Author: Kevin Hawkins

More about Risk Management

I’ve decided I haven’t bored you all enough about risk management yet, as it pertains to cyber security.  Try not to stretch your jaw too much as you yawn, and stay with me, because it is extremely important and will become more so as cyber-attacks get more sophisticated and, more importantly, ever more common, as AI makes them much easier to implement and enables hitherto less skilled criminals to become more capable.

We are still, in the SME market, suffering from a misunderstanding about what cyber security is all about.  I know I bang on about this, but it can’t be overstressed.  Without fully understanding the risks you are exposed to, how can you be sure that you are spending your limited budget in the most effective way, and in a way that is doing some good?  I threw that last bit in because I come across situations all too often, where an SME is wasting money and resources because they don’t have a handle on their security risks.

Now I know that many will say that this is a technical matter and that we have a company under contract that looks after our IT infrastructure and therefore we can safely leave it to them.  Wrong.  Ask them some simple questions: 

  • Have they fully identified your security assets?  Security assets are not just hardware and software; in fact, those are often the least of your worries.  It’s the data, where it is and how it’s protected, that is important.

  • Have they done a risk assessment on those assets?

  • Have they recommended or implemented controls to manage the risk down to your acceptable residual risk level?  That is assuming they have spoken to you about what that acceptable risk is.

It’s very important that business owners grasp the difference between the technical requirements of their networks, and the business requirement. 

  • Tech

Describes the protection of networks, computers, programs, and data. It is a branch of cyber security which is focused on preventing intrusion and therefore theft or manipulation of your systems, from both internal and external sources. Technical security consists of tools such as firewalls, anti-virus software, intrusion detection systems and more to prevent and defend against attackers. 

Technical security needs to work within a defined and business focused security strategy.

  • Business

Encompasses all aspects of protecting digital assets, including computer systems and networks, from unintended or unauthorised access, change or destruction. Cybersecurity focuses on devising a security strategy and identifies controls, processes, and technologies to ensure the protection of data, programs, networks and associated software from unauthorized access or attack. It is focused on People, Process and then Technology.

Cybersecurity has a larger role in protecting organizations from malicious cyber-attacks and data breaches. A comprehensive cybersecurity strategy should include preventive measures such as strong authentication protocols, encryption, and threat intelligence analysis; detection mechanisms to rapidly identify attacks; response plans to quickly mitigate the damage; and recovery procedures to help recover after an attack. All these operational capabilities can help ensure organizations are better prepared to defend themselves against potential threats. 

Bottom line folks – you can outsource your IT, but you can’t outsource your responsibility. 

Risk management is all about helping us to create plans for our future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis. 

We need to manage risk to enable us to make the best possible decisions, based on our analysis of future events and outcomes. Whilst the future can be anticipated to an extent, there are limits to how much it can be anticipated. 

There is no business without risk, and an acceptable residual risk in one company will not be acceptable in another.  That’s a business decision.  Risk must be recognised and then managed in some way or other, classified in some way. And whilst we would all like to abolish risk, that won’t happen.

Whilst working for major providers servicing the big companies, banks and major government departments, we would recommend that at least 15% of their annual IT budget should be allocated to cyber security.  That means not just tech but also reviewing cyber security policies and processes, cyber awareness training for staff and managers, reviewing the threats and vulnerabilities and then revisiting the risk to their assets.  It’s interesting to note that the figure of approx. 15% has crept up over the years.  About 20 years ago we were saying 5%, then 10, and now it’s a minimum of 15%, and some companies are allocating even higher percentages as threats increase year on year.  That figure could easily skyrocket once AI becomes prevalent amongst the criminal fraternity.

Just keep in mind that cyber security is a business issue and not an IT issue and that cyber risk must be evaluated and dealt with in the same way that you would any other risk to your livelihood.

Secure By Design

I read a post on LinkedIn the other day, discussing the principle of Secure by Design.  It’s a very interesting topic and one that correlates perfectly with my recent posts on the issues surrounding SMEs, and their attitude to Cyber Security, and the posts about risk management.

What do we mean by Secure by Design?  Well, it’s all about identifying and managing your risks, so your future cyber security strategy, and the resources needed to fulfil that strategy, might look very different to how it’s structured today.  It will take a clear business focus, with the management team clearly communicating the business requirements to the IT and cyber security teams, so that everything is in alignment.

Let’s look at how most SMEs approach cyber security today.  To be fair to them, their focus is on obtaining IT solutions that support the business, and obtaining them as cost effectively as possible, and with the minimum of support costs.  Cost control is vital to many SMEs.  This means that they are extremely reluctant to spend money on what they see as not being part of their core business.  Of course, if they get a cyber-attack or scam, or worse a data breach attracting the attention of the ICO, then their costs trying to fix the issue can easily outstrip any costs in prevention.

The approach most take is to trust their IT provider to give them the protections they need.  Most of these IT providers are what is known as re-sellers, i.e. they sell other people’s products and will push those products because that’s their business model.  What they won’t do is take a risk managed approach, which is essential in ensuring that any limited spend on security, limited because the SME is cost constrained, is targeted where it’s needed and will be most effective.  In other words, the technological approach taken by most IT support companies will do half a job at best.

