General Security Issues

Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy

LESS FEAR MORE FIXES:  WHAT SME LEADERS WANT FROM CYBER SECURITY

That’s a good question and one that I’ve often pondered upon.  Cost effectiveness obviously, everyone’s on a budget, especially these days and there is a healthy reluctance to spend money on what is seen as not being your core business. 

I would argue that these days IT is part of your core business, or perhaps part of your core business operations.  Ask yourselves how many of you can continue business without access to your IT systems and the data they hold.  If IT is part of your business operations, then so is its integrity and security.

Let’s take a quick look at some of the reasons why security doesn’t feel like core business to many people:

  • It’s invisible when it works

If cybersecurity is doing its job, nothing happens. No alerts, no fires to put out, no obvious ROI. Compared to sales, ops, or product delivery, it feels abstract and thankless.

  • It’s framed as an IT problem, not a business risk

Many SMEs still see cyber as “the IT guy’s job.” Leaders think in terms of revenue, customers, and growth whereas cybersecurity often isn’t translated into those terms.

  • Short-term survival beats long-term risk

SMEs run lean. Cash flow, hiring, and winning the next customer feel urgent. Cyber risk feels probable someday rather than painful today, so it gets deprioritised.

  • Lack of personal exposure

If a leader hasn’t personally experienced a cyber incident, or heard a close friends horror story, it’s hard to internalise the risk. Threats feel like something that happens to “big companies” or “other people.”

  • Complexity and jargon turn people off

Cybersecurity language is often technical, fear-based, or compliance-heavy. When leaders don’t fully understand something, they’re less likely to own it as core strategy.

  • No clear ownership at the top

In many SMEs there’s no CISO, no risk committee, no board pressure. If no one at leadership level “owns” cyber risk, it floats somewhere below the surface.

  • Seen as a cost centre, not a value driver

Cybersecurity is usually positioned as insurance or compliance spend, not as something that enables trust, customer retention, or business continuity.

  • Optimism bias

Many SME leaders quietly think: “We’re too small / not interesting enough to be targeted.” Unfortunately, attackers often prefer SMEs because they’re easier targets.

Now let’s flip the mindset.  Cybersecurity starts to feel like it’s part of the core business when it’s framed as:

  • Protecting revenue not systems.
  • Protecting customers not servers.
  • Protecting the ability to operate.

Cyber incidents have to be seen as business stopping events, not just technical inconveniences.  Once that is recognised at the top, it tends to be moved into core business territory very quickly.

So, going back to the question I posed above, what do SME owners want from cyber security, assuming now that they truly embrace its importance to the core of the business they are running?  I did mention cost effectiveness above and what follows has to be seen in the context of individual budgets, which will necessarily affect the spend.  In order to make sure that happens any security spending must be targeted on what is important and indeed, critical to the business, and not just what is thought of as critical or important.

What comes top of my list every time is the protection of critical business data.  Think of this in terms of what outcome is wanted.  Generally, that means that customer data, financial records, HR data and intellectual property remain confidential and intact.  From the angle of cost-effectiveness:

  • SMEs prefer low-cost but high-impact controls such as strong passwords, multi-factor authentication, and encrypted backups rather than expensive enterprise systems.
  • Preventing a data breach is far cheaper than paying fines, compensation, or suffering reputational damage.

High on the list of importance comes business continuity and minimal downtime.  It’s vital that systems stay available so the business can keep operating even after an incident.  This generally means simple, automated backups and basic disaster recovery plans that can be pulled own from a shelf, having been regularly updated and tested, and taken into use.  Plans must minimise lost sales and staff productivity.

There’s a lot more too this whilst trying to keep it simple.  Some headlines:

  • Compliance and regulatory requirements – industry dependent except for things like PCI, GDPR etc.
  • Reducing risk to a level that the organisation deems acceptable.  What is known as the risk appetite.  There is no such thing as 100% security, you are essentially managing risk down to a level you can live with.
  • Ease of use for staff.  Security shouldn’t cause frustration and slow things down. 
  • Predictable costs.  Clear, predictable cybersecurity costs that fit within limited budgets.
  • Reputational and customer trust.  Whilst the fallout from loss of trust with your customers can vary from company to company, it is often extremely damaging, especially for companies that hold lots of personal client data.  Maintaining trust through basic security measures is far cheaper than trying to rebuild after a breach.

SME owners and managers are usually not looking for “perfect” security. Their focus is on practical outcomes that protect the business without overspending.  Don’t be lulled into a false sense of security, believing that the technical solutions you have been sold are adequate protection.  Ask questions, look for assurance that you have this covered, remember that often the best solutions are procedural not technical.  Look at things from the angle of people, process and then technology.

Good Luck!!

Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy

Security on Paper vs Security in Practice: What Executives Need to Know

My recent articles have been all about data leakage and I very briefly indicated that we have a solution for that.  I am aware though that in cyber security and in fact data protection, technical solutions on their own, are not sufficient.  They must be underpinned by sound policies and procedures.  One of my favourite quotes, that I probably use too often, but I make no apologies for that, is by a Harvard professor and cyber security evangelist, Bruce Schneier.  He says:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

What am I getting at here exactly?  Well, some solutions are not about technology and in fact are best done procedurally and with sound cyber awareness training.  Other solutions are technical in nature but must be underpinned with sound policies and processes that are rolled out and understood by staff via sound cyber awareness training which covers these policies and processes and why they are necessary.

