Ransomware, Phishing and other Malware Archives

Data Leakage Explained for SMEs

Stopping data leaks from your organisation is an important part of data protection; it is a subset, if you like, of that ever-evolving subject. The rules are evolving here in the UK, with new legislation coming online, and there is a wide requirement that starts with a good mindset and sound rules and processes to guard your most sensitive data. We refer to data leakage when talking about a service we provide to SMEs, which we don’t like to frame as data protection because it is, as I said, a subset of the requirements. However, it is an important subset that lies at the sharp end of the whole thing.

First of all, let’s clarify what Data Loss Prevention (DLP) is. It is a cybersecurity strategy that identifies, monitors, and prevents sensitive information from being accessed, shared, or transmitted without authorisation, whether accidentally or maliciously, across endpoints, networks, cloud services, and email systems. In short, DLP stops sensitive data from leaving where it shouldn’t.

Sounds great until you investigate such systems, which can be extremely effective if you are a large corporate organisation. That’s because these systems can be very expensive, difficult to set up and come with a heavy admin burden. It’s not terribly surprising that SMEs don’t know much about these systems because the organisations that market them simply don’t target SMEs. After all, SMEs, in general, can’t afford them.

A data leak, however, can be one of the most damaging incidents an SME can face. Unlike large enterprises, SMEs often have fewer financial reserves, less technical expertise, and limited crisis-management capacity, making the impact proportionally greater.

Threats to an SME from Data Leakage

Taking a quick glance through the threats to an SME business from a data leak:

Financial Loss

Legal costs from customer or partner lawsuits.
Compensation payments to affected individuals.
Incident response and forensic investigation costs.
Business interruption losses during system shutdowns.
Regulatory fines (e.g., under data protection laws such as GDPR).

For SMEs, even moderate fines can significantly impact cash flow or survival.

Reputational Damage

Loss of customer trust.
Negative media exposure.
Damage to brand credibility.
Loss of competitive advantage.

SMEs often rely heavily on local reputation or niche trust; once damaged, recovery can be slow and costly.

Loss of Customers and Contracts

Clients may terminate contracts.
Prospective customers may choose competitors.
Larger partners may require stronger security compliance before continuing relationships.

Operational Disruption

Systems may need to be taken offline.
Data recovery efforts consume time and resources.
Staff productivity drops during investigation and remediation.

Theft of Intellectual Property

Loss of trade secrets.
Exposure of proprietary processes.
Competitors gaining access to confidential pricing or strategy information.

Increased Cyber Targeting

Once breached, a company may:

Be seen as an “easy target.”
Experience follow-up phishing or ransomware attacks.
Appear on dark web data marketplaces.

What are the Requirements of a Data Leakage Protection Solution?

In a nutshell, a solution that would fit an SME should be proportionate, cost-effective, scalable, and manageable without a large in-house security team.

Such a system needs to:

Identify sensitive data (customer data, financial records, IP).
Classify data based on sensitivity.
Map where data is stored and who has access.

It needs role-based access control (RBACS) using a least privileged principle, with multi-factor authentication and strong password policies. It needs encryption at rest, preferable file level encryption, and use TLS for encryption in transit with secure key management. Such a system needs to be set up with monitoring, logging, alerting for suspicious activity and periodic audits. It needs backup and recovery.

For SMEs specifically, the solution should be:

Affordable and scalable
- Cloud-friendly
- Easy to manage
- Automated where possible
- Supported by managed security providers (if no internal team exists)

How Do SMEs View Such Systems

All too often, we come up against the attitude that such a loss is very rare amongst SMEs, and the threat doesn’t justify the expenditure. That is often because this is a very under-reported issue, and those that are reported are just the tip of the iceberg.

What Is the Source of the “Tip of the Iceberg” Claim?

The idea comes from multiple types of evidence:

Incident Response & Forensics Data

Cybersecurity firms (e.g., Mandiant, CrowdStrike) publish threat intelligence showing:

Many breaches are only discovered during unrelated audits.
Cyber criminals often maintain access for long periods.

Academic Research

Studies in cybersecurity economics suggest breach reporting underestimates actual intrusion frequency due to:

Asymmetric information.
Underreporting incentives.
Detection bias.

Threat Intelligence Monitoring

Security vendors monitoring criminal forums consistently find large datasets being traded that were never publicly linked to a disclosed breach.

Bottom Line

The consensus among cybersecurity professionals, regulators, and researchers is that publicly reported data breaches represent only a fraction of actual incidents.

The conclusion is based on:

Detection lag data.
Forensic investigations.
Legal reporting thresholds.
Dark web intelligence.
Academic economic modelling.

How Can an SME Protect Itself?

Having waded your way through the reasons why SMEs don’t see much data on this subject and therefore don’t see the threat, I’m going to reward you with the pitch. Yes, H2 does have a managed solution that is designed, priced and operated specifically for SMEs. It’s a solution that isn’t as comprehensive as a full enterprise-grade DLP solution, but it does do the job for an SME.

The key advantages for a small or medium-sized enterprise (SME) of using our service in practical, business-focused terms are:

Automates Data Discovery and Protection

The service automatically finds, classifies, and assesses sensitive data (such as customer information, IP, and financial records) across endpoints, servers, cloud applications, and remote devices without manual scanning. This saves SMEs considerable time and decreases dependence on specialised security personnel.

Proactive Risk Reduction

Rather than just alerting after an incident, the service can automatically encrypt or block sensitive data based on risk level, minimising exposure before a breach happens. This helps avoid data leaks and insider mishandling.

Real-Time Monitoring and Alerts

The platform continuously tracks data movement and access, sending notifications for unusual activity. This keeps SMEs aware of potential threats or policy violations, even without a full-time security team.

Simplifies Compliance

The service helps businesses meet data privacy rules like GDPR, PCI, and others by providing reports, audit trails, and documented controls, making audits and regulatory compliance far easier.

