Data Breaches and their consequences

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

How one SME coped with the fall out of a cyber attack

We talk a lot about how to protect ourselves from cyber-attacks and the potential for how easy or difficult it is for cyber criminals to attack companies of all sizes and types, but we don’t often describe real events which could impact those companies until they actually happen, and then, we often only get the information that they want us to have.

So, we thought we’d try and do just that, albeit in a sanitised way (with permission) to protect the privacy of the company involved.

Background

The target was a small. To medium sized design agency based in the UK. They manage branding and marketing materials for a significant number of clients, many of whom share confidential product data and campaign details before public release.  And of course, the company held their own confidential data regarding their operations, finances and personnel.

For years, this agency relied on a mix of free antivirus software, shared passwords, and basic email communication. Like many SMEs, cybersecurity wasn’t seen as a priority until the day that all changed!

So, what happened?

One Friday morning, a manager noticed that all shared project files on their network drive had strange extensions and couldn’t be opened. A ransom note appeared on every folder:

“Your files have been encrypted. Pay x amount of Bitcoin to recover them.”

  • The team had been hit by ransomware.
  • Their business was paralysed, and they couldn’t access their admin and finance systems or their client work, deadlines loomed, and panic set in.

The IT contractor confirmed the bad news: a staff member had unknowingly clicked a link in a fake invoice email that mimicked a well-known supplier. The malware spread across the network overnight.

At this point many companies fall into complete disarray simply because they haven’t got a disaster recovery and business continuity plan and they have no way of operating their systems manually.  Management will be demanding to know how long they can manage without their IT systems and how long it will take to get everything up and running, without paying the ransom.   The IT company will be pressured about backups; are there any and if so when can they be restored, which is when of course they realise that without their systems, there is nothing to restore the backups to.

The IT company confirmed that they did have backups stored off-site as part of the contract but that daily backups were stored on site and that the onsite backup server was also compromised, and the off-site backups were taken once a week, which meant that as by this time it Tuesday, the off-site backups were 2 days old.  But much better than nothing.

The problem remained that they had deadlines to meet and if they didn’t want to lose clients and have their reputation in their industry shattered, they had very little time.  Reluctantly the management made the decision to pay the ransom which meant they had to go cap in hand for extra funding as they operated on tight margins and the ransom in pounds was close to £150k.

This got them back online and saved their projects and reputation but at a cost that really hurt and not just in financial terms, but in their pride as managers.  It really stung.  They knew that had to bite the bullet and take cyber security seriously.  They realised that their local IT company, although excellent in keeping their network up and running efficiently as well as providing their hardware and software, and kept strictly to the terms of the contract, was not going to protect them to the level that they needed.

The rebuild

Having got everything back up and running they were seriously worried that they might get hit again quickly, before they had a chance to sort things out.  There was no room for complacency but at the same time they had to go forward with a strategic plan.  So, they brought in a specialist cybersecurity company who guided them through a strategy to not just recover, but to protect themselves going forward.

One of the first things they learnt is that cyber security is a business issue and not a technical one.  Management must own it and understand it.  It starts with people, having the right people in the right place who understand, at least at a high level, the issues and how to take basic precautions to protect themselves and the business.  Then comes policy and process, coming down from the top, regularly reviewed and updated by management, and promulgated to all staff with regular reminders.  Once that’s in place we can look at technology.  Noone had articulated that to them before.

The first thing their new cyber partner did was to devise a high-level strategy that the company could adopt going forward.  They explained that it needn’t be complicated and in fact, the simpler and easier to understand, the better.  Keep tech jargon out of it and use plain English.  They came up with a plan which identified some quick wins to protect them quickly, before coming up with more detailed projects that could be phased in over time.

The quick wins were:

  1. Cyber awareness training for all staff including management.  Let’s make sure no one ever clicks a link they shouldn’t.  The training should be done at induction and then refreshed regularly throughout the year.  It can be run by the HR staff or a HR company under contract if that is the case.
  • Produce policies starting with a high-level policy signed off by the CEO which clearly outlines everyones responsibility for cyber security and who is responsible for the detailed polices which will underpin this top-level policy.
  • Enforced multi factor authentication (MFA) for all logins and a password manager to replace the spreadsheets they were using.

This is then followed by more detailed projects phased in over time.  The phasing helps to ensure that there is not too much disruption to the business operations and that staff can be carried along with it, ensuring their buy in.  It also helps to make sure that it fits in with the company budget and doesn’t hit the bottom line all at once.  It included:

  1. An examination of the contract with the IT company and making any revisions that might be necessary.  For example, the back-up regime.
  • Migrated to a cloud-based file system with built-in versioning and encryption (in this case MS365 was chosen which is a favourite go to for SMEs and was offered by their IT support company).
  • Every employee completed simulated phishing exercises as part of the awareness training.
  • A detailed incident response plan was produced which clearly detailed who was responsible for what, who to contact and what to do, in a prioritised order.  It also outlined a business continuity plan written by departmental heads, showing how the company would continue to operate whilst systems are recovered.
  • Identification of assets, i.e. databases, client information, HR data, financial data, project plans etc, to prioritise what data needs to be protected to what level.
  • Identity and access management review with a view to moving to a zero-trust access control system.
  • Consider applying for cyber essentials certification.