In essence then, if you don’t understand the risks you face, how can you ensure that your cyber security strategy and protections are fit for purpose?  Risk management is all about helping us to create plans for our future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis.

We need to manage risk to enable us to make the best possible decisions, based on our analysis of future events and outcomes. Whilst the future can be anticipated to an extent, there are limits to how much it can be anticipated.

Business risk, in terms of cyber security, encompasses all aspects of protecting your assets, including computer systems and networks, from unintended or unauthorized access, change or destruction. Cybersecurity includes controls, processes, and technologies to ensure the protection of data, programs, networks and associated software from unauthorized access or attack.

Cybersecurity protects organisations from malicious cyber-attacks and data breaches. A comprehensive cybersecurity strategy should include preventive measures such as strong authentication protocols, encryption, and threat intelligence analysis; detection mechanisms to rapidly identify attacks; response plans to quickly mitigate the damage; and recovery procedures to help recover after an attack. All these operational capabilities can help ensure organizations are better prepared to defend themselves against potential threats.

This differs from the purely technical approach which is a branch of cyber security focused on protecting computers, networks, and programs from unauthorized access to data either by hackers or other malicious players using tools such as firewalls, anti-virus software, intrusion detection systems and more to prevent and defend against attackers. It is subservient to the overall strategy, which is focused on People, Process and then Technology.

A good starting point is an acceptance that risk can’t simply be abolished. Risk must be recognised and then managed in some way or other, and classified in some way; many choose a simple High, Medium and Low. And whilst we would all like to abolish risk, that won’t happen.  There is no business without some risk, the trick being to minimise risk to an acceptable level.

You will often hear the claim, ‘We have no clear definition of risk’. How on earth can we manage something that we haven’t defined?  Fair enough. Given this, how can we really know what everybody else means when they talk about ‘risk’?

We can see a clear lack of a definition as an essential aspect of risk management. The fact that organisations won’t necessarily know exactly how everyone defines ‘risk’ forces us to explain to each other what we mean. It makes us ask questions and challenge assumptions.

Simply put, of course, a definition for an individual organisation may simply be this question for each business asset or process: ‘What would the risk to the business be if this process/asset was corrupted/denied/compromised or lost?’  This gives us 4 risks (data corruption, denial of access, and lost and compromised data/hardware/software etc.), and it allows us to immediately assign a level to that risk of high, medium, or low, depending upon the perceived hit on the bottom line.

It’s a false and dangerous notion that you can fully understand and manage all risk. Instead, you should approach this with a sense of realism and pragmatism. Breaches of cyber security can and do happen to anyone, even the most diligent. 

Don’t try and chase the Holy Grail of perfectly secure systems and a risk-free business; just make sure that you have thought about what can go wrong, and that this thinking has influenced your decisions.

Don’t despair, you can still protect yourself from many cyber-attacks by following good risk management techniques that define what controls you need to put in place, be they procedural or technical in nature.

In summary, Risk Management is a proactive attempt to recognise and manage internal events and external threats that affect the likelihood of a cyber-attack or data breach:

  • What can go wrong (risk event).
  • How to minimise the risk event’s impact (consequences).
  • What can be done before an event occurs (anticipation).
  • What to do when an event occurs (contingency planning).

Of course, we do hear the argument that an SME can’t get involved with Secure by Design because they can’t afford the resources to do so.  We suggest you have a word with us and see how we can help in a cost effective way that won’t break the bank.

What irritates SME Owners and Founders, when it comes to Cyber Security?

Ask that question amongst said SME Owners and Founders and I strongly suspect that you’ll get some differing answers, and possibly some colourful language.  But I also suspect that there will be several recurrent themes.  Chief amongst them will be that they feel they are being pressured into buying this or that solution and get inundated with sales emails.  The use of FUD, Fear Uncertainty and Doubt, is also a real irritant, and with good reason.  Keep crying wolf and the message starts to get samey and eventually ignored.  That of course is a big problem because regardless of the FUD, the dangers are very real.

I tend to come back again and again, probably boring the pants off people, with the argument that relying on your local IT provider to give you good advice and guidance on cyber security is a major part of the problem.  They will almost always push the technical solution.  Their focus is on selling hardware and software, whereas cyber security is first and foremost a business issue, not an IT issue, and many of the protections needed revolve around people and process, not technology.  Pushing that thought, though, is anathema to the IT support company because, firstly, they don’t get it any more than you do, and secondly, it doesn’t sell licences.

Conversely though, an SME neither needs, nor can afford, a full time cyber security professional on staff, and for that matter, neither can the IT support company.  So what’s the answer?  Now this is where I get accused of trying to sell in my services, rather than giving good advice.  I would counter that by saying that taking my services is taking good advice.  I can provide over 20 years of experience in cyber security to an SME, or indeed a startup, using a day or half day rate, and providing advice and guidance when it’s needed, without breaking the bank.

