Cyber Awareness Training

Cyber Awareness Training Data Breaches and their consequences Risk Analysis and Security Strategy

More About Data Leakage

Last weeks newsletter was all about data leakage, and I argued that it wasn’t a well understood problem, which doesn’t get the attention it deserves.  We all know about data protection, at least at a high level, and we know about the regulatory issues around it, although many take the view that talking about that is scare tactics designed to make you buy something.  And OK, it can be just that, but it doesn’t make it any the less real.

We all need to be cognisant of the issues and potential fallout, but it becomes much more of an urgent issue for organisations that depend upon holding and processing large amounts of what is known as Personally Identifiable Information or PII.  That is information that can identify a specific individual, either on its own or when combined with other data.  PII spans quite a large category of data:

a. Direct identifiers (identify someone immediately)

         •        Full name

         •        Social Security number / National ID number

         •        Passport number

         •        Driving license number

         •        Biometric data (fingerprints, facial recognition data)

b. Contact information

         •        Home or mailing address

         •        Email address

         •        Phone number

c. Financial information

         •        Credit or debit card numbers

         •        Bank account and routing numbers

         •        Tax records

         •        Payment transaction histories

d. Digital & online identifiers

         •        IP address

         •        Device IDs (IMEI, MAC address)

         •        Cookies linked to an individual

         •        Account usernames (when tied to a real person)

e. Personal characteristics

         •        Date and place of birth

         •        Gender

         •        Marital status

         •        Employment details

         •        Education records

f. Sensitive PII (higher risk if exposed)

         •        Medical and health records

         •        Insurance information

         •        Genetic data

         •        Precise location data

         •        Criminal history

We all process some data of this kind, if only data pertaining to our own employees, such as payroll information.  However, we often hold personal data regarding our customers and suppliers, names, payment details, addresses etc.  But consider organisations that store and process data covering many of the categories above.  I’m thinking about law firms, financial firms, even real estate agents and recruitment agents, amongst others.  Have you thought about the categories of PII you are holding?  Have you identified the sensitivity of the data you hold, and protect it accordingly?

It’s also important to understand what PII is not. 

  • Fully anonymised or aggregated data
  • General information that cannot be tied to a specific person (i.e., “people aged 20–30 in England”).

If you do hold lots of PII that is critical to your business, what do you need to care about?  This will depend to a certain extent on what you are holding and processing, but generally:

  • Protecting reputation above all else
  • Being seen as a safe pair of hands
  • Keeping clients and the board confident
  • Avoiding public embarrassment or loss of trust
  • Having certainty without complexity

Reputational damage can be far worse than losing say, some money to a scam or ransomware.  Firms can often come back from financial loss, but reputational damage is often permanent and fatal.  You need to be seen as a safe pair of hands.

A core anxiety is often worrying that if something happens, the organisation wouldn’t be able to confidently explain where the sensitive data is and how it’s protected.  Three things that tend to be a common theme amongst those we deal with at the start of their journey:

  • They know the risk exists
  • They don’t know how big the problem is
  • They hope nothing happens before they act

The problem often gets explained like this:

  • “We don’t really know where all our sensitive data is.”
  • “I’m relying on trust and assumptions.”
  • “Our outsourced IT provides storage solutions and gateway security, but they don’t really have a handle on our data.”

At H2 we understand the issues and anxieties.  We have a solution that deals with these requirements and has a built-in encryption system, all within the same monthly cost.  It’ll cost you nothing to trial it and we’d be very surprised if once you’ve seen it and seen the low monthly charge for the managed service, you don’t want to keep it.

Cyber Awareness Training Data Breaches and their consequences Risk Analysis and Security Strategy

Data Leakage

Data leakage is a subject that is not well understood but can have a devastating effect on a business.  It is a somewhat dry subject that many companies, particularly SMEs, pay little attention to, even whilst understanding the requirements of data protection, even if at a high level. 
 
Most data leaks are not the result of a cyber-attack, although many are, particularly ransomware, but are often the result of an employee either making a simple mistake, or more likely doing something that they didn’t know they shouldn’t.
 
I’m minded of an issue that arose a couple of years ago with a government department where magnetic media containing millions of pieces of data belonging to members of the public, was sent to somewhere it shouldn’t have been.  An employee was asked to download the data and send it out.  There was no policy in place for magnetic media handling, and the employee could not be blamed for doing what he was told.
 
Of course, these days electronic data handling make mistakes like that much easier to make, and as such they happen much more often.  The reputational damage from such mistakes can be catastrophic.
 
My subscribers will know that my focus is the SME, large and small.  So how does this impact them.  Not so long ago a small UK housing association experienced a breach when a disgruntled former employee leaked tenant data, exposing names, addresses, financial details, and tenancy agreements of around 3,500 tenants. This case shows how insider threats and inadequate access controls can lead to leakage of sensitive data in a small organisation. 
 
