News

Data Breaches and their consequences General Security Issues News Security

Data Protection – A Timely Reminder

Data Protection is a somewhat dry subject that many companies, particularly SMEs, and many think they can get away from by simply paying a bit of lip service.  The Data Protection Act 2018, or as it has become known, UK GDPR, is far from a toothless beast and can cause businesses to find themselves in all sorts of problems if they’re not careful.

As M&S has discovered and now, the Ministry of Justice.   The cyber-attack was on the Legal Aid Agency and appears to have accessed a ‘significant amount’ of applicants’ personal data, to which the government admitted.  ‘This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers [national insurance], criminal history, employment status and financial data such as contribution amounts, debts and payments,’ the MoJ said.

…….. ‘it has become clear that to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down. We have put in place the necessary contingency plans to ensure those most in need of legal support and advice can continue to access the help they need during this time’.  Serious indeed.

Initial findings suggest that this is the result of systemic issues within the organisation which they have failed to correct, over many years.

What are the possible fall outs from this?

That very much depends on how the Information Commissioner views it.  If this is seen as negligence, then the potential fine could be very significant indeed.  If, on the other hand, it is deemed that the MOJ took all reasonable precautions that they could to protect the data, then that is a good mitigation which will reduce the potential punishment. 

But that’s not the end of it.  The reputational damage that this does is incalculable and the cost of fixing the issues will be high.  Then there is the potential for legal action by anyone whose data was compromised, that could easily be the biggest issues that the MOJ faces.

Only time and a thorough investigation will determine the outcome.

Data Protection and the SME

My subscribers wi8ll know that my focus is the SME, large and small.  So how does data protection impact them.  Not so long ago a London estate agent was fined £80,000 by the Information Commissioner’s Office (ICO), after leaving the personal data of more than 18,000 customers exposed for almost two years.

The incident occurred when the estate agent passed the details from its own servers onto a partner company. An “Anonymous Authentication” function was not switched off, which meant there were no access restrictions to the data.

It’s surprising just how much PII estate agents hold.  Just think about what they ask for when you’re buying a house.  In this case the exposed details included bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.

Then, as above, that might not be the end of it.  Individuals can sue companies that release data into the wild.  In fact, there are now law firms advertising no win no fee when representing these cases.  Remember that data breaches almost always involve multiple people, sometimes hundreds if not thousands of records.

What size does a business need to be for the regulations to apply?

The regulations apply to all businesses large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it’s a regular activity, concerns sensitive information or the data could threaten an individuals’ rights.  Just exposing PII can threaten an individual’s right to privacy.

Just about everyone processes personal data of some sort.  Data that can identify a living individual.  HR data will have bank account information, home addresses, NOK, phone numbers, maybe references from previous employers.  The exposure of some or all of that could be judged as prejudicial to an individual’s rights.  Some companies may have bigger problems, for example Solicitors, Estate Agents, Financial Advisors and Recruiters (the list is not exhaustive), which hold an abundance of personal data about their clients, much of which, under other legislation they are required to retain for up to 7 years.

Do I need written policies and processes?

Yes – What this means is that a significant number of policies and processes will need to be written and taken into use by the organisation.  It is not unusual for many to visit the web and download templates to cover their requirements.  However, whilst these templates in themselves maybe adequate when used by someone who knows what the requirement is, they may be less than effective in the hands of someone who is just looking for a quick tick in the box.

How is UK GDPR effected by cyber security?

The Act requires personal data to be secured by ‘default and design’.  This means that cyber security requirements must be designed into your protections.  This could mean at least another 6 or 7 policies and procedures.

How can I keep track of all my PII holdings and keep it secure?

When we are first approached by a prospective client and we begin our offer of a 30 day free trial to examine their requirements, one of the first things we find is that they don’t know what data they are holding, or where it all is.  Oh, they have a general idea; it’s on the cloud server(s), it’s not on laptops or desktops, it’s just the stuff we need to process our clients’ requirements and yes, we’ve only got one copy.  And then we install our software that first carries out a discovery exercise and we find that their laptops/desktops are holding lots of copies of the data that is on the cloud server(s).  How does that happen?  Over time, especially with many now employing the hybrid system of working, ie between the office and remote (home) locations, employees log on to the cloud, find they have a bit of shaky internet link and download the data they need, work on it and then upload it again, forgetting to delete it from their machine.  Or they need to share it and attach it to an email and send it out, forgetting, or perhaps not realising, that the data is now stored, attached to an email, on their email server.