I usually start with telling the Board that SMEs should prioritise cyber security awareness training for all employees. This training should cover topics such as recognizing phishing emails, creating strong passwords, and safely using company resources etc.  Crafting a programme is not difficult and delivery can be automated, keeping time away from the day job to an absolute minimum.  Those that read my stuff regularly will no doubt not be at all surprised that I push this.  Cyber awareness training is the quickest win any SME can undertake, and it’s not expensive.

Keep in mind that a successful cyber attack can disrupt operations, compromise customer data, and lead to financial losses. For SMEs, which often rely heavily on customer trust and loyalty, a breach can tarnish their reputation and erode the confidence of existing and potential clients.

What most SMEs lack is the understanding that they have a responsibility for continuous improvement.  Having said that technology comes third after people and process, it is still extremely important when examining threats to the business from hacks and scams.  A business owner needs advice, guidance and recommendations for continuous improvement of the processes and solutions required to provide adequate defences.  How many SME owners have the time to keep up with the latest cyber threats?  How many have a good handle on the latest scams, and an understanding of how well cyber criminals are getting to grips with AI and using it to create new attacks and scams, and to update existing ones?  Not many SME owners have that time to spare, if any.

How many SMEs can devise a cyber security strategy that provides not just the answer to the threats today, but can grow and flex with the business, taking into account the latest threat assessments?  For that matter, how many local IT support companies have the skill set to do that, and indeed, the inclination to do that?

Advice and guidance is needed to identify and prioritise security controls based on the specific needs of that particular SME, enabling them to allocate resources effectively and efficiently, in order to proactively and significantly reduce the risk of successful cyber attacks.

And, very importantly, this approach allows an SME to target their very limited spend on what the risk to the business actually is, and to ensure that the protections being put in place are what is needed and that they are giving value for money.

Artificial Intelligence – It’s here to stay

Artificial Intelligence is coming more and more to the front in the news, in just about all spheres of IT, no matter the vertical it serves. 

What exactly is AI?

Artificial intelligence (AI) describes computer systems which can perform tasks usually requiring human intelligence. This could include visual perception, speech recognition or translation between languages.

Of course, that’s not the only description you’ll find if you use your best research tool, Google, but it’s one used by the National Cyber Security Centre, so it’ll do for me.

I’m willing to bet that many of you, most of you, have some form of AI app downloaded on your devices.  ChatGPT is arguably the most popular amongst the general populace but it’s not the only game in town.  These apps are becoming more and more available and popular. ChatGPT is an artificial intelligence chatbot developed by OpenAI, a US tech startup. It’s based on GPT-3, a language model released in 2020 that uses deep learning to produce human-like text.  It has an underlying technology that has been around much longer, but this blog isn’t about the technicalities of AI, but more about how it affects SMEs as they go about their business.

I’ve been arguing that perhaps the biggest potential threat in terms of proliferation, i.e. the number of attacks waged at a relatively low level, aimed at quick wins in terms of scamming money, is the re-emergence of the script kiddie.  I wrote, some time ago, about how code could be written to be inserted into a Ransomware attack, quite easily, using AI.

Script Kiddie

A script kiddie was what we called someone of relatively low skill levels who would go online to the dark web, and purchase scripts written by more advanced criminals that they had put up for sale.   The script kiddie would then use these scripts to mount an attack on a company or organisation.  These often failed because the script kiddie wasn’t all that bright, but just occasionally, they were harmful and even devastating.

Another scam, reported in The Washington Post, was an update on the very well reported CEO Scam, whereby someone impersonates the CEO of a company using spoofed email, but this time it’s using AI to spoof the CEO’s voice, attempting to scam money from the company.  This one worked, and the company lost a lot of money.

So why am I bringing this up again so soon?  Well, AI continues to be reported in the news, sometimes with a good result and sometimes not so good.  So, I thought I’d ask ChatGPT what it thought about AI and Cyber Security.  I asked 2 questions, the first was, ‘Is AI a danger in terms of Cybersecurity?’.  The answer came back:

Double Edged Sword

AI can be both a boon and a potential danger in terms of cybersecurity.  On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks.  On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously.  Sophisticated AI powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale.  It is crucial to develop robust safeguards, ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

So even ChatGPT thinks this is a double edged sword.  The real problem for my target clientele, the SME space, is that affording AI powered tools to detect and mitigate threats and analyse large amounts of data will seemingly be too costly for them.  But as many defences use AI themselves now, it’s actually quite affordable.  So, when we are talking about developing robust safeguards, understanding the risks becomes even more vital, if that’s possible, than it ever has been before.  It also brings Zero Trust solutions sharply into focus, and finding such solutions that are affordable is going to become crucial.

The next question I asked was, ‘How do we ensure that AI isn’t a cybersecurity threat?’.  The answer came back:

Key Considerations

Ensuring that AI is not a cybersecurity threat requires a multi-faceted approach. Here are some key considerations:

1. Robust Security Measures: Implement strong security protocols, encryption, and access controls to safeguard AI systems and their underlying data from unauthorized access or manipulation.

2. Rigorous Testing and Validation: Thoroughly test and validate AI algorithms and models to identify and fix vulnerabilities, including potential avenues for cyberattacks, before deployment.