The great cry from cyber security professionals is – People, Process and then Technology.

For many SMEs, cybersecurity policies do exist but real visibility into cyber risk does not. Policies are often written to satisfy compliance requirements, reassure clients, and demonstrate intent, yet they rarely answer the questions executives care about most: Where are we vulnerable? What could realistically disrupt the business? Are we investing in the right protections?

What we are saying here is that security documentation should be more than a defensive tick box. When policies are actively mapped to vulnerability assessments, they become a powerful source of risk intelligence. Gaps between documented controls and technical reality surface quickly, exposing weaknesses that attackers are far more likely to exploit than auditors are to find.

In an environment where cyber incidents increasingly target smaller organisations, the difference between written policy and operational security is no longer academic. Converting policy into protection is a practical, achievable step that materially reduces risk and one that executive leadership is uniquely positioned to drive.

The trick is understanding what your risks are and what needs protecting and at what level.  What we mean is separating out what is highly sensitive, sensitive and not so much.  Our system helps you map this and helps you make some informed decisions, but it won’t write your policies for you.

I’ve written articles in the past on risk management and identifying threats and vulnerabilities and mapping them to risks Identifying what could go wrong digitally, understanding how bad it would be for the business, and deciding what to do about it, all within your budget and risk appetite. Think of it like financial or operational risk, just applied to data, systems, and online operations.

You can’t protect everything equally.  You don’t need a threat catalogue, just a broad understanding of the common ones that hit SMEs.  You can then assess:

Risk = Likelihood × Impact

Translate tech issues into:

  • Revenue loss
  • Operational downtime
  • Legal/regulatory exposure
  • Reputational damage
  • Customer trust erosion – reputational damage

What we are looking to do is to decide how we treat each risk.  There are really 4 options that you need to think about in terms of each risk:

  • Reduce – put controls in place (e.g., MFA, backups)
  • Accept – consciously live with the risk
  • Transfer – insurance, contracts, outsourcing
  • Avoid – stop doing the risky thing

There was an interesting post on LinkedIn recently about the Bank of England having just dropped its 2025 CBEST Thematic Report with some interesting findings.


After 13 threat-led penetration tests across UK financial services, the message is clear: most vulnerabilities aren’t sophisticated. They’re foundational.

  • Passwords stored in spreadsheets and shared drives
  • Weak MFA enforcement and poor credential hygiene
  • Inadequate network segmentation
  • Detection capabilities that couldn’t spot simulated attacks early
  • Staff still falling for social engineering

The regulators’ call to action is direct:

  • Harden your systems – patch and configure properly
  • Fix your credentials management – MFA, strong passwords, no plaintext storage
  • Detect faster – monitoring and alerting that actually works
  • Remediate based on risk – with proper oversight, not just tactical patches

What I’m touching upon here is multi layered security, what in the military we referred to as strength in depth.  Monitoring systems has often been thought of as too difficult and expensive for SMEs but that’s no longer true and we now have a solution that is affordable and designed specifically for SMEs which handles monitoring but also has some useful addons such as vulnerability assessment, phishing simulations and a built in cyber awareness programme, all within the licence costs, no hidden extras.

Cyber Awareness Training General Security Issues Security Working Practices

Cyber Security Policies – A Must Have or a Nice to Have

I’ve written about this a couple of times now but it’s worth reminding people that policies and attendant processes are a cost-effective necessity in terms of cyber security.  How important are policies and processes in comparison with technology, when it comes to Cyber Security and its sister discipline, data protection.  The clue is that in Cyber Security we refer to People, Process and Technology, in that order.

Top of this list is People, and I’ve written extensively about how important cyber awareness training is for all, managers and employees alike.  This piece is all about policies and processes.  First and foremost, policies have to be relevant to the organisation and not just downloaded from the internet, maybe with a few modifications, before applying a tick in the box and moving on.  Policies have to mean something and have a purpose.  Many organisations I go to either have some very scant policies or actually, none at all.

I often talk about risk in terms of cyber security and how managing that risk is extremely important.  And that means understanding what those risks actually are, and then taking steps to mitigate them.  When I talk about this, I can often see the wheels turning and the audience thinking technology and how much is that going to cost them.  Well, it’s often the case that technology is not the answer.  There are many risks where a good policy, promulgated to, and understood by all, can save the company money.

