Data Breaches and their consequences Archives - Page 2 of 4

All about H2

Introduction

All the information below is contained within the website but we thought it might be useful to summarise it in one post to make it easier for people who want to understand what we are all about.

About myself and H2

I like to start any discussion by saying that I’ve been in the cyber security game almost since before it was a game! I started in Information Security at the MOD at a time when IT and databases were in their infancy and got in on the ground floor. I subsequently went to work for the NHS, HP/HPE, CSC and Symantec, during which time I led many major cyber security projects in the public and private sectors, designing and commissioning the Security Operations Centre for the FCO, carrying out several projects for the MOD, leading the security team for the new online passport application, as well as several high street banks.

In 2013 I was asked to go to the middle east to set up a Cyber Security team covering the UAE, Bahrain, Saudi Arabia, and Qatar, growing the team from 3 people to 24.

On return my business partner and I set up H2 to serve the SME community. Sadly, my business partner did not survive the pandemic, and I am now the sole management of the company.

So why SMEs? Surely there’s more money in corporate security?

Well yes there is, but SMEs are at the heart of our ethos. During our time working in the corporate sector, it became clear that there was little to no support given to SMEs, either at the S, or the M end of the scale, and the big security companies and system integrators were content to leave that to their resellers ie those local IT support companies that resold their products.

Here at H2 we understand that the only real difference between an SME and a corporate organisation, in terms of cyber security, is that of scale. We have therefore scaled our services, the products that support them, and our pricing, to fit with an SMEs issues and

pocket. We like to say that we offer a triple A service providing solutions that are Appropriate (to you), Affordable and Accreditable (to standards such as Cyber Essentials).

Take a look at our Blog and social media posts. We try to inform and educate, placing a link between what we know, and what SMEs need to know but are rarely told.

Solutions Provided to SMEs

The first thing that we discovered is that SMEs have a very poor grasp of cyber security issues, although that is changing following the pandemic when many were forced to change their working practices almost overnight and have subsequently embraced a distributed working model. There is no doubt that the propensity for working from home, or other remote locations, since COVID has introduced some very difficult, or at least challenging, security vulnerabilities into SME networks. For instance, prior to the pandemic, when they were 100% office based (except perhaps some mobile salespeople), their local IT provider will have almost certainly set up what we called the bastion security model. Ie, like a castle, a bastion, you had a wall around you, and for belt and braces, you also had a moat. The gateway was robust, had a drawbridge and portcullis, or let’s call it a secure firewall and anti-malware system. Everything was locked up inside and nice and secure (in fact it probably wasn’t but that’s for another day).

Whilst Microsoft didn’t invent the term the ‘new normal’, they were the first, I believe, to apply it to IT, following the enforced change in working practices brought about by the pandemic. Many companies have embraced this new normal and have settled into some form of hybrid working. Of course, this is nothing new, it’s been ‘a thing’ for years now, certainly in corporate organisations. The real change came about in SMEs for whom it really was quite revolutionary. Corporate bodies will have spent a lot of money on a variety of remote access systems to keep their data secure, whilst SMEs not only had to rush unprepared because of the pandemic, but they simply didn’t have the budget to employ more secure connections.

What the pandemic has done is change that, or perhaps arguably, accelerated the change to a more distributed way of working, already underway in corporate organisations but now common amongst SMEs.

Our first challenge then was that of education. Changing the mindset of SMEs, moving them away from being simply technology focused, onto a more business oriented cyber

security focus. Cyber security is a business issue, not a technical issue and that is something that many SMEs fail to grasp. Any true cyber security professional takes a

risk managed approach, identifying the risks posed to their client, and then applying the principles of People, Process and then Technology, in that order. That risk managed

approach is equally applicable to all sizes of organisation in all sectors and has not changed since the advent of the internet.

Taking the services we provide as shown clearly on our website (where pricing is shown), www.hah2.co.uk, the first is that of Board Advisory, where we offer advice and guidance to our clients regarding their security. We often end up providing this advice for free as we are putting forward solutions to solve their issues but there is of course a limit to that. We also offer a Cyber Maturity Assessment (CMA), which is close to a full risk assessment but tries to keep the costs down to an order that an SME can afford. The CMA is fully described on the website, and we won’t reprint that here.

Another service we provide is Penetration Testing and Vulnerability assessment. Pen Testing is a point in time test ie the minute you finish it and have read the report, it’s out of date. It is however useful to do once a year or when you add a new feature to your systems, or take a new system into use. We use a fully qualified CREST team who can, if you wish, also carry out attack simulations.

Vulnerability assessments are carried out continuously via agents deployed on the network. The main difference is that as a Pen Test will find real issues, a vulnerability assessment will find things that you may be vulnerable to, but which haven’t necessarily been exploited and in fact, may not be a real issue once investigated. They are, however, continuous throughout the year and can be more effective.

We talked earlier about People, Process and then Technology. Arguably your first line of defence is your people. They can also be your weakest link. Data leaks often occur inadvertently, due to a lack of awareness rather than malicious intent. We offer cyber awareness training designed to equip your team with the knowledge and skills to safeguard sensitive information.

This training can be delivered in one of 2 ways. The first is classroom based, either on site or over a remote connection such as Zoom or Google Meet. The second is online training provided via another of our solutions which will be described below and allows

staff to pick when they will take some time to undertake the training which is delivered in a modular fashion, taking up very limited time which won’t take staff away from their desks to too long.

Another very important service which we provide online, cloud based, using a SaaS solution, is aimed at Data Protection. Clients with large amounts of sensitive data that they wish to protect, use this solution. It is essentially a data loss prevention system

that is designed and priced for SMEs, using state of the art file level encryption. This system comes with a 30-day free trial so that clients can see it for themselves.

Based on Actifile it is tailored to the unique needs of the modern business which often sees its staff work remotely as well as in the office. It protects the valuable data you hold and reduces your risk, without breaking the bank. It covers:

Insider Threat Detection: Protect your business from internal threats posed by employees
Ransomware Protection: Safeguard your data from ransomware attacks that can cripple your operations
Data Leakage Prevention (DLP): Prevent confidential information from falling into the wrong hands
Data Privacy and Compliance: Ensure you meet GDPR requirements and avoid costly fines
Automated Encryption: Protect sensitive data with encryption that’s easy to manage.