The Outcome

Within six months, they were back on track and stronger, much more resilient. They were, like most companies, hit with phishing attempts all the time but their employees were trained to recognise them instantly and knew who to report it to. No one clicked the link.

Clients noticed the change, too. The company started to include a short “data protection and security” statement in their contracts, which won them new business. Larger clients trusted them more because they could prove their cyber resilience.  They were now committed to Cyber Essentials and would include that logo on their website and advertising as soon as they qualified.

The big lesson

Their experience shows that cybersecurity isn’t just an IT issue — it’s a business survival issue.  Even small steps, awareness, MFA, and secure backups, can transform an SME from a target into a resilient organisation.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Working Practices

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target and there are a ton of statistics available which shows that SMEs globally are a very real target for cyber-attacks and can in fact, be very profitable for cyber criminals.  There are a lot of reasons for that but one of the top reasons is that typically, SMEs spend very little on cyber defence and generally have very weak defences.  Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault.  Most are focused on their core business, trying make a quid or two and are pressed for time.  They tend to rely on whatever company, usually local, that supplied their network, hardware and software, generally on a retainer.  The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then, not necessarily the right technology.

When it comes to cybersecurity governance and management, there is no “one size fits all” approach.  In today’s threat landscape we need to fully understand that cyber security is not a purely technical problem, focused on hardware and endpoint protection and on operations within the organisational perimeter.  Today we are dealing with cloud storage, in office and remote working, data at rest and in transit, involving security at every point along the route.

It is critical that someone within the organisation has to take responsibility for cyber security and that person must have a seat on the Board. A Board-level response is not just appropriate; it is essential.

Secure by default and design

Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to the cloud of some sort, very possibly for SMEs, MS365, but when the design was done, there wasn’t a full risk assessment undertaken which is a requirement to underpin that design.  In other words what we in the cyber security industry refer to as Security Architecture Design (SAD), wasn’t a prominent consideration.

Not unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else.  And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

      2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

      3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

      4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

      5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

      6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

      7. Collaboration with external partners: Establishing a partnership with cyber security company that understands the issues that affect SMEs and who themselves can establish a solid working relationship with the IT provider that is providing and administering your network and IT resources, will enhance your protections, significantly improve your employee and managerial awareness of the issues, and provide you with the peace of mind you need, allowing you to concentrate on your core business.

      Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Risk Analysis and Security Strategy Working Practices

      Cyber Maturity

      What do we mean by cyber maturity?  It’s not just about the protections you may have in place, but more about how well your organisation understands the importance of it and its place in your overall business strategy.  It is after all a business issue, not a technical issue and needs to be treated as such. Modern security solutions are increasingly complicated and challenging. These complexities change all the time and with the changes in working patterns and the introduction of AI now at the hands of the cyber criminals, they require a broad understanding of cyber security. Very few SMEs possess this level of expertise and can find themselves struggling to protect themselves and rectify security risks discovered within their business. In a climate of frequent, and potentially devastating, malicious activity organisations need targeted, rapid remediation and effective solutions. In doing this they will improve specific areas of their security systems, reduce their level of exposure and minimise potential losses, which can be very significant.

      Many small and mid-size businesses struggle to combat the threat that cybercrime poses. A simple piece of malware or a social engineering event, can result in the loss of sensitive company and client data, disrupt business and waste staff time. Such incidents are commonly sensationalised by the media, causing client defection and damage to hard-earned reputations, resulting in significant loss of business.

      I’ve described the risk management process before, and I know it can be a bit daunting, and many would fear it’s costs and complexity.  That is why we have designed and taken into use the Cyber Maturity Assessment (CMA), specifically for SMEs which will enable them to go down the risk management road at a pace and price they can afford.  The CMA is designed to obtain a view of where a client sits currently in terms of their Cyber Security posture. It is obtained from the results of interview with the staff, examination of current policies and procedures, including their effectiveness, security architecture and technical controls, and observations to gain an understanding of cyber security by management and staff. It is designed to provide a report which shows a client exactly where they sit in terms of Cyber Risk in a way that is demonstrable and east to understand. It gives a client a starting point from which H2 consultants will be able to scope any problems.

      What Does a Cyber Maturity Assessment Give Me?

      In brief, the CMA is designed to:

      • Understand and define the target state of the system i.e., where does the client want to be in terms of Cyber maturity – in defining the target state there must be a clear understanding of the business drivers, future business demands and business dependencies affecting the organisational area under examination.
      • Understand the current level of Cyber maturity – At this point the matter of cyber maturity will be a somewhat subjective view, obtained from the results of interviews with staff and initial observations by H2 consultants. This element is not intended to replace a detailed understanding, but to provide an initial view and start point, from which H2 consultants will be able to scope the problem and recommend any remediation required, in a phased way.

      We measure both the starting point and the end point using the Carnegie Melon Cyber Maturity Model.  I know other consultancies will use other models for this, but this is one that we have found to be effective, both for SMEs and in the corporate world.  It looks like this:

      I mentioned earlier that this is something used in the corporate world and whilst that’s true it is a matter of scale and need.  Most corporates would have the requirement and budget to aim high, say at around CMMI4 (5 is rarely hit).  For most SMEs that’s a step too far and as a rule of thumb, when we do this, we tend to find we’re starting at around 0.8 to 1.5 with the aim to get to CMMI 2 as soon as is feasible, with the end game at CMMI 3 which is affordable for most SMEs if a phased approach is taken.