A good example of that is a fairly common scam that tends to costs SMEs between 5 and 50K depending upon the size of business.  How this is achieved is that the scammer or let’s call him/her what he/she is, the criminal, spends some time profiling the company, using various social engineering techniques to work out how the company is organised and who is who.  You may be surprised as to how much of that information is freely available on the company website, companies house and other sources. Having discovered who the boss is, and who looks after invoice payments, the criminal then ‘spoofs’ the bosses email.  Email spoofing, in simple terms, is sending an email purporting to come from someone else.  So, it arrives purporting to come from the boss, but it’s from the scammer.  Such an email is sent to the person who pays invoices, with an invoice attached, saying please pay this as a matter of urgency.  This happened not so lo g ago to someone I know, and when it arrived in the accounts department it didn’t look genuine to the payments clerk, who replied to the email asking if the boss was sure.  Of course, she got an email back saying yes, I’m sure.  She paid it and the company lost over 30K.  The accounts clerk was clearly switched on but she made a basic error, because she didn’t know any different.  If she had sent a fresh email to the boss querying the invoice, it would have gone to the boss who could have stopped the transaction.  Instead, she replied to the email and her reply went back to the scammer.  A policy which dictates fresh emails rather than using the reply function, and known to all, would have saved the company a lot of money.

Policies and attendant processes are essential for the protection of company data and the bottom line, company money.  What needs to be covered and in what depth, depends on the risks that the company is facing, and will differ company to company depending on its type.  In broad terms, and as an absolute minimum, the following are required:

  • Overarching IT security policy – often this only needs to say very clearly what responsibilities employees have in regard to security and data protection, lay down a requirement and responsibility for cyber awareness training, and state that all employees are to be cognisant of all the policies and are to sign that they have read and understood them.  And most importantly, it must be signed off at board level making it clear that this is a crucial requirement.
  • IT Acceptable Use Policy – what is, and what is not, an acceptable use for company IT.
  • IT Email Policy
  • IT password policy
  • IT Mobile working policy – essential for mobile workers who may be tempted to work from a coffee shop, and of course, working from home.  This latter might be a separate policy or can be part of the mobile working policy.
  • Data Protection Policies – a whole other subject.
  • Social media policy – this can be really important.  Probably 100% of your employees will have a social media presence and will use it daily. How important is it that they don’t associate themselves with the company on their private social media?  Depends on the person but it could be damaging in reputational terms.  The company might also do some digital marketing on social media.  Who is, and who is not, allowed to get involved with that function.

This is not an exhaustive list.  It depends very much on risks that needs mitigating.  They will also be accompanied by processes to support the policy.

General Security Issues Ransomware, Phishing and other Malware Security Security Tools

ENCRYPTION

There are lots of different encryption solutions on the market, some which come with other applications and some that are stand alone.  I’m not going to attempt to put one up against another but rather have a more generic look at the subject.  I’m also not going to worry too much about the technicalities of how they work as frankly, most clients, many of which are SMEs, don’t really care about that.  It’s the effectiveness and what they are going to get for their buck, that they care about.

There are essentially two main types of encryption, whole disc encryption (WDE) and file level encryption (FLE).  WDE protects the device if the disk is offline or stolen.  It’s the type of encryption that comes with Windows (Bitlocker) and with a Mac (File Vault).  FLE on the other hand protects the data itself, even if stored on unlocked or shared systems.  It encrypts on a file-to-file basis i.e. it encrypts the files you want to protect, and leaves others unencrypted.  It generally operates as an agent-based system and often, but not always, comes as part of another application.

WDE is easy to describe. As you log off, the disc is encrypted so that if the hardware, laptop etc, is stolen, the data on the disc is protected.  However as soon as you log on, the disc is unencrypted and so the data is unprotected from an intrusion.

FLE proactively encrypts sensitive files at the file level using AES 256-bit encryption. This makes stolen data completely worthless to attackers, as it cannot be accessed or decrypted without the proper decryption key, which is managed through an agent and defined access controls. By encrypting data automatically and in real-time, FLE ensures data remains protected even if the system is compromised, which can be more effective than traditional reactive security measures that rely on detecting attacks after they occur. 

Let’s take a look in a bit more detail at the differences between WDE and FLE.

FeatureWhole-Disk Encryption (WDE)File-Level Encryption (FLE)
What gets encryptedThe entire drive (OS, apps, swap, all files)Individual files or folders
When data is decryptedAutomatically after the device boots and the user authenticates (e.g., login, pre-boot PIN, TPM key)Each encrypted file decrypts only when accessed by an authorised app/user
Protection scopeStrong against physical theft, lost devices, or disk removalStrong for protecting sensitive data, shared storage, or cloud backups
Visibility of encrypted contentDrive appears unreadable until unlockedFile names can still be visible (depends on tool), but contents are encrypted
Use casesLaptops, desktops, mobile devicesEncrypting documents, databases, specific secrets, or user-chosen data
Performance impactMinimal today, because decryption happens in bulk after unlock, and often uses hardware accelerationCan be higher if many encrypted files are accessed frequently
Granularity / controlLow (all-or-nothing)High (encrypt only what needs protection)
Key managementOne main disk key (often protected by TPM or secure hardware)Many file keys or per-user/per-file keys possible
Security if system is compromised while powered onWeak (disk is unlocked, malware can read everything)Better (files are only decrypted when opened, limiting exposure)

One question I get asked a lot is, does encryption protect against Ransomware.  The short answer is no.  WDE only protects the data when the machine is switched off.  Once booted up the data is unencrypted.  FLE protects data against data leakage or theft in that it can’t be read by unauthorised persons.  However, it can’t prevent encrypted data from being encrypted again by a ransomware attack.