Then comes the issue with audit trails.  If the ICO ever wanted to carry out an investigation, then having an audit trail of who created/copied/deleted/forwarded what to who, is essential.  And let’s not forget the member of the public who is fully entitled to submit a Data Subject Access Request or DSAR, which demands that you reveal what data you are holding on that person.  The law insists on it, and you can’t refuse it.  I know of a financial firm that took nearly 3 weeks to satisfy a DSAR, taking an employee off billing, for that time.

Are there solutions suitable and affordable for SMEs?

We have a solution that meets the requirements and not only that, has a built in encryption system, all within the same monthly cost.  It’ll cost you nothing to trial it and we’d be very surprised if once you’ve seen it and seen the ridiculously low monthly charge for the managed service, you don’t want to keep it.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management News Ransomware, Phishing and other Malware Security Tools Supply Chain Security

Cyber Attacks on SMEs

We’ve posted a few pieces recently on why setting a realistic budget for cyber security is so important and we thought we’d follow that up with some real-life examples.

Small and medium-sized enterprises (SMEs) are increasingly being targeted by cybercriminals in 2025 and are facing a range of sophisticated threats that exploit limited resources and evolving technologies. Here’s a quick look at some of the most pressing cybersecurity incidents and trends that have affected SMEs so far this year:

Major Cybersecurity Incidents Impacting SMEs

  • Co-op Supermarket Chain Cyberattack (UK)

A “highly sophisticated” cyberattack disrupted Co-op’s IT systems, leading to customer data theft, contactless payment failures, and empty shelves in Scottish stores. The breach also affected other major retailers like Marks & Spencer and Harrods, with investigations pointing towards hacker groups such as Scattered Spider and Lapsus$. 

  • Lockbit Ransomware Group Breach

The notorious ransomware gang Lockbit was itself hacked, resulting in leaked communications that revealed aggressive targeting of small businesses for extortion. This breach has temporarily disrupted Lockbits operations and exposed their tactics.

  • Berkeley Research Group (BRG) Data Breach

A cyberattack on BRG compromised sensitive data related to Catholic Church sex-abuse cases. The attacker used impersonation tactics via Microsoft Teams to deploy Chaos ransomware, leading to concerns over the exposure of victims’ identities.

 Emerging Cyber Threat Trends for SMEs

  • AI-Powered Phishing and Deepfake Attacks

Cybercriminals are leveraging AI to craft convincing phishing emails and deepfake audio impersonations of executives, deceiving employees into authorising fraudulent transactions.

  • Ransomware-as-a-Service (RaaS)

The availability of RaaS platforms has lowered the barrier for launching ransomware attacks, making SMEs prime targets due to their valuable data and often limited security infrastructure.

  • Supply Chain Vulnerabilities

Attackers exploit weaknesses in third-party vendors to infiltrate SMEs’ systems, as seen in incidents involving compromised software packages on platforms like NPM.

  • Business Email Compromise (BEC)

Scammers use AI to mimic emails from corporate partners and managers, leading to fraudulent financial transactions. In Australia, BEC attacks have increased by 7% year-on-year, with SMEs being particularly vulnerable.

Proactive Measures for SMEs

To mitigate these threats, SMEs should consider the following actions:

  • Implement Multi-Factor Authentication (MFA)

Enhance account security by requiring multiple verification methods.

  • Regular Employee Training

Your staff are your first line of defence and need to be educated on recognising phishing attempts and social engineering tactics.

  • Secure Supply Chains

Vet third-party vendors for cybersecurity compliance and monitor for unusual activities.   Are you in a supply chain for a major company?  Are you facilitating a back door into their systems?

