General Security Issues

Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

The Breach They Didn’t See

Last week, we wrote about managed detection and response, and how it benefits SMEs, at a price they can afford.  In that article, we did use a scenario where there was an inadvertent data breach, but the article concentrated more on how breaches can be detected, rather than prevented.  This week, we want to expand on how we can detect and prevent data leaks, and if they do sneak through, there is no such thing as 100% security, then how we can encrypt your most sensitive data so that any impact of a data breach is minimised.

Company profile

A small but growing haulage and cold store company that offers haulage of fresh produce from the grower to a cold store, and then onwards to the wholesaler.  It services growers mostly in their local area, a radius of about 4 counties in all directions.  This area covers a large agricultural sector which relies heavily on getting its produce to the wholesaler promptly, with minimal time in cold storage.

Phase 1: The Quiet Entry (Weeks 0–2)

An employee in the accounts team receives what looks like a legitimate email from a known software provider asking them to “re-authenticate” their account. The link leads to a convincing fake login page.

The employee unknowingly enters their credentials.

No alarms are triggered. The company does not have multi-factor authentication (MFA) enabled on this system.

Phase 2: Undetected Access (Weeks 2–8)

Using the stolen credentials, the attacker logs into the firm’s cloud-based CRM system. Because access controls are overly broad, the compromised account can view and export large volumes of client data.

The attacker:

  • Gradually downloads customer records to avoid detection
  • Accesses archived documents containing invoicing data and financial statements
  • Sets up a forwarding rule in the employee’s email to monitor communications

There is no real-time monitoring or anomaly detection in place, so this activity goes unnoticed.

Phase 3: Data Exploitation (Weeks 6–10)

The stolen data is sold on the dark web. Some clients begin experiencing:

  • Fraudulent loan applications in their name
  • Unauthorised bank transactions
  • Phishing attempts using highly personalised information

Still, the SME remains unaware.

Phase 4: The Discovery (Week 10)

A long-standing client contacts the firm after his accountant flags suspicious activity linked to financial activity, which the accountant deems suspicious.

He says:

“The fraudster replicated your invoice template but with different bank details. The invoice matched the activity between us which only we would know.  How did they do that?”

Initially, the company assumes it’s an isolated incident. But within days, two more clients report similar issues.

Phase 5: Internal Panic & Investigation (Weeks 10–12)

The company initiates an internal review and brings in external cybersecurity consultants. They discover:

  • Unusual login activity from foreign IP addresses
  • Large volumes of data exports
  • The compromised employee account is identified

At this point, leadership realises the breach has been ongoing for weeks, possibly months.

Potential Consequences

  1.  Regulatory & Legal Impact
  • Mandatory reporting to regulators (e.g., data protection authorities)
  • Potential fines for failing to protect personal data (e.g., under GDPR-like frameworks)
  • Investigations into inadequate security controls
  • Lawsuits from affected clients
  •  Financial Losses
  • Direct costs:
    • Incident response and forensic investigations
    • Legal fees
    • Customer notification and credit monitoring services
  • Indirect costs:
    • Loss of business
    • Increased Insurance Premiums
    • Potential Compensation Payouts

 Reputational Damage

  • Loss of client trust, especially critical in ‘just in time’ delivery systems
  • Negative media coverage
  • Clients moving to competitors
  • Difficulty acquiring new customers
  •  Operational Disruption
  • Systems taken offline during the investigation
  • Staff diverted from normal operations
  • Implementation of urgent security upgrades
  •  Client Harm
  • Identity theft
  • Financial fraud
  • Emotional distress and loss of confidence
  •  Internal Consequences
  • Accountability questions for leadership
  • Potential recruitments or restructuring
  • Pressure to overhaul cybersecurity policies
  •  Long-Term Strategic Impact
  • Shift from growth to damage control
  • Mandatory compliance upgrades
  • Board-level scrutiny of risk management

Key Underlying Failures

The breach wasn’t just bad luck; it stemmed from:

  • Lack of multi-factor authentication
  • Overly broad access permissions
  • No monitoring or alerting for unusual activity
  • Limited employee phishing awareness training

Summary Note

What makes this scenario particularly dangerous is that the company didn’t discover the breach itself; the client did. That delay significantly worsened the damage, turning what might have been a contained incident into a full-scale crisis.

How can this be prevented?

I have already said that there is no such thing as 100% security, and if anyone tells you otherwise, you need to take a long, hard look at them and recognise BS when you see it.  What we are trying to do is reduce your risk to a level you find acceptable for your business.  What we call the risk appetite.  That appetite will differ between businesses depending upon what they do and what can damage them, rather than the business next door.

Most Data Loss Prevention (DLP) systems are designed for the corporate market, are expensive and have a considerable admin and maintenance overhead.  All the things that SMEs simply can’t afford and don’t have the staff to run.  We took a good look at this and did a lot of research on the market.  We came up with a solution that works in terms of cost and overhead.  It allows us to offer a managed service at a price and service level that SMEs are comfortable with.

One of the things that we come up against pretty much every time we get into discussions with a prospective client is that they aren’t quite sure what data they are holding, and where it’s stored.  Now this seems strange.  You will no doubt argue that you are very clear about what you hold and where it is.  Well, maybe, but during the 14-day free trial we offer, I am pretty sure that we will discover things that will surprise you.

How are we different?

What we are offering is a unique, comprehensive, and autonomous data security platform that can transform how organisations secure their sensitive data. Unlike legacy DLP systems that are based on an event-driven approach and require extensive ongoing rules management built for LAN perimeters, our system is different. It is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in a world of no security perimeters, providing full coverage no matter where your staff are operating from, the office, home or on the move.   Moreover, our set-and-forget method requires little to no maintenance and can be up and running, securing data, in less than 3 working days.

Key principles

Perimeter-less world with hybrid cloud and on-prem usage

The local area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premise repositories (File Server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like Slack or WhatsApp), and 3rd party portals.  We provide an answer to this new data landscape with our cross-platform discovery functionality, coupled with the data flow monitoring capabilities.

Remediate Data Risk rather than handle files

We provide a detailed breakdown of the data risk and leverage the data risk for data

flow monitoring, auditing and remediation. This approach greatly simplifies the process.

Pre-emptive vs Reactive

Most DLP solutions try to prevent a data leakage event by blocking the exfiltration of the file. This approach has a couple of shortcomings:

  • It does not help with an external threat, like ransomware stealing data.
  • It requires an initial extensive effort of setting up all the blocking rules with ongoing maintenance.

Our pre-emptive approach provides an answer for both shortcomings by encrypting files automatically.

How does it work?

It is a cloud-based management platform coupled with a lean agent for workstations

(both Windows and Mac), File Servers, NAS and Terminal Servers, and a sidecar Docker

instance for cloud-based file shares (. i.e., OneDrive).

Step 1: Data Risk Discovery and Quantification

Based on predefined privacy regulations and Personal Identifiable Data (PII) definitions, the system immediately starts scanning for sensitive data using smart patterns. It then quantifies data risk per PIl type in financial terms.

Step 2: Data Risk Monitoring and Auditing

Tracks and audits data risk in real-time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organisation.

