It probably won’t surprise many people that the threats to SMEs in 2023, look very much the same as the threats in 2022, and in fact, the years before that really. They can be summarised to include ransomware attacks, phishing scams, supply chain vulnerabilities, insider threats and overall inadequate security measures caused by resource constraints. And as if that wasn’t enough, we can top that off with a remaining issue around cyber awareness training, which can produce huge benefits for little cost, and which many SMEs still don’t carry out.

Insider threats have been exposed widely in the press lately with the exposure of data from 2 police forces, the most serious being PSNI, in terms of threats to police officers’ safety, and yet another has exposed confidential information regarding criminal records, court documents etc.  These things are often not because of any criminal activity, but because of lax processes, not widely published, a lack of security awareness, and in general, employees doing things they shouldn’t, because they didn’t know that they shouldn’t.  Not technical issues at all but I’ve no doubt that someone somewhere will take a simple process and complicate it, taking far too long to fix it, and costing a fortune when it could have been done effectively, relatively cheaply.

Revisiting ransomware. it continues to be a clear and present danger to UK companies, both at the Enterprise and SME level.  There remains a pervasive opinion within SME management, that ransomware only affects the big companies, that SMEs are just too small to provide a level of reward that cyber criminals are looking for.  I also said that there was evidence that when an SME gets hit, the amount asked for is quite small, from around £500 to £1000, and therefore many SMEs simply pay up.  There is of course a real danger there because often their data has already been stolen, and sometimes the criminal doesn’t release the data back to the company, leaving the SME not only out of pocket, but unable to continue with business.

Arguably, the biggest and most effective step an SME can take is once again, Cyber Awareness Training for staff.  It is simply a fact that 90% of data breaches are caused by human error.  It is very unlikely that an employee will do something deliberately to damage your business.  But humans are fallible and, if they haven’t had any awareness training, they simply don’t know what they shouldn’t be doing.  Cyber security awareness training remains the most significant step you can take in this regard.  You can’t expect your staff to help you avoid cyber security attacks if they don’t know what they are looking for.  Cyber security is NOT an IT issue, it’s very much a business issue and responsibility lie with everyone in the business.  Clearly this training needs to be part of an overall strategy, which again, need not be complex or onerous.  Most successful strategies follow the KISS principle – Keep It Simple Stupid.

An often forgotten element of Cyber security is within a company’s supply chain.  The threat has been around for a while now but is starting to become much more prevalent targeting suppliers to get to an otherwise well protected company.  Manufacturers for instance, often use what is known as ‘just in time supply’, i.e., they have an electronic connection to their key suppliers who are connected to the company’s inventory, and automatically resupply when an item runs low.  It’s efficient and prevents the holding of unnecessary stock.  But it can, if not done correctly, drive a coach and horses through your security.

The goal of such an attack is to grab whatever you have that is of value to the attacker, so it can include infecting legitimate applications to distribute malware, access your IPR (designs, plans, source code, build processes etc etc), or inventory theft, inserting false invoicing into your system etc.  In fact, if you can think of something that might damage your company, you can bet that the cyber criminals have already thought of it.

Small to medium enterprises are at greatest risk from cyber security threats, and their vulnerability in turn poses a danger to the major corporations that they do business with.  If you are in the supply chain for a major company, then consider how damaging to your reputation it would be, if they were attacked via a hole in your security.  I would be prepared to bet the damage would be so significant, that it could take an SME under.

Phishing, a subject we hear a lot about and which most SMEs do nothing about.  Protecting businesses from phishing and other malware is crucial for maintaining a secure online environment. And that brings us straight back to the subject of Cyber Awareness Training once again. Train your employees to recognize and avoid phishing attempts. Teach them how to identify suspicious emails, links, and attachments. Encourage them to report any suspicious activity promptly.

Of course, that isn’t the only thing that will protect you against Phishing.  But it goes a long way towards it at minimal cost.  Strong passwords, 2 factor authentication, keep your systems updated and patched, ensure that your security architecture is designed to match your risk and that the technical controls in place are appropriate and in the right place.  Have adequate email protection, email filters, spam blockers etc.  Good backups and a solid incident response plan.

There’s a lot there, which brings us finally to the lack of adequate security measures because of resource constraint.  SMEs simply can’t afford cyber security professionals on staff.  They will often rely on their suppliers, local IT providers, to give them the protections they require.  This can be a very real risk, simply because the local IT provider doesn’t employ cyber security professionals either, but rather staff that are skilled in the products that they supply.  A cyber security professional takes a much more holistic view and will spend time marrying the business requirements to the protections required.  Considering the policies and processes required, awareness training requirements, as well as technical controls.  People, Process and Technology, in that order.