Low Maintenance and Fast Deployment

Designed to be lightweight and “set-and-forget”, it can be deployed quickly with little disruption and minimal ongoing management, which is ideal for SMEs that don’t have large IT/security teams.

Cost-Efficient Risk Management

By automating complex security workflows and reducing reliance on manual processes or legacy tools, SMEs can keep security budgets lean while still achieving strong protection.

Centralised Visibility

It comes with a dashboard where you can see where sensitive data resides, who accessed it and what its risk level is, providing clear, actionable insights rather than fragmented logs across multiple systems.

Supports Remote & Hybrid Work

Because it works across cloud, endpoint, and server environments, the service helps secure data no matter where employees work or where the data lives, particularly useful as more SMEs adopt remote/hybrid models.

Reduces Human Error

With automatic classification and encryption, the service helps guard against accidental disclosure, which is a common risk in smaller organisations without dedicated security training.

In summary, for an SME, the service can deliver data leakage protection, risk reduction and compliance support without the heavy cost or complexity typically associated with traditional data loss prevention (DLP) or manual security practices.

Cost is something that is guaranteed to concentrate the mind of the SME owner. This service is priced specifically for SMEs at £15 per user per month. There is no contractual lock-in, and a client can quit with 30 days’ notice. We also offer a 14-day trial to allow a client to see the benefits of the system using their own data, rather than a demo with dummy data. We’d be delighted to discuss this with you further.

MORE ABOUT MANAGED DETECTION AND RESPONSE

This subject has, in the past, been difficult to convey to SMEs. In the corporate and major government department world, it’s a well-understood issue, more often referred to as a security operations centre, or SOC. I’ve built several of these over the years in the UK and the Middle East, and one thing is for sure: they are expensive to run in terms of both technology and manpower, which makes them unrealistic for an SME, even if they would be of real benefit.

So why am I even bothering to explain what it is? Simply because there are now systems on the market, very often AI-driven, that have managed to hit a price point that an SME can afford. These systems may not be as comprehensive as you might find in a large company or central government department, but they do match the requirements for most SMEs.

Why would an SME want such a system? First and foremost, any such system or service pitched to an SME needs to make business sense. To maximise its cost effectiveness, having additional capabilities such as vulnerability assessment, phishing simulations and cyber awareness training programmes makes it more attractive. The whole package needs to emulate enterprise-grade protection without the cost and complexity of a full-blown SOC. Delivering it as a service reduces cost by cutting out the need for an in-house team.

Good questions for all SMEs to ask themselves are:

If an attack or scam happened tomorrow…

Would you know about it?

Would you be able to stop it in time?

Would your team recognise it for what it is?

In a nutshell, an SME would want this system because it delivers near enterprise-level cybersecurity protection, reduces business risk, improves compliance, and protects revenue without needing an internal cybersecurity department. It provides peace of mind – you don’t have to worry about this, let someone else take the strain, while you focus on your business.

To help explain this easily, I have produced a short video which you can find on the Features Section on my LinkedIn profile. But if you don’t want to view that, what follows is an introduction to what the service offers.

Continuous monitoring of endpoints, servers, and some cloud environments
Rapid detection of ransomware, malware, insider threats, and advanced attacks
Expert-led response
Phishing simulations
Cyber awareness training programme
Dark web monitoring

For most SMEs, hiring skilled cybersecurity analysts is expensive and difficult. MDR gives access to an appropriate service level at a predictable monthly cost.

Business benefit: Reduced risk of downtime, data loss, and reputational damage.

This service comes with vulnerability assessment built it. Such assessments are available elsewhere as both software and a service, but they would not be integrated into an overall protection and would need to have a level of expertise to interpret the results.

Vulnerability assessments:

• Identify outdated software, misconfigurations, and exposed services

• Prioritise risks based on severity

• Provide remediation guidance

Most breaches happen because of known, unpatched vulnerabilities. Regular scanning helps prevent attacks before they happen.

Business benefit: Proactive risk reduction instead of reactive damage control.

The system also offers built in protection against human error (Phishing Simulation).

Over 80–90% of cyber breaches start with phishing. A phishing simulation programme:

• Tests employee awareness safely

• Identifies high-risk users

• Reinforces learning through practical scenarios

Business benefit: Fewer successful phishing attacks and reduced likelihood of credential compromise or ransomware infection. Such simulations are an integral part of cyber awareness training.

We also assist in building a security culture (CBEE Awareness Training Programme). A structured awareness programme:

Trains staff on cyber hygiene and data protection
Covers password security, social engineering, safe browsing, etc.
Supports compliance with regulations (GDPR, ISO 27001, Cyber Essentials, etc.)

Cybersecurity isn’t just technology, it’s behaviour. Training reduces internal risk significantly.

Business benefit: Employees become a security asset rather than a liability.

A managed system such as this can also help with compliance & insurance requirements. Many SMEs now face:

Regulatory obligations
Supply chain security requirements
Cyber insurance conditions

Having MDR, vulnerability management, and training demonstrates due diligence and can reduce insurance premiums or improve insurability.

These last 2 points are very important to an SME: Cost Predictability & Simplicity. As a managed service, everything is:

Subscription-based
Centralised under one provider
Fully supported by experts

No need to buy multiple tools, manage updates, or maintain in-house expertise.

In business terms you are getting executive-level risk reduction with a simple value:

Reduced likelihood of business interruption
Reduced financial exposure
Protection of brand and customer trust
Clear reporting and measurable risk reduction

All through this article I’ve talked about cost effectiveness. So, what does this service cost? I’ll add the BBC caveat – other systems are available!! We charge £15 per seat per month, and you get a lot for your money. Seems cheap and we’re happy to explain how we can get the price so low. It’s a 30-day rolling contract, no long-term lock in, simply 30 days’ notice to quit. We also offer a totally free 14-day trial that is fully functional so you can see the outputs from your own system, rather than look at demos with dummy data.

