Data Breaches and their consequences Archives - Page 2 of 3

Disaster Recovery and Business Continuity

I’ve made quite a bit recently about cyber resilience and the focus being placed on computer outages caused by third party suppliers, highlighted by not just the CloudStrike issue but also the ransomware attack on the UK NHS, made possible by infiltrating a key supplier. All of this of course highlights the importance of supply chain security, but my focus today will be all about disaster recovery and business continuity.

Disaster recovery and business continuity are very much connected but are different. The former is basically a plan for when things go sideways—like when a natural disaster hits, a cyberattack happens, or even if there’s a major tech failure. It’s all about making sure that businesses can bounce back and keep things running as smoothly as possible. Imagine your favourite coffee shop gets flooded. Disaster recovery is like their game plan for getting back on their feet: they might have backup equipment stored somewhere, a way to communicate with customers, and a strategy for cleaning up and reopening. In the tech world, it often involves regular backups of data, having alternate servers ready to go, and making sure everyone knows what to do in case of an emergency. The goal? To minimize downtime and get everything back to normal without too much hassle. It’s like having an insurance policy but for your operations—very important for keeping the lights on when the unexpected hits!

However, we need to understand that when it comes to the type of outages caused by supply chain cyber failures as we saw with CloudStrike, there isn’t much a customer can do to recover from that, without fixes from the suppliers. So, in this instance disaster recovery planning becomes a little difficult to say the least.

Business continuity on the other hand, is all about making sure that a company can keep running smoothly when it is deprived of their IT systems, in whole or in part. So, it’s about keeping business running whilst the disaster recovery plan kicks in and gets stuff back online. The idea is to have a plan in place that helps the business bounce back quickly. This includes figuring out which critical functions need to keep going, having some way of operating manually if necessary. Can you place an order, process an order, raise an invoice, pay a bill etc. It’s like having an emergency kit for your business—batteries included! Companies should create a business continuity plan (BCP) that outlines the steps they’ll take during a crisis. This way, they don’t just react on the fly; they can hit the ground running. It’s all about minimising downtime and keeping customers happy. In short, it’s like being prepared for a rainy day—just with more spreadsheets and meetings!

The first thing to decide is what the priorities are regarding business processes. What is essential, what is a nice to have and what you can live without in the short to medium term. Don’t leave it to managers and staff to guess, have it documented. This priority order is determined based on what is known as a business impact analysis (BIA). This determines the impact of an outage on the business and its customers. Don’t ever forget that your reputation is on the line, and you need to keep your customers serviced and happy. Each business process should have recovery time attached to it, ie how long you can do without it before it becomes truly disastrous.

It all sounds terribly complicated and therefore expensive, but in fact, it isn’t. All the information you need to work this out is already in your hands. You know your business best and you know what’s important and what isn’t quite so important. You just have probably never written it down. And that’s the crux of the matter.

Disaster recovery planning addresses the processes, technical requirements and infrastructure an organisation needs to implement to recover data and operations as required by the business in the event of a disaster. The planning process will involve identification of critical business processes, business impact analysis and thus determination of the overall requirements for a cost-effective plan.

Following the disaster recovery plan, business recovery planning is the process that organisations must use to assess appropriate timeframes for business resumption, also allowable data losses and risk tolerances for business disruptions. As stated earlier, it also needs a plan to carry on manually whilst the disaster recovery plan is implemented. Budgetary requirements for infrastructure and processes, to meet the disaster recovery plan, will also be determined by the business recovery planning process.

There are also 2 other key parts to this. Firstly, companies must ensure that their plans are tested, that everyone in the company is aware of them, where they can find them, and what their responsibilities are in this regard. Testing is critical to ensure that processes, systems and business restoration can meet the requirements laid down for them. Where the plans rely on third party service providers and/or indicate the need to support key customers, these should be involved in the testing process. This will give re-assurance that support will be received and/or given as expected.

And then we have key stakeholders. Who in your organisation is responsible for what, regarding disaster recovery and business continuity planning? Do they know their respective responsibilities, have they accepted this? Have you placed this in their job descriptions? Can they be held to this responsibility? Are they part of the planning and testing process? All seems a bit obvious when you say it, but you’ll probably not be surprised to know that it’s often totally overlooked.

Key Stakeholders	Roles and Responsibilities
CEO/Board of Directors	Aware of business continuity processes, inputs as required Approval of business continuity processes and integration with other technical functions – Note 1 Ownership of business continuity processes together with relevant business units – Note 1
Infrastructure (IT operations)	Input into business continuity processes. Consideration of any infrastructure changes which may impact security architecture. Provide inputs and coordination for systems’ resiliency testing and remediation. Provide costs/budgets for systems requirements
Business units	Creation of BIA and corresponding recovery requirements. Budgetary approval.

Note 1 – these two functions would be carried out by a CIO and/or and CISO in a larger organisation, but as most, even top end, SMBs are unlikely to have anyone in that role, then it must be owned by other board members. I hope this is helpful, but it can only be a guide and there is no one size fits all solution.

