Cyber Awareness Training

Cyber Awareness Training Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Supply Chain Security

Another Tilt at AI

At the risk of boring you about the risks inherent in AI, I’m going to have another go, simply because it’s a fascinating subject.  AI can really become the gift that keeps on giving.  We’ve always played catch up to the cyber criminals, trying and often failing to anticipate what the next attack will be, what the next series of attacks will be.  Will it be ransomware, denial of service or perhaps a new and more sophisticated scam?  Who knows?  But there is no doubt that AI is raising the bar.

I have talked a lot about the re-emergence of the script kiddie and how AI in enabling this particular breed of wannabe criminals.  But it’s also true that the more skilled and sophisticated criminal is making use of AI and finding new and innovative ways of relieving you of your hard earned cash.

There is a lot going around within the IT and cyber industry about the ethical usage of AI, its ethical development, and that IT system integrators have a cast of thousands working on such ethical development and usage.  Fine, I applaud them.  But what does that mean for cyber security, and indeed data protection?  Well, I have to say, in my humble opinion, not a great deal.  I say that simple because no matter how ethical we are, the criminal doesn’t give a damn, he or she will continue on their own sweet way and do what criminals have always done, which is to completely disregard ethics.  So, whilst we can applaud and support those companies who are producing software and systems which use AI ethically, for the good, but just like old times, the criminals will do their own thing.

So, let’s take a look at some of what is at risk in terms of our data and systems:

  1. Data Protection.  AI systems tend to be extremely good at analysing, organising, and harvesting vast amounts of data, raising concerns about privacy breaches and unauthorized access to sensitive information.  A good AI powered attack could capture huge amounts of personally identifiable information (PII), in a ridiculously short amount of time.
  • Data Integrity.  In the good old days (please indulge me – I’ve been around a long time), we used to talk about CIA, no, not the infamous US intelligence agency, but Confidentiality, Integrity, and Availability.  We now have something we call the Adversarial Attack.  This is where attackers can manipulate AI algorithms by feeding them misleading data, causing them to make incorrect predictions or classifications, in turn destroying the integrity of your data, not just rendering it useless, but dangerous.
  • Model Vulnerabilities.  This next one is relatively new, at least to me, and as I never tire of saying, I’ve been this game as long as there’s been a game.  It’s something call Model Vulnerabilities.  AI models can be vulnerable to exploitation, such as through model inversion attacks or model extraction, where attackers can reverse-engineer proprietary models.  So, if you’re in the dev game, this is a very real nightmare.
  • Bias and Fairness.  AI systems may inherit biases from training data, leading to unfair or discriminatory outcomes, which can have legal, ethical, and reputational implications.  This could be used as another form of extortion, playing with the integrity of your data, to the point where you can no longer trust it.
  • Malicious Actors.  These can compromise AI systems at various stages of development, deployment, or maintenance, posing risks to organisations relying on these systems.  This has a play in supply chain security.
  • Attackers can leverage AI techniques to enhance the effectiveness of cyberattacks, such as automated spear-phishing, credential stuffing, or malware detection evasion.

Addressing these risks requires a multi-faceted approach, including robust security measures, thorough testing, ongoing monitoring, and regular updates to mitigate emerging threats.

The real danger is complacency.  AI isn’t a future hypothetical threat but is very real and here now, already making itself felt, for both good and bad.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

Scams v Hacks – how does this effect SMEs?

When I speak to SMEs, I make the point that the chances of being ‘hacked’ is relatively low when compared with being scammed.  Why?  In my view, I look at a hack as being a technical attack on a target by someone who is technically savvy and skilled in identifying and exploiting weaknesses in a company’s defence.  A scam on the other hand can be perpetrated by people with relatively low levels of technical ability and scams are in fact, a con, just like any other old fashioned con, in that they get the target to agree to, or to do something, that will benefit the con artist.

We always recommend that our clients try as best as they can to have defence in depth.  That’s an old military term which is often used in cyber security now to describe multiple layers of defence.  This can be expensive though and it must be tempered by budget, targeting controls where they are most needed.  What this does is to deter many attackers who are looking for a quick win, so if they have to work long and hard to break in, they’ll often go elsewhere, where the pickings might be easier.  And of course, whilst an SMEs defence might be somewhat less than those of an enterprise organisation, the pickings are likewise smaller, making it not cost effective for the attacker to take too much time with a technical hack.

Does this make scams much more attractive to the criminal?  Yes, I believe it does, simply because the amount of effort required is low and they are skilled in manipulating people, especially those that have had minimal cyber awareness training.  Scamming, just like hacking is generally preceded by some form of social engineering.  Social engineering refers to techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons.  So, whilst a hacker modifies a computer’s software and hardware structure to carry out certain tasks, social engineering uses people as weapons to attack selected targets. In this way the manipulation is accomplished by employing trust through different forms of communication.

Typically, social engineering is achieved via Phishing, Vishing (video), Smishing (via SMS), malware and Spear phishing where the targets are selected for their importance to a specific attack.  Whatever method is used the aim remains the same, it is to persuade the unwary to give up sensitive information, install malicious software or do things that compromise your business security.  The best protection against social engineering remains a work force that are aware of the techniques and dangers posed by this.

What is the cost of scams to the across the globe?  One statistic suggests that public sector fraud losses amount to about £50.2 billion whilst frauds committed directly against individuals, including marketing fraud and identity fraud, is around £8.3 billion. The total cost of fraud has risen from about £190 billion in 2017 to almost £219 billion.  (Source Peters, Peters and Crowe). Of course, not all of this is via online fraud, but it is becoming the most common type of scam we see today.

Some of the most common types of scams that we see include, but are not limited to:

  • Copycat government websites. Some scams involve websites designed to look like official government websites such as HMRC. …
  • Dating and romance scams. …
  • Holiday frauds. …
  • Mandate fraud. …
  • Pharming. …
  • Phishing emails.