3. Adversarial Testing: Conduct adversarial testing to simulate potential attacks and evaluate the resilience of AI systems against different cybersecurity threats.

4. Data Privacy and Governance: Establish clear policies and practices for data privacy, ensuring that sensitive information is properly handled, stored, and shared in compliance with relevant regulations.

5. Ongoing Monitoring and Updates: Continuously monitor AI systems for potential security risks, promptly address vulnerabilities, and keep software and hardware up to date with the latest security patches.

6. Ethical AI Development: Integrate ethical considerations into the design and deployment of AI systems, emphasizing transparency, fairness, and accountability to mitigate potential biases or unintended consequences.

7. Collaboration and Information Sharing: Foster collaboration among industry, academia, and government entities to share knowledge, best practices, and emerging threats, enabling a collective effort to combat AI-related cybersecurity challenges.

8. Education and Awareness: Promote cybersecurity awareness and provide training to AI developers, users, and stakeholders, emphasizing responsible AI usage and the identification of potential threats.

By following these guidelines and continuously adapting to emerging risks, we can enhance the security of AI systems and minimize the potential for them to be exploited as cybersecurity threats.

Next Steps & Relevance

Again, looking at this from an SME perspective, some of it isn’t relevant; No. 6, for example, as SMEs aren’t going to be developing their own AI solutions.  And much of it I would have come up with on my own, without the aid of a machine.  It would appear that AI uses some common sense, which is nice.  No. 8, for example.  I bang on and on about this.  It is low cost and easy to implement.  It’s staggering how many companies don’t do this. This list also shows the value of Zero Trust solutions and encryption, which on its own vastly reduces the risk to data, particularly PII (personal identifiable information – UK GDPR).

The argument then is that AI might encourage a proliferation of low level attacks, largely aimed at SMEs who generally have the lowest defences.  Quite low level criminals can utilise AI to carry out attacks that heretofore would have been beyond their skill level.  Common Cyber sense can go a long way to mitigating these attacks.  Technology evolves, attacks evolve, but the basic understanding of threat + vulnerability = risk, has never gone away.  Understand that and you stand a good chance of staying safe.

Can a Board Advisor Help You Devise Your Cyber Security Strategy?

I’ve always dabbled in Board Advisory roles, even when working for major IT integrators, because consultancy at a senior level, often crosses that boundary.  The bigger companies will often value having independent advice, although I have found it’s not always welcomed by their in house IT/Cyber team, who can become quite defensive.  The more experienced of them do see the value, even if it’s only validating what they have already put forward as a solution to a particular problem.  And they often use a Board advisor to craft the boring bits, around strategy and policies.  And I’m OK with that.

When we set up H2 to service the SME sector, we naively thought that they’d welcome an advisor who could guide them through what can be a difficult minefield.  It was a bit of an eye opener that SMEs don’t see the value in this at all.  In fact, what they see is a drain on resources.  It’s a little strange, because they are very happy to spend money on getting advice from their local IT company that supplies, and often manages, their IT infrastructure, but who are also focused on selling a product set, dressed up as a solution.  Now, I know that that will upset some IT providers, and I’ll water my comments down a little by saying I’m referring to Cyber Security, which is a distinct discipline that many nibble around the edges of without any in depth knowledge or experience.

So, what does a Board Advisor do? 

Board Advisors help to guide businesses but are not legally authorised to bind them. As companies establish themselves, moving from an idea to a fully structured and realised organisation, they typically prepare for full operation, sales, and/or fundraising, and in my case, Cyber Security.

As they begin these processes, experts in the field – including mentors or specialists brought into the organisation by a mentor – become hugely valuable as the organisation works to achieve its goals. Advisors are key assets, and it’s crucial to formalise exactly what they will provide, their availability, who they can introduce you to, and how much time they can give you – as well as how they will be compensated in exchange for these services.  A board advisor can help fill in any gaps in your team in terms of both experience and expertise. They can also help you bring in new team members and sometimes sources of funding as opportunities allow. Most crucially, they can do all of this while giving you time to think about what you need to be doing to grow your business, or just get it and keep it, running.

Board Advisors are also far more flexible, offering services either on an ongoing basis, in parallel to a Board of Directors, or as part of your transition into a formal, Board-run business.  In other words, they are not full time employees, but work on a part time basis where you pay them for their time, bounded as you see fit.

How does a board advisor add value?

In terms of cyber security, a Board Advisor is an experienced cyber security professional who provides advice and support to a business’s leadership without sitting on their Board. They provide counsel based on their prior experience in this field to help the Board make decisions, especially when faced with unfamiliar challenges.  And most challenges in the field of Cyber Security will be unfamiliar to them. 

When working as an advisor it is essential that we are excellent coaches and can demonstrate our deep knowledge of the subject.  We need to take their board members, their in house IT teams and their IT users with us, getting them onside and letting them know that we are there to enhance their knowledge and skills; we are not their enemies.  We must also be prepared to work with any IT company they may have under contract, although that can be a bigger challenge.

Summary

Having a Board Advisor who can mentor the leadership team and other employees, either on a retainer or paid for actual hours worked, can be a great boon for an SME.  Just having someone who can debunk the myths, devise strategy and training programmes, and advise on cyber risk, is something that any SME management team should value.

