Earlier this week I put a post on LinkedIn talking about why SMEs don’t take cyber security as seriously as they should and often just pay lip service to it.  I said I’d elaborate on that in the next newsletter.  Well, here it is.

When Cyber Security hits the news, and thus our consciousness, it’s nearly always in terms of breaches, regulatory fines, and business disasters, and nearly always concerning a major household name.  We don’t talk about the benefits that it can bring, particularly these days when businesses of all sizes are looking to drive efficiency through digitising their admin and operations.  Cyber-attacks on British businesses are increasing year on year.  When it comes to cybercrime, small and medium-size businesses are not exempt from the disruption that impacts large organisations. If anything, their size can make them more vulnerable as they are perceived as a softer target.

So why SMEs tend to underestimate the chances of being on the receiving end, and often play that down, is something of a mystery.  As is the mindset that it’s an IT matter, not a business matter, when nothing could be further from the truth.  Cyber security must be owned by the business owner or board and driven top down.  It cannot be left to an IT manager, or worse, a company under contract to provide IT services.

Let’s think for a moment about one potential aspect, supply chain security.  Many SMEs sit in a supply chain for a major company or companies.  In fact, for many it’s a critical part of their business, without which they could be in real trouble.  Their customer will spend money and commit resources to their own security and I’m willing to bet that somewhere in their contract with their suppliers, there will be a stipulation laying down some cyber security standards as a minimum that they must adhere to, which I’m also willing to bet that unless audited, are rarely being met.

Large organisations rely on a network of SMEs. If they operate within the EU, they are subject to the EU General Data Protection Regulation (GDPR) and if they operate only with the UK, then they are required to be in line with what has become known as UK GDPR.  The two are very similar indeed. Under both, data controllers (those that collect the data) are responsible for their own compliance as well as that of any third-party processors. Lax compliance in implementing regulations has in fact created a unique opportunity for those SMEs that make the effort to invest in cyber security. With so many damaging data breaches, large organisations are now starting to examine the security practices of any potential third party and seeking agreement with partners to ensure that secure systems are in place. It is the responsibility of the data controller to ensure that third parties within its supply chain take appropriate technical and organisational measures equal to their own.

The UK Government-backed framework Cyber Essentials Plus provides SMEs with a way to demonstrate their security credentials. By gaining Cyber Essentials Plus certification, SMEs can demonstrate that their cyber security has been verified and audited by independent experts. Auditable proof is often requested during tender bids as part of the warrants and liabilities process. Being Cyber Essentials Plus certified can leapfrog a business ahead of the competition.

Supply chains are only as strong as their weakest link and therefore require standardisation in terms of security across the whole chain. SMEs able to prove their cyber security credentials can differentiate themselves from the crowd and maximise on lucrative business opportunities. Some 65% of UK small businesses have no plans in place to deal with potential supply chain disruption, including cybercrime. Ensure your company isn’t one of them by staying ahead of the game – don’t lose business due to supply chain weaknesses.

I’ve already said that the main challenges that I come across is that SMEs do not accept that this is a business issue and continue to see it as an IT Issue.  Consider this; if an attack, say Ransomware, hits the business, who suffers?  Is it the IT department and/or the IT Support company you have under contract to supply your IT/Network?  Or is it the business that takes both a financial hit and reputational damage, perhaps losing contracts from the larger businesses they have been supplying?  You know the answer.  You can outsource your IT, but not your responsibility.

Let’s examine what stops SMEs from taking the view that it is in fact a business issue.  My experience of working with SMEs is that the two main issues are budget and resource, both of which are closely entwined.

SMEs do not budget for Cyber security.  They conflate this with their costs for IT support and will expect their IT support company to provide an adequate level of security within the services and products they supply.  I’ve talked before about this.  Most, if not all, of these companies are what is known as Value Added Resellers, or VARs.  What this means is that they sell other people’s products, firewalls, anti-virus etc. And of course, they push those products, ie the flavours of those products they sell, onto their clients.  The value added bit comes in the services they provide.  In terms of security that generally, although not always, means that their skill set is in the configuration and maintenance of the products they sell.

I’m not knocking that, it’s a perfectly acceptable business plan and has been around for as long as IT has been around.  But from a security perspective, it ignores the basics.  Whilst technology has come on in leaps and bounds, making it sometimes a nightmare to keep up with, the basic principles of security have never changed.  It is built on three towers, People, Process and then Technology.  If you haven’t got the right training and awareness in place, if your processes and policies aren’t sound, up to date and rolled out across the business, then all the technology in the world won’t protect you.  Risk management is crucial.  Understanding the threats to your business and how vulnerable you are to those threats, married to your assets (which aren’t confined to hardware and software), will inform you of the risks you face, in turn allowing you to focus your limited spend on the weakest areas first.

How you arrive at those risks brings us to the second point, resource.  It’s not just SMEs that don’t have the resource, but their IT support company rarely does either.  Cyber security professionals are expensive and very thin on the ground.  Perhaps buying in an advisor for a defined period every month, or on a retainer to be called off as and when required, is the way to go.

