Cyber Awareness Training

What is Security Architecture, and what does it mean for SMEs?

Security architecture is the structured design of systems, policies, technologies, and processes used to protect an organisation’s IT systems, networks, and data from cyber threats.  Easy to say, not quite so easy to do.

When working on a major IT infrastructure deal, the security architect would be brought in, or at least should be brought in, very early on, usually after the first logical design has been done.  What that means is that a logical design is basically a bunch of boxes on paper that represent systems with connection arrows in between, identifying data flows.  OK, I’m being a bit simplistic, but you get the idea.  Once that’s done, the security architect has something to work with to start putting in security layers.  As the design evolves, so does the security architecture.

So now let’s look at the real world.  Most SMEs are way past this phase, with their systems having grown organically as the company grows.  SME management is focused on how well the systems work for them, whether they meet the need, can the staff operate the systems efficiently, are the systems robust, etc.  Security then tends to get bolted on, often using software and/or hardware that the company’s contracted IT provider recommends, which in turn is whatever software and/or hardware that the contractor sells.

Many SMEs had set up their system before COVID, and they were often set up using what we called the Bastion security model.  That was named after the old castle design, a big wall around it with a moat and a portcullis to protect it, or in modern terms, a protected network, accessed via secure firewalling, with some sort of access control and other protections such as anti-malware.  A good model had network segregation, but I’m afraid my experience is that network segregation was often lacking.  Just to be clear, what segregation means in this instance is a breaking up of functions within the company, i.e., finance, HR, operations, management, etc., with relevant access controls of some sort.  And of course, all this on premises.

In many cases, COVID drove a coach and horses through that model.  First, it stopped people from going into the office, and owners/managers had to quickly come up with a way of working remotely through some form of remote access.  Many at that point weren’t using cloud-based systems, and in fact, there was still some reluctance to embrace cloud tech because owners didn’t trust storing their data with what they saw as being out of their control.  It took some persuasion and education to bring many of these owners/managers around.  These days, of course, cloud storage and remote access are largely the norm, but there is still the question of exactly how secure existing systems are, having often been put together rapidly and from a position of necessity rather than choice.

A realistic cybersecurity architecture for an SME should balance security, manageability, and cost. Most SMEs are now operating in a cloud-based environment, so the architecture typically centres on identity security, endpoint protection, and cloud controls rather than heavy on-prem infrastructure.  But let’s not forget monitoring and auditing, and, depending upon your business, data encryption.

Identity Layer (Core Security Control)

Identity management is core to a secure system.  It is vital to ensure that only the right people have access to the right systems.  SMEs need to consider some form of identity management, but they might feel this is expensive and unnecessary for them.  Owners and managers need to decide their own risk appetite, i.e., what they see as an acceptable, as well as what they see as an unacceptable, risk.  But it doesn’t have to be expensive.  Many SMEs will be using MS365, for example, and will be able to get a reasonable deal on Microsoft Entra ID, formerly known as Azure AD.  I know many of my colleagues in the security world will argue that Azure had its issues in the past, but it is better now.

It will help you implement controls such as:

  • Mandatory Multi-Factor Authentication
  • Conditional access policies
  • Single Sign-On (SSO)
  • Privileged identity management
  • Automated user provisioning/deprovisioning

Endpoint Security Layer

Endpoints are the primary attack surface. This typically includes:

  • Endpoint detection and response (EDR)
  • Device management
  • Encryption

Controls it should cover include:

  • Automated patching
  • Encryption:
  • Full disk encryption comes built into Windows with BitLocker and Mac with File Vault, but it has drawbacks in that it encrypts your disk at rest, protecting your data from a stolen device, but it is unencrypted on boot up, so it isn’t much protection against an intrusion or a mistake made by an employee.
    • File-level encryption works by encrypting files that you have deemed to be sensitive and need protection.  It encrypts the files using an agent-based system and unencrypts the files when shared or accessed by someone who also has the agent and therefore the permission.  Sounds complicated, but it really isn’t, and it can be shown to you very easily.
  • Application control
  • USB restrictions
  • Remote wipe

Email and Collaboration Security

Email is still the No 1 entry point for attacks, and using cloud-based software such as MS365 or even Google Workspace, both affordable for an SME, has security features that are highly desirable if not essential.

  • Anti-phishing protection
  • Attachment sandboxing
  • URL scanning
  • DMARC, SPF, DKIM email authentication – these all refer to entries in your DNS (your network provider should be able to brief you), which help ensure email isn’t being spoofed and is coming from a trusted source.

 Network Security Layer

Even cloud-heavy SMEs still need basic network protection.

Key components:

  • Next-generation firewall
  • VPN or Zero Trust remote access
  • Network segmentation
  • DNS filtering

Good firewall segmentation would include:

  • Company devices
  • Guest WiFi
  • Servers
  • IoT devices

Cloud Security

SMEs often rely heavily on Software as a Service (SaaS) and cloud infrastructure.  Again, this needs some controls, which could include:

  • Secure configuration monitoring
  • Data leakage prevention
  • Access monitoring

Key policies may include:

  • No public file sharing by default
  • Alert on impossible travel logins
  • Monitor privileged activity

Data Protection Layer

Protect sensitive data even if systems are compromised.  Controls might include:

  • Data classification
  • Data leakage prevention
  • Full disk and file-level encryption

Policies might include:

  • Prevent the sharing of sensitive records externally
  • Block download of sensitive files on unmanaged devices
  • Monitoring where your data is and how it transits the network, alerting to movements of data outside of the norm.

 Backup and Recovery

This is critical for recovering from ransomware and other data compromises, as well as technical faults.

Best practice:

  • Immutable backups
  • Offline copies
  • Regular restore testing

Don’t forget cloud backups; that’s something that is often forgotten.  Check your Ts&Cs with your provider, don’t just assume they are backing up as you would require.

Security Monitoring

You need visibility into attacks, and security monitoring is something that many SMEs simply don’t consider, possibly because in the past, it was considered very expensive and over the top.  That is no longer the case.  There are systems now available specifically for SMEs.