I received an email only yesterday purporting to come from someone called, and I kid you not, Lisa Monaa, inviting me to partake in an extremely profitable project, and I just couldn’t bring myself to read anymore.  It was a badly written phishing email with little chance of success.

AI is having an effect as well.  I’ve written earlier about the CEO scam whereby a CEOs email is spoofed and sent to an accounts department with an invoice attach, stating that the CEO has received a complaint from a supplier that their invoice is late and to get it paid without delay.  That scam has now been updated to a voice simulated by AI, over the phone, demanding the same.

Whilst that scam is quite old, it shows how social engineering has a play.  Firstly, they have to find out what the CEOs email is.  Not difficult.  The company’s email form will almost certainly be shown on their website with a contact like sales@abc.com.  So, the attacker knows that the suffix is abc.com.  They may well also be able to get the CEOs name from the website or even Company’s House.  Next send an email to JSmith@abc.com.  If that bounces send it to John.Smith@abc.com and so on until it goes through.  Next phone the accounts department, ask for Mary in accounts payable.  No Mary here I’m afraid.  Oh sorry, I was sure it was Mary, who handles accounts payable then, Oh that’s Julie.  So, he now has CEOs email and someone to send the email to.  That would probably take about 30 minutes of the scammers time.

The impacts of scams can be very far reaching.  Firstly, there is financial loss, which to many SMEs operating on tight margins, can be quite devastating.  Then there is the possibility of data breach.  If you are a business with lots of client personal data, say a financial advisor, a lawyer, an estate agent, pharmacist, you get the drift, and the aim was to steal data, then you could be hit with a substantial fine from the Information Commissioner not to mention lawsuits from those whose data has been stolen.  Reputational damage can be disastrous and then there is the effect on staff who can suffer greatly thinking they have damaged the company and put everyones job at risk.

Bottom line – scamming is endemic, it’s going nowhere, and AI is going to make it more prevalent, not less.  SMEs spend far less on their defences and on cyber awareness training making them more likely to be targeted.  Combating this threat should be high on your to do list.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware

A Tale of Two Company’s

These stories are fictitious but are based on real events with the company names, locations, and industry vertical either changed or obscured.

Company One

ABC Ltd is a chain of financial advisors which has seen strong growth even allowing for the hiccup of the COVID lockdowns.  It has grown from one site nearly 20 years ago, to six sites situated in rural market towns in the East of England.  As with nearly everyone else, COVID has significantly changed the way they operate as they were forced into home working and never went back to being fully office based and are now operating a more distributed hybrid working pattern, with staff working between offices and home.  This hasn’t proven to be an issue and has some financial benefits, reducing the office footprint, fuel and light and travel costs.  Their clients, consisting of local businesses mainly but with a significant department looking after individuals, have not been impacted by these changes.

John is the finance director, and he was given the additional responsibility for IT, something not unusual in SMEs, as they can rarely afford their own in house IT experts.  This has led to John outsourcing the IT to a local IT management company and so far, they have had no complaints.  Although John doesn’t profess to have any in depth IT knowledge, he discussed their requirements in detail and accepted that a move away from onsite servers and storage to a cloud based system made perfect sense and lent itself to the distributed network they now operated.

However, he had some concerns around cyber security.  He read a lot and what he read worried him, particularly about things such as ransomware, phishing, social engineering and scamming.  He knew that they held considerable amounts of personally identifiable information (PII) as defined by the Data Protection Act or UK GDPR as it is becoming known, and he had heard horror stories of company’s being fined a lot of cash for losing that data.  So, John decided to bring to bring this up at a board meeting and was met with some resistance from the CEO and other board members.  They asked what advice he was getting from their IT providers, and he said not a lot.  They seemed to be happy with the defences in place, which relied on firewalls in the office, and personal firewalls on remote laptops and desktops, anti-virus software and secure channels for sending data to and from the cloud storage.  The cloud provider operated under Ts&Cs which seemed to ensure that they took responsibility for the secure storage of their data.  He was concerned that not all their data was stored on the cloud, even though it was supposed to be.  He knew that staff working from home downloaded data onto their laptops, worked on it, and then uploaded it.  He was sure they ever deleted the copy they had on their laptops and had no way of checking.  He was also sure that data was attached to emails and sent around, so there would be copies on the email server, and on email clients.  But he was told to forget about it as it wasn’t a priority for funding. 

Jumping forward a couple of months and staff were panicking, and his phone was ringing off the hook as IT user after user was seeing a red text box sporting a skull and crossbones and the message that their data was encrypted, and if they wanted to unencrypt it, it would cost £50,000.  The CEO convened an emergency board meeting, and the IT provider was dragged in.  It didn’t take long to ascertain that this was a sophisticated attack and when they attempted to access their cloud storage, they found that the data held there, was also affected.

The CEO asked the IT provider how long this would take to fix, if indeed it was fixable.  He replied that they did have two sources of backups of the data, online and offline.  The problem was that the online data could also be affected and so the safest recourse was the offline backup, but that was only done weekly and therefore they would lose at least 3 days’ worth of data.  The CEO was not pleased.  Added to this, John wasn’t happy with just fixing the immediate issue, he wanted to get to the bottom of how this happened and how can they stop it in the future.  He contacted a specialist cyber security company that was fairly local to them.  Modesty forbids me to mention their name.

Once onsite they identified that there needs to be two strands to this.  First and foremost, the company needs to be gotten up and running, which means restoring from backup.  But there is no point doing that if the ransomware is still sitting on their systems because it would merely encrypt the backup.  It’s never that easy.  How did the ransomware get on the systems, how deeply is it embedded, how did it get on the cloud storage etc.  How it got there was quite easily detected.  It was simple email scam sent to around half of their workforce, at least two of whom clicked on it.  Once that was done it spread itself around the system, infecting all connected machines, and easily jumped to the cloud storage and even the online backup, which was connected to the cloud storage itself.