  • Invest in AI powered security tools

Utilise advanced solutions capable of detecting and responding to sophisticated threats.  H2 has a couple of suggestion here that are affordable to SMEs.

  • Protective Monitoring

How do you know that your expensive solutions are protecting you?  Do you know if you’ve suffered a stealth attack where the attacker has built a back door into your systems?  Do you know if you’re hard-earned cash is being siphoned off?  How vulnerable are you to an attack? A monitoring solution for SMEs is now available at an affordable price.

  • Data Loss Prevention

Are you sure you know exactly where all your data is?  Are you sure that documents attached to emails aren’t still sitting on your email server?  Do you know if other documents have been downloaded from your cloud storage whilst your staff work from home, and then uploaded but a copy is still sitting on their laptop?  Data proliferation over time is almost a given.  Can you encrypt your sensitive data so that even if it’s stolen, it’s useless to the thief?  An affordable solution now exists.

  • Develop an Incident response and business continuity plan

No matter how well you protect yourself, you still need to prepare for potential breaches with a clear strategy to minimise impact and recover operations swiftly.

Data Breaches and their consequences General Security Issues News Risk Analysis and Security Strategy Security Tools Supply Chain Security Uncategorized

Are we failing in our cyber resilience?

The fallout from the CloudStrike sensor failure, which caused severe outages throughout the globe, is still being felt and will be felt for some time to come.  The emphasis has been on recovery but that will start to change, as we focus more on why it happened, and what can be done to mitigate further failures of this kind.  I’ve said already, in a piece I wrote last week (https://hah2.co.uk/you-can-outsource-your-it-but-you-cant-outsource-your-responsibility/ ), that we appear to be becoming too reliant on our IT providers, particularly managed services, to ensure that we remain safe and our services can continue, and we aren’t looking too hard at ensuring resilience is built into our systems.  It begs the question, is business continuity planning no longer in fashion.

Alexander Rogan of Abatis also wrote a piece that’s worth reading (https://www.linkedin.com/pulse/billions-lost-chaos-lessons-from-crowdstrike-microsoft-rogan-abxde/}.  In his article Alexander emphasises the importance of zero trust architecture and processes.  What this essentially means is that we cannot afford to trust anyone other than ourselves.  Suppliers are there to help and as such they should ensure that their own processes are robust and include thorough pre-production testing, controlled roll outs and good baseline security measures.  Where CrowdStrike falls in this regard, will I’m sure, get thoroughly tested in the not too distant future.

The UK Government is also questioning the resilience of business in the UK to cyber threats (https://amp.theguardian.com/uk-news/article/2024/jul/29/uk-desperately-exposed-to-cyber-threats-and-pandemics-says-minister), and in this case a cyber threat is not necessarily confined to security, it can also mean a crash due to a technical or process failure.

In the cyber security industry, there has long been a running war between those that sell products and those of us concerned more with services.  Having been in the industry for 30 years, I have seen this time and again and the product sales nearly always win.  Why?  Simply because services are a hard sell with a long timeline whereas product sales are easier and quicker to achieve.  Why would that be?  Again, simple, people like to be able to quickly demonstrate a return on investment.  They like to see a product, doing its stuff, even when often, they don’t realise how it’s doing what it’s doing, or if it’s the right product in the right place at the right time.

The risk managed approach is the way to go every time.  That has not changed at all in the 30 years I’ve been plugging away at it.  It’s all about People, Process and then Technology.  I often quote Bruce Schneier, a US scientist on the Harvard Faculty, and a thought leader in this space.  He says, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.  Breaking this down, what he’s getting at is that first and foremost, you must understand the risks that you face and to do that, you have to identify your cyber assets.  By that we don’t mean hardware and even software, what we are talking about is your data and the ability to keep your systems online and accessing what your staff and/or customers need to access, when they need to access it.  Once you identify your assets, you then need to identify the threats to those assets and how vulnerable you are too those threats.  Threat and vulnerability = risk.  And by that we mean the risk to the business if it all goes pear shaped.