What Are The Chances of a Cyber Attack Affecting You?

That’s a really good question and one that’s very difficult to pin down.  There are studies galore, mostly from the cyber security industry, and you might feel a little sceptical about those, but also from Governmental sources, which you might consider hold more weight.  Fear, Uncertainty and Doubt, known as FUD, permeates the airwaves about this and it can be a bit of a nightmare separating fact from exaggeration.  And I get that, I really do.

Aviva, not of course a cyber security company but who nonetheless do sell insurance, carried out some research reported in December 2023, which seems, on the face of it, to be a little more realistic.  They have said that one in five UK businesses have experienced a cyber-attack or incident, with nearly one in 10 (9%) small businesses experiencing this in the last year. This number rises to 35% of large corporate businesses, showing the increasing risk that cyber presents.  But even this has some problems, in that it depends on how many businesses reported such an attack or incident.  There is other research that suggests that many businesses, especially SMEs, keep such things well under wraps.

Small Business Cyber Attack Statistics 2024 (And What You Can Do About Them) says that SMEs account for 43% of cyber-attacks annually, of which 46% were SMEs with 1,000 or fewer employees.

In the 2023 Not (Cyber) Safe for Work Report, there are some alarming statistics.  A staggering 97% of executives use personal devices to access work accounts, and 74% frequently send work-related emails and texts from these devices.  This behaviour significantly increases the vulnerability of SMEs to cyber-attacks, putting not just operations at risk but also sensitive employee and customer data.

SMEs are often repositories of a considerable amount of personal and financial information, making them lucrative targets for cyber criminals.  The report further indicates that one in three respondents has fallen victim to data theft via scams.  A single can result in identity theft, financial loss, and severe reputational damage.

This is a suggested list of the top 10 Cybersecurity Threats:

  • Social Engineering (often a precursor to Phishing).
  • Third-Party Exposure.
  • Configuration Mistakes.
  • Poor Cyber Awareness and Practice.
  • Cloud Vulnerabilities.
  • Mobile Device Vulnerabilities.
  • Internet of Things.
  • Ransomware.

Given that many SMEs have now adopted the hybrid working style since COVID, these are not particularly surprising.  Working remotely isolates employees who can be much more easily panicked into doing things that are unsafe, than if they have someone on hand, in the office, they can turn to for advice.  For example, Phishing.  Should I click this, does look a bit iffy?  I’ll ask Fred and see what he thinks.  As opposed to sitting at home, working to a deadline, and getting pressured by well-crafted Phishing emails, and thinking, I’ll just do it, what’s the worst that can happen?

One of the major problems facing all sizes of business is the lack of cyber security skills available for hire, either as an FTE or a contractor.  Shockingly, in September 2023, 50% of all UK businesses had a basic cybersecurity skills gap, while 33% had an advanced cybersecurity skills gap. These figures are consistent with those from 2022 and 2021, highlighting the persistent skills gap issue.

We talked a little bit above about people using their devices.  This isn’t necessarily a major issue, providing the individual is prepared to adhere to some security controls being placed on that device, if it is to be used for work.  It’s a bit of a balancing act.  It is reported that 80% of employees are uncomfortable with the idea of their personal devices being monitored by their companies, yet 73% would consent to having cyber security software installed on their devices.  So, a balanced approach is needed, which respects individual privacy while ensuring collective security.  Not easy.

Here are 5 actionable steps we are recommending SMEs take:

  • Employee cyber awareness training.  Probably the biggest and cheapest quick win any SME can and should be taking.
  • Strong access control using multi factor authentication.  This should be a no brainer.
  • Cyber Security audits and monitoring.  Not easy for many SMEs who will be put off by thinking about costs.  However, this has become much more affordable, and all SMEs should be having conversations around this.
  • Encryption.  Again, becoming much more affordable and easier to use.  If your sensitive data is encrypted, the chances of falling foul of data protection become much less of an issue.
  • Supply chain security.  Many SMEs are in the supply chains of the bigger companies, often utilising online processes, connecting direct to the customer.  What would happen if a cyber-criminal gained access to a customer of yours, through your systems?

There is no silver bullet for this.  First and foremost, it must be recognised as a business issue, not an IT issue.  It must be owned from the top, and dealt with by the board, as they would any other business issue.  You can outsource your IT management, but you can’t outsource your responsibility.

Cyber Security Really is a Business Issue, not an IT Issue

Happy New Year and welcome to my first blog post of 2024.  For my theme I thought I’d expand on a post I made earlier this week on LinkedIn, about how cyber security is viewed by many SMEs and explore why that view appears to be paramount.  I am pretty much of the view that the attitude I’m about to expand on, is as much the fault of the cyber security industry, as anything else.

We tend to flood potential clients with adverts and articles, mainly focused on technology.  Much of this comes from sales, rather than from the seasoned cyber security experts, that you might wish it did.

Let me give you a couple of quotes.  The first comes from a renowned Harvard scientist and cyber security specialist.  He says, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.’  The second comes from Joe Longo, the Chair of the Australian Securities & Investments Commission.  He says, ‘If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.’