Typical SME approach:

  • Centralised log collection
  • Security alerts
  • Managed detection and response

Many SMEs outsource this to an MDR provider like H2.  I know you would expect me to say this, but it really is recommended.

Security Awareness and Policies

Technology alone cannot protect the organisation.  Cyber awareness training is a subject that I bang on about all the time.  It really should be a no-brainer and is arguably the cheapest quick win an SME can make.

What you need as a minimum is:

  • Security training platform
  • Phishing simulation
  • Acceptable use policy
  • Incident reporting channel

Strangely enough, we provide all of these within our managed service.

Incident Response and Business Continuity

I have blogged about this in the past.  You need to be prepared for security incidents.  This means not just having a plan to bring your systems back online and to restore your data from backups, but also having a business continuity plan to enable you to continue your business whilst the technical work is being undertaken. Test these systems and plans and make sure they work.

Key elements include

:

  • Incident response playbooks
  • Legal and breach notification procedures
  • Disaster recovery and business continuity plans
  • Security metrics dashboard

Standards

Consider adhering to a standard such as Cyber Essentials, the Government standard, which has been taken into use by many SMEs.

Summary

Security architecture is the structured design of policies, technologies, and controls used to protect an organisation’s systems, networks, and data from threats.

It acts as a blueprint for implementing security to ensure Confidentiality, Integrity, and Availability (CIA Triad) of information.  It really is something SMEs should consider and need to take advice about.  Do not rely on your network provider, they will focus on the core services they provide and the products they have deals to supply.

WHY SMEs NEED a CYBER SECURITY STRATEGY: PROTECTING GROWTH and REPUTATION

For small and medium-sized enterprises (SMEs), cyber risk management is the business process of identifying and addressing digital threats to protect operations, revenue, and reputation. Rather than just a technical IT task, it is a strategic function focused on ensuring business continuity and managing potential financial losses. 

For many SMEs, one of the most effective ways to secure a business is to follow the UK government’s National Cyber Security Centre (NCSC) recommendations. These five steps are designed to be cost-effective and provide protection against the majority of common cyber-attacks. 

  • Secure your data with back-ups.
  • Protect with strong authentication (MFA).
  • Keep devices and software up to date.
  • Guard against malware.
  • Train staff on cyber awareness, phishing in particular.

However, no two businesses are the same.  They will all have certain threats and vulnerabilities in common, and adherence to the NCSC guidelines will set you on the right path, as will schemes such as Cyber Essentials, and many of you will either have gone down that route or will be actively discussing it internally.  But there will still be differences, perhaps only nuances, that can drive a hole through your defences, and that is why you need a risk management strategy to ensure you have built robust defences.

Establish clear security responsibility

Key elements:

  • Appoint a security owner (even part-time or Fractional
  • Make sure you have an overarching security policy under which you have more detailed and targeted policies.
  • Institute regular security reviews

The second point is one that is often downplayed or overlooked altogether by SMEs.  Many of the protections that you may need will be procedural rather than technical.  They will require robust policies and processes that are enforced and audited.

The Business Case for Cyber Risk Management

Cyber incidents are not just “IT glitches”; they are economic events that directly impact the bottom line. 

  • Revenue Protection: Downtime can freeze sales, stop production, and prevent invoicing, leading to immediate cash flow gaps.
  • Liability & Compliance: Breaches of sensitive data (like customer or staff records) can trigger legal fees, regulatory fines (e.g., under UK GDPR), and mandatory reporting costs.
  • Market Advantage: Demonstrating robust security, such as achieving Cyber Essentials accreditation, is often a prerequisite for winning major contracts and building customer trust.
  • Survival: Reports indicate that 60% of small companies go out of business within six months of a major cyberattack due to recovery costs and reputational damage. 

Core Strategic Pillars

Effective management focuses on Outcomes, not just tools.

  • Identity Control: Ensuring only the right people have access to specific business data. Multi-Factor Authentication (MFA) is a non-negotiable standard to prevent unauthorised access.
  • Data Integrity: Maintaining secure, encrypted, and regularly tested backups so the business can “rewind” to a stable state if files are locked by ransomware.
  • Operational Resilience: Building a plan to stay trading even during an incident. This includes defined roles for who contacts IT, legal, regulators and customers when a breach occurs. 

Risk Treatment Options

Not all risks can be fixed; business owners must decide how to handle each one based on their risk appetite

  • Mitigation: Investing in security controls (people (awareness training), process and technology) to lower the likelihood of an attack.
  • Transfer: Using Cyber Insurance to shift the financial burden of recovery, legal fees, and business interruption to an insurer.
  • Acceptance: Acknowledging low-impact risks where the cost of fixing them outweighs the potential loss.
  • Avoidance: Choosing to stop a high-risk activity altogether, such as retiring an old, insecure software system. 

Human Capital as a Defence

Since over 80% of breaches involve human error (such as clicking phishing links), staff training is the most cost-effective “firewall” an SME can implement. Regular, simple awareness sessions turn employees into a proactive detection layer. 

What does a practical strategy look like for an SME

Start with Risk Assessment

Before buying tools or even setting a budget, understand what you must protect.

Key actions:

  • Identify critical assets (customer data, financial systems, IP).
  • Identify main threats (phishing, ransomware, credential theft).
  • Map who has access to what.
  • Prioritise highest-impact risks.

Typical SME top risks:

  • Phishing attacks
  • Ransomware
  • Weak passwords
  • Unpatched systems
  • Cloud misconfiguration

Successful phishing attacks, ransomware, and weak passwords nearly all stem from poor cyber awareness by staff.  Knights of Old, a transport company employing over 700 people, went under within two weeks following a ransomware attack that was the result of a poor password being cracked, allowing the criminals to install the relevant code.