Once that’s done, we can then allocate a risk score to each asset with the aim of managing that risk down to an acceptable level, known as the risk appetite.  That will change business to business, even asset to asset.  You wouldn’t for example allocate the same level of risk [to the business], to a revenue earning system, as you would to perhaps a purely admin system that contains no personal data.

This all sounds terribly difficult and expensive, and that’s why many companies simply don’t do it, or maybe they do a subset of it.  But unless you do, then it can be very difficult to know for sure that you are spending your limited budget on the right protections, in the right place.  In the long run, it can save you a lot of money. This same assessment applies equally to the CrowdStrike problem, or for that matter, any other company that you have in your supply chain.  You need to assess what damage they could do to you if they fail, and what you can do to mitigate that damage.  It’s very well and good reaching for the nearest lawyer when it’s all gone to hell, how much better to stop it, or mitigate it, before you get there.

General Security Issues News Security Tools Supply Chain Security

You can outsource your IT, but you can’t outsource your responsibility

It’s hard to look anywhere without seeing reference to the CloudStrike/Microsoft disaster that is still causing issues around the globe.  There is plenty of plaudits for the way that both CloudStrike and Microsoft have handled the fall out and remediation (https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/) but you can’t escape the conclusion that it shouldn’t have happened in the first place.  Something clearly went wrong in the processes either in place, or worse, not in place, to make sure that software releases are thoroughly tested before release.  I also read somewhere that there had been a previous problem with CloudStrike software releases which affected at least 2 versions of Linux, but that this went largely unnoticed.  I suppose the predominance of Windows machines in the marketplace would make it impossible to hide a problem of this magnitude.

All that said, what is clear is that there was nothing that an organisation using this application, could have done themselves to prevent it, neither could most disaster recovery plans have dealt with this successfully.  The remediation has to come from both CloudStrike and Microsoft, which it is. 

I wrote a piece recently which included the difference between disaster recovery and business continuity planning (https://hah2.co.uk/what-are-the-questions-business-owners-ask-when-considering-cyber-security/). Disaster Recovery focuses specifically on restoring IT infrastructure and data after a disaster has occurred, and as already pointed out, in this case that fix has to come from outside the affected organisations and there was very little they could do.

Business Continuity refers to the proactive strategies and plans put in place to ensure that essential business functions can continue in the event of a disruption or disaster. This where organisation can help themselves.  Of course, all we really see on the news is the effects of the crash of systems, it’s what makes good television.  They don’t show organisations that had good business continuity plans in place and could continue to operate, albeit with reduced functionality. 

What struck me, watching it all unfold, was that there were some big organisations that were caught completely on the hop.  We saw airline staff reverting to manual ticketing but the overall impression is that this was being done on the initiative of individuals and onsite managers, it didn’t seem to be part of coherent planning.  Likewise, we saw the same type of issues in the UK NHS and GP surgeries.  If there really was a coherent plan in place, I apologise for suggesting that that wasn’t the case, but it sure didn’t look like it was.  Those 2 examples are the really big ones that hit the news.  There were quite literally hundreds of organisations that were hit and struggled badly.

When I started out in the Cyber Security game, disaster recovery and business continuity planning were absolutely must haves, in fact, as we know, you can’t achieve ISO 2700x certification without it.  These days I see very little emphasis being put on this.  Have we reached a stage of total reliance on technology and tech giants like CloudStrike and Microsoft, so that we have fallen into a complacency, relying on our suppliers to look after us?  If we have, I think that this shows that this is a big mistake.  A great saying is that you can outsource your IT but you can’t outsource your responsibility.

Which leads us neatly onto another point.  Supply chain security.  We talk a lot about making sure our supply chain is as robust as our own systems and that they have good security, and good policies and processes.  But this shows that we need to go further than that.  We just can’t trust that any software installed will work and not cause problems, we need to ask questions about how rigorous their testing is, who signs off on a release, how is released and by whom?  What tests were done before release?  These are perfectly valid questions and any software supplier worth their salt has to have good answers for these questions.  Any of you ever asked?