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

The EU is the world’s largest single market area and is the largest economy in the world, whether some people agree or not. Many may attribute that market size to large organizations and multi-national companies. While these are important contributors to the overall EU economy, the Small Medium Enterprise (SME) businesses form the backbone of the EU’s economy. This is also true of the UK where the DTI estimates that SMEs make up 95% of the UKs GDP. A huge percentage and one that might surprise you.

More than half (54%) of SMEs in the UK had experienced some form of cyber-attack in 2022, up from 39% in 2020 (Vodafone Study, 2022).

So, what can you do to better protect your business?

In today’s digital landscape, cyber security is a non-negotiable aspect of business success. The threats are real, and SMEs are not immune. In fact, they’re often the most vulnerable to cyber-attacks.

Solutions need not be complicated or expensive, yet many SME owners still act reactively, not proactively, to cyber threats.

The result? Huge costs to put things right and a massive hit on the company’s reputation and trust with their customers.

That’s why I’m excited to share a valuable (FREE) resource that we’ve been working on to help guide SME business owners in the right direction and provide valuable actions to fortify their company’s cyber security.

You can download your copy here: https://bit.ly/3qTCYkW

The common underlying issue common to all SMEs appears to be management awareness and commitment, which in turn drives budget, allocation of resources and effective implementation of the cybersecurity practices. Six categories of major challenges for SMEs have been identified:

• Low cybersecurity awareness of the personnel.
• Inadequate protection of critical and sensitive information.
• Lack of budget.
• Lack of ICT cybersecurity specialists.
• Lack of suitable cybersecurity guidelines specific to SMEs.
• Low management support.

Some of you who are amongst my regular readers, will be quite aware of my mantra in regard to Cyber Awareness Training for staff and managers.  A big misconception is that because cyber security can be an issue connected to technical measures, it lies squarely within the realm of IT.  Wrong.  Cyber security needs to be part of the culture of the organisation, second nature to all.  Staff need a basic awareness and how their attitude and actions can have a damaging effect on the business.  A report for ENISA, the EU security agency, suggests that 84% of Cyber attacks rely on some form of social engineering, and that the number of phishing attacks within the EU continues to grow.  This is echoed in the UK.

Budgets remain a problem.  Many SMEs are low margin organisations, heavily reliant on cash flow, and therefore reluctant to spend on things that are not connected to their core business.  But they must get used to asking themselves, ‘Is IT part of my core business?’, and ‘how long could I continue to operate my business if I lost my IT systems?’.  Cyber security needs to be factored into budgets. Cyber security is an iterative process, it isn’t something that needs to be done once and then forgotten about.  The criminals are constantly evolving, and defences must evolve with them.

Cyber security expertise is something that isn’t cheap and easy to obtain.  Many IT companies will talk about their expertise in this area but if you delve into that, it is generally focused on products, mainly firewalls and anti-malware.  Cyber security expertise goes much much deeper than that and is as much procedural as it is technical.  It starts with risk management, understanding the risks you face, which in turn is derived from threat and vulnerability analysis, matched to your cyber security assets.  Those latter are not necessarily hardware and software but can be much wider ranging than that.  Typically, the type of person who can legitimately call themselves experts in this field, can command salaries north of £80K.  I doubt there are many SMEs prepared to pay that, or indeed, many of the smaller IT companies.

It can also be advantageous to follow a standard.  By far the most comprehensive is the International Standard for Cyber Security, ISO27000 series.  However, this might be seen as a little heavy for many SMEs, although at the higher end, they may want to follow it, rather than seek certification.  At the lower end the UK Cyber Essentials scheme, mandated for anyone wishing to do business with the public sector, is very suitable, inexpensive, and obtainable.

More and more SMEs are now moving to a cloud environment.  Be it MS365, Amazon Web Services, Digital Ocean, amongst others.  I usually recommend that SMEs take this approach as it can solve a lot of problems, particular with home working still very much in vogue.  However, it is not the panacea that most think it is and still has some security issues, usually but not always at the user end, that need to be addressed.

Here at H2 we use our long experience of providing cyber security solutions to the large enterprises, to craft solutions for the SME community, having first identified the issues that the business faces.  We take an approach that looks at things from the business point of view, managing risk and coming up with cost effective solutions which can be brought in in a phased way, for a subscription price.  No large bills to damage that all important cash flow.