A secondary aim of most ransomware attacks is to steal the data to sell on or to use for other things.  In those cases, FLE does help protect because the ransomware can’t decrypt the already encrypted data.  So, there is a level of protection using FLE that you can’t get with WDE.

FLR can help a little (but still not enough):

It can slow or limit ransomware only if:

  • Keys are stored in a separate secure environment (HSM, smart card, enclave, etc.)
  • Decryption requires per-file user interaction ransomware cannot mimic
  • The storage supports immutable or version-protected encrypted blobs

Even in those cases:

  • Ransomware can still delete files, encrypt them again, or lock the device
  • It usually cannot be used as a full defence strategy

What it does not prevent

  • Files being encrypted again by ransomware
  • Files being deleted or corrupted
  • The system being locked or made unusable

What it can still be good for

         •       Preventing data theft if files are exfiltrated

         •       Limiting extortion via stolen data leaks

  •       Protecting backups stored in cloud/shared drives from being read by attackers

My focus as always is on the SME community and therefore I always aim to keep costs down to a level that makes sense to them.  I am much more a fan of FLE than WDE however, as WDE comes from with both Windows and Mac, then let’s use it.  Many corporate organisations use both as a belt and braces protection.  But remember, on its own it’s not a total solution and should be implemented as part of a more holistic cyber defence.

I hope this has given an insight into the subject and answered some basic questions.  If you would like to understand more about this then please give me a call or an email, I’d be delighted to chat it over.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Working Practices

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target and there are a ton of statistics available which shows that SMEs globally are a very real target for cyber-attacks and can in fact, be very profitable for cyber criminals.  There are a lot of reasons for that but one of the top reasons is that typically, SMEs spend very little on cyber defence and generally have very weak defences.  Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault.  Most are focused on their core business, trying make a quid or two and are pressed for time.  They tend to rely on whatever company, usually local, that supplied their network, hardware and software, generally on a retainer.  The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then, not necessarily the right technology.

When it comes to cybersecurity governance and management, there is no “one size fits all” approach.  In today’s threat landscape we need to fully understand that cyber security is not a purely technical problem, focused on hardware and endpoint protection and on operations within the organisational perimeter.  Today we are dealing with cloud storage, in office and remote working, data at rest and in transit, involving security at every point along the route.

It is critical that someone within the organisation has to take responsibility for cyber security and that person must have a seat on the Board. A Board-level response is not just appropriate; it is essential.

Secure by default and design

Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to the cloud of some sort, very possibly for SMEs, MS365, but when the design was done, there wasn’t a full risk assessment undertaken which is a requirement to underpin that design.  In other words what we in the cyber security industry refer to as Security Architecture Design (SAD), wasn’t a prominent consideration.

Not unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else.  And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

      2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

      3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

      4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

      5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

      6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

      7. Collaboration with external partners: Establishing a partnership with cyber security company that understands the issues that affect SMEs and who themselves can establish a solid working relationship with the IT provider that is providing and administering your network and IT resources, will enhance your protections, significantly improve your employee and managerial awareness of the issues, and provide you with the peace of mind you need, allowing you to concentrate on your core business.

      General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

      Cyber Security Architecture

      In many of my discussion with small to medium business owner on the subject of Cyber Security and how it may impact them, one of the things that does stand out, amongst quite a few, is the lack of understanding about security architecture.  So, I thought it was worth discussing it further.

      What is security architecture?  Well, in a nutshell it’s the technical elements of security that are used to mitigate cyber risks.  Many of you may have read or heard of me talking about the differences between IT Security ie, the technical elements, and Cyber Security ie, the risk managed elements, a more holistic approach if you like.  And of course, the two remain separate whilst maintaining a symbiotic relationship in that one begets the other, or it should.  Security architecture, in order to be fully effective, has to be based on risk management ie, if you haven’t identified the risks, how can be sure that whatever technology you’ve been persuaded to buy, is necessary and effective?

      All SMEs will have things like a firewall and anti-virus, possibly going a step further and having some form of end point protection against most malware attacks.  But how did they arrive at the products they have purchased and taken into use.  Well generally that is based solely on the recommendation of whatever IT support company they’ve bought it from.  Usually, the local IT company that they use to supply their hardware and software and who often provide technical support as well.

      I’m not against building a relationship with a local IT provider, in fact it’s a very good idea, but all SMEs have to realise that those companies are what is known as Value Added Resellers or VARs.  What that means is that they have a relationship with hardware and software vendors and that their staff are trained in the installation, configuration and sometimes maintenance, of those vendors hardware and software.  Is that a problem?  That depends very much on how the requirement for a solution was arrived at.  Was it based on identifying the risk through some form of risk assessment process, or was it arrived at because that’s the products they sell and are comfortable with?  All too often it’s the latter.

      I’ve also talked elsewhere about the other non-technical controls that might be required, such as policies and process, another subject but one which is vitally important and can often be better placed to protect a company than expensive tech.