From then it was a simple but painful exercise which took best part of a week to sort out.  In order to be safe and thorough, all machines were wiped, including the operating systems, and then the OS reinstalled, along with all the applications.  Meanwhile they worked with the cloud storage provider, who was cooperative, to clean up their servers.  The data was then installed from the offline backup.

It was estimated that they lost money well into 6 figures, including fixing the problem, and lost business whilst it was all sorted out.  Trying to get back the 3 days’ worth of data lost, was embarrassing.  But at least they didn’t cave in to extortion as some might have, as we’ll see below.  Luckily there was no indication of a data breach which sometimes accompanies ransomware attacks, so no involvement of the Information Commissioner and the embarrassment of having to contact clients about their personal information.  It could have been worse.

Recommendations asked for by the board included:

  • Cyber Security Awareness training for all staff, including induction and 6 monthly refreshers.
  • Revisit the anti-virus/malware in use to see if there is a better solution for ransomware.
  • Revisit protections for the data itself.  Do they know where it all is?  Can it be audited?  What about encrypting it themselves before anyone else can?  It might not protect against ransomware, but if a data breach happens, it will avoid ICO fines.
  • Revisit the backup routines.
  • Have a solid disaster recovery and business continuity plan to avoid ad hoc and inevitable knee jerk responses.
  • The ransomware code required privileged access to do the real damage.  It got it easily.  Revisit the privileged access management system in place.  Is it up to scratch?
  • Consider annual cyber security health checks.
  • Consider adhering to a standard such as Cyber Essentials or perhaps even ISO27000 series.

Company Two

Company Two was a transportation and storage company which operated from one site and its core business was transporting and storing produce before it was moved on to the consumer chain ie supermarkets and the like.  As such they had 3 large cold stores which were of course temperature controlled and any prolonged period without temperature control could cost the business thousands in a relatively short space of time.

The problem was that their security architecture was still based on the old bastion model of having a secure perimeter, protected by firewalls, but once inside, there was no segmentation, ie once in, the world was your oyster and the temperature control systems were on the same network as the other IT systems, with nothing separating them.

At this point the same thing happened to them, as happened to Company One.  They received the ransomware message which was even more damaging because it not only encrypted their data, but it knocked out the temperature control systems.  This meant a more sophisticated attack than just embedding malware in an email, the attackers must have gotten into the system and identified a serious weakness that they could exploit.

This wasn’t as difficult as it seemed.  There were several weaknesses in their defences.  First, they had changed broadband provider, but the old broadband connection was still active and connected to their network.  Second, they had security cameras which were remotely maintained.  These cameras were also on the main network and therefore there was a remote backdoor into the system.  There were other weaknesses, but these will do as explanations as to what happened.

As the gravity of the situation dawned on everyone, the decision was made to pay up and prevent a potential disaster in regard to the cold stores.  Understandable I suppose but ultimately not a good solution.  They did get back online within half a day.  So far so good.  But they wanted to make sure that this couldn’t happen again and so they called in some cyber experts to look things over.  What was discovered was quite horrifying.  Firstly, the attackers left a back door into the system which was discovered and closed down.  This would have allowed the attackers easy access to do it all again.  The issue with clicking on a dodgy link was also raised.  But the real problem was that it was discovered that the ransomware attack was used to also disguise the theft of data.  Missing was a considerable amount of financial information, including bank account details not just for them, but for their customers and suppliers, and PII relating to their customers and suppliers, but nothing too damaging other than business email and postal addresses.  Luckily their HR and payroll was outsourced and so they held very little about their staff.  Nevertheless, it was estimated that the cost of this breach would eventually reach 5 figures.

Lessons included very much the same as Company One but with the addition of having a security architecture review with the aim of tightening things up and introducing network segmentation.

Summary

  • Cyber security is a business issue not an IT issue.  It’s the business that suffers, not the IT support. 
  • Cyber Awareness training is the biggest and cheapest quick win that any company can take to protect itself.
  • Make sure your backups are adequate and up to date.
  • Make sure you have a disaster plan to recover from an attack.
  • Make sure you have a business continuity plan to continue working whist you recover from a disaster.
  • Make sure you privileged access management is adequate.
  • Make sure your anti-malware solution is the best available to protect against modern threats.
  • Don’t be complacent.  Just because your cloud provider is popular, doesn’t necessarily mean it’s up to par.
  • Don’t rely on firewalls alone, the bastion model of security is well out of date now.
  • Consider adhering to a standard such as Cyber Essentials or perhaps even ISO27000 series.
Cyber Awareness Training General Security Issues

What irritates SME Owners and Founders, when it comes to Cyber Security?

Ask that question amongst said SME Owners and Founders and I strongly suspect that you’ll get some differing answers, and possibly some colourful language.  But I also suspect that there will be several recurrent themes.  Chief amongst them will be that they feel they are being pressured into buying this or that solution and get inundated with sales emails.  The use of FUD, Fear Uncertainty and Doubt, is also a real irritant, and with good reason.  Keep crying wolf and the message starts to get samey and eventually ignored.  That of course is a big problem because regardless of the FUD, the dangers are very real.

I tend to come back again and again, probably boring the pants off people, with the argument that relying on your local IT provider to give you good advice and guidance on cyber security, is a major part of the problem.  They will almost always push the technical solution.  Their focus is on selling hardware and software, whereas cyber security is first and foremost a business issue, not an IT issue, and many of the protections needed revolve around people and process, not technology.  Pushing that thought though, is an anathema to the IT support company because, firstly, they don’t get it any more than you do, and secondly, it doesn’t sell licences.

Conversely though, an SME neither needs, not can afford, a full time cyber security professional on staff, and for that matter, neither can the IT support company.  So what’s the answer?  Now this is where I get accused of trying to sell in my services, rather than giving good advice.  I would counter that by saying that taking my services is taking good advice.  I can provide over 20 years of experience in cyber security to an SME, or indeed a startup, using a day or half day rate, and providing advice and guidance when it’s needed, without breaking the bank.