The Dark Figure of Cybercrime: Why SMEs Underreport Security Incidents

Last week, I made a short post about the difference between the perceived and actual threat to SMEs from cyber-attacks and scams, and whether there is any credible evidence to support a conclusion. Taking a hard look at this and doing some research, I have concluded that there is credible evidence from academic research, surveys, and policy reports showing that many small and medium-sized enterprises (SMEs) tend not to report cybercrime incidents, and there are well-documented reasons why. This phenomenon is sometimes described as the “dark figure” of unreported crime in the cyber domain.

We’ll take a look at some of that evidence later, but first, let’s turn to the gap between what people believe is happening and what the data shows is happening. That gap is influenced by psychology, media coverage, reporting behaviour and visibility of incidents.

Let’s break it down into the categories mentioned above.

Perception of Cybercrime Against SMEs

This is shaped by:

Media Coverage

High-profile ransomware attacks or major breaches dominate headlines. They mostly involve large enterprises, and as a result SMEs often feel it’s only those large enterprises that are at risk.

Vendor & Security Marketing

Cybersecurity vendors often emphasise rising threats, which though real, are designed to amplify urgency to drive awareness and sales. However, the use of fear, uncertainty and doubt or FUD, can have the opposite effect if it is seen as a sales tool rather than a real threat, which it all too often is.

Personal Experience

If an SME owner hears about peers being attacked, their perceived risk increases dramatically. Staying quiet about attacks can lower the perceived need for defences.

Fear of the Unknown

Cyber threats are invisible and technical. Lack of understanding increases anxiety and exaggerates perceived exposure. Taking a technical approach to educating business people is counterproductive and generally turns them off.

Underreporting Assumptions

Not all attacks are reported; in fact, the evidence suggests that the instance of underreporting is high.

Result

The result is that perception is often that, whilst cybercrime is constant. Underreporting of attacks on SMEs, coupled with the lack of education, and what education there is tends to be of a technical instead of business focused, leads many SMEs to view the threat as being covered off by technical barriers such as firewalls and anti-virus, and to be far more targeted at the corporate sector, not the SME sector.

Actual Level of Cybercrime Against SMEs

The actual level is measured by:

• Incident reports (law enforcement, insurers, regulators)

• Cybersecurity firm data

• Insurance claims

• Surveys with verified breaches

What data typically shows:

SMEs are frequent targets, especially for phishing, ransomware, and business email compromise.
Most attacks are automated and opportunistic, not targeted.
Many incidents are low-level (phishing attempts), not catastrophic breaches.
Severe attacks do happen, but not every SME experiences them.

The actual level is significant but uneven:

Some SMEs face repeated attacks.
Others may experience mostly low-impact attempts.
Many attacks are blocked before damage occurs.

Is Perception Higher or Lower Than Reality?

It can go both ways:

Perception is Higher Than Reality When:

• SMEs assume every business is constantly breached.

• Media focus on extreme cases.

• Attempts are confused with successful compromises.

Perception is Lower Than Reality When:

• SMEs believe “we’re too small to be targeted.”

• Minor incidents go unnoticed.

• Staff do not recognise breaches.

Interestingly, many SMEs underestimate their exposure before experiencing an attack, and overestimate overall catastrophic frequency after exposure.

In Summary:

The perceived level of cybercrime against SMEs is shaped by media attention, fear, and anecdotal experience, while the actual level is determined by measurable incidents and verified data. The gap exists because cyber threats are both highly publicised and often poorly understood.

Evidence That SMEs Often Don’t Report Cyber Crime

Survey data show high levels of non-reporting

A recent Europe-wide survey found that 44% of cybercrime incidents experienced by SMEs were not reported to anyone, not the police, not a regulator, not a service provider, and that only a minority of attacks were reported formally.

The same EU study found that when SMEs did report incidents, it was more often to a service provider than to public authorities, and that many businesses simply handled incidents internally or judged them “too trivial” to report.

Research identifies specific reluctance factors

Scholarly reviews and empirical work indicate that SMEs are less likely to report cyber incidents for reasons including:

Fear of reputational damage if customers or partners learn the business was breached.
Concern over regulatory or legal scrutiny once an incident is disclosed.
Perceived cost (time, money) of reporting, especially if there’s no regulatory obligation or clear benefit.
Belief that incidents are minor or can be more efficiently handled internally than involving law or regulatory bodies.

These findings align with broader research on businesses and cybercrime reporting, noting that decisions to report are influenced by the perceived severity of impact and whether the firm prioritises cybersecurity or has formal incident-response capabilities.

Structural and awareness challenges contribute to under-reporting

More general research into SMEs and cybersecurity shows that many smaller firms lack the awareness, training, resources, and formal incident-response processes that make reporting to authorities likely in larger firms. This lack of technical know-how and prioritisation often means incidents aren’t even recognised or escalated to reporting.

Why SMEs Might Choose Not to Report

There are several reasons, and looking across studies and surveys, as well as my own experience, common themes emerge explaining this reluctance:

Risk perception: SMEs often don’t think they’re targets, underestimating the likelihood or impact of cybercrime.
Internal handling: Many breaches are kept in-house, either managed by IT support or resolved without escalating to law or regulatory bodies.
Reputational fear: Owners worry about being seen as vulnerable or incompetent.
Cost of reporting: Time and money spent on reporting (especially when not legally required) can seem unjustified.

Does Under-reporting Matter?

Under-reporting matters because it creates a gap in official data on the frequency with which SMEs are victimised by cybercrime. This “dark figure” undermines effective policymaking, resource allocation, and threat intelligence sharing between the private sector, law and regulatory bodies, all of which are vital for improving cybersecurity resilience across the economy.

Finally I hope that this has provided you with a window into the lack of reporting of cybercrime, which is prevalent in, but not confined to, SMEs, and that it might encourage you to report crime if it occurs in your organisation. I also hope that it might encourage you to look at your own defences with a critical eye and perhaps seek advice and guidance to keep you safe.