Still on the subject of Cyber Resilience………

Last week I talked about whether our ability to demonstrate resilience in the cyber field, is impacted by an over reliance on the companies who supply our IT products and services, and whether over time, that reliance has grown to the point where we are ignoring our own responsibilities in this area. I have used the phrase that you can outsource your IT, but you can’t outsource your responsibility. At the end of the day, there is only you and your employees who have the best interests of you company at heart. You wouldn’t tolerate a single point of failure in your business, you would try and ensure that there is resilience built into your business processes. Why then do we not apply that to IT?

It’s a fact, which often goes unrecognised or ignored, that cyber security is not a technical issue but a business issue, and as such much of it is reliant on policy and process. It is also a fact that your employees are both your first line of defence and potentially, your weakest link. Technology comes in in third place. The cyber mantra is People, Process, Technology. If your people don’t have at least a basic understanding of the issues involved, and you do not have the right policies and processes, rolled out to, and understood by all who need them, then all the technology in the world is likely to be a waste of money.

People

Let’s take a closer look, starting with People. Many businesses out there don’t have inhouse IT support but outsource that to an IT provider. That’s fine, you can ensure that your contract with them spells out their responsibilities regarding your security, your data. It then becomes their responsibility to ensure they protect to the standard stated in the contract, and that their people understand their responsibility. However, you still have your own staff who interact with suppliers, customers and possibly members of the public, on your behalf. I’ve discussed in my blogs before that most businesses are more likely to suffer from scams, than they are from technical hacks. Even ransomware can be considered a scam, as can most phishing attacks. The cyber-criminal is relying on someone on your staff to click a malicious link, or access something they shouldn’t, in order to facilitate the scam. Staff often make the mistake of opening malware because they didn’t know they shouldn’t, not because they are themselves malicious or lack common sense. If they fail, it’s often because they haven’t had any training. Likewise, staff can make mistakes, such as copying and releasing data to unauthorised persons, because they didn’t know they shouldn’t. So, whose failures are those, staff or managers?

Cyber Awareness Training (https://hah2.co.uk/cyber-awareness-training-smes/)

It is critical to the success of the cyber-security resilience that the organisation develops a mature culture of understanding and awareness about cyber risks. Above all this is an issue that must be driven from the top of the organisation – unless cyber-security has the full support of the Board it will be impossible to generate the level of commitment necessary to develop the culture of awareness.

Awareness and understanding of cyber risks are so important because these are the essential elements of the “human firewall” that is all that stands between the organisation’s critical IT systems and the clever social engineering tactics of sophisticated cyber-criminals. Such tactics are even more ubiquitous in our “always on” culture that is driven by the social media and applications accessed through smartphones and other mobile devices. Employees need to be aware of the cyber risks inherent in the devices that are part of their everyday lives; and of the damage to their occupation and livelihoods that can be done as a result of ignorance, carelessness or inattention in their use (and abuse) of such devices.

For the security function in an organisation, the development of a mature culture of awareness and understanding is also critical. In order to achieve the shift in thinking needed to develop the culture of awareness, four things are required:

Board and CEO Level involvement and support
Training that is relevant to the job function. Giving technical awareness training to a shop floor worker will have no impact. If lessons from the training can be taken home and used there as well, big dividends will accrue from the reinforcement provide.
Training must be fun. A little humour lightens the load and will brighten the day of employees and mean that they are more likely to remember what was taught.
Training must be continual. It is more effective to do a little training each month than to have a single long session.

Policy and Process

Moving onto to processes now. First and foremost, all companies should have a cyber security policy. It doesn’t need to be more than a page and should lay down what other polices are needed and who is responsible for producing them and keeping them in date. Any of you who have achieved an ISO certification, in whatever subject you needed to, will have had a similar process to go through and if you ever wanted to achieve ISO27001, then you would need to fully understand and comply with this.

The development and documentation of an agreed set of clear and coherent policies and supporting standards, processes and baselines are essential to the success of a cyber-security program. These must be signed off at board level and preferably set within the context of the organisations cyber-security strategy. However, the nature of the policies and supporting elements themselves will, to some extent, also be governed by the risk management controls that are needed in order to manage risk to a level that is consistent with the organisation’s assessed risk, overall risk appetite and budgetary and cost constraints. I talked about risk management last week and that can be found at https://hah2.co.uk/are-we-failing-in-our-cyber-resilience/.

The are 3 elements to this that are essential:

Policy.
Standards and processes.
Minimum baselines.

This may seem onerous and a step too far for many businesses but they are essential to ensure that you are self-reliant and resilient. The whole process need not be that difficult or expensive and it is a lot cheaper than many of the technical solutions managers jump to, without first ensuring that such technologies are actually what is required. We can offer advice and guidance in this area (https://hah2.co.uk/why-use-an-independent-board-advisor/).

Policy is the highest element in the hierarchy – representing “why” the governance controls must be used. Below this, the standards and processes represent “what” needs to be implemented, in order to deliver compliance with the policy. Thirdly, minimum baselines constitute the element that shows “how” the standards and processes should be delivered. Each of the elements is discussed in more detail below.

Technology

Finally, we come to technology. In last weeks blog (https://hah2.co.uk/are-we-failing-in-our-cyber-resilience/ ) I went into more detail about risk management and how we go about putting the right controls in the right place, to reduce our liability to the lowest level we can, without impacting operational resilience. But let’s just reiterate that many of these controls will be procedural and not necessarily technical, or they might be a mix of the two. The message is don’t get hung up on technology, approach it from a risk management point of view, treat IT and cyber security in the same way you would treat any other business process. Don’t get swamped with technical jargon, it’s not that difficult.

