Cyber Awareness Training

Cyber Security as Business Protection – Protect, Detect and Recover

This is another foray into cyber risk management and strategy for SMEs.  I make no apologies for covering it again because it should be a vital part of any SMEs business planning.   In a nutshell it’s the business process of identifying and addressing digital threats to protect operations, revenue, and reputation. Rather than just a technical IT task, it is a strategic function focused on ensuring business continuity and managing potential financial losses. 

A strong cybersecurity risk management strategy for SMEs should focus on reducing the highest risks first while staying practical and affordable. Most SMEs do not need enterprise-scale security programs; they need disciplined fundamentals, clear ownership, and resilience.

Core Principles

  1. Protect what matters most
    • Customer data
    • Financial systems
    • Email accounts
    • Intellectual property
    • Operational systems
  2. Assume attacks will happen
    • Focus on prevention and recovery.
    • Design for resilience, not perfect security.
  3. Keep it simple and repeatable
    • Overly complex controls fail in SMEs due to limited staff and budget.

Recommended Cybersecurity Risk Management Framework

A practical SME strategy can follow five pillars inspired by the National Institute of Standards and Technology Cybersecurity Framework:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Alternatively, for those attempting or having achieved Cyber Essentials, one of the most effective ways to secure a business is to follow the UK government’s National Cyber Security Centre (NCSC) recommendations. These five steps are designed to be cost-effective and provide protection against the majority of common cyber-attacks. 

  • Secure your data with back-ups.
  • Protect with strong authentication (MFA).
  • Keep devices and software up to date.
  • Guard against malware.
  • Train staff on cyber awareness, phishing in particular.

But beware, the latest iteration of CE requires CEOs/MDs to sign a certification that they will ensure that the standard is maintained throughout the year and not just at point of achieving the standard.  That is a game changer which requires some form of monitoring to be put in place to ensure that the standard continues to be met.

No two businesses are the same.  They all have certain threats and vulnerabilities in common, and adherence to the NCSC guidelines and/or Cyber Essentials will set you on the right path; many of you will either have gone down that route or will be actively discussing it internally.  But there will still be differences, perhaps only nuances, that can drive a hole through your defences, and that is why you need a risk management strategy to ensure you have built robust defences.

Identify Your Risks

  1. The first stop is to create an Asset Inventory:

Document:

  • Devices
  • Servers
  • Cloud services
  • SaaS platforms
  • User accounts
  • Critical data
  • Vendors

Even a spreadsheet is enough initially.

  2. Classify Critical Assets

Rank systems by business impact:

  • High: payroll, CRM, finance, production
  • Medium: internal collaboration
  • Low: public marketing systems

  3. Identify Likely Threats

For SMEs, the biggest risks are usually:

  • Phishing
  • Business email compromise
  • Ransomware
  • Weak passwords
  • Insider mistakes
  • Third-party/vendor compromise
  • Unpatched software
  • Cloud misconfiguration

Protect the Business

  1. Multi-Factor Authentication (MFA)

This is one of the highest-value controls and you need MFA for:

  • Email
  • VPN
  • Admin accounts
  • Cloud apps
  • Banking systems

Use authenticator apps or hardware keys where possible.

  2. Strong Identity & Access Management

You need to apply:

  • Least privilege access
  • Separate admin accounts
  • Role-based permissions
  • Immediate removal of leavers

Review access at least quarterly.

  3. Endpoint Protection

Deploy modern endpoint security on all company devices:

  • Antivirus/EDR
  • Device encryption
  • Automatic updates
  • Screen lock policies

Focus first on laptops because they are commonly targeted.

  4. Patch Management

Set strict update timelines:

  • Critical vulnerabilities: 24–72 hours
  • High-risk patches: within 1 week
  • Routine updates: monthly

Automate updates whenever possible, but you will still need some form of patch-management monitoring to ensure that you have this under control.

  5. Email Security

Since email is the number one attack vector:

  • Anti-phishing filters
  • DMARC, DKIM, SPF (these require DNS entries and will need to be monitored)
  • Attachment sandboxing if affordable
  • User reporting button for suspicious emails

  6. Backup Strategy

Use the 3-2-1 rule:

  • 3 copies of data
  • 2 different storage types
  • 1 offline/immutable copy – don’t rely on on-line backups, they may make restoring quicker, but they can be encrypted in a ransomware scenario, just like the rest of your systems.

Test restores regularly.  Recovery in a disaster or ransomware situation depends on this.

  7. Secure Cloud Usage

For cloud platforms like Microsoft 365 or Google Workspace:

  • Disable legacy authentication
  • Enforce MFA
  • Monitor sharing permissions
  • Limit external access
  • Audit administrator activity

Detect Threats Early

  1. Centralised Logging

This is often particularly difficult for SMEs because they don’t have any in-house cyber security personnel, and often their IT support company doesn’t offer this service.  However, it is still important to collect logs from:

  • Email systems
  • Firewalls
  • Endpoints
  • Cloud platforms

A managed service is often the way forward.

  2. Monitoring & Alerts

This is another issue that is very hard for SMEs, for the same reasons as log collection.  You need to receive alerts on:

  • Failed login spikes
  • Impossible travel logins
  • Admin privilege changes
  • Large file downloads
  • Suspicious mailbox rules

A managed service is often the only way to achieve this.

  3. Vulnerability Scanning

You should aim to run monthly scans internally and externally.

Prioritise:

  • Internet-facing systems
  • Critical vulnerabilities
  • Unsupported software

There are a variety of scanning tools available to purchase; however, you need to have someone who can interpret the results, identify critical issues and eliminate false positives.  Once again, a managed service may be the answer for many SMEs.

Incident Response Plan

Every SME should have a documented response process which includes:

  • Who makes decisions
  • Who contacts customers
  • Legal/compliance steps
  • Cyber insurance contacts
  • IT recovery procedures

  1. Create Playbooks For:

  • Ransomware
  • Phishing compromise
  • Lost/stolen device
  • Data breach
  • Vendor compromise

Run tabletop exercises twice yearly.

Recovery & Business Continuity

  1. Define Recovery Objectives

Set:

  • RTO (Recovery Time Objective)
  • RPO (Recovery Point Objective)

Examples are below and show the amount of time the business can survive with the loss of each system, but this will be determined by business priorities:

System     Max Downtime (RTO)    Max Data Loss (RPO)
Email      4 hours               1 hour
Payroll    24 hours              4 hours
CRM        8 hours               2 hours

  2. Business Continuity Planning

Prepare for:

  • Cloud outages
  • Cyberattacks
  • Staff unavailability
  • Power/network failures

Document manual fallback procedures to keep the business running whilst you recover from the crisis.

Governance & Leadership

  1. Assign Ownership

Even small companies need accountability:

  • Security lead
  • Executive sponsor
  • Incident coordinator

Security without ownership fails.

  2. Establish Policies

Minimum essential policies:

  • Acceptable use
  • Password policy
  • Data handling
  • Remote work
  • Vendor management
  • Incident reporting

Keep them concise and enforceable and importantly, rolled out so that staff know where to find them and what they contain.

Human Risk Management

Most SME breaches involve human error.

  1. Security Awareness Training

Train employees on:

  • Phishing
  • Social engineering
  • Password hygiene
  • Safe file sharing
  • AI/deepfake scams
  • Reporting suspicious activity

Short monthly sessions work better than annual training.

Phishing Simulations

Measure:

  • Click rates
  • Reporting rates
  • Repeat offenders

Use results for coaching, not punishment.

Third-Party & Supply Chain Risk

SMEs increasingly rely on vendors.

  1. Vet Critical Suppliers

Review:

  • Security certifications
  • MFA usage
  • Breach history
  • Data protection controls

Prioritise vendors with access to:

  • Financial data
  • Customer data
  • Internal systems

Compliance Considerations

Depending on industry/location, SMEs may need alignment with:

  • International Organization for Standardization (ISO) 27001
  • National Cyber Security Centre Cyber Essentials
  • GDPR/Data Protection Laws
  • PCI DSS

For UK SMEs, Cyber Essentials is an excellent baseline.

Recommended SME Security Stack

A practical modern stack often includes:

  • MFA platform
  • Endpoint detection & response (EDR)
  • Password manager
  • Secure email gateway
  • Cloud backup
  • Mobile device management (MDM)
  • Firewall with IDS/IPS
  • Security awareness platform

For those considering Cyber Essentials for the first time, or for renewal, some form of monitoring is required to ensure that the standard is maintained throughout the life cycle.

Budget Prioritisation (Highest ROI First)

For SMEs budget is always limited and must be prioritised.  This is a general guide and may change dependent upon business priorities:

  • MFA everywhere
  • Backups
  • Endpoint protection
  • Email security
  • Patch management
  • Security awareness training
  • Logging/monitoring
  • Vulnerability scanning
  • Managed security services
  • Advanced zero-trust controls

In order to decide your budget, you need to work out your priorities and again, this will depend on what the company does.  A suggested 12 month roadmap, for someone starting from scratch, is:

Months 1–3

  • Asset inventory
  • MFA rollout
  • Backup improvements
  • Patch automation
  • Security policies

Months 4–6

  • Endpoint protection
  • Vulnerability scanning
  • Staff awareness training
  • Incident response planning

Months 7–9

  • Logging and monitoring
  • Vendor risk reviews
  • Phishing simulations
  • Access reviews

Months 10–12

  • Tabletop exercises
  • Business continuity testing
  • External security assessment
  • Cyber insurance review

Metrics SMEs Should Track

I talked about measuring your security stance and your compliance.  Some useful KPIs might be:

  • MFA adoption %
  • Patch compliance %
  • Phishing click rate
  • Mean time to detect/respond
  • Backup recovery success
  • Number of critical vulnerabilities
  • Security training completion

Common SME Mistakes

Turning now to some common mistakes.  I don’t want to dwell on these too much as they are self-evident, but you should avoid:

  • Treating cybersecurity as only an IT problem
  • Buying too many disconnected tools
  • Ignoring backups
  • Giving staff admin rights
  • Failing to test recovery
  • Depending entirely on one IT provider
  • No incident response process

I hope that this provides some guidance but I’m fully aware that it contains issues that will appear as a bit of a ‘black art’ to some people.  Get advice from cyber security professionals, don’t think that because someone knows about IT, they have the nuances of security covered, they often don’t.  Remember that some cyber security solutions are procedural not technical. 

Policy, Process and then Technology

CYBER ESSENTIALS HAS CHANGED:  ARE YOU READY?

Cyber Essentials has changed recently, and one of the most significant changes, in my opinion, is the requirement for a senior executive to formally declare that security controls are continuously assessed throughout the year.  This is a fundamental change, not just a paperwork tweak. It shifts accountability and how organisations approach compliance.

What does this change really mean?

  1. Accountability moves to the top

Executives (often a CEO, CFO, or board-level director) are now personally attesting that controls aren’t just “point-in-time compliant” but actively maintained. This raises the stakes: false declarations could have legal, reputational, and contractual consequences.

  2. End of “annual checkbox” compliance

Previously, many organisations treated Cyber Essentials as a once-a-year exercise. This change pushes toward continuous assurance, more in line with standards like ISO/IEC 27001 or frameworks such as NIST Cybersecurity Framework.

  3. Increased audit and insurance implications

Cyber insurers and regulators may view this declaration as evidence of due diligence or even negligence if something goes wrong. Expect more scrutiny if a breach occurs.

  4. Cultural shift toward operational security

Security becomes an ongoing business process, not an IT task. It requires coordination across the company up to and including management.

How can organisations actually deliver “continuous assessment”?

This is where many companies will struggle, because the declaration implies evidence, not intention.

  1. Continuous monitoring of key controls

Use tools that provide ongoing visibility into:

  • Patch management status
  • Vulnerability scanning
  • Endpoint protection health
  • Firewall and access control configurations

Common tooling might include:

  • Endpoint detection & response (EDR)
  • Vulnerability management platforms
  • Security configuration monitoring tools

  2. Defined control testing schedule

Not everything needs real-time monitoring, but you should have:

  • Monthly or quarterly control checks
  • Automated scans (minimum of weekly vulnerability scans)
  • Regular access reviews (e.g., user permissions)

  3. Centralised logging and alerting

Implement:

  • An MDR solution.
  • Alerts for control failures (e.g., antivirus disabled, patch failures)

This creates an audit trail—critical if leadership is signing a declaration.

  4. Metrics and reporting to leadership

Executives need evidence to sign confidently:

  • Security dashboards
  • KPIs (e.g., patch SLAs, vulnerability remediation times)
  • Regular security reports to the board

  5. Policies backed by enforcement

It’s not enough to have policies; you need:

  • Technical enforcement (e.g., blocking unpatched devices)
  • Automated compliance checks

  6. Internal audits or independent checks

Periodic internal reviews or external assessments help validate that controls are actually working.

Practical example

Instead of saying:

“We apply patches”

You now need to demonstrate:

  • All devices report patch status daily
  • Alerts trigger if patches are overdue
  • Reports show compliance over time
  • Exceptions are tracked and approved
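As an added illustration of turning “we apply patches” into evidence (this is not code from the article or from any Cyber Essentials tooling), the following Python applies the update timelines given earlier in this piece (critical 24–72 hours, high-risk within a week, routine monthly) to constructed daily patch-status records, raises alerts for overdue patches and for devices that have stopped reporting, honours approved time-limited exceptions, and produces the compliance percentage a board report would track over time. Device names, patch identifiers and the approver role are made up.

```python
"""Patch-compliance evidence for a Cyber Essentials declaration (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# SLA deadlines measured from the vendor's patch release; the article's
# "critical: 24-72 hours" is taken at its 72-hour outer bound.
SLA_HOURS = {"critical": 72, "high": 7 * 24, "routine": 30 * 24}
REPORT_MAX_AGE = timedelta(hours=24)  # every device must report status daily


@dataclass(frozen=True)
class PatchRecord:
    device: str
    patch_id: str
    severity: str                  # "critical" | "high" | "routine"
    released: datetime             # when the vendor published the patch
    installed: Optional[datetime]  # None means not yet installed


@dataclass(frozen=True)
class ApprovedException:
    device: str
    patch_id: str
    approved_by: str   # who signed off the deferral (hypothetical role title)
    expires: datetime  # a deferral without an expiry is not an exception


def deadline(rec: PatchRecord) -> datetime:
    return rec.released + timedelta(hours=SLA_HOURS[rec.severity])


def classify(rec: PatchRecord, now: datetime,
             exceptions: List[ApprovedException]) -> str:
    """Return compliant, late, excepted, pending or overdue for one record."""
    if rec.installed is not None:
        return "compliant" if rec.installed <= deadline(rec) else "late"
    excepted = any(e.device == rec.device and e.patch_id == rec.patch_id
                   and e.expires > now for e in exceptions)
    if excepted:
        return "excepted"
    return "pending" if now <= deadline(rec) else "overdue"


def patch_report(records: List[PatchRecord], exceptions: List[ApprovedException],
                 last_seen: Dict[str, datetime], now: datetime) -> dict:
    """Evidence behind 'we apply patches': per-record status, alerts for overdue
    patches and silent devices, and a compliance figure.
    Compliance % = installed records / records not covered by an exception."""
    statuses: Dict[Tuple[str, str], str] = {
        (r.device, r.patch_id): classify(r, now, exceptions) for r in records}
    overdue = sorted(k for k, s in statuses.items() if s == "overdue")
    stale = sorted(d for d, seen in last_seen.items() if now - seen > REPORT_MAX_AGE)
    installed = sum(1 for s in statuses.values() if s in ("compliant", "late"))
    in_scope = sum(1 for s in statuses.values() if s != "excepted")
    pct = round(100.0 * installed / in_scope, 1) if in_scope else 100.0
    alerts = [f"OVERDUE {d} {p}" for d, p in overdue]
    alerts += [f"NOT REPORTING {d}" for d in stale]
    return {"statuses": statuses, "compliance_pct": pct, "alerts": alerts}


# --- constructed sample data: device and patch names are made up -------------
NOW = datetime(2025, 3, 10, 12, 0)
T = datetime  # shorthand for the timestamps below
SAMPLE_RECORDS = [
    PatchRecord("LAPTOP-01", "KB-CRIT-001", "critical", T(2025, 3, 7, 9), T(2025, 3, 8, 10)),
    PatchRecord("LAPTOP-02", "KB-CRIT-001", "critical", T(2025, 3, 7, 9), None),
    PatchRecord("LAPTOP-03", "KB-CRIT-001", "critical", T(2025, 3, 7, 9), None),
    PatchRecord("LAPTOP-01", "KB-HIGH-002", "high", T(2025, 3, 6, 9), T(2025, 3, 9, 9)),
    PatchRecord("LAPTOP-02", "KB-HIGH-002", "high", T(2025, 3, 6, 9), None),
    PatchRecord("SERVER-01", "KB-CRIT-001", "critical", T(2025, 3, 7, 9), None),
    PatchRecord("SERVER-01", "KB-ROUT-003", "routine", T(2025, 1, 20, 9), T(2025, 2, 25, 9)),
]
SAMPLE_EXCEPTIONS = [  # LAPTOP-03's deferral is approved, recorded and time-limited
    ApprovedException("LAPTOP-03", "KB-CRIT-001", "Finance Director", T(2025, 3, 14, 9)),
]
SAMPLE_LAST_SEEN = {  # SERVER-01 last reported more than a day ago
    "LAPTOP-01": T(2025, 3, 10, 8), "LAPTOP-02": T(2025, 3, 10, 7, 30),
    "LAPTOP-03": T(2025, 3, 10, 6), "SERVER-01": T(2025, 3, 8, 22),
}


def sample_report() -> dict:
    return patch_report(SAMPLE_RECORDS, SAMPLE_EXCEPTIONS, SAMPLE_LAST_SEEN, NOW)


if __name__ == "__main__":
    report = sample_report()
    print(f"patch compliance: {report['compliance_pct']}%")
    for alert in report["alerts"]:
        print("ALERT", alert)
```

Run daily, the alerts are what the monitoring tool should raise and the compliance percentage is the number that goes on the dashboard; the approved exception list is the record an assessor would ask for.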

The real challenge

The hardest part isn’t technology, it’s evidence and governance.

Many SMEs certified under Cyber Essentials don’t currently have:

  • Centralised visibility
  • Documented control testing
  • Board-level security reporting

So, this change may force investment in:

  • Better tooling
  • Clearer processes
  • Stronger governance structures

Bottom line

This declaration effectively aligns Cyber Essentials with modern security expectations: continuous control validation, not annual self-assessment.

If an organisation can’t produce evidence of ongoing monitoring and review, executives are being asked to take a significant personal risk by signing.

How can an SME meet this requirement without breaking the bank?

You don’t need an enterprise SOC or a six-figure toolchain to meet these new expectations, but you do need joined-up tooling that produces continuous evidence.

The principle: “Good enough + visible + provable”

For an executive to sign the declaration, you must:

  • Cover all five control areas
  • Be centrally visible
  • Generate reports + alerts automatically
  • Require minimal manual effort

The issue for many SMEs is that a system which integrates many of these functions simply hasn’t existed, in a form that is financially viable and doesn’t require a dedicated cyber individual on staff, until now.  Such a system does now exist, and I have put up a short video on the features section of my profile page on LinkedIn, titled “A short video on protective monitoring for SMEs”.  This should help you without having to read reams of information.  You will also find a couple of articles on that particular subject.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.

To learn more about the services we provide, please click here https://www.hah2.co.uk/

Alternatively, please feel free to give us a call or drop us an email:

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Protecting Your Data on Public Networks

Remote working is here to stay, and whilst it’s not for everyone, many employers and employees alike have taken to it.  There are multiple cyber security problems around working from home or on the move, and today I’m going to concentrate on the prevalence of people working from insecure sites such as coffee shops, railway stations and airport terminals.  It’s a subject that I tend to jump on every so often because it’s one that people just don’t seem to get.  I dropped into a coffee shop this morning for my caffeine infusion, and there were six people with their laptops open, working away on business issues.  I could see open spreadsheets (easy to read if you were sitting behind them), and all had their email open.  One was on a video call, and I heard all of her side of the conversation: annoying enough for other café users, but she wasn’t aware at all of the data she was releasing into the wild.

Of course, this is nothing new, it’s been ‘a thing’ for years now, but is it a safe thing to be doing?  A recent survey suggests that a significant proportion of connections to unsecured Wi-Fi networks in coffee shops, restaurants, airports and other public places result in hacking incidents.

If you are among those Wi-Fi lovers, there’s bad news for you: your online privacy and security are at risk if you rely on the weak to non-existent Wi-Fi security protocols at these insecure locations.  This means that you could be exposed to various threats such as identity theft, which has over 15 million cases each year, data theft and breaches, and introducing malware to your business network and to those of your customers and suppliers.  This list is not exhaustive.

Free or public Wi-Fi networks are hotspots for hackers and data snoopers who want to steal your private data or financial information, and it is easy for cyber criminals to do that nowadays. You would be surprised by the number of ways they can compromise your device or your private information, and why you shouldn’t rely on public Wi-Fi security, because it comes with a lot of risk.  Using insecure public Wi-Fi exposes you to a range of cybersecurity risks because you’re sharing a network with unknown and potentially malicious people. The core issue is that these networks often lack proper encryption and authentication, making it much easier for attackers to intercept or manipulate your data.

One of the biggest risks is data interception (packet sniffing). On an unsecured network, attackers can use simple tools to capture data packets traveling between your device and the internet. If the data isn’t encrypted (for example, websites not using HTTPS), sensitive information like passwords, emails, or credit card details can be read directly.

A closely related threat is the Man-in-the-Middle (MitM) attack. Here, an attacker secretly positions themselves between you and the service you’re accessing. Instead of communicating directly with a website, your traffic is routed through the attacker, who can monitor, alter, or inject malicious content into the communication without your knowledge.

Another common issue is rogue hotspots or “evil twin” attacks. Attackers set up fake Wi-Fi networks with names that look legitimate (e.g., “Free Airport Wi-Fi”). When you connect, all your traffic passes through their system, giving them full visibility and control over your activity.

Public Wi-Fi also increases the risk of session hijacking. Even if you log into a secure site, attackers may capture session cookies, small pieces of data that keep you logged in, and use them to impersonate you without needing your password.

There’s also the danger of malware distribution. Some attackers exploit vulnerabilities in devices connected to the same network to push malicious software. Others may trick users into downloading infected files via fake pop-ups or compromised websites.

Many public networks lack proper network segmentation, meaning devices on the same network can sometimes directly communicate with each other. This makes it easier for attackers to scan for vulnerable devices, open ports, or shared files, potentially gaining unauthorised access.

Another issue is unencrypted connections and misconfigured security protocols. Some networks use outdated encryption standards (like WEP) or even none at all, making it trivial to crack passwords or decrypt traffic.

Additionally, automatic connectivity on devices can be exploited. If your device is set to automatically connect to known networks, attackers can spoof those network names and trick your device into connecting without your explicit approval.

Finally, there’s a broader privacy concern: even if attackers don’t actively interfere, network operators themselves (or anyone monitoring the network) may log your browsing habits, device information, and other metadata.

How to reduce risk:

  • Use a VPN to encrypt your traffic
  • Only access HTTPS websites (look for the padlock icon)
  • Avoid logging into sensitive accounts on public Wi-Fi
  • Disable file sharing and use a firewall
  • Turn off automatic Wi-Fi connections
  • Verify network names with the venue before connecting
  • Only use authorised protocols to access your company network or cloud

In short, insecure public Wi-Fi removes many of the protections that normally keep your data private, making it far easier for attackers to observe, intercept, or manipulate your online activity.

The risk reductions above are essential, but even then, don’t get complacent.  A VPN, for instance, encrypts your data as it transits the internet, putting up a secure ‘tunnel’ for it to move through.  However, that data is only protected once you start sending it.  Other data on your laptop is not encrypted in use and remains vulnerable.  Disk encryption such as BitLocker on Windows or FileVault on Macs is designed to protect your disk while the machine is shut down, so that if it is stolen the data can’t be accessed.  But once it is started up and you have logged on, the data on the disk is readable by anyone who gets access to the running machine.  The safest encryption uses what is known as file-level encryption, which encrypts your files by sensitivity level and only allows them to be read by authorised persons on your corporate network.  That way, if your machine is accessed whilst it is up and running in your coffee shop, the sensitive data can’t be read.

Stay aware and stay vigilant.  You have to be successful all the time; the criminal has to be successful just once.

Three weeks v three minutes:  The MDR Difference

Managed Detection and Response, MDR, has long been considered too expensive and beyond the reach of SMEs.  There are very good reasons for this, not least because most companies who provide these services, don’t target SMEs because they perceive that the revenue isn’t there, even though the need very much is.  Another issue is that SMEs don’t have the in-house resource that can deal with this kind of service, to do this internally requires expertise, resource and expensive monitoring tools; all resource that SMEs don’t have.  At best, their IT systems are overseen by someone who has another primary function and hasn’t got much time to deal with IT issues, has no technical background, much less a cybersecurity background, and whose responsibility lies with liaising with their network provider. 

Then there is the network provider, who supplies hardware and software and may manage the network on behalf of the SME.  The service level agreement (SLA) that these companies work to will concisely lay down what services they provide, and I’m prepared to bet that this doesn’t include MDR, for the simple reason that they also don’t have the skill levels and experience required to provide an adequate service.  Be clear, I’m not denigrating these companies or the services they supply, simply pointing out that they work to strict service levels as laid down in the contract and will usually not step outside of these.

I have written articles and posts about this before, but it’s worth repeating because there are now systems available, often driven by AI, that are affordable and not just appropriate for SMEs but specifically designed for them, at a service level that is realistic and priced accordingly.  AI is something that we use quite extensively in our service, because it does the heavy lifting and allows us to deliver a service at a price that is appropriate for an SME.  AI is now prevalent and is used pretty much everywhere, including by cyber criminals.  AI-driven attacks are becoming the norm and are not going away.  We fight fire with fire.

Let’s develop this a bit further and look at a ‘before and after’ scenario, where a small business holding lots of personally identifiable information (PII), as defined within GDPR and associated legislation, decides to use an MDR service, having recognised that it has a legal duty to protect this data, and that a data breach would be a serious issue which could put it out of business.

Scenario: “Maple & Co. Accounting”

Business type: Small accounting firm (12 employees)

Tech setup: Cloud-based email, shared drives, a basic firewall, and endpoint antivirus

Challenge: Limited IT staff (1 generalist), growing concerns about cyber threats

BEFORE MDR

Day-to-day reality

Maple & Co. believes they’re “covered” because they have antivirus software and strong passwords. But in practice:

  • Alerts from antivirus pop up frequently → mostly ignored (“probably nothing”)
  • No centralised visibility into systems or logs
  • Employees occasionally click phishing emails
  • Software updates are inconsistent
  • No formal incident response plan

The Incident

One employee receives a convincing phishing email posing as a client invoice.

  • They click the link and enter credentials
  • Attacker gains access to their email account
  • Uses that account to send more phishing emails internally
  • Installs a lightweight remote access tool (RAT)

What goes wrong:

  • No one notices unusual login locations
  • Antivirus doesn’t flag the RAT
  • Suspicious outbound traffic goes undetected
  • The attacker quietly accesses financial documents for 3 weeks

Impact

  • Sensitive client data exposed
  • Regulatory reporting required
  • Business reputation damaged
  • Costly emergency IT response
  • Downtime and lost productivity

AFTER MDR IMPLEMENTATION

Maple & Co. adopts a Managed Detection and Response service.

What MDR Adds

  • 24/7 monitoring by a managed service provider
  • Endpoint detection and response (EDR) tools installed on all devices
  • Centralised log collection and analysis
  • Automated and human-led incident response

Same Attack Attempt (But Now…)

Step 1: Phishing Email Clicked

An employee clicks a similar phishing link again.

MDR Response:

  • Suspicious login detected (unusual geography + device fingerprint)
  • Alert triggered immediately by behavioural analytics

Step 2: Credential Misuse Attempt

Attacker tries to access email and internal systems.

MDR Response:

  • Account access temporarily blocked
  • Forced password reset initiated
  • Managed service team flags activity as high risk

Step 3: Malware Execution Attempt

The attacker tries to deploy a remote access tool.

MDR Response:

  • EDR agent detects unusual process behaviour
  • File execution is automatically stopped
  • Device is isolated from the network

Step 4: Human Analyst Intervention

  • Analysts investigate the full timeline
  • Confirm malicious intent
  • Remove persistence mechanisms
  • Provide a clear incident report

Outcome

  • Attack stopped within minutes, not weeks
  • No data exfiltration
  • Minimal disruption to operations
  • Actionable report delivered to the business

BEFORE vs AFTER (Quick Comparison)

Summary

Before MDR, Maple & Co. relied on tools without coordination or expertise. After MDR, they gained:

  • Continuous monitoring
  • Rapid response
  • Expert analysis
  • Reduced risk exposure

The biggest shift isn’t just better tools; it’s having dedicated security expertise actively defending the business at all times.

Remember, no service is ever going to guarantee 100% security, that’s just not realistic.  What an MDR designed for SMEs will do is to reduce your risk to a level that you’re prepared to accept, by adopting a risk managed approach.  It does this by having:

  • A vulnerability assessment tool
  • A cyber awareness programme inbuilt
  • A phishing simulation tool

By identifying your vulnerabilities early and fixing them, your exposure is reduced and by training your staff to be your first line of defence, you reduce your exposure still further.

TARGET PROFILING AND SOCIAL ENGINEERING

I frequently share insights on the significance of Cyber Awareness Training and its critical role in helping organisations defend against cybercrime. Cyber awareness training is a vital aspect of contemporary security strategies for everyone. It provides employees with the essential knowledge and skills needed to identify, respond to, and reduce cyber threats. This training is particularly effective in combating social engineering.  It is arguably the quickest and cheapest measure an SME can implement to shore up their defences.

While many people are now familiar with the term social engineering, they may not fully understand its meaning. In the context of cybersecurity, social engineering involves manipulating, influencing, or deceiving individuals to gain unauthorised access to IT systems or to steal personal and financial information. It employs psychological tricks to lead users into making security errors or divulging sensitive data. The most prevalent form of social engineering is phishing.

Social engineering heavily relies on the six Principles of Influence identified by Robert Cialdini, a behavioural psychologist and author of “Influence: The Psychology of Persuasion.” These six principles are: Reciprocity, Commitment and Consistency, Social Proof, Authority, Liking, and Scarcity. Simply put, what these criminals seek is information, login credentials, passwords, names, phone numbers, and more. They are profiling your organisation to identify vulnerabilities, such as who manages accounts payable or whether you have an IT support company under contract that they could impersonate. In addition to phishing, they utilise various forms including vishing (voice phishing), smishing (SMS phishing), and simply calling to ask questions.

A rising threat that criminals are increasingly adopting is help desk social engineering tactics. In these schemes, attackers call an organisation’s IT help desk while posing as a legitimate employee, trying to convince the help desk agent to reset passwords or multi-factor authentication (MFA) for a specific account.

In recent years, these techniques have been used to access single sign-on (SSO) accounts and cloud-based application suites. Multiple criminals adopted this approach in 2024, targeting academic and healthcare institutions; in these cases, attackers utilised compromised identities to extract data from cloud-based software as a service (SaaS) applications or alter employee payroll information.

It is important to keep in mind that profiling isn’t about technology.  Profiling uses social engineering techniques before it starts scanning your network for vulnerabilities.

Let’s now look at a scenario which we have entitled “The Helpful IT Contractor”.

Reconnaissance (Profiling the Target)

An attacker spends time gathering information about a mid-sized company:

  • Reviews employee profiles on LinkedIn
  • Identifies the IT helpdesk structure
  • Finds names of recent hires and projects
  • Notes that the company recently adopted a new cloud platform

The attacker now knows enough to sound convincing.

Initial Contact (Pretexting)

The attacker calls the finance department, posing as IT support:

“Hi, this is Alex from IT support. We’re fixing an issue with the new system rollout.”

They:

  • Use real employee names to build trust
  • Mention the actual cloud migration project
  • Create urgency: “We need to resolve this before payroll processing today”

Exploitation Attempt

The attacker asks the employee to:

  • Confirm their login details “for verification”
  • Install a “security patch” (malware)
  • Or approve a multi-factor authentication (MFA) request

If successful, the attacker gains:

  • System access
  • Credentials for lateral movement
  • Potential access to financial systems

How This Can Be Detected

Red Flags

  • Unexpected calls asking for credentials
  • Urgency or pressure (“must be done now”)
  • Requests that bypass normal IT procedures
  • Slight inconsistencies (email domain, phone number, tone)

Technical Indicators

  • Unusual login attempts (time/location anomalies)
  • Multiple MFA push requests
  • New software installation outside standard processes

How to Stop the Attack

People Controls

  • Train staff to:
    • Never share passwords or MFA codes
    • Verify identity via official channels
    • Challenge unusual requests—even from “IT”
  • Encourage a “pause and verify” culture

Process Controls

  • Enforce strict IT support procedures:
    • No credential requests via phone/email
    • All changes logged through a ticketing system
    • Require call-back verification using known numbers
    • Implement approval workflows for sensitive actions

Technology Controls

  • Multi-factor authentication (with number matching, not just push)
  • Endpoint protection to block unauthorized installs
  • Email and call filtering systems
  • Identity monitoring (detect unusual behaviour patterns)

Example of a Successful Defence

An employee receives the call but:

  • Refuses to share credentials
  • Reports the incident to IT/security/line manager
  • IT confirms no such request exists
  • Security team blocks the attacker’s number and flags related activity

Attack stopped before any damage.

Key Takeaway

Social engineering works by exploiting trust, urgency, and human behaviour—not technical vulnerabilities.  The strongest defence is a combination of:

  • Aware people
  • Clear processes
  • Enforced technology controls

Cyber Awareness training isn’t a nice to have, it’s essential.  Your staff can be a very effective first line of defence, or they can be your biggest weakness.  Such training is an iterative process; it should be done on induction and then at regular intervals throughout the year.  It is not a fire-and-forget process.

This training doesn’t need to be costly; it can be delivered face-to-face, online, or through automated means. At H2, we offer all these options! Regardless of your choice, please consider this training an essential component of your strategy.

If you’d like more information on this topic, let’s chat!

Ransomware 101:  What Every SME Needs to Know

Ransomware is something that we tend to only hear about when it hits the news, usually referring to an attack on a major corporate organisation or a government body.  But it’s happening to a much wider range of businesses, and it tends to be a very much under-reported issue, particularly when it affects SMEs, which it does more often than you’d think. In a post last week, I referred to the attack on Knights of Old, a mid-sized transport company which was taken down in a very short space of time by a ransomware attack, from which they never recovered.  I wrote a piece a couple of months ago which highlighted the issue of under-reporting.  I won’t regurgitate it here, but if you want to read up on it, the link is Under-reported security incidents.

Overall, SMEs are particularly vulnerable because they often lack robust cybersecurity resources and recovery capabilities. A ransomware attack can have severe and often disproportionate impacts on small or medium-sized businesses:

  • Operational disruption: Critical systems and data become inaccessible, halting day-to-day business activities.
  • Financial loss: Costs may include ransom payments, recovery expenses, lost revenue, and potential regulatory fines.
  • Data loss or exposure: Sensitive customer or business data may be encrypted, stolen, or leaked.
  • Reputational damage: Loss of customer trust can lead to reduced sales and long-term brand harm.
  • Legal and compliance risks: Breaches of data protection laws (e.g. GDPR) can trigger investigations and penalties.
  • Business continuity risk: In severe cases, prolonged downtime can threaten the survival of the business.

Let’s now use a scenario to illustrate the problem.  The scenario is fictitious but has been constructed from real events.

It started like an ordinary Tuesday morning for BrightLane Logistics, a 45-person SME based just outside Manchester. They specialised in same-day delivery for local retailers, and their entire operation depended on a cloud-based booking system, a small internal server, and a handful of laptops used by dispatchers and drivers.

The Entry Point

At 9:12 AM, Sarah, a finance assistant, received what appeared to be a routine email from a known supplier. The message referenced an overdue invoice and urged her to review an attached document. The email address looked legitimate at a glance, just one letter off from the real domain.

Busy and under pressure, Sarah downloaded the attachment: “Invoice_April2026.xlsm.”

When she opened it, nothing obvious happened, just a blank spreadsheet and a prompt to “Enable Content.” She clicked.

That single action executed a hidden macro. Within seconds, a small piece of malicious code connected to a remote server and quietly installed ransomware on her machine.

Attackers do their homework.  They will have spent time profiling this company and its staff.  They will have researched them on Companies House, seen their last financial postings, and will have carried out various innocuous social engineering exercises to discover who does what within the company, and who their suppliers and customers are.  They maximise the chance of an employee clicking the link in the email.

The Spread

Because BrightLane had weak internal network segmentation and shared admin credentials across several systems, the malware didn’t stay contained. It harvested saved passwords from Sarah’s machine and moved laterally across the network.

By lunchtime:

  • The shared file server was infected
  • The dispatch system was compromised
  • Backup drives connected to the network were also encrypted

No alarms were triggered.  BrightLane had basic antivirus, but no advanced detection or monitoring tools.

The Detonation

At 2:03 PM, screens across the office flickered.

Files began changing names. Systems slowed to a crawl. Then everything locked.

A message appeared:

“Your files have been encrypted.

To regain access, pay X Bitcoin within 72 hours.

After that, your data will be permanently deleted.”

Phones started ringing immediately. Drivers couldn’t access delivery routes. Customers couldn’t place orders. The warehouse team had no visibility of scheduled shipments.  Operations ground to a halt.

The Immediate Consequences

Within hours:

  • All deliveries stopped
  • Customer service was overwhelmed
  • Financial systems were inaccessible
  • Staff were sent home early

The managing director, Tom, faced a brutal reality: the company could not operate.

They contacted their IT support provider, but it quickly became clear:

  • Backups were unusable (they had been encrypted too)
  • No incident response plan existed
  • Recovery could take weeks, if at all possible

The Decision Point

The ransom demand equated to roughly £120,000.

Paying it came with no guarantee of recovery, as well as potential legal and ethical implications. Not paying meant:

  • Permanent data loss
  • Severe operational disruption
  • Potential business closure

Meanwhile, the attackers escalated pressure by threatening to leak sensitive customer data.

The Longer-Term Impact

Over the following weeks:

Financial Damage

  • Lost revenue from halted operations
  • Cost of external cybersecurity experts
  • Legal and regulatory compliance expenses

Reputational Harm

  • Customers lost trust
  • Key clients moved to competitors

Regulatory Consequences

  • A data breach investigation was triggered
  • Potential fines for failing to protect customer data

Internal Fallout

  • Staff morale dropped sharply
  • Leadership faced scrutiny over the lack of preparedness

The Aftermath

BrightLane eventually chose not to pay the ransom. They rebuilt their systems from scratch, but it took nearly a month to resume partial operations.

By then:

  • 30% of their customer base was gone
  • Cash reserves were severely depleted
  • The company had to downsize

The Lesson

The attack didn’t rely on sophisticated zero-day exploits.  This wasn’t one failure; it was a chain of small, common weaknesses, which, taken together, created a complete business shutdown:

  • One phishing email
  • One click
  • One flat network
  • One set of shared credentials
  • One poorly designed backup system

For BrightLane, the ransomware attack wasn’t just an IT issue; it became an existential business crisis.

SMEs can’t do everything, and if I were to prioritise measures that could produce the biggest risk reduction, taking into account limited budgets, I would recommend the following:

  • MFA everywhere (especially email & admin accounts)
  • Offline/immutable backups
  • Cyber Awareness training for staff and managers
  • EDR instead of basic antivirus
  • Remove shared admin credentials
  • Network segmentation (even simple VLANs)
  • Some form of managed detection and response

Don’t think it won’t happen to you.  It can and does happen to SMEs in the UK, many of whom pay up and don’t report it.  I understand why they do this, but it doesn’t help the overall problem, as it disguises the frequency and the damage done.  It’s much cheaper in the long run to take preventative action than it is to try to recover once it’s happened.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.

To learn more about the services we provide, please click here https://www.hah2.co.uk/

Alternatively, please feel free to give us a call or drop us an email:

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Trust H2 – Making sure your information is secure

Watch, Detect, Protect:  Detecting Cyber Attacks Before They Start

Imagine a small business owner who runs a 25-person company providing financial services to firms and individuals. He knows cyber threats are “a thing,” and in fact, one of his customers required basic security controls before signing a contract. And so, he took advice from his network provider, a local IT reseller, and he purchased a bundle: antivirus software, a firewall appliance, and a cloud backup service.

From his perspective, everything seems covered:

  • The antivirus dashboard shows green checkmarks.
  • The firewall has flashing lights and a web interface that he never logs into.
  • The backup system sends a weekly email saying, “Backup completed successfully.”

But here’s the reality:

He has no meaningful way to tell if any of this is actually protecting him.

A few subtle issues are happening behind the scenes:

  • The antivirus hasn’t detected anything, not because threats aren’t present, but because it’s misconfigured and only running quick scans.
  • The firewall rules were set up once by the reseller and never reviewed; several unnecessary ports are still open.
  • Backups are completing, but no one has ever tested restoring them, so they may be incomplete or unusable.
  • Staff occasionally click phishing emails, but those incidents go unnoticed because there’s no monitoring or reporting in place.
  • He doesn’t have a clear idea of what data he is holding and what that data may reasonably be classified as, i.e. highly sensitive or sensitive, or not sensitive at all.  Neither does he really have an idea who has access to what, either at a user level or worse, at an administrator level.

One day, an employee unknowingly installs malware from a phishing link. The attacker gains access to the company’s systems and quietly exfiltrates sensitive client data over several weeks.

Throughout this entire period:

  • No alerts reach any level of management in a way they understand.
  • No KPI or metric tells them, “You are under attack”, or even “your defences are being exercised.”
  • The tools continue to report “all good” because they are measuring activity (e.g., scans completed), not effectiveness (e.g., attacks prevented).
  • He assumes that “no news is good news.” In reality, he’s operating in a visibility gap:
    • He doesn’t know what “normal” vs “suspicious” looks like.
    • He has no baseline metrics (e.g., number of blocked threats, phishing simulation results, patch status).
    • He lacks independent validation (such as audits, vulnerability assessments, or even simple security reports translated into business terms).

So, when a client later informs him of a data breach traced back to his company, it’s a complete shock. From his perspective, he did everything right; he bought the tools. But he never had a way to measure whether those tools were correctly configured, actively working, or aligned to real threats.

This is a common SME problem: security is treated as a one-time purchase rather than an ongoing, measurable process. Without clear, understandable metrics or external validation, the owner is essentially flying blind, relying on reassuring dashboards instead of actual evidence of protection.

The question then becomes: what can an SME do to protect itself from these issues?  The first step is to recognise that they don’t have any in-house resource that can deal with these problems, and neither can they afford such a resource. At best, their IT systems are overseen by someone who has another primary function and hasn’t got much time to deal with IT issues, has no technical background, much less a cybersecurity background, and whose responsibility lies with liaising with their network provider.

Now, let’s deal with the network provider that supplied the security tools.  These companies work to Ts&Cs that will concisely lay down what services they provide under any network maintenance contract.  Such contracts may include administration of the network, adding and taking away access rights, or they may just refer to routine maintenance and troubleshooting.  Whatever it is, an SME must have a clear understanding of what those Ts&Cs say.  You may be under the impression that they are covering things that they simply aren’t.  This is often the case with cybersecurity.  This is because they themselves don’t have a handle on how cybersecurity hangs together. They concentrate on supplying products such as firewalls and AV, and on how to install and configure such products.  They may also handle AV updates, and in that case, you need to be very clear about how they do that and how they assure you that it is done.

Be clear, I’m not denigrating these companies or the services they supply, simply pointing out that they work to strict service levels as laid down in the contract and will often not step outside of these.

To sum up, we are now at the point where we recognise that SMEs in general do not have a handle on how effective their security actually is, on where their sensitive data sits and how it’s accessed and handled.  They don’t have anyone on staff who has an understanding of cybersecurity, and there is a good chance that their network contract doesn’t include any sort of security monitoring and alerting.  The question now becomes, is there anything they can do about it?

Until quite recently, what we called protective monitoring, now more formally called Managed Detection and Response (MDR), together with Data Loss Prevention (DLP) systems, was financially out of reach for an SME. As a result, most SMEs not only didn’t invest in them, they never really knew about them, because the corporate-level providers never pitched to them, knowing they couldn’t afford it.

There are now systems on the market, AI-driven, that have managed to hit a price point that an SME can afford.  These systems may not be as comprehensive as you might find in a large company or central government department, but they do match the requirements for most SMEs.  You don’t need to understand AI; it’s built into the system and operates seamlessly.  What it does is to allow one operator to manage multiple clients at the same time, because the AI does the heavy lifting.  In this way, not only is the system itself affordable, but the managed service it supports also becomes affordable.

To maximise its cost effectiveness, it has additional capabilities such as vulnerability assessment, phishing simulations and cyber awareness training programmes, making it more attractive.  The whole package needs to emulate enterprise-grade protection without the cost and complexity of a full-blown Security Operations Centre (SOC).  Delivering it as a service reduces cost by cutting out the need for an in-house team.

In a nutshell, an SME would want this system because it delivers near enterprise-level cybersecurity protection, reduces business risk, improves compliance, and protects revenue without needing an internal cybersecurity department.  It provides peace of mind; you don’t have to worry about this, let someone else take the strain, while you focus on your business.

To help explain this easily, I have produced a very short video which you can find on the Features Section on my LinkedIn profile.   But if you don’t want to view that, what follows is an introduction to what the service offers.

  • Continuous monitoring of endpoints, servers, and some cloud environments
  • Rapid detection of ransomware, malware, insider threats, and advanced attacks
  • Expert-led response
  • Phishing simulations
  • Cyber awareness training programme
  • Dark web monitoring
  • Auditing your data, identifying what is sensitive and what isn’t; providing file-level encryption and tracking data movements around your network and where it goes when sending it to outside agencies.

In short, it provides the business benefit of reduced risk of downtime, data loss, and reputational damage.

This service comes with vulnerability assessment built into it.  Such assessments are available elsewhere as both software and a service, but they would not be integrated into an overall protection, would come at additional cost, and would need to have a level of expertise to interpret the results.

Vulnerability assessments:

  • Identify outdated software, misconfigurations, and exposed services
  • Prioritise risks based on severity
  • Provide remediation guidance

Most breaches happen because of known, unpatched vulnerabilities. Regular scanning helps prevent attacks before they happen. It is a proactive risk reduction instead of reactive damage control.

The system also offers built-in protection against human error (Phishing Simulation).

Over 80–90% of cyber breaches start with phishing. A phishing simulation programme:

  • Tests employee awareness safely
  • Identifies high-risk users
  • Reinforces learning through practical scenarios

It helps reduce successful phishing attacks and reduces the likelihood of credential compromise or ransomware infection.  Such simulations are an integral part of cyber awareness training.

The system also assists in building a security culture (CBEE Awareness Training Programme).  A structured awareness programme:

  • Trains staff on cyber hygiene and data protection
  • Covers password security, social engineering, safe browsing, and more.
  • Assists compliance with regulations (GDPR, ISO 27001, Cyber Essentials, etc.)

Cybersecurity isn’t just technology, it’s behaviour. Training reduces internal risk significantly and turns employees from a security liability into a security asset.

A managed system such as this can also help with compliance & insurance requirements.  Many SMEs now face:

  • Regulatory obligations
  • Supply chain security requirements
  • Cyber insurance conditions

Having a managed service, vulnerability management, and training demonstrates due diligence and can reduce insurance premiums or improve insurability.

These last 2 points are very important to an SME:  Cost Predictability & Simplicity.  As a managed service, everything is:

  • Subscription-based
  • Centralised under one provider
  • Fully supported by trained personnel

No need to buy multiple tools, manage updates, or maintain in-house expertise.

In business terms, you are getting executive-level risk reduction with a simple value:

  • Reduced likelihood of business interruption
  • Reduced financial exposure
  • Protection of brand and customer trust
  • Clear reporting and measurable risk reduction

All through this article, I’ve talked about cost-effectiveness.  So, what does this service cost?  I’ll add the BBC caveat – other systems are available!!  We charge £15 per seat per month for the technical system and £15 per seat per month for the data leakage protection system. Discounts are available for clients who take both systems, and you get a lot for your money.  It’s a 30-day rolling contract, no long-term lock-in, simply 30 days’ notice to quit.  We also offer a totally free 14-day trial that is fully functional, so you can see the outputs from your own system, rather than look at demos with dummy data.

What is Security Architecture, and what does it mean for SMEs?

Security architecture is the structured design of systems, policies, technologies, and processes used to protect an organisation’s IT systems, networks, and data from cyber threats.  Easy to say, not quite so easy to do.

When working on a major IT infrastructure deal, the security architect would be brought in, or at least should be brought in, very early on, usually after the first logical design has been done.  What that means is that a logical design is basically a bunch of boxes on paper that represent systems with connection arrows in between, identifying data flows.  OK, I’m being a bit simplistic, but you get the idea.  Once that’s done, the security architect has something to work with to start putting in security layers.  As the design evolves, so does the security architecture.

So now let’s look at the real world.  Most SMEs are way past this phase, with their systems having grown organically as the company grows.  SME management is focused on how well the systems work for them, whether they meet the need, can the staff operate the systems efficiently, are the systems robust, etc.  Security then tends to get bolted on, often using software and/or hardware that the company’s contracted IT provider recommends, which in turn is whatever software and/or hardware that the contractor sells.

Many SMEs had set up their system before COVID, and they were often set up using what we called the Bastion security model.  That was named after the old castle design, a big wall around it with a moat and a portcullis to protect it, or in modern terms, a protected network, accessed via secure firewalling, with some sort of access control and other protections such as anti-malware.  A good model had network segregation, but I’m afraid my experience is that network segregation was often lacking.  Just to be clear, what segregation means in this instance is a breaking up of functions within the company, i.e., finance, HR, operations, management, etc., with relevant access controls of some sort.  And of course, all this on premises.

In many cases, COVID drove a coach and horses through that model.  First, it stopped people from going into the office, and owners/managers had to quickly come up with a way of working remotely through some form of remote access.  Many at that point weren’t using cloud-based systems, and in fact, there was still some reluctance to embrace cloud tech because owners didn’t trust storing their data with what they saw as being out of their control.  It took some persuasion and education to bring many of these owners/managers around.  These days, of course, cloud storage and remote access are largely the norm, but there is still the question of exactly how secure existing systems are, having often been put together rapidly and from a position of necessity rather than choice.

A realistic cybersecurity architecture for an SME should balance security, manageability, and cost. Most SMEs are now operating in a cloud-based environment, so the architecture typically centres on identity security, endpoint protection, and cloud controls rather than heavy on-prem infrastructure.  But let’s not forget monitoring and auditing, and, depending upon your business, data encryption.

Identity Layer (Core Security Control)

Identity management is core to a secure system.  It is vital to ensure that only the right people have access to the right systems.  SMEs need to consider some form of identity management, but they might feel this is expensive and unnecessary for them.  Owners and managers need to decide their own risk appetite, i.e., what they see as an acceptable, as well as what they see as an unacceptable, risk.  But it doesn’t have to be expensive.  Many SMEs will be using MS365, for example, and will be able to get a reasonable deal on Microsoft Entra ID, formerly known as Azure AD.  I know many of my colleagues in the security world will argue that Azure had its issues in the past, but it is better now.

It will help you implement controls such as:

  • Mandatory Multi-Factor Authentication
  • Conditional access policies
  • Single Sign-On (SSO)
  • Privileged identity management
  • Automated user provisioning/deprovisioning

Endpoint Security Layer

Endpoints are the primary attack surface. This typically includes:

  • Endpoint detection and response (EDR)
  • Device management
  • Encryption

Controls it should cover include:

  • Automated patching
  • Encryption:
    • Full disk encryption comes built into Windows with BitLocker and Mac with FileVault, but it has a limitation: it encrypts the disk at rest, protecting your data if a device is stolen, but the data is transparently decrypted once the machine has booted and been unlocked, so it offers little protection against an intruder on a running system or a mistake made by an employee.
    • File-level encryption works by encrypting files that you have deemed to be sensitive and in need of protection.  It encrypts the files using an agent-based system and decrypts them when they are shared with or accessed by someone who also has the agent and therefore the permission.  Sounds complicated, but it really isn’t, and it can be shown to you very easily.
  • Application control
  • USB restrictions
  • Remote wipe

Email and Collaboration Security

Email is still the No 1 entry point for attacks, and using cloud-based software such as MS365 or even Google Workspace, both affordable for an SME, has security features that are highly desirable if not essential.

  • Anti-phishing protection
  • Attachment sandboxing
  • URL scanning
  • DMARC, SPF, DKIM email authentication – these are all DNS records for your domain (your network provider should be able to brief you) that let receiving mail servers check that email claiming to come from your domain was actually sent by a source you trust, rather than spoofed.
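As an added example (not the article's or any provider's code), the following checker parses SPF and DMARC TXT records offline and flags the weak settings that an SME typically ships with, showing a weak pair beside a hardened pair. The record strings and the reporting address are constructed; the rules applied come from RFC 7208 (SPF) and RFC 7489 (DMARC).

```python
"""Offline checks of SPF and DMARC TXT records for common weak settings.
Added example; the records below are constructed, not taken from a real
domain, and the checks follow RFC 7208 (SPF) and RFC 7489 (DMARC)."""
from __future__ import annotations

import re

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 lookups is a permerror

# Constructed records: a weak pair beside a hardened pair for the same (example) domain.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"


def parse_spf(record: str) -> dict:
    """Split an SPF record into its terms and the qualifier on the final 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            all_qualifier = t[0] if t[0] in "+-~?" else "+"  # default qualifier is '+'
            break  # RFC 7208: terms after 'all' are never evaluated
    return {"terms": terms[1:], "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC record's 'tag=value' pairs into a dict (keys lower-cased)."""
    tags = {}
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"malformed DMARC tag: {chunk!r}")
        key, value = chunk.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def spf_findings(record: str) -> list[str]:
    """Return human-readable weaknesses in an SPF record (empty list if none)."""
    spf = parse_spf(record)
    findings = []
    if spf["all"] is None:
        findings.append("no 'all' term: unlisted senders get a neutral result, so nothing is enforced")
    elif spf["all"] == "+":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif spf["all"] == "?":
        findings.append("'?all' is neutral: spoofed mail passes as if there were no record")
    # '~all' (softfail) and '-all' (fail) both give DMARC something to enforce.
    lookups = sum(1 for t in spf["terms"]
                  if re.split(r"[:/=]", t.lower().lstrip("+-~?"))[0] in SPF_LOOKUP_TERMS)
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {SPF_MAX_LOOKUPS}; "
                        "receivers return permerror and the record protects nothing")
    return findings


def dmarc_findings(record: str) -> list[str]:
    """Return human-readable weaknesses in a DMARC record (empty list if none)."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag: receivers ignore the record")
    elif policy.lower() == "none":
        findings.append("p=none only monitors: mail failing SPF/DKIM alignment is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address: you get no aggregate reports showing who sends as your domain")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    for label, rec, check in (("weak SPF", WEAK_SPF, spf_findings),
                              ("strong SPF", STRONG_SPF, spf_findings),
                              ("weak DMARC", WEAK_DMARC, dmarc_findings),
                              ("strong DMARC", STRONG_DMARC, dmarc_findings)):
        print(label, "->", check(rec) or ["no findings"])
```

To check a live domain, feed the output of a TXT lookup for `yourdomain` and `_dmarc.yourdomain` into the same functions.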

Network Security Layer

Even cloud-heavy SMEs still need basic network protection.

Key components:

  • Next-generation firewall
  • VPN or Zero Trust remote access
  • Network segmentation
  • DNS filtering

Good firewall segmentation would include:

  • Company devices
  • Guest WiFi
  • Servers
  • IoT devices

Cloud Security

SMEs often rely heavily on Software as a Service (SaaS) and cloud infrastructure.  Again, this needs some controls, which could include:

  • Secure configuration monitoring
  • Data leakage prevention
  • Access monitoring

Key policies may include:

  • No public file sharing by default
  • Alert on impossible travel logins
  • Monitor privileged activity
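The “multiple MFA push requests” and “unusual login attempts (time/location anomalies)” indicators from the help-desk scenario earlier, and the “alert on impossible travel logins” policy above, can both be expressed as simple detection logic. The following is an added example (not the article's or any vendor's code) run over constructed sign-in events; the event field names, the 10-minute push window and the 900 km/h travel threshold are assumptions.

```python
"""Detection logic for two indicators discussed in this article, run over
constructed sign-in events: repeated MFA push prompts to one account in a
short window (push fatigue) and consecutive sign-ins from places too far
apart to travel between in the time elapsed (impossible travel).

Added example, not the article's or any vendor's code. Field names and
thresholds are assumptions; the events are constructed."""
from __future__ import annotations

import math
from collections import defaultdict
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0

# Constructed sample events (UTC). "sarah" receives four MFA pushes in four
# minutes from an attempt in Lagos, signs in normally from Manchester, then a
# sign-in from Lagos succeeds 45 minutes later. "tom" travels Manchester to
# London over four hours, which is ordinary.
SAMPLE_EVENTS = [
    {"ts": "2026-04-14T08:29:00", "user": "tom", "event": "mfa_push_sent", "city": "Manchester", "lat": 53.48, "lon": -2.24},
    {"ts": "2026-04-14T08:30:00", "user": "tom", "event": "login_success", "city": "Manchester", "lat": 53.48, "lon": -2.24},
    {"ts": "2026-04-14T09:01:00", "user": "sarah", "event": "mfa_push_sent", "city": "Lagos", "lat": 6.45, "lon": 3.39},
    {"ts": "2026-04-14T09:02:00", "user": "sarah", "event": "mfa_push_sent", "city": "Lagos", "lat": 6.45, "lon": 3.39},
    {"ts": "2026-04-14T09:03:00", "user": "sarah", "event": "mfa_push_sent", "city": "Lagos", "lat": 6.45, "lon": 3.39},
    {"ts": "2026-04-14T09:04:00", "user": "sarah", "event": "mfa_push_sent", "city": "Lagos", "lat": 6.45, "lon": 3.39},
    {"ts": "2026-04-14T09:05:00", "user": "sarah", "event": "login_success", "city": "Manchester", "lat": 53.48, "lon": -2.24},
    {"ts": "2026-04-14T09:50:00", "user": "sarah", "event": "login_success", "city": "Lagos", "lat": 6.45, "lon": 3.39},
    {"ts": "2026-04-14T12:30:00", "user": "tom", "event": "login_success", "city": "London", "lat": 51.51, "lon": -0.13},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_push_fatigue(events: list[dict], window_minutes: int = 10, threshold: int = 3) -> list[dict]:
    """Flag users who received at least `threshold` MFA pushes inside one sliding
    window of `window_minutes`: the pattern of an attacker holding a password
    and waiting for an accidental approval."""
    pushes: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push_sent":
            pushes[e["user"]].append(_ts(e))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, times in pushes.items():
        times.sort()
        largest_burst, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            largest_burst = max(largest_burst, j - i)
        if largest_burst >= threshold:
            alerts.append({"indicator": "mfa_push_fatigue", "user": user, "pushes_in_window": largest_burst})
    return alerts


def detect_impossible_travel(events: list[dict], max_speed_kmh: float = 900.0) -> list[dict]:
    """Flag consecutive successful sign-ins for one user whose implied speed exceeds
    `max_speed_kmh` (roughly airliner speed). Two sign-ins from the same place
    at the same instant imply speed 0 and are not flagged."""
    logins: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["event"] == "login_success":
            logins[e["user"]].append(e)
    alerts = []
    for user, user_logins in logins.items():
        user_logins.sort(key=_ts)
        for prev, cur in zip(user_logins, user_logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"indicator": "impossible_travel", "user": user,
                               "from": prev["city"], "to": cur["city"],
                               "distance_km": round(km, 1), "hours": round(hours, 2),
                               "speed_kmh": round(speed, 1)})
    return alerts


def run_detections(events: list[dict]) -> dict[str, list[dict]]:
    """Run both detections and group the alerts by indicator name."""
    return {"mfa_push_fatigue": detect_push_fatigue(events),
            "impossible_travel": detect_impossible_travel(events)}


if __name__ == "__main__":
    for name, alerts in run_detections(SAMPLE_EVENTS).items():
        for alert in alerts:
            print(name, alert)
```

Identity providers export sign-in logs with equivalent fields; pointing these two functions at a day's export is enough to surface both patterns without a SIEM.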

Data Protection Layer

Protect sensitive data even if systems are compromised.  Controls might include:

  • Data classification
  • Data leakage prevention
  • Full disk and file-level encryption

Policies might include:

  • Prevent the sharing of sensitive records externally
  • Block download of sensitive files on unmanaged devices
  • Monitoring where your data is and how it transits the network, alerting to movements of data outside of the norm.

Backup and Recovery

This is critical for recovering from ransomware and other data compromises, as well as technical faults.

Best practice:

  • Immutable backups
  • Offline copies
  • Regular restore testing

Don’t forget cloud backups; that’s something that is often forgotten.  Check your Ts&Cs with your provider, don’t just assume they are backing up as you would require.

Security Monitoring

You need visibility into attacks, and security monitoring is something that many SMEs simply don’t consider, possibly because in the past, it was considered very expensive and over the top.  That is no longer the case.  There are systems now available specifically for SMEs.

Typical SME approach:

  • Centralised log collection
  • Security alerts
  • Managed detection and response

Many SMEs outsource this to an MDR provider like H2.  I know you would expect me to say this, but it really is recommended.

Security Awareness and Policies

Technology alone cannot protect the organisation.  Cyber awareness training is a subject that I bang on about all the time.  It really should be a no-brainer and is arguably the cheapest quick win an SME can make.

What you need as a minimum is:

  • Security training platform
  • Phishing simulation
  • Acceptable use policy
  • Incident reporting channel

Strangely enough, we provide all of these within our managed service.

Incident Response and Business Continuity

I have blogged about this in the past.  You need to be prepared for security incidents.  This means not just having a plan to bring your systems back online and to restore your data from backups, but also having a business continuity plan to enable you to continue your business whilst the technical work is being undertaken. Test these systems and plans and make sure they work.

Key elements include:

  • Incident response playbooks
  • Legal and breach notification procedures
  • Disaster recovery and business continuity plans
  • Security metrics dashboard

Standards

Consider adhering to a standard such as Cyber Essentials, the Government standard, which has been taken into use by many SMEs.

Summary

Security architecture is the structured design of policies, technologies, and controls used to protect an organisation’s systems, networks, and data from threats.

It acts as a blueprint for implementing security to ensure Confidentiality, Integrity, and Availability (CIA Triad) of information.  It really is something SMEs should consider and need to take advice about.  Do not rely on your network provider, they will focus on the core services they provide and the products they have deals to supply.

WHY SMEs NEED a CYBER SECURITY STRATEGY: PROTECTING GROWTH and REPUTATION

For small and medium-sized enterprises (SMEs), cyber risk management is the business process of identifying and addressing digital threats to protect operations, revenue, and reputation. Rather than just a technical IT task, it is a strategic function focused on ensuring business continuity and managing potential financial losses. 

For many SMEs, one of the most effective ways to secure a business is to follow the UK government’s National Cyber Security Centre (NCSC) recommendations. These five steps are designed to be cost-effective and provide protection against the majority of common cyber-attacks. 

  • Secure your data with back-ups.
  • Protect with strong authentication (MFA).
  • Keep devices and software up to date.
  • Guard against malware.
  • Train staff on cyber awareness, phishing in particular.

However, no two businesses are the same.  They will all have certain threats and vulnerabilities in common, and adherence to the NCSC guidelines will set you on the right path, as will schemes such as Cyber Essentials; many of you will either have gone down that route or will be actively discussing it internally.  But there will still be differences, perhaps only nuances, that can drive a hole through your defences, and that is why you need a risk management strategy to ensure you have built robust defences.

Establish clear security responsibility

Key elements:

  • Appoint a security owner (even part-time or fractional).
  • Make sure you have an overarching security policy under which you have more detailed and targeted policies.
  • Institute regular security reviews

The second point is one that is often downplayed or overlooked altogether by SMEs.  Many of the protections that you may need will be procedural rather than technical.  They will require robust policies and processes that are enforced and audited.

The Business Case for Cyber Risk Management

Cyber incidents are not just “IT glitches”; they are economic events that directly impact the bottom line. 

  • Revenue Protection: Downtime can freeze sales, stop production, and prevent invoicing, leading to immediate cash flow gaps.
  • Liability & Compliance: Breaches of sensitive data (like customer or staff records) can trigger legal fees, regulatory fines (e.g., under UK GDPR), and mandatory reporting costs.
  • Market Advantage: Demonstrating robust security, such as achieving Cyber Essentials accreditation, is often a prerequisite for winning major contracts and building customer trust.
  • Survival: Reports indicate that 60% of small companies go out of business within six months of a major cyberattack due to recovery costs and reputational damage. 

Core Strategic Pillars

Effective management focuses on outcomes, not just tools.

  • Identity Control: Ensuring only the right people have access to specific business data. Multi-Factor Authentication (MFA) is a non-negotiable standard to prevent unauthorised access.
  • Data Integrity: Maintaining secure, encrypted, and regularly tested backups so the business can “rewind” to a stable state if files are locked by ransomware.
  • Operational Resilience: Building a plan to stay trading even during an incident. This includes defined roles for who contacts IT, legal, regulators and customers when a breach occurs. 

Risk Treatment Options

Not all risks can be fixed; business owners must decide how to handle each one based on their risk appetite:

  • Mitigation: Investing in security controls across people (awareness training), process and technology to lower the likelihood of an attack.
  • Transfer: Using Cyber Insurance to shift the financial burden of recovery, legal fees, and business interruption to an insurer.
  • Acceptance: Acknowledging low-impact risks where the cost of fixing them outweighs the potential loss.
  • Avoidance: Choosing to stop a high-risk activity altogether, such as retiring an old, insecure software system. 

Human Capital as a Defence

Since over 80% of breaches involve human error (such as clicking phishing links), staff training is the most cost-effective “firewall” an SME can implement. Regular, simple awareness sessions turn employees into a proactive detection layer. 

What does a practical strategy look like for an SME?

Start with Risk Assessment

Before buying tools or even setting a budget, understand what you must protect.

Key actions:

  • Identify critical assets (customer data, financial systems, IP).
  • Identify main threats (phishing, ransomware, credential theft).
  • Map who has access to what.
  • Prioritise highest-impact risks.

Typical SME top risks:

  • Phishing attacks
  • Ransomware
  • Weak passwords
  • Unpatched systems
  • Cloud misconfiguration

Successful phishing attacks, ransomware, and weak passwords nearly all stem from poor cyber awareness by staff.  Knights of Old, a transport company employing over 700 people, went under within two weeks following a ransomware attack that was the result of a poor password being cracked, allowing the criminals to install the relevant code.

Other important measures

  • Implement Strong Identity & Access Controls
  • Secure Endpoints and Devices
  • Protect Email and Users
  • Backup and Ransomware Protection
  • Network Security
  • Incident Response Plan
  • Third-Party Risk Management

In short, what we call a ‘Lean’ Security Stack might include:

  • MFA + identity management
  • Email security filtering
  • EDR on endpoints
  • Automated patching
  • Secure backups
  • Firewall
  • Security awareness training
  • Encryption

This covers 80–90% of real attacks. The last piece of advice to those wanting to do this properly is not to try to do it all yourself.  You are not experts in this field any more than I am an expert in yours.  Working together with a cybersecurity professional, you can identify what, out of everything that is written above, is really going to give you the protection you need in your particular field, and what might be a nice-to-have, rather than an essential.  You can then prioritise the fixes by both importance and cost, maybe implementing fixes over several budgetary periods.

Data Leakage Explained for SMEs

Stopping data leaks from your organisation is an important part of data protection; it is, if you like, a subset of that ever-evolving subject.  The rules are evolving here in the UK, with new legislation coming online, and the overall requirement starts with a good mindset and sound rules and processes to guard your most sensitive data.  We refer to data leakage when talking about a service we provide to SMEs, which we don’t like to frame as data protection because it is, as I said, a subset of the requirements.  However, it is an important subset that lies at the sharp end of the whole thing.

First of all, let’s clarify what Data Loss Prevention (DLP) is.  It is a cybersecurity strategy that identifies, monitors, and prevents sensitive information from being accessed, shared, or transmitted without authorisation, whether accidentally or maliciously, across endpoints, networks, cloud services, and email systems.  In short, DLP stops sensitive data from leaving where it shouldn’t.

Sounds great, until you investigate such systems.  They can be extremely effective if you are a large corporate organisation, but they are very expensive, difficult to set up and come with a heavy admin burden.  It’s not terribly surprising that SMEs don’t know much about these systems, because the organisations that market them simply don’t target SMEs. After all, SMEs, in general, can’t afford them.

A data leak, however, can be one of the most damaging incidents an SME can face. Unlike large enterprises, SMEs often have fewer financial reserves, less technical expertise, and limited crisis-management capacity, making the impact proportionally greater.

Threats to an SME from Data Leakage

Taking a quick glance through the threats to an SME business from a data leak:

Financial Loss

  • Legal costs from customer or partner lawsuits.
  • Compensation payments to affected individuals.
  • Incident response and forensic investigation costs.
  • Business interruption losses during system shutdowns.
  • Regulatory fines (e.g., under data protection laws such as GDPR).

For SMEs, even moderate fines can significantly impact cash flow or survival.

Reputational Damage

  • Loss of customer trust.
  • Negative media exposure.
  • Damage to brand credibility.
  • Loss of competitive advantage.

SMEs often rely heavily on local reputation or niche trust; once damaged, recovery can be slow and costly.

Loss of Customers and Contracts

  • Clients may terminate contracts.
  • Prospective customers may choose competitors.
  • Larger partners may require stronger security compliance before continuing relationships.

Operational Disruption

  • Systems may need to be taken offline.
  • Data recovery efforts consume time and resources.
  • Staff productivity drops during investigation and remediation.

Theft of Intellectual Property

  • Loss of trade secrets.
  • Exposure of proprietary processes.
  • Competitors gaining access to confidential pricing or strategy information.

Increased Cyber Targeting

Once breached, a company may:

  • Be seen as an “easy target.”
  • Experience follow-up phishing or ransomware attacks.
  • Appear on dark web data marketplaces.

What are the Requirements of a Data Leakage Protection Solution?

In a nutshell, a solution that would fit an SME should be proportionate, cost-effective, scalable, and manageable without a large in-house security team.

Such a system needs to:

  • Identify sensitive data (customer data, financial records, IP).
  • Classify data based on sensitivity.
  • Map where data is stored and who has access.

It needs role-based access control (RBAC) following the principle of least privilege, with multi-factor authentication and strong password policies.  It needs encryption at rest, preferably file-level encryption, and TLS for encryption in transit, with secure key management.  Such a system needs to be set up with monitoring, logging and alerting for suspicious activity, and periodic audits.  It needs backup and recovery.
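To make the "identify, classify, and map who has access" requirements concrete, here is an added Python example written for this post; it is not H2's service, nor any vendor's DLP engine.  It scans constructed documents for a few kinds of sensitive data, assigns each document a sensitivity level, and checks a role's access against that level with a default of no access beyond public data, which is least privilege in its simplest form.  The detector patterns, the level names and the role clearances are assumptions; a real deployment would derive them from your own data inventory and policies.

```python
import re

# Sensitivity levels in ascending order (assumed names).
LEVELS = ["public", "internal", "confidential"]

# Simple illustrative detectors (assumption: your data inventory defines the
# real list). Card numbers are additionally validated with the Luhn checksum
# so that quote or order numbers of similar length are not flagged by mistake.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),  # simplified format only
}

# The level a document must be raised to when a given kind of data is found.
LEVEL_FOR_KIND = {
    "email": "internal",
    "card_number": "confidential",
    "uk_ni_number": "confidential",
}

# Constructed example role clearances, not any real organisation's policy.
ROLE_CLEARANCE = {"finance": "confidential", "sales": "internal", "contractor": "public"}

# Constructed sample documents (not real customer data).
SAMPLE_DOCS = {
    "newsletter.txt": "Our spring newsletter is out now. Visit the website for details.",
    "leads.csv": "alice@example.com, bob@example.org",
    "refund-list.xlsx": "Refund 4111 1111 1111 1111 to customer, NI AB123456C",
    "invoice-draft.txt": "Ref 4111 1111 1111 1112 is a quote number, not a card",
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Count occurrences of each kind of sensitive data in the text."""
    counts = {}
    for kind, pattern in PATTERNS.items():
        n = 0
        for m in pattern.finditer(text):
            if kind == "card_number":
                digits = re.sub(r"[ -]", "", m.group(0))
                if not luhn_ok(digits):
                    continue  # right shape, wrong checksum: not a card number
            n += 1
        if n:
            counts[kind] = n
    return counts


def classify(text: str):
    """Return (level, findings); the level is the highest any finding requires."""
    findings = find_sensitive(text)
    level = "public"
    for kind in findings:
        required = LEVEL_FOR_KIND[kind]
        if LEVELS.index(required) > LEVELS.index(level):
            level = required
    return level, findings


def can_access(role: str, level: str) -> bool:
    """Least privilege: a role may read data at or below its clearance;
    roles not in the policy get nothing beyond public data."""
    clearance = ROLE_CLEARANCE.get(role, "public")
    return LEVELS.index(level) <= LEVELS.index(clearance)


def scan_documents(docs: dict) -> dict:
    """Map each document name to its classification level."""
    return {name: classify(text)[0] for name, text in docs.items()}


if __name__ == "__main__":
    for name, level in scan_documents(SAMPLE_DOCS).items():
        readers = [r for r in ROLE_CLEARANCE if can_access(r, level)]
        print(f"{name}: {level} (readable by: {', '.join(readers)})")
```

The refund list is classified confidential and readable only by finance, the lead list is internal, and the invoice draft stays public because its 16-digit reference fails the Luhn check; that last case is the kind of false positive that makes an unchecked pattern-only scanner unbearable for staff, and why classification and access rules need to be tuned together.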

For SMEs specifically, the solution should be:

  • Affordable and scalable
  • Cloud-friendly
  • Easy to manage
  • Automated where possible
  • Supported by managed security providers (if no internal team exists)

How Do SMEs View Such Systems?

All too often, we come up against the attitude that such a loss is very rare amongst SMEs, and the threat doesn’t justify the expenditure.  That is often because this is a very under-reported issue, and those that are reported are just the tip of the iceberg.

What Is the Source of the “Tip of the Iceberg” Claim?

The idea comes from multiple types of evidence:

Incident Response & Forensics Data

Cybersecurity firms (e.g., Mandiant, CrowdStrike) publish threat intelligence showing:

  • Many breaches are only discovered during unrelated audits.
  • Cyber criminals often maintain access for long periods.

Academic Research

Studies in cybersecurity economics suggest breach reporting underestimates actual intrusion frequency due to:

  • Asymmetric information.
  • Underreporting incentives.
  • Detection bias.

Threat Intelligence Monitoring

Security vendors monitoring criminal forums consistently find large datasets being traded that were never publicly linked to a disclosed breach.

Bottom Line

The consensus among cybersecurity professionals, regulators, and researchers is that publicly reported data breaches represent only a fraction of actual incidents.

The conclusion is based on:

  • Detection lag data.
  • Forensic investigations.
  • Legal reporting thresholds.
  • Dark web intelligence.
  • Academic economic modelling.

How Can an SME Protect Itself?

Having waded your way through the reasons why SMEs don’t see much data on this subject and therefore don’t see the threat, I’m going to reward you with the pitch.  Yes, H2 does have a managed solution that is designed, priced and operated specifically for SMEs.  It’s a solution that isn’t as comprehensive as a full enterprise-grade DLP solution, but it does do the job for an SME.

The key advantages for a small or medium-sized enterprise (SME) of using our service in practical, business-focused terms are: 

Automates Data Discovery and Protection

The service automatically finds, classifies, and assesses sensitive data (such as customer information, IP, and financial records) across endpoints, servers, cloud applications, and remote devices without manual scanning. This saves SMEs considerable time and decreases dependence on specialised security personnel. 

Proactive Risk Reduction

Rather than just alerting after an incident, the service can automatically encrypt or block sensitive data based on risk level, minimising exposure before a breach happens. This helps avoid data leaks and insider mishandling. 

Real-Time Monitoring and Alerts

The platform continuously tracks data movement and access, sending notifications for unusual activity. This keeps SMEs aware of potential threats or policy violations, even without a full-time security team. 

Simplifies Compliance

The service helps businesses meet data privacy rules like GDPR, PCI, and others by providing reports, audit trails, and documented controls, making audits and regulatory compliance far easier. 

Low Maintenance and Fast Deployment

Designed to be lightweight and “set-and-forget”, it can be deployed quickly with little disruption and minimal ongoing management, which is ideal for SMEs that don’t have large IT/security teams. 

Cost-Efficient Risk Management

By automating complex security workflows and reducing reliance on manual processes or legacy tools, SMEs can keep security budgets lean while still achieving strong protection. 

Centralised Visibility

It comes with a dashboard where you can see where sensitive data resides, who accessed it and what its risk level is, providing clear, actionable insights rather than fragmented logs across multiple systems. 

Supports Remote & Hybrid Work

Because it works across cloud, endpoint, and server environments, the service helps secure data no matter where employees work or where the data lives, particularly useful as more SMEs adopt remote/hybrid models. 

Reduces Human Error

With automatic classification and encryption, the service helps guard against accidental disclosure, which is a common risk in smaller organisations without dedicated security training. 

In summary, for an SME, the service can deliver data leakage protection, risk reduction and compliance support without the heavy cost or complexity typically associated with traditional data loss prevention (DLP) or manual security practices. 

Cost is something that is guaranteed to concentrate the mind of the SME owner.  This service is priced specifically for SMEs at £15 per user per month.  There is no contractual lock-in, and a client can quit with 30 days’ notice.  We also offer a 14-day trial to allow a client to see the benefits of the system using their own data, rather than a demo with dummy data.  We’d be delighted to discuss this with you further.
