to help.

Questioning the efficiency of your cyber defence is valid. But to provide any assurance about your training methods and protections, we need to monitor and measure.

Here at H2 we take place great store in crafting solutions for SMEs that are appropriate to them, and as such, are very affordable.  We know how difficult it is to keep up with everything that is going on around you, it can be an absolute nightmare and you are going to be laser focused on your core business.  We believe we have come up with a service that is very affordable, and that provides SMEs with the protections they need, in an appropriate way.

In the dynamic world of cybersecurity, staying ahead of evolving threats requires a comprehensive approach that adapts to the ever-changing landscape. At H2, we recognize that one-size-fits-all solutions often fall short, which is why we’ve married together two solutions which we fully manage, to address the needs of our clients.

Our approach is grounded in sound risk management principles, ensuring that our solutions are aligned with your specific cybersecurity requirements. Whether you need one or more of our solutions, we can tailor a solution that meets your exact needs and budget.

We offer a fully managed Security Monitoring Data Protection (GDPR) that provides the following:

  • External and Insider threat detection.
  • Ransomware protection.
  • Data Leakage Prevention.
  • Data privacy and compliance.
  • Inbuilt encryption capability.
  • Automated cyber awareness training programme.
  • Vulnerability Assessment.
  • Phishing simulation.
General Security Issues Identity and Access Management News Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

Innovation – Why Do Many Shy Away from it?

I read an interesting piece recently where the thrust was that true innovation consists of doing now what you should have done ten years ago.  Harsh, maybe, but also fair.  I’m constantly reading industry surveys which highlight the low level of cybersecurity maturity amongst large firms and, increasingly, an even lower level amongst smaller firms.  We never seem to learn.

Of course, and as I’ve mentioned before, many of these surveys are written, or at least sponsored, by cybersecurity vendors and largish consultancies, who could potentially be seen as biased in that they are pushing their own solutions.  But keeping that in mind, there is still and underlying truth.

My focus remains on SMEs, so I’ll skip more talk about the corporate world.  In conversation with people I’ve worked with for years, their anecdotal evidence supports the underlying truth of these surveys.  SMEs in particular struggle with the basics of good cybersecurity housekeeping, such as monitoring of basic network events, timely removal of user accounts, timely deployment of security patches, and revalidation of access level, particularly privileged access.  This list is far from exhaustive.  Whilst this message has been pushed over and over by cybersecurity professionals over the last 10-15 years, SMEs continue to rely on technical solutions which simply don’t stack up in many areas.  Why?  Simple, because they are relying on local IT providers to give them solutions and those IT providers continue to push the technologies that they sell.  SME owners and managers are very reluctant to relinquish that argument.  Strange when often the best solutions are procedural and as such, much much cheaper than a technology that probably doesn’t quite match up anyway.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT.  They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Back to the topic in hand, innovation and how and when should we be seriously considering it.  Ideally, we should be constantly looking for innovations, not just to keep us safe, but to encourage efficiency and cost savings, and I’m sure all SME owners would love to have the time and resource to do just that.  But we live in the real world and will be cost, and resource constrained.  But that’s not an excuse to not keep a weather eye on the need to innovate.  We live in a changing world and what we in the business call the threat landscape, changes constantly.  This simply means that threats evolve all the time, often to meet new circumstances, and AI for instance, is reducing the response time of cyber criminals to new technologies and changes in working patterns, to almost what is known as the zero day threat, ie zero days from the release of something new, to a threat being created to exploit it.

When COVID hit, many SMEs had to move very quickly to keep going, adopting remote working without the time or luxury of any real planning.  It was a knee jerk born of necessity and certainly not the way they would have liked to do it.  There are multiple cases of companies not having the necessary equipment, in terms of hardware, desktop, laptops etc, and allowing staff to work from home using their own home machines, connecting to both office and cloud-based systems, without any check on how those machines were configured, whether or not they were kept up to date with the latest patches, or whether they were used by other family members. 

In terms of equipment, cloud usage and some working practices, that situation is righting itself, sort of.  There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are either planning to, or have adopted a hybrid model.  In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.  That new working model has arguably had the biggest effect on working practices and in turn, cyber security as it affects SMEs, since the innovation of IT itself. 