Next Week

Another vital piece in our resilience matrix is disaster recovery and business continuity. Not the same thing and I have already touched on this in recent articles (https://hah2.co.uk/you-can-outsource-your-it-but-you-cant-outsource-your-responsibility/), relevant to the current issues around CloudStrike. Disaster recovery is how you plan to recover from a disaster whilst business continuity is all about how you keep the business running whilst you recover your IT assets and data. It’s quite an involved subject and demands an article on its own.

Are we failing in our cyber resilience?

The fallout from the CloudStrike sensor failure, which caused severe outages throughout the globe, is still being felt and will be felt for some time to come. The emphasis has been on recovery but that will start to change, as we focus more on why it happened, and what can be done to mitigate further failures of this kind. I’ve said already, in a piece I wrote last week (https://hah2.co.uk/you-can-outsource-your-it-but-you-cant-outsource-your-responsibility/ ), that we appear to be becoming too reliant on our IT providers, particularly managed services, to ensure that we remain safe and our services can continue, and we aren’t looking too hard at ensuring resilience is built into our systems. It begs the question, is business continuity planning no longer in fashion.

Alexander Rogan of Abatis also wrote a piece that’s worth reading (https://www.linkedin.com/pulse/billions-lost-chaos-lessons-from-crowdstrike-microsoft-rogan-abxde/}. In his article Alexander emphasises the importance of zero trust architecture and processes. What this essentially means is that we cannot afford to trust anyone other than ourselves. Suppliers are there to help and as such they should ensure that their own processes are robust and include thorough pre-production testing, controlled roll outs and good baseline security measures. Where CrowdStrike falls in this regard, will I’m sure, get thoroughly tested in the not too distant future.

The UK Government is also questioning the resilience of business in the UK to cyber threats (https://amp.theguardian.com/uk-news/article/2024/jul/29/uk-desperately-exposed-to-cyber-threats-and-pandemics-says-minister), and in this case a cyber threat is not necessarily confined to security, it can also mean a crash due to a technical or process failure.

In the cyber security industry, there has long been a running war between those that sell products and those of us concerned more with services. Having been in the industry for 30 years, I have seen this time and again and the product sales nearly always win. Why? Simply because services are a hard sell with a long timeline whereas product sales are easier and quicker to achieve. Why would that be? Again, simple, people like to be able to quickly demonstrate a return on investment. They like to see a product, doing its stuff, even when often, they don’t realise how it’s doing what it’s doing, or if it’s the right product in the right place at the right time.

The risk managed approach is the way to go every time. That has not changed at all in the 30 years I’ve been plugging away at it. It’s all about People, Process and then Technology. I often quote Bruce Schneier, a US scientist on the Harvard Faculty, and a thought leader in this space. He says, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. Breaking this down, what he’s getting at is that first and foremost, you must understand the risks that you face and to do that, you have to identify your cyber assets. By that we don’t mean hardware and even software, what we are talking about is your data and the ability to keep your systems online and accessing what your staff and/or customers need to access, when they need to access it. Once you identify your assets, you then need to identify the threats to those assets and how vulnerable you are too those threats. Threat and vulnerability = risk. And by that we mean the risk to the business if it all goes pear shaped.

Once that’s done, we can then allocate a risk score to each asset with the aim of managing that risk down to an acceptable level, known as the risk appetite. That will change business to business, even asset to asset. You wouldn’t for example allocate the same level of risk [to the business], to a revenue earning system, as you would to perhaps a purely admin system that contains no personal data.

This all sounds terribly difficult and expensive, and that’s why many companies simply don’t do it, or maybe they do a subset of it. But unless you do, then it can be very difficult to know for sure that you are spending your limited budget on the right protections, in the right place. In the long run, it can save you a lot of money. This same assessment applies equally to the CrowdStrike problem, or for that matter, any other company that you have in your supply chain. You need to assess what damage they could do to you if they fail, and what you can do to mitigate that damage. It’s very well and good reaching for the nearest lawyer when it’s all gone to hell, how much better to stop it, or mitigate it, before you get there.

How Can We See a Return on Investment from our Cyber Security Spend?

How are businesses improved through good cyber security? It’s a question just about every customer, or prospective customer, of ours asks themselves. They need to see a return on investment, after all, if you don’t see anything tangible for your money, you’re unlikely to keep going down that road.

When my business partner and I set up H2 after we returned from the Middle East where we’d been working for the HP division that was busy merging itself with CSC (been there done that, didn’t fancy returning to it), the whole question of how we could offer something that gave that return on investment, occupied much of our thinking. What services could we offer at a price that businesses were prepared to pay, and what tangible benefits could we offer?

At first, we were purely a services company, proudly product agnostic, recommending the right products for the right solutions for the right customer. Not at all altruistic, but rather we felt that was the right thing to do be doing. Like many people we didn’t see COVID coming around the corner like a freight train. The pandemic didn’t just change how we would be delivering our services, it changed the whole market, it changed working practices, which are still evolving. That meant that we had to change or die. A stark choice but not one that could be avoided or put off. Like many businesses we had to reengineer the business from the ground up whilst still providing services that customers wanted and could see a need for.