An Increase in sophistication in cyber-attacks in 2025

Artificial Intelligence (AI) is a fascinating subject, but it’s also a controversial one. These days, we are all using it to some extent. I know I do in the solutions I provide for SMEs, as it allows for a large degree of automation, which in turn lowers costs. Lowering costs is always a priority for an SME.

So what is AI?

Artificial intelligence (AI) refers to computer systems that can perform tasks typically requiring human intelligence. This could include visual perception, speech recognition or translation between languages.

That description was one that was put forward by NCSC, and so it’ll do for me, although I’ve no doubt, you’ll find other descriptions if you look hard enough.

Often, what is called AI isn’t all that intelligent. It’s not taking in information, analysing it and coming up with answers. Of course, some very clever versions are doing just that, but they are mostly not available to you and me. The versions we see are very good at being asked a specific question and data mining various sources at an incredible speed and then producing the answer you want, usually with several variations. And that’s pretty much what most of us want to use it for.

As I said above, I use it in the applications I use for cybersecurity managed services directed at SMEs, not least because automation reduces cost, but also because it is very efficient, meaning that the results it produces need minimal human intervention to analyse the output.

But let’s look at the downside of AI in cybersecurity, which is what the cyber criminals are using it for. Firstly, what is it that is at risk:

Data Leakage. AI systems tend to be extremely good at analysing, organising, and harvesting vast amounts of data, raising concerns about privacy breaches and unauthorised access to sensitive information. A good AI-powered attack could capture huge amounts of personally identifiable information (PII) in a ridiculously short amount of time.
Data Integrity. In the good old days (please indulge me – I’ve been around a long time), we used to talk about CIA, no, not the infamous US intelligence agency, but Confidentiality, Integrity, and Availability. We now have something we call the Adversarial Attack. This is where attackers can manipulate AI algorithms by feeding them misleading data, causing them to make incorrect predictions or classifications, in turn destroying the integrity of your data, not just rendering it useless, but also dangerous.
Model Vulnerabilities. This next one is relatively new, at least to me, and as I never tire of saying, I’ve been in this game as long as there’s been a game. It’s something called Model Vulnerabilities. AI models can be vulnerable to exploitation, such as through model inversion attacks or model extraction, where attackers can reverse-engineer proprietary models. So, if you’re in the dev game, this is a very real nightmare.
Bias and Fairness. AI systems may inherit biases from training data, leading to unfair or discriminatory outcomes, which can have legal, ethical, and reputational implications. This could be used as another form of extortion, playing with the integrity of your data, to the point where you can no longer trust it.
Malicious Actors. These can compromise AI systems at various stages of development, deployment, or maintenance, posing risks to organisations relying on these systems. This has a role in supply chain security.
Attackers can leverage AI techniques to enhance the effectiveness of cyberattacks, such as automated spear-phishing, credential stuffing, or malware detection evasion.

What we saw in 2025 is an era where cyber‑attacks are AI‑powered, highly targeted, automated, supply‑chain enabled, multi‑stage, and geopolitically driven. These attacks exploit weaknesses across credential systems, zero‑day exploits, deepfake tools, and ransomware as a service (RaaS) platforms.

We are in an accelerating digital arms race that calls for AI‑driven defence capabilities, real‑time insights, deception environments, zero‑trust architectures, and quantum‑safe cryptography.

Cybercriminals are leveraging AI to automate vulnerability scans at astonishing speeds, up to 36,000 scans per second, resulting in massive volumes of stolen credentials (1.7 billion) and drastic upticks in targeted attacks.
AI is also generating hyper-realistic phishing messages, deepfake audio/video, and even “CEO fraud” to manipulate individuals into transferring funds, like a deepfake trick that siphoned US $25 M in Hong Kong.
RaaS platforms now enable less skilled attackers to run ransomware, complete with support and updates. Over 70% of attacks now use these services.
Attackers have shifted to double/triple extortion schemes, encrypting data, threatening to leak it, and sometimes targeting associated partners or customers.
Next-gen ransomware is rolling out advanced stealth, data theft, and automated lateral movement techniques, i.e., using an initial breach to jump across to other parts of your network or that of your partners and customers.
Attacks starting via third-party software or vendors allow hackers to move laterally into networks and compromise multiple organisations simultaneously.
Nation-states are not just using espionage but are now partnering with ransomware gangs to conduct financially and politically motivated operations.
Nation state-aligned hackers are conducting sophisticated credential theft, MFA bypass, lateral infiltration, DDoS, website defacements, and disinformation across geographies.
Exploit kits now rapidly find zero-day vulnerabilities, especially in cloud environments, to bypass patching cycles.
Attackers increasingly use built-in legitimate software and system tools (living off the land) to evade detection.
Reported credential theft incidents rose 300% from 2023 to 2024, with 25% of malware focused on stealing login data.
These stolen credentials are a gateway for automated brute‑force, lateral movements, and supply‑chain infiltration.
Millions of IoT and OT systems (from manufacturing to agriculture) remain insecure and are now common targets of AI‑driven automated attacks.
Mobile‑specific ransomware is emerging; threat actors are developing malware to extort victims directly via their mobile devices.
In response, organisations are deploying deception tech (honeypots, decoys) to detect lateral intrusions or zero-day exploits in real time.

Let’s not make the mistake of thinking that this is all very sophisticated and requires expertise and resources to pull off. It doesn’t. Take another look at some of the bullets above, where we talk about RaaS or Ransomware as a Service. This takes me back to what we used to term the ‘script kiddie’, that was relatively unskilled and unsophisticated ‘wannabe’ hackers who would visit the dark web and buy scripts from skilled hackers, that they would then try and use to make money, often unsuccessfully.

This has now moved on to using AI, and such services as RaaS; this type of low-skilled individual is back, but this time with a greater level of success. Let me give you a real example of how AI can be used by someone relatively low on the criminal totem pole. Using Chat GPT, the question was posed:

Can you write some ransomware code for me?