An interesting article by the cyber security consultancy Savanti, was brought to my attention yesterday. It was focused on UK companies and their struggle to address the growing cyber security threats. This is especially pertinent to SMEs. In 2022, global cyberattacks saw a 38 per cent increase compared to the previous year. The rise in cybercrime is not sparing UK businesses, with a total of 2.4 million instances of cybercrime reported within the last 12 months across various industries. The financial impact of cybercrime is also significant. According to Cybersecurity Ventures, the cost of cybercrime to businesses could reach £8.4trillion annually by 2025, positioning it as the third-largest global economy after the US and China. Many boards appear to be struggling to understand the intricacies of cyber risks. Fifty-nine per cent of directors admitted that their boards are not effective in comprehending the drivers and impacts of cyber risks on their organisations.

Savanti have highlighted a compelling correlation between effective cybersecurity measures and business success. Companies with digitally-savvy, cyber-engaged executive teams experienced higher revenue growth, increased valuations, and improved net margins.

Furthermore, effective cybersecurity practices led to higher success rates when competing for new clients, enhanced data insights, increased investor confidence, and preserved shareholder value during mergers and acquisitions.

There are several measures all companies can take but the issue with SMEs remains a lack of resources and expertise in the field of cyber security.  They are very reliant on outside support and often attempt to get that support from the local IT company that provides their hardware and software, often managing their network. Managed Security Service Providers (MSSP) have long ignored this sector primarily because of cost.  The services they provide traditionally have simply been too expensive.

A good cyber security strategy has always been founded upon strength in depth.  Sound security architecture, good cyber awareness training, solid access control and identity management, and the ability to protectively monitor your estate for threats, vulnerabilities, and risks.  And this latter is what we’re looking at today.

What is Protective Monitoring, and how would be it benefit you?  After all you’re an SME and this all sounds just a bit over the top.

Well, it’s central to the identification and detection of threats to your IT systems. It acts as your eyes and ears when detecting and recovering from security incidents and it enables you to ensure that devices are used in accordance with your organisational policies.

Effective monitoring relies on proportionate, reliable logging and device management practices. This guidance is designed to give system and network admins advice on the logging and monitoring options available on modern platforms.

What use is it to me, I hear you ask?  Well, many incidents have been shown to target individual hosts, from which attackers will attempt to further strengthen their access through lateral movement techniques such as credential theft, account impersonation, use of legitimate network tools or known exploits in outdated versions of network protocols to propagate and compromise additional devices to access additional data and services.

In a cloud environment some of these techniques may be less effective or not apply, however your users still have to access these cloud services and monitoring device activity, health and configuration are still important, perhaps more so, when deciding whether or not to permit access to organisational services and data.

The key to making this affordable and appropriate for SMEs, is automation, which is becoming more and more possible using AI enhancements.  I’ve highlighted before that here at H2 we are constantly on the lookout for innovative solutions that allow us to provide appropriate and effective services to our clients, at a price that is affordable.  And we think we’ve found another gem.

This is yet another SaaS service, so no expensive infrastructure costs and no additional software required to run it.  The agents required to scan the data can be installed remotely and within minutes, without your users knowing it’s happening.

We leverage:

• Generative AI, phishing simulation emails are crafted on the fly based on custom inputs, targeting groups of employees, and reporting on pass/fail status.
• Automatically receive real-time alerts when a threat is verified, or action is required.
• Respond swiftly to cyber events with one-click remediation and powerful integrations.
• Generate a report summarizing your risk across their digital footprint, with just a single click.
• Demonstrate ROI by reflecting the value of this services using language that resonates at a business level.
• Provides continuous vulnerability assessments.

The following services are provided as standard:

• External Risk Assessment
• Phishing simulation
• Identity theft protection
• Secure browsing
• Cloud apps security
• Email security
• Device protection
• Cyber Awareness programme
• Automated remediation
• Continuous threat detection

And as bonus, if you wish, a cyber insurance policy starting at around £400 annually, which is priced according to the risks identified within the product, i.e., the more the risk is reduced, the more the premium is reduced.

This whole package is offered as a managed service so that the risk, risk reduction, reporting and monitoring is all carried out by us, within the incredibly low price shown above.

In the coming days we will be offering a demonstration of the product, followed by an introductory offer of a 7 day free trial and a service priced at a fixed price of £10 per month per user, plus VAT.  No fixed term contract, terminate on 30 days’ notice.

BOTS have been around for a long time now, and most people now have at least a basic idea of what they are.  For those that aren’t sure, a bot is a software application that is programmed to do certain tasks. Bots are automated, which means they run according to their instructions without a human user needing to manually start them up every time. Bots often imitate or replace a human user’s behaviour. Typically, they do repetitive tasks, and they can do them much faster than human users could.

Sound benign don’t they, and to be fair, there are many that are benign, carrying out functions that lend themselves to automation.  But they are used for other purposes that aren’t so great.  There are many examples of malicious BOTS that scrape content, spread spam content, or carry out credential stuffing attacks.