In the dynamic world of cybersecurity, staying ahead of evolving threats requires a comprehensive approach that adapts to the ever-changing landscape. At H2, we recognise that one-size-fits-all solutions often fall short, which is why we’ve developed a flexible and scalable cybersecurity solution powered by Guardz, to address the needs of our clients.

Our approach is grounded in sound risk management principles, ensuring that our solutions are aligned with your specific cybersecurity requirements. Whether you need one or more of our products woven into a solution, we can tailor that solution to meet your exact needs and budget.

This complements the data protection solution whilst remaining capable of standing alone. Especially devised and priced for SMEs, it maintains our commitment to affordability and accessibility which is reflected in our incredibly competitive price of

£12 per seat, which includes no hidden charges, add-ons, or expensive infrastructure costs. The solution comes with a 14-day trial to give you hands-on experience with our solutions and assess their impact on your business.

This solution comes with a fully loaded Cyber Security Awareness training course, and a Phishing simulation capability.

You should note that we have bundled the 2 managed services together and offer them at a price reduced by £3 per seat per month.

Finally, we offer certification in Cyber Essentials and Cyber Essentials Plus which provide robust defences, endorsed by UK government to guard against common cyber-attacks. They are required certifications to work with public sector entities, and achieving certification signals a commitment to securing client data.

We now offer different pricing options to our clients. For Cyber Essentials we offer:

Our Supported Package whereby we guide you during yourself assessment ensuring that you achieve certification first time, can be purchased at a one-off price which we are happy to quote for or a monthly subscription from £61 per month.

If you are short on time or not too sure what to do, try our Turnkey Package whereby we carry out the assessment for you in total, once again ensuring that you achieve certification first time. This can also be purchased as a one off at a price which we are happy to quote for or there is a subscription price which starts at £120 per month.

We can offer consultancy around ISO 2700X if it is considered desirable or appropriate. We can advise on that.

What are the effects of downtime on your business?

I’ve talked in the past about what SMEs really care about when it comes to cyber security. Do they really care about the technicalities of an attack or scam? Do they really care about the technical aspects of a piece of protective software or hardware? My argument is that they don’t give a damn. What they want to know can be summed up pretty easily.

How vulnerable are they to an attack and/or scam?
What would be the effects if that attack or scam succeeded?
What can they do about it, and how much will it cost them?

I wrote mostly about points a and c in a blog earlier in the year, https://hah2.co.uk/what-do-sme-owners-and-directors-want-from-cyber-security/, and I’ve included the link if you want to read it. This time I’m concentrating on point b and the effects of the downtime that it creates.

Downtime following a cyberattack can have serious consequences for businesses, and individuals. We can categorise these into several key areas:

Financial Costs

Lost Revenue: For e-commerce platforms, financial institutions, or other time-sensitive industries, downtime directly results in revenue losses.
Operational Costs: Companies may need to pay overtime to IT staff, hire external cybersecurity experts, or invest in replacement hardware or software.
Regulatory Fines: Non-compliance with regulations like GDPR or industry focused standards, due to downtime or data breaches can lead to significant fines.

Damage to Reputation

Loss of Customer Trust: Downtime can erode confidence, especially if sensitive customer data is exposed or if services are unavailable for extended periods.
Brand Damage: Affected organisations may face negative publicity, making it harder to attract and retain customers or partners.

Operational Disruption

Service Outages: Critical systems might be offline, affecting production lines, supply chains, or essential services.
- Loss of Productivity: Employees unable to access IT systems are effectively idle, causing delays in work and project completion.

Data Loss

Corruption or Deletion: Cyberattacks like ransomware can encrypt or destroy critical data, which may take days or weeks to recover, even with backups.
Intellectual Property Theft: If attackers steal proprietary information, it can be sold to competitors or leaked online.

Security Gap

Exploitation of Vulnerabilities: Downtime often exposes weak points in an organisation’s infrastructure, which may need to be patched or rebuilt.
Increased Risk of Future Attacks: Downtime may signal to attackers that the organisation is a viable target.

Legal and Regulatory Implications

Breach of Contract: Failure to meet service-level agreements (SLAs) due to downtime can result in legal action from customers or partners.
Insurance Implications: Cyber insurance claims may be denied if the company failed to follow adequate preventative measures.

Psychological and Social Impact

Employee Stress: Staff may feel pressured to resolve issues quickly, leading to burnout.
Customer Frustration: Extended downtime can alienate loyal customers, particularly in industries where continuity is critical, such as healthcare or finance.

Broader Economic and Societal Impacts

Supply Chain Disruption: Downtime in one organisation can ripple through its partners, affecting entire supply chains.
- Critical Infrastructure Risks: Attacks on essential services like utilities or healthcare systems can have life-threatening consequences.

I have blogged many times about the mitigation strategies you can take, that don’t need to break the bank, but the bottom line, proactive measures can significantly reduce the impact of cyberattacks and the associated downtime. Understand your vulnerabilities and threats, base your spend on protecting against those threats, starting with the most serious, and then working down. Don’t try and get to 100% security, it doesn’t exist, so understand what risks you find acceptable and what risks you don’t.

Cyber Security Skills Gap

We often hear, particularly withing the Cyber Security industry itself, of a skills gap and a real problem recruiting and retaining cyber security professionals. Why and is it real or imagined? There is a very useful report you can reference from the Department for Science, Innovation and Technology (DSIT), which I’d recommend.

Firstly, let’s look at the market. As my regular readers will know, I work largely in the SME market, having come from the corporate market where I worked for many years. Even there, true cyber security professionals were always hard to find and it’s very important to recognise the difference between cyber security skills and experience, and technical skills and experience.

Let me explain. Within the SME sector there has always been the perception that technical skills were what is needed when putting in place protections against cybercrime. That does seem to be changing, and I asked the question of a business audience a couple of weeks ago; did they think cyber security was a business issue or best left to the techies. 100% said business which is much different than when I first asked this group the same question 18 months ago, when about 80% said it was a technical issue. This last result was somewhat heart-warming.