So, what needs to be done if hybrid working patterns are to continue?  Well, first and foremost comes your policies.  Do they reflect the new hybrid working model?  Have you laid down what is and what is not an acceptable use of company IT equipment if it’s being transported to a home address?  Do you allow the use of home machines, and have you laid down how those machines must be configured before they can be used for company business?  That list is not exhaustive.

Secondly comes user training.  Cyber awareness training for staff, along with a broad understanding of data protection principles, becomes even more important when staff are working from home.  It is a clear no brainer which many SMEs still don’t recognise as necessary.

Of course, those 2 things are hardly innovation, unless of course, you haven’t taken any of those measures and then it becomes innovative within your company.  Real innovation perhaps comes from reviewing the technologies you have in place, and have relied on, possibly for years.  Most, if not all those technologies will be based on the old bastion model of security, ie a network perimeter with a secure gateway, protecting your assets within that perimeter.  With the new working model, relying usually on cloud connectivity, your staff could be working in the office, at home, from a coffee shop etc etc.  You now have a mobile workforce.  What is needed is real innovation that protects your data regardless of where it is, technologies which themselves are cloud based, not caring where the end point it is monitoring actually is, whilst maintaining cost effective pricing.  This is something we’ve been at great pains to research and have now come up with such solutions.

We are holding a webinar to discuss and highlight these solutions and would love to see you there:

Event Details:

General Security Issues News

Cyber Threats to SMEs

I’m not a big fan of FUD – Fear, Uncertainty and Doubt – which is often used when selling, or attempting to sell, cyber security solutions.  I’ve always considered it a little unethical and unsavoury.  However, there is a clear difference between telling people what they need to know and spreading FUD around to scare up sales opportunities.  SMEs, just like the corporate world, need, and deserve, to know the truth about what they are facing.  I’m also not a fan of the saying ‘you don’t know what you don’t know’, but it’s sadly true.  Being uninformed can lead to complacency which can, in turn, lead to some quite disastrous consequences.

It’s being reported that SMEs experienced a 37% surge in cyber security warnings in 2023.  That’s a lot, and whilst there is always a little scepticism about stats, if only because many SMEs will simply not involve themselves in gathering such stats, preferring to keep things to themselves regarding their security, you can argue that 37% is a conservative estimate given that reluctance to take part.

They go on to say that Private sector organisations were hit harder by cyber threats, receiving 18% more alerts than their public sector counterparts. As threat levels rose, IT teams also showed signs of shrinking – the mean size of each security team at the beginning of 2024 was 2.63 people, slightly down from 2.7 people in 2021.  And that’s for organisations that can afford their own in house IT whilst most rely on contracted IT management companies, often local and themselves resource challenged.

They report that:

  • Two in five SMEs were taken offline – 41% of SMEs had to take systems and applications offline due to an incident over the last year. For one in seven of those (14%), the outage lasted more than a day.
  • Data loss hit almost two in five – 39% of SMEs lost data due to a cyber-attack in 2023, a 13% jump since 2021. Nearly a third (30%) of SMEs also lost data due to user error in the last 12 months and 27% lost data due to disgruntled employees.
  • One in five fell victim to ransomware – 20% SMEs fell victim to a ransomware attack – although the pace of attack has remained consistent over the last three years.
  • 34% paid out after a ransomware attack, with the average pay-out standing at £139,368. And, one in five were subjected to a regulatory fine as a result.
  • Nearly a quarter experienced an email attack – 23% of SMEs suffered from an employee opening a suspicious or malicious email that led to a serious attack.

Perhaps one of the most concerning issues for SMEs, is that it was reported that those employing some form of cyber security expertise were requiring their staff to work out of hours regularly in order to keep up with the issues, with 38% having been called at night and 34% having their holiday interrupted.  Not hugely surprising as cyber criminals don’t keep regular hours.  And of course, as I said earlier, most SMEs don’t employ their own in house staff but rely on IT management company’s and it would perhaps pay SMEs to re-visit their Ts & Cs to see if they have any out of hours coverage, and what it entails.