Industry reporting and surveys show that many UK SMEs experience data breaches with around 43 % reporting some kind of cyber security breach or attack in the past year. 
 
While not always individually publicised, these incidents often involve:
 
         •       Phishing that leads to credential compromise
         •       Unauthorised access via weak passwords or unmanaged devices
         •       Malware/ransomware encrypting or exfiltrating business data
 
These types of breaches typically result in data leakage of customer contacts, invoices, employee records and sensitive business information that can severely harm small firms.
 
A widespread supply-chain style attack affected companies using compromised versions of popular VoIP software (3CX). While this isn’t a single SME, it demonstrates how attackers target tools widely used by SMEs, leading to stolen data and credentials across hundreds of thousands of business customers globally. 
 
Here at H2, when we are first approached by a prospective client and we begin our offer of a 15-day free trial to examine their requirements, one of the first things we find is that they don’t know what data they are holding, or where it all is.  Oh, they have a general idea; it’s on the cloud server(s), it’s not on laptops or desktops, it’s just the stuff we need to process our clients’ requirements and yes, we’ve only got one copy.  And then we install our software that first carries out a discovery exercise and we find that their laptops/desktops are holding lots of copies of the data that is on the cloud server(s).  How does that happen?  Over time, especially with many now employing the hybrid system of working, ie between the office and remote (home) locations, employees log on to the cloud, find they have a bit of shaky internet link and download the data they need, work on it and then upload it again, forgetting to delete it from their machine.  Or they need to share it and attach it to an email and send it out, forgetting, or perhaps not realising, that the data is now stored, attached to an email, on their email server.
 
Then comes the issue with audit trails.  If the ICO ever wanted to carry out an investigation, then having an audit trail of who created/copied/deleted/forwarded what to who, makes life a whole lot easier.  And let’s not forget the member of the public who is fully entitled to submit a Data Subject Access Request or DSAR, which demands that you reveal what data you are holding on that person.  The law insists on it, and you can’t refuse it.  I know of a financial firm that took nearly 3 weeks to satisfy a DSAR, taking an employee off billing, for that time.
 
We have a solution that meets these requirements and has a built-in encryption system, all within the same monthly cost.  It’ll cost you nothing to trial it and we’d be very surprised if once you’ve seen it and seen the low monthly charge for the managed service, you don’t want to keep it.
Cyber Awareness Training General Security Issues Security Working Practices

Cyber Security Policies – A Must Have or a Nice to Have

I’ve written about this a couple of times now but it’s worth reminding people that policies and attendant processes are a cost-effective necessity in terms of cyber security.  How important are policies and processes in comparison with technology, when it comes to Cyber Security and its sister discipline, data protection.  The clue is that in Cyber Security we refer to People, Process and Technology, in that order.

Top of this list is People, and I’ve written extensively about how important cyber awareness training is for all, managers and employees alike.  This piece is all about policies and processes.  First and foremost, policies have to be relevant to the organisation and not just downloaded from the internet, maybe with a few modifications, before applying a tick in the box and moving on.  Policies have to mean something and have a purpose.  Many organisations I go to either have some very scant policies or actually, none at all.

I often talk about risk in terms of cyber security and how managing that risk is extremely important.  And that means understanding what those risks actually are, and then taking steps to mitigate them.  When I talk about this, I can often see the wheels turning and the audience thinking technology and how much is that going to cost them.  Well, it’s often the case that technology is not the answer.  There are many risks where a good policy, promulgated to, and understood by all, can save the company money.

A good example of that is a fairly common scam that tends to costs SMEs between 5 and 50K depending upon the size of business.  How this is achieved is that the scammer or let’s call him/her what he/she is, the criminal, spends some time profiling the company, using various social engineering techniques to work out how the company is organised and who is who.  You may be surprised as to how much of that information is freely available on the company website, companies house and other sources. Having discovered who the boss is, and who looks after invoice payments, the criminal then ‘spoofs’ the bosses email.  Email spoofing, in simple terms, is sending an email purporting to come from someone else.  So, it arrives purporting to come from the boss, but it’s from the scammer.  Such an email is sent to the person who pays invoices, with an invoice attached, saying please pay this as a matter of urgency.  This happened not so lo g ago to someone I know, and when it arrived in the accounts department it didn’t look genuine to the payments clerk, who replied to the email asking if the boss was sure.  Of course, she got an email back saying yes, I’m sure.  She paid it and the company lost over 30K.  The accounts clerk was clearly switched on but she made a basic error, because she didn’t know any different.  If she had sent a fresh email to the boss querying the invoice, it would have gone to the boss who could have stopped the transaction.  Instead, she replied to the email and her reply went back to the scammer.  A policy which dictates fresh emails rather than using the reply function, and known to all, would have saved the company a lot of money.

