Data Breaches and their consequences

Cyber Security Defence

When you are an owner or director of a company, you will have to face many challenges starting from employing the right people to protecting the sensitive data regarding the company, your workers, suppliers and clients, who buy products and services from you. Nowadays, data leakage prevention is essential in every business. Last week I touched on cyber security strategy, and I’ll expand on that a little more in a week or two, but I’ll just reiterate here that cyber security and data protection are inextricably linked, both practically and legally.  They apply equally to the large corporate entities and SMEs alike.  It’s purely a matter of scale.  So, let’s dive in and learn more about the security and data protection services that you may wish to consider, having first identified your risks and come up with what is called a risk treatment plan, ie a plan to remediate the identified risks to an appropriate level, taking account of the residual risk that your organisation finds acceptable.

Cyber Security Defence – What Are the Most Common Services?

The Insider Threat

There are a lot of actions that can be taken regarding cyber defence. You need to cover both external and insider threat detection. We need to simplify, and where possible, automate our responses and solutions.  The more complicated we make it, the more chance of it becoming a liability rather than a solution. The insider threat is one that is often misunderstood and in fact, often ignored.  It is one of the most fascinating and alarming aspects of cybersecurity! It refers to the potential risks posed by individuals within an organisation who have access to sensitive information and can misuse it for personal gain or to sabotage the company. These insiders could be employees, contractors, or even business partners who have intimate knowledge of the company’s processes and systems. It’s like a real-life spy thriller unfolding right within the walls of your own organisation! The challenge lies in identifying and mitigating these risks before they cause serious damage. It’s an adrenaline-pumping game of cat and mouse that keeps cybersecurity professionals on their toes!  It is important to note that many insider threats come not from any intended action by an employee, but rather a mistaken action taken by an employee who didn’t know they shouldn’t do whatever it is they had done.  It’s a primary reason why cyber awareness training is so important.  I can’t stress enough how important a comprehensive campaign of such training is.

To protect against insider threats you need, as well as awareness training, a good mix of procedural and technical security. You need a sound access control policy that clearly lays down how to onboard an employee, what access to allow, and how to protect against employees gaining privilege they don’t need and shouldn’t have. That policy should also cover off-boarding when an employee leaves. Here at H2 we have partnered with Cyber Elements to offer solutions that deliver the correct provisioning in an easy-to-administer way.

External Threats

These are the threats that everyone thinks of when the subject of cyber security comes up.  It can be very easy, such as identifying and blocking a virus, or it can be very complex. It all depends on the size and range of the problem. For example, ransomware protection. We have partnered with Platinum-HIT (UK) to provide the HDF concept.  This provides a unique approach to anti malware and provides a good level of ransomware, and indeed, phishing, protection. On any computer system, data is stored either as non-runnable information data or runnable application programs. Malware is a type of runnable program with undesirable behaviours. HDF prevents malware infection by stopping malware program files from being stored and run on a computer. Simply put, if a program can’t run, it can’t infect your system.  This does require a period of examination of your system to identify what does need to run, to run the business, and that is provided within the product.

We have introduced a fully managed proactive cyber defence solution that complements our data protection solution, described below, whilst remaining able to stand alone, in the unlikely event that the data protection element is not required.

In the dynamic world of cybersecurity, staying ahead of evolving threats requires a comprehensive approach that adapts to the ever-changing landscape. At H2, we recognize that one-size-fits-all solutions often fall short, which is why we’ve developed a flexible and scalable cybersecurity solution powered by Guardz, to address the needs of our clients.

Our approach is grounded in sound risk management principles, ensuring that our solutions are aligned with your specific cybersecurity requirements. Whether you need one or more of our solutions, we can tailor an approach that meets your exact needs and budget.

I talked earlier about the symbiotic relationship between cyber security and data protection, which of course includes data leakage prevention, data privacy and compliance. Once again, we have this covered. Our data protection solution is very comprehensive and looks not just at the technical, but also at the procedural aspect of data protection, from providing a virtual data protection officer, to writing and/or reviewing your policies and processes, to identifying where your data actually is and what its status is, ie sensitive or non-sensitive, and it provides the ability to encrypt the sensitive data in order to reduce your risk. If you have a data leak and the data is encrypted, then you are significantly reducing any risk.

Summary

All cyber security defence solutions are designed and implemented in collaboration with the client, during a trial period that consists of between 14 and 30 days, depending upon the solution. All actions can be performed remotely and online and there is no requirement for us to be on site, thus reducing time and expense. Additionally, all solutions are based on SaaS and therefore there are no expensive infrastructure or hardware requirements. Being cloud based, the service has the additional advantage that it can monitor and protect end points regardless of where they are, in the office, on the move, or at home.

What’s the advantage of using a cyber defence managed service?

This will differ company to company, and some will have more of an issue, certainly regarding the protection of what is known as Personally Identifiable Information or PII, as defined in the Data Protection Act 2018.  Each must decide what their threshold is for residual risk, ie what risk is acceptable to them, once protections have been put in place.

Professional cyber security staff are, currently, difficult to source.  There is a global shortage of experienced personnel.  They are also expensive to employ.  You could also argue that there isn’t a full time job for more than one or two, in many organisations.  It therefore makes both operational and financial sense, to outsource at least some of your security operations.

DATA PROTECTION – HOW BADLY COULD I BE HIT?

How does data protection affect SMEs?

Data Protection, a somewhat dry subject that many companies, particularly SMEs, think they can get away from by simply paying a bit of lip service.  The Data Protection Act 2018, or as it has become known, UK GDPR, is far from a toothless beast and can cause businesses to find themselves in all sorts of problems if they’re not careful.

Businesses that you might not think about, like Estate Agents, hold large amounts of personally identifiable information or PII, that is information that can identify a living individual. 

Are SMEs subject to punitive fines?

Not so long ago a London estate agent was fined £80,000 by the Information Commissioner’s Office (ICO), after leaving the personal data of more than 18,000 customers exposed for almost two years.

The incident occurred when the estate agent passed the details from its own servers onto a partner company. An “Anonymous Authentication” function was not switched off, which meant there were no access restrictions to the data.

It’s surprising just how much PII estate agents hold.  Just think about what they ask for when you’re buying a house.  In this case the exposed details included bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.

But in some cases that might not be the end of it.  Individuals can sue companies that release data into the wild.  In fact, there are now law firms advertising no win no fee when representing these cases.  Remember that data breaches almost always involve multiple people, sometimes hundreds if not thousands of records.

What size does a business need to be for the regulations to apply?

The regulations apply to all businesses large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it’s a regular activity, concerns sensitive information or the data could threaten an individual’s rights. Just exposing PII can threaten an individual’s right to privacy.

Just about everyone processes personal data of some sort.  Data that can identify a living individual.  HR data will have bank account information, home addresses, NOK, phone numbers, maybe references from previous employers.  The exposure of some or all of that could be judged as prejudicial to an individual’s rights.  Some companies may have bigger problems, for example Solicitors, Estate Agents, Financial Advisors and Recruiters (the list is not exhaustive), which hold an abundance of personal data about their clients, much of which, under other legislation they are required to retain for up to 7 years.

Do I need written policies and processes?

Yes – What this means is that a significant number of policies and processes will need to be written and taken into use by the organisation. It is not unusual for many to visit the web and download templates to cover their requirements. However, whilst these templates in themselves may be adequate when used by someone who knows what the requirement is, they may be less than effective in the hands of someone who is just looking for a quick tick in the box.

How is GDPR affected by cyber security?

The Act requires personal data to be secured by ‘default and design’.  This means that cyber security requirements must be designed into your protections.  This could mean at least another 6 or 7 policies and procedures.

How can I keep track of all my PII holdings and keep it secure?

When we are first approached by a prospective client and we begin our offer of a 30 day free trial to examine their requirements, one of the first things we find is that they don’t know what data they are holding, or where it all is.  Oh, they have a general idea; it’s on the cloud server(s), it’s not on laptops or desktops, it’s just the stuff we need to process our clients’ requirements and yes, we’ve only got one copy.  And then we install our software that first carries out a discovery exercise and we discover that their laptops/desktops are holding lots of copies of the data that is on the cloud server(s).  How does that happen?  Over time, especially with many now employing the hybrid system of working, ie between the office and remote (home) locations, employees log on to the cloud, find they have a bit of shaky internet link and download the data they need, work on it and then upload it again, forgetting to delete it from their machine.  Or they need to share it and attach it to an email and send it out, forgetting, or perhaps not realising, that the data is now stored, attached to an email, on their email server.

Then comes the issue with audit trails.  If the ICO ever wanted to carry out an investigation, then having an audit trail of who created/copied/deleted/forwarded what to who, is essential.  And let’s not forget the member of the public who is fully entitled to submit a Data Subject Access Request or DSAR, which demands that you reveal what data you are holding on that person.  The law insists on it, and you can’t refuse it.  I know of a financial firm that took nearly 3 weeks to satisfy a DSAR, taking an employee off billing, for that time.

Are there solutions suitable and affordable for SMEs?

We have a solution that meets the requirements and not only that, has a built in encryption system, all within the same monthly cost.  It’ll cost you nothing to trial it and we’d be very surprised if once you’ve seen it and seen the ridiculously low monthly charge for the managed service, you don’t want to keep it.

Check it out at https://hah2.co.uk/gdpr-data-protection/

Cyber Security Benchmarking

As long as I’ve been in this industry, clients have always had a thing about benchmarking, particularly those in the higher echelons, who are naturally driven by maturity, budgets, and the frequency of cyber breaches in their industry.  It’s often how they decide their spend.  Fair enough.  In the SME world it’s perhaps not that formalised but is still a thing.  An SME owner wants to know what other people are doing to try and gauge what they should be doing.

I talked, in a post last week, about conformational bias, which is a posh way of talking about the herd mentality and benchmarking falls loosely into that bracket.  What we’re actually talking about is the need for reassurance, deflecting plain discomfort, around the proposal to spend money on something that often seems a little esoteric to many.

Of course, not every situation, or every company is the same.  Their cyber maturity and risk appetite will often drive different approaches to a similar problem.  One company might have a heavy focus on data protection.  For example, an accountancy firm, a solicitors, even an estate agency, might assess that a serious data breach involving the Information Commissioner, could, potentially, put them out of business and they would therefore make this a number one risk.  On the other hand, a manufacturing company may consider this a risk, but of less importance than say, their designs for their next improvement to their product line.

So how good is a benchmark?  Well, it’s a guide, but that’s all it is, and you might think that if you’re close-ish to that guide, and you have an understanding about why you’re not closer, then that is probably OK.  What I’m saying is, don’t take an industry benchmark to be gospel, it isn’t, and basing decisions on what is essentially anecdotal evidence, isn’t, in my opinion, a very good basis for making that decision.

This is where building relationships with suppliers is essential for an SME.  Trust must be established, especially when dipping your toe in to the murky depths of cyber security.  Let’s face it, most people don’t understand it and people don’t trust what they don’t understand.  Finding a cyber security company that is happy to work with SMEs is not easy, especially one that isn’t wedded to technology as being the only answer to a problem.  Process and procedure can be just as effective as technology in certain circumstances and of course, is much much cheaper.  And let’s not forget cyber awareness training, still the cheapest quick win any SME can take to offset the risk of a data breach or scam.

All this is easy to say, but just how do you find a cyber security company you can trust?  I vaguely remember hearing the saying that you have to kiss a lot of frogs before you find your prince.  But in this case, you can’t afford to do that.  Time is not on your side but in doing your due diligence, you still need to be cautious.

What are you looking for?  I would suggest:

  • Proven track record.  Look into the past of the ownership of the company, not just the employees. 
  • Their approach.  Do they lead with technology?  If they do, walk away.  Do they take a risk managed approach?  That’s what you’re looking for.
  • Do they talk in jargon, trying to baffle you with science?  If they do, walk away.  This subject can be explained without getting into technicalities.  You want something that addresses threats to your business, and they should demonstrate they understand that.
  • Do they talk about the FUD factor? Fear, uncertainty and doubt. What they’re trying to do is to scare you into buying. Giving you the facts is one thing, FUD is completely different.
  • Have they taken the time to fully understand what your business is about, what it is that drives your revenue, what is important to you and what is not so important?
  • Do they see you as a long term partner or a quick revenue win?  Can be difficult to assess but it is crucial to building the trust I talked about earlier.

Of course, this is not an exhaustive list of criteria, and you’ll almost certainly have things you want to add, and maybe things you will discard.  But whatever route you take to build that trust, it is essential to your protection and peace of mind in what is becoming a very dangerous online world.

Data Breaches – How bad could it be?

“Fujitsu Hacked – Attackers Stolen Personal Information”

Fujitsu confirmed a cyberattack that led hackers to steal personal data and customer information.

Now there’s a headline to put fear into their customers, both current and potential.  Not a great look for one of our premier IT system integrators and manufacturers.

But what’s that got to do with me you say?  I don’t have any Fujitsu kit and I’m way too small to feature on the radar of a hacker or team of hackers, that would target someone like this.  OK, maybe true, maybe not so true.

Did you know that since 2005 the Information Commissioner’s Office (ICO) has ruled on 13,500 freedom of information and environmental information cases? Many of these would be classed as SMEs and small government departments, particularly local government. Last year alone, 86 enforcement actions were taken which included 37 reprimands, 24 enforcement notices, 23 monetary penalties and 2 prosecutions. Fines of around 80K are not uncommon, and a fine of that size would be a severe blow to an SME. The ICO has issued fines totalling £590,000 to five companies for collectively making 1.9 million unwanted marketing calls which targeted the elderly and people with vulnerabilities.

Fines and enforcement notices cannot be hidden. They are published on the ICO website for all to see, which can have an impact on the reputations of companies, adding to the pain of any fine caused by unwanted marketing calls or data breaches.

In practice though, the ICO is not there to put you out of business and the chance of a fine of anywhere near the maximum being applied to an SME is low but not impossible.

It is, for most SMEs, about doing what is reasonable to prevent a data breach. That will include having the right policies and procedures, known to all staff, and rolled out. Don’t pay lip service to this, you will be found out. It is important to be aware of the threat and take the necessary actions to prevent breaches.

Lack of adequate data security is an important basis for imposing fines.  Are you one of the SMEs who has swallowed the line that a firewall and some anti-virus, plus cloud storage, is all you need? 

In addition to inadequate security, one of the frequent reasons for imposing a penalty is failure to report a violation despite the obligation under the law.  Have you got that covered with an adequate policy and process in place and understood?

This can all be a real nightmare for many SMEs, particularly those with a large amount of personal data, much of which they can’t ditch.  For example, financial data which under other legislation, they must keep for 7 years.  I’m thinking about Estate Agents and financial advisors, even solicitors who I find are very good at telling others what they need to do to comply with the Act but aren’t so hot on how to do it.

One of the biggest issues I find with SMEs, is that they often think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set.  This has become a real issue since COVID, in that remote working is becoming normal and it’s a real temptation for an employee, working from home with possibly less than robust broadband, to copy data from cloud storage to their PC or laptop to ensure they can keep working on it.  Then they upload it again when they’ve finished but forget to delete their copy.  That’s just one instance but it is vital to understand where all this data is.  What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why.  I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person.  But under the law, they had no choice but to bite the bullet.

We’ve been pondering these problems for some time, and they boil down to processing and storing the data securely and being able to quickly lay your hands on it. There are several systems on the market which will capture where your data is, and who has access to it, generally under the banner of Data Loss Prevention, or DLP. These systems are based on an event-driven approach and require extensive ongoing rules management built for LAN/WAN perimeters, and they are becoming much less effective in an increasingly perimeter-less environment.

Local and Wide area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premises repositories (File Server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like Slack or WhatsApp), and 3rd party portals. We needed an answer to this new data landscape with a cross-platform discovery functionality, coupled with data flow monitoring capabilities.

We came across Actifile, which works very differently to a standard DLP, which in any case, often requires other tools to provide the security functionality needed.  Actifile is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in the world of no security perimeters. Moreover, Actifile’s set and forget method, requires little to no maintenance, and can be up and running securing data, in less than 3 working days providing a detailed breakdown of the data risk and leverages the data risk for data flow monitoring, auditing and remediation. This approach greatly simplifies the process.

Actifile is a cloud-based management platform coupled with a lean agent for workstations (both Windows and Mac), File Servers, NAS and Terminal Servers, and a sidecar docker instance for cloud-based file shares (i.e., OneDrive).

Step 1: Data Risk Discovery and Quantification

Based on predefined privacy regulations and PII definitions, Actifile immediately starts scanning for sensitive data using smart patterns. Actifile then quantifies data risk per PII type in local currencies.

Step 2: Data Risk Monitoring and Auditing

Tracks and audits data risk in real-time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organization.

Step 3: Data Risk Remediation by Encryption

Our patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption takes as little as 72 hours.
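The discovery problem described above (stray copies of PII left on laptops and mail servers, and the need to answer a DSAR quickly) can be sketched as a pattern scan combined with content hashing. This is an added example, not Actifile's code or method; the patterns, directory names and sample record are constructed assumptions.

```python
"""PII discovery sketch: pattern scan, duplicate-copy detection, DSAR lookup."""
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Simplified, constructed patterns (assumptions); real PII definitions are broader,
# and the sort-code shape will also match dates written as dd-mm-yy.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "uk_nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "uk_sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "payment_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}
CLIENT_FILE = (  # constructed sample record, not real data
    "Client: Pat Sample\n"
    "Email: pat.sample@example.test\n"
    "NI number: AB123456C\n"
    "Sort code: 20-00-00, account 12345678\n"
    "Card on file: 4111 1111 1111 1111\n"
)

def luhn_ok(number):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    digits = [int(c) for c in number if c.isdigit()]
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text):
    """Count matches per PII type in one document."""
    counts = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if name == "payment_card":
            hits = [h for h in hits if luhn_ok(h)]
        if hits:
            counts[name] = len(hits)
    return counts

def iter_files(roots):
    """Yield (location name, path) for every file under each root."""
    for root in roots:
        for path in sorted(Path(root).rglob("*")):
            if path.is_file():
                yield Path(root).name, path

def scan(roots):
    """Return one record per file that contains PII, with a content hash."""
    records = []
    for location, path in iter_files(roots):
        data = path.read_bytes()
        counts = find_pii(data.decode("utf-8", errors="replace"))
        if counts:
            records.append({"path": path, "location": location, "pii": counts,
                            "sha256": hashlib.sha256(data).hexdigest()})
    return records

def duplicate_copies(records):
    """Group PII-bearing files whose content is identical across locations."""
    by_hash = defaultdict(list)
    for rec in records:
        by_hash[rec["sha256"]].append(rec)
    return [group for group in by_hash.values() if len(group) > 1]

def dsar_lookup(roots, terms):
    """Return every file that mentions any identifier of the data subject."""
    wanted = [t.lower() for t in terms]
    return [path for _, path in iter_files(roots)
            if any(t in path.read_text(encoding="utf-8", errors="replace").lower()
                   for t in wanted)]

def build_demo_tree(base):
    """Create a constructed estate: one cloud share plus stray copies elsewhere."""
    layout = {
        "cloud_share/clients/sample.txt": CLIENT_FILE,
        "laptop_downloads/sample (1).txt": CLIENT_FILE,  # downloaded, never deleted
        "mail_server/sent/sample.txt": CLIENT_FILE,      # copy left as an attachment
        "laptop_downloads/notes.txt": "Agenda: quarterly review, invoice 4111\n",
    }
    for rel, body in layout.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return [Path(base) / d for d in ("cloud_share", "laptop_downloads", "mail_server")]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_demo_tree(tmp)
        for group in duplicate_copies(scan(roots)):
            print("Same PII in:", [str(r["path"].relative_to(tmp)) for r in group])
        print("DSAR hits:", len(dsar_lookup(roots, ["pat.sample@example.test"])))
```

Exact-hash matching only finds unmodified copies; a file that was edited after download needs the per-file PII counts, or a DSAR-style identifier search, to be found.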

Finally, and importantly, it is very light on administration, quick to set up and we are offering a 30 day trial at no cost.  If you don’t like it, we take it away.

Another Tilt at AI

At the risk of boring you about the risks inherent in AI, I’m going to have another go, simply because it’s a fascinating subject.  AI can really become the gift that keeps on giving.  We’ve always played catch up to the cyber criminals, trying and often failing to anticipate what the next attack will be, what the next series of attacks will be.  Will it be ransomware, denial of service or perhaps a new and more sophisticated scam?  Who knows?  But there is no doubt that AI is raising the bar.

I have talked a lot about the re-emergence of the script kiddie and how AI is enabling this particular breed of wannabe criminals. But it’s also true that the more skilled and sophisticated criminal is making use of AI and finding new and innovative ways of relieving you of your hard earned cash.

There is a lot going around within the IT and cyber industry about the ethical usage of AI, its ethical development, and that IT system integrators have a cast of thousands working on such ethical development and usage. Fine, I applaud them. But what does that mean for cyber security, and indeed data protection? Well, I have to say, in my humble opinion, not a great deal. I say that simply because no matter how ethical we are, the criminal doesn’t give a damn, he or she will continue on their own sweet way and do what criminals have always done, which is to completely disregard ethics. So, whilst we can applaud and support those companies who are producing software and systems which use AI ethically, for the good, just like old times, the criminals will do their own thing.

So, let’s take a look at some of what is at risk in terms of our data and systems:

  • Data Protection.  AI systems tend to be extremely good at analysing, organising, and harvesting vast amounts of data, raising concerns about privacy breaches and unauthorized access to sensitive information.  A good AI powered attack could capture huge amounts of personally identifiable information (PII), in a ridiculously short amount of time.
  • Data Integrity.  In the good old days (please indulge me – I’ve been around a long time), we used to talk about CIA, no, not the infamous US intelligence agency, but Confidentiality, Integrity, and Availability.  We now have something we call the Adversarial Attack.  This is where attackers can manipulate AI algorithms by feeding them misleading data, causing them to make incorrect predictions or classifications, in turn destroying the integrity of your data, not just rendering it useless, but dangerous.
  • Model Vulnerabilities. This next one is relatively new, at least to me, and as I never tire of saying, I’ve been in this game as long as there’s been a game. It’s something called Model Vulnerabilities. AI models can be vulnerable to exploitation, such as through model inversion attacks or model extraction, where attackers can reverse-engineer proprietary models. So, if you’re in the dev game, this is a very real nightmare.
  • Bias and Fairness.  AI systems may inherit biases from training data, leading to unfair or discriminatory outcomes, which can have legal, ethical, and reputational implications.  This could be used as another form of extortion, playing with the integrity of your data, to the point where you can no longer trust it.
  • Malicious Actors.  These can compromise AI systems at various stages of development, deployment, or maintenance, posing risks to organisations relying on these systems.  This has a play in supply chain security.
  • Attackers can leverage AI techniques to enhance the effectiveness of cyberattacks, such as automated spear-phishing, credential stuffing, or malware detection evasion.

Addressing these risks requires a multi-faceted approach, including robust security measures, thorough testing, ongoing monitoring, and regular updates to mitigate emerging threats.

The real danger is complacency.  AI isn’t a future hypothetical threat but is very real and here now, already making itself felt, for both good and bad.

Scams v Hacks – how does this affect SMEs?

When I speak to SMEs, I make the point that the chance of being ‘hacked’ is relatively low when compared with being scammed. Why? In my view, I look at a hack as being a technical attack on a target by someone who is technically savvy and skilled in identifying and exploiting weaknesses in a company’s defence. A scam on the other hand can be perpetrated by people with relatively low levels of technical ability and scams are in fact, a con, just like any other old fashioned con, in that they get the target to agree to, or to do something, that will benefit the con artist.

We always recommend that our clients try as best as they can to have defence in depth. That’s an old military term which is often used in cyber security now to describe multiple layers of defence. This can be expensive though and it must be tempered by budget, targeting controls where they are most needed. What this does is to deter many attackers who are looking for a quick win, so if they have to work long and hard to break in, they’ll often go elsewhere, where the pickings might be easier. And of course, whilst an SME’s defences might be somewhat less than those of an enterprise organisation, the pickings are likewise smaller, making it not cost effective for the attacker to take too much time with a technical hack.

Does this make scams much more attractive to the criminal?  Yes, I believe it does, simply because the amount of effort required is low and they are skilled in manipulating people, especially those that have had minimal cyber awareness training.  Scamming, just like hacking is generally preceded by some form of social engineering.  Social engineering refers to techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons.  So, whilst a hacker modifies a computer’s software and hardware structure to carry out certain tasks, social engineering uses people as weapons to attack selected targets. In this way the manipulation is accomplished by employing trust through different forms of communication.

Typically, social engineering is achieved via Phishing, Vishing (video), Smishing (via SMS), malware and Spear phishing where the targets are selected for their importance to a specific attack.  Whatever method is used the aim remains the same, it is to persuade the unwary to give up sensitive information, install malicious software or do things that compromise your business security.  The best protection against social engineering remains a work force that are aware of the techniques and dangers posed by this.

What is the cost of scams across the globe? One statistic suggests that public sector fraud losses amount to about £50.2 billion whilst frauds committed directly against individuals, including marketing fraud and identity fraud, are around £8.3 billion. The total cost of fraud has risen from about £190 billion in 2017 to almost £219 billion. (Source Peters, Peters and Crowe). Of course, not all of this is via online fraud, but it is becoming the most common type of scam we see today.

Some of the most common types of scams that we see include, but are not limited to:

  • Copycat government websites. Some scams involve websites designed to look like official government websites such as HMRC. …
  • Dating and romance scams. …
  • Holiday frauds. …
  • Mandate fraud. …
  • Pharming. …
  • Phishing emails.

I received an email only yesterday purporting to come from someone called, and I kid you not, Lisa Monaa, inviting me to partake in an extremely profitable project, and I just couldn’t bring myself to read anymore.  It was a badly written phishing email with little chance of success.

AI is having an effect as well. I’ve written earlier about the CEO scam whereby a CEO’s email is spoofed and sent to an accounts department with an invoice attached, stating that the CEO has received a complaint from a supplier that their invoice is late and to get it paid without delay. That scam has now been updated to a voice simulated by AI, over the phone, demanding the same.

Whilst that scam is quite old, it shows how social engineering comes into play.  Firstly, they have to find out what the CEO’s email is.  Not difficult.  The company’s email format will almost certainly be shown on their website with a contact like sales@abc.com.  So, the attacker knows that the suffix is abc.com.  They may well also be able to get the CEO’s name from the website or even Companies House.  Next send an email to JSmith@abc.com.  If that bounces send it to John.Smith@abc.com and so on until it goes through.  Next phone the accounts department, ask for Mary in accounts payable.  No Mary here I’m afraid.  Oh sorry, I was sure it was Mary, who handles accounts payable then?  Oh, that’s Julie.  So, he now has the CEO’s email and someone to send the email to.  That would probably take about 30 minutes of the scammer’s time.

The impacts of scams can be very far reaching.  Firstly, there is financial loss, which to many SMEs operating on tight margins, can be quite devastating.  Then there is the possibility of data breach.  If you are a business with lots of client personal data, say a financial advisor, a lawyer, an estate agent, pharmacist, you get the drift, and the aim was to steal data, then you could be hit with a substantial fine from the Information Commissioner, not to mention lawsuits from those whose data has been stolen.  Reputational damage can be disastrous and then there is the effect on staff, who can suffer greatly thinking they have damaged the company and put everyone’s job at risk.

Bottom line – scamming is endemic, it’s going nowhere, and AI is going to make it more prevalent, not less.  SMEs spend far less on their defences and on cyber awareness training making them more likely to be targeted.  Combating this threat should be high on your to do list.

A Tale of Two Companies

These stories are fictitious but are based on real events with the company names, locations, and industry vertical either changed or obscured.

Company One

ABC Ltd is a chain of financial advisors which has seen strong growth even allowing for the hiccup of the COVID lockdowns.  It has grown from one site nearly 20 years ago, to six sites situated in rural market towns in the East of England.  As with nearly everyone else, COVID has significantly changed the way they operate as they were forced into home working and never went back to being fully office based and are now operating a more distributed hybrid working pattern, with staff working between offices and home.  This hasn’t proven to be an issue and has some financial benefits, reducing the office footprint, fuel and light and travel costs.  Their clients, consisting of local businesses mainly but with a significant department looking after individuals, have not been impacted by these changes.

John is the finance director, and he was given the additional responsibility for IT, something not unusual in SMEs, as they can rarely afford their own in house IT experts.  This has led to John outsourcing the IT to a local IT management company and so far, they have had no complaints.  Although John doesn’t profess to have any in depth IT knowledge, he discussed their requirements in detail and accepted that a move away from onsite servers and storage to a cloud based system made perfect sense and lent itself to the distributed network they now operated.

However, he had some concerns around cyber security.  He read a lot and what he read worried him, particularly about things such as ransomware, phishing, social engineering and scamming.  He knew that they held considerable amounts of personally identifiable information (PII) as defined by the Data Protection Act or UK GDPR as it is becoming known, and he had heard horror stories of companies being fined a lot of cash for losing that data.  So, John decided to bring this up at a board meeting and was met with some resistance from the CEO and other board members.  They asked what advice he was getting from their IT providers, and he said not a lot.  They seemed to be happy with the defences in place, which relied on firewalls in the office, and personal firewalls on remote laptops and desktops, anti-virus software and secure channels for sending data to and from the cloud storage.  The cloud provider operated under Ts&Cs which seemed to ensure that they took responsibility for the secure storage of their data.  He was concerned that not all their data was stored on the cloud, even though it was supposed to be.  He knew that staff working from home downloaded data onto their laptops, worked on it, and then uploaded it.  He wasn’t sure they ever deleted the copy they had on their laptops and had no way of checking.  He was also sure that data was attached to emails and sent around, so there would be copies on the email server, and on email clients.  But he was told to forget about it as it wasn’t a priority for funding.

Jumping forward a couple of months and staff were panicking, and his phone was ringing off the hook as IT user after user was seeing a red text box sporting a skull and crossbones and the message that their data was encrypted, and if they wanted to unencrypt it, it would cost £50,000.  The CEO convened an emergency board meeting, and the IT provider was dragged in.  It didn’t take long to ascertain that this was a sophisticated attack and when they attempted to access their cloud storage, they found that the data held there, was also affected.

The CEO asked the IT provider how long this would take to fix, if indeed it was fixable.  He replied that they did have two sources of backups of the data, online and offline.  The problem was that the online data could also be affected and so the safest recourse was the offline backup, but that was only done weekly and therefore they would lose at least 3 days’ worth of data.  The CEO was not pleased.  Added to this, John wasn’t happy with just fixing the immediate issue; he wanted to get to the bottom of how this had happened and how they could stop it in the future.  He contacted a specialist cyber security company that was fairly local to them.  Modesty forbids me to mention their name.

Once onsite they identified that there needed to be two strands to this.  First and foremost, the company needed to be gotten up and running, which meant restoring from backup.  But there is no point doing that if the ransomware is still sitting on their systems because it would merely encrypt the backup.  It’s never that easy.  How did the ransomware get on the systems, how deeply was it embedded, how did it get on the cloud storage etc.?  How it got there was quite easily detected.  It was a simple email scam sent to around half of their workforce, at least two of whom clicked on it.  Once that was done it spread itself around the system, infecting all connected machines, and easily jumped to the cloud storage and even the online backup, which was connected to the cloud storage itself.

From then it was a simple but painful exercise which took the best part of a week to sort out.  In order to be safe and thorough, all machines were wiped, including the operating systems, and then the OS was reinstalled, along with all the applications.  Meanwhile they worked with the cloud storage provider, who was cooperative, to clean up their servers.  The data was then restored from the offline backup.

It was estimated that they lost money well into 6 figures, including fixing the problem, and lost business whilst it was all sorted out.  Trying to get back the 3 days’ worth of data lost, was embarrassing.  But at least they didn’t cave in to extortion as some might have, as we’ll see below.  Luckily there was no indication of a data breach which sometimes accompanies ransomware attacks, so no involvement of the Information Commissioner and the embarrassment of having to contact clients about their personal information.  It could have been worse.

Recommendations asked for by the board included:

  • Cyber Security Awareness training for all staff, including induction and 6 monthly refreshers.
  • Revisit the anti-virus/malware in use to see if there is a better solution for ransomware.
  • Revisit protections for the data itself.  Do they know where it all is?  Can it be audited?  What about encrypting it themselves before anyone else can?  It might not protect against ransomware, but if a data breach happens, it will avoid ICO fines.
  • Revisit the backup routines.
  • Have a solid disaster recovery and business continuity plan to avoid ad hoc and inevitable knee jerk responses.
  • The ransomware code required privileged access to do the real damage.  It got it easily.  Revisit the privileged access management system in place.  Is it up to scratch?
  • Consider annual cyber security health checks.
  • Consider adhering to a standard such as Cyber Essentials or perhaps even ISO27000 series.

Company Two

Company Two was a transportation and storage company which operated from one site and its core business was transporting and storing produce before it was moved on to the consumer chain ie supermarkets and the like.  As such they had 3 large cold stores which were of course temperature controlled and any prolonged period without temperature control could cost the business thousands in a relatively short space of time.

The problem was that their security architecture was still based on the old bastion model of having a secure perimeter, protected by firewalls, but once inside, there was no segmentation, ie once in, the world was your oyster and the temperature control systems were on the same network as the other IT systems, with nothing separating them.

At this point the same thing happened to them, as happened to Company One.  They received the ransomware message which was even more damaging because it not only encrypted their data, but it knocked out the temperature control systems.  This meant a more sophisticated attack than just embedding malware in an email, the attackers must have gotten into the system and identified a serious weakness that they could exploit.

This wasn’t as difficult as it seemed.  There were several weaknesses in their defences.  First, they had changed broadband provider, but the old broadband connection was still active and connected to their network.  Second, they had security cameras which were remotely maintained.  These cameras were also on the main network and therefore there was a remote backdoor into the system.  There were other weaknesses, but these will do as explanations as to what happened.

As the gravity of the situation dawned on everyone, the decision was made to pay up and prevent a potential disaster in regard to the cold stores.  Understandable I suppose but ultimately not a good solution.  They did get back online within half a day.  So far so good.  But they wanted to make sure that this couldn’t happen again and so they called in some cyber experts to look things over.  What was discovered was quite horrifying.  Firstly, the attackers left a back door into the system which was discovered and closed down.  This would have allowed the attackers easy access to do it all again.  The issue with clicking on a dodgy link was also raised.  But the real problem was that it was discovered that the ransomware attack was used to also disguise the theft of data.  Missing was a considerable amount of financial information, including bank account details not just for them, but for their customers and suppliers, and PII relating to their customers and suppliers, but nothing too damaging other than business email and postal addresses.  Luckily their HR and payroll was outsourced and so they held very little about their staff.  Nevertheless, it was estimated that the cost of this breach would eventually reach 5 figures.

Lessons included very much the same as Company One but with the addition of having a security architecture review with the aim of tightening things up and introducing network segmentation.

Summary

  • Cyber security is a business issue not an IT issue.  It’s the business that suffers, not the IT support. 
  • Cyber Awareness training is the biggest and cheapest quick win that any company can take to protect itself.
  • Make sure your backups are adequate and up to date.
  • Make sure you have a disaster plan to recover from an attack.
  • Make sure you have a business continuity plan to continue working whilst you recover from a disaster.
  • Make sure your privileged access management is adequate.
  • Make sure your anti-malware solution is the best available to protect against modern threats.
  • Don’t be complacent.  Just because your cloud provider is popular, doesn’t necessarily mean it’s up to par.
  • Don’t rely on firewalls alone, the bastion model of security is well out of date now.
  • Consider adhering to a standard such as Cyber Essentials or perhaps even ISO27000 series.

What Are The Chances of a Cyber Attack Affecting You?

That’s a really good question and one that’s very difficult to pin down.  There are studies galore, mostly from the cyber security industry, and you might feel a little sceptical about those, but also from Governmental sources, which you might consider hold more weight.  Fear, Uncertainty and Doubt, known as FUD, permeates the airwaves about this and it can be a bit of a nightmare separating fact from exaggeration.  And I get that, I really do.

Aviva, not of course a cyber security company but who nonetheless do sell insurance, carried out some research reported in December 2023, which seems, on the face of it, to be a little more realistic.  They have said that one in five UK businesses have experienced a cyber-attack or incident, with nearly one in 10 (9%) small businesses experiencing this in the last year. This number rises to 35% of large corporate businesses, showing the increasing risk that cyber presents.  But even this has some problems in that it depends on how many businesses reported such an attack or incident.  There is other research that suggests that many businesses, especially SMEs, keep such things well under wraps.

Small Business Cyber Attack Statistics 2024 (And What You Can Do About Them) says that SMEs account for 43% of cyber-attacks annually, of which 46% were SMEs with 1,000 or fewer employees.

In the 2023 Not (Cyber) Safe for Work Report, there are some alarming statistics.  A staggering 97% of executives use personal devices to access work accounts, and 74% frequently send work-related emails and texts from these devices.  This behaviour significantly increases the vulnerability of SMEs to cyber-attacks, putting not just operations at risk but also sensitive employee and customer data.

SMEs are often repositories of a considerable amount of personal and financial information, making them lucrative targets for cyber criminals.  The report further indicates that one in three respondents has fallen victim to data theft via scams.  A single can result in identity theft, financial loss, and severe reputational damage.

This is a suggested list of the top 10 Cybersecurity Threats:

  • Social Engineering (often a precursor to Phishing).
  • Third-Party Exposure.
  • Configuration Mistakes.
  • Poor Cyber Awareness and Practice.
  • Cloud Vulnerabilities.
  • Mobile Device Vulnerabilities.
  • Internet of Things.
  • Ransomware.

Given that many SMEs have now adopted the hybrid working style since COVID, these are not particularly surprising.  Working remotely isolates employees who can be much more easily panicked into doing things that are unsafe, than if they have someone on hand, in the office, they can turn to for advice.  For example, Phishing.  Should I click this, does look a bit iffy?  I’ll ask Fred and see what he thinks.  As opposed to sitting at home, working to a deadline, and getting pressured by well-crafted Phishing emails, and thinking, I’ll just do it, what’s the worst that can happen?

One of the major problems facing all sizes of business is the lack of cyber security skills available for hire, either as an FTE or a contractor.  Shockingly, in September 2023, 50% of all UK businesses had a basic cybersecurity skills gap, while 33% had an advanced cybersecurity skills gap. These figures are consistent with those from 2022 and 2021, highlighting the persistent skills gap issue.

We talked a little bit above about people using their devices.  This isn’t necessarily a major issue, providing the individual is prepared to adhere to some security controls being placed on that device, if it is to be used for work.  It’s a bit of a balancing act.  It is reported that 80% of employees are uncomfortable with the idea of their personal devices being monitored by their companies, yet 73% would consent to having cyber security software installed on their devices.  So, a balanced approach is needed, which respects individual privacy while ensuring collective security.  Not easy.

Here are 5 actionable steps we are recommending SMEs take:

  • Employee cyber awareness training.  Probably the biggest and cheapest quick win any SME can and should be taking.
  • Strong access control using multi factor authentication.  This should be a no brainer.
  • Cyber Security audits and monitoring.  Not easy for many SMEs who will be put off by thinking about costs.  However, this has become much more affordable, and all SMEs should be having conversations around this.
  • Encryption.  Again, becoming much more affordable and easier to use.  If your sensitive data is encrypted, the chances of falling foul of data protection becomes much less of an issue.
  • Supply chain security.  Many SMEs are in the supply chains of the bigger companies, often utilising online processes, connecting direct to the customer.  What would happen if a cyber-criminal gained access to a customer of yours, through your systems?

There is no silver bullet for this.  First and foremost, it must be recognised as a business issue, not an IT issue.  It must be owned from the top, and dealt with by the board, as they would any other business issue.  You can outsource your IT management, but you can’t outsource your responsibility.

UK GDPR

UK GDPR just won’t lie down, and as citizens we shouldn’t want it to as it provides us with a great deal of protection against the unwanted use of our personal information.  Businesses on the other hand can find it somewhat onerous, although it doesn’t have to be.  Once you understand its basics, following the rules isn’t all that difficult, or so you’d think.

The Information Commissioner’s Office publishes, on its web site, the penalty notices that it enforces against breaches of the Regulations, and arguably one of the biggest differences between the current Regulations and their predecessors is that this time the ICO has real teeth, something that many companies find out the hard way.

A breach raises some questions for any company of course, such as how will this affect customer and supplier confidence?  How much will it damage the brand and what will be the reputational fallout?  All of that before remediation costs and any penalties from the ICO kick in.

As I said above the Data Protection Act 2018, based as it very much is on GDPR, is a very different beast from its predecessor.  The ICO now has powers to issue a monetary penalty for an infringement of the provisions of Part 3 of the Act – Law Enforcement Processing.  Such penalties are intended to be effective and proportionate, rather than punitive, and are judged on a case-by-case basis.

These penalties come in two flavours, firstly the higher maximum amount, which is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.  Ouch!

Then there is the standard maximum.  If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.  Still Ouch!

In practice though, the ICO is not there to put you out of business and the chances of a fine of anywhere near the maximum, being applied to an SME, is low but not impossible.

DPA/GDPR requirements apply to all businesses large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it’s a regular activity, concerns sensitive information or the data could threaten an individual’s rights.  So how does that work for most SMEs?  How many process sensitive information that could threaten individuals’ rights?  What is sensitive information?

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs.
  • trade-union membership.
  • genetic data, biometric data processed solely to identify a human being.
  • health-related data.
  • data concerning a person’s sex life or sexual orientation.

So how much of this type of data is likely to be held by the average SME?  Well, that depends very much on what that company does for a living.  Many companies, such as manufacturers for instance, will be holding personal data regarding their employees and possibly some data concerning their client base, all of which it is lawful to hold, and which should not pose a great problem to process and store securely within the Regulations.  However, when you stop to think about it, there are a considerable number of companies out there that process large amounts of personal data and are required to hold it for many years because of other legislation.  For example, financial data must be held for 7 years, and many companies deal with financial data.

Just about everyone processes personal data of some sort.  Data that can identify a living individual.  HR data will have bank account information, home addresses, NOK, phone numbers, maybe references from previous employers.  The exposure of some or all of that could be judged as a regular activity and prejudicial to an individual’s rights. Think about financial advisors, estate agents, pharmacies, solicitors, recruitment agencies, all of whom hold huge amounts of personal information.  I recently spoke to one financial advisor who told me that they had received a Data Subject Access Request (DSAR) from a client.  This essentially means that under the Regulations, anyone is allowed to submit a DSAR and have that organisation declare exactly what data it holds on that person, why and for how long.  It took a partner offline for nearly 10 days to identify that data, before they could declare it.  It’s also worth knowing that there is a time limit on how long you can take to satisfy that requirement.

The ICO website lists a solicitor who was fined £98,000 for failing to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.  Solicitors are excellent at telling you what to do to ensure you stay within the law, but they are not always all that good at telling you how to do it.

GDPR compliance requires that companies who process or handle personal data and have more than 10-15 employees must appoint a Data Protection Officer (DPO). A DPO will help with the maintenance and regular monitoring of data subjects as well as the processing of special categories of data on a large scale.  Personal data is any information which is related to an identified or identifiable natural person. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.

One of the biggest issues I find with SMEs, is that they often think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set.  This has become a real issue since COVID, in that remote working is becoming normal and it’s a real temptation for an employee, working from home with possibly less than robust broadband, to copy data from cloud storage to their PC to ensure they can keep working on it.  Then they upload it again when they’ve finished but forget to delete their copy.  That’s just one instance but it is vital to understand where all this data is.  What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why.  I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person.  But under the law, they had no choice but to bite the bullet.
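To make the "multiple instances of the same data set" problem concrete, here is a small added example (not part of the original post, and not how any product mentioned on this page works).  It walks a set of folders, flags files containing PII-like text and groups byte-identical copies by hash.  The patterns, folder names and sample records are constructed for illustration.

```python
"""Find files that contain PII-like text and show where identical copies sit."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Simplified patterns written for this example.  They will give false
# positives and misses; treat a hit as "look here", not as a verdict.
PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "uk_sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
}


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def pii_types_in(path, max_bytes=1_000_000):
    """Return the sorted pattern names found in the first max_bytes of a file."""
    with open(path, "rb") as fh:
        text = fh.read(max_bytes).decode("utf-8", errors="ignore")
    return sorted(name for name, rx in PII_PATTERNS.items() if rx.search(text))


def audit(roots):
    """Map content hash -> {"pii": [...], "paths": [...]} for files with hits."""
    paths_by_digest = defaultdict(list)
    pii_by_digest = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path):
                    continue  # do not follow links out of the audited folders
                try:
                    found = pii_types_in(path)
                    if not found:
                        continue
                    digest = sha256_of(path)
                except OSError:
                    continue  # unreadable or locked file: skip, keep auditing
                paths_by_digest[digest].append(path)
                pii_by_digest[digest] = found
    return {d: {"pii": pii_by_digest[d], "paths": sorted(p)}
            for d, p in paths_by_digest.items()}


def duplicates(report):
    """Keep only the entries where the same content exists in several places."""
    return {d: e for d, e in report.items() if len(e["paths"]) > 1}


def build_demo_tree(base):
    """Create a constructed sample: a cloud share and a laptop with a stray copy."""
    client_list = ("name,email,ni_number,sort_code\n"
                   "Jane Doe,jane.doe@example.com,AB123456C,12-34-56\n")
    files = {
        ("cloud_share", "clients.csv"): client_list,
        ("laptop", "Downloads", "clients.csv"): client_list,  # forgotten copy
        ("laptop", "Desktop", "remittance.txt"):
            "Send remittance advice to accounts@example.org\n",
        ("laptop", "notes.txt"): "Call the supplier about Tuesday's delivery.\n",
    }
    for parts, text in files.items():
        path = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return [os.path.join(base, "cloud_share"), os.path.join(base, "laptop")]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        found = duplicates(audit(build_demo_tree(base)))
        for digest, entry in found.items():
            print(digest[:12], entry["pii"])
            for path in entry["paths"]:
                print("   ", os.path.relpath(path, base))
```

Hashing only catches byte-identical copies; a copy that was edited on the laptop still appears in the audit report as a file with PII-like content, but under its own hash.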

We’ve been pondering these problems for some time, and they boil down to processing and storing the data securely and being able to quickly lay your hands on it.  There are several systems on the market which will capture where your data is, and who has access to it, generally under the banner of Data Loss Prevention, or DLP.  These systems are based on an event-driven approach and require extensive ongoing rules management built for LAN/WAN perimeters, and they are becoming much less effective in an increasingly perimeterless environment.

Local and Wide area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premises repositories (File Server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like Slack or WhatsApp), and 3rd party portals. We needed an answer to this new data landscape with a cross-platform discovery functionality, coupled with data flow monitoring capabilities.

We came across Actifile, which works very differently to a standard DLP, which in any case often requires other tools to provide the security functionality needed.  Actifile is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in the world of no security perimeters. Moreover, Actifile’s set and forget method requires little to no maintenance and can be up and running, securing data, in less than 3 working days.  It provides a detailed breakdown of the data risk and leverages that data risk for data flow monitoring, auditing and remediation. This approach greatly simplifies the process.

Actifile is a cloud-based management platform coupled with a lean agent for workstations (both Windows and Mac), File Servers, NAS and Terminal Servers, and a sidecar docker instance for cloud-based file shares (i.e., OneDrive).

Step 1: Data Risk Discovery and Quantification

Based on predefined privacy regulations and PII definitions, Actifile immediately starts scanning for sensitive data using smart patterns. Actifile then quantifies data risk per PII type in local currencies.

Step 2: Data Risk Monitoring and Auditing

Tracks and audits data risk in real-time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organization.

Step 3: Data Risk Remediation by Encryption

Our patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption takes as little as 72 hours.

Finally, and importantly, it is very light on administration, quick to set up and we are offering a 30 day trial at no cost.  If you don’t like it, we take it away.

Another look at Ransomware

I’ve been reading about how Ransomware is affecting the insurance industry. A Ransomware group has added 90 organisations to their data leak site as victims of the MOVEit exploitation campaign. Currently the insurance industry is listed as having the highest number of victims. Now clearly the insurance industry is not alone in this, although it’s an obvious target given that it holds considerable amounts of personally identifiable data (PII), as defined in UK GDPR. It’s long been known that personal data, misappropriated or downright stolen, has been available for sale on the dark web for many years. It’s one of the reasons why paying ransomware demands can be so wrong. Whilst I know the stated purpose of ransomware is to obtain a fee to release the data and make it available again to the victim, it is also often a cover for a larger stealth attack which steals data without you knowing it.

Ransomware demands on SMEs tend to be very modest, often under 1K, so you have to wonder how many people are being hit to make it profitable.  And the small amounts are why companies often pay up to get back access to their data quickly.  But as I said above, while this is going on the attacker is already on your system siphoning off any personal data you might have, safe in the knowledge that you’re going to pay up and they don’t have to worry about any investigations, even if such investigations are likely to bear any fruit.

But back to the news I opened with.

A criminal online marketplace selling millions of sets of stolen personal information for as little as 56p per entry has been taken down in an international crackdown.

The sting, led by the FBI and Dutch police and involving law enforcement agencies across 18 countries including the UK’s National Crime Agency (NCA), took Genesis Market offline on Tuesday night.

Users trying to access the site were greeted with a page emblazoned with the FBI investigation name Operation Cookie Monster.

The marketplace, one of the most significant of its kind in the world, had 80 million sets of credentials available for sale, affecting two million victims. Details, including online banking, Facebook, Amazon, PayPal and Netflix account information were up for sale alongside so-called digital fingerprints containing data from the victims’ devices. This enabled criminals to bypass online security checks by pretending to be the victim.

Investigators from the NCA carried out a series of raids yesterday targeting around 20 users of the site, with dozens of arrests abroad.

Source – Evening Standard

The Head of Cyber Intelligence at the NCA has said that Genesis Market is one of the top criminal marketplaces anywhere in the world, enabling fraud and a range of other criminal activities online by facilitating that initial access to victims, which is a critical part of the business model in a whole range of nefarious activity.

I am often asked, ‘how do hackers hack’?  Often the first step is to profile businesses and their employees.  There is a plethora of data available on open sources if you google it.  Companies House, for a small fee, can disclose who the key players are, what your last set of accounts looked like etc.  Social Media accounts are another rich source of data, but buying personal information is a quick and easy way of obtaining data and at the cost of 59p a record, also cheap.

This type of attack can be a real double or even triple whammy for an SME.  First you have to fork out to get your data released, then if the data breach becomes public, there is a risk of a very punitive fine from the ICO (check out their website, they publish fines handed out), and there is a very real risk of being sued by those whose data has been breached (check out the no win no fee lawyers out there now advertising their services for anyone who suspects their data has been stolen or made public).

How much better to secure your data and systems to prevent this from happening. The threat landscape has always been ever changing and we have long been playing catch up to the cyber criminals and scammers but working patterns have now changed so much and in such a short space of time, that we have created a whole new avenue of problems for ourselves.  The global pandemic has changed working patterns so that the office is no longer the bastion that it was, and our network boundary is now our laptop, phone, or tablet, wherever we may be working from.

Here at H2 we have been very busy coming up with solutions to meet these new requirements.  We have aimed at driving down complexity and cost and at the same time recognising the ‘new normal’, whatever that may mean for your company, and covering off zero day attacks and ransomware, two of the most dangerous threats to all organisations. But our solutions are aimed at the SME which means they must be affordable as well as innovative and comprehensive.  We think we’ve done just that.

Our solution is based on sound risk management techniques allied with products which work seamlessly together or as individual solutions.  Whether you need one of these, two, three or all four, depends on your requirements and to some extent, your size of company and the vertical you operate in.  Two of these products are very new to the UK market but are tried and tested in other countries, notably the US.  The access management solution has been in use in Europe for some time whilst the anti-malware solution which covers off zero day and ransomware, has been in use in the enterprise market, especially government and CNI for some years and is only now available in an affordable way, for SMEs.