Other important measures

  • Implement Strong Identity & Access Controls
  • Secure Endpoints and Devices
  • Protect Email and Users
  • Backup and Ransomware Protection
  • Network Security
  • Incident Response Plan
  • Third-Party Risk Management

In short, what we call a ‘Lean” Security Stack might include:

  • MFA + identity management
  • Email security filtering
  • EDR on endpoints
  • Automated patching
  • Secure backups
  • Firewall
  • Security awareness training
  • Encryption

This covers 80–90% of real attacks. The last piece of advice to those wanting to do this properly is not to try to do it all yourself.  You are not experts in this field any more than I am an expert in yours.  Working together with a cybersecurity professional, you can identify what, out of everything that is written above, is really going to give you the protection you need in your particular field, and what might be a nice-to-have, rather than an essential.  You can then prioritise the fixes by both importance and cost, maybe implementing fixes over several budgetary periods

Data Leakage Explained for SMEs

Stopping data leaks from your organisation is an important part of data protection; it is a subset, if you like, of that ever-evolving subject.  The rules are evolving here in the UK, with new legislation coming online, and there is a wide requirement that starts with a good mindset and sound rules and processes to guard your most sensitive data.  We refer to data leakage when talking about a service we provide to SMEs, which we don’t like to frame as data protection because it is, as I said, a subset of the requirements.  However, it is an important subset that lies at the sharp end of the whole thing.

First of all, let’s clarify what Data Loss Prevention (DLP) is.  It is a cybersecurity strategy that identifies, monitors, and prevents sensitive information from being accessed, shared, or transmitted without authorisation, whether accidentally or maliciously, across endpoints, networks, cloud services, and email systems.  In short, DLP stops sensitive data from leaving where it shouldn’t.

Sounds great until you investigate such systems, which can be extremely effective if you are a large corporate organisation.  That’s because these systems can be very expensive, difficult to set up and come with a heavy admin burden.  It’s not terribly surprising that SMEs don’t know much about these systems because the organisations that market them simply don’t target SMEs. After all, SMEs, in general, can’t afford them.

A data leak, however, can be one of the most damaging incidents an SME can face. Unlike large enterprises, SMEs often have fewer financial reserves, less technical expertise, and limited crisis-management capacity, making the impact proportionally greater.

Threats to an SME from Data Leakage

Taking a quick glance through the threats to an SME business from a data leak:

Financial Loss

  • Legal costs from customer or partner lawsuits.
  • Compensation payments to affected individuals.
  • Incident response and forensic investigation costs.
  • Business interruption losses during system shutdowns.
  • Regulatory fines (e.g., under data protection laws such as GDPR).

For SMEs, even moderate fines can significantly impact cash flow or survival.

Reputational Damage

  • Loss of customer trust.
  • Negative media exposure.
  • Damage to brand credibility.
  • Loss of competitive advantage.

SMEs often rely heavily on local reputation or niche trust; once damaged, recovery can be slow and costly.

Loss of Customers and Contracts

  • Clients may terminate contracts.
  • Prospective customers may choose competitors.
  • Larger partners may require stronger security compliance before continuing relationships.

Operational Disruption

  • Systems may need to be taken offline.
  • Data recovery efforts consume time and resources.
  • Staff productivity drops during investigation and remediation.

Theft of Intellectual Property

  • Loss of trade secrets.
  • Exposure of proprietary processes.
  • Competitors gaining access to confidential pricing or strategy information.

Increased Cyber Targeting

Once breached, a company may:

  • Be seen as an “easy target.”
  • Experience follow-up phishing or ransomware attacks.
  • Appear on dark web data marketplaces.

What are the Requirements of a Data Leakage Protection Solution?

In a nutshell, a solution that would fit an SME should be proportionate, cost-effective, scalable, and manageable without a large in-house security team.

Such a system needs to:

  • Identify sensitive data (customer data, financial records, IP).
  • Classify data based on sensitivity.
  • Map where data is stored and who has access.

It needs role-based access control (RBACS) using a least privileged principle, with multi-factor authentication and strong password policies.  It needs encryption at rest, preferable file level encryption, and use TLS for encryption in transit with secure key management. Such a system needs to be set up with monitoring, logging, alerting for suspicious activity and periodic audits.  It needs backup and recovery.  

For SMEs specifically, the solution should be:

  • Affordable and scalable
    • Cloud-friendly
    • Easy to manage
    • Automated where possible
    • Supported by managed security providers (if no internal team exists)

How Do SMEs View Such Systems

All too often, we come up against the attitude that such a loss is very rare amongst SMEs, and the threat doesn’t justify the expenditure.  That is often because this is a very under-reported issue, and those that are reported are just the tip of the iceberg.

What Is the Source of the “Tip of the Iceberg” Claim?

The idea comes from multiple types of evidence:

Incident Response & Forensics Data

Cybersecurity firms (e.g., Mandiant, CrowdStrike) publish threat intelligence showing:

  • Many breaches are only discovered during unrelated audits.
  • Cyber criminals often maintain access for long periods.

 Academic Research

Studies in cybersecurity economics suggest breach reporting underestimates actual intrusion frequency due to:

  • Asymmetric information.
  • Underreporting incentives.
  • Detection bias.

Threat Intelligence Monitoring

Security vendors monitoring criminal forums consistently find large datasets being traded that were never publicly linked to a disclosed breach.

Bottom Line

The consensus among cybersecurity professionals, regulators, and researchers is that publicly reported data breaches represent only a fraction of actual incidents.

The conclusion is based on:

  • Detection lag data.
  • Forensic investigations.
  • Legal reporting thresholds.
  • Dark web intelligence.
  • Academic economic modelling.

How Can an SME Protect Itself?

Having waded your way through the reasons why SMEs don’t see much data on this subject and therefore don’t see the threat, I’m going to reward you with the pitch.  Yes, H2 does have a managed solution that is designed, priced and operated specifically for SMEs.  It’s a solution that isn’t as comprehensive as a full enterprise-grade DLP solution, but it does do the job for an SME.

The key advantages for a small or medium-sized enterprise (SME) of using our service in practical, business-focused terms are: 

Automates Data Discovery and Protection

The service automatically finds, classifies, and assesses sensitive data (such as customer information, IP, and financial records) across endpoints, servers, cloud applications, and remote devices without manual scanning. This saves SMEs considerable time and decreases dependence on specialised security personnel. 