      How many SME owners have had the reasoning behind the purchase of technical solutions explained to them? And to be fair to the VAR, how many SME owners have asked for it to be explained to them?  It is typical, when I visit SMEs, to find that they have what is known as a flat network.  That means that they have one gateway into the network, introducing a single point of failure, and no segmentation within the network.  Lack of segmentation means that once an intruder is in, and often the gateway firewall is a dual firewall/router entry level device, not the best, then there are no other controls to stop the intruder from attacking end points, such as for instance, your finance department/person, or perhaps just taking whatever data they want in a stealth attack, so that you don’t even know it’s been compromised.

      Of course, these days that is often exacerbated by the increasingly popular remote working.  I know not every company has embraced this, but many have and have not through the security implications.

      Segmentation, remote access and remote security solutions need not be overly expensive to implement and may save a lot of money in the long run.  But the main point is that unless you have carried out a risk assessment, then you don’t actually know whether you need a particular solution or not.  Neither do you know whether your firewall and/or router is up to scratch, whether your anti-malware system is doing what you think it’s doing, whether your policies and processes are adequate for the task and whether your staff understand the issues and dangers.

      None of these things need be complicated and difficult but they are essential to adequately protect you against and increasingly sophisticated and ever evolving cybercriminal community.

      Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy Security Tools

      Do You Have a Handle on Your Cyber Maturity Stance?

      Over the years I’ve had some very interesting conversations with several people from multiple different verticals, but all fitting comfortably within the SME bracket, around Cyber Security.  The conversations often tend to take a very familiar turn.  The cry of, ‘I’m covered, my IT support company has put in a firewall and some anti-virus.  They tell me all is good’.  Slightly depressing but not terribly surprising.

      Even though cyber security and data loss prevention have leapt to the top of many people’s agenda in recent years, it is still common amongst many SMEs to believe that it is an IT problem, a technical problem rather than a business issue, even when recognising that the risk of a cyber intrusion or a data breach, impacts the business, the bottom line.  So, is it an IT issue or a business issue? 

      The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security incident of some sort.  For the small business this could result in costs they could well do without, and I know of one business that has been hit for around £30000, which I am sure you will agree, can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers data and assets be affected as well.

      As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

      If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

      It is a common misconception is that IT Security is the same as Cyber Security.  That surprises a lot of people, so let’s explore it a bit.  There is clearly a close symbiotic relationship between the two disciplines.  I would argue, and I know this might meet with some disagreement, that IT security refers to traditional IT security methods which are technology based.  Such as firewalls, anti-malware, end point protection etc.  Whilst Cyber security is based very much on risk management which combines controls which are both non-technical and technical, following the principles of People, Process and Technology.

      Within the SME world this tends to mean that there is a heavy reliance on third party IT providers.  Is that a good thing? After all that’s in their area of expertise and responsibility, isn’t it?  And here comes the controversial bit.  Third party IT providers, particularly in the SME space, are pretty much exclusively value added resellers or VARs, i.e., companies that sell other company’s products.  Now I’ve no problem with that per se, but it comes with issues.    Notable amongst them is that these companies will have skill sets that are very much limited to the products they sell.  Ie they are proficient in the installation and configuration of those products and their clients are offered those products whether they are best in class, or more importantly, whether they are the most appropriate for the task.  Before I get a social media pile on, I know that some of the bigger VARs do sell multiple vendors products, but they are in a minority.

      Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

      • Small to medium size businesses are not worth attacking.
      • Cyber Security is an IT Issue.
      • Technology will keep me safe.
      • My policies and procedures are up to the job.
      • My staff are young and have been brought up with IT.  They know the score.

      Now let’s look at some of the more common issues that we see often amongst SMEs:

      • Lack of awareness around the current real-world cybersecurity risks
      • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
      • Lack of cybersecurity knowledge, and understanding
      • Poor cybersecurity maturity and posture within their businesses
      • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

      Here at H2 we offer a cyber maturity assessment that is designed specifically at SMEs.  It is a comprehensive evaluation of an organisation’s cybersecurity capabilities and readiness to effectively mitigate and respond to cyber threats. It involves a detailed analysis of the organisation’s cybersecurity policies, procedures, technologies, and practices. The assessment aims to identify potential vulnerabilities, weaknesses, and areas for improvement in the organisation’s cybersecurity posture.

      During the assessment, we typically examine various aspects, such as:

      • Governance and Management: Reviewing the organisation’s cybersecurity policies, risk management frameworks, and leadership’s commitment to cybersecurity.
      • Security Awareness and Training: Evaluating the level of cybersecurity awareness among employees and the effectiveness of training programs.
      • Technical Controls: Assessing the implementation and effectiveness of security technologies, such as firewalls, intrusion detection systems, antivirus software, and encryption mechanisms.
      • Incident Response and Recovery: Analysing the organisation’s incident response plan, including procedures for detecting, reporting, and responding to cyber incidents.
      • Security Risk Management: Evaluating how the organisation identifies, assesses, and manages cybersecurity risks.
      • Third-Party Risk Management: Assessing the organisation’s approach to managing cybersecurity risks associated with third-party vendors and partners.
      • Compliance and Regulations: Verifying the organisation’s compliance with relevant cybersecurity regulations and industry standards.