I usually start with telling the Board that SMEs should prioritise cyber security awareness training for all employees. This training should cover topics such as recognizing phishing emails, creating strong passwords, and safely using company resources etc.  Crafting a programme is not difficult and delivery can be automated, keeping time away from the day job to an absolute minimum.  Those that read my stuff regularly will no doubt not be at all surprised that I push this.  Cyber awareness training is the quickest win any SME can undertake, and it’s not expensive.

Keep in mind that a successful cyber attack can disrupt operations, compromise customer data, and lead to financial losses. For SMEs, which often rely heavily on customer trust and loyalty, a breach can tarnish their reputation and erode the confidence of existing and potential clients.

What most SMEs lack is the understanding that they have a responsibility for continuous improvement.  Having said that technology comes third after people and process, it is still extremely important when examining threats to the business from hacks and scams.  A business owner needs advice, guidance and recommendations for continuous improvement of the processes and solutions required to provide adequate defences.  How many SME owners have the time to keep up with the latest cyber threats?  How many have a good handle on the latest scams, an understanding of how well cyber criminals are getting to grips with AI and using it to create new attacks and scams, and to update existing ones.  Not many SME owners have that time to spare, if any.

How many SMEs can devise a cyber security strategy that provides not just the answer to the threats today, but can grow and flex with the business, taking into account the latest threat assessments?  For that matter, how many local IT support companies have the skill set to do that, and indeed, the inclination to do that?

Advice and guidance is needed to identify and prioritise security controls based on the specific needs of that particular SME, enabling them to allocate resources effectively and efficiently, in order to proactively and significantly reduce the risk of successful cyber attacks.

And very importantly this approach allows an SME to target their very limited spend on what the risk to the business actually is and to ensure that the protections being put in place are what is needed, and that it is giving value for money,

Cyber Awareness Training General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Security

Artificial Intelligence – It’s here to stay

Artificial Intelligence is coming more and more to the front in the news, in just about all spheres of IT, no matter the vertical it serves. 

What exactly is AI?

Artificial intelligence (AI) describes computer systems which can perform tasks usually requiring human intelligence. This could include visual perception, speech recognition or translation between languages.

Of course, that’s not the only description you’ll find if you use your best research tool, Google, but it’s one used by the National Cyber Security Centre, so it’ll do for me.

I’m willing to bet that many of you, most of you, have some form of AI app downloaded on your devices.  ChatGPT is arguably the most popular amongst the general populace but it’s not the only game in town.  These apps are becoming more and more available and popular. ChatGPT is an artificial intelligence chatbot developed by OpenAI, a US tech startup. It’s based on GPT-3, a language model released in 2020 that uses deep learning to produce human-like text.  It has an underlying technology that has been around much longer, but this blog isn’t about the technicalities of AI, but more about how it affects SMEs as they go about their business.

I’ve been arguing that perhaps the biggest potential threat in terms of proliferation, ie the number of attacks waged at a relatively low level, aimed at quick wins in terms of scamming money, is the re-emergence of the script kiddie.  I wrote, some time ago, about how code could be written to be inserted into a Ransomware attack, quite easily, using AI. 

Script Kiddie

A script kiddie was what we called someone of relatively low skill levels who would go online to the dark web, and purchase scripts written by more advanced criminals that they had put up for sale.   The script kiddie would then use these scripts to mount an attack on a company or organisation.  These often failed because the script kiddie wasn’t all that bright, but just occasionally, they were harmful and even devastating.

Another scam, reported in The Washington Post, was an update on the very well reported CEO Scam, whereby someone impersonates the CEO of a company using spoofed email, but this time it’s using AI spoofing the CEOs voice, attempting to scam money from the company.  This one worked, and the company lost a lot of money.

So why am I bringing this up again so soon?  Well AI continues to be reported in the news, sometimes with a good result and sometimes not so good.  So, I thought I’d ask Chat GPT what it thought about AI and Cyber Security.  I asked 2 questions, the first was, ‘Is AI a danger in terms of Cybersecurity?’.  The answer came back:

Double Edged Sword

AI can be both a boon and a potential danger in terms of cybersecurity.  On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks.  On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously.  Sophisticated AI powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale.  It is crucial to develop robust safeguards ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

So even ChatGPT thinks this is a double edged sword.  The real problem for my target clientele, the SME space, is that affording AI powered tools to detect and mitigate threats and analyse large amount of data, will seemingly be too costly for them.  But as many defences use AI themselves now, it’s actually quite affordable.  So, when we are talking about developing robust safeguards, understanding the risks becomes even more vital, if that’s possible, than it ever has been before.  It also brings Zero Trust solutions sharply into focus and finding such solutions that are affordable, is going to become crucial.

The next question I asked was, ‘How do we ensure that AI isn’t a cybersecurity threat?’.  The answer came back:

Key Considerations

Ensuring that AI is not a cybersecurity threat requires a multi-faceted approach. Here are some key considerations:

1. Robust Security Measures: Implement strong security protocols, encryption, and access controls to safeguard AI systems and their underlying data from unauthorized access or manipulation.

2. Rigorous Testing and Validation: Thoroughly test and validate AI algorithms and models to identify and fix vulnerabilities, including potential avenues for cyberattacks, before deployment.

3. Adversarial Testing: Conduct adversarial testing to simulate potential attacks and evaluate the resilience of AI systems against different cybersecurity threats.

4. Data Privacy and Governance: Establish clear policies and practices for data privacy, ensuring that sensitive information is properly handled, stored, and shared in compliance with relevant regulations.

5. Ongoing Monitoring and Updates: Continuously monitor AI systems for potential security risks, promptly address vulnerabilities, and keep software and hardware up to date with the latest security patches.