Proactive Risk Reduction

Rather than just alerting after an incident, the service can automatically encrypt or block sensitive data based on risk level, minimising exposure before a breach happens. This helps avoid data leaks and insider mishandling. 

Real-Time Monitoring and Alerts

The platform continuously tracks data movement and access, sending notifications for unusual activity. This keeps SMEs aware of potential threats or policy violations, even without a full-time security team. 

Simplifies Compliance

The service helps businesses meet data privacy rules like GDPR, PCI, and others by providing reports, audit trails, and documented controls, making audits and regulatory compliance far easier. 

Low Maintenance and Fast Deployment

Designed to be lightweight and “set-and-forget”, it can be deployed quickly with little disruption and minimal ongoing management, which is ideal for SMEs that don’t have large IT/security teams. 

Cost-Efficient Risk Management

By automating complex security workflows and reducing reliance on manual processes or legacy tools, SMEs can keep security budgets lean while still achieving strong protection. 

Centralised Visibility

It comes with a dashboard where you can see where sensitive data resides, who accessed it and what its risk level is, providing clear, actionable insights rather than fragmented logs across multiple systems. 

Supports Remote & Hybrid Work

Because it works across cloud, endpoint, and server environments, the service helps secure data no matter where employees work or where the data lives, particularly useful as more SMEs adopt remote/hybrid models. 

Reduces Human Error

With automatic classification and encryption, the service helps guard against accidental disclosure, which is a common risk in smaller organisations without dedicated security training. 

In summary, for an SME, the service can deliver data leakage protection, risk reduction and compliance support without the heavy cost or complexity typically associated with traditional data loss prevention (DLP) or manual security practices. 

Cost is something that is guaranteed to concentrate the mind of the SME owner.  This service is priced specifically for SMEs at £15 per user per month.  There is no contractual lock-in, and a client can quit with 30 days’ notice.  We also offer a 14-day trial to allow a client to see the benefits of the system using their own data, rather than a demo with dummy data.  We’d be delighted to discuss this with you further.

MORE ABOUT MANAGED DETECTION AND RESPONSE

This subject has, in the past, been difficult to convey to SMEs.  In the corporate and major government department world, it’s a well-understood issue, more often referred to as a security operations centre, or SOC.  I’ve built several of these over the years in the UK and the Middle East, and one thing is for sure: they are expensive to run in terms of both technology and manpower, which makes them unrealistic for an SME, even if they would be of real benefit.

So why am I even bothering to explain what it is?  Simply because there are now systems on the market, very often AI-driven, that have managed to hit a price point that an SME can afford.  These systems may not be as comprehensive as you might find in a large company or central government department, but they do match the requirements for most SMEs.

Why would an SME want such a system?  First and foremost, any such system or service pitched to an SME needs to make business sense.  To maximise its cost effectiveness, having additional capabilities such as vulnerability assessment, phishing simulations and cyber awareness training programmes makes it more attractive.  The whole package needs to emulate enterprise-grade protection without the cost and complexity of a full-blown SOC.  Delivering it as a service reduces cost by cutting out the need for an in-house team.

Good questions for all SMEs to ask themselves are:

If an attack or scam happened tomorrow…

Would you know about it?

Would you be able to stop it in time?

Would your team recognise it for what it is?

In a nutshell, an SME would want this system because it delivers near enterprise-level cybersecurity protection, reduces business risk, improves compliance, and protects revenue without needing an internal cybersecurity department.  It provides peace of mind – you don’t have to worry about this, let someone else take the strain, while you focus on your business.

To help explain this easily, I have produced a short video which you can find on the Features Section on my LinkedIn profile.   But if you don’t want to view that, what follows is an introduction to what the service offers.

  • Continuous monitoring of endpoints, servers, and some cloud environments
  • Rapid detection of ransomware, malware, insider threats, and advanced attacks
  • Expert-led response
  • Phishing simulations
  • Cyber awareness training programme
  • Dark web monitoring

For most SMEs, hiring skilled cybersecurity analysts is expensive and difficult. MDR gives access to an appropriate service level at a predictable monthly cost.

Business benefit: Reduced risk of downtime, data loss, and reputational damage.

This service comes with vulnerability assessment built it.  Such assessments are available elsewhere as both software and a service, but they would not be integrated into an overall protection and would need to have a level of expertise to interpret the results.

Vulnerability assessments:

                  •               Identify outdated software, misconfigurations, and exposed services

                  •               Prioritise risks based on severity

                  •               Provide remediation guidance

Most breaches happen because of known, unpatched vulnerabilities. Regular scanning helps prevent attacks before they happen.

Business benefit: Proactive risk reduction instead of reactive damage control.

The system also offers built in protection against human error (Phishing Simulation).

Over 80–90% of cyber breaches start with phishing. A phishing simulation programme:

                  •               Tests employee awareness safely

                  •               Identifies high-risk users

                  •               Reinforces learning through practical scenarios

Business benefit: Fewer successful phishing attacks and reduced likelihood of credential compromise or ransomware infection.  Such simulations are an integral part of cyber awareness training.

We also assist in building a security culture (CBEE Awareness Training Programme).  A structured awareness programme:

  • Trains staff on cyber hygiene and data protection
  • Covers password security, social engineering, safe browsing, etc.
  • Supports compliance with regulations (GDPR, ISO 27001, Cyber Essentials, etc.)

Cybersecurity isn’t just technology, it’s behaviour. Training reduces internal risk significantly.

Business benefit: Employees become a security asset rather than a liability.

A managed system such as this can also help with compliance & insurance requirements.  Many SMEs now face:

  • Regulatory obligations
  • Supply chain security requirements
  • Cyber insurance conditions

Having MDR, vulnerability management, and training demonstrates due diligence and can reduce insurance premiums or improve insurability.