Boil that down and they are saying that this is not an IT issue, it’s a business issue.  That’s not discounting technology’s role but without integrating it with PEOPLE and PROCESS, we’re only curing half the ailment. When advising a company’s leaders, we must not only identify the threats but also gauge vulnerability to these threats and ascertain the risk to the business. Only then can we craft a solution that harmoniously unites People, Process, and Technology.

Perhaps because there is a considerable amount of what we call FUD, fear, uncertainty and doubt, doing the rounds constantly, it concentrates people on thinking about specifics, instead of looking at the bigger picture.  Whilst there is no doubt that phishing, ransomware, and other scams have certainly concentrated the mind somewhat, and these attacks are most definitely not confined to the large enterprise businesses, but have been attacking, with a lot of success, the small to medium business market, this causes vendors to try and exploit the issues around that and push their technology solutions and of course, SMEs rarely, if ever, have the expertise to judge whether or not a particular product will actually give them the protection they need.  We now must add into the mix AI and its capacity for increasing cyber-attacks at all levels, making the production of code, so much easier and making it available to those perhaps less skilled than heretofore.

As we travel around and visit clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  Let’s just remind ourselves of the quote from Bruce Schneier:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.

So, what does he mean?  As he’s not here to ask I suggest what he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

It’s also necessary to have some form of measuring the effectiveness of your solutions through a protective monitoring solution.  Such solutions for SMEs have long been considered too expensive to even consider, even though they provide a set of cybersecurity practices and measures aimed at safeguarding an SME’s digital assets and sensitive information.

But first and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it goes not as expected?  Do I want to take this person on?  Etc etc etc.  Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take.  Failure to do that will almost certainly be damaging to your business, perhaps fatally so. 

Within SMEs the difference between assessing day to day business risk and assessing risk to information assets, is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations?  I could go on.

The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate to achieve your business aims.   You need to ensure that supporting policies are produced, implemented, understood by employees, and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

Sadly, that’s not the end.  User education is probably the most important element of all for an SME.  Ensuring that your staff are aware of the policies and why they exist.  Protect yourself against scams which sadly, form the biggest danger to SMEs rather than hacks.  Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

Christmas Scams

I’ve just arrived back in the UK having been in the Netherlands and Germany visiting some Christmas markets.  As well as nearing bankruptcy, having bought stuff that we would never buy at any other time of the year, and in any other place, it reminds me of the way that Christmas tends to open wallets like no other time of year, but that we still need to watch the pennies.  A bargain cannot be passed up.  This of course can open us up to some scams that we might otherwise not give the time of day to.

I thought I’d compile a list of 8 of the current types of scams doing the rounds, that tend to get more success at this time of year.

Phishing Scams


Always top of my list.  Criminals send emails that look genuine to make you click on a link to a fake site or open an attachment that infects your machine with malware. They will be designed to make you panic and rush your decision. THINK before clicking.

Shopping Scams


A seasonal favourite.  Love top brands with low prices? Stay vigilant for counterfeit goods. These range from poorly made clothes to dangerous electronics which fail to comply with safety laws. These are often pushed hard on web sites put up just for this purpose and taken down again soon after.  If it sounds too good to be true, it probably is.

Phone Scams


Criminals ring you to discuss a topic then ask you to press a number on your phone keypad to ‘opt out’ of a survey for example. It will generate extreme charges which the criminals will profit from. Just put the phone down.  Another is asking a simple question and wanting a Yes or No answer.  They then record you saying yes, to use your voice giving agreement to something totally different, that will cost you big money.
 

Ecard Scams


Watch for those e-cards you receive online. They could be infected with a virus that could shut down your device and you could be held to ransom to restore files. Get a good anti-malware installed that will alert you.

Fake Websites


Using the web to buy Christmas presents? Criminals set up fake websites that look identical to the genuine ones to steal your personal details and money. Secure website addresses start with ‘https’ and display a locked padlock.  However, that doesn’t always protect you.  All a scammer must do is to buy an SSL certificate and then their website will display the padlock and begin with https.  There is no substitute for awareness and vigilance.
 

IT support scams


IT support scams could be via a phone call or email stating there is something wrong with your computer and it needs fixing. They will try to direct you to a bogus website. Companies like Microsoft will NEVER call you directly.
 

Fake Charities


Watch out for criminals using a legitimate charity’s name and appealing on their behalf, for a donation. If suspicious, ask to see their official charity ID which they’re required to carry. TRUST your instincts.  If it’s online then go to their official website and see if it matches the one you’re looking at, or check the email address/phone number if it’s an email or text you’re looking at.  Again, vigilance at all times.
 

Refund Scams


You may receive an email or text pretending to be from the Council or a well-known store promising a credit or tax refund and a link to click to claim the money back. They’ll ask for bank details. DON’T give them out.

Many of these sound very familiar and I’m sure you are going to think that you’d never fall for anything like that.  But people do, and it’s a thriving industry.  They prey on people who are busy and the scammers don’t give you time to think.  Electronic scams in the main, are just a rehash of old fashioned con tricks which use the same formula.