6. Ethical AI Development: Integrate ethical considerations into the design and deployment of AI systems, emphasizing transparency, fairness, and accountability to mitigate potential biases or unintended consequences.

7. Collaboration and Information Sharing: Foster collaboration among industry, academia, and government entities to share knowledge, best practices, and emerging threats, enabling a collective effort to combat AI-related cybersecurity challenges.

8. Education and Awareness: Promote cybersecurity awareness and provide training to AI developers, users, and stakeholders, emphasizing responsible AI usage and the identification of potential threats.

By following these guidelines and continuously adapting to emerging risks, we can enhance the security of AI systems and minimize the potential for them to be exploited as cybersecurity threats.

Next Steps & Relevance

Again, looking at this from an SME perspective, some of it isn’t relevant i.e., No6 for example, SMEs aren’t going to be developing their own AI solutions.  And much of it I would have come up with on my own, without the aid of a machine.  It would appear that AI uses some common sense, which is nice.  No8 for example.  I bang on and on about this.  It is low cost and easy to implement.  It’s staggering how many companies don’t do this. This list also shows the value of Zero Trust solutions and encryption, which on its own, vastly reduces the risk to data, particularly PII (personal identifiable information – UK GDPR).

The argument then is that AI might encourage a proliferation of low level attacks, largely aimed at SMEs who generally have the lowest defences.  Quite low level criminals can utilise AI to carry out attacks that heretofore would have been beyond their skill level.  Common Cyber sense can go a long way to mitigating these attacks.  Technology evolves, attacks evolve, but the basic understanding of threat + vulnerability = risk, has never gone away.  Understand that and you stand a good chance of staying safe.

Cyber Awareness Training General Security Issues Risk Analysis and Security Strategy

Can a Board Advisor Help You Devise Your Cyber Security Strategy?

I’ve always dabbled in Board Advisory roles, even when working for major IT integrators, because consultancy at a senior level, often crosses that boundary.  The bigger companies will often value having independent advice, although I have found it’s not always welcomed by their in house IT/Cyber team, who can become quite defensive.  The more experienced of them do see the value, even if it’s only validating what they have already put forward as a solution to a particular problem.  And they often use a Board advisor to craft the boring bits, around strategy and policies.  And I’m OK with that.

When we set up H2 to service the SME sector, we naively thought that they’d welcome an advisor who could guide them through what can be a difficult minefield.  It was a bit of an eye opener that SMEs don’t see the value in this at all.  In fact, what they see is a drain on resources.  It’s a little strange because they are very happy to spend money on getting advice from their local IT company that supplies, and often manages, their IT infrastructure, but who are also focused of selling a product set, dressed up as a solution.  Now, I know that that will upset some IT providers and I’ll water my comments down a little by saying I’m referring to Cyber Security which is a distinct discipline which many nibble around the edges without any in depth knowledge or experience. 

So, what does a Board Advisor do? 

Board Advisors help to guide businesses but are not legally authorised to bind them. As companies establish themselves, moving from an idea to a fully structured and realised organisation, they typically prepare for full operation, sales, and/or fundraising, and in my case, Cyber Security.

As they begin these processes, experts in the field – including mentors or specialists brought into the organisation by a mentor – become hugely valuable as the organisation works to achieve its goals. Advisors are key assets, and it’s crucial to formalise exactly what they will provide, their availability, who they can introduce you to, and how much time they can give you – as well as how they will be compensated in exchange for these services.  A board advisor can help fill in any gaps in your team in terms of both experience and expertise. They can also help you bring in new team members and sometimes sources of funding as opportunities allow. Most crucially, they can do all of this while giving you time to think about what you need to be doing to grow your business, or just get it and keep it, running.

Board Advisors are also far more flexible, offering services either on an ongoing basis, in parallel to a Board of Directors, or as part of your transition into a formal, Board-run business.  In other words, they are not full time employees, but work on a part time basis where you pay them for their time, bounded as you see fit.

How does a board advisor add value?

In terms of cyber security, a Board Advisor is an experienced cyber security professional who provides advice and support to a business’s leadership without sitting on their Board. They provide counsel based on their prior experience in this field to help the Board make decisions, especially when faced with unfamiliar challenges.  And most challenges in the field of Cyber Security will be unfamiliar to them. 

When working as an advisor it is essential that we are excellent coaches and can demonstrate our deep knowledge of the subject.  We need to take both their board members, their in house IT teams and IT users, getting them onside and letting them know that we are there to enhance their knowledge and skills, we are not their enemies.  We must also be prepared to work with any IT company they may have under contract, although that can be a bigger challenge.

Summary

Having a Board Advisor who can mentor the leadership team and other employees, either on a retainer or paid for actually hours worked, can be a great boon for an SME.  Just having someone who can debunk the myths and devise strategy, training programmes and advise on cyber risk, is something that any SME management team should value.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Risk Analysis and Security Strategy

What Are The Chances of a Cyber Attack Affecting You?

That’s a really good question and one that’s very difficult to pin down.  There are studies galore, mostly from the cyber security industry, and you might feel a little sceptical about those, but also from Governmental sources, which you might consider hold more weight.  Fear, Uncertainty and Doubt, known as FUD, permeates the airwaves about this and it can be a bit of a nightmare separating fact from exaggeration.  And I get that, I really do.

Aviva, not of course a cyber security company but who nonetheless do sell insurance, carried out some research reported in December 2023, which seems, on the fact of it, to be a little more realistic.  They have said that one in five UK businesses have experienced a cyber-attack or incident, with nearly one in 10 (9%) small businesses experiencing this in the last year. This number rises to 35% of large corporate businesses, showing the increasing risk that cyber presents.  But even this has some problems in that it depends on how many businesses reported such an attack or incident.  There is other research that suggests that many businesses, especially SMEs, keep such things well under wraps.