So, did ChatGPT help to write Ransomware code? Well, not initially, it gave a stock answer about not being able to write code that might damage a computer system. And some tooing and froing, trying to get around this, achieved the same result. So far, so good. That’s an ethical answer I would like to see.

Coming at it obliquely, via a back-and-forth conversation, can produce different results. Give it the instruction to write some C code to encrypt a single file, and get the result:

Certainly. Here’s an example of how you can use the OpenSSL library to encrypt a single file using the AES-256-CBC encryption algorithm in C.

The next step was to ask it to modify the code to encrypt a whole directory, which it did willingly.

Obviously, this isn’t the complete answer, and there would be more work to do, more research and probably a trip to the dark web, but a relatively unskilled individual can make a good start at producing their own ransomware.

I even asked Chat GPT to give me a description of how AI can be a boon as well as a danger to society:

AI can be both a boon and a potential danger in terms of cybersecurity. On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks. On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously. Sophisticated AI-powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale. It is crucial to develop robust safeguards, ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

If you’re looking for answers as to where we stand with AI, there are a multitude of opinions, I’m afraid, mostly because many of us are still trying to work that out for ourselves. However, I will continue to explore it, use it carefully and with forethought. The questions I pose will be based on my own knowledge of cybersecurity and my experience in life. Let’s hope I get it right.

ENCRYPTION

There are lots of different encryption solutions on the market, some which come with other applications and some that are stand alone. I’m not going to attempt to put one up against another but rather have a more generic look at the subject. I’m also not going to worry too much about the technicalities of how they work as frankly, most clients, many of which are SMEs, don’t really care about that. It’s the effectiveness and what they are going to get for their buck, that they care about.

There are essentially two main types of encryption, whole disc encryption (WDE) and file level encryption (FLE). WDE protects the device if the disk is offline or stolen. It’s the type of encryption that comes with Windows (Bitlocker) and with a Mac (File Vault). FLE on the other hand protects the data itself, even if stored on unlocked or shared systems. It encrypts on a file-to-file basis i.e. it encrypts the files you want to protect, and leaves others unencrypted. It generally operates as an agent-based system and often, but not always, comes as part of another application.

WDE is easy to describe. As you log off, the disc is encrypted so that if the hardware, laptop etc, is stolen, the data on the disc is protected. However as soon as you log on, the disc is unencrypted and so the data is unprotected from an intrusion.

FLE proactively encrypts sensitive files at the file level using AES 256-bit encryption. This makes stolen data completely worthless to attackers, as it cannot be accessed or decrypted without the proper decryption key, which is managed through an agent and defined access controls. By encrypting data automatically and in real-time, FLE ensures data remains protected even if the system is compromised, which can be more effective than traditional reactive security measures that rely on detecting attacks after they occur.

Let’s take a look in a bit more detail at the differences between WDE and FLE.

Feature	Whole-Disk Encryption (WDE)	File-Level Encryption (FLE)
What gets encrypted	The entire drive (OS, apps, swap, all files)	Individual files or folders
When data is decrypted	Automatically after the device boots and the user authenticates (e.g., login, pre-boot PIN, TPM key)	Each encrypted file decrypts only when accessed by an authorised app/user
Protection scope	Strong against physical theft, lost devices, or disk removal	Strong for protecting sensitive data, shared storage, or cloud backups
Visibility of encrypted content	Drive appears unreadable until unlocked	File names can still be visible (depends on tool), but contents are encrypted
Use cases	Laptops, desktops, mobile devices	Encrypting documents, databases, specific secrets, or user-chosen data
Performance impact	Minimal today, because decryption happens in bulk after unlock, and often uses hardware acceleration	Can be higher if many encrypted files are accessed frequently
Granularity / control	Low (all-or-nothing)	High (encrypt only what needs protection)
Key management	One main disk key (often protected by TPM or secure hardware)	Many file keys or per-user/per-file keys possible
Security if system is compromised while powered on	Weak (disk is unlocked, malware can read everything)	Better (files are only decrypted when opened, limiting exposure)

One question I get asked a lot is, does encryption protect against Ransomware. The short answer is no. WDE only protects the data when the machine is switched off. Once booted up the data is unencrypted. FLE protects data against data leakage or theft in that it can’t be read by unauthorised persons. However, it can’t prevent encrypted data from being encrypted again by a ransomware attack.

A secondary aim of most ransomware attacks is to steal the data to sell on or to use for other things. In those cases, FLE does help protect because the ransomware can’t decrypt the already encrypted data. So, there is a level of protection using FLE that you can’t get with WDE.

FLR can help a little (but still not enough):

It can slow or limit ransomware only if:

Keys are stored in a separate secure environment (HSM, smart card, enclave, etc.)
Decryption requires per-file user interaction ransomware cannot mimic
The storage supports immutable or version-protected encrypted blobs

Even in those cases:

Ransomware can still delete files, encrypt them again, or lock the device
It usually cannot be used as a full defence strategy

What it does not prevent

Files being encrypted again by ransomware
Files being deleted or corrupted
The system being locked or made unusable

What it can still be good for

• Preventing data theft if files are exfiltrated

• Limiting extortion via stolen data leaks

• Protecting backups stored in cloud/shared drives from being read by attackers

My focus as always is on the SME community and therefore I always aim to keep costs down to a level that makes sense to them. I am much more a fan of FLE than WDE however, as WDE comes from with both Windows and Mac, then let’s use it. Many corporate organisations use both as a belt and braces protection. But remember, on its own it’s not a total solution and should be implemented as part of a more holistic cyber defence.

I hope this has given an insight into the subject and answered some basic questions. If you would like to understand more about this then please give me a call or an email, I’d be delighted to chat it over.