So why does technology get pushed so hard in that sector? If we look at the corporate market for a moment, we’ll see that these organisations have a solid security team in place, run by a Chief Information Security Officer (CISO), who often reports to a Chief Information Officer (CIO) who is a board member. This allows them to build a team covering most of the security skills needed, cyber generalists and governance, risk and compliance specialists amongst others, and techies as well. They will often only outsource skills only needed now and again. But even here they often struggle to recruit.

SMEs simply don’t have that organisation in place, and even at the top ‘M’ end of the market, those company’s knocking on the door of the corporate market, they still outsource most of their IT and with it, their cyber security. The reason why an SME would choose to do this is obvious, it’s cost. They can’t afford to employ even IT staff full time and those that do, often have one person whose main role is to keep on top of their outsource partner.

A big issue facing SME organisations is balancing limited resources with the growing complexity and volume of cyber threats. The lack of resources is compounded by an overall dearth of cyber-security skills in general, and a real lack of skills in mid-sized companies and the IT companies they often outsource to.

Allied to this issue is that many IT support company’s, focused on the SME market, don’t really have any more of a handle on cyber security issues and how to fix them, than the SMEs themselves. This might sound harsh but consider that their business is all about selling in hardware and software licences, the more they sell, the stronger their business. Obvious right? That makes them focused on the technologies they sell, firewalls, anti-virus etc, and they will have technical skills needed to support and maintain those products. That’s all fine but ask them some simple questions:

Have they fully identified your security assets? Security assets are not just hardware and software, in fact those are often the least of your worries. It’s the data, where it is and how it’s protected that is important.
Have they done a risk assessment on those assets.
Have they recommended or implemented controls to manage the risk down to your acceptable residual risk level. That is assuming they have spoken to you about what that acceptable risk is.

It’s very important that business owners grasp the difference between the technical requirements of their networks, and the business requirement.

Cyber security professionals will focus on encompassing all aspects of protecting digital assets, IT systems and networks, from unintended or unauthorised access, change or destruction. Cybersecurity focuses on a devising a security strategy and identifies controls, processes, and technologies to ensure the protection of data, programs, networks and associated software from unauthorised access or attack. It is focused on People, Process and then Technology.

Technical security focuses on the technologies employed as controls to remediate the risks defined in the risk assessments carried out. Risk assessment is essential because without it, you can’t be sure that you have the right controls in the right place doing what you think they are doing. In other words, it helps to ensure that your spend is targeted correctly and you’re not wasting money.

And that last piece is what your local IT provider is not doing. They look at tech, not the business.

Getting back to the skills gap, it’s clear that whilst that gap exists it probably isn’t hitting SMEs hard because they weren’t invested in those skills in the first place in the way the corporate market is. SMEs tend to outsource those things that aren’t their core business, including IT, HR and payroll etc, so why not cyber security? The answer is often because they don’t think they need to, often until it’s too late. Having someone on tap that you can contact for advice and guidance is worth every penny. Trust me – I’m a cyber security pro!

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services designed specifically for SMEs; at a price they can afford. Our advice and guidance takes a unique look at the problems facing SMEs whilst calling on our vast experience working for the larger organisations and government departments.

To learn more about the services we provide please click here https://www.hah2.co.uk/

Alternatively, please feel free to give us a call or email

T: 0800 4947478

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Trust H2 – Making sure your information is secure

HOW DO HACKERS HACK?

You’ll have to forgive me for a somewhat provocative title and allow me some poetic licence, because in fact, different hacking groups do things differently, although they have much in common. Personally, I don’t like the term hacker, much preferring cybercriminal, because anyone who accesses a system without the owners’ permission, is by definition, a criminal. But I suppose hacker is less of a mouthful.

So, what is hacking? Hacking involves exploiting vulnerabilities in systems, software, or networks to gain unauthorised access or manipulate data using a variety of techniques and methods, which tend to combine technical tactics and social engineering.

One of the first things a hacker, or criminal group, will do, is to profile your organisation and your people. Favourite open sources of information include:

Social media: Information about hobbies, job roles, family, and schedules shared on platforms like LinkedIn, Facebook, and Instagram. Do you have a social media policy in your company? Do you lay down what an employee can and cannot say about your company on their personal social media pages? Do you have a designated person in the company who handles your company’s profile on social media?

Company Website: You’ll want to give prospective clients contact information of course, but you should not give out individual email addresses and limit profiles published. I do give my personal profile on my website but don’t give information about any other position, leaving it to a generic phone number and email address.

Professional Profiles: LinkedIn is a favourite for targeting businesses, as it provides details about an individual’s role, connections, and organisational structure.

Personal Websites or Blogs: These may reveal contact details, interests, or sensitive information inadvertently. The same issues that appertain to social media apply here.

Data Brokers: Cybercriminals can purchase detailed dossiers on individuals from data aggregator sites.

Another favourite is phishing and pretexting.

Phishing Emails: We all know, or at least I hope we know, what phishing is. Attackers send emails designed to extract more information, such as login credentials, by posing as a trusted entity. In this context, it could be as simple as the attacker wanting to verify information by perhaps sending an email to a discovered address but wanting to confirm that individuals position in the company. That just requires a response showing a signature block, so the phishing email might seem very innocuous.

Fake Surveys or Job Offers: These can be used to obtain detailed personal or professional data.

There are a variety of reconnaissance tools used by attackers, including open-source intelligence (OSINT) tools, WHOIS lookups and scanning misconfigured systems using commercially available tools such as Nmap and Nessus, which identify open ports, services and weak configurations. This is why it’s essential to regularly scan your network for these weaknesses. Ports can be opened for a particular reason and never closed again. It’s a common fault.

Here at H2 we scan the dark web daily looking for leaked credentials, particularly email credentials. When we on board a new client we nearly always get hits with sometimes up to 20+ compromised email addresses including passwords. You might ask why they’d be on the dark web – simple, they are often up for sale on dark web marketplaces.