These last 2 points are very important to an SME:  Cost Predictability & Simplicity.  As a managed service, everything is:

  • Subscription-based
  • Centralised under one provider
  • Fully supported by experts

No need to buy multiple tools, manage updates, or maintain in-house expertise.

In business terms you are getting executive-level risk reduction with a simple value:

  • Reduced likelihood of business interruption
  • Reduced financial exposure
  • Protection of brand and customer trust
  • Clear reporting and measurable risk reduction

All through this article I’ve talked about cost effectiveness.  So, what does this service cost?  I’ll add the BBC caveat – other systems are available!!  We charge £15 per seat per month, and you get a lot for your money.  Seems cheap and we’re happy to explain how we can get the price so low.  It’s a 30-day rolling contract, no long-term lock in, simply 30 days’ notice to quit.  We also offer a totally free 14-day trial that is fully functional so you can see the outputs from your own system, rather than look at demos with dummy data.

LESS FEAR MORE FIXES:  WHAT SME LEADERS WANT FROM CYBER SECURITY

That’s a good question and one that I’ve often pondered upon.  Cost effectiveness obviously, everyone’s on a budget, especially these days and there is a healthy reluctance to spend money on what is seen as not being your core business. 

I would argue that these days IT is part of your core business, or perhaps part of your core business operations.  Ask yourselves how many of you can continue business without access to your IT systems and the data they hold.  If IT is part of your business operations, then so is its integrity and security.

Let’s take a quick look at some of the reasons why security doesn’t feel like core business to many people:

  • It’s invisible when it works

If cybersecurity is doing its job, nothing happens. No alerts, no fires to put out, no obvious ROI. Compared to sales, ops, or product delivery, it feels abstract and thankless.

  • It’s framed as an IT problem, not a business risk

Many SMEs still see cyber as “the IT guy’s job.” Leaders think in terms of revenue, customers, and growth whereas cybersecurity often isn’t translated into those terms.

  • Short-term survival beats long-term risk

SMEs run lean. Cash flow, hiring, and winning the next customer feel urgent. Cyber risk feels probable someday rather than painful today, so it gets deprioritised.

  • Lack of personal exposure

If a leader hasn’t personally experienced a cyber incident, or heard a close friends horror story, it’s hard to internalise the risk. Threats feel like something that happens to “big companies” or “other people.”

  • Complexity and jargon turn people off

Cybersecurity language is often technical, fear-based, or compliance-heavy. When leaders don’t fully understand something, they’re less likely to own it as core strategy.

  • No clear ownership at the top

In many SMEs there’s no CISO, no risk committee, no board pressure. If no one at leadership level “owns” cyber risk, it floats somewhere below the surface.

  • Seen as a cost centre, not a value driver

Cybersecurity is usually positioned as insurance or compliance spend, not as something that enables trust, customer retention, or business continuity.

  • Optimism bias

Many SME leaders quietly think: “We’re too small / not interesting enough to be targeted.” Unfortunately, attackers often prefer SMEs because they’re easier targets.

Now let’s flip the mindset.  Cybersecurity starts to feel like it’s part of the core business when it’s framed as:

  • Protecting revenue not systems.
  • Protecting customers not servers.
  • Protecting the ability to operate.

Cyber incidents have to be seen as business stopping events, not just technical inconveniences.  Once that is recognised at the top, it tends to be moved into core business territory very quickly.

So, going back to the question I posed above, what do SME owners want from cyber security, assuming now that they truly embrace its importance to the core of the business they are running?  I did mention cost effectiveness above and what follows has to be seen in the context of individual budgets, which will necessarily affect the spend.  In order to make sure that happens any security spending must be targeted on what is important and indeed, critical to the business, and not just what is thought of as critical or important.

What comes top of my list every time is the protection of critical business data.  Think of this in terms of what outcome is wanted.  Generally, that means that customer data, financial records, HR data and intellectual property remain confidential and intact.  From the angle of cost-effectiveness:

  • SMEs prefer low-cost but high-impact controls such as strong passwords, multi-factor authentication, and encrypted backups rather than expensive enterprise systems.
  • Preventing a data breach is far cheaper than paying fines, compensation, or suffering reputational damage.

High on the list of importance comes business continuity and minimal downtime.  It’s vital that systems stay available so the business can keep operating even after an incident.  This generally means simple, automated backups and basic disaster recovery plans that can be pulled own from a shelf, having been regularly updated and tested, and taken into use.  Plans must minimise lost sales and staff productivity.

There’s a lot more too this whilst trying to keep it simple.  Some headlines:

  • Compliance and regulatory requirements – industry dependent except for things like PCI, GDPR etc.
  • Reducing risk to a level that the organisation deems acceptable.  What is known as the risk appetite.  There is no such thing as 100% security, you are essentially managing risk down to a level you can live with.
  • Ease of use for staff.  Security shouldn’t cause frustration and slow things down. 
  • Predictable costs.  Clear, predictable cybersecurity costs that fit within limited budgets.
  • Reputational and customer trust.  Whilst the fallout from loss of trust with your customers can vary from company to company, it is often extremely damaging, especially for companies that hold lots of personal client data.  Maintaining trust through basic security measures is far cheaper than trying to rebuild after a breach.

SME owners and managers are usually not looking for “perfect” security. Their focus is on practical outcomes that protect the business without overspending.  Don’t be lulled into a false sense of security, believing that the technical solutions you have been sold are adequate protection.  Ask questions, look for assurance that you have this covered, remember that often the best solutions are procedural not technical.  Look at things from the angle of people, process and then technology.

Good Luck!!

Security on Paper vs Security in Practice: What Executives Need to Know

My recent articles have been all about data leakage and I very briefly indicated that we have a solution for that.  I am aware though that in cyber security and in fact data protection, technical solutions on their own, are not sufficient.  They must be underpinned by sound policies and procedures.  One of my favourite quotes, that I probably use too often, but I make no apologies for that, is by a Harvard professor and cyber security evangelist, Bruce Schneier.  He says:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

What am I getting at here exactly?  Well, some solutions are not about technology and in fact are best done procedurally and with sound cyber awareness training.  Other solutions are technical in nature but must be underpinned with sound policies and processes that are rolled out and understood by staff via sound cyber awareness training which covers these policies and processes and why they are necessary.