      At the end of this initial process and SME is rarely able to just jump in and accept the recommendations and get on with fixing them.  It can be a complex issue requiring a hard look at their staff in terms of cyber awareness training, their policies and processes and their technical solutions, all aimed at prioritising the protections required for each asset in accordance with their vulnerabilities and threats.

      A phased approach is almost always needed, often aligned with budgets.  It can look a bit like this:

      The first transformation project tends to be what we term the Quick Wins Phase ie what can we do relatively easily, quickly and therefore affordably, to give the client the most urgent fixes.  It often, but not always, looks like this:

      This has just been a very quick cantor through the CMA process, and we need to emphasise that each client has a different set of requirements, and we can often jump into the process at a different stage. Call us if you want to know more.

      Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy Security Tools

      Do You Have a Handle on Your Cyber Maturity Stance?

      Over the years I’ve had some very interesting conversations with several people from multiple different verticals, but all fitting comfortably within the SME bracket, around Cyber Security.  The conversations often tend to take a very familiar turn.  The cry of, ‘I’m covered, my IT support company has put in a firewall and some anti-virus.  They tell me all is good’.  Slightly depressing but not terribly surprising.

      Even though cyber security and data loss prevention have leapt to the top of many people’s agenda in recent years, it is still common amongst many SMEs to believe that it is an IT problem, a technical problem rather than a business issue, even when recognising that the risk of a cyber intrusion or a data breach, impacts the business, the bottom line.  So, is it an IT issue or a business issue? 

      The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security incident of some sort.  For the small business this could result in costs they could well do without, and I know of one business that has been hit for around £30000, which I am sure you will agree, can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers data and assets be affected as well.

      As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

      If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

      It is a common misconception is that IT Security is the same as Cyber Security.  That surprises a lot of people, so let’s explore it a bit.  There is clearly a close symbiotic relationship between the two disciplines.  I would argue, and I know this might meet with some disagreement, that IT security refers to traditional IT security methods which are technology based.  Such as firewalls, anti-malware, end point protection etc.  Whilst Cyber security is based very much on risk management which combines controls which are both non-technical and technical, following the principles of People, Process and Technology.

      Within the SME world this tends to mean that there is a heavy reliance on third party IT providers.  Is that a good thing? After all that’s in their area of expertise and responsibility, isn’t it?  And here comes the controversial bit.  Third party IT providers, particularly in the SME space, are pretty much exclusively value added resellers or VARs, i.e., companies that sell other company’s products.  Now I’ve no problem with that per se, but it comes with issues.    Notable amongst them is that these companies will have skill sets that are very much limited to the products they sell.  Ie they are proficient in the installation and configuration of those products and their clients are offered those products whether they are best in class, or more importantly, whether they are the most appropriate for the task.  Before I get a social media pile on, I know that some of the bigger VARs do sell multiple vendors products, but they are in a minority.

      Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

      • Small to medium size businesses are not worth attacking.
      • Cyber Security is an IT Issue.
      • Technology will keep me safe.
      • My policies and procedures are up to the job.
      • My staff are young and have been brought up with IT.  They know the score.

      Now let’s look at some of the more common issues that we see often amongst SMEs:

      • Lack of awareness around the current real-world cybersecurity risks
      • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
      • Lack of cybersecurity knowledge, and understanding
      • Poor cybersecurity maturity and posture within their businesses
      • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

      Here at H2 we offer a cyber maturity assessment that is designed specifically at SMEs.  It is a comprehensive evaluation of an organisation’s cybersecurity capabilities and readiness to effectively mitigate and respond to cyber threats. It involves a detailed analysis of the organisation’s cybersecurity policies, procedures, technologies, and practices. The assessment aims to identify potential vulnerabilities, weaknesses, and areas for improvement in the organisation’s cybersecurity posture.

      During the assessment, we typically examine various aspects, such as:

      • Governance and Management: Reviewing the organisation’s cybersecurity policies, risk management frameworks, and leadership’s commitment to cybersecurity.
      • Security Awareness and Training: Evaluating the level of cybersecurity awareness among employees and the effectiveness of training programs.
      • Technical Controls: Assessing the implementation and effectiveness of security technologies, such as firewalls, intrusion detection systems, antivirus software, and encryption mechanisms.
      • Incident Response and Recovery: Analysing the organisation’s incident response plan, including procedures for detecting, reporting, and responding to cyber incidents.
      • Security Risk Management: Evaluating how the organisation identifies, assesses, and manages cybersecurity risks.
      • Third-Party Risk Management: Assessing the organisation’s approach to managing cybersecurity risks associated with third-party vendors and partners.
      • Compliance and Regulations: Verifying the organisation’s compliance with relevant cybersecurity regulations and industry standards.

      The results of the Cyber Maturity Assessment provide valuable insights to the organisation, enabling them to enhance their cybersecurity defences and establish a more robust and resilient security posture. It helps organisations prioritise their investments in cybersecurity, address vulnerabilities, and strengthens their overall cyber resilience and provides a road map to reach a standard agreed with the management, taking full account of that managements risk appetite.

      H2 is currently offering a free 1-hour consultation, and if you wish, a 10% discount for a CMA.