Policies and attendant processes are essential for the protection of company data and the bottom line, company money.  What needs to be covered and in what depth, depends on the risks that the company is facing, and will differ company to company depending on its type.  In broad terms, and as an absolute minimum, the following are required:

  • Overarching IT security policy – often this only needs to say very clearly what responsibilities employees have in regard to security and data protection, lay down a requirement and responsibility for cyber awareness training, and state that all employees are to be cognisant of all the policies and are to sign that they have read and understood them.  And most importantly, it must be signed off at board level making it clear that this is a crucial requirement.
  • IT Acceptable Use Policy – what is, and what is not, an acceptable use for company IT.
  • IT Email Policy
  • IT password policy
  • IT Mobile working policy – essential for mobile workers who may be tempted to work from a coffee shop, and of course, working from home.  This latter might be a separate policy or can be part of the mobile working policy.
  • Data Protection Policies – a whole other subject.
  • Social media policy – this can be really important.  Probably 100% of your employees will have a social media presence and will use it daily. How important is it that they don’t associate themselves with the company on their private social media?  Depends on the person but it could be damaging in reputational terms.  The company might also do some digital marketing on social media.  Who is, and who is not, allowed to get involved with that function.

This is not an exhaustive list.  It depends very much on risks that needs mitigating.  They will also be accompanied by processes to support the policy.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Managed Detection and Response (MDR)

What’s this all about and why would it be of any benefit to you?  The first part is easy to explain but the second is a little more problematic.  MDR is a cybersecurity service designed to help organisations, including small and medium-sized enterprises (SMEs), detect, investigate, and respond to cyber threats without needing their own large security team.  That latter bit is important for an SME simply because they don’t have the expertise or resources to do this themselves, neither can they rely upon their local IT provider to do this for them, even if only because it almost certainly won’t be in your service contract.

What does it give you:

CapabilityWhy it matters to SMEs
Around-the-clock monitoringCyber threats don’t stick to business hours – MDR providers watch systems 24/7.
Threat detection using modern toolsUses advanced analytics, machine learning, and threat intelligence that SMEs typically can’t afford or manage internally.
Rapid Incident ResponseCan remotely contain and remediate attacks before they spread.
Security expertise on demandSMEs gain access to required expertise.
Proactive threat huntingIdentifies hidden attackers or early-stage breaches.
Compliance and reportingHelps SMEs meet regulations (e.g., GDPR, Cyber Essentials, ISO 27001) with clear reports.

The above describes a full service, SMEs do have the choice of selecting a full response or an alerting service which also gives guidance on what to do i.e. helps manage a response by you.

It’s important to understand what an MDR is not:

  • Not a replacement for basic security hygiene (patching, backups, strong access controls)
  • Not just a tool, it’s a combination of technology + human expertise
  • Not “set and forget”, you still must collaborate on remediation decisions

So now we understand what MDR is, let’s look at why you might want it.  SMEs are increasingly targeted by cybercriminals due to limited in-house security resources. An MDR service provides continuous monitoring, advanced threat detection, and rapid incident response, improving cyber resilience while reducing operational burden and cost. Implementing MDR will significantly reduce the company’s cybersecurity risk and support compliance, business continuity, and customer trust.  And if you think this is all over the top let’s remember Knights of Old, they were an established trucking company who moved a lot of what you might call just in time goods, i.e. perishables.  They were hit with a ransomware attack and went under in a frighteningly short time.

So just to crystallise the problem, current security controls are designed to be preventative and are largely reactive, with no proactive elements to them.  They lack:

  • 24/7 threat monitoring
  • Real-time detection and investigation
  • Specialised expertise required for modern cyber threats
  • Rapid response capability to contain breaches

As a result, you potentially face::

  • Increased probability of a successful attack
    • Delayed breach response → attackers remain undetected for months
    • Data exfiltration and business disruption
  • Higher financial and operational impact if one occurs
  • Non-compliance with data protection obligations (e.g., GDPR, industry standards)
  • Reputational damage and loss of customer confidence
  • Insurance coverage gaps (cyber insurers increasingly mandate MDR-level monitoring)
  • Greater operational and legal fallout from incidents

The trick for many SMEs would be finding a solution that is suitable for them and just as importantly affordable.  A good fit could be:

  • Affordable subscription model with no costly infrastructure
  • Bridges the cybersecurity skills shortage
  • Improves resilience against ransomware, phishing, insider threats, and more
  • Scales as the business grows

SMEs would also need to consider whether they need a full response service or an alerting service level.  The latter is obviously cheaper and maybe more appropriate for many.  The coverage they should be looking for needs to include:

  • Endpoints (laptops, servers)
  • Cloud workloads (Microsoft 365, Azure, etc)
  • Identity services (Active Directory)
  • Network visibility
  • Email security
  • Remote workforce monitoring

I hope that this provides food for thought as I know many SMEs will not have considered this type of service or if they have, they will have dismissed it as too expensive and probably over the top.  And for many years this would have been just that.  I first got involved with this back in 2002 and built several security operations centres over the years, including staffing levels and processes. 