As a provider of protective monitoring solutions which require a light touch agent to be installed on systems, albeit on a much smaller scale than CloudStrike, this has given considerable pause for thought.  I have already had these discussions with my supply chain and got good answers, but I’m not going to take my foot off the gas and will keep asking before agent upgrades, which admittedly, don’t happen often.  But there will be a certain nervousness in the future when it does happen.

General Security Issues News Ransomware, Phishing and other Malware Security Tools

KASPERSKY BANNED IN THE US

The US has announced plans to ban the sale of antivirus software made by Russian firm Kaspersky due to its alleged links to the Kremlin (source article https://www.bbc.co.uk/news/articles/ceqq7663wd2o).  This shouldn’t have come as a great shock.  In 2017 the Department of Homeland Security banned the anti-virus product from federal networks, and it has long been a target for US regulators.

There have always been some rather vague clouds over Kaspersky.  I well remember going back to 2010//11, working on a major UK Government sensitive project where we had one guy pushing Kaspersky hard, really fighting its corner but it soon became clear that the customer wasn’t going to use it under any circumstances.  But why?  Kaspersky has always scored very high, in fact near perfect scores, when tested independently by AV-TEST, the most trusted source for independent testing. 

Well, it’s all about the problem that it’s Russian owned and to provide a transliteration from Russian, Laboratoriya Kasperskogo.  In the UK it’s operated by a holding company.  Nonetheless the code comes from Russia and that’s going to have a very real impact on the US, especially given it’s almost total breakdown of relations and the ongoing Ukraine conflict.  Only the US Dept of Homeland Security knows whether this is a very real threat to western company’s using this suite of products, or if there’s a political element to it.  Either way, it’s going to damage Kaspersky, totally decimating its sales in the US.

The big question here in the UK, and across Europe and many Asian countries, is, is it safe to use?  In the UK, the British Standards Institute (BSI) has found no evidence of current problems with Kaspersky products.  However, it went on to recommend that its anti-virus products be replaced with alternatives.  Talk about sitting on the fence and damning with faint praise! 

On 29 March the UK’s National Cyber Security Centre (NCSC)  issued refreshed guidance on UK organisations’ use of technology originating from Russian companies, saying it is not at this time necessary, or necessarily wise, to discontinue use of products such as Kaspersky antivirus (AV) products.  That guidance is now nearly 3 months old, and it remains to be seen if it gets updated following the US action.

The judgement that companies will need to make is, whether renewing or looking to replace a current vendor, do we take a risk on Kaspersky?  Having been in this industry for many years, I know that there are lovers out there, of specific products and/or vendors, who will make this a hill to die on, but there are others who will adopt a much more cautious approach.  I don’t expect to see organisations rushing to ditch Kaspersky but I think their sales people, and their resellers, will find new sales and renewals, a real challenge.

Of course I can’t let this pass without a pitch.  So, if you want to take what I say as being tainted by the fact that I re-sell another product, then guilty m’lud, and I’ll take that on the chin.  The product we sell is one that is in heavy use by the US Department of Defense, as well as industries akin, including the nuclear industry.  It’s been pen tested to death and proof can be shown.  It has a unique approach in that it simply stops unauthorised programs from running.  But how?  Data is stored either as non-runnable info data or runnable application programs. Malware is a type of runnable program with undesirable behaviours.  The system uses what is called a Hard Disk Firewall (HDF).  HDF prevents malware infection, stopping malware program files from being stored and run on a computer.  Simply put it takes about a 30 day period to examine your network and end points, identifying what executables are being run and then, working with you, we decide which of those should be whitelisted to ensure your business isn’t impacted in any way, and anything not on the whitelist is blocked from running.  If you want to know more you can contact us on the links below.

General Security Issues Identity and Access Management News Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

Innovation – Why Do Many Shy Away from it?

I read an interesting piece recently where the thrust was that true innovation consists of doing now what you should have done ten years ago.  Harsh, maybe, but also fair.  I’m constantly reading industry surveys which highlight the low level of cybersecurity maturity amongst large firms and, increasingly, an even lower level amongst smaller firms.  We never seem to learn.