The great cry from cyber security professionals is – People, Process and then Technology.

For many SMEs, cybersecurity policies do exist but real visibility into cyber risk does not. Policies are often written to satisfy compliance requirements, reassure clients, and demonstrate intent, yet they rarely answer the questions executives care about most: Where are we vulnerable? What could realistically disrupt the business? Are we investing in the right protections?

What we are saying here is that security documentation should be more than a defensive tick box. When policies are actively mapped to vulnerability assessments, they become a powerful source of risk intelligence. Gaps between documented controls and technical reality surface quickly, exposing weaknesses that attackers are far more likely to exploit than auditors are to find.

In an environment where cyber incidents increasingly target smaller organisations, the difference between written policy and operational security is no longer academic. Converting policy into protection is a practical, achievable step that materially reduces risk and one that executive leadership is uniquely positioned to drive.

The trick is understanding what your risks are and what needs protecting and at what level.  What we mean is separating out what is highly sensitive, sensitive and not so much.  Our system helps you map this and helps you make some informed decisions, but it won’t write your policies for you.

I’ve written articles in the past on risk management and identifying threats and vulnerabilities and mapping them to risks Identifying what could go wrong digitally, understanding how bad it would be for the business, and deciding what to do about it, all within your budget and risk appetite. Think of it like financial or operational risk, just applied to data, systems, and online operations.

You can’t protect everything equally.  You don’t need a threat catalogue, just a broad understanding of the common ones that hit SMEs.  You can then assess:

Risk = Likelihood × Impact

Translate tech issues into:

  • Revenue loss
  • Operational downtime
  • Legal/regulatory exposure
  • Reputational damage
  • Customer trust erosion – reputational damage

What we are looking to do is to decide how we treat each risk.  There are really 4 options that you need to think about in terms of each risk:

  • Reduce – put controls in place (e.g., MFA, backups)
  • Accept – consciously live with the risk
  • Transfer – insurance, contracts, outsourcing
  • Avoid – stop doing the risky thing

There was an interesting post on LinkedIn recently about the Bank of England having just dropped its 2025 CBEST Thematic Report with some interesting findings.


After 13 threat-led penetration tests across UK financial services, the message is clear: most vulnerabilities aren’t sophisticated. They’re foundational.

  • Passwords stored in spreadsheets and shared drives
  • Weak MFA enforcement and poor credential hygiene
  • Inadequate network segmentation
  • Detection capabilities that couldn’t spot simulated attacks early
  • Staff still falling for social engineering

The regulators’ call to action is direct:

  • Harden your systems – patch and configure properly
  • Fix your credentials management – MFA, strong passwords, no plaintext storage
  • Detect faster – monitoring and alerting that actually works
  • Remediate based on risk – with proper oversight, not just tactical patches

What I’m touching upon here is multi layered security, what in the military we referred to as strength in depth.  Monitoring systems has often been thought of as too difficult and expensive for SMEs but that’s no longer true and we now have a solution that is affordable and designed specifically for SMEs which handles monitoring but also has some useful addons such as vulnerability assessment, phishing simulations and a built in cyber awareness programme, all within the licence costs, no hidden extras.

More About Data Leakage

Last weeks newsletter was all about data leakage, and I argued that it wasn’t a well understood problem, which doesn’t get the attention it deserves.  We all know about data protection, at least at a high level, and we know about the regulatory issues around it, although many take the view that talking about that is scare tactics designed to make you buy something.  And OK, it can be just that, but it doesn’t make it any the less real.

We all need to be cognisant of the issues and potential fallout, but it becomes much more of an urgent issue for organisations that depend upon holding and processing large amounts of what is known as Personally Identifiable Information or PII.  That is information that can identify a specific individual, either on its own or when combined with other data.  PII spans quite a large category of data:

a. Direct identifiers (identify someone immediately)

         •        Full name

         •        Social Security number / National ID number

         •        Passport number

         •        Driving license number

         •        Biometric data (fingerprints, facial recognition data)

b. Contact information

         •        Home or mailing address

         •        Email address

         •        Phone number

c. Financial information

         •        Credit or debit card numbers

         •        Bank account and routing numbers

         •        Tax records

         •        Payment transaction histories

d. Digital & online identifiers

         •        IP address

         •        Device IDs (IMEI, MAC address)

         •        Cookies linked to an individual

         •        Account usernames (when tied to a real person)

e. Personal characteristics

         •        Date and place of birth

         •        Gender

         •        Marital status

         •        Employment details

         •        Education records

f. Sensitive PII (higher risk if exposed)

         •        Medical and health records

         •        Insurance information

         •        Genetic data

         •        Precise location data

         •        Criminal history

We all process some data of this kind, if only data pertaining to our own employees, such as payroll information.  However, we often hold personal data regarding our customers and suppliers, names, payment details, addresses etc.  But consider organisations that store and process data covering many of the categories above.  I’m thinking about law firms, financial firms, even real estate agents and recruitment agents, amongst others.  Have you thought about the categories of PII you are holding?  Have you identified the sensitivity of the data you hold, and protect it accordingly?

It’s also important to understand what PII is not. 

  • Fully anonymised or aggregated data
  • General information that cannot be tied to a specific person (i.e., “people aged 20–30 in England”).

If you do hold lots of PII that is critical to your business, what do you need to care about?  This will depend to a certain extent on what you are holding and processing, but generally:

  • Protecting reputation above all else
  • Being seen as a safe pair of hands
  • Keeping clients and the board confident
  • Avoiding public embarrassment or loss of trust
  • Having certainty without complexity

Reputational damage can be far worse than losing say, some money to a scam or ransomware.  Firms can often come back from financial loss, but reputational damage is often permanent and fatal.  You need to be seen as a safe pair of hands.