Generally, these have been way too expensive for an SME to consider.  But that has changed now, there are services available which are designed for SMEs, and which are affordable and appropriate.  Now I know you’ve been waiting for the pitch and here it comes.  At H2 we provide such a service which is very affordable, and we are happy to stack it up against others.  We offer a 14 day totally free trial, that covers your whole estate, i.e. not restricted to one or two systems, or departments, but your whole organisation. 

Cyber Awareness Training Data Breaches and their consequences Risk Analysis and Security Strategy Security

Innovation – Why Do Many Shy Away from it?

We are, by nature, somewhat reserved I think, and we like to trust the known and proven, rather than the unknown and as yet, unproven.  How many of us like to be the first to by the latest model of a car, or the latest ‘phone.  The same applies to our IT infrastructure and security.  Something might advertise some really great innovations, but we want to see someone else try it first, just to be sure.

I read an interesting piece where the thrust was that true innovation consists of doing now what you should have done ten years ago.  Harsh, maybe, but also fair.  I’m constantly reading industry surveys which highlight the low level of cybersecurity maturity amongst large firms and, increasingly, an even lower level amongst smaller firms.  We never seem to learn.

So, what are we referring to here.  In a nutshell, the creation and adoption of new technologies, strategies, and practices that improve the protection of digital systems, data, and networks from cyber threats. It goes beyond simply maintaining existing defences, it’s about staying ahead of attackers by introducing smarter, more efficient, and more resilient security methods.

My focus remains on SMEs, so I’ll skip more talk about the corporate world.  In conversation with people I’ve worked with for years, their anecdotal evidence supports the underlying truth of these surveys.  SMEs in particular struggle with the basics of good cybersecurity housekeeping, such as monitoring of basic network events, timely removal of user accounts, timely deployment of security patches, and revalidation of access level, particularly privileged access.  This list is far from exhaustive, and this message has been pushed over and over by cybersecurity professionals over the last 10-15 years, but SMEs continue to rely on technical solutions which simply don’t stack up in many areas.  Why?  Simple, because they are relying on local IT providers to give them solutions and those IT providers continue to push the technologies that they sell.  SME owners and managers are very reluctant to relinquish that argument.  Strange when often the best solutions are procedural and as such, much cheaper than a technology that probably doesn’t quite match up anyway.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT.  They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Back to the topic in hand, innovation and how and when should we be seriously considering it.  Ideally, we should be constantly looking for innovations, not just to keep us safe, but to encourage efficiency and cost savings, and I’m sure all SME owners would love to have the time and resource to do just that.  But we live in the real world and SMEs will be cost, and resource constrained.  But that’s not an excuse to not keep a weather eye on the need to innovate.  We live in a changing world and what we in the business call the threat landscape, changes constantly.  This simply means that threats evolve all the time, often to meet new circumstances, and AI for instance, is reducing the response time of cyber criminals to new technologies and changes in working patterns, to almost what is known as the zero day threat, ie zero days from the release of something new, to a threat being created to exploit it.

When COVID hit, many SMEs had to move very quickly to keep going, adopting remote working without the time or luxury of any real planning.  It was a knee jerk born of necessity and certainly not the way they would have liked to do it.  There are multiple cases of companies not having the necessary equipment, in terms of hardware, desktop, laptops etc, and allowing staff to work from home using their own home machines, connecting to both office and cloud-based systems, without any check on how those machines were configured, whether or not they were kept up to date with the latest patches, or whether they were used by other family members. 

In terms of equipment, cloud usage and some working practices, that situation is righting itself, sort of.  There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are either planning to, or have adopted a hybrid model.  In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.  That new working model has arguably had the biggest effect on working practices and in turn, cyber security as it affects SMEs, since the innovation of IT itself. 

So, what needs to be done if hybrid working patterns are to continue?  Well, first and foremost comes your policies.  Do they reflect the new hybrid working model?  Have you laid down what is and what is not an acceptable use of company IT equipment if it’s being transported to a home address?  Do you allow the use of home machines, and have you laid down how those machines must be configured before they can be used for company business?  That list is not exhaustive.

Secondly comes user training.  Cyber awareness training for staff, along with a broad understanding of data protection principles, becomes even more important when staff are working from home.  It is a clear no brainer which many SMEs still don’t recognise as necessary.

