Identity and Access Management

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target, and there are a ton of statistics available which show that SMEs globally are a very real target for cyber-attacks and can, in fact, be very profitable for cyber criminals.  There are a lot of reasons for that, but one of the top reasons is that typically SMEs spend very little on cyber defence and generally have very weak defences.  Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault.  Most are focused on their core business, trying to make a quid or two, and are pressed for time.  They tend to rely on whichever company, usually local, supplied their network, hardware and software, generally on a retainer.  The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then not necessarily the right technology.

When it comes to cybersecurity governance and management, there is no “one size fits all” approach.  In today’s threat landscape we need to fully understand that cyber security is not a purely technical problem, focused on hardware and endpoint protection and on operations within the organisational perimeter.  Today we are dealing with cloud storage, in office and remote working, data at rest and in transit, involving security at every point along the route.

It is critical that someone within the organisation takes responsibility for cyber security, and that person must have a seat on the Board. A Board-level response is not just appropriate; it is essential.

Secure by default and design

Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to a cloud service of some sort (for SMEs, very possibly MS365), but when the design was done, there wasn’t a full risk assessment undertaken, which is the requirement that should underpin that design.  In other words, what we in the cyber security industry refer to as Security Architecture Design (SAD) wasn’t a prominent consideration.

Not unusual: the common technologies, firewalls and anti-virus, were probably set up, but not much else.  And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

      1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

      2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

      3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

      4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools, data protection tools, and endpoint protection solutions.

      5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

      6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

      7. Collaboration with external partners: Establishing a partnership with a cyber security company that understands the issues affecting SMEs, and which can itself build a solid working relationship with the IT provider supplying and administering your network and IT resources, will enhance your protections, significantly improve your employees’ and managers’ awareness of the issues, and give you the peace of mind you need to concentrate on your core business.

      Cyber Maturity

      What do we mean by cyber maturity?  It’s not just about the protections you may have in place, but more about how well your organisation understands the importance of it and its place in your overall business strategy.  It is after all a business issue, not a technical issue and needs to be treated as such. Modern security solutions are increasingly complicated and challenging. These complexities change all the time and with the changes in working patterns and the introduction of AI now at the hands of the cyber criminals, they require a broad understanding of cyber security. Very few SMEs possess this level of expertise and can find themselves struggling to protect themselves and rectify security risks discovered within their business. In a climate of frequent, and potentially devastating, malicious activity organisations need targeted, rapid remediation and effective solutions. In doing this they will improve specific areas of their security systems, reduce their level of exposure and minimise potential losses, which can be very significant.

      Many small and mid-size businesses struggle to combat the threat that cybercrime poses. A simple piece of malware or a social engineering event can result in the loss of sensitive company and client data, disrupt business and waste staff time. Such incidents are commonly sensationalised by the media, causing client defection and damage to hard-earned reputations, resulting in significant loss of business.

      I’ve described the risk management process before, and I know it can be a bit daunting, and many would fear its costs and complexity.  That is why we have designed and taken into use the Cyber Maturity Assessment (CMA), specifically for SMEs, which will enable them to go down the risk management road at a pace and price they can afford.  The CMA is designed to obtain a view of where a client sits currently in terms of their cyber security posture. It is obtained from the results of interviews with the staff, examination of current policies and procedures, including their effectiveness, security architecture and technical controls, and observations to gain an understanding of cyber security by management and staff. It is designed to provide a report which shows a client exactly where they sit in terms of cyber risk in a way that is demonstrable and easy to understand. It gives a client a starting point from which H2 consultants will be able to scope any problems.

      What Does a Cyber Maturity Assessment Give Me?

      In brief, the CMA is designed to:

      • Understand and define the target state of the system i.e., where does the client want to be in terms of Cyber maturity – in defining the target state there must be a clear understanding of the business drivers, future business demands and business dependencies affecting the organisational area under examination.
      • Understand the current level of Cyber maturity – At this point the matter of cyber maturity will be a somewhat subjective view, obtained from the results of interviews with staff and initial observations by H2 consultants. This element is not intended to replace a detailed understanding, but to provide an initial view and start point, from which H2 consultants will be able to scope the problem and recommend any remediation required, in a phased way.

      We measure both the starting point and the end point using the Carnegie Mellon Cyber Maturity Model.  I know other consultancies will use other models for this, but this is one that we have found to be effective, both for SMEs and in the corporate world.  It looks like this:

      I mentioned earlier that this is something used in the corporate world, and whilst that’s true, it is a matter of scale and need.  Most corporates would have the requirement and budget to aim high, say at around CMMI 4 (5 is rarely hit).  For most SMEs that’s a step too far and, as a rule of thumb, when we do this we tend to find we’re starting at around 0.8 to 1.5, with the aim of getting to CMMI 2 as soon as is feasible, and the end game at CMMI 3, which is affordable for most SMEs if a phased approach is taken.

      At the end of this initial process an SME is rarely able to just jump in, accept the recommendations and get on with fixing them.  It can be a complex issue requiring a hard look at their staff in terms of cyber awareness training, their policies and processes and their technical solutions, all aimed at prioritising the protections required for each asset in accordance with its vulnerabilities and threats.

      A phased approach is almost always needed, often aligned with budgets.  It can look a bit like this:

      The first transformation project tends to be what we term the Quick Wins Phase, i.e. what can we do relatively easily, quickly and therefore affordably, to give the client the most urgent fixes.  It often, but not always, looks like this:

      This has just been a very quick canter through the CMA process, and we need to emphasise that each client has a different set of requirements, and we can often jump into the process at a different stage. Call us if you want to know more.

      Cyber Security Architecture

      In many of my discussions with small to medium business owners on the subject of cyber security and how it may impact them, one of the things that stands out, amongst quite a few, is the lack of understanding about security architecture.  So, I thought it was worth discussing it further.

      What is security architecture?  Well, in a nutshell, it’s the technical elements of security that are used to mitigate cyber risks.  Many of you may have read or heard me talking about the differences between IT security, i.e. the technical elements, and cyber security, i.e. the risk-managed elements, a more holistic approach if you like.  And of course, the two remain separate whilst maintaining a symbiotic relationship in that one begets the other, or it should.  Security architecture, in order to be fully effective, has to be based on risk management, i.e. if you haven’t identified the risks, how can you be sure that whatever technology you’ve been persuaded to buy is necessary and effective?

      All SMEs will have things like a firewall and anti-virus, possibly going a step further and having some form of endpoint protection against most malware attacks.  But how did they arrive at the products they have purchased and taken into use?  Well, generally that is based solely on the recommendation of whatever IT support company they’ve bought it from.  Usually, the local IT company that they use to supply their hardware and software and who often provide technical support as well.

      I’m not against building a relationship with a local IT provider, in fact it’s a very good idea, but all SMEs have to realise that those companies are what is known as Value Added Resellers or VARs.  What that means is that they have a relationship with hardware and software vendors and that their staff are trained in the installation, configuration and sometimes maintenance of those vendors’ hardware and software.  Is that a problem?  That depends very much on how the requirement for a solution was arrived at.  Was it based on identifying the risk through some form of risk assessment process, or was it arrived at because those are the products they sell and are comfortable with?  All too often it’s the latter.

      I’ve also talked elsewhere about the other non-technical controls that might be required, such as policies and processes, another subject but one which is vitally important and can often be better placed to protect a company than expensive tech.

      How many SME owners have had the reasoning behind the purchase of technical solutions explained to them? And to be fair to the VAR, how many SME owners have asked for it to be explained to them?  It is typical, when I visit SMEs, to find that they have what is known as a flat network.  That means that they have one gateway into the network, introducing a single point of failure, and no segmentation within the network.  Lack of segmentation means that once an intruder is in (and often the gateway firewall is an entry-level dual firewall/router device, not the best), there are no other controls to stop the intruder from attacking endpoints, such as, for instance, your finance department or finance person, or perhaps just taking whatever data they want in a stealthy attack, so that you don’t even know it’s been compromised.

      Of course, these days that is often exacerbated by the increasingly popular remote working.  I know not every company has embraced this, but many have, and have not thought through the security implications.

      Segmentation, remote access and remote security solutions need not be overly expensive to implement and may save a lot of money in the long run.  But the main point is that unless you have carried out a risk assessment, you don’t actually know whether you need a particular solution or not.  Neither do you know whether your firewall and/or router is up to scratch, whether your anti-malware system is doing what you think it’s doing, whether your policies and processes are adequate for the task and whether your staff understand the issues and dangers.

      None of these things need be complicated and difficult, but they are essential to adequately protect you against an increasingly sophisticated and ever-evolving cybercriminal community.

      PROACTIVE CYBER SECURITY

      Proactive security, protective monitoring, security operations: they all mean pretty much the same thing in terms of cyber, at least in the corporate world and the larger, more sensitive Government organisations.  I’ve been involved with the design and commissioning of security operations centres for a long time.  I designed the first for the FCO, under contract to HP, and ran the security team for the Identity and Passport Service, which included a security operations centre, amongst others.  But the one thing I knew was that it was too complex and expensive for an SME, even though it would bring them great benefits.

      I’ve been talking and posting a lot recently about this subject because I think it’s extremely important and hasn’t, in the past, resonated with SME owners and management simply because it was considered by many to be purely in the province of the corporate world and was way too expensive for an SME to even consider.  Well, that cost issue is no longer the case and there is a system, which we use to provide a managed service for SMEs, that is very affordable.  So that leaves us to consider whether it is something that an SME would consider as an essential element of their cyber defences, now that it is affordable.

      Typically, an SME wants a solution that balances strong security coverage with affordability, simplicity, and minimal disruption to daily operations.  Here’s what I think they would like to include if they could afford it.

      1. Comprehensive Threat Visibility
      • Log collection from key systems (servers, endpoints, cloud services, firewalls, applications).
      • Real-time monitoring for suspicious activities (e.g., failed logins, privilege escalation, data exfiltration).
      • Ability to spot both external attacks (phishing, malware) and insider threats.

      2. Actionable Alerts, Not Noise
      • Intelligent alert prioritisation to avoid alert fatigue.
      • Context-rich notifications so the SME knows what happened, why it matters, and what to do next.
      • Possibly AI-driven correlation of events to detect patterns.

      3. Ease of Use & Low Overhead
      • Simple dashboards that non-experts can navigate, or more likely a managed service, as an SME will have little or no resource to give to this.
      • Minimal in-house expertise required to operate.
      • Fast onboarding and configuration.

      4. Reporting
      • Reports that are easy to read, management focused and not full of jargon.
      • Audit trails for investigations.

      5. Incident Response Integration
      • Clear escalation paths (automated and manual).
      • Integration with existing tools (ticketing systems, email, Slack/Teams).
      • Ability to block malicious IPs or disable compromised accounts quickly.

      6. Affordability & Scalability
      • Pricing that fits SME budgets (no enterprise-only costs).
      • Scales up with business growth without a full rip-and-replace.
      • Easy and flexible deployment.
      • Coverage regardless of where your staff work: in the office, remote or on the move.

      7. Resilience & Reliability
      • Works even if parts of the infrastructure are down.
      • Secure storage and backup of monitoring data.
      • Regular updates to threat detection rules.

      In short: An SME doesn’t just want raw data — they want reassurance, clarity, and quick guidance so they can protect their systems without hiring a large security team.  And that’s what we are offering, assurance.  There’s no such thing as 100% security, so if you’re looking for that, then we can’t help you.  Using this system our managed service plays the percentages by monitoring your defences, telling you in no uncertain terms where your defences aren’t up to the job, alerting you to problems and providing advice and guidance on how to fix stuff.
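      To make points 1 and 2 above concrete, here is a small added example (not H2’s system or any vendor’s product) of what “real-time monitoring for suspicious activities” and “actionable alerts, not noise” look like in code. It parses a handful of constructed, syslog-style authentication log lines, flags a burst of failed logins, a successful login that follows such a burst, and a command that changes admin rights, then ranks and de-duplicates the alerts so each one says what happened, why it matters and what to do next. The log format, the five-failures-in-five-minutes threshold and the list of privilege-changing commands are assumptions chosen for the illustration.

```python
"""Added illustration of monitoring plus alert prioritisation over auth logs.
Everything here (log lines, thresholds, command list) is constructed for the
example and is not taken from any real system or managed service."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a syslog-like shape (not from a real host).
SAMPLE_LOG = """\
2025-03-03T09:00:01 srv01 sshd: Failed password for alice from 203.0.113.7
2025-03-03T09:00:04 srv01 sshd: Failed password for alice from 203.0.113.7
2025-03-03T09:00:06 srv01 sshd: Failed password for alice from 203.0.113.7
2025-03-03T09:00:09 srv01 sshd: Failed password for alice from 203.0.113.7
2025-03-03T09:00:12 srv01 sshd: Failed password for alice from 203.0.113.7
2025-03-03T09:00:15 srv01 sshd: Accepted password for alice from 203.0.113.7
2025-03-03T09:01:30 srv01 sudo: alice : COMMAND=/usr/sbin/usermod -aG sudo bob
2025-03-03T10:15:00 srv01 sshd: Failed password for carol from 192.0.2.10
2025-03-03T10:40:00 srv01 sshd: Accepted password for carol from 192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")
SUDO_RE = re.compile(r"^(?P<user>\S+) : COMMAND=(?P<cmd>.*)$")

FAILED_THRESHOLD = 5            # failures for one user from one source ...
WINDOW = timedelta(minutes=5)   # ... inside this window = password-guessing indicator
PRIV_COMMANDS = ("usermod", "useradd", "passwd", "visudo")  # assumed list of admin-changing commands

def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match the shape are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def detect(events):
    """Return alert dicts with severity, a title, why it matters and the next step."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    burst_keys = set()             # (user, src) pairs already flagged for a burst
    for ev in events:
        if ev["prog"] == "sshd":
            a = AUTH_RE.match(ev["msg"])
            if not a:
                continue
            key = (a["user"], a["src"])
            if a["outcome"] == "Failed":
                recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
                recent.append(ev["ts"])
                failures[key] = recent
                if len(recent) >= FAILED_THRESHOLD and key not in burst_keys:
                    burst_keys.add(key)
                    alerts.append({
                        "severity": "medium",
                        "title": f"{len(recent)} failed logins for {a['user']} from {a['src']}",
                        "why": "possible password guessing against this account",
                        "next": "confirm the source is expected; if not, block it and enforce MFA",
                    })
            elif key in burst_keys:
                # A success straight after a burst outranks the burst itself.
                alerts.append({
                    "severity": "high",
                    "title": f"login for {a['user']} from {a['src']} succeeded after a failed-login burst",
                    "why": "the password was probably guessed or phished",
                    "next": "disable the account, reset the password, review what it accessed",
                })
        elif ev["prog"] == "sudo":
            s = SUDO_RE.match(ev["msg"])
            if s and any(tok in s["cmd"] for tok in PRIV_COMMANDS):
                alerts.append({
                    "severity": "high",
                    "title": f"{s['user']} ran a privilege-changing command: {s['cmd']}",
                    "why": "admin rights were granted or changed",
                    "next": "verify this was an approved change; revert it if not",
                })
    return alerts

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

def prioritise(alerts):
    """Sort by severity and drop exact duplicates so the reader sees a short list."""
    seen, out = set(), []
    for al in sorted(alerts, key=lambda x: SEVERITY_RANK[x["severity"]]):
        if al["title"] not in seen:
            seen.add(al["title"])
            out.append(al)
    return out

def triage(log_text):
    """Full pipeline: parse -> detect -> prioritise."""
    return prioritise(detect(parse(log_text)))

if __name__ == "__main__":
    for al in triage(SAMPLE_LOG):
        print(f"[{al['severity'].upper()}] {al['title']}\n   why: {al['why']}\n   next: {al['next']}")
```

      Run as a script it prints three alerts, the two high ones first; carol’s single failed attempt followed by a normal login produces nothing, which is the point: the noise a real SME does not need to see stays out of the list.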

      So, what exactly are we offering?  Well, it’s a 24/7 service which provides a manned interface between you and us, on the end of the phone or by email in working hours, and an automated response service in silent hours.  Doing it that way, you don’t have to pay for expensive night shifts.  The staff on duty don’t just monitor your systems but provide advice and guidance as well, giving you a cyber security resource on tap.

      Specifically, we are covering off:

      Email Security – Stay ahead of potential email threats with our user-friendly, API-based active protection.

      Endpoint Security – Safeguard laptops and desktops against cyber threats like malware and ransomware.

      Cloud Data – Enable cloud data protection for secure collaboration with external users.

      Secure Browsing – Keep your browser secure with a provided extension, protecting you from viruses and malicious sites.

      Awareness Training – Empower employees to be the first line of defence against the ever-evolving landscape of cyber threats.

      Phishing Simulation – Regularly simulate cyber-attacks, including phishing emails, to identify vulnerabilities and educate staff about the dangers of phishing.

      External Risk – Obtain actionable insights on external threats by scanning your digital footprint and exposed vulnerabilities. This includes regular scanning of the dark web looking for compromised email addresses and credentials.

      Insurance – Mitigate the cyber risk associated with evolving threats through tailored coverage at the right price (optional; aligning your premiums with your security posture can lower those costs).

      Here are some questions to ask yourself and if you answer yes to most of them, then you might be a fit for this service:

      • Do you employ around 1-250 staff members?
      • Does falling victim to cybercrime worry you?
      • Could you continue to operate your business without your IT systems?
      • Is a recent cyber scan of your public domain on your radar?
      • Are you aware of the constantly evolving cyber threats and tactics?
      • Does your business need protection against these advancing cyber threats?
      • Are you looking for coverage under a cyber insurance policy?

      Keep your eye out for a webinar that we will shortly be doing which will provide a full demo of the system, or if you prefer, contact us and we will give you a one-to-one demo, with no obligation.  You can follow this with a totally free 14-day trial covering your whole estate, again with no obligation.

      If you wanted this system, you might still think it’s too expensive for you, well, it’s only £14 per user per month, so if you only have 10 IT users amongst your staff, that would be £140 per month on a rolling 30-day contract i.e. you can quit with just 30 days’ notice.

      Scams v Hacks

      We hear a lot about the consequences of cyber-attacks and data breaches, but not a lot about the specific threats against SMEs, as opposed to the generic threats against all businesses.  In general, businesses are more likely to be targeted by scammers (social engineering attacks) than by purely technical attacks.  But why?  Attacks against individual SMEs are not going to bring in a lot of profit for the criminal, so they often go after multiple targets all at once.  How they do that is to craft an attack which can be automated and directed at many SMEs at the same time.  The easiest way to do that is via a social engineering attack.  Let’s take a look at what we mean by that.

      Scams and social engineering attacks rely heavily on human error.  Not only do SMEs have weaker defences than their corporate cousins, but they spend little, if anything, on cyber awareness training.  The attack that brought down Knights of Old, reducing a once thriving business to bankruptcy in a frighteningly short time, was the result of a weak password being cracked.  That suggests that, yes, a stronger password policy and the use of MFA would have been of great benefit, but so would educating the users about social engineering and how they can protect the company and their jobs.

      Typically, we see:

      • Phishing emails that trick employees into giving credentials or downloading malware.
      • Business email compromise (BEC) — attackers impersonate executives to request bank transfers or the immediate payment of an invoice.
      • Fake invoices or supplier fraud.

      It’s done this way simply because it’s easier and cheaper to execute than a technical attack.  It’s scalable with scammers sending thousands of phishing emails, and it often bypasses technical defences by exploiting people directly.

      In addition to the traditional attacks, we are now facing AI generated attacks, enabling criminals to design scams that are even more scalable and to be produced more quickly.  Some examples include:

      Deepfake CEO Fraud (AI-Generated Voice or Video)

      A finance employee receives a video call from someone who appears to be the CEO instructing them to urgently transfer funds to a supplier. The video and voice are AI-generated deepfakes built from real footage and voice samples taken from public online sources.  This has happened in the UK, causing a UK-based firm to lose over £20m in early 2025.  Obviously not an SME, but the attack was not difficult to generate.

      Another AI attack was an upscale of the Business Email Compromise:

      Criminals use AI to monitor and mimic email communication styles. They craft perfectly worded emails from a company executive asking the accounting team to update supplier bank details or pay fake invoices.  What is new in 2025 is that AI now personalises these scams based on internal speech patterns and tone scraped from Slack or Teams once credentials have been compromised (and that list is not exhaustive; other online messaging systems are available).

      One scam that we are now seeing more of is the fake job applicant scam targeting HR departments and IT onboarding teams.  Scammers apply for remote jobs using fake CVs and AI-generated video interviews. Once hired, they gain access to internal systems and exfiltrate data or install malware.  They’re playing the long game here, but it can really pay off.

      There are lots of examples and I’ll just put in a couple more:

      How many of you use Software as a Service (SaaS) and pay a subscription? In this case a fake renewal notice is sent for services like Microsoft 365, Zoom, or Slack. The email contains a link to a spoofed portal, which steals company admin credentials when they try to “log in.”   A new twist in 2025 is that the phishing emails are personalised with real invoice numbers and recent usage data scraped from prior breaches.

      Most of you are probably on LinkedIn, even if you are not particularly active on there.  We are now seeing more of the LinkedIn Clone Attack.  What happens here is that the scammers clone the LinkedIn profile of a known business leader and use it to reach out to employees or partners, proposing urgent collaborations or investment opportunities that include malicious links.  In a more advanced tactic, they use AI-generated responses in real-time chats that make these accounts seem very real.

      So, in conclusion, whilst we cannot rule out the more technical attack on an SME, we can say that the most likely attack will come via some sort of scam, often nowadays using AI.  The defences need to be in depth and will include some technical defences but often the best defence against social engineering is cyber awareness training and this is generally ignored by SMEs.

      A Guide to Cyber Security for SMEs

      There’s a continual stream of blogs and posts about cyber security and the sometimes catastrophic effects of getting it wrong, but there is very little that tells SMEs what they should be doing, and it’s generally left to local IT management companies and VARs (Value Added Resellers, i.e. those who sell various products and add value by configuring and managing them).  I’m not knocking those companies; they have a very valid business model.  But what they aren’t are cyber security professionals, and generally their security expertise is focused on the products that they sell.  For instance, they will have good skills in installing and configuring security products such as anti-virus and firewalls, but there is generally no knowledge of cyber risk management and assessment, which is what ensures that you have the right defences in the right place, gives the best value for your limited spend, and takes in the non-technical solutions that are often a better bet than a piece of technology.

      SMEs generally have very little budget to allocate to this and that means that what budget they have needs to be effectively targeted at what is important.  They need to be aiming for a situation whereby when a potential attacker targets them, they appear to be a more difficult nut to crack than other organisations in their space and their size.  Attackers want things to be easy, not difficult, and they will often move on if things get difficult.  A criminal is in the game of getting easy money.

      Let’s take a look at what cyber security is all about and, more importantly, why you need it.  Let’s tackle the first question: what is cyber security?  One definition is as follows:

      Cybersecurity is the practice of protecting computer systems, networks, software, and data from digital attacks, unauthorised access, damage, or theft. It involves a range of technologies, processes, and practices designed to:

      • Prevent cyberattacks
      • Detect breaches or suspicious activity
      • Respond to security incidents
      • Recover from damage or loss caused by attacks

      The problem is of course that each bullet point there covers a multitude of issues that need to be addressed.  The question is understanding what those issues are, how they affect you and what is the priority i.e. what are the most important things that you need to protect, and what comes next, all managed within whatever budget you can allocate to it.  It’s not easy and you might feel that you don’t need to do everything but that you need to cover off the most important issues.  That means of course that you need to know what those issues are.

      The first thing you need to do is to identify your cyber assets.  Assets are not confined to hardware and software, far from it.  A cybersecurity asset is anything of value that requires protection in a digital context. Identifying and classifying these assets is a foundational step in building a strong cybersecurity posture.  Assets will change from company to company, depending upon how you’re organised and what business you are in, but generally:

      Hardware Assets

      • Servers, routers, laptops, mobile devices, firewalls
      • Why it matters: Physical devices are entry points for attackers and must be secured.

      Software Assets

      • Operating systems, applications, databases, etc.
      • Why it matters: Vulnerabilities in software can be exploited to gain unauthorised access.

      Data Assets

      • Customer records, financial data, intellectual property, source code
      • Why it matters: Data breaches can lead to regulatory fines, reputational damage, and financial loss.

      Network Assets

      • VPNs, switches, IP addresses, subnets
      • Why it matters: Networks facilitate communication and, if not protected, can be avenues for lateral movement by attackers.

      People Assets

      • Employees, contractors, system administrators
      • Why it matters: Human error is a leading cause of breaches, so training and access control are crucial.

      Cloud and Virtual Assets

      • Virtual machines, containers, cloud storage (e.g., AWS S3, Azure Blob Storage)
      • Why it matters: Cloud environments introduce new attack surfaces that must be monitored and managed.

      An example could be a customer database, maybe in the cloud or via an app, or even on an onsite server.  You class this as high value because it contains personally identifiable information (PII) and of course all your interactions with those customers and the value they have to you.  Lose that and you might be out of business.  You decide to encrypt it, use multi-factor authentication and take daily backups that are not kept online.

      Identifying the assets is the first step in defining what protections you need.  You then have to categorise those assets and decide how important they are to the business before you can decide what levels of protection they need.

      Having categorised your assets, you then need to assign a risk score to each one.  This can be done via a formal risk assessment, but I accept that many SMEs can’t afford to have that done.  Given the size of the company and the amount and types of information held, it is usually far easier than it would be for a corporate body to score each asset yourself: rate how badly the business would be hurt if the asset were lost, leaked or tampered with, rate how likely that is, and combine the two.

      The risk score tells you the importance of each asset and how strongly you will need to protect it.  In other words, you are now targeting your spend to where you know it will be most effective.
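      To make the scoring concrete, here is an added example, written for this page and not an H2 tool, of a small asset register in Python.  It uses the asset categories above, rates each asset’s confidentiality, integrity and availability value and its likelihood of compromise on a 1 to 5 scale, and turns that into a prioritised list of missing baseline controls, which is the targeted spending plan described above.  The scales, the sample assets and the list of expected controls per category are assumptions chosen to show the method, not data from the article.

```python
"""Added example: a minimal asset register with risk scoring.

Illustrative code written for this article, not a tool from H2 or any vendor.
The 1-5 scales, the sample assets and EXPECTED_CONTROLS are assumptions.
"""
from dataclasses import dataclass

CATEGORIES = ("hardware", "software", "data", "network", "people", "cloud")
SCALE = range(1, 6)  # 1 = low / rare, 5 = critical / almost certain

# Baseline controls we expect per category (constructed for this example;
# replace with your own policy).
EXPECTED_CONTROLS = {
    "data": {"encryption_at_rest", "mfa", "offline_backup"},
    "cloud": {"mfa", "least_privilege", "logging"},
    "hardware": {"patching", "disk_encryption"},
    "software": {"patching"},
    "network": {"segmentation", "logging"},
    "people": {"awareness_training", "joiner_leaver_process"},
}


@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    confidentiality: int   # consequence of disclosure, 1-5
    integrity: int         # consequence of tampering, 1-5
    availability: int      # consequence of loss or outage, 1-5
    likelihood: int        # chance of compromise within a year, 1-5
    controls: frozenset = frozenset()

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        for v in (self.confidentiality, self.integrity, self.availability, self.likelihood):
            if v not in SCALE:
                raise ValueError("ratings must be integers from 1 to 5")

    @property
    def impact(self) -> int:
        # Worst-case consequence drives impact: a server holding little
        # sensitive data but with critical uptime is still a critical asset.
        return max(self.confidentiality, self.integrity, self.availability)

    @property
    def risk_score(self) -> int:
        return self.impact * self.likelihood  # 1..25

    @property
    def missing_controls(self) -> set:
        return EXPECTED_CONTROLS[self.category] - self.controls


def risk_band(score: int) -> str:
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def prioritise(assets):
    """Highest risk first; ties broken by impact so critical assets float up."""
    return sorted(assets, key=lambda a: (a.risk_score, a.impact), reverse=True)


def spending_plan(assets):
    """(asset, control) pairs to fund first: gaps on high/critical assets."""
    plan = []
    for a in prioritise(assets):
        if risk_band(a.risk_score) in ("critical", "high"):
            for control in sorted(a.missing_controls):
                plan.append((a.name, control))
    return plan


# Constructed register for a small firm (not real data).
REGISTER = [
    Asset("customer database (cloud app)", "data", 5, 4, 4, 4, frozenset({"mfa"})),
    Asset("finance laptop", "hardware", 4, 3, 3, 3, frozenset({"patching"})),
    Asset("office Wi-Fi / LAN", "network", 3, 3, 4, 3, frozenset({"segmentation", "logging"})),
    Asset("marketing website", "software", 2, 3, 2, 3, frozenset({"patching"})),
    Asset("staff (phishing exposure)", "people", 4, 4, 3, 5, frozenset()),
]

if __name__ == "__main__":
    for a in prioritise(REGISTER):
        print(f"{a.risk_score:>2} {risk_band(a.risk_score):<8} {a.name:<32} "
              f"missing: {sorted(a.missing_controls)}")
    print("spend first on:", spending_plan(REGISTER))
```

      Run as a script it lists the register highest risk first; the customer database and the staff’s phishing exposure come out as critical, and the plan says to fund encryption and offline backups for the database and awareness training and a joiner/leaver process for staff before anything else.  The point is the ordering, not the numbers: change the ratings to your own judgement and the spend reorders itself.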

      We then need to identify the vulnerabilities and the threats and that is where most organisations require help.

      Here at H2 we draw on our considerable experience of doing this for corporate-level organisations and translate it into doable chunks for SMEs, carving up what is needed into priorities and working with clients to decide what those priorities are.  We do this keeping in mind the principle of People, Process and then Technology: many protections, or controls as we term them, are not technical at all but procedural, based on sound policy and process, and therefore cost very little.

      We take a phased approach:

      The first phase works with the client to decide where they are now, on a scale which we take from the Carnegie Mellon cyber maturity model.  Most SMEs come out at around 1 to 2 on the scale and aim to get to 3 to 3.5.  The scale goes up to 5 but, as the phased approach below shows, that tends not to be necessary for an SME and is often too expensive anyway.

      Once we know our starting point, we identify quick wins to tighten up security.  As a rule, that will include things like cyber awareness training for staff, ensuring that all access is controlled using MFA of some sort and making sure that Admin rights are strictly controlled.  Depending on the company and what it does, it might mean instituting some form of identity management.

      As part of the quick-win phase, we also look at policies and processes.  Is there a process for allocating and removing rights?  Is there a policy and process for on- and off-boarding staff?  Other policies we might need to look at include:

      • Top-level policy issued by the board
      • Starters and Leavers Policy
      • Access Control Policy
      • Magnetic Media Policy
      • Mobile Working Policy
      • Password Policy
      • Email Policy
      • Acceptable Use Policy
      • Data Protection

      That done, we move on to Phase 2, which is where we might recommend encryption both at rest and in transit for critical data assets.  We will discuss backup procedures and processes which ensure that backups are securely stored, and that restoring from backups is practised and works.  We will discuss incident handling procedures and business continuity planning.  Finally, we will discuss monitoring and audit, two things that until quite recently tended to be out of the price range of SMEs.  However, there are now systems and services on the market which are affordable.
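      An added example, written for this page rather than taken from H2’s process, of what “restoring from backups is practised and works” can look like in code: take a SHA-256 manifest of the data at backup time, keep it somewhere the backup host cannot overwrite, and check every test restore against it.  A backup that an attacker has encrypted, trimmed or salted with a ransom note then fails the drill instead of failing during the incident.  The file names and contents in demo() are constructed.

```python
"""Added example: verify that a restore actually matches what was backed up.

Illustrative code written for this article, not an H2 product. The directory
layout, file names and contents in demo() are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, path: Path) -> None:
    # Keep a copy of this with the backup AND somewhere the backup host cannot
    # write to; if an attacker can alter both, the check proves nothing.
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest taken at backup time."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))          # lost or deleted
    extra = sorted(set(actual) - set(manifest))            # e.g. ransom notes
    changed = sorted(p for p in manifest                   # encrypted in place
                     if p in actual and actual[p] != manifest[p])
    return {"ok": not (missing or extra or changed), "checked": len(manifest),
            "missing": missing, "changed": changed, "extra": extra}


def demo() -> dict:
    """Two drills: a restore from a good backup, and from one ransomware reached."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "customers").mkdir(parents=True)
        (live / "customers" / "crm.db").write_bytes(b"id,name\n1,Alice\n2,Bob\n")
        (live / "invoices.csv").write_text("INV-001,120.00\n")
        (live / "payroll.xlsx").write_bytes(b"PK\x03\x04 not really a workbook")

        manifest_path = Path(tmp, "manifest.json")
        save_manifest(build_manifest(live), manifest_path)
        manifest = json.loads(manifest_path.read_text())

        good = Path(tmp, "restore_good")
        shutil.copytree(live, good)
        clean = verify_restore(manifest, good)

        bad = Path(tmp, "restore_bad")
        shutil.copytree(live, bad)
        (bad / "customers" / "crm.db").write_bytes(b"\x8f\x12\xa9 ciphertext")  # encrypted
        (bad / "payroll.xlsx").unlink()                                          # destroyed
        (bad / "README_TO_RESTORE.txt").write_text("pay us")                      # ransom note
        damaged = verify_restore(manifest, bad)

        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

      The drill is only as good as the manifest’s independence: if the manifest lives on the same share as the backup and the attacker rewrites both, everything verifies.  Store it read-only, off the network that holds the live data, and run the restore test on a schedule rather than once.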

      This all seems a bit daunting, but if taken in chunks and phased over perhaps several budgetary periods it is doable, and you really need to consider it.

      Ransomware – The Threat That Keeps On Giving


      I know I’ve banged on about this quite a bit recently, but I make no apologies for it.  It has sprung to the front again following the Panorama programme on Monday night, which highlighted the often catastrophic effects of ransomware on companies and included interviews with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).  An NCA representative said that 2025 is shaping up to be the worst year ever for ransomware, and the CEO of the NCSC called on businesses to face up to the issue and sort out their cyber defences.

      The programme highlighted that Ransomware as a Service (RaaS) now enables less skilled attackers to run ransomware, complete with support and updates. Over 70% of attacks now use these services.
       
      Attackers have shifted to double/triple extortion schemes, encrypting data, threatening to leak it, and sometimes targeting associated partners or customers. Next-gen ransomware, e.g. LockBit 4.0, BianLian etc, is rolling out advanced stealth, data theft, and automated lateral movement techniques, using an initial breach to jump across to other parts of your network or that of your partners and customers.
       
      You’ll have to forgive me for being a bit smug, as the programme highlighted issues that I’ve been talking about for a long time now.  Firstly, it’s not just the corporates that are targets for this.  SMEs are also very much in the firing line.  The programme highlighted an example I’ve quoted before: Knights of Old (part of the KNP Logistics Group) suffered consequences that they just couldn’t recover from.

      In June 2023, the Akira ransomware gang got into the company using an employee’s account credentials and encrypted critical systems, including freight-tracking, payments and internal servers, displaying this chilling message:
       
      “If you’re reading this, it means the internal infrastructure of your company is fully or partially dead.” 
       
      The group also threatened to release over 10,000 confidential documents (payroll, invoices, financial files) as a form of double extortion.  Despite having cyber insurance and backups, the company couldn’t fully restore its financial systems, and some backups were destroyed in the attack.  Insurers covered the initial clean-up (around £250k) under a $1M policy, but this fell far short of the estimated $2.7–$5.3 million ransom demand or the broader economic damage.  Operational disruption prevented the company from producing the reports and financial statements essential for securing bank funding, and a sale fell through because buyers wanted director guarantees that couldn’t be given.
       
      The company entered administration in September 2023 and ceased operations.  Around 730 of its 900 employees lost their jobs, including many long-serving drivers and staff who were owed unpaid wages.  The local impact was severe: furloughed staff lost homes and cars, and some experienced severe personal hardship.
       
      It appears that the attack was carried out by brute-forcing a weak password on an account that had no multi-factor authentication (MFA).  It underscores the fact that even companies with cyber insurance and accredited systems are vulnerable.
       
      Obviously, we’re not party to the full facts, but the company’s directors have been quite candid in interview, and we have to wonder whether something as simple as good cyber awareness training and the introduction of MFA could have stopped this attack in its tracks.  There are other factors to consider though.  The backups appear to have failed, with some of them destroyed by the attack, which suggests they were reachable from the same network as the main systems rather than held offline or on immutable storage.
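      As an added example, not part of the original post: the brute-force pattern described above leaves a recognisable trail in authentication logs, and catching it does not need a SIEM.  The Python below reads OpenSSH login lines (the service the attackers used at KNP is not stated, so the log format is an assumption; the same logic applies to VPN or RDP logs with a different regular expression) and raises an alert for repeated failures from one address, for one address trying many accounts (password spraying), and for the tell-tale successful login that follows a run of failures.  All host names, user names, addresses, timestamps and log lines are constructed.

```python
"""Added example: spot a brute-force login, and the success that follows it.

Illustrative code written for this article, not an H2 tool. Log format is the
OpenSSH sshd syslog line (an assumption); all sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# e.g. "2025-06-03T01:00:00 gw sshd[4412]: Failed password for admin from 203.0.113.9 port 51122 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line):
    """Return (timestamp, success, user, ip), or None for lines we ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["outcome"] == "Accepted", m["user"], m["ip"]


def detect(lines, threshold=5, window=timedelta(minutes=10), spray_users=3):
    """Scan lines in time order and return alerts.

    brute_force:    >= threshold failures from one IP inside the window
    password_spray: one IP failing against >= spray_users accounts in the window
    compromise:     a successful login from an IP with >= 3 recent failures
    """
    failures = defaultdict(deque)   # ip -> deque of (timestamp, user) within window
    alerted = set()                 # (kind, ip) already raised, so we alert once
    alerts = []

    def raise_once(kind, ip, detail):
        if (kind, ip) not in alerted:
            alerted.add((kind, ip))
            alerts.append({"kind": kind, "ip": ip, **detail})

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, ok, user, ip = ev
        q = failures[ip]
        while q and ts - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if not ok:
            q.append((ts, user))
            users = sorted({u for _, u in q})
            if len(q) >= threshold:
                raise_once("brute_force", ip, {"failures": len(q), "users": users})
            if len(users) >= spray_users:
                raise_once("password_spray", ip, {"users": users})
        elif len(q) >= 3:
            # Guessing worked: the attacker is now logged in. Treat as an incident.
            raise_once("compromise", ip, {"user": user, "failures_before": len(q)})
    return alerts


# Constructed sample log: one brute force that succeeds, one legitimate typo,
# one low-and-slow spray, one unrelated line, one stale failure hours later.
SAMPLE_LOG = [
    "2025-06-03T01:00:00 gw sshd[4412]: Failed password for admin from 203.0.113.9 port 51122 ssh2",
    "2025-06-03T01:00:08 gw sshd[4413]: Failed password for admin from 203.0.113.9 port 51130 ssh2",
    "2025-06-03T01:00:15 gw sshd[4415]: Failed password for invalid user root from 203.0.113.9 port 51141 ssh2",
    "2025-06-03T01:00:22 gw sshd[4416]: Failed password for admin from 203.0.113.9 port 51152 ssh2",
    "2025-06-03T01:00:30 gw sshd[4418]: Failed password for admin from 203.0.113.9 port 51160 ssh2",
    "2025-06-03T01:00:41 gw sshd[4420]: Failed password for admin from 203.0.113.9 port 51171 ssh2",
    "2025-06-03T01:01:05 gw sshd[4422]: Accepted password for admin from 203.0.113.9 port 51180 ssh2",
    "2025-06-03T01:05:00 gw sshd[4500]: Failed password for alice from 198.51.100.4 port 40010 ssh2",
    "2025-06-03T01:05:10 gw sshd[4501]: Accepted password for alice from 198.51.100.4 port 40011 ssh2",
    "2025-06-03T01:20:00 gw sshd[4600]: Failed password for alice from 192.0.2.7 port 60000 ssh2",
    "2025-06-03T01:20:02 gw sshd[4601]: Failed password for bob from 192.0.2.7 port 60001 ssh2",
    "2025-06-03T01:20:04 gw sshd[4602]: Failed password for carol from 192.0.2.7 port 60002 ssh2",
    "2025-06-03T01:20:05 gw sshd[4602]: Connection closed by 192.0.2.7 port 60002 [preauth]",
    "2025-06-03T03:00:00 gw sshd[4900]: Failed password for admin from 203.0.113.9 port 52000 ssh2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

      Against the sample log this produces three alerts: a brute force from 203.0.113.9, the compromise when that same address finally logs in as admin, and a spray from 192.0.2.7.  The single failed attempt from 198.51.100.4 followed by a success is a user mistyping a password and is correctly ignored, as is the lone failure two hours later.  The compromise alert is the one to act on: with MFA in place the successful login would never have happened, which is the whole argument of this section.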
       
      Clearly what is needed is defence in depth, based on the tried and tested method of risk management.  The idea of defence in depth stems from military defences, where there are multiple layers to a defensive system.  In cyber security we talk about People, Process and then Technology.  I’ll once again trot out the quote from Bruce Schneier, ‘If you think technology will solve your cyber security problem, you don’t understand the problem and you don’t understand the technology’.  This aligns very well with the opinion of both NCSC and NCA that the majority of these attacks are more in line with scams than with technical hacking.
       
      Rather than bore you with the components of risk management in cyber, I’ll just point you towards a short video we produced on the subject.
       
      Risk Management – a short video
       
      We produced another video which highlights social engineering.  That is the method by which many of these attacks are carried out, and it is not particularly technical in nature.  It’s the People part of the risk management process and is arguably the quickest and cheapest win any company can take.  It’s a continual source of wonder amongst cyber security professionals that so much focus remains on technology whilst this vital element is ignored.  Our short video tries to hit the highlights, but in this changing landscape we haven’t hit them all.
       
      Social Engineering – A Short Video
       
      The takeaway from this should be that no one is safe or immune from a ransomware attack, particularly ransomware as a service.  The latter means that the attacker doesn’t need to be technically proficient, just determined, and it lets them target many companies at once.  If they attack 1000 companies at the same time, using the same service, and ask for moderate ransoms, they only need a 40-50% success rate to make a decent profit.  Add in AI, which makes this so much easier to do, and you’ve got an idea of how much of a business this is for criminal and nation-state-sponsored gangs.

      An Increase in sophistication in cyber-attacks in 2025

      There is a lot of discussion about AI, its benefits to society in general and its undoubted downside.  It’s a fascinating subject, and AI can really become the gift that keeps on giving.  But the downside for those of us concerned with cyber security, and really that should be all of us, is that we have always played catch-up to the cyber criminals, trying and often failing to anticipate what the next attack, or the next series of attacks, will be.  Will it be ransomware, denial of service or perhaps a new and more sophisticated scam?  Who knows?  And there is no doubt that AI is raising the bar.

      I have talked a lot about the re-emergence of the script kiddie and how AI is enabling this breed of wannabe criminal.  For those who maybe don’t know, a script kiddie was a low-level, part-skilled hacker who downloaded scripts from the dark web, put there by more competent hackers hoping to sell them, and used those scripts to attack targets.  But it’s also true that the more skilled and sophisticated criminal is making use of AI and finding new and innovative ways of relieving you of your hard-earned cash.

      What we are seeing in 2025 is an era where cyber-attacks are AI-powered, highly targeted, automated, supply-chain enabled, multi-stage, and geopolitically driven.  These attacks exploit weaknesses across credential systems, zero-day vulnerabilities, deepfake tools, and ransomware as a service (RaaS) platforms.

      We are in an accelerating digital arms race that calls for AI-driven defence capabilities, real-time insights, deception environments, zero-trust architectures, and quantum-safe cryptography.

      a. AI-powered precision and scale

      • Cybercriminals are leveraging AI to automate vulnerability scans at astonishing speeds, up to 36,000 scans per second, resulting in massive volumes of stolen credentials (1.7 billion) and drastic upticks in targeted attacks.
      • AI is also generating hyper-realistic phishing messages, deepfake audio/video, and even “CEO fraud” to manipulate individuals into transferring funds, such as the deepfake video conference in Hong Kong that tricked an employee into transferring around US$25M.

      b. Ransomware as a Service (RaaS) 3.0

      • RaaS platforms now enable less skilled attackers to run ransomware, complete with support and updates. Over 70% of attacks now use these services.
      • Attackers have shifted to double/triple extortion schemes, encrypting data, threatening to leak it, and sometimes targeting associated partners or customers.
      • Next-gen ransomware, e.g. LockBit 4.0, BianLian etc., is rolling out advanced stealth, data theft, and automated lateral movement techniques, i.e. using an initial breach to jump across to other parts of your network or that of your partners and customers.

      c. Supply-chain & third-party infiltration

      • Attacks starting via third-party software or vendors (e.g., SolarWinds-style) allow hackers to move laterally into networks and compromise multiple organisations simultaneously.

      d. State-sponsored & geopolitical cyber warfare

      • Nation-states (China, Russia, Iran, North Korea) are not just using espionage but now partnering with ransomware gangs to conduct financially and politically motivated operations.
      • Iranian state-aligned hackers are conducting sophisticated credential theft, MFA bypass, lateral infiltration, DDoS, website defacements, and disinformation across geographies.

      e.  Zero-days and living-off-the-land

      • Attackers are weaponising newly disclosed and zero-day vulnerabilities faster than patching cycles can keep up, especially in cloud and internet-facing environments.
      • Attackers increasingly use built-in legitimate software and system tools (living off the land) to evade detection.

      f.  Credential theft resurgence

      • Reported credential theft incidents rose 300% from 2023 to 2024, with 25% of malware focused on stealing login data.
      • These stolen credentials are a gateway for automated brute‑force, lateral movements, and supply‑chain infiltration.

      g.  Targeting of IoT, OT & mobile platforms

      • Millions of IoT and OT systems (from manufacturing to agriculture) remain insecure and are now common targets of AI‑driven automated attacks.
      • Mobile‑specific ransomware is emerging; threat actors are developing malware to extort victims directly via their mobile devices.

      h.  Rise of deception technology and defence adaptability

      • In response, organisations are deploying deception tech (honeypots, decoys) to detect lateral intrusions or zero-day exploits in real time.
      • Proactive threat intelligence, zero‑trust frameworks, AI‑driven detection, and adoption of post‑quantum cryptography are becoming critical defensive measures.

      SMEs still have the mind-set that these attacks are just about the corporate sector and that they are safe because they are small and not worth targeting.  Wrong.  SMEs are considered low-hanging fruit because they typically spend much less on their defences and tend not to have access to the right levels of support and advice.  SMEs make up over 99% of UK businesses and account for roughly half of private-sector turnover; that’s huge, and it makes them worth attacking if, for example, a nation state wanted to cripple the UK economy.  AI automation makes this much easier to achieve, and attackers at all levels can leverage AI to automate attacks against multiple SMEs at the same time using the same methods.  If they attack 1000 SMEs at once and get a 50% hit rate, that is good business for them.

      We are seeing AI letting attackers scan thousands of targets at once, deploy malware bots and use brute force tools.  They are automating phishing and social engineering allowing them to deepfake audio and video, using cloned voices to mimic senior personnel in companies.  Don’t be lulled into a false sense of security, AI makes this a relatively easy thing to do, doesn’t take high levels of skill, and is highly automated.

      There is a real fear that traditional firewalls and spam filters used by most SMEs may fail to detect these advanced threats.

      In summary AI-driven cyberattacks pose a significant and growing threat to small and medium-sized enterprises (SMEs). While larger corporations may have the resources to defend themselves, SMEs are often more vulnerable due to limited cybersecurity budgets, staffing, and expertise.

      Supply Chain Attacks

      There have been a number of recent cyber-attacks that have used the supply chains that many large businesses have.  These businesses rely on smaller ones to provide key components that they require in their manufacturing or other processes.  That supply chain is critical to their operations and therefore needs to be robust and secure.  An attacker is constantly looking for weak links in cyber defences that can be exploited for financial gain.  They will look at an SME as such a weak link, expecting the SME to have a lower understanding of the threat and lower expenditure on defence.  They will be looking to piggyback on loopholes in the supplier’s defences to attack their main target.

      A cyber-attack on a supply chain can have far-reaching and severe consequences, not just for the targeted organisation but also for its partners, customers, and even national security where critical national infrastructure (nuclear, transport, energy, water, etc.) is involved.  In short, SMEs are a high-risk conduit for supply chain attacks.  Even minor breaches in small firms can ripple out, causing data loss, operational shutdowns, regulatory scrutiny, and reputational damage, which is why third-party cyber security should be a top priority for all.

      What real-world examples can we give, particularly in the UK?  Below are some notable UK supply chain cyber-attacks that impacted SMEs and their customers, especially within third-party and vendor ecosystems.

      • CTS breach — affecting dozens of UK law firms via SME IT provider

      In 2023, CTS, a small IT supplier to multiple conveyancing and legal firms, was compromised. This granted attackers access to the networks of multiple SMEs in the legal sector, enabling potential data theft and operational disruption.

      • Metropolitan Police — hack via a small supplier

      In 2023, attackers obtained Metropolitan Police staff data by breaching a supplier responsible for producing police ID badges and warrant cards.  Because the SME provider’s systems were compromised, the attackers gained access to personal staff data (names, ranks, photos, pay numbers), highlighting how SMEs serve as gateways for attacks on major institutions.

      • Synnovis ransomware — disrupting NHS clinical services

      In June 2024, Synnovis, a pathology service provider for NHS hospitals, was hit by a ransomware attack attributed to the Qilin group.  Though Synnovis is not a front-line NHS body, as an essential subcontractor its breach led to cancelled operations and testing disruption in major London hospitals.

      • Blue Yonder — supply chain SaaS hack hits supermarkets & small logistics partners

      In November 2024, Blue Yonder, a logistics SaaS provider, suffered a ransomware attack. Major supermarkets like Sainsbury’s and Morrisons were impacted—but crucially, many small UK warehouses and logistics SMEs that rely on the platform had to revert to manual operations, enduring days or weeks of chaos.

      • Systemic SMEs-vulnerability in UK supply chains

      Research shows 77% of UK SMEs lack in-house cybersecurity, making them “soft targets” for attackers looking to pivot into larger clients. Meanwhile, 95% of larger UK companies reported experiencing negative impacts via vendor incidents.

      Why SMEs are often the weak link in supply chains

      • SMEs often run with minimal cybersecurity budgets, lacking formal certifications.
      • They are often granted privileged access to larger clients’ systems: many large organisations run just-in-time supply chains that require suppliers to be integrated into their systems.
      • When compromised, they become easy stepping-stones into bigger networks.

      Summary Table of SME related supply chain attacks

      Incident & Date          SME Role                    Impact
      CTS (2023)               IT supplier to law firms    Dozens of law-firm SMEs exposed
      Met Police (2023)        Badge/ID card vendor        Police staff data compromised
      Synnovis (June 2024)     Pathology provider          Hospital labs disrupted
      Blue Yonder (Nov 2024)   Logistics SaaS provider     SME warehouses/businesses disrupted

      What consequences can we expect from a supply chain attack?

      • Data Breach and Intellectual Property Theft
        • Exposure of sensitive data: Customer data, supplier contracts, or internal communications.
        • Theft of intellectual property: Designs, formulas, or proprietary technologies can be stolen and exploited.
      • Operational Disruption
        • Production halts: If a manufacturer’s software is attacked, it may stop production.
        • Delayed shipments: Logistics partners may be unable to fulfil deliveries.
        • Inventory management issues: Automated systems may become unreliable or inaccessible.
      • Financial Loss
        • Direct losses: Ransom payments, remediation costs, and legal fees.
        • Indirect losses: Lost sales, customer churn, and regulatory fines.
        • Stock impact: Public companies may see a drop in share price following disclosure.
      • Ripple Effects Across the Ecosystem
        • Third-party impact: A breach in one company can compromise many others (as in the CTS attack).
        • Supplier distrust: Loss of trust among partners can damage relationships and business opportunities.
        • Geopolitical risks: If critical infrastructure or government suppliers are hit, it can trigger national security concerns.
      • Legal and Regulatory Consequences
        • Violations of GDPR, PCI DSS, etc.: Leading to hefty fines and legal action.
        • Breach notification requirements: Mandatory reporting can hurt brand image and cause public fallout.
      • Reputational Damage
        • Loss of customer trust: Perception of weak cyber security can cause long-term brand damage.
        • Negative media coverage: Public awareness of the breach can linger for years.
      • Competitive Disadvantage
        • Loss of proprietary data: Competitors may gain an edge.
        • Resource diversion: Time and money spent on recovery rather than innovation or expansion.

      Protecting against a supply chain attack

      This will involve a mix of technical, procedural, and strategic measures.  You need to understand that technology alone will not protect you.  You must take a risk-managed approach and understand that these attacks target vulnerabilities in third-party vendors, partners, or software dependencies, and that they will use social engineering and phishing in all its forms.

      • Know Your Suppliers and Vendors
        • If you are managing suppliers:
          • Inventory all third parties: Maintain an up-to-date list of all external vendors, software providers, cloud services, and contractors.
          • Assess risk levels: Identify which vendors have access to critical systems or sensitive data.
          • Ensure that your suppliers are aware of your security policies and have agreed to abide by them, and audit that they do.
          • Include security requirements in contracts (such as regular audits, breach notification timelines, etc.).
          • Ask for compliance evidence (e.g. Cyber Essentials certification).
        • If you are a supplier to a larger organisation:
          • Know and understand your customers’ security policies and undertake to abide by them.  Don’t pay lip service, actually do it.
          • Make sure you understand your contractual obligations in this regard.  Failure to meet them could put you out of business.
      • Use Zero Trust Architecture
        • Apply least-privilege access to vendors and third-party applications.
        • Isolate critical systems from less-trusted networks using segmentation.
        • Verify before trusting: Always authenticate and validate access requests, even from trusted sources.
      • Secure Your Software Supply Chain
        • Ensure your software comes from reputable sources and is regularly updated, with patches applied.
        • Validate the integrity of software updates (e.g., check the vendor’s signatures and checksums, and use code signing and secure CI/CD pipelines for anything you build yourself).
        • Monitor for tampered or malicious packages.
      • Continuous Monitoring and Audit
        • Monitoring has long been considered too costly for most SMEs, with systems such as SIEM not only being expensive but requiring constant analysis by a SOC analyst.  However, there is now a managed system which is effective and within most SME budgets.  H2 can advise on this.
        • Log and audit changes to critical infrastructure and access to data.
        • Use threat intelligence to stay ahead of known supply chain threats.
      • Patch Management and Updates
        • Stay current with software and firmware updates.
        • Use automated patch management tools where possible.
        • Vet updates from vendors for authenticity and origin.
      • Incident Response Planning
        • Create and test a supply chain-specific incident response plan.
        • Ensure you can quickly revoke a supplier’s or an administrator’s access if needed.
        • Conduct tabletop exercises that simulate supply chain attacks.
      • Train Your Staff
        • This is often the most effective quick win any organisation can make.
        • Educate employees about phishing, social engineering, and how supply chain attacks often begin.
        • Train procurement and legal teams to evaluate vendors with security in mind.

      There is a lot to this subject, and you might feel that you need advice and guidance.

      WHAT DO SMES REALLY NEED TO KNOW ABOUT CYBER SECURITY

      Maybe I should have titled this ‘What do SMEs WANT to know’ rather than need to know.  That’s because all too often they want a very cut-down version of what they need, because, simply put, they don’t have the budget or expertise to get into too much detail and will often look for the easy way out.  That’s becoming more and more of a problem given the concerted effort by cyber criminals to attack all sizes and types of business here in the UK.  I posted a bit about this earlier, you can read it here.  Do SMEs really need a cyber strategy and, if so, what exactly does that entail?


      The real trick here is in devising a strategy that works whilst staying within budget and having the resources to make it work.  Not an easy path to tread but one that is very definitely a must.

      Secure by default and design

      Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

      It applies as much to your network and systems as it does to software development, and, possibly more importantly to you, data protection by design and by default is a legal requirement under UK GDPR (Article 25), which sits alongside the Data Protection Act 2018.

      The first problem many people come up against is that they already have a network, probably connected to the cloud of some sort, very possibly for SMEs, MS365, but when the design was done, there wasn’t a full risk assessment undertaken which is a requirement to underpin that design.  In other words what we in the cyber security industry refer to as Security Architecture Design (SAD), wasn’t a prominent consideration.

      Not unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else.  And that is where a well thought out strategy comes into play.

      What should I be considering in my Cyber Security Strategy

      We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.  I know, it’s a pain and you’ve got enough to do without increased paperwork.  But this isn’t red tape, this is designed to keep your business protected and can save you a lot of money, time and trouble.

      You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

      1. Risk assessment: Assessing potential cyber security risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.
      2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.
      3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.
      4. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.
      5. Collaboration with external partners: Establishing a partnership with a cyber security company that understands the issues affecting SMEs, and that can build a solid working relationship with the IT provider administering your network and IT resources.  This will enhance your protections, significantly improve employee and managerial awareness of the issues, and give you the peace of mind to concentrate on your core business.

      So, to wind this up, everyone needs a strategy that is tailored to them and covers off their needs.  In order to make sure that your cyber, or if you prefer, your information assets, are secured, you need to understand what they are and how vulnerable they are to attack.  Only then can you start to put in place protections that are appropriate to you, and affordable, making sure that your budget is spent wisely.  Don’t be put off by all the stuff above, some of it, or perhaps much of it, won’t apply to you, but some of it definitely will.  Don’t be afraid to take advice from those who know what they are talking about.