Of course, and as I’ve mentioned before, many of these surveys are written, or at least sponsored, by cybersecurity vendors and largish consultancies, who could potentially be seen as biased in that they are pushing their own solutions.  But keeping that in mind, there is still and underlying truth.

My focus remains on SMEs, so I’ll skip more talk about the corporate world.  In conversation with people I’ve worked with for years, their anecdotal evidence supports the underlying truth of these surveys.  SMEs in particular struggle with the basics of good cybersecurity housekeeping, such as monitoring of basic network events, timely removal of user accounts, timely deployment of security patches, and revalidation of access level, particularly privileged access.  This list is far from exhaustive.  Whilst this message has been pushed over and over by cybersecurity professionals over the last 10-15 years, SMEs continue to rely on technical solutions which simply don’t stack up in many areas.  Why?  Simple, because they are relying on local IT providers to give them solutions and those IT providers continue to push the technologies that they sell.  SME owners and managers are very reluctant to relinquish that argument.  Strange when often the best solutions are procedural and as such, much much cheaper than a technology that probably doesn’t quite match up anyway.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT.  They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Back to the topic in hand, innovation and how and when should we be seriously considering it.  Ideally, we should be constantly looking for innovations, not just to keep us safe, but to encourage efficiency and cost savings, and I’m sure all SME owners would love to have the time and resource to do just that.  But we live in the real world and will be cost, and resource constrained.  But that’s not an excuse to not keep a weather eye on the need to innovate.  We live in a changing world and what we in the business call the threat landscape, changes constantly.  This simply means that threats evolve all the time, often to meet new circumstances, and AI for instance, is reducing the response time of cyber criminals to new technologies and changes in working patterns, to almost what is known as the zero day threat, ie zero days from the release of something new, to a threat being created to exploit it.

When COVID hit, many SMEs had to move very quickly to keep going, adopting remote working without the time or luxury of any real planning.  It was a knee jerk born of necessity and certainly not the way they would have liked to do it.  There are multiple cases of companies not having the necessary equipment, in terms of hardware, desktop, laptops etc, and allowing staff to work from home using their own home machines, connecting to both office and cloud-based systems, without any check on how those machines were configured, whether or not they were kept up to date with the latest patches, or whether they were used by other family members. 

In terms of equipment, cloud usage and some working practices, that situation is righting itself, sort of.  There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are either planning to, or have adopted a hybrid model.  In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.  That new working model has arguably had the biggest effect on working practices and in turn, cyber security as it affects SMEs, since the innovation of IT itself. 

So, what needs to be done if hybrid working patterns are to continue?  Well, first and foremost comes your policies.  Do they reflect the new hybrid working model?  Have you laid down what is and what is not an acceptable use of company IT equipment if it’s being transported to a home address?  Do you allow the use of home machines, and have you laid down how those machines must be configured before they can be used for company business?  That list is not exhaustive.

Secondly comes user training.  Cyber awareness training for staff, along with a broad understanding of data protection principles, becomes even more important when staff are working from home.  It is a clear no brainer which many SMEs still don’t recognise as necessary.

Of course, those 2 things are hardly innovation, unless of course, you haven’t taken any of those measures and then it becomes innovative within your company.  Real innovation perhaps comes from reviewing the technologies you have in place, and have relied on, possibly for years.  Most, if not all those technologies will be based on the old bastion model of security, ie a network perimeter with a secure gateway, protecting your assets within that perimeter.  With the new working model, relying usually on cloud connectivity, your staff could be working in the office, at home, from a coffee shop etc etc.  You now have a mobile workforce.  What is needed is real innovation that protects your data regardless of where it is, technologies which themselves are cloud based, not caring where the end point it is monitoring actually is, whilst maintaining cost effective pricing.  This is something we’ve been at great pains to research and have now come up with such solutions.