Another key plank is innovation.  Finding innovative solutions that SMEs can be sure are appropriate for their business, mitigating identified risks.  Of course, such innovations have also got to be affordable.  This is one of the reasons why many are adopting cloud services, not necessarily for security reasons, but for cost reasons ie no expensive infrastructure to buy in and maintain.  It’s also a reason why many security solutions these days are Software as a Service, SaaS, as again, no expensive infrastructure.

In summary, what I’m saying is that SMEs have to:

• Accept cyber security as a business, not an IT issue.
• Have a senior manager or preferably, board member, take responsibility for it.
• Have an adequate budget. Of course, that will be subject to what you can afford.  Take advice on what is important and what can wait.  It just might save you a lot of time, money, and angst.
• Have a defined strategy for improving your security stance, perhaps phased over budgetary periods.
• Consider a standard such as Cyber Essentials or, for the larger SME, perhaps even ISO2700x.

The last few years have been strange, to say the least. But arguably the biggest effect it has had on the way we do business has been the necessity for working from home. Many SMEs had very little experience of this and were bounced into it with very little time to prepare, or to understand many of the implications of what this meant.

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

I’ve blogged about Artificial Intelligence (AI) before (click on General Security Issues and you’ll find it), in that blog I was concentrating on how AI could be used to generate code to be inserted into a Ransomware attack, and perhaps heralding the re-emergence of the once fabled ‘script kiddy’. Whilst there is no doubt that AI has a great potential for good with applications in just about every sphere of IT, it can allow some very nasty people, who have very limited technical ability, to introduce new and frightening scams.

The following is taken from CNN.

Jennifer DeStefano’s phone rang one afternoon as she climbed out of her car outside the dance studio where her younger daughter Aubrey had a rehearsal. The caller showed up as unknown, and she briefly contemplated not picking up.

But her older daughter, 15-year-old Brianna, was away training for a ski race and DeStefano feared it could be a medical emergency.

“Hello?” she answered on speaker phone as she locked her car and lugged her purse and laptop bag into the studio.

She was greeted by yelling and sobbing.

“Mom! I messed up!” screamed a girl’s voice.

“What did you do?!? What happened?!?” DeStefano asked.

“The voice sounded just like Brie’s, the inflection, everything,” she told CNN recently. “Then, all of a sudden, I heard a man say, ‘Lay down, put your head back.’ I’m thinking she’s being gurnied off the mountain, which is common in skiing. So I started to panic.”

As the cries for help continued in the background, a deep male voice started firing off commands: “Listen here. I have your daughter. You call the police, you call anybody, I’m gonna pop her something so full of drugs. I’m gonna have my way with her then drop her off in Mexico, and you’re never going to see her again.”

DeStefano froze. Then she ran into the dance studio, shaking and screaming for help. She felt like she was suddenly drowning.

After a chaotic, rapid-fire series of events that included a $1 million ransom demand, a 911 call and a frantic effort to reach Brianna, the “kidnapping” was exposed as a scam. A puzzled Brianna called to tell her mother that she didn’t know what the fuss was about and that everything was fine.

But DeStefano, who lives in Arizona, will never forget those four minutes of terror and confusion – and the eerie sound of that familiar voice.

“A mother knows her child,” she said later. “You can hear your child cry across the building, and you know it’s yours.”

Of course, this is an extreme case, but it does demonstrate the power of AI and its ability to be used by unscrupulous and nasty people.  If this is happening in the US, it’s only a matter of time before it arrives here.

Another scam, this time reported in The Washington Post and this time, it’s an update on the very well reported CEO Scam, whereby someone impersonates the CEO of a company using spoofed email, but this time it’s using AI.  It went something like this:

Earlier this year, a sales director in India for tech security firm Zscaler got a call that seemed to be from the company’s chief executive. 

As his cell phone displayed founder Jay Chaudhry’s picture, a familiar voice said “Hi, it’s Jay. I need you to do something for me,” before the call dropped. A follow-up text over WhatsApp explained why. “I think I’m having poor network coverage as I am traveling at the moment. Is it okay to text here in the meantime?” 

Then the caller asked for assistance moving money to a bank in Singapore. Trying to help, the salesman went to his manager, who smelled a rat and turned the matter over to internal investigators. They determined that scammers had reconstituted Chaudhry’s voice from clips of his public remarks in an attempt to steal from the company. 

Chaudhry recounted the incident last month on the sidelines of the annual RSA cybersecurity conference in San Francisco, where concerns about the revolution in artificial intelligence dominated the conversation. 

Criminals have been early adopters, with Zscaler citing AI as a factor in the 47 percent surge in phishing attacks it saw last year. Crooks are automating more personalized texts and scripted voice recordings while dodging alarms by going through such unmonitored channels as encrypted WhatsApp messages on personal cell phones. Translations to the target language are getting better, and disinformation is harder to spot, security researchers said. 

Scammers can and do, use every advantage, every advance in technology, to make a few quid.  It’s a nightmare trying to keep up with this and it is essential that you have some method, be it electronic (difficult), or procedural (an easier no cost option), to identify such scams.  Your staff need training but first you have to have someone on tap to keep you up to date with what’s going on.