Managed Detection and Response (MDR)

What’s this all about and why would it be of any benefit to you? The first part is easy to explain but the second is a little more problematic. MDR is a cybersecurity service designed to help organisations, including small and medium-sized enterprises (SMEs), detect, investigate, and respond to cyber threats without needing their own large security team. That latter bit is important for an SME simply because they don’t have the expertise or resources to do this themselves, neither can they rely upon their local IT provider to do this for them, even if only because it almost certainly won’t be in your service contract.

What does it give you:

Capability	Why it matters to SMEs
Around-the-clock monitoring	Cyber threats don’t stick to business hours – MDR providers watch systems 24/7.
Threat detection using modern tools	Uses advanced analytics, machine learning, and threat intelligence that SMEs typically can’t afford or manage internally.
Rapid Incident Response	Can remotely contain and remediate attacks before they spread.
Security expertise on demand	SMEs gain access to required expertise.
Proactive threat hunting	Identifies hidden attackers or early-stage breaches.
Compliance and reporting	Helps SMEs meet regulations (e.g., GDPR, Cyber Essentials, ISO 27001) with clear reports.

The above describes a full service, SMEs do have the choice of selecting a full response or an alerting service which also gives guidance on what to do i.e. helps manage a response by you.

It’s important to understand what an MDR is not:

Not a replacement for basic security hygiene (patching, backups, strong access controls)
Not just a tool, it’s a combination of technology + human expertise
Not “set and forget”, you still must collaborate on remediation decisions

So now we understand what MDR is, let’s look at why you might want it. SMEs are increasingly targeted by cybercriminals due to limited in-house security resources. An MDR service provides continuous monitoring, advanced threat detection, and rapid incident response, improving cyber resilience while reducing operational burden and cost. Implementing MDR will significantly reduce the company’s cybersecurity risk and support compliance, business continuity, and customer trust. And if you think this is all over the top let’s remember Knights of Old, they were an established trucking company who moved a lot of what you might call just in time goods, i.e. perishables. They were hit with a ransomware attack and went under in a frighteningly short time.

So just to crystallise the problem, current security controls are designed to be preventative and are largely reactive, with no proactive elements to them. They lack:

24/7 threat monitoring
Real-time detection and investigation
Specialised expertise required for modern cyber threats
Rapid response capability to contain breaches

As a result, you potentially face::

Increased probability of a successful attack
- Delayed breach response → attackers remain undetected for months
- Data exfiltration and business disruption
Higher financial and operational impact if one occurs
Non-compliance with data protection obligations (e.g., GDPR, industry standards)
Reputational damage and loss of customer confidence
Insurance coverage gaps (cyber insurers increasingly mandate MDR-level monitoring)
Greater operational and legal fallout from incidents

The trick for many SMEs would be finding a solution that is suitable for them and just as importantly affordable. A good fit could be:

Affordable subscription model with no costly infrastructure
Bridges the cybersecurity skills shortage
Improves resilience against ransomware, phishing, insider threats, and more
Scales as the business grows

SMEs would also need to consider whether they need a full response service or an alerting service level. The latter is obviously cheaper and maybe more appropriate for many. The coverage they should be looking for needs to include:

Endpoints (laptops, servers)
Cloud workloads (Microsoft 365, Azure, etc)
Identity services (Active Directory)
Network visibility
Email security
Remote workforce monitoring

I hope that this provides food for thought as I know many SMEs will not have considered this type of service or if they have, they will have dismissed it as too expensive and probably over the top. And for many years this would have been just that. I first got involved with this back in 2002 and built several security operations centres over the years, including staffing levels and processes.

Generally, these have been way too expensive for an SME to consider. But that has changed now, there are services available which are designed for SMEs, and which are affordable and appropriate. Now I know you’ve been waiting for the pitch and here it comes. At H2 we provide such a service which is very affordable, and we are happy to stack it up against others. We offer a 14 day totally free trial, that covers your whole estate, i.e. not restricted to one or two systems, or departments, but your whole organisation.

How one SME coped with the fall out of a cyber attack

We talk a lot about how to protect ourselves from cyber-attacks and the potential for how easy or difficult it is for cyber criminals to attack companies of all sizes and types, but we don’t often describe real events which could impact those companies until they actually happen, and then, we often only get the information that they want us to have.

So, we thought we’d try and do just that, albeit in a sanitised way (with permission) to protect the privacy of the company involved.

Background

The target was a small. To medium sized design agency based in the UK. They manage branding and marketing materials for a significant number of clients, many of whom share confidential product data and campaign details before public release. And of course, the company held their own confidential data regarding their operations, finances and personnel.

For years, this agency relied on a mix of free antivirus software, shared passwords, and basic email communication. Like many SMEs, cybersecurity wasn’t seen as a priority until the day that all changed!

So, what happened?

One Friday morning, a manager noticed that all shared project files on their network drive had strange extensions and couldn’t be opened. A ransom note appeared on every folder:

“Your files have been encrypted. Pay x amount of Bitcoin to recover them.”

The team had been hit by ransomware.
Their business was paralysed, and they couldn’t access their admin and finance systems or their client work, deadlines loomed, and panic set in.

The IT contractor confirmed the bad news: a staff member had unknowingly clicked a link in a fake invoice email that mimicked a well-known supplier. The malware spread across the network overnight.

At this point many companies fall into complete disarray simply because they haven’t got a disaster recovery and business continuity plan and they have no way of operating their systems manually. Management will be demanding to know how long they can manage without their IT systems and how long it will take to get everything up and running, without paying the ransom. The IT company will be pressured about backups; are there any and if so when can they be restored, which is when of course they realise that without their systems, there is nothing to restore the backups to.

The IT company confirmed that they did have backups stored off-site as part of the contract but that daily backups were stored on site and that the onsite backup server was also compromised, and the off-site backups were taken once a week, which meant that as by this time it Tuesday, the off-site backups were 2 days old. But much better than nothing.