We are holding a webinar to discuss and highlight these solutions and would love to see you there:

Event Details:

General Security Issues News

Cyber Threats to SMEs

I’m not a big fan of FUD – Fear, Uncertainty and Doubt – which is often used when selling, or attempting to sell, cyber security solutions.  I’ve always considered it a little unethical and unsavoury.  However, there is a clear difference between telling people what they need to know and spreading FUD around to scare up sales opportunities.  SMEs, just like the corporate world, need, and deserve, to know the truth about what they are facing.  I’m also not a fan of the saying ‘you don’t know what you don’t know’, but it’s sadly true.  Being uninformed can lead to complacency which can, in turn, lead to some quite disastrous consequences.

It’s being reported that SMEs experienced a 37% surge in cyber security warnings in 2023.  That’s a lot, and whilst there is always a little scepticism about stats, if only because many SMEs will simply not involve themselves in gathering such stats, preferring to keep things to themselves regarding their security, you can argue that 37% is a conservative estimate given that reluctance to take part.

They go on to say that Private sector organisations were hit harder by cyber threats, receiving 18% more alerts than their public sector counterparts. As threat levels rose, IT teams also showed signs of shrinking – the mean size of each security team at the beginning of 2024 was 2.63 people, slightly down from 2.7 people in 2021.  And that’s for organisations that can afford their own in house IT whilst most rely on contracted IT management companies, often local and themselves resource challenged.

They report that:

  • Two in five SMEs were taken offline – 41% of SMEs had to take systems and applications offline due to an incident over the last year. For one in seven of those (14%), the outage lasted more than a day.
  • Data loss hit almost two in five – 39% of SMEs lost data due to a cyber-attack in 2023, a 13% jump since 2021. Nearly a third (30%) of SMEs also lost data due to user error in the last 12 months and 27% lost data due to disgruntled employees.
  • One in five fell victim to ransomware – 20% SMEs fell victim to a ransomware attack – although the pace of attack has remained consistent over the last three years.
  • 34% paid out after a ransomware attack, with the average pay-out standing at £139,368. And, one in five were subjected to a regulatory fine as a result.
  • Nearly a quarter experienced an email attack – 23% of SMEs suffered from an employee opening a suspicious or malicious email that led to a serious attack.

Perhaps one of the most concerning issues for SMEs, is that it was reported that those employing some form of cyber security expertise were requiring their staff to work out of hours regularly in order to keep up with the issues, with 38% having been called at night and 34% having their holiday interrupted.  Not hugely surprising as cyber criminals don’t keep regular hours.  And of course, as I said earlier, most SMEs don’t employ their own in house staff but rely on IT management company’s and it would perhaps pay SMEs to re-visit their Ts & Cs to see if they have any out of hours coverage, and what it entails.

At least 70% of SMEs are struggling with the plethora of security solutions being sold to them, especially as most of these don’t inter operate with each other and instead, work independently and often overlap.  It’s essential that any solutions that are in place complement each other and where they do overlap, it’s for a good and useful purpose, providing belt and braces, requiring some form of reporting that allows us to see that these solutions are doing what we think they are doing.  All too often that’s not the case.

Getting advice and guidance, ensuring that you ask the right questions to get your knowledge to the point where you can realistically start to assess where you stand in regard to cyber security, is essential.  To that end we are holding a webinar on the 8th of May where we’ll explore some strategies you can adopt to protect your information from cyber threats, providing practical tips and best practices to secure your data effectively, and provide you with a tailored solution specially designed and priced for SMEs. This session is an excellent opportunity to enhance your digital security and protect the data you hold within your network that is critical to the operation of your business and your fiscal security.

You can register via Eventbrite:

https://www.eventbrite.com/e/protect-your-digital-assets-before-they-become-digital-liabilities-tickets-880741630927

Data Breaches and their consequences News Security

Data Breaches – How bad could it be?

“Fujitsu Hacked – Attackers Stolen Personal Information”

Fujitsu confirmed a cyberattack that led hackers to steal personal data and customer information.

Now there’s a headline to put fear into their customers, both current and potential.  Not a great look for one of our premier IT system integrators and manufacturers.

But what’s that got to do with me you say?  I don’t have any Fujitsu kit and I’m way too small to feature on the radar of a hacker or team of hackers, that would target someone like this.  OK, maybe true, maybe not so true.