A core anxiety is often worrying that if something happens, the organisation wouldn’t be able to confidently explain where the sensitive data is and how it’s protected.  Three things that tend to be a common theme amongst those we deal with at the start of their journey:

  • They know the risk exists
  • They don’t know how big the problem is
  • They hope nothing happens before they act

The problem often gets explained like this:

  • “We don’t really know where all our sensitive data is.”
  • “I’m relying on trust and assumptions.”
  • “Our outsourced IT provides storage solutions and gateway security, but they don’t really have a handle on our data.”

At H2 we understand the issues and anxieties.  We have a solution that deals with these requirements and has a built-in encryption system, all within the same monthly cost.  It’ll cost you nothing to trial it and we’d be very surprised if once you’ve seen it and seen the low monthly charge for the managed service, you don’t want to keep it.

Data Leakage

Data leakage is a subject that is not well understood but can have a devastating effect on a business.  It is a somewhat dry subject that many companies, particularly SMEs, pay little attention to, even whilst understanding the requirements of data protection, even if at a high level. 
 
Most data leaks are not the result of a cyber-attack, although many are, particularly ransomware, but are often the result of an employee either making a simple mistake, or more likely doing something that they didn’t know they shouldn’t.
 
I’m minded of an issue that arose a couple of years ago with a government department where magnetic media containing millions of pieces of data belonging to members of the public, was sent to somewhere it shouldn’t have been.  An employee was asked to download the data and send it out.  There was no policy in place for magnetic media handling, and the employee could not be blamed for doing what he was told.
 
Of course, these days electronic data handling make mistakes like that much easier to make, and as such they happen much more often.  The reputational damage from such mistakes can be catastrophic.
 
My subscribers will know that my focus is the SME, large and small.  So how does this impact them.  Not so long ago a small UK housing association experienced a breach when a disgruntled former employee leaked tenant data, exposing names, addresses, financial details, and tenancy agreements of around 3,500 tenants. This case shows how insider threats and inadequate access controls can lead to leakage of sensitive data in a small organisation. 
 
Industry reporting and surveys show that many UK SMEs experience data breaches with around 43 % reporting some kind of cyber security breach or attack in the past year. 
 
While not always individually publicised, these incidents often involve:
 
         •       Phishing that leads to credential compromise
         •       Unauthorised access via weak passwords or unmanaged devices
         •       Malware/ransomware encrypting or exfiltrating business data
 
These types of breaches typically result in data leakage of customer contacts, invoices, employee records and sensitive business information that can severely harm small firms.
 
A widespread supply-chain style attack affected companies using compromised versions of popular VoIP software (3CX). While this isn’t a single SME, it demonstrates how attackers target tools widely used by SMEs, leading to stolen data and credentials across hundreds of thousands of business customers globally. 
 
Here at H2, when we are first approached by a prospective client and we begin our offer of a 15-day free trial to examine their requirements, one of the first things we find is that they don’t know what data they are holding, or where it all is.  Oh, they have a general idea; it’s on the cloud server(s), it’s not on laptops or desktops, it’s just the stuff we need to process our clients’ requirements and yes, we’ve only got one copy.  And then we install our software that first carries out a discovery exercise and we find that their laptops/desktops are holding lots of copies of the data that is on the cloud server(s).  How does that happen?  Over time, especially with many now employing the hybrid system of working, ie between the office and remote (home) locations, employees log on to the cloud, find they have a bit of shaky internet link and download the data they need, work on it and then upload it again, forgetting to delete it from their machine.  Or they need to share it and attach it to an email and send it out, forgetting, or perhaps not realising, that the data is now stored, attached to an email, on their email server.
 
Then comes the issue with audit trails.  If the ICO ever wanted to carry out an investigation, then having an audit trail of who created/copied/deleted/forwarded what to who, makes life a whole lot easier.  And let’s not forget the member of the public who is fully entitled to submit a Data Subject Access Request or DSAR, which demands that you reveal what data you are holding on that person.  The law insists on it, and you can’t refuse it.  I know of a financial firm that took nearly 3 weeks to satisfy a DSAR, taking an employee off billing, for that time.
 
We have a solution that meets these requirements and has a built-in encryption system, all within the same monthly cost.  It’ll cost you nothing to trial it and we’d be very surprised if once you’ve seen it and seen the low monthly charge for the managed service, you don’t want to keep it.

Cyber Security Policies – A Must Have or a Nice to Have

I’ve written about this a couple of times now but it’s worth reminding people that policies and attendant processes are a cost-effective necessity in terms of cyber security.  How important are policies and processes in comparison with technology, when it comes to Cyber Security and its sister discipline, data protection.  The clue is that in Cyber Security we refer to People, Process and Technology, in that order.

Top of this list is People, and I’ve written extensively about how important cyber awareness training is for all, managers and employees alike.  This piece is all about policies and processes.  First and foremost, policies have to be relevant to the organisation and not just downloaded from the internet, maybe with a few modifications, before applying a tick in the box and moving on.  Policies have to mean something and have a purpose.  Many organisations I go to either have some very scant policies or actually, none at all.

I often talk about risk in terms of cyber security and how managing that risk is extremely important.  And that means understanding what those risks actually are, and then taking steps to mitigate them.  When I talk about this, I can often see the wheels turning and the audience thinking technology and how much is that going to cost them.  Well, it’s often the case that technology is not the answer.  There are many risks where a good policy, promulgated to, and understood by all, can save the company money.

A good example of that is a fairly common scam that tends to costs SMEs between 5 and 50K depending upon the size of business.  How this is achieved is that the scammer or let’s call him/her what he/she is, the criminal, spends some time profiling the company, using various social engineering techniques to work out how the company is organised and who is who.  You may be surprised as to how much of that information is freely available on the company website, companies house and other sources. Having discovered who the boss is, and who looks after invoice payments, the criminal then ‘spoofs’ the bosses email.  Email spoofing, in simple terms, is sending an email purporting to come from someone else.  So, it arrives purporting to come from the boss, but it’s from the scammer.  Such an email is sent to the person who pays invoices, with an invoice attached, saying please pay this as a matter of urgency.  This happened not so lo g ago to someone I know, and when it arrived in the accounts department it didn’t look genuine to the payments clerk, who replied to the email asking if the boss was sure.  Of course, she got an email back saying yes, I’m sure.  She paid it and the company lost over 30K.  The accounts clerk was clearly switched on but she made a basic error, because she didn’t know any different.  If she had sent a fresh email to the boss querying the invoice, it would have gone to the boss who could have stopped the transaction.  Instead, she replied to the email and her reply went back to the scammer.  A policy which dictates fresh emails rather than using the reply function, and known to all, would have saved the company a lot of money.