One major difference we are seeing though is the use of AI by scammers.  I wrote a piece back in May about AI entitled ‘AI – Good or Evil?  A Clear and Present Danger to Cyber Security?’  I’ve discussed how AI could be used to generate code to be inserted into a Ransomware attack, and perhaps heralding the re-emergence of the once fabled ‘script kiddy’. Whilst there is no doubt that AI has a great potential for good with applications in just about every sphere of IT, it can allow some very nasty people, who have very limited technical ability, to introduce new and frightening scams. I also quoted a story from CNN where a lady in the US received a call allegedly from her daughter, which was very scary indeed and the ‘daughter’ was yelling and sobbing that she’d been kidnapped, and other voices could be heard in the background.  Of course, these were all generated by AI and turned out to be totally untrue, the daughter having called her mother and assured her she was safe.

Of course, this is an extreme case, but it does demonstrate the power of AI and its ability to be used by unscrupulous and nasty people.  If this is happening in the US, it’s only a matter of time before it arrives here.

Another scam, this time reported in The Washington Post, was an update on the very well reported CEO Scam, whereby someone impersonates the CEO of a company using spoofed email, but this time it’s using AI spoofing the CEO’s voice, attempting to scam money from the company.  This one worked, and the company lost a lot of money.

Stay safe out there and online, be more vigilant now than you are at any other time of the year.

Aligning business strategy with Cyber Security Strategy

“If boards do not give cybersecurity sufficient priority, this creates a foreseeable risk of harm to the company, and thereby exposes the directors to potential enforcement action by ASIC, based on the directors not acting with reasonable care and diligence” – Joe Longo

Now, SMEs of course don’t generally have to worry about enforcement action regarding their cyber security, but the effects of not taking ownership fully can be quite devastating. Cyber security is a risk, just like any other regarding running a business, and needs to be treated accordingly.

Cyber security can be both a business and an IT issue.  It’s a business issue because breaches can have significant financial and reputational impacts.  It’s also an IT issue because it involves implementing technical measures to protect systems and data.  Effective cyber security requires a collaboration between business leaders and IT professionals to address both the strategic and technical aspects of security.

That said it has to be business led as the IT and cyber security strategy must reflect the overall business strategy that all elements of the business must adhere to.  You can outsource your IT, but you can’t outsource your responsibility.

Phishing, ransomware, and other scams have certainly concentrated the mind somewhat, and these attacks are most definitely not confined to the large enterprise businesses, but have been attacking, with a lot of success, the small to medium business market.  We now must add into the mix AI and its capacity for increasing cyber-attacks at all levels, making the production of code, so much easier and making it available to those perhaps less skilled than heretofore.

More than half (54%) of SMEs in the UK had experienced some form of cyber-attack in 2022, up from 39% in 2020 (Vodafone Study, 2022). So, what can you do to better protect your business? Well, here are some quick wins you can implement straight away: Ensure that you and your employees are using some form of password management software. Implement strong access controls to ensure that only authorised individuals can access critical systems and data. Invest in employee training and awareness programs. But this is just the tip of the iceberg when it comes to cybersecurity.

As we travel around and visit clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.

So, what does he mean?  As he’s not here to ask I suggest that what he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

It’s also necessary to have some form of measuring the effectiveness of your solutions through a protective monitoring solution.  Such solutions for SMEs have long been considered too expensive to even consider, even though they provide a set of cybersecurity practices and measures aimed at safeguarding an SME’s digital assets and sensitive information. H2 is making that affordable and appropriate for SMEs at a price of £10 per seat and offering a 14 day free trial of the solution.

But first and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it goes not as expected?  Do I want to take this person on?  Etc etc etc.  Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take.  Failure to do that will almost certainly be damaging to your business, perhaps fatally so.

Within SMEs the difference between assessing day to day business risk and assessing risk to information assets, is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations?  I could go on.

The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate to achieve your business aims.   You need to ensure that supporting policies are produced, implemented, understood by employees, and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

Sadly, that’s not the end.  User education is probably the most important element of all for an SME.  Ensuring that your staff are aware of the policies and why they exist.  Protect yourself against scams which sadly, form the biggest danger to SMEs rather than hacks.  Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

SMEs and their Trials and Tribulations in regard to Cyber Security and Data Protection

Earlier this week I put a post on LinkedIn talking about why SMEs don’t take cyber security as seriously as they should and often just pay lip service to it.  I said I’d elaborate on that in the next newsletter.  Well, here it is.

When Cyber Security hits the news, and thus our consciousness, it’s nearly always in terms of breaches, regulatory fines, and business disasters, and nearly always concerning a major household name.  We don’t talk about the benefits that it can bring, particularly these days when businesses of all sizes are looking to drive efficiency through digitising their admin and operations.  Cyber-attacks on British businesses are increasing year on year.  When it comes to cybercrime, small and medium-size businesses are not exempt from the disruption that impacts large organisations. If anything, their size can make them more vulnerable as they are perceived as a softer target.