      The results of the Cyber Maturity Assessment provide valuable insights to the organisation, enabling them to enhance their cybersecurity defences and establish a more robust and resilient security posture. It helps organisations prioritise their investments in cybersecurity, address vulnerabilities, and strengthens their overall cyber resilience and provides a road map to reach a standard agreed with the management, taking full account of that managements risk appetite.

      H2 is currently offering a free 1-hour consultation, and if you wish, a 10% discount for a CMA.

      Cyber Awareness Training Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware

      SPOOFING

      I’ve mentioned spoofing quite a bit in various posts and blogs, but what exactly is it?  Spoofing, as it pertains to cybersecurity, is when someone or something pretends to be something else, attempting to gain our confidence to get access to our systems, steal data, steal money, or spread malware. These attacks come in several forms, including:

      • Email spoofing
      • Website and/or URL spoofing
      • Caller ID spoofing
      • Text message spoofing
      • GPS spoofing
      • Man-in-the-middle attacks
      • Extension spoofing
      • IP spoofing
      • Facial spoofing

      Cyber criminals aren’t all that original and spoofing is another con to fool us into taking some form of action that the criminal wants us to take; in other words, it’s a more technical variation on a con artists skill set.  Very often, merely invoking the name of a big, trusted organisation is enough to get us to give up information or take some kind of action. For example, a spoofed email might inquire about purchases you never made. Concerned about your account, you might click the included link.

      From that malicious link, scammers will send you to a web page with a malware download or a faked login page, complete with a familiar logo and spoofed link to a web page, for the purpose of harvesting your username and password.

      There are many more ways a spoofing attack can play out. In all of them, fraudsters rely on victims falling for the fake. If you never doubt the legitimacy of a website and never suspect an email of being faked, then you could become a victim of a spoofing attack at some point.

      Let’s look at some types of spoofing.

      Email spoofing is the act of sending emails with false sender addresses, usually as part of a phishing attack designed to steal your information, infect your computer with malware or just ask for money. An example of this is the fabled CEO attack whereby a spoofed email is sent to someone in your accounts payable department attaching an invoice from a fake supplier and purporting to come from the CEO or other senior manager, with the instruction to pay the invoice now, without delay, and sounding like the senior manager is angry about something.  Of course, this is quite easy to defend against by having a rule in place that if a suspect email is received, the alleged sender should be contacted for verification.  Be aware though, if you simply reply to the email, it will go back to the scammer, you must open a fresh email or make a call.

      Phishing emails will typically include a combination of deceptive features:

      • False sender address designed to look like it’s from someone you know and trust, maybe a friend, coworker, family member, or company you do business with. 
      • In the case of a company or organisation, the email may include familiar branding, e.g. logo, colours, font, call to action button, etc.
      • Spear phishing attacks target an individual or small group within a company and will include personalised language and address the recipient by name.
      • Typos. Email scammers can be lazy and often don’t spend much time proofreading their own work. Email spoofs often have typos, or they look like someone translated the text through Google Translate.

      Website spoofing is all about making a malicious website look like a legitimate one. The spoofed site will look like the login page for a website you frequent, down to the branding, user interface, and even a spoofed domain name that looks the same at first glance. Cybercriminals use spoofed websites to capture your username and password (aka login spoofing) or drop malware onto your computer.

      Caller ID spoofing happens when scammers fool your caller ID by making the call appear to be coming from somewhere it isn’t. Scammers have learned that you’re more likely to answer the phone if the caller ID shows an area code the same or near your own.

      Text message spoofing or SMS spoofing is sending a text message with someone else’s phone number or sender ID. If you’ve ever sent a text message from your laptop, you’ve spoofed your own phone number to send the text, because the text did not actually originate from your phone.

      Man-in-the-Middle (MitM) attacks can happen when you use free Wi-Fi at your local coffee shop. Have you considered what would happen if a cybercriminal hacked the Wi-Fi or created another fraudulent Wi-Fi network in the same location?

      Extension spoofing occurs when cybercriminals need to disguise executable malware files. One common extension spoofing trick criminals like to use is to name the file something along the lines of “filename.txt.exe.” The criminals know file extensions are hidden by default in Windows so to the average Windows user this executable file will appear as “filename.txt.”

      IP spoofing is used when someone wants to hide or disguise the location from which they’re sending or requesting data online.

      Facial spoofing might be the most personal, because of the implications it carries for the future of technology and our personal lives. As it stands, facial ID technology is limited. We use our faces to unlock our mobile devices and laptops, and not much else. This is likely to spread, and the use of AI makes facial spoofing more likely.  Imagine if we advance to using facial recognition to make online payments – scary stuff.

      There’s a lot more to this subject, for instance, how do you spot it?  How do you protect yourself against it?  The best form of defence is simply cyber awareness training, something you’re probably getting fed up hearing from me.  But it’s simply a fact that your staff can be your first line of defence, or your biggest threat.