      Cyber Awareness Training Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware

      SPOOFING

      I’ve mentioned spoofing quite a bit in various posts and blogs, but what exactly is it?  Spoofing, as it pertains to cybersecurity, is when someone or something pretends to be something else, attempting to gain our confidence to get access to our systems, steal data, steal money, or spread malware. These attacks come in several forms, including:

      • Email spoofing
      • Website and/or URL spoofing
      • Caller ID spoofing
      • Text message spoofing
      • GPS spoofing
      • Man-in-the-middle attacks
      • Extension spoofing
      • IP spoofing
      • Facial spoofing

      Cyber criminals aren’t all that original and spoofing is another con to fool us into taking some form of action that the criminal wants us to take; in other words, it’s a more technical variation on a con artists skill set.  Very often, merely invoking the name of a big, trusted organisation is enough to get us to give up information or take some kind of action. For example, a spoofed email might inquire about purchases you never made. Concerned about your account, you might click the included link.

      From that malicious link, scammers will send you to a web page with a malware download or a faked login page, complete with a familiar logo and spoofed link to a web page, for the purpose of harvesting your username and password.

      There are many more ways a spoofing attack can play out. In all of them, fraudsters rely on victims falling for the fake. If you never doubt the legitimacy of a website and never suspect an email of being faked, then you could become a victim of a spoofing attack at some point.

      Let’s look at some types of spoofing.

      Email spoofing is the act of sending emails with false sender addresses, usually as part of a phishing attack designed to steal your information, infect your computer with malware or just ask for money. An example of this is the fabled CEO attack whereby a spoofed email is sent to someone in your accounts payable department attaching an invoice from a fake supplier and purporting to come from the CEO or other senior manager, with the instruction to pay the invoice now, without delay, and sounding like the senior manager is angry about something.  Of course, this is quite easy to defend against by having a rule in place that if a suspect email is received, the alleged sender should be contacted for verification.  Be aware though, if you simply reply to the email, it will go back to the scammer, you must open a fresh email or make a call.

      Phishing emails will typically include a combination of deceptive features:

      • False sender address designed to look like it’s from someone you know and trust, maybe a friend, coworker, family member, or company you do business with. 
      • In the case of a company or organisation, the email may include familiar branding, e.g. logo, colours, font, call to action button, etc.
      • Spear phishing attacks target an individual or small group within a company and will include personalised language and address the recipient by name.
      • Typos. Email scammers can be lazy and often don’t spend much time proofreading their own work. Email spoofs often have typos, or they look like someone translated the text through Google Translate.

      Website spoofing is all about making a malicious website look like a legitimate one. The spoofed site will look like the login page for a website you frequent, down to the branding, user interface, and even a spoofed domain name that looks the same at first glance. Cybercriminals use spoofed websites to capture your username and password (aka login spoofing) or drop malware onto your computer.

      Caller ID spoofing happens when scammers fool your caller ID by making the call appear to be coming from somewhere it isn’t. Scammers have learned that you’re more likely to answer the phone if the caller ID shows an area code the same or near your own.

      Text message spoofing or SMS spoofing is sending a text message with someone else’s phone number or sender ID. If you’ve ever sent a text message from your laptop, you’ve spoofed your own phone number to send the text, because the text did not actually originate from your phone.

      Man-in-the-Middle (MitM) attacks can happen when you use free Wi-Fi at your local coffee shop. Have you considered what would happen if a cybercriminal hacked the Wi-Fi or created another fraudulent Wi-Fi network in the same location?

      Extension spoofing occurs when cybercriminals need to disguise executable malware files. One common extension spoofing trick criminals like to use is to name the file something along the lines of “filename.txt.exe.” The criminals know file extensions are hidden by default in Windows so to the average Windows user this executable file will appear as “filename.txt.”

      IP spoofing is used when someone wants to hide or disguise the location from which they’re sending or requesting data online.

      Facial spoofing might be the most personal, because of the implications it carries for the future of technology and our personal lives. As it stands, facial ID technology is limited. We use our faces to unlock our mobile devices and laptops, and not much else. This is likely to spread, and the use of AI makes facial spoofing more likely.  Imagine if we advance to using facial recognition to make online payments – scary stuff.

      There’s a lot more to this subject, for instance, how do you spot it?  How do you protect yourself against it?  The best form of defence is simply cyber awareness training, something you’re probably getting fed up hearing from me.  But it’s simply a fact that your staff can be your first line of defence, or your biggest threat.

      Malwarebytes have published a more detailed article on this subject but even that needs some understanding and explanation.

      Cyber Awareness Training Data Breaches and their consequences Ransomware, Phishing and other Malware Security Tools

      HOW DO HACKERS HACK?

      I’ve posted this before but it’s worth repeating, and you’ll have to forgive me for a somewhat provocative title and allow me some poetic licence, because in fact, different hacking groups do things differently, although they have much in common.  Personally, I don’t like the term hacker, much preferring cybercriminal, because anyone who accesses a system without the owners’ permission, is by definition, a criminal.  But I suppose hacker is less of a mouthful.

      What is Hacking?

      Hacking involves exploiting vulnerabilities in systems, software, or networks to gain unauthorised access or manipulate data using a variety of techniques and methods, which tend to combine technical tactics and social engineering.