The problem remained that they had deadlines to meet and if they didn’t want to lose clients and have their reputation in their industry shattered, they had very little time. Reluctantly the management made the decision to pay the ransom which meant they had to go cap in hand for extra funding as they operated on tight margins and the ransom in pounds was close to £150k.

This got them back online and saved their projects and reputation but at a cost that really hurt and not just in financial terms, but in their pride as managers. It really stung. They knew that had to bite the bullet and take cyber security seriously. They realised that their local IT company, although excellent in keeping their network up and running efficiently as well as providing their hardware and software, and kept strictly to the terms of the contract, was not going to protect them to the level that they needed.

The rebuild

Having got everything back up and running they were seriously worried that they might get hit again quickly, before they had a chance to sort things out. There was no room for complacency but at the same time they had to go forward with a strategic plan. So, they brought in a specialist cybersecurity company who guided them through a strategy to not just recover, but to protect themselves going forward.

One of the first things they learnt is that cyber security is a business issue and not a technical one. Management must own it and understand it. It starts with people, having the right people in the right place who understand, at least at a high level, the issues and how to take basic precautions to protect themselves and the business. Then comes policy and process, coming down from the top, regularly reviewed and updated by management, and promulgated to all staff with regular reminders. Once that’s in place we can look at technology. Noone had articulated that to them before.

The first thing their new cyber partner did was to devise a high-level strategy that the company could adopt going forward. They explained that it needn’t be complicated and in fact, the simpler and easier to understand, the better. Keep tech jargon out of it and use plain English. They came up with a plan which identified some quick wins to protect them quickly, before coming up with more detailed projects that could be phased in over time.

The quick wins were:

Cyber awareness training for all staff including management. Let’s make sure no one ever clicks a link they shouldn’t. The training should be done at induction and then refreshed regularly throughout the year. It can be run by the HR staff or a HR company under contract if that is the case.

Produce policies starting with a high-level policy signed off by the CEO which clearly outlines everyones responsibility for cyber security and who is responsible for the detailed polices which will underpin this top-level policy.

Enforced multi factor authentication (MFA) for all logins and a password manager to replace the spreadsheets they were using.

This is then followed by more detailed projects phased in over time. The phasing helps to ensure that there is not too much disruption to the business operations and that staff can be carried along with it, ensuring their buy in. It also helps to make sure that it fits in with the company budget and doesn’t hit the bottom line all at once. It included:

An examination of the contract with the IT company and making any revisions that might be necessary. For example, the back-up regime.

Migrated to a cloud-based file system with built-in versioning and encryption (in this case MS365 was chosen which is a favourite go to for SMEs and was offered by their IT support company).

Every employee completed simulated phishing exercises as part of the awareness training.

A detailed incident response plan was produced which clearly detailed who was responsible for what, who to contact and what to do, in a prioritised order. It also outlined a business continuity plan written by departmental heads, showing how the company would continue to operate whilst systems are recovered.

Identification of assets, i.e. databases, client information, HR data, financial data, project plans etc, to prioritise what data needs to be protected to what level.

Identity and access management review with a view to moving to a zero-trust access control system.

Consider applying for cyber essentials certification.

The Outcome

Within six months, they were back on track and stronger, much more resilient. They were, like most companies, hit with phishing attempts all the time but their employees were trained to recognise them instantly and knew who to report it to. No one clicked the link.

Clients noticed the change, too. The company started to include a short “data protection and security” statement in their contracts, which won them new business. Larger clients trusted them more because they could prove their cyber resilience. They were now committed to Cyber Essentials and would include that logo on their website and advertising as soon as they qualified.

The big lesson

Their experience shows that cybersecurity isn’t just an IT issue — it’s a business survival issue. Even small steps, awareness, MFA, and secure backups, can transform an SME from a target into a resilient organisation.

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target and there are a ton of statistics available which shows that SMEs globally are a very real target for cyber-attacks and can in fact, be very profitable for cyber criminals. There are a lot of reasons for that but one of the top reasons is that typically, SMEs spend very little on cyber defence and generally have very weak defences. Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault. Most are focused on their core business, trying make a quid or two and are pressed for time. They tend to rely on whatever company, usually local, that supplied their network, hardware and software, generally on a retainer. The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then, not necessarily the right technology.

When it comes to cybersecurity governance and management, there is no “one size fits all” approach. In today’s threat landscape we need to fully understand that cyber security is not a purely technical problem, focused on hardware and endpoint protection and on operations within the organisational perimeter. Today we are dealing with cloud storage, in office and remote working, data at rest and in transit, involving security at every point along the route.

It is critical that someone within the organisation has to take responsibility for cyber security and that person must have a seat on the Board. A Board-level response is not just appropriate; it is essential.

Secure by default and design

Now that’s an interesting title, but what does it mean? Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to the cloud of some sort, very possibly for SMEs, MS365, but when the design was done, there wasn’t a full risk assessment undertaken which is a requirement to underpin that design. In other words what we in the cyber security industry refer to as Security Architecture Design (SAD), wasn’t a prominent consideration.

Not unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else. And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate? No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

7. Collaboration with external partners: Establishing a partnership with cyber security company that understands the issues that affect SMEs and who themselves can establish a solid working relationship with the IT provider that is providing and administering your network and IT resources, will enhance your protections, significantly improve your employee and managerial awareness of the issues, and provide you with the peace of mind you need, allowing you to concentrate on your core business.

Cyber Security Architecture

In many of my discussion with small to medium business owner on the subject of Cyber Security and how it may impact them, one of the things that does stand out, amongst quite a few, is the lack of understanding about security architecture. So, I thought it was worth discussing it further.

What is security architecture? Well, in a nutshell it’s the technical elements of security that are used to mitigate cyber risks. Many of you may have read or heard of me talking about the differences between IT Security ie, the technical elements, and Cyber Security ie, the risk managed elements, a more holistic approach if you like. And of course, the two remain separate whilst maintaining a symbiotic relationship in that one begets the other, or it should. Security architecture, in order to be fully effective, has to be based on risk management ie, if you haven’t identified the risks, how can be sure that whatever technology you’ve been persuaded to buy, is necessary and effective?