      Malwarebytes have published a more detailed article on this subject but even that needs some understanding and explanation.

      Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Working Practices

      Scams v Hacks

      We hear a lot about the consequences of cyber-attacks and data breaches but not a lot about the specific threats against SMEs, rather than the generic threats against all businesses.  In general businesses are more likely to be targeted by scammers (social engineering attacks) than by purely technical attacks.  But why?  Attacks against individual SMEs are not going to bring in a lot of profit for the criminal, so they often go after multiple targets all at once.  How they do that is to craft an attack which can be automated and directed at many SMEs all at once.  The easiest way to do that is via a social engineering attack.  Let’s take a look at what we mean by that.

      Scams and social engineering attacks rely heavily on human error.  Not only do SMEs have weaker defences than their corporate cousins, but they spend little, if anything, on cyber awareness training.  The attack that brought down Knights of Old, reducing a once thriving business to bankruptcy in a frighteningly short time, was the result of a weak password being cracked.  That suggests that OK, a stronger password protocol and the use of MFA would have been of great benefit but so would educating the users about social engineering and how they can protect the company and their jobs.

      Typically, we see:

      • Phishing emails that trick employees into giving credentials or downloading malware.
      • Business email compromise (BEC) — attackers impersonate executives to request bank transfers or the immediate payment of an invoice.
      • Fake invoices or supplier fraud.

      It’s done this way simply because it’s easier and cheaper to execute than a technical attack.  It’s scalable with scammers sending thousands of phishing emails, and it often bypasses technical defences by exploiting people directly.

      In addition to the traditional attacks, we are now facing AI generated attacks, enabling criminals to design scams that are even more scalable and to be produced more quickly.  Some examples include:

      Deepfake CEO Fraud (AI-Generated Voice or Video)

      A finance employee receives a video call from someone who appears to be the CEO instructing them to urgently transfer funds to a supplier. The video and voice are AI-generated deepfakes using real footage and voice samples taken from public online sources.  This has happened in the UK causing a UK based firm to lose over £20m in early 2025.  Obviously not an SME but the attack was not difficult to generate.

      Another AI attack was an upscale of the Business Email Compromise:

      Criminals use AI to monitor and mimic email communication styles. They craft perfectly worded emails from a company executive asking the accounting team to update supplier bank details or pay fake invoices.  What is new in 2025 is that AI now personalises these scams based on internal speech patterns and tone scraped from Slack or Teams (when credentials are compromised and that list is not exhaustive – other online messaging systems are available).

      One scam that we are now seeing more of is the fake job applicant scam targeting HR departments and IT onboarding teams.  Scammers apply for remote jobs using fake CVs and AI-generated video interviews. Once hired, they gain access to internal systems and exfiltrate data or install malware.  They’re playing the long game here, but it can really pay off.

      There are lots of examples and I’ll just put in a couple more:

      How many of you use Software as a Service (SaaS) and pay a subscription? In this case a fake renewal notice is sent for services like Microsoft 365, Zoom, or Slack. The email contains a link to a spoofed portal, which steals company admin credentials when they try to “log in.”   A new twist in 2025 is that the phishing emails are personalised with real invoice numbers and recent usage data scraped from prior breaches.

      Most of you are probably on LinkedIn, even if you are not particularly active on there.  We are now seeing more of the LinkedIn Clone Attack.  What happens here is that the scammers clone the LinkedIn profile of a known business leader and use it to reach out to employees or partners, proposing urgent collaborations or investment opportunities that include malicious links.  In a more advanced tactic, they use AI-generated responses in real-time chats that make these accounts seem very real.

      So, in conclusion, whilst we cannot rule out the more technical attack on an SME, we can say that the most likely attack will come via some sort of scam, often nowadays using AI.  The defences need to be in depth and will include some technical defences but often the best defence against social engineering is cyber awareness training and this is generally ignored by SMEs.

      Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Risk Analysis and Security Strategy Security Tools

      A Guide to Cyber Security for SMEs

      There’s a continual stream of blogs and posts about cyber security and the sometimes catastrophic effects of getting it wrong, but there is very little that tells SMEs what they should be doing, and it’s generally left to local IT management companies and VARs (Value Added Resellers – i.e. those who sell various products and add value by configuring and managing them).  I’m not knocking those companies; they have a very valid business model.  But what they aren’t are cyber security professionals and generally their security expertise is focused on the products that they sell.  For instance, they will have good skills in installing and configuring security products such as anti-virus and firewalls but there is generally no knowledge of cyber risk management and assessment, thereby ensuring that you have the right defences in the right place, providing the best value for your limited spend, and ignoring the non-technical solutions that are often a better bet than a piece of technology.

      SMEs generally have very little budget to allocate to this and that means that what budget they have needs to be effectively targeted at what is important.  They need to be aiming for a situation whereby when a potential attacker targets them, they appear to be a more difficult nut to crack than other organisations in their space and their size.  Attackers want things to be easy, not difficult, and they will often move on if things get difficult.  A criminal is in the game of getting easy money.