As AI continues to develop and is taken into use more and more, we will see a clash between its proponents and the security world. That’s nothing new. Everytime there is a new development in applications, operating systems etc, there is always a lag before security catches up. This time however AI can be taken into use with low levels of skill, at a rapid pace. Cyber security needs to be on its metal, as do IT departments, CISOs, CIOs etc. Companies at all levels need to be on their guard.

I wrote a piece back in May about AI entitled ‘AI – Good or Evil? A Clear and Present Danger to Cyber Security? I’ve discussed how AI could be used to generate code to be inserted into a Ransomware attack, and perhaps heralding the re-emergence of the once fabled ‘script kiddy’. Whilst there is no doubt that AI has a great potential for good with applications in just about every sphere of IT, it can allow some very nasty people, who have very limited technical ability, to introduce new and frightening scams. I also quoted a story from CNN where a lady in the US received a call allegedly from her daughter, which was very scary indeed and the ‘daughter’ was yelling and sobbing that she’d been kidnapped, and other voices could be heard in the background. Of course, these were all generated by AI and turned out to be totally untrue, the daughter having called her mother and assured her she was safe. Of course, this is an extreme case, but it does demonstrate the power of AI and its ability to be used by unscrupulous and nasty people. If this is happening in the US, it’s only a matter of time before it arrives here.

Another scam, this time reported in The Washington Post, was an update on the very well reported CEO Scam, whereby someone impersonates the CEO of a company using spoofed email, but this time it’s using AI spoofing the CEOs voice, attempting to scam money from the company.  This one worked, and the company lost a lot of money.

Two bad examples of AI.  I’m not putting AI down or saying we shouldn’t be utilising it, but cyber security is my thing, and I can’t ignore the warning signs.  Cyber criminals are never slow in adopting new technologies and methods.  We need to be aware of that.

So why am I bringing this up again so soon?  Well AI continues to be reported in the news, sometimes with a good result and sometimes not so good.  So, I thought I’d ask Chat GPT what it thought about AI and Cyber Security.  I asked 2 questions, the first was, ‘Is AI a danger in terms of Cybersecurity?’.  The answer came back:

AI can be both a boon and a potential danger in terms of cybersecurity.  On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks.  On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously.  Sophisticated AI powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale.  It is crucial to develop robust safeguards ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

So even ChatGPT thinks this is a double edged sword.  The real problem for my target clientele, the SME space, is that affording AI powered tools to detect and mitigate threats and analyse large amount of data, is almost certainly not going to be realistic.  So, when we are talking about developing robust safeguards, understanding the risks becomes even more vital, if that’s possible, than it ever has been before.  It also brings Zero Trust solutions sharply into focus and finding such solutions that are affordable, is going to become crucial.

The next question I asked was, ‘How do we ensure that AI isn’t a cybersecurity threat?’.  The answer came back:

Ensuring that AI is not a cybersecurity threat requires a multi-faceted approach. Here are some key considerations: 

1. Robust Security Measures: Implement strong security protocols, encryption, and access controls to safeguard AI systems and their underlying data from unauthorized access or manipulation. 

2. Rigorous Testing and Validation: Thoroughly test and validate AI algorithms and models to identify and fix vulnerabilities, including potential avenues for cyberattacks, before deployment. 

3. Adversarial Testing: Conduct adversarial testing to simulate potential attacks and evaluate the resilience of AI systems against different cybersecurity threats. 

4. Data Privacy and Governance: Establish clear policies and practices for data privacy, ensuring that sensitive information is properly handled, stored, and shared in compliance with relevant regulations. 

5. Ongoing Monitoring and Updates: Continuously monitor AI systems for potential security risks, promptly address vulnerabilities, and keep software and hardware up to date with the latest security patches. 

6. Ethical AI Development: Integrate ethical considerations into the design and deployment of AI systems, emphasizing transparency, fairness, and accountability to mitigate potential biases or unintended consequences. 

7. Collaboration and Information Sharing: Foster collaboration among industry, academia, and government entities to share knowledge, best practices, and emerging threats, enabling a collective effort to combat AI-related cybersecurity challenges. 

8. Education and Awareness: Promote cybersecurity awareness and provide training to AI developers, users, and stakeholders, emphasizing responsible AI usage and the identification of potential threats. 

By following these guidelines and continuously adapting to emerging risks, we can enhance the security of AI systems and minimize the potential for them to be exploited as cybersecurity threats.

Again, looking at this from an SME perspective, some of it isn’t relevant i.e., No6 for example, SMEs aren’t going to be developing their own AI solutions.  But much of it I would have come up with on my own, without the aid of a machine.  It would appear that AI uses some common sense, which is nice.  No8 for example.  I bang on and on about this.  It is low cost and easy to implement.  It’s staggering how many companies don’t do this. This list also shows the value of Zero Trust solutions and encryption, which on its own, vastly reduces the risk to data, particularly PII (personal identifiable information – UK GDPR).