Of course, those 2 things are hardly innovation, unless of course, you haven’t taken any of those measures and then it becomes innovative within your company.  Real innovation perhaps comes from reviewing the technologies you have in place, and have relied on, possibly for years.  Most, if not all those technologies will be based on the old bastion model of security, ie a network perimeter with a secure gateway, protecting your assets within that perimeter.  With the new working model, relying usually on cloud connectivity, your staff could be working in the office, at home, from a coffee shop etc etc.  You now have a mobile workforce.  What is needed is real innovation that protects your data regardless of where it is, technologies which themselves are cloud based, not caring where the end point it is monitoring actually is, whilst maintaining cost effective pricing.  This is something we’ve been at great pains to research and have now come up with such solutions.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

How one SME coped with the fall out of a cyber attack

We talk a lot about how to protect ourselves from cyber-attacks and the potential for how easy or difficult it is for cyber criminals to attack companies of all sizes and types, but we don’t often describe real events which could impact those companies until they actually happen, and then, we often only get the information that they want us to have.

So, we thought we’d try and do just that, albeit in a sanitised way (with permission) to protect the privacy of the company involved.

Background

The target was a small. To medium sized design agency based in the UK. They manage branding and marketing materials for a significant number of clients, many of whom share confidential product data and campaign details before public release.  And of course, the company held their own confidential data regarding their operations, finances and personnel.

For years, this agency relied on a mix of free antivirus software, shared passwords, and basic email communication. Like many SMEs, cybersecurity wasn’t seen as a priority until the day that all changed!

So, what happened?

One Friday morning, a manager noticed that all shared project files on their network drive had strange extensions and couldn’t be opened. A ransom note appeared on every folder:

“Your files have been encrypted. Pay x amount of Bitcoin to recover them.”

  • The team had been hit by ransomware.
  • Their business was paralysed, and they couldn’t access their admin and finance systems or their client work, deadlines loomed, and panic set in.

The IT contractor confirmed the bad news: a staff member had unknowingly clicked a link in a fake invoice email that mimicked a well-known supplier. The malware spread across the network overnight.

At this point many companies fall into complete disarray simply because they haven’t got a disaster recovery and business continuity plan and they have no way of operating their systems manually.  Management will be demanding to know how long they can manage without their IT systems and how long it will take to get everything up and running, without paying the ransom.   The IT company will be pressured about backups; are there any and if so when can they be restored, which is when of course they realise that without their systems, there is nothing to restore the backups to.

The IT company confirmed that they did have backups stored off-site as part of the contract but that daily backups were stored on site and that the onsite backup server was also compromised, and the off-site backups were taken once a week, which meant that as by this time it Tuesday, the off-site backups were 2 days old.  But much better than nothing.

The problem remained that they had deadlines to meet and if they didn’t want to lose clients and have their reputation in their industry shattered, they had very little time.  Reluctantly the management made the decision to pay the ransom which meant they had to go cap in hand for extra funding as they operated on tight margins and the ransom in pounds was close to £150k.

This got them back online and saved their projects and reputation but at a cost that really hurt and not just in financial terms, but in their pride as managers.  It really stung.  They knew that had to bite the bullet and take cyber security seriously.  They realised that their local IT company, although excellent in keeping their network up and running efficiently as well as providing their hardware and software, and kept strictly to the terms of the contract, was not going to protect them to the level that they needed.

The rebuild

Having got everything back up and running they were seriously worried that they might get hit again quickly, before they had a chance to sort things out.  There was no room for complacency but at the same time they had to go forward with a strategic plan.  So, they brought in a specialist cybersecurity company who guided them through a strategy to not just recover, but to protect themselves going forward.

One of the first things they learnt is that cyber security is a business issue and not a technical one.  Management must own it and understand it.  It starts with people, having the right people in the right place who understand, at least at a high level, the issues and how to take basic precautions to protect themselves and the business.  Then comes policy and process, coming down from the top, regularly reviewed and updated by management, and promulgated to all staff with regular reminders.  Once that’s in place we can look at technology.  Noone had articulated that to them before.

The first thing their new cyber partner did was to devise a high-level strategy that the company could adopt going forward.  They explained that it needn’t be complicated and in fact, the simpler and easier to understand, the better.  Keep tech jargon out of it and use plain English.  They came up with a plan which identified some quick wins to protect them quickly, before coming up with more detailed projects that could be phased in over time.

The quick wins were:

  1. Cyber awareness training for all staff including management.  Let’s make sure no one ever clicks a link they shouldn’t.  The training should be done at induction and then refreshed regularly throughout the year.  It can be run by the HR staff or a HR company under contract if that is the case.
  • Produce policies starting with a high-level policy signed off by the CEO which clearly outlines everyones responsibility for cyber security and who is responsible for the detailed polices which will underpin this top-level policy.
  • Enforced multi factor authentication (MFA) for all logins and a password manager to replace the spreadsheets they were using.