Step 3: Data Risk Remediation by Encryption

Its patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption, takes as little as 72 hours.

The system not only pre-emptively encrypts sensitive private data in files, but it also transitions the data to a safe harbour, per all privacy regulations requirements. The solution helps organisations comply with all statutory data privacy regulations.

So, what does it do for you?

  • Sensitive File Discovery.  SMEs frequently have an incomplete picture of where sensitive data is dispersed and who has access to it. The system locates and maps sensitive data across all your systems, devices, and the cloud.
  • Data Risk Quantification

Actifile calculates the data risk for every PIl type by applying an algorithm that multiplies every PII record by its potential total damage, then aggregates that across all the files and PIl records of the organisation. The aggregation is across file types, file locations, and different silos to provide a complete data risk quantification. The quantification is always up to date, in real time.

  • Real-Time Data Flow Monitoring

The system works silently in the background, monitoring real-time data flow across your entire IT ecosystem through user activities at the endpoints. This real-time monitoring shows how much data is being exfiltrated outside the organisation or imported into it. The monitoring capability does not require any type of integration to the sending or receiving application or website.

Full Audit and Indelible Log

We automatically log all data-related events, including data ingress and egress and the creation of sensitive data. You can instantly audit back to specific dates, times, and locations. The log is never deleted, covering you in the event of a breach. You also have the option to generate alerts on specific events and to integrate the alerts to 3rd party systems, such as SOC or SIEM.

  • 3rd Party Integration and Reporting

3rd party event integration: Everything that we capture can be seamlessly integrated

into a third-party security central system (SOC or SIEM). Users can capture and correlate all events that happen within the organisation.

Online and offline reporting: Conveniently export system reports and analyses in PDF format and white label them as required.

Risk Remediation by Encryption

Automatic encryption is a fast and convenient remediation process that secures sensitive data across your entire IT ecosystem, including remote devices and the cloud.  Even if data is stolen or misplaced, the AES 256 encryption mechanism prohibits bad actors from opening or using the file.  Invisible decryption allows employees to automatically use encrypted files with no latency and without the need for a password. Your employees can work without disruption, but sensitive data remains useless to any hostile actor. Automatic decryption by channel enables users to automatically decrypt any encrypted file when it’s attached to an application. The system easily meets the demands of modern high-tech working environments. Delayed encryption gives you the flexibility to balance security with the demands of daily workflows. You can create a pragmatic, tailored approach to the management of sensitive data.

In a nutshell, this service is designed to protect your data from being stolen or inadvertently leaked by employee action.  It is a layer below intrusion detection and prevention, stopping the scenario outlined above, where a cybercriminal had infiltrated the system and was exfiltrating data without the knowledge of the organisation.  If they had been using this system, their data would have been encrypted and useless to the attacker.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

What is Security Architecture, and what does it mean for SMEs?

Security architecture is the structured design of systems, policies, technologies, and processes used to protect an organisation’s IT systems, networks, and data from cyber threats.  Easy to say, not quite so easy to do.

When working on a major IT infrastructure deal, the security architect would be brought in, or at least should be brought in, very early on, usually after the first logical design has been done.  What that means is that a logical design is basically a bunch of boxes on paper that represent systems with connection arrows in between, identifying data flows.  OK, I’m being a bit simplistic, but you get the idea.  Once that’s done, the security architect has something to work with to start putting in security layers.  As the design evolves, so does the security architecture.

So now let’s look at the real world.  Most SMEs are way past this phase, with their systems having grown organically as the company grows.  SME management is focused on how well the systems work for them, whether they meet the need, can the staff operate the systems efficiently, are the systems robust, etc.  Security then tends to get bolted on, often using software and/or hardware that the company’s contracted IT provider recommends, which in turn is whatever software and/or hardware that the contractor sells.

Many SMEs had set up their system before COVID, and they were often set up using what we called the Bastion security model.  That was named after the old castle design, a big wall around it with a moat and a portcullis to protect it, or in modern terms, a protected network, accessed via secure firewalling, with some sort of access control and other protections such as anti-malware.  A good model had network segregation, but I’m afraid my experience is that network segregation was often lacking.  Just to be clear, what segregation means in this instance is a breaking up of functions within the company, i.e., finance, HR, operations, management, etc., with relevant access controls of some sort.  And of course, all this on premises.

In many cases, COVID drove a coach and horses through that model.  First, it stopped people from going into the office, and owners/managers had to quickly come up with a way of working remotely through some form of remote access.  Many at that point weren’t using cloud-based systems, and in fact, there was still some reluctance to embrace cloud tech because owners didn’t trust storing their data with what they saw as being out of their control.  It took some persuasion and education to bring many of these owners/managers around.  These days, of course, cloud storage and remote access are largely the norm, but there is still the question of exactly how secure existing systems are, having often been put together rapidly and from a position of necessity rather than choice.

A realistic cybersecurity architecture for an SME should balance security, manageability, and cost. Most SMEs are now operating in a cloud-based environment, so the architecture typically centres on identity security, endpoint protection, and cloud controls rather than heavy on-prem infrastructure.  But let’s not forget monitoring and auditing, and, depending upon your business, data encryption.

Identity Layer (Core Security Control)

Identity management is core to a secure system.  It is vital to ensure that only the right people have access to the right systems.  SMEs need to consider some form of identity management, but they might feel this is expensive and unnecessary for them.  Owners and managers need to decide their own risk appetite, i.e., what they see as an acceptable, as well as what they see as an unacceptable, risk.  But it doesn’t have to be expensive.  Many SMEs will be using MS365, for example, and will be able to get a reasonable deal on Microsoft Entra ID, formerly known as Azure AD.  I know many of my colleagues in the security world will argue that Azure had its issues in the past, but it is better now.

It will help you implement controls such as:

  • Mandatory Multi-Factor Authentication
  • Conditional access policies
  • Single Sign-On (SSO)
  • Privileged identity management
  • Automated user provisioning/deprovisioning

Endpoint Security Layer

Endpoints are the primary attack surface. This typically includes:

  • Endpoint detection and response (EDR)
  • Device management
  • Encryption

Controls it should cover include:

  • Automated patching
  • Encryption:
  • Full disk encryption comes built into Windows with BitLocker and Mac with File Vault, but it has drawbacks in that it encrypts your disk at rest, protecting your data from a stolen device, but it is unencrypted on boot up, so it isn’t much protection against an intrusion or a mistake made by an employee.
    • File-level encryption works by encrypting files that you have deemed to be sensitive and need protection.  It encrypts the files using an agent-based system and unencrypts the files when shared or accessed by someone who also has the agent and therefore the permission.  Sounds complicated, but it really isn’t, and it can be shown to you very easily.
  • Application control
  • USB restrictions
  • Remote wipe

Email and Collaboration Security

Email is still the No 1 entry point for attacks, and using cloud-based software such as MS365 or even Google Workspace, both affordable for an SME, has security features that are highly desirable if not essential.