An interesting google search is finding out what businesses are researching online. I was quite surprised to find that the question ‘what is a cyber-attack?’, is the most searched phrase, by a long shot. This suggests that many are still confused as to what a cyber-attack actually is. Breaking that down, its probably not all that surprising because of all the various types of cyber-attack that are constantly being rammed down peoples’ throats and I think the cyber security industry needs to take responsibility for that. There’s a big difference between education and propaganda. FUD (fear, uncertainty and doubt) is a common method used by many to sell security. Personally, I’m not in favour of doing that. I like to educate, not scare.

Other subjects being searched for are ransomware, phishing, spoofing, cyber threats, insider threats and cyber awareness (there are more but they’re a long way down the list).

What people want to know hasn’t changed all that much, neither has the types of threats. What has changed is how those threats present themselves, how the methodologies have changed in order to match new technologies and working practices, particularly the move to remote or home working and the additional threats that this poses. AI is making a big impact already and that impact is going to get bigger as time goes on. Email spoofing for example, that is faking an email purporting to come someone legitimate in order to get someone to take some action that is in some way fraudulent, is now being done over the phone with AI being used to fake someones voice. It’s a scary development and there are now several well reported instances of this happening in the US. If it’s happening there, it’s only a matter of time for it to happen in the UK and across Europe.

One of the first services we offered was the Cyber Maturity Assessment and our very first client took that service. Our brief was to examine their Cyber Security and Data Protection posture, including policies, processes and technical configuration and controls. They were pleased that our assessment was very comprehensive in discovering the threats and vulnerabilities to their systems and that we described them in terms of business risk. We developed comprehensive policies and processes that were all encompassing and designed to fit in with the style and presentation of their employee handbook. All good but it required us to attend their site for a couple of days which was, at one time, normal and acceptable but in terms of the ‘new normal’, not so much.

Whilst we still offer that service, remote services are much more popular and much more in keeping with how businesses are now operating. It doesn’t much matter where their staff are working, home, office or on the move. What matters is that their protections are maintained regardless.

As we developed our new offerings we researched and came up with solutions that do just that. We adopted Software as a Service (SaaS) and found some very innovative solutions that we can use to provide a managed security service to our clients at a very affordable price.

Returning to our first paragraph, how do we show a return on investment? Using our SaaS platform, we offer a 14 day free trial during which we can show a client where they currently stand and then carry out some quick remediations to show how that can be improved, so that the client can see the value of what they are going to get, using their own data. It works and I commend it to you.

Check it out – https://hah2.co.uk/

WHAT IS MANAGEMENTS ROLE IN CYBER DEFENCE?

As I move around talking to business leaders of all sizes of company, one thing stands out. And that’s that there are many different views as to how involved management needs to be in cyber defence, and some of these views are markedly different. They range from a very hands off approach, happily leaving it to their IT support, to, and it has to be said, a minority, who see it as their responsibility.

Arguably one of the most, if not the most, important roles any CEO/MD/Chairman (call him or her whatever you like and for the purposes of this article I’ll stick with CEO) is to set the importance of cyber defence in everyones mind. The tone has to come from the top to be accepted and effective. When cyber defence is clearly prioritised by the CEO and the Board, it assumes an importance in the mind of the employees. It is crucial that everyone from the CEO down understands the impact that a cyber breach, or a scam, or a cyber based fraud, can have on the bottom line.

This also aligns cyber defence and data protection with the business goals. Cyber defence is a business issue, not an IT issue. It’s crucial that all clearly understand this and how it should be woven into the very fabric of the business. The CEO and the board have a clear perspective on the company’s strategic goals and direction. By their involvement with cyber defence, they can ensure that it is aligned with the broader business strategy to fully protect the businesses data and systems. It aids with budgets for cyber security tools, training and personnel, addressing the threats to the business.

CEOS might need advice and guidance but their involvement is essential and will help to identify some issues which may not be clear to employees, especially technical employees. One such is reputational damage. The damage to a company from a data breach may not be immediately clear. But once it hits the press, or once the company becomes subject to a fine from a regulatory body such as the Information Commissioner, the word tends to spread. If you can’t be trusted to maintain a level of confidentiality, can you be trusted with other things? Doubt spreads and can destroy vendor, customer and partner relationships.

Cyber defence begins with risk management. Managing cyber risks is no different to managing any other business risk. There is no business without risk, the trick is to manage your risks down to a level that you are prepared to accept, known as the risk appetite. This must involve the CEO and directors and business managers. Each knows what could damage, perhaps catastrophically damage, their part of the business. IT staff don’t have this knowledge, their focus is often on the technical risks, not the business risks.

Risk management itself begins with a clear cyber defence and data protection strategy. Depending upon the size of your business, some elements of the suggested strategy below, may not be relevant to you. This is offered as a guide, not an absolute.

Figure 1- Suggested Cyber Strategy Framework

To help in defining your strategy, you need to undertake a risk analysis which will inform the selection, deployment and management of Appropriate, Affordable and Accreditable (if required) controls.

Appropriate in the sense that controls need to support rather than hinder business process as well as being capable of achieving their goals. Your controls also need to be appropriate to your business. Affordable may seem self-explanatory, however in the context of cyber security controls and overall budgetary constraints, return on investment is as important as cost effectiveness. Accreditation to agreed cyber security standards – of which there are many, is crucial for all organisations. Being able to provide a trail of evidence which demonstrates on going compliance to selected standards is essential in times of crisis.