In terms of cybercrime, who’s heard of psychological profiling? Cybercriminals analyse:

Behavioural Patterns: Regularity in actions, such as times a person is online, financial habits, or common purchases.

Weaknesses and Triggers: Examples include a recent job loss, major life changes, or emotional vulnerabilities, which they exploit through spear-phishing or scams.

I’ve often argued on these pages, that your employees are both your first line of defence and your greatest weakness, and that a good cyber awareness programme is worth its weight in gold. Cybercriminals often focus on employees in specific departments (like HR, finance, or IT).

LinkedIn and Organization Charts: Identify individuals with access to sensitive data.

Impersonation: Pretending to be a senior executive to trick lower-level employees (e.g., through Business Email Compromise attacks – I’ve written about the CEO scam a lot).

Technical Probing: Use of phishing or malware to breach a target’s employer.

In conclusion, what I’ve tried to do here is give you a flavour of what you may be up against, and I hope, I’ve shown you that for all the reasons shown above technology comes last after people and process. All the tech in the world won’t prevent issues arising from the above and is just one part of an integrated defence in depth required to prevent disaster.

Ransomware and the risk to SMEs

There’s a lot of FUD (fear, uncertainty and doubt), going around about Ransomware, and it has to be said that a lot of it comes from cyber security companies. But amongst the rocks there are some very real diamonds that need the publicity. There is a very real difference between genuine information and propaganda. I hope what I do is spread information.

There is a prevailing feeling amongst small and medium-sized enterprises (SMEs) that they are not a desirable target for Ransomware and it’s therefore not a problem for them. However, that’s simply not true and they are increasingly vulnerable to ransomware attacks, with recent trends showing a notable rise in these incidents among smaller businesses. Several factors influence the likelihood of SMEs being targeted:

Widespread Targeting: SMEs are often viewed as “soft targets” because they may lack the advanced cybersecurity defences of larger corporations. Attackers assume that smaller businesses may have fewer resources dedicated to security, making them easier to compromise.
Increasing Ransomware Attacks Overall: Ransomware attacks globally have been on the rise, and attackers have shifted their focus to include not only large enterprises but also smaller organisations across various sectors. This is often due to the lower cost of launching ransomware campaigns, allowing attackers to spread wide nets with mass phishing campaigns and automated attacks.
Financial and Operational Impact: Many SMEs are attractive to attackers because the disruption from ransomware can be financially devastating for them. SMEs may feel greater pressure to pay the ransom to restore operations quickly, fearing the loss of business or reputation if the downtime persists.
Underinvestment in Cybersecurity: SMEs often underinvest in cybersecurity due to budget constraints, lack of expertise, or other business priorities. This underinvestment can lead to outdated software, limited employee training on cybersecurity best practices, and weaker defences that attackers can exploit.

Likelihood and Statistics

High Likelihood: Studies show that more than half of SMEs have experienced a cyberattack in the last year, with ransomware being one of the most common types of attack.
Small Business Victimisation: According to a 2022 survey by the Cyber Readiness Institute, nearly 60% of small businesses were targeted by cyberattacks, and a significant portion of these involved ransomware.
Increasing Cost: For many SMEs, the average cost of a ransomware attack, including downtime, lost revenue, and recovery expenses, can be as high as £50 to a £100K, making the financial impact severe and sometimes unmanageable without external assistance.

Key Risk Factors for SMEs

Lack of Security Awareness and Training: Employees at SMEs may be less well trained on cybersecurity threats, increasing the risk of phishing and social engineering attacks that lead to ransomware.
Lack of Backup and Recovery Plans: SMEs may not have effective data backup or disaster recovery strategies, making them more susceptible to extended downtime or paying the ransom.
Weak Network and Endpoint Security: Limited resources often mean that SMEs may not have enterprise-grade firewalls, intrusion detection, or antivirus solutions, leaving systems exposed to exploitation. They also struggle with the distributed work practice (office, home etc) that has happened since COVID.
Encryption: Data is often unencrypted on end point machines.

Reducing the Risk

While the risk is high, SMEs can take measures to reduce the likelihood and impact of a ransomware attack:

Implementing Regular Backups: Ensuring data backups are frequent, secured, and tested for restoration can significantly reduce the impact of an attack.
Employee Training: Conducting regular training to recognize phishing and social engineering can help employees avoid common attack vectors.
Monitoring: No or inadequate monitoring of their data and systems, including home and other remote workers.
Endpoint and Network Security: Investing in antivirus software, firewalls, and network monitoring can improve defences.
Cyber Insurance: Purchasing cyber insurance can help mitigate financial losses associated with an attack.
Data encryption.

In summary, while SMEs face a high likelihood of ransomware attacks, increasing awareness, preparation, and proactive defence measures can substantially reduce both the risk and the impact of an attack.

What is the impact of a Ransomware Attack?

Ransomware can have devastating effects on small and medium-sized enterprises (SMEs). Here are some of the key impacts:

Financial Losses

Ransom Payment: If SMEs decide to pay the ransom (which is not generally recommended), this can result in significant, sometimes crippling, costs.
Operational Downtime: Even if no ransom is paid, businesses often experience significant downtime as they attempt to recover systems, which can halt revenue generation and lead to lost sales.
Recovery Costs: In addition to the ransom, SMEs incur expenses related to data recovery, IT support, and forensic investigation. Often, additional security solutions are needed to prevent future attacks.

Loss of Data

Data Encryption or Destruction: Ransomware can lead to the permanent loss of critical data if files are corrupted or remain encrypted after an attack.
Loss of Sensitive Information: SMEs may lose access to sensitive customer or business data, leading to gaps in operational records or strategic plans.

Reputational Damage

Loss of Customer Trust: Ransomware attacks, especially if customer data is exposed or operations are disrupted, can damage customer confidence. Many SMEs rely on personal relationships, and a ransomware incident can harm these relationships.
Brand Damage: Businesses often struggle to rebuild trust, and reputation damage may deter new clients and weaken partnerships with vendors or other business partners.