This is then followed by more detailed projects phased in over time.  The phasing helps to ensure that there is not too much disruption to the business operations and that staff can be carried along with it, ensuring their buy in.  It also helps to make sure that it fits in with the company budget and doesn’t hit the bottom line all at once.  It included:

  1. An examination of the contract with the IT company and making any revisions that might be necessary.  For example, the back-up regime.
  • Migrated to a cloud-based file system with built-in versioning and encryption (in this case MS365 was chosen which is a favourite go to for SMEs and was offered by their IT support company).
  • Every employee completed simulated phishing exercises as part of the awareness training.
  • A detailed incident response plan was produced which clearly detailed who was responsible for what, who to contact and what to do, in a prioritised order.  It also outlined a business continuity plan written by departmental heads, showing how the company would continue to operate whilst systems are recovered.
  • Identification of assets, i.e. databases, client information, HR data, financial data, project plans etc, to prioritise what data needs to be protected to what level.
  • Identity and access management review with a view to moving to a zero-trust access control system.
  • Consider applying for cyber essentials certification.

The Outcome

Within six months, they were back on track and stronger, much more resilient. They were, like most companies, hit with phishing attempts all the time but their employees were trained to recognise them instantly and knew who to report it to. No one clicked the link.

Clients noticed the change, too. The company started to include a short “data protection and security” statement in their contracts, which won them new business. Larger clients trusted them more because they could prove their cyber resilience.  They were now committed to Cyber Essentials and would include that logo on their website and advertising as soon as they qualified.

The big lesson

Their experience shows that cybersecurity isn’t just an IT issue — it’s a business survival issue.  Even small steps, awareness, MFA, and secure backups, can transform an SME from a target into a resilient organisation.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Working Practices

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target and there are a ton of statistics available which shows that SMEs globally are a very real target for cyber-attacks and can in fact, be very profitable for cyber criminals.  There are a lot of reasons for that but one of the top reasons is that typically, SMEs spend very little on cyber defence and generally have very weak defences.  Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault.  Most are focused on their core business, trying make a quid or two and are pressed for time.  They tend to rely on whatever company, usually local, that supplied their network, hardware and software, generally on a retainer.  The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then, not necessarily the right technology.

When it comes to cybersecurity governance and management, there is no “one size fits all” approach.  In today’s threat landscape we need to fully understand that cyber security is not a purely technical problem, focused on hardware and endpoint protection and on operations within the organisational perimeter.  Today we are dealing with cloud storage, in office and remote working, data at rest and in transit, involving security at every point along the route.

It is critical that someone within the organisation has to take responsibility for cyber security and that person must have a seat on the Board. A Board-level response is not just appropriate; it is essential.

Secure by default and design

Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to the cloud of some sort, very possibly for SMEs, MS365, but when the design was done, there wasn’t a full risk assessment undertaken which is a requirement to underpin that design.  In other words what we in the cyber security industry refer to as Security Architecture Design (SAD), wasn’t a prominent consideration.

Not unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else.  And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

      2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

      3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

      4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

      5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

      6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

      7. Collaboration with external partners: Establishing a partnership with cyber security company that understands the issues that affect SMEs and who themselves can establish a solid working relationship with the IT provider that is providing and administering your network and IT resources, will enhance your protections, significantly improve your employee and managerial awareness of the issues, and provide you with the peace of mind you need, allowing you to concentrate on your core business.

      Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Risk Analysis and Security Strategy Working Practices

      Cyber Maturity

      What do we mean by cyber maturity?  It’s not just about the protections you may have in place, but more about how well your organisation understands the importance of it and its place in your overall business strategy.  It is after all a business issue, not a technical issue and needs to be treated as such. Modern security solutions are increasingly complicated and challenging. These complexities change all the time and with the changes in working patterns and the introduction of AI now at the hands of the cyber criminals, they require a broad understanding of cyber security. Very few SMEs possess this level of expertise and can find themselves struggling to protect themselves and rectify security risks discovered within their business. In a climate of frequent, and potentially devastating, malicious activity organisations need targeted, rapid remediation and effective solutions. In doing this they will improve specific areas of their security systems, reduce their level of exposure and minimise potential losses, which can be very significant.

      Many small and mid-size businesses struggle to combat the threat that cybercrime poses. A simple piece of malware or a social engineering event, can result in the loss of sensitive company and client data, disrupt business and waste staff time. Such incidents are commonly sensationalised by the media, causing client defection and damage to hard-earned reputations, resulting in significant loss of business.

      I’ve described the risk management process before, and I know it can be a bit daunting, and many would fear it’s costs and complexity.  That is why we have designed and taken into use the Cyber Maturity Assessment (CMA), specifically for SMEs which will enable them to go down the risk management road at a pace and price they can afford.  The CMA is designed to obtain a view of where a client sits currently in terms of their Cyber Security posture. It is obtained from the results of interview with the staff, examination of current policies and procedures, including their effectiveness, security architecture and technical controls, and observations to gain an understanding of cyber security by management and staff. It is designed to provide a report which shows a client exactly where they sit in terms of Cyber Risk in a way that is demonstrable and east to understand. It gives a client a starting point from which H2 consultants will be able to scope any problems.