Having got this far, we need a risk treatment plan to match the identified risks. What you’re trying to achieve here is to manage the risk down to an acceptable level. Don’t get bogged down in trying to eliminate risk, you won’t succeed, but rather get the risk down as low as you can. Don’t make it too complicated, identify your risks as High, Medium and Low. Then manage the high risks down to Low, followed by the medium risks. You do this by applying controls, be they procedural or technical, to the risk and measuring the outcome.

It sounds complicated and you may need guidance, but once done and adhered to, it provides peace of mind to you, that you have done what you need to do to get your Cyber Defence in place.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.

To learn more about the services we provide please click here https://www.hah2.co.uk/

Please feel free to give us a call or email.

Alternatively book a demo on our Calendly link https://bit.ly/3yoT0qi

T: 0845 5443742

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Trust H2 – Making sure your information is secure

Cyber Security Defence

When you are an owner or director of a company, you will have to face many challenges starting from employing the right people to protecting the sensitive data regarding the company, your workers, suppliers and clients, who buy products and services from you. Nowadays, data leakage prevention is essential in every business. Last week I touched on cyber security strategy, and I’ll expand on that a little more in a week or two, but I’ll just reiterate here that cyber security and data protection are inextricably linked, both practically and legally. They apply equally to the large corporate entities and SMEs alike. It’s purely a matter of scale. So, let’s dive in and learn more about the security and data protection services that you may wish to consider, having first identified your risks and come up with what is called a risk treatment plan, ie a plan to remediate the identified risks to an appropriate level, taking account of the residual risk that your organisation finds acceptable.

Cyber Security Defence – What Are the Most Common Services?

The Insider Threat

There are a lot of actions that can be taken regarding cyber defence. You need to cover both external and insider threat detection. We need to simplify, and where possible, automate our responses and solutions. The more complicated we make it, the more chance of it becoming a liability rather than a solution. The insider threat is one that is often misunderstood and in fact, often ignored. It is one of the most fascinating and alarming aspects of cybersecurity! It refers to the potential risks posed by individuals within an organisation who have access to sensitive information and can misuse it for personal gain or to sabotage the company. These insiders could be employees, contractors, or even business partners who have intimate knowledge of the company’s processes and systems. It’s like a real-life spy thriller unfolding right within the walls of your own organisation! The challenge lies in identifying and mitigating these risks before they cause serious damage. It’s an adrenaline-pumping game of cat and mouse that keeps cybersecurity professionals on their toes! It is important to note that many insider threats come not from any intended action by an employee, but rather a mistaken action taken by an employee who didn’t know they shouldn’t do whatever it is they had done. It’s a primary reason why cyber awareness training is so important. I can’t stress enough how important a comprehensive campaign of such training is.

To protect against insider threats you need, as well as awareness training, a good mix of procedural and technical security. You need a sound access control policy that clearly lays down how to onboard an employee, what access to allow, and how to protect against employees gaining privilege they don’t need and shouldn’t have. That policy should also cover off-boarding when an employee leaves. Here at H2 we have partnered with Cyber Elements to provide solutions to provide the correct provisioning in an easy to administer way.

External Threats

These are the threats that everyone thinks of when the subject of cyber security comes up. It can be very easy, such as identifying and blocking a virus, or it can be very complex. It all depends on the size and range of the problem. For example, ransomware protection. We have partnered with Platinum-HIT (UK) to provide the HDF concept. This provides a unique approach to anti malware and provides a good level of ransomware, and indeed, phishing, protection. On any computer system, data is stored either as non-runnable information data or runnable application programs. Malware is a type of runnable program with undesirable behaviours. HDF prevents malware infection by stopping malware program files from being stored and run on a computer. Simply put, if a program can’t run, it can’t infect your system. This does require a period of examination of your system to identify what does need to run, to run the business, and that is provided within the product.

We have introduced a fully managed proactive cyber defence solution that complements our data protection solution, described below, whilst remaining able to stand alone, in the unlikely event that the data protection element is not required.

In the dynamic world of cybersecurity, staying ahead of evolving threats requires a comprehensive approach that adapts to the ever-changing landscape. At H2, we recognize that one-size-fits-all solutions often fall short, which is why we’ve developed a flexible and scalable cybersecurity solution powered by Guardz, to address the needs of our clients.

Our approach is grounded in sound risk management principles, ensuring that our solutions are aligned with your specific cybersecurity requirements. Whether you need one or more of our solutions, we can tailor an approach that meets your exact needs and budget.

I talked earlier about the symbiotic relationship between cyber security and data protection, which of course includes data leakage prevention, data privacy and compliance. Once again, we have this covered. Our data protection solution is very comprehensive and looks not just at the technical, but also at the procedural aspect of data protection, from providing a virtual data protection officer, to writing and/or reviewing your policies and processes, to identifying where your data actual is, what it’s status is ie sensitive or non-sensitive, and provides the ability to encrypt the sensitive data in order to reduce your risk. If you have a data leak and the data is encrypted, then you are significantly reducing any risk.