  • Anti-phishing protection
  • Attachment sandboxing
  • URL scanning
  • DMARC, SPF, DKIM email authentication – these all refer to entries in your DNS (your network provider should be able to brief you), which help ensure email isn’t being spoofed and is coming from a trusted source.

 Network Security Layer

Even cloud-heavy SMEs still need basic network protection.

Key components:

  • Next-generation firewall
  • VPN or Zero Trust remote access
  • Network segmentation
  • DNS filtering

Good firewall segmentation would include:

  • Company devices
  • Guest WiFi
  • Servers
  • IoT devices

Cloud Security

SMEs often rely heavily on Software as a Service (SaaS) and cloud infrastructure.  Again, this needs some controls, which could include:

  • Secure configuration monitoring
  • Data leakage prevention
  • Access monitoring

Key policies may include:

  • No public file sharing by default
  • Alert on impossible travel logins
  • Monitor privileged activity

Data Protection Layer

Protect sensitive data even if systems are compromised.  Controls might include:

  • Data classification
  • Data leakage prevention
  • Full disk and file-level encryption

Policies might include:

  • Prevent the sharing of sensitive records externally
  • Block download of sensitive files on unmanaged devices
  • Monitoring where your data is and how it transits the network, alerting to movements of data outside of the norm.

 Backup and Recovery

This is critical for recovering from ransomware and other data compromises, as well as technical faults.

Best practice:

  • Immutable backups
  • Offline copies
  • Regular restore testing

Don’t forget cloud backups; that’s something that is often forgotten.  Check your Ts&Cs with your provider, don’t just assume they are backing up as you would require.

Security Monitoring

You need visibility into attacks, and security monitoring is something that many SMEs simply don’t consider, possibly because in the past, it was considered very expensive and over the top.  That is no longer the case.  There are systems now available specifically for SMEs.

Typical SME approach:

  • Centralised log collection
  • Security alerts
  • Managed detection and response

Many SMEs outsource this to an MDR provider like H2.  I know you would expect me to say this, but it really is recommended.

Security Awareness and Policies

Technology alone cannot protect the organisation.  Cyber awareness training is a subject that I bang on about all the time.  It really should be a no-brainer and is arguably the cheapest quick win an SME can make.

What you need as a minimum is:

  • Security training platform
  • Phishing simulation
  • Acceptable use policy
  • Incident reporting channel

Strangely enough, we provide all of these within our managed service.

Incident Response and Business Continuity

I have blogged about this in the past.  You need to be prepared for security incidents.  This means not just having a plan to bring your systems back online and to restore your data from backups, but also having a business continuity plan to enable you to continue your business whilst the technical work is being undertaken. Test these systems and plans and make sure they work.

Key elements include

:

  • Incident response playbooks
  • Legal and breach notification procedures
  • Disaster recovery and business continuity plans
  • Security metrics dashboard

Standards

Consider adhering to a standard such as Cyber Essentials, the Government standard, which has been taken into use by many SMEs.

Summary

Security architecture is the structured design of policies, technologies, and controls used to protect an organisation’s systems, networks, and data from threats.

It acts as a blueprint for implementing security to ensure Confidentiality, Integrity, and Availability (CIA Triad) of information.  It really is something SMEs should consider and need to take advice about.  Do not rely on your network provider, they will focus on the core services they provide and the products they have deals to supply.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

Data Leakage Explained for SMEs

Stopping data leaks from your organisation is an important part of data protection; it is a subset, if you like, of that ever-evolving subject.  The rules are evolving here in the UK, with new legislation coming online, and there is a wide requirement that starts with a good mindset and sound rules and processes to guard your most sensitive data.  We refer to data leakage when talking about a service we provide to SMEs, which we don’t like to frame as data protection because it is, as I said, a subset of the requirements.  However, it is an important subset that lies at the sharp end of the whole thing.

First of all, let’s clarify what Data Loss Prevention (DLP) is.  It is a cybersecurity strategy that identifies, monitors, and prevents sensitive information from being accessed, shared, or transmitted without authorisation, whether accidentally or maliciously, across endpoints, networks, cloud services, and email systems.  In short, DLP stops sensitive data from leaving where it shouldn’t.

Sounds great until you investigate such systems, which can be extremely effective if you are a large corporate organisation.  That’s because these systems can be very expensive, difficult to set up and come with a heavy admin burden.  It’s not terribly surprising that SMEs don’t know much about these systems because the organisations that market them simply don’t target SMEs. After all, SMEs, in general, can’t afford them.

A data leak, however, can be one of the most damaging incidents an SME can face. Unlike large enterprises, SMEs often have fewer financial reserves, less technical expertise, and limited crisis-management capacity, making the impact proportionally greater.

Threats to an SME from Data Leakage

Taking a quick glance through the threats to an SME business from a data leak:

Financial Loss

  • Legal costs from customer or partner lawsuits.
  • Compensation payments to affected individuals.
  • Incident response and forensic investigation costs.
  • Business interruption losses during system shutdowns.
  • Regulatory fines (e.g., under data protection laws such as GDPR).

For SMEs, even moderate fines can significantly impact cash flow or survival.

Reputational Damage

  • Loss of customer trust.
  • Negative media exposure.
  • Damage to brand credibility.
  • Loss of competitive advantage.

SMEs often rely heavily on local reputation or niche trust; once damaged, recovery can be slow and costly.

Loss of Customers and Contracts

  • Clients may terminate contracts.
  • Prospective customers may choose competitors.
  • Larger partners may require stronger security compliance before continuing relationships.

Operational Disruption

  • Systems may need to be taken offline.
  • Data recovery efforts consume time and resources.
  • Staff productivity drops during investigation and remediation.

Theft of Intellectual Property

  • Loss of trade secrets.
  • Exposure of proprietary processes.
  • Competitors gaining access to confidential pricing or strategy information.

Increased Cyber Targeting

Once breached, a company may:

  • Be seen as an “easy target.”
  • Experience follow-up phishing or ransomware attacks.
  • Appear on dark web data marketplaces.

What are the Requirements of a Data Leakage Protection Solution?

In a nutshell, a solution that would fit an SME should be proportionate, cost-effective, scalable, and manageable without a large in-house security team.

Such a system needs to:

  • Identify sensitive data (customer data, financial records, IP).
  • Classify data based on sensitivity.
  • Map where data is stored and who has access.

It needs role-based access control (RBACS) using a least privileged principle, with multi-factor authentication and strong password policies.  It needs encryption at rest, preferable file level encryption, and use TLS for encryption in transit with secure key management. Such a system needs to be set up with monitoring, logging, alerting for suspicious activity and periodic audits.  It needs backup and recovery.  

For SMEs specifically, the solution should be:

  • Affordable and scalable
    • Cloud-friendly
    • Easy to manage
    • Automated where possible
    • Supported by managed security providers (if no internal team exists)

How Do SMEs View Such Systems

All too often, we come up against the attitude that such a loss is very rare amongst SMEs, and the threat doesn’t justify the expenditure.  That is often because this is a very under-reported issue, and those that are reported are just the tip of the iceberg.

What Is the Source of the “Tip of the Iceberg” Claim?