All SMEs will have things like a firewall and anti-virus, possibly going a step further and having some form of end point protection against most malware attacks. But how did they arrive at the products they have purchased and taken into use. Well generally that is based solely on the recommendation of whatever IT support company they’ve bought it from. Usually, the local IT company that they use to supply their hardware and software and who often provide technical support as well.

I’m not against building a relationship with a local IT provider, in fact it’s a very good idea, but all SMEs have to realise that those companies are what is known as Value Added Resellers or VARs. What that means is that they have a relationship with hardware and software vendors and that their staff are trained in the installation, configuration and sometimes maintenance, of those vendors hardware and software. Is that a problem? That depends very much on how the requirement for a solution was arrived at. Was it based on identifying the risk through some form of risk assessment process, or was it arrived at because that’s the products they sell and are comfortable with? All too often it’s the latter.

I’ve also talked elsewhere about the other non-technical controls that might be required, such as policies and process, another subject but one which is vitally important and can often be better placed to protect a company than expensive tech.

How many SME owners have had the reasoning behind the purchase of technical solutions explained to them? And to be fair to the VAR, how many SME owners have asked for it to be explained to them? It is typical, when I visit SMEs, to find that they have what is known as a flat network. That means that they have one gateway into the network, introducing a single point of failure, and no segmentation within the network. Lack of segmentation means that once an intruder is in, and often the gateway firewall is a dual firewall/router entry level device, not the best, then there are no other controls to stop the intruder from attacking end points, such as for instance, your finance department/person, or perhaps just taking whatever data they want in a stealth attack, so that you don’t even know it’s been compromised.

Of course, these days that is often exacerbated by the increasingly popular remote working. I know not every company has embraced this, but many have and have not through the security implications.

Segmentation, remote access and remote security solutions need not be overly expensive to implement and may save a lot of money in the long run. But the main point is that unless you have carried out a risk assessment, then you don’t actually know whether you need a particular solution or not. Neither do you know whether your firewall and/or router is up to scratch, whether your anti-malware system is doing what you think it’s doing, whether your policies and processes are adequate for the task and whether your staff understand the issues and dangers.

None of these things need be complicated and difficult but they are essential to adequately protect you against and increasingly sophisticated and ever evolving cybercriminal community.

Cyber Security is a Business Issue

This is a subject I return to quite often and it’s all about how cyber security is viewed by many SMEs, and I’ll explore why that view appears to be paramount. I am pretty much of the view that the attitude I’m about to expand on, is as much the fault of the cyber security industry, as anything else.

We tend to flood potential clients with adverts and articles, mainly focused on technology. Many of this comes from sales, rather than from the seasoned cyber security experts, that you might wish it did.

Let me give you a couple of quotes. The first comes from a renowned Harvard scientist and cyber security specialist. He says, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.’ The second comes from Stephane Nappo, Vice President and Global Chief Information Security Officer for Groupe SEB, ‘It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.’

Boil that down and they are saying that this is not an IT issue, it’s a business issue. That’s not discounting technology’s role but without integrating it with PEOPLE and PROCESS, we’re only curing half the ailment. When advising a company’s leaders, we must not only identify the threats but also gauge vulnerability to these threats and ascertain the risk to the business. Only then can we craft a solution that harmoniously unites People, Process, and Technology.

Perhaps because there is a considerable amount of what we call FUD, fear, uncertainty and doubt, doing the rounds constantly, it concentrates people on thinking about specifics, instead of looking at the bigger picture. Whilst there is no doubt that phishing, ransomware, and other scams have certainly concentrated the mind somewhat, and these attacks are most definitely not confined to the large enterprise businesses, but have been attacking, with a lot of success, the small to medium business market, this causes vendors to try and exploit the issues around that and push their technology solutions and of course, SMEs rarely, if ever, have the expertise to judge whether or not a particular product will actually give them the protection they need. We now must add into the mix AI and its capacity for increasing cyber-attacks at all levels, making the production of code, so much easier and making it available to those perhaps less skilled than heretofore.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology. They rely on their IT provider to give the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime. All well and dandy. Let’s just remind ourselves of the quote from Bruce Schneier:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.

So, what does he mean? As he’s not here to ask I suggest what he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI). It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force. To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

It’s also necessary to have some form of measuring the effectiveness of your solutions through a protective monitoring solution. Such solutions for SMEs have long been considered too expensive to even consider, even though it provides a set of cybersecurity practices and measures aimed at safeguarding an SMEs digital assets and sensitive information.

But first and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it? Taking risks is a part of business. You assess risk every day when doing business. Do you want to do this deal? What happens if it goes not as expected? Do I want to take this person on? Etc etc etc. Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take. Failure to do that will almost certainly be damaging to your business, perhaps fatally so.

Within SMEs the difference between assessing day to day business risk and assessing risk to information assets, is one of understanding. What is an information asset? Note the word ‘information’ rather than IT. It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on. You understand your business risk, after all it is your business, but do you understand information risk? Do you have a clear idea of what information assets you have and where they are? Before you answer that think it through. Do you really know where all the data is? OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business. How much of that data has been saved onto staff workstations when they needed it to carry out some work? How much has been copied off somewhere else for what was probably a very good reason at one point? How well is your firewall functioning? Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations. I could go on.

The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team. That needs to be understood fully by those at the top. That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate to achieve your business aims. You need to ensure that supporting policies are produced, implemented, understood by employees, and regularly reviewed and updated. At H2 we tend to produce an information security and data protection handbook which can run into many pages. Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management. One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way. Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

Sadly, that’s not the end. User education is probably the most important element of all for an SME. Ensuring that your staff are aware of the policies and why they exist. Protect yourself against scams which sadly, form the biggest danger to SMEs rather than hacks. Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

Ransomware, Phishing and other Malware