Summary

All cyber security defence solutions are designed and implemented in collaboration with the client, during a trial period that consists of between 14 and 30 days, depending upon the solution. All actions can be performed remotely and online and there is no requirement for us to be on site, thus reducing time and expense. Additionally, all solutions are based on SaaS and therefore there is no expensive infrastructure or hardware requirements and being cloud based, it provides the additional advantage that it can monitor and protect end points regardless of where they are, in the office, on the move, or at home.

What’s the advantage of using a cyber defence managed service?

This will differ company to company, and some will have more of an issue, certainly regarding the protection of what is known as Personally Identifiable Information or PII, as defined in the Data Protection Act 2018. Each must decide what their threshold is for residual risk, ie what risk is acceptable to them, once protections have been put in place.

Professional cyber security staff are, currently, difficult to source. There is a global shortage of experienced personnel. They are also expensive to employ. You could also argue that there isn’t a full time job for more than one or two, in many organisations. It therefore makes both operational and financial sense, to outsource at least some of your security operations.

DATA PROTECTION – HOW BADLY COULD I BE HIT?

How does data protection effect SMEs?

Data Protection, a somewhat dry subject that many companies, particularly SMEs, think they can get away from by simply paying a bit of lip service. The Data Protection Act 2018, or as it has become known, UK GDPR, is far from a toothless beast and can cause businesses to find themselves in all sorts of problems if they’re not careful.

Businesses that you might not think about, like Estate Agents, hold large amounts of personally identifiable information or PII, that is information that can identify a living individual.

Are SMEs subject to punitive fines?

Not so long ago a London estate agent was fined £80,000 by the Information Commissioner’s Office (ICO), after leaving the personal data of more than 18,000 customers exposed for almost two years.

The incident occurred when the estate agent passed the details from its own servers onto a partner company. An “Anonymous Authentication” function was not switched off, which meant there were no access restrictions to the data.

It’s surprising just how much PII estate agents hold. Just think about what they ask for when you’re buying a house. In this case the exposed details included bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.

But in some cases that might not be the end of it. Individuals can sue companies that release data into the wild. In fact, there are now law firms advertising no win no fee when representing these cases. Remember that data breaches almost always involve multiple people, sometimes hundreds if not thousands of records.

What size does a business need to be for the regulations to apply?

The regulations apply to all businesses large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it’s a regular activity, concerns sensitive information or the data could threaten an individuals’ rights. Just exposing PII can threaten an individual’s right to privacy.

Just about everyone processes personal data of some sort. Data that can identify a living individual. HR data will have bank account information, home addresses, NOK, phone numbers, maybe references from previous employers. The exposure of some or all of that could be judged as prejudicial to an individual’s rights. Some companies may have bigger problems, for example Solicitors, Estate Agents, Financial Advisors and Recruiters (the list is not exhaustive), which hold an abundance of personal data about their clients, much of which, under other legislation they are required to retain for up to 7 years.

Do I need written policies and processes?

Yes – What this means is that a significant number of policies and processes will need to be written and taken into use by the organisation. It is not unusual for many to visit the web and download templates to cover their requirements. However, whilst these templates in themselves maybe adequate when used by someone who knows what the requirement is, they may be less than effective in the hands of someone who is just looking for a quick tick in the box.

How is GDPR effected by cyber security?

The Act requires personal data to be secured by ‘default and design’. This means that cyber security requirements must be designed into your protections. This could mean at least another 6 or 7 policies and procedures.

How can I keep track of all my PII holdings and keep it secure?

When we are first approached by a prospective client and we begin our offer of a 30 day free trial to examine their requirements, one of the first things we find is that they don’t know what data they are holding, or where it all is. Oh, they have a general idea; it’s on the cloud server(s), it’s not on laptops or desktops, it’s just the stuff we need to process our clients’ requirements and yes, we’ve only got one copy. And then we install our software that first carries out a discovery exercise and we discover that their laptops/desktops are holding lots of copies of the data that is on the cloud server(s). How does that happen? Over time, especially with many now employing the hybrid system of working, ie between the office and remote (home) locations, employees log on to the cloud, find they have a bit of shaky internet link and download the data they need, work on it and then upload it again, forgetting to delete it from their machine. Or they need to share it and attach it to an email and send it out, forgetting, or perhaps not realising, that the data is now stored, attached to an email, on their email server.

Then comes the issue with audit trails. If the ICO ever wanted to carry out an investigation, then having an audit trail of who created/copied/deleted/forwarded what to who, is essential. And let’s not forget the member of the public who is fully entitled to submit a Data Subject Access Request or DSAR, which demands that you reveal what data you are holding on that person. The law insists on it, and you can’t refuse it. I know of a financial firm that took nearly 3 weeks to satisfy a DSAR, taking an employee off billing, for that time.

Are there solutions suitable and affordable for SMEs?

We have a solution that meets the requirements and not only that, has a built in encryption system, all within the same monthly cost. It’ll cost you nothing to trial it and we’d be very surprised if once you’ve seen it and seen the ridiculously low monthly charge for the managed service, you don’t want to keep it.

Check it out at https://hah2.co.uk/gdpr-data-protection/

Cyber Security Benchmarking

As long as I’ve been in this industry, clients have always had a thing about benchmarking, particularly those in the higher echelons, who are naturally driven by maturity, budgets, and the frequency of cyber breaches in their industry. It’s often how they decide their spend. Fair enough. In the SME world it’s perhaps not that formalised but is still a thing. An SME owner wants to know what other people are doing to try and gauge what they should be doing.

