Author: Kevin Hawkins

Supply Chain Threats and Vulnerabilities

Supply chain attacks: what are they and why do they matter to an SME?  Many larger companies rely on smaller ones to provide key components that they require in their manufacturing or other processes.  That supply chain is critical to their operations and is therefore required to be robust and secure.  An attacker is constantly looking for weak links in cyber defences that can be exploited for financial gain.  They will look at an SME as such a weak link, expecting the SME to have a lower understanding of the threat and lower expenditure on defence.  They will be looking to piggyback on loopholes in the supplier’s defences to attack their main target.

Manufacturers often use what is known as ‘just in time supply’, i.e. they have an electronic connection to their key suppliers, who are connected to the company’s inventory and automatically resupply when an item runs low.  It’s efficient and prevents the holding of unnecessary stock.  But it can, if not done correctly, drive a coach and horses through your security.

Cybersecurity, IT governance, and data security will be the number one risks in 2023. Ransomware has been a significant threat in 2022, but the nature of cyberattacks is constantly evolving.

The goal of such attacks is to grab whatever the target has that is of value to the attacker, so it can include infecting legitimate applications in order to distribute malware, accessing IPR (designs, plans, source code, build processes etc.), inventory theft, inserting false invoicing into your system, and so on.  In fact, if you can think of something that might damage your company, you can bet that the cyber criminals have already thought of it.

In short, a supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply chain.

An example of such an attack was published by NCSC and points out that many modern businesses outsource their data to third party companies which aggregate, store, process, and broker the information, sometimes on behalf of clients in direct competition with one another.

Such sensitive data is not necessarily just about customers, but could also cover business structure, financial health, strategy, and exposure to risk. In the past, firms dealing with high profile mergers and acquisitions have been targeted. In September 2013, several networks belonging to large data aggregators were reported as having been compromised.

A small botnet was observed exfiltrating information from the internal systems of numerous data stores, through an encrypted channel, to a botnet controller on the public Internet. The highest profile victim was a data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing, and supply chain management. While the attackers may have been after consumer and business data, fraud experts suggested that information on consumer and business habits and practices was the most valuable.

The victim was a credit bureau for numerous businesses, providing “knowledge-based authentication” for financial transaction requests. This supply chain compromise enabled attackers to access valuable information stored via a third party and potentially commit large scale fraud.

NCSC also cited what is known as a watering hole attack, which works by identifying a website that’s frequented by users within a targeted organisation, or even an entire sector, such as defence, government, or healthcare. That website is then compromised to enable the distribution of malware.

The attacker identifies weaknesses in the main target’s cyber security, then manipulates the watering hole site to deliver malware that will exploit these weaknesses.

The malware may be delivered and installed without the target realising (called a ‘drive by’ attack) but given the trust the target is likely to have in the watering hole site, it can also be a file that a user will consciously download without realising what it really contains. Typically, the malware will be a Remote Access Trojan (RAT), enabling the attacker to gain remote access to the target’s system.

Steven A. Melnyk, Professor of Supply Chain Management at Michigan State University said, “The problem with small to medium sized enterprises is that they are in the unique position of having disproportionate access to important information. They are often mission critical suppliers that produce niche products. They are protected by governmental regulations and requirements. However, they generally have the weakest cybersecurity arrangements in terms of size, resources, and expertise. They open up large clients to leapfrog cyber security attacks.”

Melnyk cited the example of a well-respected American chemical company that was hacked through its supply chain. The hackers obtained information about customers and orders, including quotes. They saw details of items that the company – which was renowned for innovation – was getting ready to patent, he revealed. “The hackers altered the master production schedule; they changed due dates, order quantities and order quality levels. Deliveries were compromised. A new supplier then entered the market, with the precise items that the customers wanted, at prices under the current variable costs. This supplier also patented the firm’s innovations.”

The growth of the digital economy and digital supply chain is contributing to the growing cyber security threat, with four billion people predicted to be connected to the Internet daily in 2020.  In 2021, it is estimated that attacks of this nature have so far increased globally by around 42%.

There are of course things that you can do to protect yourself and your clients.  There are several technical defences that you can implement.  The problem generally remains that SMEs have a tight budget and no internal resource to combat this issue.

The first thing cyberattackers do after breaching a defence is move laterally throughout the ecosystem in search of privileged accounts.  This is because privileged accounts are the only accounts that can access sensitive resources. When a privileged account is found, sensitive data access is attempted. This predictable attack sequence is known as the Privileged Pathway – it’s the common attack trajectory followed by most cybercriminals.  The trick is to disrupt an attacker’s progression along this pathway so that breach attempts, and therefore supply chain attacks, can be prevented.

An effective Privileged Access Management (PAM) framework will disrupt this common attack trajectory and is highly recommended.

That said, I have always been a great advocate that the biggest ‘quick win’ any company can achieve, at minimum cost, is staff awareness.  Staff are the primary gateways to malicious code injections because they’re usually tricked into permitting cybercriminals access into an ecosystem.

The most common form of trickery is scam emails (or phishing attacks), which I have discussed in previous posts. These emails seem like they’re sent from trustworthy colleagues, but upon interacting with them malicious code is activated and internal login details are stolen, which in turn could grant criminals access to a system, initiating the hunt for higher privileged accounts.

To prevent such incidents, all staff need to be educated about common cyberattack methods so that they can identify and report breach attempts, rather than falling victim to them.

There is so much more to this subject, and it is a matter for each company to assess how much of a problem they think this is to them.  Understanding the threats to the business, how vulnerable you are to those threats, and therefore what risks you are taking and how severe they are, is key to every element of cyber security.  SMEs remain vulnerable because they rarely have any in-house resource to understand those risks and take the right actions to mitigate them.


The dangers of Wi-Fi in your local coffee shop

This is a subject that I tend to jump on every so often, because it’s one that people just don’t seem to get. I dropped into a coffee shop yesterday for my caffeine infusion, and there were a couple of people with their laptops open, working away on business issues. I could see open spreadsheets (easy to read if you were sitting behind them), and all had their email open. One was on a video call, and I heard all of her side of the conversation: annoying enough for other café users, but she wasn’t aware at all of the data she was releasing into the wild.

Of course, this is nothing new, it’s been ‘a thing’ for years now, but is it a safe thing to be doing?  A recent survey suggests that a high proportion of the connections to unsecured Wi-Fi networks result in hacking incidents, often from working in coffee shops, restaurants, airports, and other public places.

If you are among those Wi-Fi lovers, there’s bad news for you: your online privacy and security are at risk as long as you rely on the weak to non-existent Wi-Fi security protocols at coffee shops.  This means that you could be exposed to various threats such as identity theft (which has over 15 million cases each year), data theft/breaches, and introducing malware to your business network and that of your customers/suppliers.  This list is not exhaustive.

Free or public Wi-Fi networks are hotspots for hackers and data snoopers who want to steal your private data or financial information. Needless to say, it is pretty easy for hackers to do that nowadays. You would be surprised at the different ways hackers can compromise your device or your private information, and why you shouldn’t rely on Wi-Fi security at coffee shops, as it comes with a lot of risk.

One of the favourites is the Man-In-The-Middle (MITM) attack.  As the name suggests, it is a type of attack where the attacker intercepts a transmission between two parties by inserting themselves between your network connection and the server. This is quite easy to do with limited or no security on the Wi-Fi router.  The attacker can record the data for later viewing and even change or modify it.

MITM attacks are usually caused by exploiting vulnerabilities, through malware or malicious tools like a ‘hotspot honeypot’.  An MITM attack is perhaps the most common type of Wi-Fi attack. In fact, a security survey of 500 CIOs and IT decision makers from 5 countries, conducted by iPass on mobile security, reveals that MITM poses the greatest threat to mobile security.

Another favourite is the network scanner.  The Internet is brimming with network scanning tools that are built to compromise networks or devices.  They work by:

  • Mapping the network to find all the devices that are connected to it
  • Retrieving details of the operating system and finding vulnerabilities such as open ports
  • Using the open ports to try to connect directly to the device by any means necessary, such as password cracking

There is evidence to suggest that hotspot spoofing is the third greatest threat to mobile security (after lack of encryption, which is almost never implemented in coffee shops).  Wi-Fi lovers don’t think twice about which network they are connecting to and whether it is safe or not.

Hackers are well aware of the psychology of Wi-Fi users and exploit it by creating spoofed hotspots.  These hotspots may carry the coffee shop’s name, but in reality they are fake networks created by hackers.  When you join a fake or malicious hotspot, the attacker can trick you into entering your credentials on fake websites, or use the connection to gain access to your company network. For instance, when you try to purchase something online using your credit card, the hacker might present a fake website and retrieve your credit card number.
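As an added example (not part of the original post), these are the checks a cautious user or an endpoint agent could apply to a Wi-Fi scan before joining: open networks are flagged, and a known SSID now advertised with weaker security than it used before is treated as a possible spoofed hotspot. The scan listing, SSIDs and BSSIDs are constructed for illustration.

```python
"""Flag risky networks in a Wi-Fi scan listing.

Two checks that map to the threats discussed above: open (unencrypted)
networks, and a known SSID being advertised with weaker security than the
one you joined before, which is a typical sign of a spoofed hotspot."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Strength order used to spot a "downgrade" of a known network.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str        # access point MAC address
    security: str     # one of the SECURITY_RANK keys
    signal_dbm: int   # closer to 0 means a stronger signal


# Constructed sample scan (hypothetical values, not captured data): the shop's
# real WPA2 network alongside an open network advertising the same name.
SAMPLE_SCAN = [
    Network("CoffeeShop_Guest", "aa:bb:cc:00:11:22", "WPA2", -48),
    Network("CoffeeShop_Guest", "de:ad:be:ef:00:01", "OPEN", -35),
    Network("Bakery_WiFi", "aa:bb:cc:99:88:77", "WPA3", -70),
    Network("FreeAirportWifi", "00:11:22:33:44:55", "OPEN", -60),
]

# Networks the user has joined before and the security they used then.
KNOWN_NETWORKS = {"CoffeeShop_Guest": "WPA2", "Bakery_WiFi": "WPA3"}


def assess(scan: List[Network], known: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {ssid: [warning, ...]} for every SSID that raised at least one warning."""
    by_ssid = defaultdict(list)
    for net in scan:
        by_ssid[net.ssid].append(net)

    findings = {}
    for ssid, nets in by_ssid.items():
        warnings = []
        # Judge an SSID by the weakest access point that advertises it.
        weakest = min(nets, key=lambda n: SECURITY_RANK[n.security])
        if weakest.security == "OPEN":
            warnings.append(
                f"{weakest.bssid} is unencrypted: anyone in range can read or alter traffic")
        if ssid in known and SECURITY_RANK[weakest.security] < SECURITY_RANK[known[ssid]]:
            warnings.append(
                f"{weakest.bssid} offers {weakest.security} but this network previously "
                f"used {known[ssid]}: possible spoofed hotspot, do not join")
        if warnings:
            findings[ssid] = warnings
    return findings


def safe_to_join(ssid: str, scan: List[Network], known: Dict[str, str]) -> bool:
    """True only when the SSID is present in the scan and raised no warning."""
    present = any(n.ssid == ssid for n in scan)
    return present and ssid not in assess(scan, known)


if __name__ == "__main__":
    for name, warns in assess(SAMPLE_SCAN, KNOWN_NETWORKS).items():
        print(name)
        for w in warns:
            print("  -", w)
```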

With such details in the wrong hands, you might fall victim to threats like identity theft. The cybercriminal could:

  • Use your national insurance number to get a job or apply for benefits
  • Take out loans in your name
  • Rent properties, even get a mortgage
  • Gain access to your company network and install back doors, false identities etc. to enable them to return time and again

Coffee shops are the most popular spots for people to sit and relax, drink coffee or eat their preferred food items. Perhaps their popularity is what makes them dangerous when it comes to mobile security.  When you rely too much on the Wi-Fi security at coffee shops, you fall into the traps that hackers have laid out for you.

Coffee shops may be considered dangerous venues when it comes to your online security. However, it doesn’t need to be that way!  Security awareness amongst employees and individuals is of paramount importance, and there are a number of technical implementations that can be undertaken to allow this practice to continue safely.

Ransomware and SMEs

REvil, Wizard Spider, Grief, Ragnar: they sound like they should be in a Marvel comic.  But there’s nothing funny about these guys.  Ransomware gangs, operating in countries that do not cooperate with international law enforcement agencies and not caring who they attack (including healthcare organisations), are on the increase.

Ransom money in the millions has been paid by some very respectable companies in order to recover access to their data and keep their companies going.  A quick trawl of the internet shows how diverse ransomware targets are.  Whilst the largest target area appears to be the US, the UK targets have included Amey, Hackney Council, Wentworth Golf and Country Club, Scottish Environment Protection Agency, UK Research and Innovation and, last month, Serco (source: Blackfrog).

The way it works remains much the same regardless of the method used.  Criminal gangs hack into connected IT systems, lock access to them, and then sell a decryption key in exchange for payment in bitcoin.  They have targeted schools, hospitals (you may remember the well reported attack on the NHS a couple of years ago), councils, airports, government bodies (local and central) and insurance companies; this list is far from exhaustive.

Anyone who is connected to the internet is vulnerable to a ransomware attack.  An emerging sweet spot, though, is mid-sized companies that generate enough revenue to make them a target but aren’t yet large enough to have dedicated cybersecurity resources on board.

Make no mistake, these hackers operate as organised gangs who compartmentalise themselves into specialties.  Some specialise in identifying compromised systems and gaining access, whilst others handle the ransom negotiations.  It is not uncommon for an investigation to see cryptocurrency transferred into many different cyberwallets.  These gangs tend to have a ‘signature’ which is often recognisable.  REvil and Pysa have flair, whilst Ryuk are somewhat robotic in their approach.

A worrying trend is that recently, these gangs have pivoted into extorting individuals.  If victims don’t pay, their data is dumped online, or sold on the dark web to the highest bidder, and of course, there is no way of ensuring that the data isn’t sold anyway, regardless of the victim paying up.

Of course, most people don’t have incriminating or embarrassing data on their private systems, but some do, particularly important people in the public eye for whom data release can be at least damaging, if not crippling.  According to a report from cybersecurity software firm Bitdefender, attacks increased by 485% in 2020 alone. “It’s taken off since Covid because we have more people working from home,” says Sophia, a crisis communications expert who specialises in advising companies who have been targeted by ransomware hackers. Poorly secured remote access logins are a common route in. “More of a digital environment leads to more points of entry for the attackers,” she says. “The last year and a half has been a whole new ballgame.”

So, if you are running a medium size business, or perhaps running a local organisation using your own home systems where you have personal data belonging to others which you are obliged to protect under the DPA2018/GDPR, then you are a target and you need to take some precautions against an attack of this nature.  If you want to know more please don’t hesitate to contact us for a chat.  We specialise in looking after SMEs and understand your challenges.

Risk Assessment – An Essential Element for all Business large and small

I’ve talked a lot in the past about targeting your spend to ensure that your money goes on protecting what is really important to you, ensuring that the protections you have spent money on are in the right place, configured to protect what really needs protecting, maintained correctly and, of course, effective.  So how do you do that?  Do you just take a good guess at what is needed?  Of course not, but it’s still a valid question.  Did whoever built your network install a firewall?  Did they set up an effective anti-malware regime, i.e. one that is constantly updated using a process that users can’t stop if it becomes inconvenient?  That happens, believe me.  Is all of this necessary?  Almost certainly.

A lot of these questions can be relatively easily answered.  To start with you need to:

  • Determine the Data Assets (computers, mobiles, filing cabinets, whiteboards, servers, people etc., i.e. everywhere that data is held, whether hard copy, virtual copy or in someone’s head).
  • Run through each Data Asset (or group of them) against the Controls and Procedures in accordance with your security policies (if you haven’t got security policies then that’s a whole other discussion) to determine which should apply and how they are currently being applied. It’s very useful to use a standard such as ISO 27001 for this, even if you have no intention of applying for certification.

But now the difficult part: assessing the risks and what controls would be adequate to remediate them.  This ensures you are placing the right controls, be they procedural or technical, in the right places, and not wasting time, money and effort putting in controls that aren’t actually needed or are in the wrong place.

If you have a system to help you with this, then that really is the way to go.  Here at H2 we have partnered with Secure Business Data to enable us to use, and where appropriate to sell, 27K1 ISMS, a risk assessment tool that is specifically targeted at SMEs and is therefore very competitively priced. It can come with an annual or a monthly fee, whichever you prefer.  We have adopted this system for use with our Risk Assessment Service, which is carried out in three phases:

  • Phase 1 – H2 conducts an assessment reviewing your existing information security, data protection protocols, technical security controls, and processes and procedures to determine their effectiveness and appropriateness, using 27K1 ISMS.
  • Phase 2 – Working to your timescale and budget, H2 implements the findings from the risk assessment process carried out with 27K1 ISMS. This could include introducing simple changes to your processes, all the way through to implementing technical solutions that provide effective protection from threats.
  • Phase 3 – Education, ongoing security management, review and maintenance.

Consequences of a data breach

Despite a greater emphasis being placed on data security, data breaches are on the increase.  Whether through sophisticated social engineering techniques or more technical attacks, cybercriminals are trying every available tactic to profit from this sensitive information.

According to one report, within the first nine months of 2019, 5,183 breaches were reported, exposing over 7 billion compromised records. This was up 33.3% on the previous year, and the number of records exposed more than doubled (up over 100%).

In a recent study, more than half of the respondents (57%) said they do not have a cyber security policy in place, rising to more than two-thirds (71%) of medium-sized businesses (250 to 549 employees).  This is somewhat shocking considering the potential consequences, exposing companies to significant risk and placing them under the microscope with both customers and regulators.

This week we will publish one significant potential consequence each day, starting with:

Financial Loss

The financial impact of a data breach is one of the hardest-hitting consequences for organisations.  It is estimated that the cost of a data breach has risen 12% over the past five years.  If the loss results from a ‘scam’ via phishing, for example, it may not even be noticed for some time, perhaps not until the next financial audit.

The hit can include compensating customers, responding to the incident, investigating the breach, investment into new security measures, legal fees, not to mention the eye-watering regulatory penalties that can be imposed for non-compliance with the DPA 2018 and GDPR.

Tomorrow we’ll take a look at reputational damage.

Reputational damage

The reputational damage resulting from a data breach can be devastating for a business. It is estimated that up to a third of customers in retail, finance and healthcare will stop doing business with organisations that have been breached. Additionally, the majority will tell others about their experience, and 33.5% will post on social media.

In today’s world of instant communication, organisations can become a national, even global, news story within a matter of hours of a breach being disclosed. This negative press, coupled with a loss in consumer trust, can cause irreparable damage to the breached company.

Consumers are all too aware of the value of their data and if organisations can’t demonstrate that they have taken all the necessary steps to protect this data, they will simply leave and go to a competitor that takes security more seriously.

Reputational damage does not go away and can impact an organisation’s ability to attract new customers, future investment and even new employees to the company.

Legal Action

Under the DPA 2018 and GDPR, organisations are legally bound to demonstrate that they have taken all the necessary steps to protect personal data. If this data is compromised, whether it’s intentional or not, individuals can seek legal action to claim compensation.

We recently posted a piece on a UK legal firm offering a no win, no fee service for anyone who suspects their data may have been compromised.  There has been a huge increase in the UK as victims seek monetary compensation for the loss of their data.

Equifax’s 2017 data breach affected more than 145 million people worldwide and the company has paid out more than $700 million in compensation to affected US customers. Whilst this is at an extreme end, SMEs could find themselves risking compensation of around £5k per person whose data is compromised.  As it rarely affects only one individual, how many SMEs would be able to withstand such claims in the hundreds, followed by action by the ICO that could see a fine in six figures?

As the number of breaches continues to rise, we can expect to see more of these group cases being brought to court.

Operational Downtime

Business operations can be heavily disrupted in the aftermath of a data breach. Organisations will need to contain the breach and conduct a thorough investigation into how it occurred and what systems were accessed. Operations may need to be completely shut down until investigators get all the answers they need. This process can take days, depending on the severity of the breach. The knock-on effect on revenue can be substantial.

Loss of Sensitive Data

If a data breach has resulted in the loss of sensitive personal data, the consequences can be devastating. Personal data is any information that can be used to directly or indirectly identify an individual, whether held electronically or on paper. This will include everything from a name to an email address, IP address and images. It also includes sensitive personal data such as biometric data or genetic data which could be processed to identify an individual.

If a critical patient had their medical records deleted in a data breach it could have a serious effect on their medical treatment and ultimately their life. Biometric data is also extremely valuable to cybercriminals and worth a lot more than basic credit card information and email addresses. The fallout from breaches that expose this data can be disastrous and exceed any financial and reputational damage.

Regardless of how prepared your organisation is for a data breach, there is no room for complacency in today’s evolving threat landscape. You must have a coordinated security strategy in place that protects sensitive data, reduces threats and safeguards your brand’s reputation.

Cyber Security and the Small to Medium Enterprise

The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security breach.  For the small business this could result in costs of around £1400; for the medium business, considerably more.  One has just been hit for around £30000, which I am sure you will agree can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers’ data and assets be affected as well.

As we travel around and visit clients or potential clients, it is common to find that they take the view that adequate security is provided by technology.  They rely on their IT provider for the guidance they need, which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.’

So what does he mean?

As he’s not here to ask, I suggest that he’s saying that the technology available can be an essential part of your protection, but it has to be targeted in the right way.  That means not only having the right piece of kit doing the right thing, but targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable, auditable and fully understood by your workforce.  To do this you have to understand exactly what your risks, vulnerabilities and threats are, so that your solution to them is targeted for maximum effect and ROI, the technology supports the policies and processes, and all of it is underpinned with good security awareness training.

What is the risk? How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it doesn’t go as expected?  Do I want to take this person on?  Etc.  Whether you formally undertake a risk assessment or assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take. Failure to do that will almost certainly be damaging to your business, perhaps fatally so.

Within SMEs the difference between assessing day to day business risk and assessing risk to information assets is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that, think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Unified Threat Management installed, and then probe the servers and workstations?  I could go on.

The first thing to understand is that these risks are owned by the board, or if you don’t have a formal board, the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate in order to achieve your business aims.  You need to ensure that supporting policies are produced, implemented, understood by employees and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

Sadly that’s not the end.  User education is probably the most important element of all for an SME: ensuring that your staff are aware of the policies and why they exist.  Protect yourself against scams, which sadly form the biggest danger to SMEs, rather than hacks.  Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

What has risk management got to do with Cyber Security?

Okay, in a conversation I was having last week about the new EU and UK data protection regulations and legislation, someone said to me: “what on earth do they [DPA 2018 & GDPR] mean when they say you have to take a Risk Based Approach to ensuring data protection?”

Good question, I thought, and I could only come back to something I believe to be the core foundation stone for anything related to security, whatever sexy label you want to put on it: the application of sound Information Risk Management (IRM) techniques is central to every aspect of keeping information safe, whether that involves any one or a combination of the people, process and technology aspects of collecting, using, communicating or storing information in any form.  Without this, you simply will never be as secure as you should be.

Oh yes, and I hear you say, there’s no such thing as 100% security. Whatever percentages you care to bandy about, the highest levels will only be achievable if you use IRM techniques to understand the risks you face and identify the most appropriate, affordable and accreditable secure solution.

Understand what value your information has to you. Every bit of information your business holds falls into one of at least three categories, highly sensitive, confidential or public, and as a result has a value that can have either a positive or a negative financial impact on the business. It is therefore important that you understand what the “value at risk” is to the business should you find that information has been compromised, meaning stolen or no longer available to you.

There is always a direct and an indirect value at risk: actual cost impacts, and consequential or collateral cost impacts. Understanding these costs informs your decisions on risk reduction controls, which may be “organisational” or “technological”. More importantly, this knowledge will make sure you don’t spend too much time, effort and cash on inappropriate “all singing and dancing” bits of technology when simple people, process and procedural controls will be sufficient, and of course the opposite.

So, to answer the direct question, “what on earth do they [DPA 2018 & GDPR] mean when they say you have to take a Risk Based Approach to ensuring data protection?” Simples… use a good information risk management technique, like the H2 methodology, and you will have succeeded in meeting the requirements of the DPA 2018 and GDPR in terms of both Privacy by Design and Default and taking a Risk Based Approach to data protection.

We at H2 have a great deal of experience in helping companies understand that Value at Risk. We would be delighted to discuss our methods with you and even demonstrate how we conduct our IRM reviews.

Internet of Things

There’s a lot being said in various quarters about the Internet of Things (IoT), but whenever it comes up in conversation with senior people in the SME world, even those businesses that are definitely in the Medium bracket with turnover of 25m upwards, it raises a titter or two.

Why would that be? All the usual light-hearted comments about being hacked by your kettle, or held to ransom by your toaster, come out in the conversation. And I suppose there can be some amusement to be had. But there is a serious side to this. The graphic below, which I have unashamedly stolen from The Joy of Tech, whilst light-hearted, gives clues to potential disasters.

Whilst we are some way away from having smart appliances in most SME workplaces that could be used to jump onto the more serious elements of a network, we are already at a place where some functions, perceived as routine, even mundane, can be used to jump onto other network devices. For instance, most have security cameras and alarm systems. Many of these are IP based and are connected via the LAN. OK, but many are also remotely maintained by a variety of suppliers. I have found it not uncommon for these suppliers to arrange their own backdoor into the system to maintain it, often without the client actually knowing how that is done. This provides a very neat circuit around the router and firewall and, when most SME networks are flat, access onward to all parts of the network.

This of course is not the only example, but it shows how poor security architecture, often put in place by local network providers, can have a quite seriously detrimental effect. So what I am saying is that as many more devices become ‘smart’ and interconnected via the LAN, security architecture becomes just as important for the SME as it does for the larger enterprise. The problem is that the awareness and support within the SME community and their suppliers tends to be lacking.

Does Risk Management Matter?

Risk management is all about helping us to create plans for the future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day to day basis.

We need to manage risk to enable us to make the best possible decisions, based on our analysis of future events and outcomes. Whilst the future can be anticipated, there are limits.

A good starting point is an acceptance that risk can’t simply be abolished. Risk must be recognised and then managed in some way or other, and classified in some way; many choose a simple High, Medium and Low. This can be easier said than done, as we would all like to abolish risk, as if that were an easy and simple option.

You will often hear the claim, ‘We have no clear definition of risk’. How on earth can we manage something that we haven’t defined? Fair enough. Given this, how can we really know what everybody else means when they talk about ‘risk’?

We can see the lack of a single, agreed definition as an essential aspect of risk management. The fact that organisations won’t necessarily know exactly how everyone defines ‘risk’ forces us to explain to each other what we mean. It makes us ask questions and challenge assumptions.

Simply put, of course, a definition for an individual organisation may be no more than this question, asked of each business asset or process: ‘what would the risk to the business be if this process/asset was corrupted, denied, compromised or lost?’ This gives us four risks for each asset (data corruption, denial of access, loss, and compromise of data, hardware, software etc.), and it allows us to immediately assign a level of High, Medium or Low to each risk, depending upon the perceived hit on the bottom line.
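The value-at-risk idea from the data protection section above and the four-question definition just given combine naturally into a small risk register. The following is an added worked example, not code from the original post and not the H2 methodology itself: each asset is assessed for the four events (corrupted, denied, lost, compromised), each assessment carries a direct and an indirect cost whose sum is the value at risk, and a High/Medium/Low rating is derived from that sum. The rating thresholds, the sample assets and all the cost figures are constructed assumptions for illustration; an SME would set them from what its own bottom line can absorb.

```python
from dataclasses import dataclass, field

# The four events the article names for each business asset or process.
EVENTS = ("corrupted", "denied", "lost", "compromised")
RATINGS = ("Low", "Medium", "High")


@dataclass
class Exposure:
    """Estimated impact of one event on one asset, in the business's currency."""
    direct_cost: float    # actual cost: rebuild, replacement, fines, overtime
    indirect_cost: float  # consequential/collateral cost: lost orders, reputation

    @property
    def value_at_risk(self) -> float:
        return self.direct_cost + self.indirect_cost


@dataclass
class Asset:
    name: str
    classification: str  # "highly sensitive", "confidential" or "public"
    exposures: dict = field(default_factory=dict)  # event name -> Exposure


def rate(value_at_risk: float, high: float = 50_000, medium: float = 5_000) -> str:
    """Map a value at risk to High/Medium/Low.  The thresholds are assumptions
    chosen for this example, not figures from the article."""
    if value_at_risk >= high:
        return "High"
    if value_at_risk >= medium:
        return "Medium"
    return "Low"


def build_register(assets):
    """One row per (asset, event), costliest first.  An event nobody assessed
    raises rather than being skipped: an unassessed risk is not a low risk."""
    rows = []
    for asset in assets:
        for event in EVENTS:
            if event not in asset.exposures:
                raise ValueError(f"{asset.name}: '{event}' has not been assessed")
            var = asset.exposures[event].value_at_risk
            rows.append({
                "asset": asset.name,
                "classification": asset.classification,
                "event": event,
                "value_at_risk": var,
                "rating": rate(var),
            })
    rows.sort(key=lambda r: r["value_at_risk"], reverse=True)
    return rows


def worst_rating_per_asset(register):
    """Headline rating for each asset: the highest rating any single event reached."""
    worst = {}
    for row in register:
        current = worst.get(row["asset"], "Low")
        if RATINGS.index(row["rating"]) >= RATINGS.index(current):
            worst[row["asset"]] = row["rating"]
    return worst


# Constructed sample figures for a small online retailer (illustration only).
SAMPLE_ASSETS = [
    Asset("customer database", "highly sensitive", {
        "corrupted":   Exposure(direct_cost=8_000,  indirect_cost=4_000),
        "denied":      Exposure(direct_cost=3_000,  indirect_cost=6_000),
        "lost":        Exposure(direct_cost=15_000, indirect_cost=20_000),
        "compromised": Exposure(direct_cost=20_000, indirect_cost=60_000),
    }),
    Asset("public website", "public", {
        "corrupted":   Exposure(direct_cost=500,   indirect_cost=1_500),
        "denied":      Exposure(direct_cost=200,   indirect_cost=1_800),
        "lost":        Exposure(direct_cost=1_000, indirect_cost=500),
        "compromised": Exposure(direct_cost=800,   indirect_cost=3_000),
    }),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ASSETS)
    for row in register:
        print(f"{row['rating']:6} {row['value_at_risk']:>8,.0f}  "
              f"{row['asset']} / {row['event']}")
    print(worst_rating_per_asset(register))
```

Sorting by value at risk rather than by classification is deliberate: the public website is ‘public’ information, yet denial of access to it still carries a cost, while the highly sensitive customer database is rated High only for the compromise event. That is the point of the article: spend follows the costliest exposure, not the label on the data.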

It’s a false and dangerous notion that you can fully understand and manage all risk. Instead you should approach this with a sense of realism and pragmatism. Breaches of cyber security can and do happen to anyone, even the most diligent.

Don’t try to chase the Holy Grail of perfectly secure systems and a risk-free business; just make sure that you have thought about what can go wrong, and that this thinking has influenced your decisions.

Don’t despair: you can still protect yourself from many cyber attacks by following good risk management techniques that define what controls you need to put in place, be they procedural or technical in nature.

A little bit more about Phishing protection and awareness

Think phishing is old news? You won’t believe why it’s still the number one nightmare for CEOs and business owners. Ever find it odd that phishing, an old trick in the cyberbook, keeps CEOs awake at night? Guess what, it’s not budging from that top spot.

Here’s the deal: cyber villains always stay ahead. If you develop a shield, they craft a spear. They’re all out to make your employees act impulsively, falling into traps on all communication fronts.

Ever thought about arming your business against phishing, without the tech jargon? Let’s discuss uncomplicated, everyday measures to secure your digital turf.

  1. Training: Educating your team about phishing scams is the first step. A well-informed team can spot such scams.
  2. Double-checking: Emails from ‘official’ sources often aren’t. Encourage your team to verify before replying.
  3. Regular updates: Keep your systems and software updated; updates often include security enhancements.

Phishing is a persistent threat, but with the right non-technical measures, your business can uphold security. Ready to fortify your cyber defences? I’m here to help.

Questioning the effectiveness of your cyber defence is valid. But to provide any assurance about your training methods, we need to monitor and measure.

Explore our Protective Monitoring service. For just a tenner per user, it’s a shockingly affordable way to both test your defences and uplift your team’s cyber consciousness – all under that ten-pound note. Zilch hidden charges, and a 14-day free trial to sweeten the deal.

From simulating phishing to rooting out insider liabilities, and safeguarding email privacy to mobile security – we’ve got you covered with a whopping 28 distinct campaigns. Are you prepared to test your cyber fortitude?

These campaigns won’t help against point number 3, regular updates. For most, that will mean ensuring that automatic updates on desktops, laptops, tablets etc. are switched on and can’t be switched off. But of course, installing these updates can be a problem, and users regularly try to find ways to delay or cancel them because they find them an irritation. And you are at the mercy of cloud providers and other suppliers to ensure that their systems are patched fully, and on time. What if you were running an anti-malware system that made updates and patches far less urgent (not obsolete, though that would be nice) because it stops executable files from running unless you have said they can? Give us a call to discuss; it really is innovative.

Here’s a challenge for you: Take the right steps to fortify your cyber walls.