The idea comes from multiple types of evidence:

Incident Response & Forensics Data

Cybersecurity firms (e.g., Mandiant, CrowdStrike) publish threat intelligence showing:

  • Many breaches are only discovered during unrelated audits.
  • Cyber criminals often maintain access for long periods.

 Academic Research

Studies in cybersecurity economics suggest breach reporting underestimates actual intrusion frequency due to:

  • Asymmetric information.
  • Underreporting incentives.
  • Detection bias.

Threat Intelligence Monitoring

Security vendors monitoring criminal forums consistently find large datasets being traded that were never publicly linked to a disclosed breach.

Bottom Line

The consensus among cybersecurity professionals, regulators, and researchers is that publicly reported data breaches represent only a fraction of actual incidents.

The conclusion is based on:

  • Detection lag data.
  • Forensic investigations.
  • Legal reporting thresholds.
  • Dark web intelligence.
  • Academic economic modelling.

How Can an SME Protect Itself?

Having waded your way through the reasons why SMEs don’t see much data on this subject and therefore don’t see the threat, I’m going to reward you with the pitch.  Yes, H2 does have a managed solution that is designed, priced and operated specifically for SMEs.  It’s a solution that isn’t as comprehensive as a full enterprise-grade DLP solution, but it does do the job for an SME.

The key advantages for a small or medium-sized enterprise (SME) of using our service in practical, business-focused terms are: 

Automates Data Discovery and Protection

The service automatically finds, classifies, and assesses sensitive data (such as customer information, IP, and financial records) across endpoints, servers, cloud applications, and remote devices without manual scanning. This saves SMEs considerable time and decreases dependence on specialised security personnel. 

Proactive Risk Reduction

Rather than just alerting after an incident, the service can automatically encrypt or block sensitive data based on risk level, minimising exposure before a breach happens. This helps avoid data leaks and insider mishandling. 

Real-Time Monitoring and Alerts

The platform continuously tracks data movement and access, sending notifications for unusual activity. This keeps SMEs aware of potential threats or policy violations, even without a full-time security team. 

Simplifies Compliance

The service helps businesses meet data privacy rules like GDPR, PCI, and others by providing reports, audit trails, and documented controls, making audits and regulatory compliance far easier. 

Low Maintenance and Fast Deployment

Designed to be lightweight and “set-and-forget”, it can be deployed quickly with little disruption and minimal ongoing management, which is ideal for SMEs that don’t have large IT/security teams. 

Cost-Efficient Risk Management

By automating complex security workflows and reducing reliance on manual processes or legacy tools, SMEs can keep security budgets lean while still achieving strong protection. 

Centralised Visibility

It comes with a dashboard where you can see where sensitive data resides, who accessed it and what its risk level is, providing clear, actionable insights rather than fragmented logs across multiple systems. 

Supports Remote & Hybrid Work

Because it works across cloud, endpoint, and server environments, the service helps secure data no matter where employees work or where the data lives, particularly useful as more SMEs adopt remote/hybrid models. 

Reduces Human Error

With automatic classification and encryption, the service helps guard against accidental disclosure, which is a common risk in smaller organisations without dedicated security training. 

In summary, for an SME, the service can deliver data leakage protection, risk reduction and compliance support without the heavy cost or complexity typically associated with traditional data loss prevention (DLP) or manual security practices. 

Cost is something that is guaranteed to concentrate the mind of the SME owner.  This service is priced specifically for SMEs at £15 per user per month.  There is no contractual lock-in, and a client can quit with 30 days’ notice.  We also offer a 14-day trial to allow a client to see the benefits of the system using their own data, rather than a demo with dummy data.  We’d be delighted to discuss this with you further.

Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

The Dark Figure of Cybercrime: Why SMEs Underreport Security Incidents

Last week, I made a short post about the difference between the perceived and actual threat to SMEs from cyber-attacks and scams, and whether there is any credible evidence to support a conclusion.  Taking a hard look at this and doing some research, I have concluded that there is credible evidence from academic research, surveys, and policy reports showing that many small and medium-sized enterprises (SMEs) tend not to report cybercrime incidents, and there are well-documented reasons why. This phenomenon is sometimes described as the “dark figure” of unreported crime in the cyber domain. 

We’ll take a look at some of that evidence later, but first, let’s turn to the gap between what people believe is happening and what the data shows is happening.  That gap is influenced by psychology, media coverage, reporting behaviour and visibility of incidents.

Let’s break it down into the categories mentioned above.

Perception of Cybercrime Against SMEs

This is shaped by:

Media Coverage

High-profile ransomware attacks or major breaches dominate headlines. They mostly involve large enterprises, and as a result SMEs often feel it’s only those large enterprises that are at risk.

Vendor & Security Marketing

Cybersecurity vendors often emphasise rising threats, which though real, are designed to amplify urgency to drive awareness and sales.  However, the use of fear, uncertainty and doubt or FUD, can have the opposite effect if it is seen as a sales tool rather than a real threat, which it all too often is.

Personal Experience

If an SME owner hears about peers being attacked, their perceived risk increases dramatically.  Staying quiet about attacks can lower the perceived need for defences.

Fear of the Unknown

Cyber threats are invisible and technical. Lack of understanding increases anxiety and exaggerates perceived exposure.  Taking a technical approach to educating business people is counterproductive and generally turns them off.

Underreporting Assumptions

Not all attacks are reported; in fact, the evidence suggests that the instance of underreporting is high.

Result

The result is that perception is often that, whilst cybercrime is constant. Underreporting of attacks on SMEs, coupled with the lack of education, and what education there is tends to be of a technical instead of business focused, leads many SMEs to view the threat as being covered off by technical barriers such as firewalls and anti-virus, and to be far more targeted at the corporate sector, not the SME sector.

Actual Level of Cybercrime Against SMEs

The actual level is measured by:

            •          Incident reports (law enforcement, insurers, regulators)

            •          Cybersecurity firm data

            •          Insurance claims

            •          Surveys with verified breaches

What data typically shows:

  • SMEs are frequent targets, especially for phishing, ransomware, and business email compromise.
  • Most attacks are automated and opportunistic, not targeted.
  • Many incidents are low-level (phishing attempts), not catastrophic breaches.
  • Severe attacks do happen, but not every SME experiences them.

The actual level is significant but uneven:

  • Some SMEs face repeated attacks.
  • Others may experience mostly low-impact attempts.
  • Many attacks are blocked before damage occurs.

Is Perception Higher or Lower Than Reality?

It can go both ways:

Perception is Higher Than Reality When:

            •          SMEs assume every business is constantly breached.

            •          Media focus on extreme cases.

            •          Attempts are confused with successful compromises.

Perception is Lower Than Reality When:

            •          SMEs believe “we’re too small to be targeted.”

            •          Minor incidents go unnoticed.

            •          Staff do not recognise breaches.

Interestingly, many SMEs underestimate their exposure before experiencing an attack, and overestimate overall catastrophic frequency after exposure.

In Summary:

The perceived level of cybercrime against SMEs is shaped by media attention, fear, and anecdotal experience, while the actual level is determined by measurable incidents and verified data. The gap exists because cyber threats are both highly publicised and often poorly understood.