Malicious BOTS often work in what is known as a Botnet, short for robot network, which refers to an assembly of computers than malware has compromised.  Such infected machines, individually known as BOTS, are remotely controlled by an attacker.  These networks can and do run synchronised, large scale attacks on targeted systems or networks.

That is one reason why attacks such as ransomware, perpetrated on SMEs, are profitable for cyber criminals.  By using a Botnet, they can send such attacks to hundreds of targets at the same time, which requires only a percentage to pay up, to produce a return on a very small investment.

Bot activity is expected to increase even further this year, the researchers claimed, due to the arrival of generative AI tools like OpenAI’s ChatGPT and Google’s Bard.

“Bots have evolved rapidly since 2013, but with the advent of generative artificial intelligence, the technology will evolve at an even greater, more concerning pace over the next 10 years,” said Karl Triebes, a senior vice president at Imperva.

“Cyber criminals will increase their focus on attacking API endpoints and application business logic with sophisticated automation. As a result, the business disruption and financial impact associated with bad bots will become even more significant in the coming years.”

This is something I have talked about before.  AI can be both a boon and a potential danger in terms of cybersecurity. On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks. On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously. Sophisticated AI-powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale. It is crucial to develop robust safeguards, ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

We have nothing to fear from ethical AI development which integrates ethical considerations into the design and deployment of AI systems, emphasizing transparency, fairness, and accountability to mitigate potential biases or unintended consequences.  Sadly, we are already seeing signs of AI being used in cyber-attacks.  Some of you may remember that at one time we had what was known as the ‘script kiddy.  These were budding criminals who did not have a deep skill level but were downloading, often purchasing, scripts on the dark web, written by skilled hackers who made a good living selling them online.  The script kiddy would then attempt to use these scripts to hack, also taking all the risk.

The script kiddy has all but disappeared of recent years, but AI is allowing them to make a comeback – in spades.  They can now use AI to create code that allow them to produce their own malware, which is, in turn, creating an upsurge in cyber-attacks and threats.

So don’t be complacent, 2024 could become even more of a problem than 2023, in terms of cyber-attacks.  Time to take some action now, to protect yourself.

The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security breach.  For the small business this could result in costs of around £1400, for the medium business, considerably more.  One has just been hit for around £30000, which I am sure you will agree, can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers data and assets be affected as well.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a back up regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

So what does he mean?

As he’s not here to ask I suggest that he’s saying that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are in order to ensure that your solution to those risks, vulnerabilities and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

What is the risk? How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it goes not as expected?  Do I want to take this person on?  Etc etc etc.  Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take. Failure to do that will almost certainly be damaging to your business, perhaps fatally so. 

Within SMEs the difference between assessing day to day business risk and assessing risk to information assets, is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations.  I could go on.

The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate in order to achieve your business aims.   You need to ensure that supporting policies are produced, implemented, understood by employees and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

Sadly that’s not the end.  User education is probably the most important element of all for an SME.  Ensuring that your staff are aware of the policies and why they exist.  Protect yourself against scams which sadly, form the biggest danger to SMEs rather than hacks.  Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

There’s a lot being said in various quarters about the Internet of Things (IOT) but whenever it comes up in conversation with senior people in the SME world, even those businesses that are definitely in the Medium bracket, with 25m upwards turnover,  it raises a titter or two.

Why would that be?  All the usual light hearted comments about being hacked by your kettle, or held to ransom by your toaster, come out in the conversation.  And I suppose, there can be some amusement to be had.   But there is a serious side to this.   The graphic below, which I have unashamedly stolen from The Joy of Tech, whilst lighthearted, gives clues to potential disasters.

Whilst we are some way away from having smart appliances in most SME work places that could be used jump onto the more serious elements of a network, we are already at a place where some functions, perceived as routine, even mundane, can already be used to jump onto other network devices.  For instance, most have security cameras and alarm systems.  Many of these are IP based and are connected via the LAN.  OK, but many also are remotely maintained by a variety of suppliers.  I have found it not uncommon for these suppliers to arrange for their own backdoor into the system to maintain these systems, often without the client actually knowing how that is done.  This provides a very neat circuit around the router and firewall and, when most SME networks are flat, access onward to all parts of the network.

This of course is not the only example but it shows how poor security architecture, often times by local network providers, can have a quite seriously detrimental effect.  So what I am saying is that as many more devices become ‘smart’ and interconnected via the LAN, security architecture becomes just as important for the SME as it does for the larger enterprise.  The problem is that the awareness and support within the SME community and their suppliers, tends to be lacking.