I talked, in a post last week, about conformational bias, which is a posh way of talking about the herd mentality and benchmarking falls loosely into that bracket. What we’re actually talking about is the need for reassurance, deflecting plain discomfort, around the proposal to spend money on something that often seems a little esoteric to many.

Of course, not every situation, or every company is the same. Their cyber maturity and risk appetite will often drive different approaches to a similar problem. One company might have a heavy focus on data protection. For example, an accountancy firm, a solicitors, even an estate agency, might assess that a serious data breach involving the Information Commissioner, could, potentially, put them out of business and they would therefore make this a number one risk. On the other hand, a manufacturing company may consider this a risk, but of less importance than say, their designs for their next improvement to their product line.

So how good is a benchmark? Well, it’s a guide, but that’s all it is, and you might think that if you’re close-ish to that guide, and you have an understanding about why you’re not closer, then that is probably OK. What I’m saying is, don’t take an industry benchmark to be gospel, it isn’t, and basing decisions on what is essentially anecdotal evidence, isn’t, in my opinion, a very good basis for making that decision.

This is where building relationships with suppliers is essential for an SME. Trust must be established, especially when dipping your toe in to the murky depths of cyber security. Let’s face it, most people don’t understand it and people don’t trust what they don’t understand. Finding a cyber security company that is happy to work with SMEs is not easy, especially one that isn’t wedded to technology as being the only answer to a problem. Process and procedure can be just as effective as technology in certain circumstances and of course, is much much cheaper. And let’s not forget cyber awareness training, still the cheapest quick win any SME can take to offset the risk of a data breach or scam.

All this is easy to say, but just how do you find a cyber security company you can trust? I vaguely remember hearing the saying that you have to kiss a lot of frogs before you find your prince. But in this case, you can’t afford to do that. Time is not on your side but in doing your due diligence, you still need to be cautious.

What are you looking for? I would suggest:

Proven track record. Look into the past of the ownership of the company, not just the employees.

Their approach. Do they lead with technology? If they do, walk away. Do they take a risk managed approach? That’s what you’re looking for.
Do they talk in jargon, trying to baffle you with science? If they do, walk away. This subject can be explained without getting into technicalities. You want something that addresses threats to your business, and they should demonstrate they understand that.
Do they talk about the FUD factor. Fear, uncertainty and doubt. What they’re trying to do is to scare you into buying. Giving you the facts is one thing, FUD is completely different.
Have they taken the time to fully understand what your business is about, what it is that drives your revenue, what is important to you and what is not so important?
Do they see you as a long term partner or a quick revenue win? Can be difficult to assess but it is crucial to building the trust I talked about earlier.

Of course, this is not an exhaustive list of criteria, and you’ll almost certainly have things you want to add, and maybe things you will discard. But whatever route you take to build that trust, it is essential to your protection and peace of mind in what is becoming a very dangerous online world.

Data Breaches – How bad could it be?

“Fujitsu Hacked – Attackers Stolen Personal Information”

Fujitsu confirmed a cyberattack that led hackers to steal personal data and customer information.

Now there’s a headline to put fear into their customers, both current and potential. Not a great look for one of our premier IT system integrators and manufacturers.

But what’s that got to do with me you say? I don’t have any Fujitsu kit and I’m way too small to feature on the radar of a hacker or team of hackers, that would target someone like this. OK, maybe true, maybe not so true.

Did you know that since 2005 the Information Commissioners Office (ICO) has ruled on 13,500 freedom of information and environmental information cases. Many of these would be classed as SMEs and small government departments, particularly local government. Last year alone, 86 enforcement actions were taken which included 37 reprimands, 24 enforcement notices, 23 monetary penalties and 2 prosecutions. Fines of around 80K are not uncommon, and a fine of that size would be a severe blow to an SME. The ICO has issued fines totalling £590,000 to five companies for collectively making 1.9 million unwanted marketing calls which targeted the elderly and people with vulnerabilities.

Fines and enforcement notices cannot be hidden, they are published on the ICO website for all to see, which can have an impact on the reputations of companies, adding to the pain of any fine caused by a unwanted marketing calls or data breaches.

In practice though, the ICO is not there to put you out of business and the chances of a fine of anywhere near the maximum, being applied to an SME, is low but not impossible.

It is, for most SMEs, about doing what is reasonable to prevent a data breach. That will include having the right policies and procedures, known to all staff, and rolled out. Don’t play lip service to this, you will be found out. It is important to be aware of the threat and take the necessary actions to prevent breaches.

Lack of adequate data security is an important basis for imposing fines. Are you one of the SMEs who has swallowed the line that a firewall and some anti-virus, plus cloud storage, is all you need?

In addition to inadequate security, one of the frequent reasons for imposing a penalty is failure to report a violation despite the obligation under the law. Have you got that covered with an adequate policy and process in place and understood?

This can all be a real nightmare for many SMEs, particularly those with a large amount of personal data, much of which they can’t ditch. For example, financial data which under other legislation, they must keep for 7 years. I’m thinking about Estate Agents and financial advisors, even solicitors who I find are very good at telling others what they need to do to comply with the Act but aren’t so hot on how to do it.