Evidence That SMEs Often Don’t Report Cyber Crime

Survey data show high levels of non-reporting

A recent Europe-wide survey found that 44% of cybercrime incidents experienced by SMEs were not reported to anyone, not the police, not a regulator, not a service provider, and that only a minority of attacks were reported formally. 

The same EU study found that when SMEs did report incidents, it was more often to a service provider than to public authorities, and that many businesses simply handled incidents internally or judged them “too trivial” to report. 

Research identifies specific reluctance factors

Scholarly reviews and empirical work indicate that SMEs are less likely to report cyber incidents for reasons including:

  • Fear of reputational damage if customers or partners learn the business was breached.
  • Concern over regulatory or legal scrutiny once an incident is disclosed.
  • Perceived cost (time, money) of reporting, especially if there’s no regulatory obligation or clear benefit.
  • Belief that incidents are minor or can be more efficiently handled internally than involving law or regulatory bodies. 

These findings align with broader research on businesses and cybercrime reporting, noting that decisions to report are influenced by the perceived severity of impact and whether the firm prioritises cybersecurity or has formal incident-response capabilities. 

Structural and awareness challenges contribute to under-reporting

More general research into SMEs and cybersecurity shows that many smaller firms lack the awareness, training, resources, and formal incident-response processes that make reporting to authorities likely in larger firms. This lack of technical know-how and prioritisation often means incidents aren’t even recognised or escalated to reporting. 

Why SMEs Might Choose Not to Report

There are several reasons, and looking across studies and surveys, as well as my own experience, common themes emerge explaining this reluctance:

  • Risk perception: SMEs often don’t think they’re targets, underestimating the likelihood or impact of cybercrime. 
  • Internal handling: Many breaches are kept in-house, either managed by IT support or resolved without escalating to law or regulatory bodies. 
  • Reputational fear: Owners worry about being seen as vulnerable or incompetent. 
  • Cost of reporting: Time and money spent on reporting (especially when not legally required) can seem unjustified. 

Does Under-reporting Matter?

Under-reporting matters because it creates a gap in official data on the frequency with which SMEs are victimised by cybercrime. This “dark figure” undermines effective policymaking, resource allocation, and threat intelligence sharing between the private sector, law and regulatory bodies, all of which are vital for improving cybersecurity resilience across the economy. 

Finally I hope that this has provided you with a window into the lack of reporting of cybercrime, which is prevalent in, but not confined to, SMEs, and that it might encourage you to report crime if it occurs in your organisation.  I also hope that it might encourage you to look at your own defences with a critical eye and perhaps seek advice and guidance to keep you safe.

Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security

An Increase in sophistication in cyber-attacks in 2025

Artificial Intelligence (AI) is a fascinating subject, but it’s also a controversial one. These days, we are all using it to some extent. I know I do in the solutions I provide for SMEs, as it allows for a large degree of automation, which in turn lowers costs. Lowering costs is always a priority for an SME.

So what is AI?

Artificial intelligence (AI) refers to computer systems that can perform tasks typically requiring human intelligence. This could include visual perception, speech recognition or translation between languages.

That description was one that was put forward by NCSC, and so it’ll do for me, although I’ve no doubt, you’ll find other descriptions if you look hard enough.

Often, what is called AI isn’t all that intelligent. It’s not taking in information, analysing it and coming up with answers. Of course, some very clever versions are doing just that, but they are mostly not available to you and me. The versions we see are very good at being asked a specific question and data mining various sources at an incredible speed and then producing the answer you want, usually with several variations. And that’s pretty much what most of us want to use it for.

As I said above, I use it in the applications I use for cybersecurity managed services directed at SMEs, not least because automation reduces cost, but also because it is very efficient, meaning that the results it produces need minimal human intervention to analyse the output.

But let’s look at the downside of AI in cybersecurity, which is what the cyber criminals are using it for. Firstly, what is it that is at risk:

  1. Data Leakage. AI systems tend to be extremely good at analysing, organising, and harvesting vast amounts of data, raising concerns about privacy breaches and unauthorised access to sensitive information. A good AI-powered attack could capture huge amounts of personally identifiable information (PII) in a ridiculously short amount of time.
  2. Data Integrity. In the good old days (please indulge me – I’ve been around a long time), we used to talk about CIA, no, not the infamous US intelligence agency, but Confidentiality, Integrity, and Availability. We now have something we call the Adversarial Attack. This is where attackers can manipulate AI algorithms by feeding them misleading data, causing them to make incorrect predictions or classifications, in turn destroying the integrity of your data, not just rendering it useless, but also dangerous.
  3. Model Vulnerabilities. This next one is relatively new, at least to me, and as I never tire of saying, I’ve been in this game as long as there’s been a game. It’s something called Model Vulnerabilities. AI models can be vulnerable to exploitation, such as through model inversion attacks or model extraction, where attackers can reverse-engineer proprietary models. So, if you’re in the dev game, this is a very real nightmare.
  4. Bias and Fairness. AI systems may inherit biases from training data, leading to unfair or discriminatory outcomes, which can have legal, ethical, and reputational implications. This could be used as another form of extortion, playing with the integrity of your data, to the point where you can no longer trust it.
  5. Malicious Actors. These can compromise AI systems at various stages of development, deployment, or maintenance, posing risks to organisations relying on these systems. This has a role in supply chain security.
  6. Attackers can leverage AI techniques to enhance the effectiveness of cyberattacks, such as automated spear-phishing, credential stuffing, or malware detection evasion.

What we saw in 2025 is an era where cyber‑attacks are AI‑powered, highly targeted, automated, supply‑chain enabled, multi‑stage, and geopolitically driven. These attacks exploit weaknesses across credential systems, zero‑day exploits, deepfake tools, and ransomware as a service (RaaS) platforms.

We are in an accelerating digital arms race that calls for AI‑driven defence capabilities, real‑time insights, deception environments, zero‑trust architectures, and quantum‑safe cryptography.

  1. Cybercriminals are leveraging AI to automate vulnerability scans at astonishing speeds, up to 36,000 scans per second, resulting in massive volumes of stolen credentials (1.7 billion) and drastic upticks in targeted attacks.
  2. AI is also generating hyper-realistic phishing messages, deepfake audio/video, and even “CEO fraud” to manipulate individuals into transferring funds, like a deepfake trick that siphoned US $25 M in Hong Kong.
  3. RaaS platforms now enable less skilled attackers to run ransomware, complete with support and updates. Over 70% of attacks now use these services.
  4. Attackers have shifted to double/triple extortion schemes, encrypting data, threatening to leak it, and sometimes targeting associated partners or customers.
  5. Next-gen ransomware is rolling out advanced stealth, data theft, and automated lateral movement techniques, i.e., using an initial breach to jump across to other parts of your network or that of your partners and customers.
  6. Attacks starting via third-party software or vendors allow hackers to move laterally into networks and compromise multiple organisations simultaneously.
  7. Nation-states are not just using espionage but are now partnering with ransomware gangs to conduct financially and politically motivated operations.
  8. Nation state-aligned hackers are conducting sophisticated credential theft, MFA bypass, lateral infiltration, DDoS, website defacements, and disinformation across geographies.
  9. Exploit kits now rapidly find zero-day vulnerabilities, especially in cloud environments, to bypass patching cycles.
  10. Attackers increasingly use built-in legitimate software and system tools (living off the land) to evade detection.
  11. Reported credential theft incidents rose 300% from 2023 to 2024, with 25% of malware focused on stealing login data.
  12. These stolen credentials are a gateway for automated brute‑force, lateral movements, and supply‑chain infiltration.
  13. Millions of IoT and OT systems (from manufacturing to agriculture) remain insecure and are now common targets of AI‑driven automated attacks.
  14. Mobile‑specific ransomware is emerging; threat actors are developing malware to extort victims directly via their mobile devices.
  15. In response, organisations are deploying deception tech (honeypots, decoys) to detect lateral intrusions or zero-day exploits in real time.