At least 70% of SMEs are struggling with the plethora of security solutions being sold to them, especially as most of these don’t inter operate with each other and instead, work independently and often overlap.  It’s essential that any solutions that are in place complement each other and where they do overlap, it’s for a good and useful purpose, providing belt and braces, requiring some form of reporting that allows us to see that these solutions are doing what we think they are doing.  All too often that’s not the case.

Getting advice and guidance, ensuring that you ask the right questions to get your knowledge to the point where you can realistically start to assess where you stand in regard to cyber security, is essential.  To that end we are holding a webinar on the 8th of May where we’ll explore some strategies you can adopt to protect your information from cyber threats, providing practical tips and best practices to secure your data effectively, and provide you with a tailored solution specially designed and priced for SMEs. This session is an excellent opportunity to enhance your digital security and protect the data you hold within your network that is critical to the operation of your business and your fiscal security.

You can register via Eventbrite:

https://www.eventbrite.com/e/protect-your-digital-assets-before-they-become-digital-liabilities-tickets-880741630927

Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy

Cyber Security Benchmarking

As long as I’ve been in this industry, clients have always had a thing about benchmarking, particularly those in the higher echelons, who are naturally driven by maturity, budgets, and the frequency of cyber breaches in their industry.  It’s often how they decide their spend.  Fair enough.  In the SME world it’s perhaps not that formalised but is still a thing.  An SME owner wants to know what other people are doing to try and gauge what they should be doing.

I talked, in a post last week, about conformational bias, which is a posh way of talking about the herd mentality and benchmarking falls loosely into that bracket.  What we’re actually talking about is the need for reassurance, deflecting plain discomfort, around the proposal to spend money on something that often seems a little esoteric to many.

Of course, not every situation, or every company is the same.  Their cyber maturity and risk appetite will often drive different approaches to a similar problem.  One company might have a heavy focus on data protection.  For example, an accountancy firm, a solicitors, even an estate agency, might assess that a serious data breach involving the Information Commissioner, could, potentially, put them out of business and they would therefore make this a number one risk.  On the other hand, a manufacturing company may consider this a risk, but of less importance than say, their designs for their next improvement to their product line.

So how good is a benchmark?  Well, it’s a guide, but that’s all it is, and you might think that if you’re close-ish to that guide, and you have an understanding about why you’re not closer, then that is probably OK.  What I’m saying is, don’t take an industry benchmark to be gospel, it isn’t, and basing decisions on what is essentially anecdotal evidence, isn’t, in my opinion, a very good basis for making that decision.

This is where building relationships with suppliers is essential for an SME.  Trust must be established, especially when dipping your toe in to the murky depths of cyber security.  Let’s face it, most people don’t understand it and people don’t trust what they don’t understand.  Finding a cyber security company that is happy to work with SMEs is not easy, especially one that isn’t wedded to technology as being the only answer to a problem.  Process and procedure can be just as effective as technology in certain circumstances and of course, is much much cheaper.  And let’s not forget cyber awareness training, still the cheapest quick win any SME can take to offset the risk of a data breach or scam.

All this is easy to say, but just how do you find a cyber security company you can trust?  I vaguely remember hearing the saying that you have to kiss a lot of frogs before you find your prince.  But in this case, you can’t afford to do that.  Time is not on your side but in doing your due diligence, you still need to be cautious.

What are you looking for?  I would suggest:

  • Proven track record.  Look into the past of the ownership of the company, not just the employees. 
  • Their approach.  Do they lead with technology?  If they do, walk away.  Do they take a risk managed approach?  That’s what you’re looking for.
  • Do they talk in jargon, trying to baffle you with science?  If they do, walk away.  This subject can be explained without getting into technicalities.  You want something that addresses threats to your business, and they should demonstrate they understand that.
  • Do they talk about the FUD factor. Fear, uncertainty and doubt. What they’re trying to do is to scare you into buying. Giving you the facts is one thing, FUD is completely different.
  • Have they taken the time to fully understand what your business is about, what it is that drives your revenue, what is important to you and what is not so important?
  • Do they see you as a long term partner or a quick revenue win?  Can be difficult to assess but it is crucial to building the trust I talked about earlier.