      Profiling

      One of the first things a hacker, or criminal group, will do, is to profile your organisation and your people.  Favourite open sources of information include:

      • Social media: Information about hobbies, job roles, family, and schedules shared on platforms like LinkedIn, Facebook, and Instagram.  Do you have a social media policy in your company?  Do you lay down what an employee can and cannot say about your company on their personal social media pages?  Do you have a designated person in the company who handles your company’s profile on social media?
      • Company Website:  You’ll want to give prospective clients contact information of course, but you should not give out individual email addresses and you should limit profiles published.  I do give my personal profile on my website but don’t give information about any other position, leaving it to a generic phone number and email address.
      • Professional Profiles: LinkedIn is a favourite for targeting businesses, as it provides details about an individual’s role, connections, and organisational structure.
      • Personal Websites or Blogs: These may reveal contact details, interests, or sensitive information inadvertently.  The same issues that appertain to social media apply here. 
      • Data Brokers: Cybercriminals can purchase detailed dossiers on individuals from data aggregator sites.

      With all of these things you’re walking a bit of a tightrope.  You need to advertise and you need to provide potential customers with relevant information to allow them to contact you easily, but at the same time you need to be careful of what you give away.  Use generic email addresses and phone numbers and limit the information you give in profiles.

      Phishing and Pretexting

      Another favourite is phishing and pretexting.

      • Phishing Emails: We all know, or at least I hope we know, what phishing is.  Attackers send emails designed to extract more information, such as login credentials, by posing as a trusted entity.  In this context, it could be as simple as the attacker wanting to verify information by perhaps sending an email to a discovered address but wanting to confirm that individuals position in the company.  That just requires a response showing a signature block, so the phishing email might seem very innocuous.
      • Fake Surveys or Job Offers: These can be used to obtain detailed personal or professional data.

      Favourite Reconnaissance Tools

      Hackers don’t need an array of expensive tools to do their job, neither do they need to spend hours developing their own. There are a variety of reconnaissance tools used by attackers, including open-source intelligence (OSINT) tools, WHOIS lookups and scanning misconfigured systems using commercially available tools such as Nmap and Nessus, which identify open ports, services and weak configurations.  This is why it’s essential to regularly scan your network for these weaknesses.  Ports can be opened for a particular reason and never closed again.  It’s a common fault.

      We are now seeing new models increasingly. In particular ransomware as a service (RaaS) is a cybercrime business model where  operators write software and affiliates pay to launch attacks using said software. Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators. The “ransomware as a service” model is a criminal variation of the “software as a service” business model. This model allows small threat attackers to gain access to sophisticated ransomware tools at lower costs, also lowering the threshold of entry into cybercrime and complicating defenses against hacking.

      Here at H2 we scan the dark web daily looking for leaked credentials, particularly email credentials.  When we on board a new client we nearly always get hits with sometimes up to 20+ compromised email addresses including passwords.  You might ask why they’d be on the dark web – simple, they are often up for sale on dark web marketplaces.

      Psychological Profiling

      In terms of cybercrime, who’s heard of psychological profiling?  Cybercriminals analyse:

      • Behavioural Patterns: Regularity in actions, such as times a person is online, financial habits, or common purchases.
      • Weaknesses and Triggers: Examples include a recent job loss, major life changes, or emotional vulnerabilities, which they exploit through spear-phishing or scams.

      I’ve often argued on these pages, that your employees are both your first line of defence and your greatest weakness, and that a good cyber awareness programme is worth its weight in gold.  Cybercriminals often focus on employees in specific departments (like HR, finance, or IT).

      • LinkedIn and Organisation Charts: Identify individuals with access to sensitive data.
      • Impersonation: Pretending to be a senior executive to trick lower-level employees (e.g., through Business Email Compromise attacks – I’ve written about the CEO scam a lot).
      • Technical Probing: Use of phishing or malware to breach a target’s employer.

      Conclusion

      In conclusion, what I’ve tried to do here is give you a flavour of what you may be up against, and I hope, I’ve shown you that for all the reasons shown above technology comes last after people and process.  All the tech in the world won’t prevent issues arising from the above and is just one part of an integrated defence in depth required to prevent disaster.

      Cyber Awareness Training Data Breaches and their consequences Ransomware, Phishing and other Malware

      Frequency of Cyber-Attacks and their Effects

      There is a lot of discussion around the number and effects of cyber-attacks in the UK and beyond.  There are those who believe that the instance is under reported, often because the organisation under attack is concerned about reputational damage and this can be a contributing factor to many paying up when subject to a ransomware attack.  And there are those who think the number of attacks is over estimated, especially in reports commissioned by vendors of cyber-security products, to scare up business.  Personally, I can see both arguments, but I tend to come down on the side of under reported.

      The exact number of UK businesses failing solely due to cyber incidents is difficult to pinpoint, research indicates that a significant percentage of businesses have been impacted by cyber-attacks, and a substantial portion of those that are targeted end up closing down. Specifically, one study showed that 60% of small businesses close within six months of a cyber-attack. Furthermore, a recent report states that more than one in four UK businesses have experienced a cyber-attack in the past year.  The sources I used to put this together include:

      • Cyber security breaches survey 2024 – GOV.UK9 Apr 2024
      • Which UK
      • Raconteur







      • Simpson Wreford LLP








      Note:  I did not use data from reports commissioned from Vendors.