Let’s not make the mistake of thinking that this is all very sophisticated and requires expertise and resources to pull off. It doesn’t. Take another look at some of the bullets above, where we talk about RaaS or Ransomware as a Service. This takes me back to what we used to term the ‘script kiddie’, that was relatively unskilled and unsophisticated ‘wannabe’ hackers who would visit the dark web and buy scripts from skilled hackers, that they would then try and use to make money, often unsuccessfully.

This has now moved on to using AI, and such services as RaaS; this type of low-skilled individual is back, but this time with a greater level of success. Let me give you a real example of how AI can be used by someone relatively low on the criminal totem pole. Using Chat GPT, the question was posed:

Can you write some ransomware code for me?

So, did ChatGPT help to write Ransomware code? Well, not initially, it gave a stock answer about not being able to write code that might damage a computer system. And some tooing and froing, trying to get around this, achieved the same result. So far, so good. That’s an ethical answer I would like to see.

Coming at it obliquely, via a back-and-forth conversation, can produce different results. Give it the instruction to write some C code to encrypt a single file, and get the result:

Certainly. Here’s an example of how you can use the OpenSSL library to encrypt a single file using the AES-256-CBC encryption algorithm in C.

The next step was to ask it to modify the code to encrypt a whole directory, which it did willingly.

Obviously, this isn’t the complete answer, and there would be more work to do, more research and probably a trip to the dark web, but a relatively unskilled individual can make a good start at producing their own ransomware.

I even asked Chat GPT to give me a description of how AI can be a boon as well as a danger to society:

AI can be both a boon and a potential danger in terms of cybersecurity. On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks. On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously. Sophisticated AI-powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale. It is crucial to develop robust safeguards, ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

If you’re looking for answers as to where we stand with AI, there are a multitude of opinions, I’m afraid, mostly because many of us are still trying to work that out for ourselves. However, I will continue to explore it, use it carefully and with forethought. The questions I pose will be based on my own knowledge of cybersecurity and my experience in life. Let’s hope I get it right.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy

LESS FEAR MORE FIXES:  WHAT SME LEADERS WANT FROM CYBER SECURITY

That’s a good question and one that I’ve often pondered upon.  Cost effectiveness obviously, everyone’s on a budget, especially these days and there is a healthy reluctance to spend money on what is seen as not being your core business. 

I would argue that these days IT is part of your core business, or perhaps part of your core business operations.  Ask yourselves how many of you can continue business without access to your IT systems and the data they hold.  If IT is part of your business operations, then so is its integrity and security.

Let’s take a quick look at some of the reasons why security doesn’t feel like core business to many people:

  • It’s invisible when it works

If cybersecurity is doing its job, nothing happens. No alerts, no fires to put out, no obvious ROI. Compared to sales, ops, or product delivery, it feels abstract and thankless.

  • It’s framed as an IT problem, not a business risk

Many SMEs still see cyber as “the IT guy’s job.” Leaders think in terms of revenue, customers, and growth whereas cybersecurity often isn’t translated into those terms.

  • Short-term survival beats long-term risk

SMEs run lean. Cash flow, hiring, and winning the next customer feel urgent. Cyber risk feels probable someday rather than painful today, so it gets deprioritised.

  • Lack of personal exposure

If a leader hasn’t personally experienced a cyber incident, or heard a close friends horror story, it’s hard to internalise the risk. Threats feel like something that happens to “big companies” or “other people.”

  • Complexity and jargon turn people off

Cybersecurity language is often technical, fear-based, or compliance-heavy. When leaders don’t fully understand something, they’re less likely to own it as core strategy.

  • No clear ownership at the top

In many SMEs there’s no CISO, no risk committee, no board pressure. If no one at leadership level “owns” cyber risk, it floats somewhere below the surface.

  • Seen as a cost centre, not a value driver

Cybersecurity is usually positioned as insurance or compliance spend, not as something that enables trust, customer retention, or business continuity.

  • Optimism bias

Many SME leaders quietly think: “We’re too small / not interesting enough to be targeted.” Unfortunately, attackers often prefer SMEs because they’re easier targets.

Now let’s flip the mindset.  Cybersecurity starts to feel like it’s part of the core business when it’s framed as:

  • Protecting revenue not systems.
  • Protecting customers not servers.
  • Protecting the ability to operate.

Cyber incidents have to be seen as business stopping events, not just technical inconveniences.  Once that is recognised at the top, it tends to be moved into core business territory very quickly.

So, going back to the question I posed above, what do SME owners want from cyber security, assuming now that they truly embrace its importance to the core of the business they are running?  I did mention cost effectiveness above and what follows has to be seen in the context of individual budgets, which will necessarily affect the spend.  In order to make sure that happens any security spending must be targeted on what is important and indeed, critical to the business, and not just what is thought of as critical or important.

What comes top of my list every time is the protection of critical business data.  Think of this in terms of what outcome is wanted.  Generally, that means that customer data, financial records, HR data and intellectual property remain confidential and intact.  From the angle of cost-effectiveness:

  • SMEs prefer low-cost but high-impact controls such as strong passwords, multi-factor authentication, and encrypted backups rather than expensive enterprise systems.
  • Preventing a data breach is far cheaper than paying fines, compensation, or suffering reputational damage.

High on the list of importance comes business continuity and minimal downtime.  It’s vital that systems stay available so the business can keep operating even after an incident.  This generally means simple, automated backups and basic disaster recovery plans that can be pulled own from a shelf, having been regularly updated and tested, and taken into use.  Plans must minimise lost sales and staff productivity.

There’s a lot more too this whilst trying to keep it simple.  Some headlines:

  • Compliance and regulatory requirements – industry dependent except for things like PCI, GDPR etc.
  • Reducing risk to a level that the organisation deems acceptable.  What is known as the risk appetite.  There is no such thing as 100% security, you are essentially managing risk down to a level you can live with.
  • Ease of use for staff.  Security shouldn’t cause frustration and slow things down. 
  • Predictable costs.  Clear, predictable cybersecurity costs that fit within limited budgets.
  • Reputational and customer trust.  Whilst the fallout from loss of trust with your customers can vary from company to company, it is often extremely damaging, especially for companies that hold lots of personal client data.  Maintaining trust through basic security measures is far cheaper than trying to rebuild after a breach.