That’s a really good question and one that’s very difficult to pin down.  There are studies galore, mostly from the cyber security industry, and you might feel a little sceptical about those, but also from Governmental sources, which you might consider hold more weight.  Fear, Uncertainty and Doubt, known as FUD, permeates the airwaves about this and it can be a bit of a nightmare separating fact from exaggeration.  And I get that, I really do.

Small Business Cyber Attack Statistics 2024 (And What You Can Do About Them) says that SMEs account for 43% of cyber-attacks annually, of which 46% were SMEs with 1,000 or fewer employees.

In the 2023 Not (Cyber) Safe for Work Report, there are some alarming statistics.  A staggering 97% of executives use personal devices to access work accounts, and 74% frequently send work-related emails and texts from these devices.  Behaviour which significantly increases the vulnerability of SMEs to cyber-attacks, putting not just operations at risk but also sensitive employee and customer data.

SMEs are often repositories of a considerable amount of personal and financial information, making them lucrative targets for cyber criminals.  The report further indicates that one in three respondents has fallen victim to data theft via scams.  A single can result in identify theft, financial loss, and severe reputational damage.

This is a suggested list of the top 10 Cybersecurity Threats:

  • Social Engineering (often a precursor to Phishing).
  • Third-Party Exposure.
  • Configuration Mistakes.
  • Poor Cyber Awareness and Practice.
  • Cloud Vulnerabilities.
  • Mobile Device Vulnerabilities.
  • Internet of Things.
  • Ransomware.

Given that many SMEs have now adopted the hybrid working style since COVID, these are not particularly surprising.  Working remotely isolates employees who can be much more easily panicked into doing things that are unsafe, than if they have someone on hand, in the office, they can turn to for advice.  For example, Phishing.  Should I click this, does look a bit iffy?  I’ll ask Fred and see what he thinks.  As opposed to sitting at home, working to a deadline, and getting pressured by well-crafted Phishing emails, and thinking, I’ll just do it, what’s the worst that can happen?

One of the major problems facing all sizes of business is the lack of cyber security skills available for hire, either as an FTE or a contractor.  Shockingly, In September 2023, 50% of all UK businesses had a basic cybersecurity skills gap, while 33% have an advanced cybersecurity skills gap. These figures are consistent with those from 2022 and 2021, highlighting the persistent skills gap issue.

We talked a little bit above, about people using their devices.  This isn’t necessary a major issue, providing the individual is prepared to adhere to some security controls being placed on that device, if it is to be used for work.  It’s a bit of a balancing act.  It is reported that 80% of employees are uncomfortable with the idea of their personal devices being monitored by their companies, yet 73% would consent to having cyber security software installed on their devices.  So, a balanced approach is needed, which respects individual privacy while ensure collective security.  Not easy.

Here are 5 actionable steps we are recommending SMEs take:

  • Employee cyber awareness training.  Probably the biggest and cheapest quick win any SME can and should be taking.
  • Strong access control using multi factor authentication.  This should be a no brainer.
  • Cyber Security audits and monitoring.  Not easy for many SMEs who will be put off by thinking about costs.  However, this has become much more affordable, and all SMEs should be having conversations around this.
  • Encryption.  Again, becoming much more affordable and easier to use.  If your sensitive data is encrypted, the chances of falling foul of data protection becomes much less of an issue.
  • Supply chain security.  Many SMEs are in the supply chains of the bigger companies, often utilising online processes, connecting direct to the customer.  What would happen if a cyber-criminal gained access to a customer of yours, through your systems?

There is no silver bullet for this.  First and foremost, it must be recognised as a business issue, not an IT issue.  It must be owned from the top, and dealt with by the board, as they would any other business issue.  You can outsource your IT management, but you can’t outsource your responsibility.

Cyber Awareness Training General Security Issues Risk Analysis and Security Strategy

Cyber Security Really is a Business Issue, not an IT Issue

Happy New Year and welcome to my first blog post of 2024.  For my theme I thought I’d expand on a post I made earlier this week on LinkedIn, about how cyber security is viewed by many SMEs and explore why that view appears to be paramount.  I am pretty much of the view that the attitude I’m about to expand on, is as much the fault of the cyber security industry, as anything else.

We tend to flood potential clients with adverts and articles, mainly focused on technology.  Many of this comes from sales, rather than from the seasoned cyber security experts, that you might wish it did.

Let me give you a couple of quotes.  The first comes from a renowned Harvard scientist and cyber security specialist.  He says, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.’  The second comes from Joe Longo, the Chair of the Australian Securities & Investments Commission.  He says, ‘If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.’

Boil that down and they are saying that this is not an IT issue, it’s a business issue.  That’s not discounting technology’s role but without integrating it with PEOPLE and PROCESS, we’re only curing half the ailment. When advising a company’s leaders, we must not only identify the threats but also gauge vulnerability to these threats and ascertain the risk to the business. Only then can we craft a solution that harmoniously unites People, Process, and Technology.

Perhaps because there is a considerable amount of what we call FUD, fear, uncertainty and doubt, doing the rounds constantly, it concentrates people on thinking about specifics, instead of looking at the bigger picture.  Whilst there is no doubt that phishing, ransomware, and other scams have certainly concentrated the mind somewhat, and these attacks are most definitely not confined to the large enterprise businesses, but have been attacking, with a lot of success, the small to medium business market, this causes vendors to try and exploit the issues around that and push their technology solutions and of course, SMEs rarely, if ever, have the expertise to judge whether or not a particular product will actually give them the protection they need.  We now must add into the mix AI and its capacity for increasing cyber-attacks at all levels, making the production of code, so much easier and making it available to those perhaps less skilled than heretofore.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  Let’s just remind ourselves of the quote from Bruce Schneier:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

So, what does he mean?  As he’s not here to ask I suggest what he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

It’s also necessary to have some form of measuring the effectiveness of your solutions through a protective monitoring solution.  Such solutions for SMEs have long been considered too expensive to even consider, even though it provides a set of cybersecurity practices and measures aimed at safeguarding an SMEs digital assets and sensitive information.