      Let’s take a closer look:

      • Prevalence of cyber-attacks:
  More than 25% of UK businesses have reported being hit by a cyber-attack in the past year.



      • Impact on small businesses:
  A concerning 60% of small businesses fail within six months of experiencing a cyber-attack. 





      • Factors contributing to business failure:
  Cyber-attacks can lead to financial losses, reputational damage, data breaches, and operational disruptions, all of which can severely impact a business’s ability to survive, especially small businesses. 





      • Business impact:
  The survey we mentioned highlighted that nearly three-quarters of business leaders believe a cybersecurity incident will disrupt their business in the next 12 to 24 months. 
      • Specific examples:  
In the past few months, major UK retailers like Marks and Spencer, the Co-operative Group, and Harrods have been targeted by cyberattacks as well as businesses that have now ceased trading, such as Knights of Old.

      While these statistics highlight the severity of the issue, it’s important to note that cyber-attacks can be a contributing factor to business failure, rather than the sole cause. Other factors like poor management, economic downturns, or market competition can also play a role. However, the increasing sophistication and frequency of cyber threats make it crucial for businesses of all sizes to prioritise cybersecurity measures to mitigate risks and protect their operations. 

      With my focus remaining with SMEs, it concerns me that SMEs of all sizes still do not prioritise cyber security other than putting a tick in the box, by, for example, obtaining certifications like cyber essentials.  Whilst this is a good thing and not to be dismissed, they are often doing this for marketing purposes rather than any commitment to cyber security which can mean that once the certification is obtained for a 12 month period, standards can then be let slip and I base this on obtaining the certification for a client, returning 12 months later, and finding many of the same issues recurring that we dealt with the year previous.

      Cyber criminals target SMEs, don’t think that because an SME has smaller revenue and therefore smaller reward for the criminal, that they are immune.  SMEs are often targeted because they will have spent much less in terms of money and effort in protecting themselves against attacks.  They lack good advice and guidance, they can’t afford a full-time cyber security professionals and in fact, probably don’t need one full time, but they do not seek that vital guidance.  SMEs must understand that they are seen a low hanging fruit.

      I’ve made this final point many times, and that is cyber awareness training.  Most cyber-attacks begin with some form of social engineering.  Your company will be profiled, and the attacker will obtain information from open sources such as companies house, your website and marketing, simple phone calls to obtain names and phone numbers etc.  Then comes the emails phishing for information or to plant malware on your systems.  The first line of defence here is always your employees, the more they know, the more they can protect your business.  Cyber Awareness training is not a nice to have, it’s essential and is the cheapest and quickest win you can make in your cyber defences.

      Cyber Awareness Training Data Breaches and their consequences Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Supply Chain Security

      The Effects of Downtime on Your Business Can Be Devastating

      I’ve talked in the past about what SMEs really care about when it comes to cyber security.  Do they really care about the technicalities of an attack or scam?  Do they really care about the technical aspects of a piece of protective software or hardware?  My argument is that they neither need nor want to know how this stuff works.  What they do want to know can be summed up pretty easily.

      1. How vulnerable are they to an attack and/or scam?
      2. What would be the effects if that attack or scam succeeded?
      3. What can they do about it, and how much will it cost them?

      I wrote mostly about points a and c in a blog earlier in the year, https://hah2.co.uk/what-do-sme-owners-and-directors-want-from-cyber-security/, and I’ve included the link if you want to read it.  This time I’m concentrating on point b and the effects of the downtime that it creates.

      Downtime following a cyberattack can have serious consequences for businesses, and individuals. We can categorise these into several key areas:

      1. Financial Costs
      • Lost Revenue: For e-commerce platforms, financial institutions, or other time-sensitive industries, downtime directly results in revenue losses.  All businesses will suffer some degree of revenue loss if they can’t carry out their business because their access to suppliers, customers and operations are seriously curtailed.
      • Operational Costs: Companies may need to pay overtime to staff to keep the business going manually without access to IT, hire external cybersecurity experts, or invest in replacement hardware or software.
      • Regulatory Fines: Non-compliance with regulations like GDPR or industry focused standards, due to downtime or data breaches can lead to significant fines.
      • Damage to Reputation
      • Loss of Customer Trust: Downtime can erode confidence, especially if sensitive customer data is exposed or if services are unavailable for extended periods.
      • Brand Damage: Affected organisations may face negative publicity, making it harder to attract and retain customers or partners.
      •  Operational Disruption
      • Service Outages: Critical systems might be offline, affecting production lines, supply chains, or essential services.
        • Loss of Productivity: Employees unable to access IT systems are effectively idle, causing delays in work and project completion.

      Note:  Points d and c were what essentially led to the collapse of Knights of Old.  When they were hit with a ransomware attack which took out their IT systems, they were unable to fulfil time sensitive orders which led to the cancellation of those orders, damaging their brand and seriously impacting customer trust.  They never recovered and are now out of business.

