Author: Kevin Hawkins

What has risk management got to do with Cyber Security?

Okay, in a conversation I was having last week about the new EU and UK data protection regulations and legislation, someone said to me: “what on earth do they [DPA 2018 & GDPR] mean when they say you have to take a Risk Based Approach to ensuring data protection?”

Good question, I thought, and I could only come back to what I believe is the foundation stone for anything in this field, whatever sexy label you want to put on it: the application of sound Information Risk Management (IRM) techniques is central to keeping information safe, whether the risk comes from any one or a combination of the people, process and technology aspects of collecting, using, communicating or storing information in any form. Without this, you simply will never be as secure as you should be.

Oh yes, I hear you say, there’s no such thing as 100% security. Whatever percentage you care to bandy about, the highest levels will only be achievable if you use IRM techniques to understand the risks you face and identify the most appropriate, affordable and accreditable secure solution.

Understand what value your information has to you. Every bit of information your business holds falls into one of at least three categories (highly sensitive, confidential or public) and as a result has a value that can have either a positive or a negative financial impact on the business. It is therefore important that you understand what the “value at risk” to the business is should you find that information has been compromised, that is, stolen or no longer available to you.

There is always a direct and an indirect value at risk: actual cost impacts, and consequential or collateral cost impacts. Understanding these costs informs your decisions on risk reduction controls, which may be “organisational” or “technological”. More importantly, this knowledge will make sure you don’t spend too much time, effort and cash on inappropriate “all singing and dancing” bits of technology when simple people, process and procedural controls will be sufficient, and of course the opposite.

So, to answer the direct question, “what on earth do they [DPA 2018 & GDPR] mean when they say you have to take a Risk Based Approach to ensuring data protection?” Simples: use a good information risk management technique, like the H2 methodology, and you will have succeeded in meeting the requirements of the DPA 2018 and GDPR in terms of both Privacy by Design and Default and taking a Risk Based Approach to data protection.

We at H2 have a great deal of experience in helping companies understand that Value at Risk. We would be delighted to discuss our methods with you and even demonstrate how we conduct our IRM reviews.

Internet of Things

There’s a lot being said in various quarters about the Internet of Things (IoT), but whenever it comes up in conversation with senior people in the SME world, even those businesses that are definitely in the Medium bracket with 25m upwards turnover, it raises a titter or two.

Why would that be? All the usual light-hearted comments about being hacked by your kettle, or held to ransom by your toaster, come out in the conversation. And I suppose there can be some amusement to be had. But there is a serious side to this. The graphic below, which I have unashamedly stolen from The Joy of Tech, whilst light-hearted, gives clues to potential disasters.

Whilst we are some way away from having smart appliances in most SME workplaces that could be used to jump onto the more serious elements of a network, we are already at a place where some functions perceived as routine, even mundane, can be used to jump onto other network devices. For instance, most have security cameras and alarm systems. Many of these are IP based and connected via the LAN. OK, but many are also remotely maintained by a variety of suppliers. I have found it not uncommon for these suppliers to arrange their own backdoor into the system for maintenance, often without the client actually knowing how that is done. This provides a very neat circuit around the router and firewall and, as most SME networks are flat, access onward to all parts of the network.

This of course is not the only example, but it shows how poor security architecture, often put in place by local network providers, can have a quite seriously detrimental effect. So what I am saying is that as many more devices become ‘smart’ and interconnected via the LAN, security architecture becomes just as important for the SME as it does for the larger enterprise. The problem is that the awareness and support within the SME community, and among their suppliers, tends to be lacking.

Does Risk Management Matter?

Risk management is all about helping us to create plans for the future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day to day basis.

We need to manage risk to enable us to make the best possible decisions, based on our analysis of future events and outcomes. Whilst the future can be anticipated, there are limits.

A good starting point is an acceptance that risk can’t simply be abolished. Risk must be recognised and then managed in some way or other, and classified in some way; many choose a simple High, Medium and Low. This can be easier said than done, as we would all like to abolish risk, as if that were an easy and simple option.

You will often hear the claim, ‘We have no clear definition of risk’. How on earth can we manage something that we haven’t defined? Fair enough. Given this, how can we really know what everybody else means when they talk about ‘risk’?

We can see a clear lack of a definition as an essential aspect of risk management. The fact that organisations won’t necessarily know exactly how everyone defines ‘risk’ forces us to explain to each other what we mean. It makes us ask questions and challenge assumptions.

Simply put, a definition for an individual organisation may come down to asking, for each business asset or process, ‘what would the risk to the business be if this process/asset was corrupted, denied, compromised or lost?’ This gives us four risks (corruption, denial of access, loss and compromise of data, hardware, software and so on) and it allows us to immediately assign a level of high, medium or low to each, depending upon the perceived hit on the bottom line.
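As an added illustration (not part of the original post, and not the H2 methodology), the following Python sketch turns the four questions above and the “value at risk” idea from the first piece into a small risk register: each asset gets the four events (corrupted, denied, lost, compromised), a direct and an indirect cost for each, and a High/Medium/Low rating from the combined figure. The assets, their costs and the pound thresholds are constructed for the example and are the kind of numbers a business would have to supply itself.

```python
"""Toy information-risk register (added example, not the page's own method).

For each business asset it records the four events the article names
(corrupted, denied, lost, compromised), the direct and indirect cost of each,
and rates the resulting "value at risk" High / Medium / Low. The assets, the
costs and the thresholds below are constructed for illustration only.
"""
from dataclasses import dataclass

EVENTS = ("corrupted", "denied", "lost", "compromised")

# Assumed thresholds in pounds: at or above "High" rates High, at or above "Medium" rates Medium.
THRESHOLDS = {"High": 50_000, "Medium": 5_000}


@dataclass
class Asset:
    name: str
    category: str      # "highly sensitive", "confidential" or "public"
    direct: dict       # event -> actual cost if it happens
    indirect: dict     # event -> consequential / collateral cost


def value_at_risk(asset, event):
    """Direct plus indirect cost of one event on one asset."""
    return asset.direct.get(event, 0) + asset.indirect.get(event, 0)


def rate(amount):
    """Map a pound figure onto the simple High / Medium / Low scale."""
    if amount >= THRESHOLDS["High"]:
        return "High"
    if amount >= THRESHOLDS["Medium"]:
        return "Medium"
    return "Low"


def risk_register(assets):
    """Return {asset name: {event: (value at risk, rating)}}, one entry per asset and event."""
    register = {}
    for asset in assets:
        register[asset.name] = {}
        for event in EVENTS:
            var = value_at_risk(asset, event)
            register[asset.name][event] = (var, rate(var))
    return register


def prioritised(register):
    """Asset/event pairs ordered by value at risk, largest first: where control effort should go."""
    rows = [
        (name, event, var, rating)
        for name, events in register.items()
        for event, (var, rating) in events.items()
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample assets (not real figures).
SAMPLE_ASSETS = [
    Asset("client database", "highly sensitive",
          direct={"compromised": 40_000, "lost": 20_000, "denied": 8_000, "corrupted": 10_000},
          indirect={"compromised": 60_000, "lost": 15_000, "denied": 2_000, "corrupted": 5_000}),
    Asset("marketing website", "public",
          direct={"denied": 1_000, "corrupted": 2_000},
          indirect={"denied": 500, "corrupted": 4_000}),
]

if __name__ == "__main__":
    for name, event, var, rating in prioritised(risk_register(SAMPLE_ASSETS)):
        print(f"{name:18} {event:12} £{var:>8,} {rating}")
```

The point of the ordering is the one made in the first post: the top rows are where a control (organisational or technological) is worth paying for, and the Low rows at the bottom are where an expensive piece of technology would be money wasted.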

It’s a false and dangerous notion that you can fully understand and manage all risk. Instead you should approach this with a sense of realism and pragmatism. Breaches of cyber security can and do happen to anyone, even the most diligent.

Don’t try and chase the Holy Grail of perfectly secure systems and a risk-free business; just make sure that you have thought about what can go wrong, and that this thinking has influenced your decisions.

Don’t despair, you can still protect yourself from many cyber attacks by following good risk management techniques that define what controls you need to put in place, be they procedural or technical in nature.

A little bit more about Phishing protection and awareness

Think phishing is old news? You won’t believe why it’s still the number one nightmare for CEOs and business owners. Ever find it odd that phishing, an old trick in the cyberbook, keeps CEOs awake at night? Guess what, it’s not budging from that top spot.

Here’s the deal: cyber villains always stay ahead. If you develop a shield, they craft a spear. They’re all out to make your employees act impulsively, falling into traps on all communication fronts.

Ever thought about arming your business against phishing, without the tech jargon? Let’s discuss uncomplicated, everyday measures to secure your digital turf.

  1. Training: Educating your team about phishing scams is the first step. A well-informed team can spot such scams.
  2. Double-checking: Emails from ‘official’ sources often aren’t. Encourage your team to verify before replying.
  3. Regular updates: Keep your systems and software updated; they often include security enhancements.

Phishing is a persistent threat, but with the right non-technical measures, your business can uphold security. Ready to fortify your cyber defences? I’m here to help.

Questioning the effectiveness of your cyber defence is valid. But to provide any assurance about your training methods, we need to monitor and measure.

Explore our Protective Monitoring service. For just a tenner per user, it’s a shockingly affordable way to both test your defences and uplift your team’s cyber consciousness – all under that ten-pound note. Zilch hidden charges, and a 14-day free trial to sweeten the deal.

From simulating phishing to rooting out insider liabilities, and safeguarding email privacy to mobile security – we’ve got you covered with a whopping 28 distinct campaigns. Are you prepared to test your cyber fortitude?

These campaigns won’t help against point number 3, regular updates. For most that will mean ensuring that regular updates on desktops, laptops, tablets etc. are switched on and can’t be switched off. But of course installing these updates can be a problem, and users regularly try to find ways to delay or cancel them because they find them an irritation. And you are at the mercy of cloud providers and other suppliers to ensure that their systems are patched fully and on time. What if you were running an anti-malware system that made updates and patches not obsolete (that would be nice) but far less urgent, because it stops executable files from running unless you have said they can? Give us a call to discuss; it really is innovative.

Here’s a challenge for you: Take the right steps to fortify your cyber walls.

Is Anti-virus the cure-all that many SMEs seem to think it is?

In the SME world there is an instilled view that anti-virus, along with a firewall or two, is the knight in shining armour, constantly battling malicious threats. But is it always the hero we think it is? Let’s talk about duality – the good and the not-so-good side of anti-virus software. On the bright side, it’s an essential tool for digital safety. It stands as our frontline defence, identifying and eliminating potential threats like viruses, malware, and phishing attempts. It’s a relentless protector, working round-the-clock to safeguard our valuable data. So far so good.

However, no knight is without its flaws. Anti-virus software can sometimes be overzealous, flagging innocent files as harmful. Such a ‘false positive’ can disrupt our workflow, especially when essential files are blocked. Moreover, no anti-virus software provides 100% protection. Complacency can be our undoing, leading us to believe we’re invincible behind our digital shield. So, what’s the bottom line? Well, anti-virus software is a necessity in today’s world, but it’s not a foolproof solution.

So why do SMEs think it is? Well, there are probably several reasons for that, and chief amongst them will be the constant companion of an SME: cost. If you can convince yourself that a solution solves all, or most, of your problems in one hit, then that’s going to be a winner in your mind. There is also an issue with the larger IT and cyber security companies: they have largely ignored SMEs because they don’t produce the financial rewards that their bigger clients do. So they have been happy to pass off software sales, like AV, to their sales channel, and allow their resellers to push those products on their behalf. Sounds good, except that often those resellers simply don’t have any more in-house cyber skills than the SMEs themselves, so there is no guarantee that what they are selling is what the SME needs.

Now, I’m not knocking your local IT support company, they do what they do and generally do it well.  Generally, they like to stick to the tried and tested products that they have been selling for years and tend not to buy in to innovation easily.  Can’t blame them, they are as beholden to the bottom line as the rest of us.  And the various flavours of AV fall into that category.

This is where we part company with such companies.  We are very much involved with innovation, looking at new ways of solving old problems, and new ones as they crop up.  The only way an SME is going to get the protection they need and deserve, at a cost they can afford, is via such innovation.  We have been working with Platinum High Intensity Technologies, or Platinum-HIT.  This is a new PROACTIVE Managed Security Service Solution for Endpoint in the class of Anti-virus, anti-malware, anti-ransomware.

So, what’s different about it? Surely it’s just another version of AV? Well, no it isn’t; it’s a new approach to an old and continuing problem that solves several problems along the way, using what is known as a Hard-Disk-Firewall or HDF. So what, I hear you cry. I have a personal firewall on my laptop. Why do I need another one? Perhaps the word firewall is a little misleading. Read on and you’ll see what I mean.

The HDF concept is a simple one. On any computer system, data is stored either as non-runnable information data or runnable application programs. Malware is a type of runnable program with undesirable behaviours. HDF prevents malware infection by stopping malware program files from being stored and run on a computer. HDF functions as part of the Microsoft® operating system.

From the perspective of the computer operating system, malware or viruses are simply another form of application program. From a human’s perspective, malware is an existential threat that we do not want to run on our systems. HDF works by stopping any additional program from being saved on a fully working and virus-free computer unless the system administrator/owner allows a specific program to install.

The approach is to deny write access for runnable program files to any storage device, irrespective of the user’s rights and privileges on the computer. The control is so absolute that neither an administrator nor a user can bypass it, intentionally or by mistake.

Other than blocking the installation of malware, the computer functions as normal, and HDF operates totally transparently to end users. For example, running applications and opening, reading, saving and deleting non-runnable data are not affected.

Device independent: effective on all storage devices supported by the underlying operating system, e.g. hard disk, USB token device, tape drive, optical writers (CD or DVD writer) and any future device which relies on the operating system to provide read and write functionality.

Data location independent: works identically on local and remote storage devices, including write access over wired and wireless networks, infrared and Bluetooth etc. There is no hardware component. It is implemented as a component fully integrated into the operating system, effectively becoming part of the operating system rather than a separate application, making the operating system immutable.

HDF does not require any prior knowledge of file and data contents. The system simply stops any data that can be run on a computer from being saved, including all known or future malware. This indiscriminately stops polymorphic viruses, ransomware, zero-day threats and the renaming of any data file back into a runnable program.

HDF does not rely on Microsoft operating system security patches and, in and of itself, requires no regular updating.

HDF security capability has NOT degraded since commercial deployment in 2008. There has never been a CVE attributed to the HDF solution.
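To make the default-deny rule described above concrete, here is an added Python model of it. It is not the HDF product’s code and assumes nothing about how the product is built; it only models the two properties the text claims. A write is classified by the content being written (PE, ELF, Mach-O and interpreter-script magic bytes), never by the file name, so renaming a program to .txt or a .txt back to .exe changes nothing; and the caller’s user name and admin flag are accepted but deliberately ignored, so an administrator is refused exactly as an ordinary user is. Only a hash the owner has approved lets runnable content through. The sample byte strings, the `WriteFilter` class and the approved-hash mechanism are constructed for the example.

```python
"""Added example: toy model of a content-based, privilege-blind write filter.

Not the product's code. Runnability is decided from the bytes, never the
file name, and the caller's identity plays no part; only an explicitly
approved program (identified by SHA-256 of its content) may be stored.
"""
import hashlib

# Magic prefixes of common runnable formats (real values for these formats).
RUNNABLE_MAGIC = (
    b"MZ",                # Windows PE / DOS executables
    b"\x7fELF",           # Linux and other ELF binaries
    b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit
    b"\xfe\xed\xfa\xce",  # Mach-O 32-bit
    b"#!",                # interpreter script
)


def is_runnable(content: bytes) -> bool:
    """Runnability is decided from the bytes alone; the file name is not an input."""
    return content.startswith(RUNNABLE_MAGIC)


def sha256(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class WriteFilter:
    """Stand-in for a storage write filter: non-runnable data always passes,
    runnable data passes only when its hash was explicitly approved by the owner."""

    def __init__(self, approved_hashes=()):
        self.approved = set(approved_hashes)

    def check_write(self, path, content, user, is_admin):
        # `user` and `is_admin` are accepted only to show that they play no part.
        if not is_runnable(content):
            return True, f"{path}: non-runnable data, write permitted"
        digest = sha256(content)
        if digest in self.approved:
            return True, f"{path}: runnable, approved ({digest[:12]})"
        return False, f"{path}: runnable content refused for {user} (admin={is_admin})"


# Constructed sample content; the "programs" are header-only stubs, not real binaries.
FAKE_PROGRAM = b"MZ" + b"\x90" * 62
APPROVED_INSTALLER = b"MZ" + bytes(range(64))
BOARD_MINUTES = b"Minutes of the board meeting, 3 May\n"
SHELL_SCRIPT = b"#!/bin/sh\necho hello\n"


def demo():
    """Return the allow (True) / refuse (False) outcome of a few writes."""
    f = WriteFilter(approved_hashes=[sha256(APPROVED_INSTALLER)])
    return [
        f.check_write("invoice.txt", FAKE_PROGRAM, "alice", False)[0],       # renamed program: refused
        f.check_write("invoice.txt", FAKE_PROGRAM, "admin", True)[0],        # administrator: still refused
        f.check_write("minutes.exe", BOARD_MINUTES, "alice", False)[0],      # plain data, odd name: allowed
        f.check_write("setup.exe", APPROVED_INSTALLER, "alice", False)[0],   # approved program: allowed
        f.check_write("tidy.sh", SHELL_SCRIPT, "alice", False)[0],           # unapproved script: refused
    ]


if __name__ == "__main__":
    print(demo())
```

One caveat worth keeping in mind when evaluating any product of this kind: the model only knows the formats in its magic list. A script with no shebang line, or a macro carried inside a document, is “non-runnable data” to it and is passed through, which is why such a control complements user awareness and patching rather than replacing them.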

So yes, whilst this system has been around the defence and nuclear space for some time, it’s very new to the SME market, and in fact, to the enterprise market for that matter.

Is your AV due for renewal soon?  Before you just push the button and renew, have a word with us first.  We just might have what you are missing, and you might be surprised at how affordable it is, considering it’s managed for you at no additional cost.

I Never Get Tired of Talking About Ransomware

Many of you outside the legal profession might not have heard of the Ince Group and what happened to it. The 157-year-old law firm collapsed into administration last year following a cyber-attack. To be fair, a much bigger crisis came after it was rescued by a firm that almost no one had heard of. There are many out there much better qualified than me to comment on its legal and accounting problems; I’ll stick to the cyber-attack.

So, what happened to Ince and is it a story of what can happen, in terms of cyber security, to pretty much anyone?

Things started to go south for Ince following a cyber-attack in March 2022, which was later revealed to have cost the company £5m. Their share price tumbled, and they struggled to get on top of the crisis. They went from trading at around 80p per share to around the 5p mark. Pretty devastating for any company of any size.

What was the nature of the cyber-attack? Well, Ince did everything they could to stop the exact nature of the attack becoming public, but it appears that it was our old friend ransomware. In March 2022, Ince was granted an interim injunction to stop the hackers releasing confidential data on the dark web, after the unknown perpetrator threatened to publish the stolen data if the firm did not pay a “substantial ransom”.

Now, I don’t know about the rest of you, but given that the perpetrators are already criminals, and are unknown criminals to boot, I’m a little confused as to how such an injunction could have any tangible effect, except to show perhaps, that Ince were taking this very seriously and were trying to prevent the release of client data.

Of course, this was an attack perpetrated on what was, at that time, a major company, publicly listed, and that supports the impression amongst many, that only such companies are targeted by cyber criminals.  Not so.

According to the NCSC, responsible for cyber security in the UK, ransomware continues to be a clear and present danger to UK companies, both at the Enterprise and SME level.  It has now become the most significant cyber threat facing the UK, with the impact of an attack on critical national infrastructure stated in the UK National Cyber Strategy 2022 as potentially as harmful as state-sponsored espionage. There remains a pervasive opinion within SME management, that ransomware only affects the big companies, that SMEs are just too small to provide a level of reward that cyber criminals are looking for.  I also said that there was evidence that when an SME gets hit, the amount asked for is quite small, from around £500 to £1000, and therefore many SMEs simply pay up.  There is of course a real danger there because often their data has already been stolen, and sometimes the criminal doesn’t release the data back to the company, leaving the SME not only out of pocket, but unable to continue with business.

How much better if you can avoid getting hit in the first place. Here are some ways you could use to avoid the problem.

  1. Arguably, the biggest and most effective step an SME can take is Cyber Awareness Training for staff. It is simply a fact that 90% of data breaches are caused by human error. It is very unlikely that an employee will do something deliberately to damage your business. But humans are fallible and, if they haven’t had any awareness training, they simply don’t know what they shouldn’t be doing. Cyber security awareness training remains the most significant step you can take in this regard. You can’t expect your staff to help you avoid cyber security attacks if they don’t know what they are looking for. Cyber security is NOT an IT issue; it’s very much a business issue, and responsibility lies with everyone in the business. Clearly this training needs to be part of an overall strategy, which again need not be complex or onerous. Most successful strategies follow the KISS principle – Keep It Simple Stupid.
  2. The next reasonably low-cost thing that ties in with Cyber Awareness Training and a security strategy is robust, well thought out policies and procedures, that have been rolled out across the work force and are monitored to ensure they remain relevant and that they are understood by all. Giving an employee the means to check what they should do if they suspect there is something nefarious going on, is simply giving them support, it is not there to catch them out or to use as a stick against them.  Many SMEs don’t have any such policies in place and many others have downloaded specimens from the internet, topped and tailed them and expect them to be enough, which they very rarely are.
  3. Next think about your backup strategy. Even when you are using a cloud-based provider, that doesn’t necessarily mean that your data is secure, although many providers would disagree, at least in their advertising.  How much better to have a strategy whereby your data is backed up overnight to a magnetic media storage point, which can be taken offline and stored in secure storage.  If you do that, then if you are subject to an attack and your data is locked up, you can have some or all workstations wiped and reloaded, and then have data restored from the tape, all of which would not take most SMEs offline for more than a day.  You then have a breathing space to sort everything out in the longer term.
  4. Email remains the top attack vector for many attacks, and ransomware is one of them. There are many products on the market that will tell you they will block as many malicious emails as possible, and many of these are very good at what they do. For an SME, it will nearly always come down to a matter of cost, and some of these products are more expensive than others. Unfortunately, there are still a considerable number of SMEs out there either using the cheapest anti-malware product they could find, or even a free product. You get what you pay for, and if it’s free, you’ve got a problem. Any product you choose to use must be mitigating an identified risk. If a risk hasn’t been properly identified and a product selected that covers that risk off, as well as it can be covered off, then you’ve quite possibly wasted your money.
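The part of point 3 above that most SMEs never rehearse is whether the offline copy actually restores. The following Python script is an added example, not part of the original post and not any vendor’s tool: it writes a backup archive together with a SHA-256 manifest, then restores it into an empty directory (standing in for the wiped-and-reloaded workstation) and checks every file against the manifest. The `rehearse()` function runs the whole drill on constructed sample data in a temporary directory; the archive path is whatever the caller supplies, and in practice would be the removable media that is taken offline.

```python
"""Added example (not from the article): rehearse the backup-and-restore step.

Creates a .tgz archive plus a SHA-256 manifest, restores it into a fresh
directory and verifies every file, so the restore is proven before the day
it is needed. Sample data in rehearse() is constructed for the drill.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive every file under src_dir; return {relative path: sha256}.

    Keep the manifest with the offline media (or print it), not only on the
    protected machine, so it survives the same event as the data."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = _sha256_file(path)
            tar.add(path, arcname=rel)
    return manifest


def _safe_members(tar):
    """Refuse archive entries that would land outside the restore directory."""
    for member in tar.getmembers():
        name = Path(member.name)
        if name.is_absolute() or ".." in name.parts or not member.isfile():
            raise ValueError(f"refusing archive entry: {member.name}")
        yield member


def verify_restore(archive_path, manifest, restore_dir):
    """Extract into restore_dir and return a list of problems ([] means a clean restore)."""
    restore_dir = Path(restore_dir)
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(restore_dir, members=_safe_members(tar))
    problems = []
    for rel, digest in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif _sha256_file(target) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def rehearse():
    """Self-contained drill on constructed data: back up, lose the originals, restore, check.

    Returns (problems with the genuine manifest, problems with a tampered manifest)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "list.csv").write_text("acme,0123\n")
        (live / "minutes.txt").write_text("board minutes\n")
        archive = tmp / "nightly.tgz"            # stands in for the tape taken offline
        manifest = make_backup(live, archive)
        (live / "minutes.txt").write_bytes(b"\x00" * 16)   # originals locked up / overwritten
        good = verify_restore(archive, manifest, tmp / "rebuilt")
        tampered = dict(manifest, **{"minutes.txt": "0" * 64})
        bad = verify_restore(archive, tampered, tmp / "rebuilt2")
        return good, bad


if __name__ == "__main__":
    print(rehearse())
```

Running the drill on the real nightly archive, into a scratch machine, is what turns “we have backups” into the one-day recovery the article describes; a manifest mismatch found during a rehearsal is cheap, the same mismatch found during an incident is not.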

There is a product on the market from Abatis which takes a very innovative approach to this. Quite simply, it blocks any executable not on your whitelist from running. It uses a free 30-day evaluation to profile your network and build a list of the executables that users run daily, so those that run your applications, email and so on, and produces that list for human inspection. Once agreed, that becomes your whitelist. It’s extremely effective and so far we haven’t found another product that takes this approach to blocking all forms of malware, including ransomware.
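The “profile, inspect, enforce” loop just described is worth seeing end to end, so here is an added Python example of it. It is not the Abatis product’s code and the log format it reads (time, host, user, path, SHA-256 of the file) is assumed for the example; the hosts, users and hashes are constructed. During the evaluation period every launch is recorded and summarised per program for a human to approve; the approved hashes become the whitelist, and once enforcement is switched on a launch is permitted only if its hash is on the list. Identity is the hash rather than the path, so a replaced binary at a familiar path is refused while a known program copied to a new location is still allowed.

```python
"""Added example, not the product's code: profile launches, review, then enforce.

Log lines are constructed and their format is assumed for this example.
"""
from collections import defaultdict

# Constructed evaluation-period launch records (not real hosts or hashes).
PROFILE_LOG = """\
2024-05-01T08:02:11 ws01 alice C:\\Program Files\\Outlook\\outlook.exe 1111aaaa
2024-05-01T08:03:40 ws01 alice C:\\Program Files\\Word\\winword.exe 2222bbbb
2024-05-01T09:15:02 ws02 bob C:\\Program Files\\Outlook\\outlook.exe 1111aaaa
2024-05-02T10:44:19 ws02 bob C:\\Users\\bob\\Downloads\\invoice_viewer.exe 9999ffff
2024-05-03T08:01:55 ws01 alice C:\\Program Files\\Word\\winword.exe 2222bbbb
"""

# Constructed enforcement-period events.
ENFORCE_LOG = """\
2024-06-10T08:00:03 ws01 alice C:\\Program Files\\Outlook\\outlook.exe 1111aaaa
2024-06-10T08:30:20 ws03 carol D:\\portable\\winword.exe 2222bbbb
2024-06-10T11:12:47 ws02 bob C:\\Program Files\\Outlook\\outlook.exe deadbeef
2024-06-10T14:05:09 ws02 bob C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe 9999ffff
"""


def parse_launches(text):
    """Yield (time, host, user, path, sha256); paths may contain spaces, so split from both ends."""
    for line in text.splitlines():
        if not line.strip():
            continue
        time, host, user, rest = line.split(" ", 3)
        path, digest = rest.rsplit(" ", 1)
        yield time, host, user, path, digest


def profile(launches):
    """Summarise the evaluation period: hash -> {paths, users, launches}."""
    seen = defaultdict(lambda: {"paths": set(), "users": set(), "launches": 0})
    for _, _, user, path, digest in launches:
        entry = seen[digest]
        entry["paths"].add(path)
        entry["users"].add(user)
        entry["launches"] += 1
    return dict(seen)


def review(candidates, rejected_hashes):
    """The human inspection step: everything observed is kept except what the reviewer strikes out."""
    return frozenset(h for h in candidates if h not in rejected_hashes)


def decide(launch, whitelist):
    """Enforcement mode: allow only programs whose hash was approved."""
    _, _, _, path, digest = launch
    return ("allow" if digest in whitelist else "block"), path


def run_demo():
    """Profile the evaluation log, strike out the one-off download, then judge the enforcement log."""
    candidates = profile(parse_launches(PROFILE_LOG))
    whitelist = review(candidates, rejected_hashes={"9999ffff"})
    return [decide(event, whitelist) for event in parse_launches(ENFORCE_LOG)]


if __name__ == "__main__":
    for verdict, path in run_demo():
        print(f"{verdict:5} {path}")
```

The third enforcement event is the instructive one: the path is the everyday mail client, but the hash is not the approved one, so it is blocked. The profiling summary (which users ran which program, how often, from where) is what makes the human inspection step a real review rather than a rubber stamp.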

The overall message I would like to put across to all SMEs is that you are just as vulnerable as anyone else to this, and many other attacks. Have you identified your risks? Have you identified ways to mitigate those risks, enabling you to maximise your defensive spend? Or have you just bought into an argument that says that because you have a firewall and some anti-virus, and you’re using a cloud provider, you’re therefore covered? I’d welcome the opportunity to have that debate with you.

This is about defence in depth, marrying up people, process, and technology to give you the best protection you can afford.