      What Does a Cyber Maturity Assessment Give Me?

      In brief, the CMA is designed to:

      • Understand and define the target state of the system i.e., where does the client want to be in terms of Cyber maturity – in defining the target state there must be a clear understanding of the business drivers, future business demands and business dependencies affecting the organisational area under examination.
      • Understand the current level of Cyber maturity – At this point the matter of cyber maturity will be a somewhat subjective view, obtained from the results of interviews with staff and initial observations by H2 consultants. This element is not intended to replace a detailed understanding, but to provide an initial view and start point, from which H2 consultants will be able to scope the problem and recommend any remediation required, in a phased way.

      We measure both the starting point and the end point using the Carnegie Melon Cyber Maturity Model.  I know other consultancies will use other models for this, but this is one that we have found to be effective, both for SMEs and in the corporate world.  It looks like this:

      I mentioned earlier that this is something used in the corporate world and whilst that’s true it is a matter of scale and need.  Most corporates would have the requirement and budget to aim high, say at around CMMI4 (5 is rarely hit).  For most SMEs that’s a step too far and as a rule of thumb, when we do this, we tend to find we’re starting at around 0.8 to 1.5 with the aim to get to CMMI 2 as soon as is feasible, with the end game at CMMI 3 which is affordable for most SMEs if a phased approach is taken.

      At the end of this initial process and SME is rarely able to just jump in and accept the recommendations and get on with fixing them.  It can be a complex issue requiring a hard look at their staff in terms of cyber awareness training, their policies and processes and their technical solutions, all aimed at prioritising the protections required for each asset in accordance with their vulnerabilities and threats.

      A phased approach is almost always needed, often aligned with budgets.  It can look a bit like this:

      The first transformation project tends to be what we term the Quick Wins Phase ie what can we do relatively easily, quickly and therefore affordably, to give the client the most urgent fixes.  It often, but not always, looks like this:

      This has just been a very quick cantor through the CMA process, and we need to emphasise that each client has a different set of requirements, and we can often jump into the process at a different stage. Call us if you want to know more.

      Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy Security Tools

      Do You Have a Handle on Your Cyber Maturity Stance?

      Over the years I’ve had some very interesting conversations with several people from multiple different verticals, but all fitting comfortably within the SME bracket, around Cyber Security.  The conversations often tend to take a very familiar turn.  The cry of, ‘I’m covered, my IT support company has put in a firewall and some anti-virus.  They tell me all is good’.  Slightly depressing but not terribly surprising.

      Even though cyber security and data loss prevention have leapt to the top of many people’s agenda in recent years, it is still common amongst many SMEs to believe that it is an IT problem, a technical problem rather than a business issue, even when recognising that the risk of a cyber intrusion or a data breach, impacts the business, the bottom line.  So, is it an IT issue or a business issue? 

      The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security incident of some sort.  For the small business this could result in costs they could well do without, and I know of one business that has been hit for around £30000, which I am sure you will agree, can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers data and assets be affected as well.

      As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

      If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

      It is a common misconception is that IT Security is the same as Cyber Security.  That surprises a lot of people, so let’s explore it a bit.  There is clearly a close symbiotic relationship between the two disciplines.  I would argue, and I know this might meet with some disagreement, that IT security refers to traditional IT security methods which are technology based.  Such as firewalls, anti-malware, end point protection etc.  Whilst Cyber security is based very much on risk management which combines controls which are both non-technical and technical, following the principles of People, Process and Technology.

      Within the SME world this tends to mean that there is a heavy reliance on third party IT providers.  Is that a good thing? After all that’s in their area of expertise and responsibility, isn’t it?  And here comes the controversial bit.  Third party IT providers, particularly in the SME space, are pretty much exclusively value added resellers or VARs, i.e., companies that sell other company’s products.  Now I’ve no problem with that per se, but it comes with issues.    Notable amongst them is that these companies will have skill sets that are very much limited to the products they sell.  Ie they are proficient in the installation and configuration of those products and their clients are offered those products whether they are best in class, or more importantly, whether they are the most appropriate for the task.  Before I get a social media pile on, I know that some of the bigger VARs do sell multiple vendors products, but they are in a minority.

      Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

      • Small to medium size businesses are not worth attacking.
      • Cyber Security is an IT Issue.
      • Technology will keep me safe.
      • My policies and procedures are up to the job.
      • My staff are young and have been brought up with IT.  They know the score.