      • Data Loss
      • Corruption or Deletion: Cyberattacks like ransomware can encrypt, leak or destroy critical data, which may take days or weeks to recover, even with backups.
      • Intellectual Property Theft: If attackers steal proprietary information, it can be sold to competitors or leaked online.
      • Security Gap
      • Exploitation of Vulnerabilities: Downtime often exposes weak points in an organisation’s infrastructure, which may need to be patched or rebuilt.
      • Increased Risk of Future Attacks: Downtime may signal to attackers that the organisation is a viable target.
      •  Legal and Regulatory Implications
      • Breach of Contract: Failure to meet service-level agreements (SLAs) due to downtime can result in legal action from customers or partners.
      • Insurance Implications: Cyber insurance claims may be denied if the company failed to follow adequate preventative measures.
      •  Psychological and Social Impact
      • Employee Stress: Staff may feel pressured to resolve issues quickly, leading to burnout.
      • Customer Frustration: Extended downtime can alienate loyal customers, particularly in industries where continuity is critical, such as healthcare or finance.
      •  Broader Economic and Societal Impacts
      • Supply Chain Disruption: Downtime in one organisation can ripple through its partners, affecting entire supply chains.
        • Critical Infrastructure Risks: Attacks on essential services like utilities or healthcare systems can have life-threatening consequences.

      I have blogged many times about the mitigation strategies you can take, that don’t need to break the bank, but the bottom line, proactive measures can significantly reduce the impact of cyberattacks and the associated downtime.  Understand your vulnerabilities and threats, base your spend on protecting against those threats, starting with the most serious, and then working down.  Don’t try and get to 100% security, it doesn’t exist, so understand what risks you find acceptable and what risks you don’t.

      Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Security Security Tools

      PROACTIVE CYBER SECURITY

      Proactive security, protective monitoring, security operations – all pretty much means the same thing in terms of cyber, at least in the corporate world and the larger, more sensitive Government organisations.  I’ve been involved with the design and commissioning of security operations centres for a long time.  I designed the first for the FCO, under contract to HP, ran the security team for the Identity and Passport Service which included a security operations centre, amongst others.  But the one thing I knew, was that it was too complex and expensive for an SME, even though it would bring them great benefits.

      I’ve been talking and posting a lot recently about this subject because I think it’s extremely important and hasn’t, in the past, resonated with SME owners and management simply because it was considered by many to be purely in the province of the corporate world and was way too expensive for an SME to even consider.  Well, that cost issue is no longer the case and there is a system, which we use to provide a managed service for SMEs, that is very affordable.  So that leaves us to consider whether it is something that an SME would consider as an essential element of their cyber defences, now that it is affordable.

      Typically, an SME would generally want such a solution that balances strong security coverage with affordability, simplicity, and minimal disruption to daily operations.  Here’s what I think they would like to include if they could afford it.

      1. Comprehensive Threat Visibility
      • Log collection from key systems (servers, endpoints, cloud services, firewalls, applications).
      • Real-time monitoring for suspicious activities (e.g., failed logins, privilege escalation, data exfiltration).
      • Ability to spot both external attacks (phishing, malware) and insider threats.
      • Actionable Alerts, Not Noise
      • Intelligent alert prioritisation to avoid alert fatigue.
        • Context-rich notifications so the SME knows what happened, why it matters, and what to do next.
        • Possibly AI-driven correlation of events to detect patterns.
      •  Ease of Use & Low Overhead
      • Simple dashboards that non-experts can navigate, or more likely, a managed service as an SME will have little or no resource to give to this.
      • Minimal in-house expertise required to operate.
      • Fast onboarding and configuration.
      •  Reporting
      • Reports that are east to read, management focused and not full of jargon.
      • Audit trails for investigations.
      • Incident Response Integration
      • Clear escalation paths (automated and manual).
      • Integration with existing tools (ticketing systems, email, Slack/Teams).
      • Ability to block malicious IPs or disable compromised accounts quickly.
      • Affordability & Scalability
      • Pricing that fits SME budgets (no enterprise-only costs).
      • Scales up with business growth without a full rip-and-replace.
      • Easy and flexible deployment.
      • Coverage regardless of where your staff work, in the office, remote or on the move.
      • Resilience & Reliability
      • Works even if parts of the infrastructure are down.
      • Secure storage and backup of monitoring data.
      • Regular updates to threat detection rules.

      In short: An SME doesn’t just want raw data — they want reassurance, clarity, and quick guidance so they can protect their systems without hiring a large security team.  And that’s what we are offering, assurance.  There’s no such thing as 100% security, so if you’re looking for that, then we can’t help you.  Using this system our managed service plays the percentages by monitoring your defences, telling you in no uncertain terms where your defences aren’t up to the job, alerting you to problems and providing advice and guidance on how to fix stuff.

      So, what exactly are we offering.  Well, it’s a 24/7 service which provides a manned interface between you and us, on the end of the phone or by email in working hours, and an automated response service in silent hours.  Doing it that way you don’t have to pay for expensive night shifts.  The staff on duty don’t just monitor your systems but provide advice and guidance as well, giving you a cyber security resource on tap.

      Specifically, we are covering off:

      Email Security – Stay ahead of potential email threats with our user-friendly, API-based active protection.

      Endpoint Security – Safeguard laptops and desktops against cyber threats like malware and ransomware.

      Cloud Data – Enable cloud data protection for secure collaboration with external users.

      Secure Browsing – Keep your browser secure with a provided extension, protecting you from viruses and malicious sites.