Legal and Regulatory Consequences

Compliance Violations: If SMEs operate in regulated sectors (like finance, healthcare, or legal services), a data breach can lead to violations of regulations like GDPR, resulting in fines and other penalties.
Legal Liabilities: Affected customers or vendors may pursue legal action if sensitive data is compromised, adding further financial strain.

Operational Disruptions

Halting of Services: For many SMEs, especially those without a strong IT infrastructure, ransomware can paralyse day-to-day operations.
Long Recovery Times: SMEs often lack the same level of IT resources as larger enterprises, so restoring full operational capacity after an attack can take weeks or months.

Employee Productivity and Morale

Reduced Productivity: During and after a ransomware attack, employees may be unable to work if they lack access to necessary files, email, or software.
Psychological Impact: The stress and uncertainty from a cyberattack can lead to anxiety or frustration among employees, potentially impacting morale and retention.

Increased Insurance Costs

Higher Cyber Insurance Premiums: Cyber insurance costs tend to increase significantly for companies that have experienced ransomware attacks. Additionally, insurers may demand proof of enhanced security measures to continue providing coverage.

Pressure to Strengthen Cybersecurity Measures

Increased Security Costs: Post-incident, SMEs often must invest in more robust cybersecurity infrastructure, including advanced threat detection, backup solutions, and employee training.
Ongoing Monitoring Needs: Ransomware may prompt SMEs to adopt more rigorous monitoring and endpoint protection tools, leading to continuous IT spending.

Ransomware attacks can be particularly harmful to SMEs because they often have fewer resources for cybersecurity, and a single attack can have a prolonged impact. Many SMEs lack a full-time IT staff or robust data backup protocols, which can compound the impact. Consequently, proactive measures, such as employee training, regular data backups, and up-to-date cybersecurity defences, are critical to reducing the likelihood and impact of ransomware attacks on SMEs.

What Do SME Owners and Directors Want From Cyber Security?

I wrote a post earlier this week exploring what SME owners and directors really care about when it comes to cyber security! Do they really care about the how the latest technological solutions work? Do they really care about the scare stories, or at least, do they really think that they apply to them. Oh, they might have a sneaky suspicion that it could be a problem but is it on their mind enough for them to do something about it.

The argument was made that this is especially true in an economic downturn when they are focused on costs, even more than they normally are. They want robust cyber security solutions that don’t cost an arm and a leg. And what they don’t want is jargon and tech speak that they feel is aimed at bamboozling them with science in order to convince them they should buy something that they don’t actually need.

We are believers that what is needed is simplicity. SMEs are looking for user-friendly security measures that don’t require a PhD in Cyber Science. They don’t want jargon or even industry metrics. Remember the KISS principle – Keep It Simple Stupid.

Of course they are going to have a focus, and you need to understand what is important to them and what isn’t. That will depend on the nature of their business to a great extent. Whilst there are commonalities regardless of the vertical they work in, there will always be differences, some big, some more subtle, that will impact any cyber security solutioning.

Nowadays many SMEs are increasingly aware of cybersecurity risks, but a significant number still underestimate the importance of cybersecurity risk management. SMEs often face unique challenges in this area due to limited resources, competing priorities, and often a lack of expertise not just in their organisation but also in the IT support company’s they use. Here are some insights into the current landscape:

Growing Awareness: SMEs have started to recognise that they are just as likely to be targeted by cyber threats as larger companies, partly due to high-profile ransomware attacks and data breaches affecting businesses of all sizes. As a result, awareness is rising, especially as more businesses transition to digital platforms and remote work, which increases exposure to cyber risks.

Resource Constraints: For many SMEs, the cost of robust cybersecurity measures can be prohibitive. They often lack dedicated IT and cybersecurity teams, which makes it challenging to implement and maintain comprehensive security protocols. Cybersecurity solutions can be expensive, so SMEs may prioritise short-term operational needs over what they might perceive as longer-term security investments.

Risk Perception and Underestimation: Some SMEs mistakenly believe they are too small to be targeted by cybercriminals, assuming that attackers primarily focus on large corporations. However, this “security by obscurity” mindset has been proven false, as attackers often view SMEs as easier targets due to their weaker defences.

Impact of a Breach on SMEs: Unlike larger companies, SMEs are less likely to recover from a significant cyber incident. A data breach or ransomware attack can be devastating, leading to financial losses, reputational damage, and even closure. Despite this, many SMEs may not fully understand the potential scale of these consequences.

Compliance and Regulatory Pressure: With increasing data protection regulations (e.g., GDPR, PCI), SMEs are under more pressure to adopt better cybersecurity practices to remain compliant. This has led to greater awareness among some SMEs, especially those handling sensitive data like healthcare, finance, or customer and payment information.

Cybersecurity Awareness Training and Culture: Even when SMEs implement some cybersecurity measures, they may lack the necessary employee training and risk management practices that foster a security-focused culture. Human error remains a leading cause of data breaches, so SMEs need to prioritize employee awareness and training.

In summary, while awareness of cybersecurity risk management is growing among SMEs, gaps remain, particularly around adequate investment, robust risk perception, and ongoing management of cybersecurity threats. Cybersecurity can seem overwhelming for small businesses, but as the digital landscape continues to evolve, understanding and addressing these risks is becoming essential for SME survival and growth.

Is Cyber Security about Tech or the Business?

It’s simply a fact that many owners, managers, directors etc, believe that cyber security is a technology issue and is best left to those guys in IT who understand that stuff. Here at H2 we spend a lot of time and effort trying to educate C level people, that it really is a business issue, although it has significant input from the techies. It’s a business issue because breaches can have a significant financial and reputational impact. It’s also an IT issue because it involves implementing technical measures to protect systems and data. Effective cyber security requires a collaboration between business leaders and IT professionals to address both the strategic and technical aspects of security.

The crux of the issue though, is that it must be led by the business, and at board level. It requires a strategy to be followed, which is laid down at board level and which is focused on the goals and aspirations of the business, especially when your IT is outsourced. You can outsource your IT, but you can’t outsource your responsibility.