Of course, this is not an exhaustive list of criteria, and you’ll almost certainly have things you want to add, and maybe things you will discard.  But whatever route you take to build that trust, it is essential to your protection and peace of mind in what is becoming a very dangerous online world.

Cyber Awareness Training General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Security Tools

Is Cyber Security making the grade for Small to Medium Enterprises?

I’ve touched on this subject several times in the past but was encouraged to revisit it after reading a book by Jean-Christophe Gaillard entitled The Cyber Security Spiral of Failure.  A provocative title and of course, the subject matter was aimed at the corporate sector.  But my view is the difference between the 2 sectors, in terms of solutions is often one of scale, with corporations being more complex and faced with many problems that the SME sector doesn’t.  They do however have the same threats and consequences of failure, as each other.

The author argues that for a couple of decades now, many organisations have been trapped in this spiral of failure, driven by endemic business short termism and the box-ticking culture of many executives in regard to compliance.  This really does resonate in the SME world with short termism often driven by financial necessity and especially during and since COVID, where survival was paramount, often requiring day to day management.  Of course, no SME owner or manager likes that and would love to have a solid and well-funded plan going forward, if only! 

Successful transformation takes time and often requires changing the culture of the organisation, and this at a time when many owners are struggling with the emerging business practices of a more distributed work force, following the pandemic.  Coming up with any transformative planning around IT naturally comes below that required for the business in general.  Bottom line is often that if it isn’t our core business, it can wait.  Even though of course, there are very few businesses that can continue to operate efficiently without their IT systems.

Which brings us to compliance.  For most SMEs compliance often means data protection, although there are the financial services regulations, and many do have industry standards governing IT and data, that they must comply with.  This often means that owners and managers undertake quick wins using box-ticking measures which often come a cropper sooner or later.

The book quotes from the BT Security survey released in January 2022.  One aspect which I fully agree with is the emphasis on getting security basics right and the importance of awareness development amongst employees.  Getting this right and training our employees are essential pillars of any cyber security practice, so as the book says, the question remains, why are we still banging on about it? – and everyone who reads my stuff knows I do that a lot.

There are a lot of traditional good security practices which have been pushed and re-emphasised time and time again.  Patch management, access management, anti-virus/malware, firewalls etc, and from my time working in the corporate space, I know that large enterprises have spent millions on traditional areas of cyber security over the last 2 decades.

But are we really still stuck there, entrenched in traditional thinking when our working practices are changing, technology is changing, compliance requirements are changing?

SME management is often completely left behind by these changes.  They have enough problems just keeping their businesses afloat and trying to grow, they don’t have enough time or resource to keep abreast of these many and varied issues.  Let’s face it, if corporate management is struggling with this changing landscape given their resources, what hope for the SME.

More than half (54%) of SMEs in the UK had experienced some form of cyber-attack in 2022 (stats for 2023 are starting to trickle through), up from 39% in 2020 (Vodafone Study, 2022).  As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

So, what does he mean?  As he’s not here to ask I suggest that he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

But now we have the ‘new normal’ with many businesses enjoying the financial bonus of having a smaller office footprint whilst many people work remotely, bringing with it an increase in security problems.  Earlier we mentioned traditional security solutions that have been around for a long time, most of which pre-date the pandemic and were based on the old bastion security methodology ie a network perimeter, protected with traditional solutions.  But that bastion model no longer exists in many places, or if it does, it only protects half the workforce in the office, whilst the other half work remotely.  What is needed is new solutions that protect your staff wherever they might be working from.

Luckily for you, we have such a solution.

Cyber Awareness Training General Security Issues Identity and Access Management Risk Analysis and Security Strategy

A Company’s Tale – From COVID to Hybrid – Part 2

In last weeks blog we talked about a company that was forced, by COVID restrictions, to move to working from home, and how that affected the organisations’ structure and ability to continue in business, and some of the difficulties they faced. 

We reached a point where they had started to get back into the office but had decided to adopt the hybrid method of working, saving money on floor space, fuel and light etc.  But this has come with problems of its own which we’ll look at now.

Hybrid working is something that many SMEs like because of the cost savings, providing of course that the business doesn’t require people on site, such as manufacturing, transport etc.  Company’s such as lawyers, financial advisors/accountants, HR facilitators, recruiters and the like, can support hybrid working quite easily, from an operational standpoint.