      Now let’s look at some of the more common issues that we see often amongst SMEs:

      • Lack of awareness around the current real-world cybersecurity risks
      • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
      • Lack of cybersecurity knowledge, and understanding
      • Poor cybersecurity maturity and posture within their businesses
      • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

      Here at H2 we offer a cyber maturity assessment that is designed specifically at SMEs.  It is a comprehensive evaluation of an organisation’s cybersecurity capabilities and readiness to effectively mitigate and respond to cyber threats. It involves a detailed analysis of the organisation’s cybersecurity policies, procedures, technologies, and practices. The assessment aims to identify potential vulnerabilities, weaknesses, and areas for improvement in the organisation’s cybersecurity posture.

      During the assessment, we typically examine various aspects, such as:

      • Governance and Management: Reviewing the organisation’s cybersecurity policies, risk management frameworks, and leadership’s commitment to cybersecurity.
      • Security Awareness and Training: Evaluating the level of cybersecurity awareness among employees and the effectiveness of training programs.
      • Technical Controls: Assessing the implementation and effectiveness of security technologies, such as firewalls, intrusion detection systems, antivirus software, and encryption mechanisms.
      • Incident Response and Recovery: Analysing the organisation’s incident response plan, including procedures for detecting, reporting, and responding to cyber incidents.
      • Security Risk Management: Evaluating how the organisation identifies, assesses, and manages cybersecurity risks.
      • Third-Party Risk Management: Assessing the organisation’s approach to managing cybersecurity risks associated with third-party vendors and partners.
      • Compliance and Regulations: Verifying the organisation’s compliance with relevant cybersecurity regulations and industry standards.

      The results of the Cyber Maturity Assessment provide valuable insights to the organisation, enabling them to enhance their cybersecurity defences and establish a more robust and resilient security posture. It helps organisations prioritise their investments in cybersecurity, address vulnerabilities, and strengthens their overall cyber resilience and provides a road map to reach a standard agreed with the management, taking full account of that managements risk appetite.

      H2 is currently offering a free 1-hour consultation, and if you wish, a 10% discount for a CMA.

      Cyber Awareness Training Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Working Practices

      Cyber Security is a Business Issue

      This is a subject I return to quite often and it’s all about how cyber security is viewed by many SMEs, and I’ll explore why that view appears to be paramount.  I am pretty much of the view that the attitude I’m about to expand on, is as much the fault of the cyber security industry, as anything else.

      We tend to flood potential clients with adverts and articles, mainly focused on technology.  Many of this comes from sales, rather than from the seasoned cyber security experts, that you might wish it did.

      Let me give you a couple of quotes.  The first comes from a renowned Harvard scientist and cyber security specialist.  He says, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.’  The second comes from Stephane Nappo, Vice President and Global Chief Information Security Officer for Groupe SEB, ‘It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.’

      Boil that down and they are saying that this is not an IT issue, it’s a business issue.  That’s not discounting technology’s role but without integrating it with PEOPLE and PROCESS, we’re only curing half the ailment. When advising a company’s leaders, we must not only identify the threats but also gauge vulnerability to these threats and ascertain the risk to the business. Only then can we craft a solution that harmoniously unites People, Process, and Technology.

      Perhaps because there is a considerable amount of what we call FUD, fear, uncertainty and doubt, doing the rounds constantly, it concentrates people on thinking about specifics, instead of looking at the bigger picture.  Whilst there is no doubt that phishing, ransomware, and other scams have certainly concentrated the mind somewhat, and these attacks are most definitely not confined to the large enterprise businesses, but have been attacking, with a lot of success, the small to medium business market, this causes vendors to try and exploit the issues around that and push their technology solutions and of course, SMEs rarely, if ever, have the expertise to judge whether or not a particular product will actually give them the protection they need.  We now must add into the mix AI and its capacity for increasing cyber-attacks at all levels, making the production of code, so much easier and making it available to those perhaps less skilled than heretofore.

      As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to give the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  Let’s just remind ourselves of the quote from Bruce Schneier:

      If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

      So, what does he mean?  As he’s not here to ask I suggest what he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

      It’s also necessary to have some form of measuring the effectiveness of your solutions through a protective monitoring solution.  Such solutions for SMEs have long been considered too expensive to even consider, even though it provides a set of cybersecurity practices and measures aimed at safeguarding an SMEs digital assets and sensitive information.

      But first and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it goes not as expected?  Do I want to take this person on?  Etc etc etc.  Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take.  Failure to do that will almost certainly be damaging to your business, perhaps fatally so. 

      Within SMEs the difference between assessing day to day business risk and assessing risk to information assets, is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations.  I could go on.

      The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate to achieve your business aims.   You need to ensure that supporting policies are produced, implemented, understood by employees, and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

      You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

      Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

      Sadly, that’s not the end.  User education is probably the most important element of all for an SME.  Ensuring that your staff are aware of the policies and why they exist.  Protect yourself against scams which sadly, form the biggest danger to SMEs rather than hacks.  Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

      Scroll to top