SME owners and managers are usually not looking for “perfect” security. Their focus is on practical outcomes that protect the business without overspending.  Don’t be lulled into a false sense of security, believing that the technical solutions you have been sold are adequate protection.  Ask questions, look for assurance that you have this covered, remember that often the best solutions are procedural not technical.  Look at things from the angle of people, process and then technology.

Good Luck!!

Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy

Security on Paper vs Security in Practice: What Executives Need to Know

My recent articles have been all about data leakage and I very briefly indicated that we have a solution for that.  I am aware though that in cyber security and in fact data protection, technical solutions on their own, are not sufficient.  They must be underpinned by sound policies and procedures.  One of my favourite quotes, that I probably use too often, but I make no apologies for that, is by a Harvard professor and cyber security evangelist, Bruce Schneier.  He says:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

What am I getting at here exactly?  Well, some solutions are not about technology and in fact are best done procedurally and with sound cyber awareness training.  Other solutions are technical in nature but must be underpinned with sound policies and processes that are rolled out and understood by staff via sound cyber awareness training which covers these policies and processes and why they are necessary.

The great cry from cyber security professionals is – People, Process and then Technology.

For many SMEs, cybersecurity policies do exist but real visibility into cyber risk does not. Policies are often written to satisfy compliance requirements, reassure clients, and demonstrate intent, yet they rarely answer the questions executives care about most: Where are we vulnerable? What could realistically disrupt the business? Are we investing in the right protections?

What we are saying here is that security documentation should be more than a defensive tick box. When policies are actively mapped to vulnerability assessments, they become a powerful source of risk intelligence. Gaps between documented controls and technical reality surface quickly, exposing weaknesses that attackers are far more likely to exploit than auditors are to find.

In an environment where cyber incidents increasingly target smaller organisations, the difference between written policy and operational security is no longer academic. Converting policy into protection is a practical, achievable step that materially reduces risk and one that executive leadership is uniquely positioned to drive.

The trick is understanding what your risks are and what needs protecting and at what level.  What we mean is separating out what is highly sensitive, sensitive and not so much.  Our system helps you map this and helps you make some informed decisions, but it won’t write your policies for you.

I’ve written articles in the past on risk management and identifying threats and vulnerabilities and mapping them to risks Identifying what could go wrong digitally, understanding how bad it would be for the business, and deciding what to do about it, all within your budget and risk appetite. Think of it like financial or operational risk, just applied to data, systems, and online operations.

You can’t protect everything equally.  You don’t need a threat catalogue, just a broad understanding of the common ones that hit SMEs.  You can then assess:

Risk = Likelihood × Impact

Translate tech issues into:

  • Revenue loss
  • Operational downtime
  • Legal/regulatory exposure
  • Reputational damage
  • Customer trust erosion – reputational damage

What we are looking to do is to decide how we treat each risk.  There are really 4 options that you need to think about in terms of each risk:

  • Reduce – put controls in place (e.g., MFA, backups)
  • Accept – consciously live with the risk
  • Transfer – insurance, contracts, outsourcing
  • Avoid – stop doing the risky thing

There was an interesting post on LinkedIn recently about the Bank of England having just dropped its 2025 CBEST Thematic Report with some interesting findings.


After 13 threat-led penetration tests across UK financial services, the message is clear: most vulnerabilities aren’t sophisticated. They’re foundational.

  • Passwords stored in spreadsheets and shared drives
  • Weak MFA enforcement and poor credential hygiene
  • Inadequate network segmentation
  • Detection capabilities that couldn’t spot simulated attacks early
  • Staff still falling for social engineering

The regulators’ call to action is direct:

  • Harden your systems – patch and configure properly
  • Fix your credentials management – MFA, strong passwords, no plaintext storage
  • Detect faster – monitoring and alerting that actually works
  • Remediate based on risk – with proper oversight, not just tactical patches

What I’m touching upon here is multi layered security, what in the military we referred to as strength in depth.  Monitoring systems has often been thought of as too difficult and expensive for SMEs but that’s no longer true and we now have a solution that is affordable and designed specifically for SMEs which handles monitoring but also has some useful addons such as vulnerability assessment, phishing simulations and a built in cyber awareness programme, all within the licence costs, no hidden extras.

Cyber Awareness Training General Security Issues Security Working Practices

Cyber Security Policies – A Must Have or a Nice to Have

I’ve written about this a couple of times now but it’s worth reminding people that policies and attendant processes are a cost-effective necessity in terms of cyber security.  How important are policies and processes in comparison with technology, when it comes to Cyber Security and its sister discipline, data protection.  The clue is that in Cyber Security we refer to People, Process and Technology, in that order.

Top of this list is People, and I’ve written extensively about how important cyber awareness training is for all, managers and employees alike.  This piece is all about policies and processes.  First and foremost, policies have to be relevant to the organisation and not just downloaded from the internet, maybe with a few modifications, before applying a tick in the box and moving on.  Policies have to mean something and have a purpose.  Many organisations I go to either have some very scant policies or actually, none at all.

I often talk about risk in terms of cyber security and how managing that risk is extremely important.  And that means understanding what those risks actually are, and then taking steps to mitigate them.  When I talk about this, I can often see the wheels turning and the audience thinking technology and how much is that going to cost them.  Well, it’s often the case that technology is not the answer.  There are many risks where a good policy, promulgated to, and understood by all, can save the company money.

A good example of that is a fairly common scam that tends to costs SMEs between 5 and 50K depending upon the size of business.  How this is achieved is that the scammer or let’s call him/her what he/she is, the criminal, spends some time profiling the company, using various social engineering techniques to work out how the company is organised and who is who.  You may be surprised as to how much of that information is freely available on the company website, companies house and other sources. Having discovered who the boss is, and who looks after invoice payments, the criminal then ‘spoofs’ the bosses email.  Email spoofing, in simple terms, is sending an email purporting to come from someone else.  So, it arrives purporting to come from the boss, but it’s from the scammer.  Such an email is sent to the person who pays invoices, with an invoice attached, saying please pay this as a matter of urgency.  This happened not so lo g ago to someone I know, and when it arrived in the accounts department it didn’t look genuine to the payments clerk, who replied to the email asking if the boss was sure.  Of course, she got an email back saying yes, I’m sure.  She paid it and the company lost over 30K.  The accounts clerk was clearly switched on but she made a basic error, because she didn’t know any different.  If she had sent a fresh email to the boss querying the invoice, it would have gone to the boss who could have stopped the transaction.  Instead, she replied to the email and her reply went back to the scammer.  A policy which dictates fresh emails rather than using the reply function, and known to all, would have saved the company a lot of money.