      Let’s take a look at what cyber security is all about, and more importantly, why you need it?  Let’s tackle the first question – what is cyber security?  One definition is as follows:

      Cybersecurity is the practice of protecting computer systems, networks, software, and data from digital attacks, unauthorised access, damage, or theft. It involves a range of technologies, processes, and practices designed to:

      • Prevent cyberattacks
      • Detect breaches or suspicious activity
      • Respond to security incidents
      • Recover from damage or loss caused by attacks

      The problem is of course that each bullet point there covers a multitude of issues that need to be addressed.  The question is understanding what those issues are, how they affect you and what is the priority i.e. what are the most important things that you need to protect, and what comes next, all managed within whatever budget you can allocate to it.  It’s not easy and you might feel that you don’t need to do everything but that you need to cover off the most important issues.  That means of course that you need to know what those issues are.

      The first thing you need to do is to identify your cyber assets.  Assets are not confined to hardware and software, far from it.  A cybersecurity asset is anything of value that requires protection in a digital context. Identifying and classifying these assets is a foundational step in building a strong cybersecurity posture.  Assets will change from company to company, depending upon how you’re organised and what business you are in, but generally:

      Hardware Assets

      • Servers, routers, laptops, mobile devices, firewalls
      • Why it matters: Physical devices are entry points for attackers and must be secured.

      Software Assets

      • Operating systems, applications, databases etc
      • Why it matters: Vulnerabilities in software can be exploited to gain unauthorised access.

      Data Assets

      • Customer records, financial data, intellectual property, source code
      • Why it matters: Data breaches can lead to regulatory fines, reputational damage, and financial loss.

      Network Assets

      • VPNs, switches, IP addresses, subnets
      • Why it matters: Networks facilitate communication and, if not protected, can be avenues for lateral movement by attackers.

      People Assets

      • Employees, contractors, system administrators
      • Why it matters: Human error is a leading cause of breaches, so training and access control are crucial.

      Cloud and Virtual Assets

      • Virtual machines, containers, cloud storage (e.g., AWS S3, Azure Blob Storage)
      • Why it matters: Cloud environments introduce new attack surfaces that must be monitored and managed.

      An example could be a customer database, maybe on the cloud or via an app, or even an onsite server.  You class this as high value because it contains personally identifiable information (PII) and of course all your interactions with those customers and the value they have to you.  Lose that and you might be out of business.  You decide to encrypt it and use multi factor authentication and have daily backups, not kept online.

      Identifying the assets is the first step in defining what protections you need.  You then have to categorise those assets and decide how important they are to the business before you can decide what levels of protection they need.

      Having categorised your assets, you then need to assign a risk score to them.  Now, this can be done formally via a formal risk assessment, but I accept that many SMEs can’t afford to have that done, and, given the size of the company and the amount/types of information held, it might be relatively easy, when compared to a corporate body, to assign a risk score to each asset.

      The next step then is to apply a risk score to the assets in accordance with how you have assessed them, this in turn informs you of the importance of each asset and how you will need to protect them.  In other words, you are now targeting your spend to where you know it will be most effective.

      We then need to identify the vulnerabilities and the threats and that is where most organisations require help.

      Here at H2 we use our considerable experience in doing this for corporate level organisations, and translating that into doable chunks for SMEs, carving up what is needed into priorities and working with clients to decide what those priorities are.  We do this keeping in mind the principle of People, Process and then Technology, keeping in mind that many protections, or controls as we term them, are actually not technical but are procedural, based on sound policy and process, and therefore costing very little.

      We take a phased approach:

      The first phase works with the client to decide where they are now, on a scale which we take from the Carnegie Melon cyber maturity model.  Most SMEs come out at around 1 to 2 on the scale and aim to get to 3 to 3.5.  The scale goes up to 5 but, as you can see from the phased approach above, this tends to be not necessary for an SME and is often too expensive anyway.

      Once we know our starting point, we identify quick wins to tighten up security.  As a rule, that will include things like cyber awareness training for staff, ensuring that all access is controlled using MFA of some sort and making sure that Admin rights are strictly controlled.  Depending on the company and what it does, it might mean instituting some form of identity management.

      As part of the Quick win phase, we also look at policies and processes.  Is there a process for allocating and removing rights?  Is there a policy and process about on and off boarding staff etc.  Other policies we might need to look at include:

      • Top-level policy issued by the board
      • Starters and Leavers Policy
      • Access Control Policy
      • Magnetic Media Policy
      • Mobile Working Policy
      • Password Policy
      • Email Policy
      • Acceptable Use Policy
      • Data Protection

      That done we move on to Phase 2 which is where we might recommend encryption both at rest and in transit, for critical data assets.  We will discuss back up procedures and processes which will ensure that backups are securely stored and that restoring from backups is practiced and works.  We will discuss incident handling procedures and business continuity planning.  Finally, we will discuss monitoring and audit, two things that until quite recently tended to be out of the price range of SMEs.  However, there are now systems and services on the market which are affordable.

      This all seems a bit daunting, but if taken in chunks and phased over perhaps several budgetary periods it is doable, and you really need to consider it.

      Scroll to top