Did you know that since 2005 the Information Commissioners Office (ICO) has ruled on 13,500 freedom of information and environmental information cases. Many of these would be classed as SMEs and small government departments, particularly local government.  Last year alone, 86 enforcement actions were taken which included 37 reprimands, 24 enforcement notices, 23 monetary penalties and 2 prosecutions.  Fines of around 80K are not uncommon, and a fine of that size would be a severe blow to an SME.  The ICO has issued fines totalling £590,000 to five companies for collectively making 1.9 million unwanted marketing calls which targeted the elderly and people with vulnerabilities.

Fines and enforcement notices cannot be hidden, they are published on the ICO website for all to see, which can have an impact on the reputations of companies, adding to the pain of any fine caused by a unwanted marketing calls or data breaches.

In practice though, the ICO is not there to put you out of business and the chances of a fine of anywhere near the maximum, being applied to an SME, is low but not impossible.

It is, for most SMEs, about doing what is reasonable to prevent a data breach.  That will include having the right policies and procedures, known to all staff, and rolled out.  Don’t play lip service to this, you will be found out.  It is important to be aware of the threat and take the necessary actions to prevent breaches.

Lack of adequate data security is an important basis for imposing fines.  Are you one of the SMEs who has swallowed the line that a firewall and some anti-virus, plus cloud storage, is all you need? 

In addition to inadequate security, one of the frequent reasons for imposing a penalty is failure to report a violation despite the obligation under the law.  Have you got that covered with an adequate policy and process in place and understood?

This can all be a real nightmare for many SMEs, particularly those with a large amount of personal data, much of which they can’t ditch.  For example, financial data which under other legislation, they must keep for 7 years.  I’m thinking about Estate Agents and financial advisors, even solicitors who I find are very good at telling others what they need to do to comply with the Act but aren’t so hot on how to do it.

One of the biggest issues I find with SMEs, is that they often think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set.  This has become a real issue since COVID, in that remote working is becoming normal and it’s a real temptation for an employee, working from home with possibly less than robust broadband, to copy data from cloud storage to their PC or laptop to ensure they can keep working on it.  Then they upload it again when they’ve finished but forget to delete their copy.  That’s just one instance but it is vital to understand where all this data is.  What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why.  I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person.  But under the law, they had no choice but to bite the bullet.

We’ve been pondering these problems for some time, and they boil down to processing and storing the data securely and being able to quickly lay your hands on it.  There are several systems on the market which will capture where your data is, and who has access to it, generally under the banner of Data Loss Prevention, or DLP.  These systems are based on an event-driven approach and require extensive ongoing rules management built for LAN/WAN perimeters and are becoming much less effective working in an increasingly perimeter less environment. 

Local and Wide area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premises repositories (File Server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like slack or WhatsApp), and 3rd party portals. We needed an answer to this new data landscape with a cross-platform discovery functionality, coupled with the data flow monitoring capabilities.

We came across Actifile, which works very differently to a standard DLP, which in any case, often requires other tools to provide the security functionality needed.  Actifile is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in the world of no security perimeters. Moreover, Actifile’s set and forget method, requires little to no maintenance, and can be up and running securing data, in less than 3 working days providing a detailed breakdown of the data risk and leverages the data risk for data flow monitoring, auditing and remediation. This approach greatly simplifies the process.

Actifile is a cloud-based management platform coupled with a lean agent for workstations (both Windows and Mac), File Servers, NAS and Terminal Servers, and a sidecar docker instance for cloud-based file shares (. i.e., OneDrive).

Step 1: Data Risk Discovery and Quantification

Based on predefined privacy regulations and PII definitions, Actifile immediately starts scans for sensitive data using smart patterns. Actifile then quantifies data risk per PII type in local currencies.

Step 2: Data Risk Monitoring and Auditing

Tracks and audits data risk in real-time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organization.

Step 3: Data Risk Remediation by Encryption

Our patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption takes as little as 72 hours.

Finally, and importantly, it is very light on administration, quick to set up and we are offering a 30 day trial at no cost.  If you don’t like it, we take it away.

Scroll to top