      Awareness Training – Empower employees to be the first line of defence against the ever-evolving landscape of cyber threats.

      Phishing Simulation – Regularly simulate cyber-attacks, including phishing emails, to identify vulnerabilities and educate staff to the dangers of Phishing.

      External Risk – Obtain actionable insights on external threats by scanning your digital footprint and exposed vulnerabilities. This includes regular scanning of the dark web looking for compromised email addresses and credentials.

      Insurance – Mitigate the cyber risk associated with evolving threats through tailored coverage at the right price (optional; aligning your premiums with your security posture can lower those costs).

      Here are some questions to ask yourself and if you answer yes to most of them, then you might be a fit for this service:

      • Do you employ around 1-250 staff members?
      • Does falling victim to cybercrime worry you?
      • Could you continue to operate your business without your IT systems?
      • Is a recent cyber scan of your public domain on your radar?
      • Are you aware of the constantly evolving cyber threats and tactics?
      • Does your business need protection against these advancing cyber threats?
      • Are you looking for coverage under a cyber insurance policy?

      Keep your eye out for a webinar that we will shortly be doing which will provide a full demo of the system, or if you prefer, contact us and we will give you a one-to-one demo, with no obligation.  You can follow this with a totally free 14-day trial covering your whole estate, again with no obligation.

      If you wanted this system, you might still think it’s too expensive for you, well, it’s only £14 per user per month, so if you only have 10 IT users amongst your staff, that would be £140 per month on a rolling 30-day contract i.e. you can quit with just 30 days’ notice.

      Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Working Practices

      Scams v Hacks

      We hear a lot about the consequences of cyber-attacks and data breaches but not a lot about the specific threats against SMEs, rather than the generic threats against all businesses.  In general businesses are more likely to be targeted by scammers (social engineering attacks) than by purely technical attacks.  But why?  Attacks against individual SMEs are not going to bring in a lot of profit for the criminal, so they often go after multiple targets all at once.  How they do that is to craft an attack which can be automated and directed at many SMEs all at once.  The easiest way to do that is via a social engineering attack.  Let’s take a look at what we mean by that.

      Scams and social engineering attacks rely heavily on human error.  Not only do SMEs have weaker defences than their corporate cousins, but they spend little, if anything, on cyber awareness training.  The attack that brought down Knights of Old, reducing a once thriving business to bankruptcy in a frighteningly short time, was the result of a weak password being cracked.  That suggests that OK, a stronger password protocol and the use of MFA would have been of great benefit but so would educating the users about social engineering and how they can protect the company and their jobs.

      Typically, we see:

      • Phishing emails that trick employees into giving credentials or downloading malware.
      • Business email compromise (BEC) — attackers impersonate executives to request bank transfers or the immediate payment of an invoice.
      • Fake invoices or supplier fraud.

      It’s done this way simply because it’s easier and cheaper to execute than a technical attack.  It’s scalable with scammers sending thousands of phishing emails, and it often bypasses technical defences by exploiting people directly.

      In addition to the traditional attacks, we are now facing AI generated attacks, enabling criminals to design scams that are even more scalable and to be produced more quickly.  Some examples include:

      Deepfake CEO Fraud (AI-Generated Voice or Video)

      A finance employee receives a video call from someone who appears to be the CEO instructing them to urgently transfer funds to a supplier. The video and voice are AI-generated deepfakes using real footage and voice samples taken from public online sources.  This has happened in the UK causing a UK based firm to lose over £20m in early 2025.  Obviously not an SME but the attack was not difficult to generate.

      Another AI attack was an upscale of the Business Email Compromise:

      Criminals use AI to monitor and mimic email communication styles. They craft perfectly worded emails from a company executive asking the accounting team to update supplier bank details or pay fake invoices.  What is new in 2025 is that AI now personalises these scams based on internal speech patterns and tone scraped from Slack or Teams (when credentials are compromised and that list is not exhaustive – other online messaging systems are available).

      One scam that we are now seeing more of is the fake job applicant scam targeting HR departments and IT onboarding teams.  Scammers apply for remote jobs using fake CVs and AI-generated video interviews. Once hired, they gain access to internal systems and exfiltrate data or install malware.  They’re playing the long game here, but it can really pay off.

      There are lots of examples and I’ll just put in a couple more:

      How many of you use Software as a Service (SaaS) and pay a subscription? In this case a fake renewal notice is sent for services like Microsoft 365, Zoom, or Slack. The email contains a link to a spoofed portal, which steals company admin credentials when they try to “log in.”   A new twist in 2025 is that the phishing emails are personalised with real invoice numbers and recent usage data scraped from prior breaches.

      Most of you are probably on LinkedIn, even if you are not particularly active on there.  We are now seeing more of the LinkedIn Clone Attack.  What happens here is that the scammers clone the LinkedIn profile of a known business leader and use it to reach out to employees or partners, proposing urgent collaborations or investment opportunities that include malicious links.  In a more advanced tactic, they use AI-generated responses in real-time chats that make these accounts seem very real.

      So, in conclusion, whilst we cannot rule out the more technical attack on an SME, we can say that the most likely attack will come via some sort of scam, often nowadays using AI.  The defences need to be in depth and will include some technical defences but often the best defence against social engineering is cyber awareness training and this is generally ignored by SMEs.

      Scroll to top