Author: Kevin Hawkins

Artificial Intelligence and Cyber Security – Boon or Pain?

I wrote a piece back in May about AI entitled ‘AI – Good or Evil? A Clear and Present Danger to Cyber Security?’. I discussed how AI could be used to generate code to be inserted into a ransomware attack, perhaps heralding the re-emergence of the once fabled ‘script kiddy’. Whilst there is no doubt that AI has great potential for good, with applications in just about every sphere of IT, it can also allow some very nasty people with very limited technical ability to introduce new and frightening scams. I also quoted a story from CNN where a lady in the US received a call supposedly from her daughter: the ‘daughter’ was yelling and sobbing that she had been kidnapped, and other voices could be heard in the background. It was very scary indeed, but the voices were all generated by AI and the story turned out to be totally untrue; the real daughter called her mother and assured her she was safe. This is an extreme case, but it does demonstrate the power of AI and its ability to be used by unscrupulous and nasty people. If this is happening in the US, it is only a matter of time before it arrives here.

Another scam, this time reported in The Washington Post, was an update on the well-reported CEO scam, in which someone impersonates the CEO of a company, usually with spoofed email, to trick staff into transferring money. This time AI was used to clone the CEO's voice. It worked, and the company lost a lot of money.

Two examples of AI being used for harm. I'm not putting AI down or saying we shouldn't be using it, but cyber security is my thing and I can't ignore the warning signs. Cyber criminals are never slow to adopt new technologies and methods, and we need to be aware of that.

So why am I bringing this up again so soon? Well, AI continues to be reported in the news, sometimes with a good result and sometimes not so good. So I thought I'd ask ChatGPT what it thought about AI and cyber security. I asked two questions. The first was, ‘Is AI a danger in terms of cybersecurity?’. The answer came back:

AI can be both a boon and a potential danger in terms of cybersecurity. On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks. On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously. Sophisticated AI-powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale. It is crucial to develop robust safeguards, ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

So even ChatGPT thinks this is a double-edged sword. The real problem for my target clientele, the SME space, is that affording AI-powered tools to detect and mitigate threats and analyse large amounts of data is almost certainly not realistic. So when we talk about developing robust safeguards, understanding the risks becomes even more vital than it has ever been before. It also brings Zero Trust solutions sharply into focus, and finding such solutions that are affordable is going to become crucial.

The next question I asked was, ‘How do we ensure that AI isn’t a cybersecurity threat?’.  The answer came back:

Ensuring that AI is not a cybersecurity threat requires a multi-faceted approach. Here are some key considerations: 

  1. Robust Security Measures: Implement strong security protocols, encryption, and access controls to safeguard AI systems and their underlying data from unauthorized access or manipulation.
  2. Rigorous Testing and Validation: Thoroughly test and validate AI algorithms and models to identify and fix vulnerabilities, including potential avenues for cyberattacks, before deployment.
  3. Adversarial Testing: Conduct adversarial testing to simulate potential attacks and evaluate the resilience of AI systems against different cybersecurity threats.
  4. Data Privacy and Governance: Establish clear policies and practices for data privacy, ensuring that sensitive information is properly handled, stored, and shared in compliance with relevant regulations.
  5. Ongoing Monitoring and Updates: Continuously monitor AI systems for potential security risks, promptly address vulnerabilities, and keep software and hardware up to date with the latest security patches.
  6. Ethical AI Development: Integrate ethical considerations into the design and deployment of AI systems, emphasizing transparency, fairness, and accountability to mitigate potential biases or unintended consequences.
  7. Collaboration and Information Sharing: Foster collaboration among industry, academia, and government entities to share knowledge, best practices, and emerging threats, enabling a collective effort to combat AI-related cybersecurity challenges.
  8. Education and Awareness: Promote cybersecurity awareness and provide training to AI developers, users, and stakeholders, emphasizing responsible AI usage and the identification of potential threats.

By following these guidelines and continuously adapting to emerging risks, we can enhance the security of AI systems and minimize the potential for them to be exploited as cybersecurity threats.

Again, looking at this from an SME perspective, some of it isn't relevant; number 6, for example, since SMEs aren't going to be developing their own AI solutions. But much of it I would have come up with on my own, without the aid of a machine. It would appear that AI uses some common sense, which is nice. Number 8, for example: I bang on and on about this. It is low cost and easy to implement, and it's staggering how many companies don't do it. The list also shows the value of Zero Trust solutions and of encryption, which on its own substantially reduces the risk to data, particularly PII (personally identifiable information, ‘personal data’ in UK GDPR terms), if that data is lost or stolen.

Protecting Your Business from Cyber Attacks – Part 2 – Plus some info on a Ransomware Attack

Before I begin, I thought it would be appropriate first to discuss an issue that has cropped up in the news which I believe is extremely pertinent to SMEs, because many use MS365 and Azure, in part or in whole, for storing their data and as part of their access controls. Many IT companies that service SMEs will claim that Azure provides excellent protections and that it is enough on its own. Now, I'm not here to denigrate Microsoft, heaven forfend, but it would be remiss of me not to point out a recent breach, quite possibly state backed, by the threat actor Microsoft tracks as Storm-0558, an Advanced Persistent Threat (APT) group.

This breach potentially gave China-linked APT actors single-hop access to the whole gamut of Microsoft cloud services and apps, including SharePoint, Teams and OneDrive, among many others. It is estimated that the breach gave access to email within around 25 organisations, including US government agencies, and it could be much further reaching and impactful than anyone anticipated, potentially placing a much broader swathe of Microsoft cloud services at risk than previously thought.

A lack of authentication logging at many organisations means that the full scope of actual compromise will take weeks, if not months, to determine. This raises issues with authentication even amongst large enterprises and government departments; SMEs are far more reliant on such technologies and are consequently far more at risk.

This breach was caused by a stolen Microsoft account (MSA) consumer signing key, which allowed the bad guys to forge authentication tokens and masquerade as authorised Azure AD users, thereby obtaining access to Microsoft 365 enterprise email accounts and the potentially sensitive information within them. However, it gets worse: it turns out that the stolen MSA key could also have allowed the threat actor to forge access tokens for ‘multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams and OneDrive’.

It should be noted that Microsoft took swift action and revoked the stolen key. Despite this, some Azure AD customers could still be sitting ducks, since Storm-0558 could have used its access to establish persistence by issuing itself application-specific access keys or setting up backdoors. Further, any application that retained a copy of the Azure AD public keys from before the revocation, or that relies on a local certificate store or cached keys that have not been updated, remains susceptible to token forgery. The practical lesson is that a token is only as trustworthy as the key set your application validates it against: the keys must be refreshed from the issuer rather than cached indefinitely, and the token's issuer, audience and expiry must be checked every time.
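To make that last point concrete, here is an added example (my own illustration, not code from this page, from Microsoft or from any of the reports quoted above) of the checks a relying application should perform on a signed token: the signature against the key named by `kid`, that the key is one the token's claimed issuer is allowed to use, the audience, the expiry, and a key cache that is replaced outright when the issuer publishes a new set. Azure AD tokens are RS256-signed and a real verifier fetches public keys from the tenant's JWKS endpoint; so that this runs offline without third-party libraries, HMAC (HS256) shared secrets stand in for those keys, and the issuer URLs, tenant ID, audience and key names are placeholders. The validation steps are the same either way. `demo()` walks through a legitimate token, a token forged with the stolen consumer key but carrying enterprise claims, and the same consumer-key token presented to an application that never refreshed its key cache versus one that did.

```python
import base64
import hashlib
import hmac
import json

# Placeholder issuer URLs, tenant ID and audience (not real identifiers).
ENTERPRISE_ISS = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
CONSUMER_ISS = "https://login.live.com"
APP_AUD = "api://example-app"

# Key set as an application cached it BEFORE the revocation. Each key is bound to the
# issuer(s) it may sign for. HS256 shared secrets stand in for the RS256 public keys a
# real JWKS endpoint publishes; the validation steps are the same.
KEYS_BEFORE = {
    "ent-key-1": {"secret": b"enterprise-signing-secret", "issuers": {ENTERPRISE_ISS}},
    "msa-key-1": {"secret": b"consumer-signing-secret", "issuers": {CONSUMER_ISS}},
}
# Key set published AFTER the stolen consumer key was revoked.
KEYS_AFTER = {"ent-key-1": KEYS_BEFORE["ent-key-1"]}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, secret: bytes) -> str:
    """Produce a compact JWT signed with the key identified by `kid`."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenVerifier:
    """Validates tokens against the CURRENT key set; refresh() replaces the cache outright."""

    def __init__(self, keyset: dict, audience: str):
        self.keyset = dict(keyset)
        self.audience = audience

    def refresh(self, keyset: dict) -> None:
        self.keyset = dict(keyset)   # replace, don't merge: a revoked kid must disappear

    def verify(self, token: str, now: float) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h_b64, c_b64, s_b64 = parts
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")   # the token does not get to choose the algorithm
        key = self.keyset.get(header.get("kid"))
        if key is None:
            raise ValueError("unknown or revoked kid %r" % header.get("kid"))
        expected = hmac.new(key["secret"], (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            raise ValueError("bad signature")
        # A valid signature is not enough: the key must be one the claimed issuer may use.
        # A consumer-scoped key must never validate a token claiming an enterprise tenant.
        if claims.get("iss") not in key["issuers"]:
            raise ValueError("key %r is not trusted for issuer %r" % (header["kid"], claims.get("iss")))
        if claims.get("aud") != self.audience:
            raise ValueError("audience mismatch")
        if claims.get("exp", 0) <= now:
            raise ValueError("token expired")
        return claims


def outcome(verifier: TokenVerifier, token: str, now: float) -> str:
    try:
        verifier.verify(token, now)
        return "accepted"
    except ValueError as exc:
        return "rejected: %s" % exc


def demo(now: float = 1_700_000_000.0) -> dict:
    """Legitimate token, forged token, and the stale- versus refreshed-cache cases."""
    base = {"aud": APP_AUD, "exp": now + 3600}
    ent_secret = KEYS_BEFORE["ent-key-1"]["secret"]
    stolen_secret = KEYS_BEFORE["msa-key-1"]["secret"]   # what the attacker walked off with

    legit = sign_token(dict(base, iss=ENTERPRISE_ISS, sub="alice"), "ent-key-1", ent_secret)
    forged = sign_token(dict(base, iss=ENTERPRISE_ISS, sub="alice"), "msa-key-1", stolen_secret)
    consumer = sign_token(dict(base, iss=CONSUMER_ISS, sub="bob"), "msa-key-1", stolen_secret)

    stale = TokenVerifier(KEYS_BEFORE, APP_AUD)   # never re-fetched the issuer's key set
    fresh = TokenVerifier(KEYS_BEFORE, APP_AUD)
    fresh.refresh(KEYS_AFTER)                      # picked up the revocation

    return {
        "legit": outcome(stale, legit, now),
        "forged_enterprise_claims": outcome(stale, forged, now),
        "stale_cache_consumer_token": outcome(stale, consumer, now),
        "refreshed_cache_consumer_token": outcome(fresh, consumer, now),
    }
```

The third case is the one the Wiz finding above describes: an application that supports personal-account sign-in and still holds the old key set keeps accepting tokens minted with the stolen key, because nothing in the token itself says the key was revoked. Only the refreshed verifier rejects it. The issuer binding check is what stops a consumer-scoped key from vouching for an enterprise tenant even when the signature is mathematically valid.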

OK, now back to the original subject.  Steps 6 to 10 in my suggested top ten list.

  6. What steps should I take to protect my business from ransomware attacks? A very good question with a multi-threaded answer.
  • Keep Software Updated. Regularly update your operating system, applications, and antivirus software to ensure you have the latest security patches.
  • Use Strong Passwords. Use unique and complex passwords for all your accounts and consider using a password manager to keep track of them securely.
  • Enable Two-Factor Authentication (2FA).  Add an extra layer of security by enabling 2FA whenever possible, as it helps prevent unauthorized access to your accounts.
  • Be Cautious with Email. Avoid opening attachments or clicking on links from unknown or suspicious senders. Be wary of phishing attempts.
  • Backup Your Data.  Regularly back up your important files and data to an external hard drive or a secure cloud service. This way, even if you fall victim to ransomware, you can restore your files without paying the ransom.
  • Use Reliable Security Software. Install reputable antivirus and anti-malware software to help detect and block ransomware threats.
  • Educate Yourself and Others. Stay informed about the latest ransomware threats and educate your family or colleagues about the risks and preventive measures.
  • Secure Network Connections. Use a firewall and be cautious when connecting to public Wi-Fi networks.
  • Limit User Privileges. Restrict user access privileges on your devices, granting administrative rights only when necessary.
  • Monitor for Suspicious Activity. Regularly monitor your devices and network for any unusual or suspicious activity that might indicate a potential ransomware attack.
  7. What can I do to ensure that my data is backed up in case of a cyber-attack? This is straightforward, and it highlights a common misconception: many SMEs think that if their data is on a cloud service they don't need to back it up. You need a backup routine that separates your backed-up data from your live data storage. What I mean by that is that if an attacker, or a piece of malware, can jump from one system to another, then having a live connection to your backup defeats the object, but it's surprising how many people do this. There are a number of methods. The first is good old-fashioned tape backup, less and less used nowadays but still very effective. Another is that several cloud providers also offer a backup solution that disconnects once the backup has been done and lets you go back to a ‘clean’ earlier backup if the current one has been compromised. Check these out, but do back up your data; don't be convinced that you don't need to, because you do.
  8. What cyber security measures should I put in place to protect my business from external threats? To protect against external cyber threats, you should consider implementing the following cybersecurity measures:
  • Strong Passwords: Encourage employees to use complex passwords and enable multi-factor authentication wherever possible.
  • Regular Updates: Keep all software, operating systems, and applications up to date to patch known vulnerabilities.
  • Firewall: Set up and maintain a firewall to control incoming and outgoing network traffic.
  • Antivirus Software: Install reputable antivirus software to detect and remove malware.
  • Employee Training: Educate your staff about cybersecurity best practices and potential threats, such as phishing and social engineering.
  • Data Encryption: Encrypt sensitive data to prevent unauthorized access if it gets intercepted.
  • Access Control: Implement role-based access control to limit users’ access to only the data and systems they need.
  • Regular Backups: Regularly backup your important data and keep the backups in a secure location.
  • Network Monitoring: Use intrusion detection and prevention systems to monitor network activity for suspicious behaviour.
  • Incident Response Plan: Develop a comprehensive incident response plan to handle cybersecurity incidents effectively.
  • Vendor Security: Ensure third-party vendors and partners also have strong security measures in place, especially if they have access to your data.
  • Physical Security: Protect physical access to servers and sensitive equipment.
  9. How can I stay up to date with the latest cyber security threats and best practices? There are a number of things you can do, but a lot depends on how much time you have available to devote to this. Probably not much, so you may wish to consider having an advisor on tap (and, surprise, we provide such an advisor). Pointers you might want to consider include:
  • Subscribe to reputable cyber security news sources and blogs, like this one!
  • Attend cyber security webinars.
  • Follow cyber security experts on social media.
  • Sign up for security alerts: Many organizations and government agencies offer email alerts for the latest cyber threats.
  • Participate in cyber security training. I can’t emphasise enough the value of cyber awareness training for your staff.
  • Read official reports and advisories: Stay informed about security bulletins and advisories released by software vendors and security organizations.
  • Practice good cyber hygiene: Implement strong passwords, use multi-factor authentication, keep your software up to date, and regularly backup your data.
  10. What steps should I take to ensure my business is compliant with relevant regulations and industry standards?

This is going to depend on several factors, such as the business you are in. Many organisations must adhere to standards specific to their sector, and many also use international standards such as the ISO 9000 series. On top of this there are legal frameworks that you must adhere to, amongst them UK GDPR and the financial services regulations. That is not an exhaustive list; it can be a minefield.

It is somewhat surprising to me that many of the SMEs I visit don't know what data is subject to these regulations and what isn't, or where that data is actually stored, how it is processed and how it is protected. They will argue that they do know most of this, at least at a high level, but that they outsource it to their local IT provider. That won't help you if a regulator comes after you: you can outsource your IT, but not your responsibility. Take advice, get guidance; there are some great protection and audit tools out there which don't have to cost a fortune. Check them out.


Protecting your business from cyber attacks – Part 1

Protecting your business from cyber attacks and scams is a challenge, and I get it: it can be expensive, especially when the most effective solutions are aimed at enterprise businesses with big budgets that SMEs simply can't match. And that, of course, is why SMEs are so tempting to the cyber criminal. Cyber security is an ongoing effort. It's important, no matter how difficult you may think it is, to stay informed about the latest threats and to continuously adapt your security measures to address emerging risks. Most SMEs, and the local IT companies that serve them, simply can't afford full-time professional cyber security skills, so consider consulting a cyber security professional for guidance tailored to your specific business needs.

There are a number of protections that you need to consider. I've picked the top five, at least in my opinion, but that's far from exhaustive.

  1. What are the best practices for keeping my business secure from cyber threats? A sound strategy is a mixture of process, procedure and technical controls, coupled with sound security awareness training.  Here are some of the highlights:
  • Strong Passwords: Enforce the use of complex, unique passwords for all accounts, and consider implementing multi-factor authentication (MFA) for an extra layer of security.
  • Regular Updates: Keep all software, operating systems, and applications up to date with the latest patches and security updates to address known vulnerabilities.
  • Employee Education: Train employees on cybersecurity awareness, including recognising phishing attempts, social engineering, and safe browsing habits. Regularly remind them about the importance of maintaining security practices.
  • Network Security: Use firewalls, intrusion detection and prevention systems, and virtual private networks (VPNs) to safeguard your network against unauthorised access.
  • Data Encryption: Encrypt sensitive data both in transit and at rest. This helps protect data if it is intercepted or stolen.
  • Backup and Recovery: Regularly back up critical data and test the restoration process. This ensures that important information can be recovered in the event of a cyber incident.
  • Access Controls: Implement a least privilege approach, granting employees access only to the resources they need for their job roles. Regularly review and revoke access for former employees or those who no longer require it.
  • Incident Response Plan: Develop an incident response plan that outlines the steps to be taken in case of a cybersecurity incident. This helps minimize damage and facilitates a swift recovery.
  • Vendor Management: Assess the security practices of third-party vendors and partners to ensure they meet your standards. Establish clear security requirements and monitor compliance.
  • Periodic Security Assessments: remember that nothing stays the same, and new vulnerabilities and threats emerge all the time.
  2. How can I protect my business from phishing, malware, and other online attacks?
  • Employee Education: Train your employees to recognise and avoid phishing attempts. Teach them how to identify suspicious emails, links, and attachments. Encourage them to report any suspicious activity promptly.
  • Strong Passwords: Enforce the use of strong, unique passwords for all business accounts. Consider implementing two-factor authentication (2FA) for an extra layer of security.
  • Regular Updates and Patches: Keep all software and operating systems up to date with the latest security patches. Regularly update antivirus and anti-malware software as well.
  • Secure Network: Implement robust network security measures, including firewalls, intrusion detection systems, and secure Wi-Fi networks. Regularly monitor and audit network activity for any anomalies.
  • Email Protection: Deploy email filters and spam blockers to prevent malicious emails from reaching employees’ inboxes. Consider using email authentication protocols such as SPF, DKIM, and DMARC.
  • Web Browsing Security: Advise employees to exercise caution when visiting websites, especially those with suspicious or unknown origins. Encourage the use of secure browsing practices, such as avoiding clicking on unfamiliar links.
  • Data Backups: Regularly back up all critical business data to secure, off-site locations. This ensures that even if malware or ransomware attacks occur, you can restore your data without paying a ransom.
  • Incident Response Plan: Develop a comprehensive incident response plan outlining the steps to be taken in case of a security breach. This plan should include communication protocols, containment measures, and recovery procedures.
  • Ongoing Security Awareness: Maintain a culture of security awareness within your organisation. Regularly remind employees about the importance of staying vigilant and following security best practices.
  3. What type of cyber security training should I provide for my employees? It's important to cover several key topics.  Here are some suggestions:
  • Phishing Awareness: Teach employees how to recognise and report phishing emails, suspicious links, and potential scams.
  • Password Security: Educate employees on creating strong passwords, using password managers, and avoiding password reuse.
  • Social Engineering: Raise awareness about social engineering techniques, such as pretexting and tailgating, and provide guidelines for handling suspicious requests.
  • Data Protection: Train employees on handling sensitive data, including proper data classification, encryption, and secure file transfer methods.
  • Malware Defence: Teach employees about malware threats, safe browsing habits, and the importance of keeping their devices and software up to date.
  • Mobile Security: Highlight best practices for securing mobile devices, such as using secure Wi-Fi networks, enabling device encryption, and being cautious about downloading apps.
  • Incident Reporting: Establish clear procedures for reporting security incidents, so employees know how to promptly and effectively respond to potential breaches.
  • Remote Work Security: Provide guidelines on securing home networks, using VPNs, and maintaining the security of devices when working remotely.
  • Physical Security: Emphasise the importance of physical security measures, such as locking screens, securing work areas, and preventing unauthorized access to sensitive areas.
  • Ongoing Training and Updates: Keep employees informed about emerging threats, new attack techniques, and evolving security practices through regular training sessions, newsletters, or online resources.

Remember to tailor the training to your organisation’s specific needs and provide practical examples to reinforce the concepts. Training should reflect the policies and processes that you have put in place.  Additionally, consider conducting periodic security assessments and simulations to test employees’ knowledge and readiness.
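The email-protection bullet under question 2 mentions SPF, DKIM and DMARC. Publishing the records is only half the job: a weak policy (`~all`, `p=none`, no reporting address) looks like protection but changes nothing for spoofed mail. The following is an added example, not code from this page or from any product it mentions, of a small linter over a domain's SPF and DMARC TXT records that flags the weak settings and passes a hardened pair. The two record sets are constructed for the example and example.com is a placeholder; DKIM is not checked here because that needs the selector and public key from DNS. In real use you would fetch the live records with a DNS library (dnspython, for instance) and hand them to `lint()`.

```python
import re

# Constructed example records: the TXT record at the domain apex for SPF, and the one
# at _dmarc.<domain> for DMARC. example.com is a placeholder domain.
WEAK = {
    "spf": "v=spf1 include:_spf.google.com include:mailgun.org a mx ptr ~all",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.google.com include:mailgun.org -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}

# SPF terms that cost a DNS lookup at evaluation time; RFC 7208 caps these at 10.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)")


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' list (DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    last = terms[-1].lower()   # the terminating 'all' mechanism decides the default verdict
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorises every host on the internet to send as you")
    elif last == "~all":
        findings.append("SPF: '~all' (softfail) only flags unauthorised mail; move to '-all' once all genuine senders are listed")
    elif last != "-all":
        findings.append("SPF: no terminating 'all' mechanism; unlisted senders get a neutral result")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms):
        findings.append("SPF: 'ptr' is deprecated by RFC 7208 and slow to evaluate; remove it")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append("SPF: %d DNS-lookup terms exceed the limit of 10; receivers will return permerror" % lookups)
    return findings


def lint_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing or invalid v=DMARC1 tag"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to junk; move to p=reject when reports are clean")
    elif policy != "reject":
        findings.append("DMARC: p tag missing or invalid (must be none, quarantine or reject)")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports of who is sending as your domain")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append("DMARC: pct=%s applies the policy to only that percentage of failing mail" % pct)
    return findings


def lint(records: dict) -> list:
    """Findings for one domain's SPF and DMARC records; an empty list means nothing to fix."""
    return lint_spf(records["spf"]) + lint_dmarc(records["dmarc"])
```

Run `lint(WEAK)` and you get four findings (softfail, the deprecated `ptr`, monitor-only DMARC and no reporting address); `lint(HARDENED)` returns nothing. The usual path for an SME is to publish `p=none` with an `rua=` address first, use the reports to find every legitimate sender, tighten SPF to `-all`, and only then move to `p=quarantine` and `p=reject`.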

  4. How can I secure my customer data, and what regulations and best practices should I follow?

To a large extent this is going to depend on the regulations and requirements that your industry imposes on you. However, some things are common to all. For instance, UK GDPR, the Computer Misuse Act and financial regulations requiring you to retain records for seven years, which for some industries (financial services, legal etc.) can require a considerable effort. One of the first requirements will be finding out where all your data actually is. I know many will say, well, I know where it is, it's on my cloud and/or network storage. But is it? How many records containing personally identifiable information (PII) have been copied from one directory to another, usually for sound working reasons, or attached to an email and never removed, leaving a copy residing on your email server? Once you know where it is, then you can start to assess the risk.

  5. How can I quickly and effectively respond to a cyber security incident?

This is a procedural issue. Do you have a sound incident response plan, ideally linked to a business continuity plan? Are these the same thing? No. An incident response plan is just what it says: it's how you respond to and technically recover from a security incident. Business continuity is about how you continue to work and serve your customers whilst recovering from the incident. Deeply related, but not the same thing.

Next week I’ll take a look at the next 5 steps on my list, which are:

  6. What steps should I take to protect my business from ransomware attacks?
  7. What can I do to ensure that my data is backed up in case of a cyber attack?
  8. What cyber security measures should I put in place to protect my business from external threats?
  9. How can I stay up-to-date with the latest cyber security threats and best practices?
  10. What steps should I take to ensure my business is compliant with relevant regulations and industry standards?


DATA BREACHES AND RANSOMWARE

Data breaches just keep on coming, don't they? Probably one of the worst, in terms of potential impact, is the leak of Police Service of Northern Ireland (PSNI) personnel data. As we've seen many times before, this wasn't a technical breach but a procedural one, where someone either ignored the rules or, more probably, didn't know them and didn't think. Cyber awareness training, anyone?

Police officers in Northern Ireland are frightened and their families and friends could be “jeopardised” after details were published in error, a former NI justice minister has said.

Naomi Long said some officers would consider their futures with the force.

In response to a freedom of information (FoI) request, the Police Service of Northern Ireland (PSNI) shared names of all police and civilian personnel, where they were based and their roles. 

The details were then published online. 

They were removed a few hours later. 

More than 300 police officers were murdered in Northern Ireland during the 30 years of violence known as the Troubles and officers and staff remain under threat from republican paramilitaries.

The Electoral Commission has revealed it has been the victim of a “complex cyber-attack” potentially affecting millions of voters. The unspecified “hostile actors” had gained access to copies of the electoral registers from August 2021. The hackers also broke into its emails and “control systems”, but the attack was not discovered until October last year. So for over a year this data was available to cyber criminals without anyone knowing about it. It frankly beggars belief that there weren't protections in place so that, even if the breach couldn't be stopped, it was at least discovered and known about in a timely manner.

Unlike the attack on PSNI, this one was described as a sophisticated technical attack.

Data belonging to the University of the West of Scotland (UWS) has been put up for auction by a cyber-criminal gang. The university first said it was facing a “cyber incident” earlier this month, and police have been investigating. The data is now being held to ransom by the Rhysida ransomware gang, which is demanding 20 bitcoin (around £450,000) for the confidential data and says it will otherwise be sold to the highest bidder. UWS said it was a “victim of a cybercrime” and that the attack affected several digital systems and staff data. BBC Scotland has reported that the incident affected staff laptops, shut off around half of the university's IT systems and affected student submissions.

There remains a pervasive opinion within SME management that ransomware only affects the big companies, that SMEs are just too small to provide the level of reward that cyber criminals are looking for. I have also said before that there is evidence that when an SME gets hit, the amount asked for is quite small, from around £500 to £1,000, and therefore many SMEs simply pay up. There is of course a real danger there, because often their data has already been stolen, and sometimes the criminal doesn't release the data back to the company, leaving the SME not only out of pocket but unable to continue in business.

How much better if you can avoid getting hit in the first place.  Here I list some ways that you could perhaps use to avoid the problem.

  1. Arguably the biggest and most effective step an SME can take is cyber awareness training for staff. Industry surveys consistently attribute the large majority of data breaches (figures around 90% are commonly quoted) to human error. It is very unlikely that an employee will do something deliberately to damage your business, but humans are fallible and, if they haven't had any awareness training, they simply don't know what they shouldn't be doing. You can't expect your staff to help you avoid cyber attacks if they don't know what they are looking for. Cyber security is NOT an IT issue; it's very much a business issue, and responsibility lies with everyone in the business. Clearly this training needs to be part of an overall strategy, which again need not be complex or onerous. Most successful strategies follow the KISS principle: Keep It Simple, Stupid.
  2. The next reasonably low-cost thing, which ties in with cyber awareness training and a security strategy, is robust, well thought out policies and procedures that have been rolled out across the workforce and are monitored to ensure they remain relevant and are understood by all. Giving an employee the means to check what they should do if they suspect something nefarious is going on is simply giving them support; it is not there to catch them out or to use as a stick against them. Many SMEs don't have any such policies in place, and many others have downloaded specimens from the internet, topped and tailed them and expect them to be enough, which they very rarely are.
  3. Next, think about your backup strategy. Even when you are using a cloud-based provider, that doesn't necessarily mean your data is safe, although many providers would disagree, at least in their advertising. How much better to have a strategy whereby your data is backed up overnight to removable media (tape, or a disk that is physically disconnected once the job completes) and kept in secure offline storage. If you do that, then if you are subject to an attack and your data is locked up, you can have some or all workstations wiped and reloaded and the data restored from the tape, all of which need not take most SMEs offline for more than a day. You then have a breathing space to sort everything out in the longer term.
  4. Email remains the top attack vector for many attacks, and ransomware is no exception. There are many products on the market that claim to block as many malicious emails as possible, and many of these are very good at what they do. For an SME it will nearly always come down to cost, and some of these products are more expensive than others. Unfortunately, there are still a considerable number of SMEs out there either using the cheapest anti-malware product they could find, or even a free one. You get what you pay for, and if it's free, you've got a problem. Any product you choose must be mitigating an identified risk. If a risk hasn't been properly identified and a product selected that covers that risk as well as it can be covered, then you've quite possibly wasted your money.
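Item 3 above, and question 7 in Part 2, make the same point: a backup that the live system can write to is not a backup once ransomware is on the network. The following added example (my own illustration, not a product and not code from this page) shows the shape of a write-once, versioned backup: each run creates a new snapshot directory and a SHA-256 manifest, nothing ever overwrites an earlier snapshot, and a restore refuses any archive that fails its checksum. `demo()` uses temporary directories and constructed sample data; it takes a clean snapshot, simulates ransomware encrypting the live file, takes a second snapshot that faithfully captures the damage, restores from the clean one, and shows that tampering with an archive is caught. In real use the backup root is on a separate host or on media that is disconnected when the job finishes.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Versioned, write-once snapshots. Every run creates a NEW directory under the backup
# root and records a SHA-256 manifest; earlier snapshots are never overwritten, so a
# clean copy taken before an attack stays available. The paths used in demo() are
# temporary placeholders; in practice the backup root lives on a separate host or on
# media that is disconnected once the job has finished.


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Archive `source` into backup_root/<label>/ and write its checksum manifest."""
    snap = backup_root / label
    snap.mkdir(parents=True, exist_ok=False)   # refuse to overwrite an existing snapshot
    archive = snap / "data.tar"
    with tarfile.open(archive, "w") as tar:
        tar.add(source, arcname=".")
    manifest = {"archive": archive.name, "sha256": _sha256(archive), "label": label}
    (snap / "manifest.json").write_text(json.dumps(manifest))
    archive.chmod(0o444)                        # read-only once written
    return snap


def list_snapshots(backup_root: Path) -> list:
    """Snapshots oldest first; timestamp-style labels sort chronologically."""
    return sorted(p for p in backup_root.iterdir() if (p / "manifest.json").exists())


def verify_snapshot(snap: Path) -> bool:
    """True if the archive still matches the checksum recorded when it was taken."""
    manifest = json.loads((snap / "manifest.json").read_text())
    return _sha256(snap / manifest["archive"]) == manifest["sha256"]


def restore_snapshot(snap: Path, target: Path) -> None:
    """Restore a snapshot into `target`, refusing anything that fails verification."""
    if not verify_snapshot(snap):
        raise RuntimeError("snapshot %s failed integrity check; refusing to restore" % snap.name)
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(snap / "data.tar") as tar:
        try:
            tar.extractall(target, filter="data")   # blocks path traversal (Python 3.12+, backported)
        except TypeError:                            # older Python without the filter argument
            tar.extractall(target)


def demo() -> dict:
    """Clean snapshot; ransomware hits the live data; a second snapshot captures the damage;
    the restore still comes from the clean copy, and a tampered archive is detected."""
    work = Path(tempfile.mkdtemp())
    live, backups, restore = work / "live", work / "backups", work / "restore"
    live.mkdir()
    (live / "invoices.csv").write_text("inv-1001,acme,1200.00\n")   # constructed sample data

    clean = take_snapshot(live, backups, "20240101T010000Z")
    (live / "invoices.csv").write_text("<encrypted by ransomware>")  # live data is now useless
    damaged = take_snapshot(live, backups, "20240102T010000Z")      # tonight's job copies it anyway

    restore_snapshot(clean, restore)   # the earlier, untouched snapshot is still intact

    # Someone with write access to the backup side alters an archive: caught on verify.
    (damaged / "data.tar").chmod(0o644)
    with (damaged / "data.tar").open("ab") as fh:
        fh.write(b"\x00")

    return {
        "snapshots": [p.name for p in list_snapshots(backups)],
        "restored": (restore / "invoices.csv").read_text(),
        "clean_verifies": verify_snapshot(clean),
        "tampered_verifies": verify_snapshot(damaged),
    }
```

Two things the code cannot do for you, and which the tape-in-a-safe approach above does: the second snapshot is perfectly valid and perfectly useless, so retention of older copies is what saves you, not the latest backup; and the manifest only proves an archive is unchanged since it was written, so the media still has to be out of reach of the workstation that gets infected.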

There is a product on the market from a company called Platinum-HIT which takes an innovative approach to this: quite simply, it blocks any executable not on your whitelist from running. During a free 30-day evaluation it profiles your network and builds a list of the executables that users run day to day (those behind your applications, email and so on) and produces that list for human inspection. Once agreed, that becomes your whitelist. It is extremely effective, and so far we haven't found another product that takes this approach to blocking all forms of malware, including ransomware.

The overall message I would like to put across to all SMEs is that you are just as vulnerable as anyone else to this and many other attacks. Have you identified your risks? Have you identified ways to mitigate those risks, so that you get the most from your defensive spend? Or have you just bought into an argument that says that you have a firewall and some anti-virus, you're using a cloud provider and you're therefore covered? I'd welcome the opportunity to have that debate with you.

But it is about defence in depth, marrying up people, process and technology to give you the best protection you can afford.


Cyber Security Threats to SMEs in 2023

It probably won’t surprise many people that the threats to SMEs in 2023 look very much the same as the threats in 2022, and indeed the years before that. They can be summarised as ransomware attacks, phishing scams, supply chain vulnerabilities, insider threats and, overall, inadequate security measures caused by resource constraints. And as if that wasn’t enough, we can top that off with the continuing gap in cyber awareness training, which can produce huge benefits for little cost and which many SMEs still don’t carry out.

Insider threats have been exposed widely in the press lately with the exposure of data from two police forces, the most serious being the PSNI breach in terms of the threat to police officers’ safety, and another which exposed confidential information such as criminal records and court documents. These things are often not the result of criminal activity but of lax processes that are not widely published, a lack of security awareness and, in general, employees doing things they shouldn’t because they didn’t know that they shouldn’t. Not technical issues at all, but I’ve no doubt that someone somewhere will take a simple process and complicate it, taking far too long to fix it and costing a fortune when it could have been done effectively and relatively cheaply.

Revisiting ransomware, it continues to be a clear and present danger to UK companies at both enterprise and SME level. There remains a pervasive opinion within SME management that ransomware only affects the big companies, that SMEs are just too small to provide the level of reward cyber criminals are looking for. I have also said before that there is evidence that when an SME gets hit the amount asked for is quite small, from around £500 to £1,000, and therefore many SMEs simply pay up. There is a real danger there, because often their data has already been stolen, and sometimes the criminal doesn’t hand the data back at all, leaving the SME not only out of pocket but unable to continue in business.

Arguably the biggest and most effective step an SME can take is, once again, cyber awareness training for staff. Industry breach reports consistently find that the large majority of breaches involve human error at some point. It is very unlikely that an employee will do something deliberately to damage your business. But humans are fallible and, if they haven’t had any awareness training, they simply don’t know what they shouldn’t be doing. You can’t expect your staff to help you avoid cyber attacks if they don’t know what they are looking for. Cyber security is NOT an IT issue; it is very much a business issue, and responsibility lies with everyone in the business. Clearly this training needs to be part of an overall strategy, which again need not be complex or onerous. Most successful strategies follow the KISS principle: Keep It Simple, Stupid.

An often forgotten element of cyber security is a company’s supply chain. The threat has been around for a while but is becoming much more prevalent, with attackers targeting suppliers to get at an otherwise well protected company. Manufacturers, for instance, often use what is known as ‘just in time’ supply: an electronic connection to key suppliers, who are connected to the company’s inventory and automatically resupply when an item runs low. It’s efficient and avoids holding unnecessary stock. But if that connection is not done correctly, with the supplier’s access segmented off and limited to the inventory system it actually needs, it can drive a coach and horses through your security.

The goal of such an attack is to grab whatever you have that is of value to the attacker, so it can include infecting legitimate applications to distribute malware, accessing your IPR (designs, plans, source code, build processes and so on), inventory theft, inserting false invoices into your system, and more. In fact, if you can think of something that might damage your company, you can bet that the cyber criminals have already thought of it.

Small to medium enterprises are at greatest risk from cyber security threats, and their vulnerability in turn poses a danger to the major corporations they do business with. If you are in the supply chain for a major company, consider how damaging to your reputation it would be if they were attacked via a hole in your security. I would be prepared to bet the damage could be significant enough to take an SME under.

Phishing is a subject we hear a lot about and which most SMEs do nothing about. Protecting the business from phishing and other malware is crucial to maintaining a secure online environment, and that brings us straight back to cyber awareness training. Train your employees to recognise and avoid phishing attempts. Teach them how to identify suspicious emails, links and attachments. Encourage them to report anything suspicious promptly, and make sure a report is welcomed rather than punished, or the reports will simply stop.

Of course, that isn’t the only thing that will protect you against phishing, but it goes a long way at minimal cost. Add strong passwords and two-factor authentication (so that a phished password on its own is not enough), keep your systems updated and patched, and ensure that your security architecture is designed to match your risk and that the technical controls are appropriate and in the right place. Have adequate email protection: email filters, spam blockers and so on. And have good backups and a solid incident response plan.

There’s a lot there, which brings us finally to the lack of adequate security measures because of resource constraints. SMEs simply can’t afford cyber security professionals on staff. They will often rely on their suppliers, local IT providers, to give them the protections they require. This can be a very real risk, simply because the local IT provider doesn’t employ cyber security professionals either, but rather staff who are skilled in the products they supply. A cyber security professional takes a much more holistic view and will spend time marrying the business requirements to the protections required, considering the policies and processes needed and the awareness training requirements as well as the technical controls. People, process and technology, in that order.


Do You Have a Handle on Your Cyber Maturity Stance?

Over the years I’ve had some very interesting conversations about cyber security with people from many different verticals, all fitting comfortably within the SME bracket. The conversations tend to take a very familiar turn. The cry of ‘I’m covered, my IT support company has put in a firewall and some anti-virus. They tell me all is good’. Slightly depressing but hardly surprising.

Even though cyber security and data protection have leapt to the top of many people’s agenda in recent years, it is still common for SMEs to believe that it is an IT problem, a technical problem rather than a business issue, even while recognising that a cyber intrusion or data breach impacts the business and the bottom line. So, is it an IT issue or a business issue?

The National Cyber Security Centre (NCSC), part of GCHQ, estimates that an SME has around a one in two chance of experiencing a cyber security breach. For a small business this could mean costs of around £1,400; for a medium business, considerably more. One has just been hit for around £30,000, which I am sure you will agree can be extremely damaging to the bottom line of a business operating on tight margins. And of course it’s not just the financial cost, but the reputational damage should your customers’ data and assets be affected as well.

As we travel around and visit clients or potential clients, it is common to find that they have the view that adequate security is provided by technology. They rely on their IT provider for the guidance they need, which tends to involve firewalls, anti-malware software and perhaps a backup regime. All well and dandy. A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.’

A common misperception is that IT security is the same as cyber security. That surprises a lot of people, so let’s explore it a bit. There is clearly a close symbiotic relationship between the two disciplines. I would argue, and I know this might meet with some disagreement, that IT security refers to traditional, technology-based methods such as firewalls, anti-malware and endpoint protection, whilst cyber security is based very much on risk management, combining non-technical and technical controls and following the principles of people, process and technology.

Within the SME world this tends to mean an almost total reliance on third party IT providers. Is that a good thing? After all, it’s their area of expertise and responsibility, isn’t it? And here comes the controversial bit. Third party IT providers, particularly in the SME space, are pretty much exclusively value added resellers, or VARs, i.e. companies that sell other companies’ products. Now I’ve no problem with that per se, but it comes with issues. Notable amongst them is that these companies have skill sets very much limited to the products they sell: they are proficient in installing and configuring those products, and their clients are offered those products whether or not they are best in class or, more importantly, the most appropriate for the task. Before I get a social media pile-on, I know that some of the bigger VARs do sell multiple vendors’ products, but they are in a minority.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT. They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Here at H2 we offer a cyber maturity assessment designed specifically for SMEs. It is a comprehensive evaluation of an organisation’s cyber security capabilities and its readiness to mitigate and respond to cyber threats. It involves a detailed analysis of the organisation’s cyber security policies, procedures, technologies and practices, and aims to identify vulnerabilities, weaknesses and areas for improvement in the organisation’s security posture.

During the assessment, cybersecurity experts typically examine various aspects, such as:

  • Governance and Management: Reviewing the organisation’s cybersecurity policies, risk management frameworks, and leadership’s commitment to cybersecurity.
  • Security Awareness and Training: Evaluating the level of cybersecurity awareness among employees and the effectiveness of training programs.
  • Technical Controls: Assessing the implementation and effectiveness of security technologies, such as firewalls, intrusion detection systems, antivirus software, and encryption mechanisms.
  • Incident Response and Recovery: Analysing the organisation’s incident response plan, including procedures for detecting, reporting, and responding to cyber incidents.
  • Security Risk Management: Evaluating how the organisation identifies, assesses, and manages cybersecurity risks.
  • Third-Party Risk Management: Assessing the organisation’s approach to managing cybersecurity risks associated with third-party vendors and partners.
  • Compliance and Regulations: Verifying the organisation’s compliance with relevant cyber security regulations and industry standards.

The results of the cyber maturity assessment give the organisation the insight it needs to enhance its defences and establish a more robust and resilient security posture. They help it prioritise investment in cyber security, address vulnerabilities and strengthen overall cyber resilience, and provide a road map to reach a standard agreed with management, taking full account of management’s risk appetite.


Cyber Security and the SME – The Path to Cyber Resilience

The EU is the world’s largest single market and one of the largest economies in the world, whether some people like it or not. Many may attribute that market size to large organisations and multinational companies. While these are important contributors to the overall EU economy, small and medium enterprises (SMEs) form its backbone. The same is true of the UK, where government business population estimates put SMEs at over 99% of all businesses and around half of private sector turnover. A huge proportion, and one that might surprise you.

More than half (54%) of SMEs in the UK had experienced some form of cyber-attack in 2022, up from 39% in 2020 (Vodafone Study, 2022).

So, what can you do to better protect your business?

In today’s digital landscape, cyber security is a non-negotiable aspect of business success. The threats are real, and SMEs are not immune. In fact, they’re often the most vulnerable to cyber-attacks.

Solutions need not be complicated or expensive, yet many SME owners still act reactively, not proactively, to cyber threats.

The result? Huge costs to put things right and a massive hit on the company’s reputation and trust with their customers.

That’s why I’m excited to share a valuable (FREE) resource that we’ve been working on to help guide SME business owners in the right direction and provide valuable actions to fortify their company’s cyber security.

You can download your copy here: https://bit.ly/3qTCYkW

The underlying issue common to all SMEs appears to be management awareness and commitment, which in turn drives budget, allocation of resources and effective implementation of cyber security practices. Six categories of major challenge for SMEs have been identified:

  • Low cybersecurity awareness of the personnel.
  • Inadequate protection of critical and sensitive information.
  • Lack of budget.
  • Lack of ICT cybersecurity specialists.
  • Lack of suitable cybersecurity guidelines specific to SMEs.
  • Low management support.

Some of you who are amongst my regular readers will be well aware of my mantra regarding cyber awareness training for staff and managers. A big misconception is that, because cyber security can involve technical measures, it lies squarely within the realm of IT. Wrong. Cyber security needs to be part of the culture of the organisation, second nature to all. Staff need a basic awareness of how their attitude and actions can have a damaging effect on the business. A report for ENISA, the EU security agency, suggests that 84% of cyber attacks rely on some form of social engineering, and that the number of phishing attacks within the EU continues to grow. This is echoed in the UK.

Budgets remain a problem. Many SMEs are low margin organisations, heavily reliant on cash flow and therefore reluctant to spend on things not connected to their core business. But they must get used to asking themselves ‘Is IT part of my core business?’ and ‘How long could I continue to operate if I lost my IT systems?’. Cyber security needs to be factored into budgets. It is an iterative process, not something done once and then forgotten. The criminals are constantly evolving, and defences must evolve with them.

Cyber security expertise isn’t cheap or easy to obtain. Many IT companies will talk about their expertise in this area, but if you delve into it, it is generally focused on products, mainly firewalls and anti-malware. Cyber security expertise goes much deeper than that and is as much procedural as technical. It starts with risk management: understanding the risks you face, which in turn is derived from threat and vulnerability analysis matched to your assets. The latter are not necessarily hardware and software but can be much wider ranging than that. Typically, the type of person who can legitimately call themselves an expert in this field can command a salary north of £80K. I doubt there are many SMEs prepared to pay that, or indeed many of the smaller IT companies.

It can also be advantageous to follow a standard. By far the most comprehensive is the ISO/IEC 27000 series for information security management. However, this might be seen as a little heavy for many SMEs, although at the higher end they may want to follow it without seeking certification. At the lower end, the UK Cyber Essentials scheme, which is required for many central government contracts involving sensitive data, is very suitable, inexpensive and obtainable.

More and more SMEs are now moving to a cloud environment, be it Microsoft 365, Amazon Web Services, DigitalOcean or others. I usually recommend that SMEs take this approach, as it can solve a lot of problems, particularly with home working still very much in vogue. However, it is not the panacea that many think it is. Under every provider’s shared responsibility model the customer still owns its identities, access control and the configuration of its own tenant, and that is where the security issues usually, but not always, arise.

Here at H2 we use our long experience of providing cyber security solutions to large enterprises to craft solutions for the SME community, having first identified the issues the business faces. We take an approach that looks at things from the business point of view, managing risk and coming up with cost effective solutions which can be introduced in a phased way, for a subscription price. No large bills to damage that all important cash flow.

Identity and Access Management

Today I’m suffering from what is known in the UK as a stinking cold. I feel like death warmed up, so this week I’ve decided to rehash a piece I did last year on identity and access management. Those of you who have managed to plough your way through some of my earlier stuff will know that I am very big on user awareness training for staff at all levels, believing as I do that it is arguably one of the biggest wins an SME can gain to protect itself against cybercrime. There is however a very close second, and that is identity and access management.

There is mounting evidence that the message is getting through that, although passwords are very important, they most certainly aren’t the panacea many think they are. We can see many organisations moving to two-factor authentication as the norm now. A charity I volunteer for has recently done just that, and not before time considering the amount of personal data they hold. But is that enough?

Compromised credentials are very high on the list of cybercrime-related incidents we see and have to deal with. Protecting these identities can be a very technical matter, and advice and guidance will be needed to ensure you are adequately covered. However it needn’t be overly expensive, nor overly complicated. In fact, I’m a great believer in the simplest solution often being the best one. I’m an adherent of the KISS principle: Keep It Simple, Stupid.

Questions to ask yourself include:

  1. Are your user accounts configured with the minimum level of privilege they need to do their job?
  2. If an employee needs additional privilege to carry out a one-off job, how do you ensure that once it’s completed the privilege is revoked?
  3. What is a privileged account? Typically it belongs to someone who needs additional privileges as part of their daily tasks, such as adding and removing users, auditing actions, or access to more sensitive areas of the network (finance, management data and so on). Are you limiting by policy the roles within your organisation that need privileged accounts, and are you specifying explicitly what those privileges are, by role?
  4. Are your privileged accounts subject to greater levels of auditing and scrutiny?
  5. Do you have a joiners and leavers process to manage active accounts?
  6. Do you have a movers process, i.e. for employees who change roles and require different levels of access to carry out their new role, whether that means adding or removing privilege?

Another issue you may need to consider is any accounts on your network used by third party suppliers. Many companies use ‘just in time’ supply management, which can require third parties to have access to the network. Another example is people like me who, when carrying out things like vulnerability assessments, may be given privileges to scan the network. Is that revoked at the end of the scan? And of course there is the IT company you may have under contract who actively have access to your network for maintenance and might also hold the contract for controlling user privilege. Or perhaps the company maintaining your alarms and security cameras, which you didn’t know were actually using your network to connect to each other and to their control room.
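The questions above (least privilege by role, revoking one-off elevation, joiners, movers and leavers) and the third party accounts just described all come down to one routine check: compare what the directory actually grants against what the business says people should have. The following is an added example in Python, not H2’s tooling or any particular product; the role policy, HR roster, accounts and the ticket reference CHG-0042 are constructed sample data, and the clock is pinned so the run is repeatable.

```python
"""Least privilege, time-boxed elevation and a joiners/movers/leavers check.

Added example, not H2's tooling: a small model of an account directory reconciled
against an HR roster. The role policy, roster and accounts are constructed sample
data; NOW is pinned so the run is repeatable.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 10, 2, 9, 0, tzinfo=timezone.utc)

# Explicit privileges per role: the "by role" policy that question 3 asks for.
ROLE_PRIVILEGES: dict[str, set[str]] = {
    "finance": {"read:ledger", "write:ledger"},
    "sales": {"read:crm", "write:crm"},
    "helpdesk": {"read:users", "reset:password"},
    "it-admin": {"read:users", "write:users", "reset:password", "admin:servers"},
}

@dataclass(frozen=True)
class HRRecord:
    user: str
    role: str
    active: bool  # False once HR has processed the leaver

@dataclass
class Grant:
    privilege: str
    expires: datetime | None = None  # None: standing privilege that comes with the role
    ticket: str | None = None        # change reference for a one-off elevation

@dataclass
class Account:
    user: str
    grants: list[Grant] = field(default_factory=list)
    enabled: bool = True

    def effective(self, now: datetime) -> set[str]:
        """Privileges usable right now: standing ones plus unexpired elevations."""
        return {g.privilege for g in self.grants if g.expires is None or g.expires > now}

def grant_temporary(acct: Account, privilege: str, ticket: str, now: datetime, hours: int = 4) -> Grant:
    """One-off elevation: the grant carries its own expiry and a ticket reference."""
    g = Grant(privilege, now + timedelta(hours=hours), ticket)
    acct.grants.append(g)
    return g

def expire_grants(acct: Account, now: datetime) -> list[str]:
    """Revoke elevations whose window has closed; returns the privileges removed."""
    removed = [g.privilege for g in acct.grants if g.expires is not None and g.expires <= now]
    acct.grants = [g for g in acct.grants if g.expires is None or g.expires > now]
    return removed

def reconcile(hr: list[HRRecord], accounts: dict[str, Account], now: datetime) -> list[str]:
    """Compare the directory with the HR roster and report what the JML process missed."""
    roster = {r.user: r for r in hr}
    findings: list[str] = []
    for name, acct in accounts.items():
        rec = roster.get(name)
        if rec is None:
            findings.append(f"ORPHAN {name}: no HR record (third party, service or stale account)")
            continue
        if not rec.active and acct.enabled:
            findings.append(f"LEAVER {name}: HR says left, account still enabled")
            continue
        standing = {g.privilege for g in acct.grants if g.expires is None}
        excess = standing - ROLE_PRIVILEGES.get(rec.role, set())
        if excess:
            findings.append(f"EXCESS {name} ({rec.role}): standing privileges outside role policy {sorted(excess)}")
        for g in acct.grants:
            if g.expires is not None and g.expires <= now:
                findings.append(f"EXPIRED {name}: {g.privilege} from {g.ticket} past expiry and not revoked")
    return findings

def demo() -> list[str]:
    """Constructed roster and directory with one instance of each failure mode."""
    hr = [
        HRRecord("alice", "finance", True),
        HRRecord("bob", "sales", True),        # mover: was it-admin until last month
        HRRecord("carol", "helpdesk", False),  # leaver
        HRRecord("dave", "helpdesk", True),
    ]
    accounts = {
        "alice": Account("alice", [Grant("read:ledger"), Grant("write:ledger")]),
        "bob": Account("bob", [Grant("read:crm"), Grant("write:crm"), Grant("admin:servers"), Grant("write:users")]),
        "carol": Account("carol", [Grant("read:users"), Grant("reset:password")]),
        "dave": Account("dave", [Grant("read:users"), Grant("reset:password")]),
        "pentest-scan": Account("pentest-scan", [Grant("admin:servers")]),  # scanner account, no HR owner
    }
    # Dave had a 4-hour elevation for a server job yesterday evening; nobody revoked it.
    grant_temporary(accounts["dave"], "admin:servers", "CHG-0042", NOW - timedelta(hours=16))
    return reconcile(hr, accounts, NOW)

def demo_expiry() -> tuple[list[str], set[str]]:
    """The automated half of the fix: sweeping expired grants restores least privilege."""
    acct = Account("dave", [Grant("read:users")])
    grant_temporary(acct, "admin:servers", "CHG-0042", NOW - timedelta(hours=16))
    return expire_grants(acct, NOW), acct.effective(NOW)

if __name__ == "__main__":
    for line in demo():
        print(line)
    print(demo_expiry())
```

Running `demo()` produces one finding each for the mover (bob still holds it-admin privileges in a sales role), the leaver (carol is enabled after HR marked her as gone), the unrevoked one-off elevation (dave) and the ownerless scanner account. The point of `expire_grants()` is that the revocation in question 2 should never depend on someone remembering: the expiry travels with the grant, and a scheduled sweep enforces it.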

What about logging? Every system has a set of logs which can be switched on or off. I often come across networks where logging has been switched off or never activated because it’s considered an overhead you can live without. I disagree with that, quite vehemently. Logging helps you determine what normal looks like. Users carry out a fairly predictable set of functions within their role, from a predictable set of devices at predictable times. If a user steps outside that profile you need to find out why. Is it a user doing something they simply didn’t realise they shouldn’t, or is it something more serious? Is it an identity that has been created or hijacked by a cyber criminal who has gained access? Examination of the logs will help you understand that, and there is software on the market that will help a great deal with this. Two caveats: logs that stay on the machine being attacked can be deleted by the attacker, so ship them somewhere else, and logs nobody looks at are not a control.
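Here is what ‘determine what normal looks like’ means in practice, as an added example in Python rather than any product’s logic. It learns a per-user baseline (which hosts, which hours, which shares) from a learning window of logs and then flags activity in a later window that falls outside it, including a burst of failed logins before a success. The log format and every log line below are constructed for the example; the regular expression is the part you would adapt to your own logs.

```python
"""Baseline-and-deviation checks over authentication and file-access logs.

Added example, not a product. The log format and every line below are
constructed; adapt LINE to the logs you actually have.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|FILE_READ) "
    r"user=(?P<user>\S+) host=(?P<host>\S+)(?: share=(?P<share>\S+))?$"
)

# Constructed learning window: two ordinary working days.
BASELINE_LOGS = r"""
2023-09-04T08:55:02Z LOGIN_OK user=alice host=WS-ALICE
2023-09-04T09:10:11Z FILE_READ user=alice host=WS-ALICE share=\\FS1\Finance
2023-09-05T08:58:40Z LOGIN_OK user=alice host=WS-ALICE
2023-09-05T14:02:13Z FILE_READ user=alice host=WS-ALICE share=\\FS1\Finance
2023-09-04T09:01:07Z LOGIN_OK user=bob host=WS-BOB
2023-09-04T09:30:00Z FILE_READ user=bob host=WS-BOB share=\\FS1\Sales
2023-09-05T09:05:59Z LOGIN_OK user=bob host=WS-BOB
"""

# Constructed live window: alice as usual; bob's account used at night from alice's
# workstation after three failures, then reading a share bob never touches.
LIVE_LOGS = r"""
2023-09-18T09:02:00Z LOGIN_OK user=alice host=WS-ALICE
2023-09-18T09:20:00Z FILE_READ user=alice host=WS-ALICE share=\\FS1\Finance
2023-09-18T23:41:10Z LOGIN_FAIL user=bob host=WS-ALICE
2023-09-18T23:41:15Z LOGIN_FAIL user=bob host=WS-ALICE
2023-09-18T23:41:21Z LOGIN_FAIL user=bob host=WS-ALICE
2023-09-18T23:41:30Z LOGIN_OK user=bob host=WS-ALICE
2023-09-18T23:45:02Z FILE_READ user=bob host=WS-ALICE share=\\FS1\Finance
"""

@dataclass
class Event:
    hour: int
    kind: str
    user: str
    host: str
    share: str | None

@dataclass
class Profile:
    hosts: set[str] = field(default_factory=set)
    hours: set[int] = field(default_factory=set)
    shares: set[str] = field(default_factory=set)

    def usual_hour(self, hour: int) -> bool:
        """Allow an hour either side of the observed working window."""
        return min(self.hours) - 1 <= hour <= max(self.hours) + 1

def parse(text: str) -> list[Event]:
    events = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw)
        if not m:  # unparseable lines deserve a finding of their own in practice
            continue
        hour = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        events.append(Event(hour, m["event"], m["user"], m["host"], m["share"]))
    return events

def build_baseline(text: str) -> dict[str, Profile]:
    """What normal looks like per user, learned from successful activity only."""
    baseline: dict[str, Profile] = defaultdict(Profile)
    for ev in parse(text):
        if ev.kind == "LOGIN_FAIL":
            continue
        p = baseline[ev.user]
        p.hosts.add(ev.host)
        p.hours.add(ev.hour)
        if ev.share:
            p.shares.add(ev.share)
    return dict(baseline)

def detect(baseline: dict[str, Profile], text: str, fail_threshold: int = 3) -> list[str]:
    """Flag each (user, deviation) once; returns human-readable findings."""
    findings: dict[tuple[str, str], str] = {}
    fails: dict[str, int] = defaultdict(int)
    for ev in parse(text):
        p = baseline.get(ev.user)
        if p is None:
            findings.setdefault((ev.user, "unknown"), f"{ev.user}: no baseline (new or injected identity)")
            continue
        if ev.kind == "LOGIN_FAIL":
            fails[ev.user] += 1
            continue
        if ev.kind == "LOGIN_OK":
            if fails[ev.user] >= fail_threshold:
                findings.setdefault((ev.user, "burst"), f"{ev.user}: {fails[ev.user]} failed logins then success on {ev.host}")
            fails[ev.user] = 0
        if ev.host not in p.hosts:
            findings.setdefault((ev.user, "host"), f"{ev.user}: activity from unfamiliar host {ev.host}")
        if not p.usual_hour(ev.hour):
            findings.setdefault((ev.user, "hour"), f"{ev.user}: activity at {ev.hour:02d}:00, outside usual hours")
        if ev.share and ev.share not in p.shares:
            findings.setdefault((ev.user, "share"), f"{ev.user}: first access to share {ev.share}")
    return list(findings.values())

def demo() -> list[str]:
    return detect(build_baseline(BASELINE_LOGS), LIVE_LOGS)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

On the constructed data alice generates nothing and bob generates four findings: a failed-login burst, an unfamiliar host, activity out of hours and a first access to the Finance share. Whether that is bob on a colleague’s machine or a hijacked identity is exactly the question the paragraph above says you need to ask, and without the logs you would never know to ask it.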

And of course, what do you do if you are suspicious of an activity or action by a user?

Protective Monitoring – is it suitable/affordable for SMEs?

An interesting article by the cyber security consultancy Savanti was brought to my attention yesterday. It focused on UK companies and their struggle to address growing cyber security threats, which is especially pertinent to SMEs. In 2022, global cyber attacks saw a 38 per cent increase on the previous year. The rise in cybercrime is not sparing UK businesses, with a total of 2.4 million instances of cybercrime reported within the last 12 months across various industries. The financial impact is also significant. According to Cybersecurity Ventures, the cost of cybercrime to businesses could reach £8.4 trillion annually by 2025, which would make it the third-largest economy in the world after the US and China. Many boards appear to be struggling to understand the intricacies of cyber risk: fifty-nine per cent of directors admitted that their boards are not effective in comprehending the drivers and impacts of cyber risks on their organisations.

Savanti have highlighted a compelling correlation between effective cybersecurity measures and business success. Companies with digitally-savvy, cyber-engaged executive teams experienced higher revenue growth, increased valuations, and improved net margins.

Furthermore, effective cybersecurity practices led to higher success rates when competing for new clients, enhanced data insights, increased investor confidence, and preserved shareholder value during mergers and acquisitions.

There are several measures all companies can take but the issue with SMEs remains a lack of resources and expertise in the field of cyber security.  They are very reliant on outside support and often attempt to get that support from the local IT company that provides their hardware and software, often managing their network. Managed Security Service Providers (MSSP) have long ignored this sector primarily because of cost.  The services they provide traditionally have simply been too expensive.

A good cyber security strategy has always been founded upon strength in depth.  Sound security architecture, good cyber awareness training, solid access control and identity management, and the ability to protectively monitor your estate for threats, vulnerabilities, and risks.  And this latter is what we’re looking at today.

What is protective monitoring, and how would it benefit you? After all, you’re an SME and this all sounds just a bit over the top.

Well, it’s central to the identification and detection of threats to your IT systems. It acts as your eyes and ears when detecting and recovering from security incidents, and it lets you check that devices are being used in accordance with your organisational policies.

Effective monitoring relies on proportionate, reliable logging and device management practices, and there is good published guidance for system and network administrators on the logging and monitoring options available on modern platforms.

What use is it to me, I hear you ask? Well, many incidents have been shown to start on an individual host, from which attackers attempt to strengthen their position through lateral movement techniques: credential theft, account impersonation, use of legitimate network tools, or known exploits in outdated versions of network protocols, to propagate to and compromise additional devices and gain access to further data and services.

In a cloud environment some of these techniques may be less effective or not apply at all, but your users still have to access those cloud services, and monitoring device activity, health and configuration is still important, perhaps more so, when deciding whether or not to permit access to organisational services and data.

The key to making this affordable and appropriate for SMEs, is automation, which is becoming more and more possible using AI enhancements.  I’ve highlighted before that here at H2 we are constantly on the lookout for innovative solutions that allow us to provide appropriate and effective services to our clients, at a price that is affordable.  And we think we’ve found another gem.

This is yet another SaaS service, so no expensive infrastructure costs and no additional software required to run it.  The agents required to scan the data can be installed remotely and within minutes, without your users knowing it’s happening.

We leverage:

  • Generative AI: phishing simulation emails are crafted on the fly from custom inputs, targeted at groups of employees, with pass/fail reporting.
  • Real-time alerts when a threat is verified or action is required.
  • Swift response to cyber events with one-click remediation and powerful integrations.
  • A one-click report summarising your risk across your digital footprint.
  • Demonstrable ROI, reflecting the value of the service in language that resonates at business level.
  • Continuous vulnerability assessment.

The following services are provided as standard:

  • External Risk Assessment
  • Phishing simulation
  • Identity theft protection
  • Secure browsing
  • Cloud apps security
  • Email security
  • Device protection
  • Cyber Awareness programme
  • Automated remediation
  • Continuous threat detection

And as a bonus, if you wish, a cyber insurance policy starting at around £400 annually, priced according to the risks identified within the product, i.e. the more the risk is reduced, the more the premium is reduced.

This whole package is offered as a managed service, so that the risk assessment, risk reduction, reporting and monitoring are all carried out by us, within the incredibly low price shown below.

In the coming days we will be offering a demonstration of the product, followed by an introductory offer of a 7 day free trial and a service priced at a fixed price of £10 per month per user, plus VAT.  No fixed term contract, terminate on 30 days’ notice.

Aligning business strategy with IT/Cyber Security strategy

“If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.” Joe Longo, Chair of ASIC, the Australian Securities and Investments Commission.

Now, SMEs of course don’t generally have to worry about enforcement action regarding their cyber security, but the effects of not taking full ownership can be quite devastating. Cyber is a risk just like any other in running a business, and needs to be treated accordingly.

Cyber security can be both a business and an IT issue.  It’s a business issue because breaches can have a significant financial and reputational impacts.  It’s also an IT issue because it involves implementing technical measures to protect systems and data.  Effective cyber security requires a collaboration between business leaders and IT professionals to address both the strategic and technical aspects of security.

That said, it has to be business-led: the IT and cyber security strategy must reflect the overall business strategy to which all elements of the business adhere. You can outsource your IT, but you can’t outsource your responsibility.

Phishing, ransomware and other scams have certainly concentrated minds somewhat, and these attacks are most definitely not confined to large enterprises but have been hitting, with a lot of success, the small to medium business market. We now have to add AI into the mix, with its capacity to increase cyber attacks at all levels by making the production of code so much easier and available to those less skilled than heretofore.

More than half (54%) of SMEs in the UK experienced some form of cyber attack in 2022, up from 39% in 2020 (Vodafone Study, 2022). So, what can you do to better protect your business? Here are some quick wins you can implement straight away. Ensure that you and your employees are using password management software. Implement strong access controls so that only authorised individuals can reach critical systems and data. Invest in employee training and awareness programmes. But this is just the tip of the iceberg when it comes to cyber security.

As we travel around and visit clients or potential clients, it is common to find that they have the view that adequate security is provided by technology. They rely on their IT provider for the guidance they need, which tends to involve firewalls, anti-malware software and perhaps a backup regime. All well and dandy. A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.’

So, what does he mean? As he’s not here to ask, I suggest what he’s saying is that the technology available can be an essential part of your protection, but it has to be targeted in the right way. That means not only having the right piece of kit doing the right thing, but targeting your IT spend to support your business goals and give maximum return on investment (ROI). It should also be married to good policies and processes that are enforceable, auditable and fully understood by your workforce. To do this you have to understand exactly what your risks, vulnerabilities and threats are, so that your solution to them is targeted for maximum effect and ROI, and so that the technology supports the policies and processes, all underpinned by good security awareness training.

It’s also necessary to have some way of measuring the effectiveness of your solutions, through a protective monitoring solution.  Such solutions have long been considered too expensive for SMEs to even consider, even though protective monitoring provides a set of cybersecurity practices and measures aimed at safeguarding an SME’s digital assets and sensitive information.  H2 is making that affordable and appropriate for SMEs at a price of £10 per seat, and is offering a 14-day free trial of the solution.

But first and foremost, you need to identify the risks that you face.  How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it doesn’t go as expected?  Do I want to take this person on?  Etc, etc, etc.  Whether you formally undertake a risk assessment or assess that risk informally, you are working out what is appropriate, to a level that is consistent with the risk your organisation is prepared to take.  Failure to do that will almost certainly be damaging to your business, perhaps fatally so.

Within SMEs, the difference between assessing day-to-day business risk and assessing risk to information assets is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that, think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Unified Threat Management (UTM) installed, and then probe the servers and workstations?  I could go on.

The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then by the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate to achieve your business aims.  You need to ensure that supporting policies are produced, implemented, understood by employees, and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, the ISO 27000 series, but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme, which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then, and only then, can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset, thus targeting your spend for maximum effectiveness.
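To make that sequence concrete (tolerance agreed at the top, assets identified, each asset scored, spend directed at what exceeds the tolerance), here is a small worked example added for this article.  It is not H2’s method or tooling, and the assets, threats, scores and owners are invented for a hypothetical SME; the 1-to-5 likelihood and impact scales and the product score are one common convention, not a standard mandated by ISO 27000 or Cyber Essentials.

```python
"""Toy information-risk register for a hypothetical SME.

Constructed example, not H2's tooling.  Each information asset (not the box
it sits on) is scored on likelihood and impact from 1 to 5; the product is
the risk score.  Anything above the board-agreed tolerance is flagged for
treatment, highest score first, so the budget goes where it matters most;
everything else is consciously tolerated and recorded as such.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str          # the information asset, e.g. "customer database"
    threat: str         # what could go wrong with it
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (business-ending)
    owner: str          # the board/management member who owns the risk

    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed sample register: hypothetical assets, threats, scores and owners.
REGISTER = [
    Risk("customer database", "ransomware via phishing", 4, 5, "MD"),
    Risk("payroll spreadsheet copies on laptops", "lost or stolen device", 3, 4, "Finance director"),
    Risk("marketing website", "defacement", 2, 2, "Marketing lead"),
    Risk("supplier invoices", "CEO-fraud payment diversion", 3, 5, "Finance director"),
    Risk("office Wi-Fi", "unauthorised guest access", 2, 3, "Ops manager"),
]


def validate(register):
    """Reject scores outside the agreed 1-5 scales and unowned risks."""
    for r in register:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            raise ValueError(f"{r.asset}: likelihood and impact must be 1-5")
        if not r.owner.strip():
            raise ValueError(f"{r.asset}: every risk needs a named owner")


def classify(register, tolerance):
    """Split the register into risks to treat and risks to tolerate.

    'treat' is ordered highest score first (ties broken by asset name) so the
    first entries are where process and technology spend should go; 'tolerate'
    is everything at or below the tolerance the board has agreed to accept.
    """
    validate(register)
    treat = sorted((r for r in register if r.score() > tolerance),
                   key=lambda r: (-r.score(), r.asset))
    tolerate = [r for r in register if r.score() <= tolerance]
    return {"treat": treat, "tolerate": tolerate}


def summarise(register, tolerance):
    """Render the treatment list as a plain-text table for the management meeting."""
    lines = [f"Risks above tolerance {tolerance} (highest first):"]
    for r in classify(register, tolerance)["treat"]:
        lines.append(f"{r.score():>3}  {r.asset:<40} {r.threat:<30} owner={r.owner}")
    return "\n".join(lines)


if __name__ == "__main__":
    # A tolerance of 8 means a 'likely' (4) risk with 'minor' (2) impact is accepted,
    # but a 'possible' (3) risk with 'major' (3) impact is not.
    print(summarise(REGISTER, tolerance=8))
```

Change the tolerance and the treatment list changes with it, which is the point: the board’s appetite, not the IT budget, decides what gets mitigated and what is accepted, and the register records both decisions so they can be reviewed when the business or the threats change.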

Sadly, that’s not the end.  User education is probably the most important element of all for an SME: ensuring that your staff are aware of the policies and why they exist, and protecting yourself against scams, which sadly form the biggest danger to SMEs, rather than hacks.  Scams can be very low tech, or high tech using malware, but however they come in, your staff need to be aware of them.