But first and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it goes not as expected?  Do I want to take this person on?  Etc etc etc.  Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take.  Failure to do that will almost certainly be damaging to your business, perhaps fatally so. 

Within SMEs the difference between assessing day to day business risk and assessing risk to information assets, is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations.  I could go on.

The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate to achieve your business aims.   You need to ensure that supporting policies are produced, implemented, understood by employees, and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

Sadly, that’s not the end.  User education is probably the most important element of all for an SME.  Ensuring that your staff are aware of the policies and why they exist.  Protect yourself against scams which sadly, form the biggest danger to SMEs rather than hacks.  Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

Cyber Awareness Training

Cyber Awareness Training and its worth to the business

I’m going to cover off a couple of subjects today, starting with an excerpt from a Data Breach Investigation Report by Verizon, from which I am openly cribbing. The bit that initially grabbed me attention was the number of recorded business email compromises (BEC) reported which have apparently, doubled over the past year, with this threat comprising nearly 60% of social engineering incidents studied.

The report was based on an analysis of 16,312 incidents and 5199 breached over the past year and the report suggests that BEC is now more common than phishing in social engineering incidents, although phishing is still more prevalent in breaches.

Social engineering, that is to say the gathering of information and profiling a target company is a very real reason why most breaches involve a high proportion of human interaction.  It is especially prevalent amongst senior management who are often exposed to such attacks.  In fact, I reported last week that AI is now being used to spoof emails and even phone calls, purporting to come from senior management, instructing staff to carry out an action that will involve some form of financial penalty.

This means that the protections in use against this type of attack can’t simply rely on technical solutions, but that staff must be made aware of, and kept up to date with, the latest techniques, as they will be the ones who will be targeted in the first instance.  Training must also involve senior management; they are most certainly not immune.

As I go around the SME community, it never ceases to amaze me that many SME owners don’t see the value of cyber awareness training for their staff, and I can’t help wonder why not.  After all, we would argue that it is one of the single biggest wins against cyber-crime that an SME can take, at a minimal cost in turns of time and money.  So why do I think this is?

Statistics reveal that around 60-70% of UK SMEs have suffered a cyber-attack, and amongst those, only 11% had cyber cover. While we are beginning to slowly see a rise in the number of businesses seeking insurance cover after becoming more aware of the risks of cyber-attacks since the pandemic, we still have a long way to go.  Now, cyber insurance is another very thorny issue which really deserves a blog of its own.  However, briefly let’s say that there are many clauses in most, if not all, policies that will require named precautions to have been taken, before any pay out can be considered, and those pay outs are not common, shall we say.

Returning to the subject of Cyber Awareness training, this is a favourite hobby horse of ours, particularly as it affects non-technical staff where it is vitally important for both managers and employees to make them aware of what they could be facing.  If you don’t know what threats exist, them how can you look out for the signs, and how can you effectively target your security spend.  Likewise, staff must know what to look out for, how attacks are formulated and how they are carried out.  A good motivator for staff is that, to put it bluntly, their jobs are on the line if the business is hit badly and loses money.  Most SMEs are involved in businesses where cash flow is king, and they simply can’t afford the kind of hits that are being experienced almost daily now.

It cannot be stressed enough that whilst your staff are your greatest asset, they can also be the biggest threat regarding cyber security.  Most data leaks are caused not be personnel doing anything deliberately wrong, but by doing things they didn’t know they shouldn’t, and by not fully understanding the processes in place to fight off such attacks.

Moving on, and unashamedly cribbing from another article, this time from Forbes, which was all about the need to prioritise cyber security and the culture needed to promote it continuously throughout the organisation.  This of course, continues to reinforce the need for adequate cyber security awareness training throughout year, and not just as a tick in the box, point in time exercise.  A very real perspective, not just at the SME level but at all levels of business size, is that “cybersecurity is a cost centre”, a cost to the business that doesn’t help drive revenue and therefore it’s an expense line item; expensive employees, expensive tools and processes that can hinder operations. With the explosion of internet connected everything constantly collecting data, security is a SALES DRIVER. Being secure and having the ability to prove it (via audits/certs) builds TRUST and makes for a stronger brand. For most SMEs it is already well known that if they want Government contracts or want to be in the supply chain for bigger company’s servicing Government contracts, then Cyber Essentials and Cyber Essentials Plus, is a must, so It is time to shift the old mentality and to start focusing on how security can help drive sales and revenue.  We are seeing a shift in that direction, albeit slowly, but even so, many in SME management are reluctant to embrace this reality. It often takes a customer, or potential customer, to carry out due diligence before placing an order, to convince an SME to take this seriously.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Protecting Your Business from Cyber Attacks – Part 2 – Plus some info on a Ransomware Attack

efore I begin I thought it would be appropriate first, to discuss an issue that has cropped up in the news, which I believe is extremely pertinent to SMEs, because many use MS365 and Azure in part or in whole, for storing their data and as part of their access controls.  Many IT companies that service SMEs, will claim that Azure provides excellent protections, and that it’s enough on its own.  Now, I’m not here to denigrate Microsoft, heaven forefend, but it would be remiss of me not to point out a recent breach, which might well be a state backed attack, but nonethess has created what is known as an Advanced Persistent Threat (APT), known as Storm-0558 breach.

This breach has allowed China-linked APT actors to potentially have single-hop access to the gamut of Microsoft cloud services and apps, including SharePoint, Teams, and OneDrive, among many others.  It is estimated that the breach could have given access to emails within at least 25 US government agencies and could be much further reaching and impactful than anyone anticipated, potentially placing a much broader swathe of Microsoft cloud services at risk than previously thought.

A lack of authentication logging at many organizations means that the full scope of actual compromise stemming from the situation will take weeks, if not months, to determine.  This of course raises issues with authentication even amongst large enterprises and government departments.  SMEs are far more reliant on such technologies and are subsequently far more at risk.