A valid argument is that the proliferation of security tools creates an illusion of safety. Organisations, large and small, often believe that by deploying a firewall, antivirus software and maybe some other tools, such as intrusion detection systems, they are adequately protected. This ignores the fact that such tools are controls put in place to mitigate risks identified and qualified in terms of importance, in a risk assessment and unless the benefits they bring are properly identified, and the solutions placed and configured correctly, they may well not be doing what you think they are doing. This thinking can also introduce significant third-party risks into your domain. The most recent example of this is the CrowdStrike issue which caused so much chaos throughout the globe.

To be fair to most companies in the smaller and mid-market arenas, their focus is on obtaining IT solutions as cost effectively as possible, and with the minimum of support costs. Cost control is vital to most. This means that they are extremely reluctant to spend money on what they see as not being part of their core business. Of course, if they get a cyber-attack or scam, or worse a data breach attracting the attention of the ICO, then their costs trying to fix the issue can easily outstrip any costs in prevention. Unless they have a well thought out risk managed strategy, they are wide open to slick sales pitches which push products. The rub is that in order to have that well thought out strategy, it means spending on what they see as expensive services that can seem somewhat nebulous, not something they can see and feel, and there is that vague feeling that they are being led to do something that really isn’t all that important.

The approach most take is to trust their IT provider to give them the protections they need. Most of these IT providers are what is known as re-sellers, ie they sell other people’s products and will push those products because that’s their business model. What they won’t do is take a risk managed approach which is essential in ensuring that any limited spend on security, limited because of cost constraints, is targeted where it’s needed and will be most effective. In other words, the technological approach taken by most IT support company’s will do half a job at best.

In essence then, if you don’t understand the risks you face, how can ensure that your cyber security strategy and protections are fit for purpose? Risk management is all about helping us to create plans for our future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis.

A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.

How do we approach this then? First and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it? Taking risks is a part of business. You assess risk every day when doing business. Do you want to do this deal? What happens if it goes not as expected? Do I want to take this person on? Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take. Failure to do that will almost certainly be damaging to your business, perhaps fatally so.

The difference between assessing day to day business risk and assessing risk to cyber assets, is one of understanding. What is a cyber asset? In this context insert the word ‘information’ instead of cyber. It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on. You understand your business risk, after all it is your business, but do you understand information risk? Do you have a clear idea of what information assets you have and where they are? Before you answer that think it through. Do you really know where all the data is? OK, you know that you have a server or servers probably in a cloud somewhere (cloud storage and access is a whole other subject) and that somewhere in those servers there is a bunch of data which runs your business. How much of that data has been saved onto staff workstations when they needed it to carry out some work? How much has been copied off somewhere else for what was probably a very good reason at one point? How well is your firewall functioning? Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations. And we haven’t even thought about changes in working patterns. How many of your staff now work remotely some or all of the time. I could go on.

How can we be sure where all this information is and how important each bit is to the business? How can we assess this risk to the business, if information is lost or otherwise compromised? What about ransomware, phishing scams etc? The good news is that some of this can now be automated and managed for you at an affordable price and you can even arrange a 14 day totally free trial to assess its effectiveness.

New Cyber Threats and Innovations

Cybersecurity is an ever-evolving field, with new threats and innovations emerging regularly. Not all these threats will apply to everyone, the trick is, and has always been, identifying the threats that apply to you, working out how vulnerable you are too those threats, and applying controls to bring those down to an acceptable level. That acceptable level will change, not just from company to company, but also asset to asset. Don’t waste valuable time and energy trying to achieve a zero-threat level. It doesn’t exist. You need to understand clearly what your appetite for risk is, ie what is an acceptable level of risk for you, and then go for it.

But what emerging threats are there that you just might have to combat in your daily business life. These trends highlight the ongoing innovation in both cyber threats and defences, driven by the growing reliance on digital infrastructure and the rapid evolution of technology.

Here are some suggestions and trends in cybersecurity as of late 2024:

1. AI-Powered Cyber Attacks and Defences

Threats: Cybercriminals are increasingly using AI to launch more sophisticated attacks, such as AI-driven phishing campaigns, automated hacking attempts, and machine learning-based malware that adapts to security measures. We’re seeing AI powered social engineering, phone calls mimicking voices of managers, and similar. Like with just about all AI usage, what it does it make things much easier by reducing human effort. So, attacks can be set up using AI and become almost fire and forget, just letting it get on with it in the background.

Defense: Organisations are countering this with AI-based threat detection systems, anomaly detection, and predictive analytics to identify potential breaches before they occur. What about your defences? Are they keeping up with these types of threat. What about mobile workforces, are your staff covered once they leave the office; do you have a hybrid or even fully remote workforce? If so, are your defences up to the job? Check out https://hah2.co.uk/

2. Ransomware Evolution

Ransomware continues to be a major threat, but it’s evolving with more advanced encryption techniques, and multi-stage attacks where attackers exfiltrate data before encrypting it. They then threaten to publish the stolen data unless a ransom is paid. I recently heard of a company that had been infiltrated through its website which was transactional, ie it sold stuff via the website and the website was connected to their database of products and sales order processing system. The web developer didn’t have sufficiently robust security in place. A good example of an SME being exploited via their supply chain.

Double extortion and Ransomware-as-a-Service (RaaS) have become more common, where hackers sell ransomware kits to other criminals.

3. Zero Trust Architecture

Zero Trust has moved from a buzzword to a mainstream security model. Organisations are adopting a “never trust, always verify” approach, assuming that every user and device, both inside and outside the network, could be compromised.

Implementing least privilege access, micro-segmentation, and continuous authentication are key features of this approach. And no, this doesn’t have to be cost prohibitive.

4. Supply Chain Attacks

Attacks targeting third-party vendors and software providers have increased. By compromising trusted suppliers, attackers can infiltrate many organisations through a single breach.

Notable Examples: The SolarWinds and Kaseya attacks were significant instances that highlighted the dangers of such supply chain vulnerabilities. The attack on the NHS via a contracted service provider, is also a good example but it doesn’t just affect the big organisations. See above for an example of how an SME was attacked via a third-party web designer.

5. Post-Quantum Cryptography

With quantum computing on the horizon, there’s increasing focus on developing encryption algorithms that can resist quantum attacks. Post-quantum cryptography is becoming a hot topic as organisations prepare for the future of computing.