So why SMEs tend to underestimate the chances of being on the receiving end, and often play that down, is something of a mystery.  As is the mindset that it’s an IT matter, not a business matter, when nothing could be further from the truth.  Cyber security must be owned by the business owner or board and driven top down.  It cannot be left to an IT manager, or worse, a company under contract to provide IT services.

Let’s think for a moment about one potential aspect, supply chain security.  Many SMEs sit in a supply chain for a major company or companies.  In fact, for many it’s a critical part of their business, without which they could be in real trouble.  Their customer will spend money and commit resources to their own security and I’m willing to bet that somewhere in their contract with their suppliers, there will be a stipulation laying down some cyber security standards as a minimum that they must adhere to, which I’m also willing to bet that unless audited, are rarely being met.

Large organisations rely on a network of SMEs. If they operate within the EU, they are subject to the EU General Data Protection Regulation (GDPR) and if they operate only within the UK, then they are required to be in line with what has become known as UK GDPR.  The two are very similar indeed. Under both, data controllers (those that collect the data) are responsible for their own compliance as well as that of any third-party processors. Lax compliance in implementing regulations has in fact created a unique opportunity for those SMEs that make the effort to invest in cyber security. With so many damaging data breaches, large organisations are now starting to examine the security practices of any potential third party and seeking agreement with partners to ensure that secure systems are in place. It is the responsibility of the data controller to ensure that third parties within its supply chain take appropriate technical and organisational measures equal to their own.

The UK Government-backed framework Cyber Essentials Plus provides SMEs with a way to demonstrate their security credentials. By gaining Cyber Essentials Plus certification, SMEs can demonstrate that their cyber security has been verified and audited by independent experts. Auditable proof is often requested during tender bids as part of the warrants and liabilities process. Being Cyber Essentials Plus certified can leapfrog a business ahead of the competition.

Supply chains are only as strong as their weakest link and therefore require standardisation in terms of security across the whole chain. SMEs able to prove their cyber security credentials can differentiate themselves from the crowd and maximise on lucrative business opportunities. Some 65% of UK small businesses have no plans in place to deal with potential supply chain disruption, including cybercrime. Ensure your company isn’t one of them by staying ahead of the game – don’t lose business due to supply chain weaknesses.

I’ve already said that the main challenge that I come across is that SMEs do not accept that this is a business issue and continue to see it as an IT Issue.  Consider this; if an attack, say Ransomware, hits the business, who suffers?  Is it the IT department and/or the IT Support company you have under contract to supply your IT/Network?  Or is it the business that takes both a financial hit and reputational damage, perhaps losing contracts from the larger businesses they have been supplying?  You know the answer.  You can outsource your IT, but not your responsibility.

Let’s examine what stops SMEs from taking the view that it is in fact a business issue.  My experience of working with SMEs is that the two main issues are budget and resource, both of which are closely entwined.

SMEs do not budget for Cyber security.  They conflate this with their costs for IT support and will expect their IT support company to provide an adequate level of security within the services and products they supply.  I’ve talked before about this.  Most, if not all, of these companies are what is known as Value Added Resellers, or VARs.  What this means is that they sell other people’s products, firewalls, anti-virus etc. And of course, they push those products, ie the flavours of those products they sell, onto their clients.  The value added bit comes in the services they provide.  In terms of security that generally, although not always, means that their skill set is in the configuration and maintenance of the products they sell.

I’m not knocking that, it’s a perfectly acceptable business plan and has been around for as long as IT has been around.  But from a security perspective, it ignores the basics.  Whilst technology has come on in leaps and bounds, making it sometimes a nightmare to keep up with, the basic principles of security have never changed.  It is built on three towers, People, Process and then Technology.  If you haven’t got the right training and awareness in place, if your processes and policies aren’t sound, up to date and rolled out across the business, then all the technology in the world won’t protect you.  Risk management is crucial.  Understanding the threats to your business and how vulnerable you are to those threats, married to your assets (which aren’t confined to hardware and software), will inform you of the risks you face, in turn allowing you to focus your limited spend on the weakest areas first.

How you arrive at those risks brings us to the second point, resource.  It’s not just SMEs that don’t have the resource, but their IT support company rarely does either.  Cyber security professionals are expensive and very thin on the ground.  Perhaps buying in an advisor for a defined period every month, or on a retainer to be called off as and when required, is the way to go.

Another key plank is innovation.  Finding innovative solutions that SMEs can be sure are appropriate for their business, mitigating identified risks.  Of course, such innovations have also got to be affordable.  This is one of the reasons why many are adopting cloud services, not necessarily for security reasons, but for cost reasons ie no expensive infrastructure to buy in and maintain.  It’s also a reason why many security solutions these days are Software as a Service, SaaS, as again, no expensive infrastructure.

In summary, what I’m saying is that SMEs have to:

  • Accept cyber security as a business, not an IT issue.
  • Have a senior manager or preferably, board member, take responsibility for it.
  • Have an adequate budget. Of course, that will be subject to what you can afford.  Take advice on what is important and what can wait.  It just might save you a lot of time, money, and angst.
  • Have a defined strategy for improving your security stance, perhaps phased over budgetary periods.
  • Consider a standard such as Cyber Essentials or, for the larger SME, perhaps even ISO2700x.