Policies and attendant processes are essential for the protection of company data and the bottom line, company money.  What needs to be covered and in what depth, depends on the risks that the company is facing, and will differ company to company depending on its type.  In broad terms, and as an absolute minimum, the following are required:

  • Overarching IT security policy – often this only needs to say very clearly what responsibilities employees have in regard to security and data protection, lay down a requirement and responsibility for cyber awareness training, and state that all employees are to be cognisant of all the policies and are to sign that they have read and understood them.  And most importantly, it must be signed off at board level making it clear that this is a crucial requirement.
  • IT Acceptable Use Policy – what is, and what is not, an acceptable use for company IT.
  • IT Email Policy
  • IT password policy
  • IT Mobile working policy – essential for mobile workers who may be tempted to work from a coffee shop, and of course, working from home.  This latter might be a separate policy or can be part of the mobile working policy.
  • Data Protection Policies – a whole other subject.
  • Social media policy – this can be really important.  Probably 100% of your employees will have a social media presence and will use it daily. How important is it that they don’t associate themselves with the company on their private social media?  Depends on the person but it could be damaging in reputational terms.  The company might also do some digital marketing on social media.  Who is, and who is not, allowed to get involved with that function.

This is not an exhaustive list.  It depends very much on risks that needs mitigating.  They will also be accompanied by processes to support the policy.

Managed Detection and Response (MDR)

What’s this all about and why would it be of any benefit to you?  The first part is easy to explain but the second is a little more problematic.  MDR is a cybersecurity service designed to help organisations, including small and medium-sized enterprises (SMEs), detect, investigate, and respond to cyber threats without needing their own large security team.  That latter bit is important for an SME simply because they don’t have the expertise or resources to do this themselves, neither can they rely upon their local IT provider to do this for them, even if only because it almost certainly won’t be in your service contract.

What does it give you:

CapabilityWhy it matters to SMEs
Around-the-clock monitoringCyber threats don’t stick to business hours – MDR providers watch systems 24/7.
Threat detection using modern toolsUses advanced analytics, machine learning, and threat intelligence that SMEs typically can’t afford or manage internally.
Rapid Incident ResponseCan remotely contain and remediate attacks before they spread.
Security expertise on demandSMEs gain access to required expertise.
Proactive threat huntingIdentifies hidden attackers or early-stage breaches.
Compliance and reportingHelps SMEs meet regulations (e.g., GDPR, Cyber Essentials, ISO 27001) with clear reports.

The above describes a full service, SMEs do have the choice of selecting a full response or an alerting service which also gives guidance on what to do i.e. helps manage a response by you.

It’s important to understand what an MDR is not:

  • Not a replacement for basic security hygiene (patching, backups, strong access controls)
  • Not just a tool, it’s a combination of technology + human expertise
  • Not “set and forget”, you still must collaborate on remediation decisions

So now we understand what MDR is, let’s look at why you might want it.  SMEs are increasingly targeted by cybercriminals due to limited in-house security resources. An MDR service provides continuous monitoring, advanced threat detection, and rapid incident response, improving cyber resilience while reducing operational burden and cost. Implementing MDR will significantly reduce the company’s cybersecurity risk and support compliance, business continuity, and customer trust.  And if you think this is all over the top let’s remember Knights of Old, they were an established trucking company who moved a lot of what you might call just in time goods, i.e. perishables.  They were hit with a ransomware attack and went under in a frighteningly short time.

So just to crystallise the problem, current security controls are designed to be preventative and are largely reactive, with no proactive elements to them.  They lack:

  • 24/7 threat monitoring
  • Real-time detection and investigation
  • Specialised expertise required for modern cyber threats
  • Rapid response capability to contain breaches

As a result, you potentially face::

  • Increased probability of a successful attack
    • Delayed breach response → attackers remain undetected for months
    • Data exfiltration and business disruption
  • Higher financial and operational impact if one occurs
  • Non-compliance with data protection obligations (e.g., GDPR, industry standards)
  • Reputational damage and loss of customer confidence
  • Insurance coverage gaps (cyber insurers increasingly mandate MDR-level monitoring)
  • Greater operational and legal fallout from incidents

The trick for many SMEs would be finding a solution that is suitable for them and just as importantly affordable.  A good fit could be:

  • Affordable subscription model with no costly infrastructure
  • Bridges the cybersecurity skills shortage
  • Improves resilience against ransomware, phishing, insider threats, and more
  • Scales as the business grows

SMEs would also need to consider whether they need a full response service or an alerting service level.  The latter is obviously cheaper and maybe more appropriate for many.  The coverage they should be looking for needs to include:

  • Endpoints (laptops, servers)
  • Cloud workloads (Microsoft 365, Azure, etc)
  • Identity services (Active Directory)
  • Network visibility
  • Email security
  • Remote workforce monitoring

I hope that this provides food for thought as I know many SMEs will not have considered this type of service or if they have, they will have dismissed it as too expensive and probably over the top.  And for many years this would have been just that.  I first got involved with this back in 2002 and built several security operations centres over the years, including staffing levels and processes. 

Generally, these have been way too expensive for an SME to consider.  But that has changed now, there are services available which are designed for SMEs, and which are affordable and appropriate.  Now I know you’ve been waiting for the pitch and here it comes.  At H2 we provide such a service which is very affordable, and we are happy to stack it up against others.  We offer a 14 day totally free trial, that covers your whole estate, i.e. not restricted to one or two systems, or departments, but your whole organisation. 

Scroll to top