Policies and attendant processes are essential for the protection of company data and the bottom line, company money.  What needs to be covered and in what depth, depends on the risks that the company is facing, and will differ company to company depending on its type.  In broad terms, and as an absolute minimum, the following are required:

  • Overarching IT security policy – often this only needs to say very clearly what responsibilities employees have in regard to security and data protection, lay down a requirement and responsibility for cyber awareness training, and state that all employees are to be cognisant of all the policies and are to sign that they have read and understood them.  And most importantly, it must be signed off at board level making it clear that this is a crucial requirement.
  • IT Acceptable Use Policy – what is, and what is not, an acceptable use for company IT.
  • IT Email Policy
  • IT password policy
  • IT Mobile working policy – essential for mobile workers who may be tempted to work from a coffee shop, and of course, working from home.  This latter might be a separate policy or can be part of the mobile working policy.
  • Data Protection Policies – a whole other subject.
  • Social media policy – this can be really important.  Probably 100% of your employees will have a social media presence and will use it daily. How important is it that they don’t associate themselves with the company on their private social media?  Depends on the person but it could be damaging in reputational terms.  The company might also do some digital marketing on social media.  Who is, and who is not, allowed to get involved with that function.

This is not an exhaustive list.  It depends very much on risks that needs mitigating.  They will also be accompanied by processes to support the policy.

General Security Issues Ransomware, Phishing and other Malware Security Security Tools

ENCRYPTION

There are lots of different encryption solutions on the market, some which come with other applications and some that are stand alone.  I’m not going to attempt to put one up against another but rather have a more generic look at the subject.  I’m also not going to worry too much about the technicalities of how they work as frankly, most clients, many of which are SMEs, don’t really care about that.  It’s the effectiveness and what they are going to get for their buck, that they care about.

There are essentially two main types of encryption, whole disc encryption (WDE) and file level encryption (FLE).  WDE protects the device if the disk is offline or stolen.  It’s the type of encryption that comes with Windows (Bitlocker) and with a Mac (File Vault).  FLE on the other hand protects the data itself, even if stored on unlocked or shared systems.  It encrypts on a file-to-file basis i.e. it encrypts the files you want to protect, and leaves others unencrypted.  It generally operates as an agent-based system and often, but not always, comes as part of another application.

WDE is easy to describe. As you log off, the disc is encrypted so that if the hardware, laptop etc, is stolen, the data on the disc is protected.  However as soon as you log on, the disc is unencrypted and so the data is unprotected from an intrusion.

FLE proactively encrypts sensitive files at the file level using AES 256-bit encryption. This makes stolen data completely worthless to attackers, as it cannot be accessed or decrypted without the proper decryption key, which is managed through an agent and defined access controls. By encrypting data automatically and in real-time, FLE ensures data remains protected even if the system is compromised, which can be more effective than traditional reactive security measures that rely on detecting attacks after they occur. 

Let’s take a look in a bit more detail at the differences between WDE and FLE.

FeatureWhole-Disk Encryption (WDE)File-Level Encryption (FLE)
What gets encryptedThe entire drive (OS, apps, swap, all files)Individual files or folders
When data is decryptedAutomatically after the device boots and the user authenticates (e.g., login, pre-boot PIN, TPM key)Each encrypted file decrypts only when accessed by an authorised app/user
Protection scopeStrong against physical theft, lost devices, or disk removalStrong for protecting sensitive data, shared storage, or cloud backups
Visibility of encrypted contentDrive appears unreadable until unlockedFile names can still be visible (depends on tool), but contents are encrypted
Use casesLaptops, desktops, mobile devicesEncrypting documents, databases, specific secrets, or user-chosen data
Performance impactMinimal today, because decryption happens in bulk after unlock, and often uses hardware accelerationCan be higher if many encrypted files are accessed frequently
Granularity / controlLow (all-or-nothing)High (encrypt only what needs protection)
Key managementOne main disk key (often protected by TPM or secure hardware)Many file keys or per-user/per-file keys possible
Security if system is compromised while powered onWeak (disk is unlocked, malware can read everything)Better (files are only decrypted when opened, limiting exposure)

One question I get asked a lot is, does encryption protect against Ransomware.  The short answer is no.  WDE only protects the data when the machine is switched off.  Once booted up the data is unencrypted.  FLE protects data against data leakage or theft in that it can’t be read by unauthorised persons.  However, it can’t prevent encrypted data from being encrypted again by a ransomware attack.

A secondary aim of most ransomware attacks is to steal the data to sell on or to use for other things.  In those cases, FLE does help protect because the ransomware can’t decrypt the already encrypted data.  So, there is a level of protection using FLE that you can’t get with WDE.

FLR can help a little (but still not enough):

It can slow or limit ransomware only if:

  • Keys are stored in a separate secure environment (HSM, smart card, enclave, etc.)
  • Decryption requires per-file user interaction ransomware cannot mimic
  • The storage supports immutable or version-protected encrypted blobs

Even in those cases:

  • Ransomware can still delete files, encrypt them again, or lock the device
  • It usually cannot be used as a full defence strategy

What it does not prevent

  • Files being encrypted again by ransomware
  • Files being deleted or corrupted
  • The system being locked or made unusable

What it can still be good for

         •       Preventing data theft if files are exfiltrated

         •       Limiting extortion via stolen data leaks

  •       Protecting backups stored in cloud/shared drives from being read by attackers

My focus as always is on the SME community and therefore I always aim to keep costs down to a level that makes sense to them.  I am much more a fan of FLE than WDE however, as WDE comes from with both Windows and Mac, then let’s use it.  Many corporate organisations use both as a belt and braces protection.  But remember, on its own it’s not a total solution and should be implemented as part of a more holistic cyber defence.

I hope this has given an insight into the subject and answered some basic questions.  If you would like to understand more about this then please give me a call or an email, I’d be delighted to chat it over.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Working Practices

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target and there are a ton of statistics available which shows that SMEs globally are a very real target for cyber-attacks and can in fact, be very profitable for cyber criminals.  There are a lot of reasons for that but one of the top reasons is that typically, SMEs spend very little on cyber defence and generally have very weak defences.  Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault.  Most are focused on their core business, trying make a quid or two and are pressed for time.  They tend to rely on whatever company, usually local, that supplied their network, hardware and software, generally on a retainer.  The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then, not necessarily the right technology.

When it comes to cybersecurity governance and management, there is no “one size fits all” approach.  In today’s threat landscape we need to fully understand that cyber security is not a purely technical problem, focused on hardware and endpoint protection and on operations within the organisational perimeter.  Today we are dealing with cloud storage, in office and remote working, data at rest and in transit, involving security at every point along the route.

It is critical that someone within the organisation has to take responsibility for cyber security and that person must have a seat on the Board. A Board-level response is not just appropriate; it is essential.

Secure by default and design

Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to the cloud of some sort, very possibly for SMEs, MS365, but when the design was done, there wasn’t a full risk assessment undertaken which is a requirement to underpin that design.  In other words what we in the cyber security industry refer to as Security Architecture Design (SAD), wasn’t a prominent consideration.

Not unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else.  And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

      2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

      3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

      4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

      5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

      6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

      7. Collaboration with external partners: Establishing a partnership with cyber security company that understands the issues that affect SMEs and who themselves can establish a solid working relationship with the IT provider that is providing and administering your network and IT resources, will enhance your protections, significantly improve your employee and managerial awareness of the issues, and provide you with the peace of mind you need, allowing you to concentrate on your core business.

      Scroll to top