One of the biggest issues I find with SMEs, is that they often think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set. This has become a real issue since COVID, in that remote working is becoming normal and it’s a real temptation for an employee, working from home with possibly less than robust broadband, to copy data from cloud storage to their PC or laptop to ensure they can keep working on it. Then they upload it again when they’ve finished but forget to delete their copy. That’s just one instance but it is vital to understand where all this data is. What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why. I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person. But under the law, they had no choice but to bite the bullet.

We’ve been pondering these problems for some time, and they boil down to processing and storing the data securely and being able to quickly lay your hands on it. There are several systems on the market which will capture where your data is, and who has access to it, generally under the banner of Data Loss Prevention, or DLP. These systems are based on an event-driven approach and require extensive ongoing rules management built for LAN/WAN perimeters and are becoming much less effective working in an increasingly perimeter less environment.

Local and Wide area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premises repositories (File Server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like slack or WhatsApp), and 3rd party portals. We needed an answer to this new data landscape with a cross-platform discovery functionality, coupled with the data flow monitoring capabilities.

We came across Actifile, which works very differently to a standard DLP, which in any case, often requires other tools to provide the security functionality needed. Actifile is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in the world of no security perimeters. Moreover, Actifile’s set and forget method, requires little to no maintenance, and can be up and running securing data, in less than 3 working days providing a detailed breakdown of the data risk and leverages the data risk for data flow monitoring, auditing and remediation. This approach greatly simplifies the process.

Actifile is a cloud-based management platform coupled with a lean agent for workstations (both Windows and Mac), File Servers, NAS and Terminal Servers, and a sidecar docker instance for cloud-based file shares (. i.e., OneDrive).

Step 1: Data Risk Discovery and Quantification

Based on predefined privacy regulations and PII definitions, Actifile immediately starts scans for sensitive data using smart patterns. Actifile then quantifies data risk per PII type in local currencies.

Step 2: Data Risk Monitoring and Auditing

Tracks and audits data risk in real-time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organization.

Step 3: Data Risk Remediation by Encryption

Our patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption takes as little as 72 hours.

Finally, and importantly, it is very light on administration, quick to set up and we are offering a 30 day trial at no cost. If you don’t like it, we take it away.

Another Tilt at AI

At the risk of boring you about the risks inherent in AI, I’m going to have another go, simply because it’s a fascinating subject. AI can really become the gift that keeps on giving. We’ve always played catch up to the cyber criminals, trying and often failing to anticipate what the next attack will be, what the next series of attacks will be. Will it be ransomware, denial of service or perhaps a new and more sophisticated scam? Who knows? But there is no doubt that AI is raising the bar.

I have talked a lot about the re-emergence of the script kiddie and how AI in enabling this particular breed of wannabe criminals. But it’s also true that the more skilled and sophisticated criminal is making use of AI and finding new and innovative ways of relieving you of your hard earned cash.

There is a lot going around within the IT and cyber industry about the ethical usage of AI, its ethical development, and that IT system integrators have a cast of thousands working on such ethical development and usage. Fine, I applaud them. But what does that mean for cyber security, and indeed data protection? Well, I have to say, in my humble opinion, not a great deal. I say that simple because no matter how ethical we are, the criminal doesn’t give a damn, he or she will continue on their own sweet way and do what criminals have always done, which is to completely disregard ethics. So, whilst we can applaud and support those companies who are producing software and systems which use AI ethically, for the good, but just like old times, the criminals will do their own thing.

So, let’s take a look at some of what is at risk in terms of our data and systems:

Data Protection. AI systems tend to be extremely good at analysing, organising, and harvesting vast amounts of data, raising concerns about privacy breaches and unauthorized access to sensitive information. A good AI powered attack could capture huge amounts of personally identifiable information (PII), in a ridiculously short amount of time.

Data Integrity. In the good old days (please indulge me – I’ve been around a long time), we used to talk about CIA, no, not the infamous US intelligence agency, but Confidentiality, Integrity, and Availability. We now have something we call the Adversarial Attack. This is where attackers can manipulate AI algorithms by feeding them misleading data, causing them to make incorrect predictions or classifications, in turn destroying the integrity of your data, not just rendering it useless, but dangerous.

Model Vulnerabilities. This next one is relatively new, at least to me, and as I never tire of saying, I’ve been this game as long as there’s been a game. It’s something call Model Vulnerabilities. AI models can be vulnerable to exploitation, such as through model inversion attacks or model extraction, where attackers can reverse-engineer proprietary models. So, if you’re in the dev game, this is a very real nightmare.

Bias and Fairness. AI systems may inherit biases from training data, leading to unfair or discriminatory outcomes, which can have legal, ethical, and reputational implications. This could be used as another form of extortion, playing with the integrity of your data, to the point where you can no longer trust it.

Malicious Actors. These can compromise AI systems at various stages of development, deployment, or maintenance, posing risks to organisations relying on these systems. This has a play in supply chain security.

Attackers can leverage AI techniques to enhance the effectiveness of cyberattacks, such as automated spear-phishing, credential stuffing, or malware detection evasion.

Addressing these risks requires a multi-faceted approach, including robust security measures, thorough testing, ongoing monitoring, and regular updates to mitigate emerging threats.

The real danger is complacency. AI isn’t a future hypothetical threat but is very real and here now, already making itself felt, for both good and bad.

Data Breaches and their consequences