This breach was caused by a stolen Microsoft account key which allowed the bad guys to forge authentication tokens to masquerade as authorised Azure AD users, and therefore obtaining access to Microsoft 365 enterprise email accounts and the potentially sensitive information contained within.  However, it gets worse, as it turns out that the swiped MSA key could have allowed the threat actor to also forge access tokens for “multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams and One Drive.

It should be noted that Microsoft took swift action and revoked the stolen key, however despite this some Azure AD customers could potentially still be sitting ducks, given that Storm-0558 could have leveraged its access to establish persistence by issuing itself application-specific access keys, or setting up backdoors.  Further, any applications that retained copies of the Azure AD public keys prior to the revocation, and applications that rely on local certificate stores or cached keys that may not have updated, remain susceptible to token forgery.

OK, now back to the original subject.  Steps 6 to 10 in my suggested top ten list.

  1. What steps should I take to protect my business from ransomware attacks? A very good question with a multi thread answer.
  • Keep Software Updated. Regularly update your operating system, applications, and antivirus software to ensure you have the latest security patches.
  • Use Strong Passwords. Use unique and complex passwords for all your accounts and consider using a password manager to keep track of them securely.
  • Enable Two-Factor Authentication (2FA).  Add an extra layer of security by enabling 2FA whenever possible, as it helps prevent unauthorized access to your accounts.
  • Be Cautious with Email. Avoid opening attachments or clicking on links from unknown or suspicious senders. Be wary of phishing attempts.
  • Backup Your Data.  Regularly back up your important files and data to an external hard drive or a secure cloud service. This way, even if you fall victim to ransomware, you can restore your files without paying the ransom.
  • Use Reliable Security Software. Install reputable antivirus and anti-malware software to help detect and block ransomware threats.
  • Educate Yourself and Others. Stay informed about the latest ransomware threats and educate your family or colleagues about the risks and preventive measures.
  • Secure Network Connections. Use a firewall and be cautious when connecting to public Wi-Fi networks.
  • Limit User Privileges. Restrict user access privileges on your devices, granting administrative rights only when necessary.
  • Monitor for Suspicious Activity. Regularly monitor your devices and network for any unusual or suspicious activity that might indicate a potential ransomware attack.
  1. What can I do to ensure that my data is backed up in case of a cyber-attack? This is straight forward and highlights a problem whereby many SMEs think that if their data is on a cloud service, they don’t need to back it up.    You need a backup routine that separates your backed up data, from your data storage.  What I mean by that, is that if an attacker, or a piece of malware, can jump from one system to another, then having a live connection to your back up defeats the object, but it’s surprising how many people do this.  So, there are a number of methods.  The first is the good old fashioned tape backup.  Becoming less and less used nowadays but still very effective.  Another is that several cloud providers also provide a backup solution that disconnects once the backup has been done and will allow you to go back to a ‘clean’ backup if the current one has been compromised.  Check this out, but do back up your data, don’t be convinced that you don’t need to, you do.
  1. What cyber security measures should I put in place to protect my business from external threats? To protect against external cyber threats, you should consider implementing the following cybersecurity measures:
  • Strong Passwords: Encourage employees to use complex passwords and enable multi-factor authentication wherever possible.
  • Regular Updates: Keep all software, operating systems, and applications up to date to patch known vulnerabilities.
  • Firewall: Set up and maintain a firewall to control incoming and outgoing network traffic.
  • Antivirus Software: Install reputable antivirus software to detect and remove malware.
  • Employee Training: Educate your staff about cybersecurity best practices and potential threats, such as phishing and social engineering.
  • Data Encryption: Encrypt sensitive data to prevent unauthorized access if it gets intercepted.
  • Access Control: Implement role-based access control to limit users’ access to only the data and systems they need.
  • Regular Backups: Regularly backup your important data and keep the backups in a secure location.
  • Network Monitoring: Use intrusion detection and prevention systems to monitor network activity for suspicious behaviour.
  • Incident Response Plan: Develop a comprehensive incident response plan to handle cybersecurity incidents effectively.
  • Vendor Security: Ensure third-party vendors and partners also have strong security measures in place, especially if they have access to your data.
  • Physical Security: Protect physical access to servers and sensitive equipment.
  1. How can I stay up to date with the latest cyber security threats and best practices? There is a number of things you can do but a lot depends on how much time you have available to devote to this.  Probably not much and you may wish to consider having an advisor on tap, and surprise, we provide such an advisor.  But pointers that might want to consider include:
  • Subscribe to reputable cyber security news sources and blogs, like this one!
  • Attend cyber security webinars.
  • Follow cyber security experts on social media.
  • Sign up for security alerts: Many organizations and government agencies offer email alerts for the latest cyber threats.
  • Participate in cyber security training. I can’t emphasise enough the value of cyber awareness training for your staff.
  • Read official reports and advisories: Stay informed about security bulletins and advisories released by software vendors and security organizations.
  • Practice good cyber hygiene: Implement strong passwords, use multi-factor authentication, keep your software up to date, and regularly backup your data.
  1. What steps should I take to ensure my business is compliant with relevant regulations and industry standards?

This is going to depend on several factors, such as the business you are in.  Many organisations must adhere to a variety of standards within their area of business and of course, many use a variety of International Standards such as ISO9000 series.  On top of this there are legal frameworks that you also must adhere to, amongst those are UK GDPR and financial services regulations.  Not an exhaustive list.  It can be a minefield.

It is somewhat surprising to me, that many SMEs that I visit don’t know what data is subject to these regulations and what isn’t, and where that data is actually stored, how it is processed and protected.  They will argue that they do know most of this, at least at a high level, but that they outsource to their local IT provider.  That won’t help you if a regulator comes after you.  You can outsource your IT, but not your responsibility.  Take advice, get guidance, there are some great protections and audit tools out there which don’t have to cost a fortune.  Check them out.

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

Scroll to top