Even without quantum computing, many organisations do not use encryption, even for their critical data. If you are subject to a data breach, but that data is encrypted, you could save yourself a lot of money and reputational damage.

6. Cloud Security and Misconfiguration

As cloud adoption accelerates, the security of cloud environments remains a top concern. Misconfigured cloud settings continue to expose sensitive data, while cloud-native security solutions (e.g., CSPM, CWPP) are becoming more prevalent.

Securing multi-cloud environments and addressing shared responsibility models are critical challenges.

7. Cybersecurity for IoT and OT

The Internet of Things (IoT) and Operational Technology (OT) are becoming frequent attack targets. Securing connected devices, industrial systems, and critical infrastructure from cyber threats is a growing concern, especially as they are often lacking in adequate security protocols.

This is becoming more critical as home working becomes more and more popular. Employees connecting to your company cloud and systems using home broadband and WIFI, are also de fact connecting to any IOT devices that they are using in the home, potentially opening up back doors into your system.

8. Data Privacy Regulations and Compliance

Data privacy is a key focus as more countries introduce stricter regulations like the Data Protection Act 2018, now becoming known as UK GDPR (General Data Protection Regulation). There are other compliances such as FSA regulations and other industry bodies, that many need adherence to. Data breaches can produce fines from regulatory bodies, law suites from those affected, and quite severe reputational damage.

9. Cybersecurity Automation and SOAR

Automation is becoming critical in cybersecurity due to the sheer volume of threats. Security Orchestration, Automation, and Response (SOAR) tools help streamline incident detection and response, freeing up analysts to focus on complex tasks.

Do you have anything in place to automate your defences? Do you monitor your systems for threats?

10. Identity and Access Management (IAM)

Identity theft and credential stuffing attacks are rising, making IAM solutions more important than ever. Multi-factor authentication (MFA), password less authentication, and biometrics are seeing widespread adoption to prevent unauthorised access.

Farewell to Bob – A data protection swan song

Today is somewhat of a sad day for me as tomorrow I will attend Bob Hays funeral. Bob and I started this business when we both returned from Dubai where we worked for HPE in their cyber security business, across the Middle East. We came a long way since starting up in 2017 even though COVID happened in the middle, changing the way that business was conducted by many companies and therefore how we had to adapt and change in order to compete and provide the services needed by the new normal. I think we did a pretty good job all told.

In honour of Bob, I thought I’d focus my blog this week on data protection, his pet subject. He always went to great lengths to point out that we weren’t lawyers but were providing the how to, rather than the legal requirements of data protection legislation. He always said that lawyers were great at telling us what we need to do to meet our legal obligations but were lousy at telling us how to do it.

Data Protection, a somewhat dry subject that many companies, particularly SMEs, think they can get away from by simply paying a bit of lip service. The Data Protection Act 2018, or as it has become known, UK GDPR, is far from a toothless beast and can cause businesses to find themselves in all sorts of problems if they’re not careful.

Businesses that you might not think about, like Estate Agents, hold large amounts of personally identifiable information or PII, that is information that can identify a living individual. Not so long ago a London estate agent was fined £80,000 by the Information Commissioner’s Office (ICO), after leaving the personal data of more than 18,000 customers exposed for almost two years.

The incident occurred when the estate agent passed the details from its own servers onto a partner company. An “Anonymous Authentication” function was not switched off, which meant there were no access restrictions to the data.

It’s surprising just how much PII estate agents hold. Just think about what they ask for when you’re buying a house. In this case the exposed details included bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.

But in some cases that might not be the end of it. Individuals can sue companies that release data into the wild. In fact, there are now law firms advertising no win no fee when representing these cases. Remember that data breaches almost always involve multiple people, sometimes hundreds if not thousands of records.

One thing that many misunderstand is the link between cyber security and data protection. The Act requires personal data to be secured by ‘default and design’. This means that cyber security requirements must be designed into your data protection processes which could considerably increase the number of policies and processes you require to stay safe and within the law.

Data Protection is a bit of a bureaucratic nightmare I have to admit. Here at H2 we have a raft of templates we use, originally drafted up by Bob, that have been successfully introduced into a variety of organisations, often integrated with their company handbooks. These include:

Data Protection – Overarching Policy	Data Protection Training
Data Protection – Consent	Consent Withdrawal
Subject Access Request	Data Protection Complaints
Retention of Records	Data Breach Notification (note there is an electronic version of this on the ICO website)
Data Protection Impact Assessment Procedure	Security & Control of data protection documentation
Policy Management Review Procedure	Internal Data Protection Breach Register
Retention & Disposal of Records Register	Data Protection Officer (DPO) Responsibilities
Required records to be maintained

Of course these aren’t necessarily the only things needed, there are a whole list of cyber security policies required to complement these. Nearly all are available online, but the problem is knowing what you need and what you don’t and not just downloading, topping and tailing, and hoping for the best. That happens all too often.

Our approach to this has been refined over the years as not just the legislation evolves, both here and in Europe, but as working practices evolve alongside it. We have spent many hours researching solutions and crafting them into services that meet the requirements, which in turn have evolved into a system which works, is both affordable and appropriate for all types of business, and is accreditable to standards such as cyber essentials, if that is required. Flexibility is another key attribute that the new working practices demand. Long gone is the old bastion security system whereby everyone works within a secure boundary, protected by firewalls and other similar technologies. These days we need a system of protection that works regardless of where you are working, office, home, on the move, and can switch seamlessly between them.

When we are first approached by a prospective client and we begin our offer of a free trial to examine their requirements, one of the first things we find is that they don’t know what data they are holding, or where it all is. Oh, they have a general idea; it’s on the cloud server(s), it’s not on laptops or desktops, it’s just the stuff we need to process our clients’ requirements and yes, we’ve only got one copy. And then we install our software that first carries out a discovery exercise and we find that their laptops/desktops are holding lots of copies of the data that is on the cloud server(s). How does that happen? Over time, especially with many now employing the hybrid system of working, ie between the office and remote (home) locations, employees log on to the cloud, find they have a bit of shaky internet link and download the data they need, work on it and then upload it again, forgetting to delete it from their machine. Or they need to share it and attach it to an email and send it out, forgetting, or perhaps not realising, that the data is now stored, attached to an email, on their email server.