Last week we saw that the 2 partners are aware that they hold a growing amount of personal and corporate data, not just about their own staff and systems but also about their clients.  They were also aware of the Data Protection Act 2018 and GDPR but at a very surface level and were not sure about how much this will affect them.  For example, in terms of policies, they have very little that references the DPA 2018 and/or GDPR.  Their website does not contain the necessary privacy statement or statements regarding the use of Cookies.  They don’t have an overarching security policy or a cyber security strategy in place.

So, what’s are the issues arising from last paragraph?  Well, the DPA 2018, or UK GDPR as it’s becoming colloquially known, requires that data is processed and stored securely and that managers and staff are aware of the regulations regarding the safe processing and storage of information, which are quite extensive and can be daunting, but needn’t be an issue for SMEs, if not ignored.  The ICO is, in my experience, very helpful in this regard and are not there to hand out heavy fines, threatening to put you out of business. If you can demonstrate that you have done your very best to obey the law, then they will be helpful and conciliatory.  On the other hand, if you’ve been neglectful and even a little cavalier about it, then not so much.

But getting back to the case in point, these guys were now at the juncture where they had their staff working from home for about 3 days a week, and coming into the office on 2 days, unless of course they were consultants who were visiting client sites and were working on the move.  Everyone now had a company laptop, including admin staff, and data was held on the cloud.

But what didn’t they have, and how would that affect the?  Well, firstly they didn’t have a cyber security strategy in place.  So, what is a cyber security strategy?    It’s a plan that outlines an organisation’s approach to protecting its digitally held assets and information from cyber threats. This strategy typically includes policies, procedures, technologies, and practices that are designed to prevent, detect, respond to, and recover from cyber-attacks.  People, Process and Technology combined and integrated to provide protection.

This needn’t be scary, and you can pick and choose what is important to your organisation, what needs to be comprehensive, and what can be less so.  The level of risk you are prepared to take, is entirely your call.  Key components might include:

  • Risk assessment: Identifying and prioritizing potential threats and vulnerabilities to the organization’s systems and data.
  • Security controls: Implementing technical and procedural measures to protect against cyber threats, such as firewalls, encryption, access controls, and employee training.
  • Incident response plan: Establishing protocols for responding to and recovering from security incidents, including communication plans, containment strategies, and forensic analysis.
  • Continuous monitoring: Monitoring systems and networks for suspicious activity or anomalies that could indicate a security breach.
  • Compliance management: Ensuring that the organization complies with relevant laws, regulations, and industry standards related to data protection and privacy.

What the management is doing here, is laying down a framework for how things need to be developed.  It doesn’t need to happen all at once,

Not having formulated a strategy, the company didn’t have much of this in place, and what it did have wasn’t well structured and integrated.  The security products in use were stand alone, working independently of each other.  Another major flaw was that they had no cyber awareness training in place, neither did they have effective policies.  Those that they had were downloaded from the internet as a box ticking exercise.  They were in fact a cyber disaster looking for somewhere to happen.

The 2 partners were aware of these issues and yes, they took some time to get around to addressing them simply because recovering the business from the issues arising from COVID, took precedence.  But they realised that this couldn’t be put off for any longer and took action.

They engaged with us to first carry out a Cyber Maturity Assessment.  This covered:

  • Cyber Security Strategy.
  • Cyber Security and Data Protection policies.
  • Protective monitoring and vulnerability assessment.
  • Incident response and business continuity planning.
  • Access control.
  • Employee awareness training.
  • Compliance.
  • Technical Security

The strategy they needed could be very much simplified to meet their requirements, but it did cover the salient points and gave a clear indication of what was needed immediately, what could follow and what was more of a nice to have rather than a necessity.  To that end we were able to structure remediation that was phased over a number of months, covering 2 budgetary periods.

End result, they had a solution that was affordable as well as appropriate to them.  It covered staff in the office, working from home and on the move.  It kept them compliant with the relevant legislation and set them up to achieve a standard such as Cyber Essentials, which is next on their list.  If necessary, they could even go as far as ISO2700x series, although that might not be appropriate for them at their current size.

Scroll to top