Then comes the issue with audit trails. If the ICO ever wanted to carry out an investigation, then having an audit trail of who created/copied/deleted/forwarded what to who, is essential. And let’s not forget the member of the public who is fully entitled to submit a Data Subject Access Request or DSAR, which demands that you reveal what data you are holding on that person. The law insists on it, and you can’t refuse it. I know of a financial firm that took nearly 3 weeks to satisfy a DSAR, taking an employee off billing, for that time.

Our solution meets the requirements needed today and not only that, has a built-in encryption system, all within the same monthly cost. It’ll cost you nothing to trial it and we’d be very surprised if once you’ve seen it and seen the ridiculously low monthly charge for the managed service, you don’t want to keep it.

So a final farewell to Bob, with thanks for all his work in the data protection arena, and for the friendship forged in 3 different company’s before we took the bull by the horns and went out on our own.

Disaster Recovery and Business Continuity

I’ve made quite a bit recently about cyber resilience and the focus being placed on computer outages caused by third party suppliers, highlighted by not just the CloudStrike issue but also the ransomware attack on the UK NHS, made possible by infiltrating a key supplier. All of this of course highlights the importance of supply chain security, but my focus today will be all about disaster recovery and business continuity.

Disaster recovery and business continuity are very much connected but are different. The former is basically a plan for when things go sideways—like when a natural disaster hits, a cyberattack happens, or even if there’s a major tech failure. It’s all about making sure that businesses can bounce back and keep things running as smoothly as possible. Imagine your favourite coffee shop gets flooded. Disaster recovery is like their game plan for getting back on their feet: they might have backup equipment stored somewhere, a way to communicate with customers, and a strategy for cleaning up and reopening. In the tech world, it often involves regular backups of data, having alternate servers ready to go, and making sure everyone knows what to do in case of an emergency. The goal? To minimize downtime and get everything back to normal without too much hassle. It’s like having an insurance policy but for your operations—very important for keeping the lights on when the unexpected hits!

However, we need to understand that when it comes to the type of outages caused by supply chain cyber failures as we saw with CloudStrike, there isn’t much a customer can do to recover from that, without fixes from the suppliers. So, in this instance disaster recovery planning becomes a little difficult to say the least.

Business continuity on the other hand, is all about making sure that a company can keep running smoothly when it is deprived of their IT systems, in whole or in part. So, it’s about keeping business running whilst the disaster recovery plan kicks in and gets stuff back online. The idea is to have a plan in place that helps the business bounce back quickly. This includes figuring out which critical functions need to keep going, having some way of operating manually if necessary. Can you place an order, process an order, raise an invoice, pay a bill etc. It’s like having an emergency kit for your business—batteries included! Companies should create a business continuity plan (BCP) that outlines the steps they’ll take during a crisis. This way, they don’t just react on the fly; they can hit the ground running. It’s all about minimising downtime and keeping customers happy. In short, it’s like being prepared for a rainy day—just with more spreadsheets and meetings!

The first thing to decide is what the priorities are regarding business processes. What is essential, what is a nice to have and what you can live without in the short to medium term. Don’t leave it to managers and staff to guess, have it documented. This priority order is determined based on what is known as a business impact analysis (BIA). This determines the impact of an outage on the business and its customers. Don’t ever forget that your reputation is on the line, and you need to keep your customers serviced and happy. Each business process should have recovery time attached to it, ie how long you can do without it before it becomes truly disastrous.

It all sounds terribly complicated and therefore expensive, but in fact, it isn’t. All the information you need to work this out is already in your hands. You know your business best and you know what’s important and what isn’t quite so important. You just have probably never written it down. And that’s the crux of the matter.

Disaster recovery planning addresses the processes, technical requirements and infrastructure an organisation needs to implement to recover data and operations as required by the business in the event of a disaster. The planning process will involve identification of critical business processes, business impact analysis and thus determination of the overall requirements for a cost-effective plan.

Following the disaster recovery plan, business recovery planning is the process that organisations must use to assess appropriate timeframes for business resumption, also allowable data losses and risk tolerances for business disruptions. As stated earlier, it also needs a plan to carry on manually whilst the disaster recovery plan is implemented. Budgetary requirements for infrastructure and processes, to meet the disaster recovery plan, will also be determined by the business recovery planning process.

There are also 2 other key parts to this. Firstly, companies must ensure that their plans are tested, that everyone in the company is aware of them, where they can find them, and what their responsibilities are in this regard. Testing is critical to ensure that processes, systems and business restoration can meet the requirements laid down for them. Where the plans rely on third party service providers and/or indicate the need to support key customers, these should be involved in the testing process. This will give re-assurance that support will be received and/or given as expected.

And then we have key stakeholders. Who in your organisation is responsible for what, regarding disaster recovery and business continuity planning? Do they know their respective responsibilities, have they accepted this? Have you placed this in their job descriptions? Can they be held to this responsibility? Are they part of the planning and testing process? All seems a bit obvious when you say it, but you’ll probably not be surprised to know that it’s often totally overlooked.

Key Stakeholders	Roles and Responsibilities
CEO/Board of Directors	Aware of business continuity processes, inputs as required Approval of business continuity processes and integration with other technical functions – Note 1 Ownership of business continuity processes together with relevant business units – Note 1
Infrastructure (IT operations)	Input into business continuity processes. Consideration of any infrastructure changes which may impact security architecture. Provide inputs and coordination for systems’ resiliency testing and remediation. Provide costs/budgets for systems requirements
Business units	Creation of BIA and corresponding recovery requirements. Budgetary approval.

Note 1 – these two functions would be carried out by a CIO and/or and CISO in a larger organisation, but as most, even top end, SMBs are unlikely to have anyone in that role, then it must be owned by other board members. I hope this is helpful, but it can only be a guide and there is no one size fits all solution.

Data Breaches and their consequences