Risk Analysis and Security Strategy

An increase in sophistication in cyber-attacks in 2025

Artificial Intelligence (AI) is a fascinating subject, but it’s also a controversial one. These days, we are all using it to some extent. I know I do in the solutions I provide for SMEs, as it allows for a large degree of automation, which in turn lowers costs. Lowering costs is always a priority for an SME.

So what is AI?

Artificial intelligence (AI) refers to computer systems that can perform tasks typically requiring human intelligence. This could include visual perception, speech recognition or translation between languages.

That description was the one put forward by the NCSC, and so it'll do for me, although I've no doubt you'll find other descriptions if you look hard enough.

Often, what is called AI isn’t all that intelligent. It’s not taking in information, analysing it and coming up with answers. Of course, some very clever versions are doing just that, but they are mostly not available to you and me. The versions we see are very good at being asked a specific question and data mining various sources at an incredible speed and then producing the answer you want, usually with several variations. And that’s pretty much what most of us want to use it for.

As I said above, I use it in the applications I use for cybersecurity managed services directed at SMEs, not least because automation reduces cost, but also because it is very efficient, meaning that the results it produces need minimal human intervention to analyse.

But let’s look at the downside of AI in cybersecurity, which is what the cyber criminals are using it for. Firstly, what is it that is at risk:

  1. Data Leakage. AI systems tend to be extremely good at analysing, organising, and harvesting vast amounts of data, raising concerns about privacy breaches and unauthorised access to sensitive information. A good AI-powered attack could capture huge amounts of personally identifiable information (PII) in a ridiculously short amount of time.
  2. Data Integrity. In the good old days (please indulge me – I’ve been around a long time), we used to talk about CIA, no, not the infamous US intelligence agency, but Confidentiality, Integrity, and Availability. We now have something we call the Adversarial Attack. This is where attackers can manipulate AI algorithms by feeding them misleading data, causing them to make incorrect predictions or classifications, in turn destroying the integrity of your data, not just rendering it useless, but also dangerous.
  3. Model Vulnerabilities. This next one is relatively new, at least to me, and as I never tire of saying, I’ve been in this game as long as there’s been a game. It’s something called Model Vulnerabilities. AI models can be vulnerable to exploitation, such as through model inversion attacks or model extraction, where attackers can reverse-engineer proprietary models. So, if you’re in the dev game, this is a very real nightmare.
  4. Bias and Fairness. AI systems may inherit biases from training data, leading to unfair or discriminatory outcomes, which can have legal, ethical, and reputational implications. This could be used as another form of extortion, playing with the integrity of your data, to the point where you can no longer trust it.
  5. Malicious Actors. These can compromise AI systems at various stages of development, deployment, or maintenance, posing risks to organisations relying on these systems. This has a role in supply chain security.
  6. AI-Enhanced Attacks. Attackers can leverage AI techniques to enhance the effectiveness of cyberattacks, such as automated spear-phishing, credential stuffing, or malware detection evasion.

What we saw in 2025 is an era where cyber‑attacks are AI‑powered, highly targeted, automated, supply‑chain enabled, multi‑stage, and geopolitically driven. These attacks exploit weaknesses across credential systems, zero‑day exploits, deepfake tools, and ransomware as a service (RaaS) platforms.

We are in an accelerating digital arms race that calls for AI‑driven defence capabilities, real‑time insights, deception environments, zero‑trust architectures, and quantum‑safe cryptography.

  1. Cybercriminals are leveraging AI to automate vulnerability scans at astonishing speeds, up to 36,000 scans per second, resulting in massive volumes of stolen credentials (1.7 billion) and drastic upticks in targeted attacks.
  2. AI is also generating hyper-realistic phishing messages, deepfake audio/video, and even “CEO fraud” to manipulate individuals into transferring funds, like a deepfake trick that siphoned US $25 M in Hong Kong.
  3. RaaS platforms now enable less skilled attackers to run ransomware, complete with support and updates. Over 70% of attacks now use these services.
  4. Attackers have shifted to double/triple extortion schemes, encrypting data, threatening to leak it, and sometimes targeting associated partners or customers.
  5. Next-gen ransomware is rolling out advanced stealth, data theft, and automated lateral movement techniques, i.e., using an initial breach to jump across to other parts of your network or that of your partners and customers.
  6. Attacks starting via third-party software or vendors allow hackers to move laterally into networks and compromise multiple organisations simultaneously.
  7. Nation-states are not just using espionage but are now partnering with ransomware gangs to conduct financially and politically motivated operations.
  8. Nation state-aligned hackers are conducting sophisticated credential theft, MFA bypass, lateral infiltration, DDoS, website defacements, and disinformation across geographies.
  9. Exploit kits now rapidly find zero-day vulnerabilities, especially in cloud environments, to bypass patching cycles.
  10. Attackers increasingly use built-in legitimate software and system tools (living off the land) to evade detection.
  11. Reported credential theft incidents rose 300% from 2023 to 2024, with 25% of malware focused on stealing login data.
  12. These stolen credentials are a gateway for automated brute‑force, lateral movements, and supply‑chain infiltration.
  13. Millions of IoT and OT systems (from manufacturing to agriculture) remain insecure and are now common targets of AI‑driven automated attacks.
  14. Mobile‑specific ransomware is emerging; threat actors are developing malware to extort victims directly via their mobile devices.
  15. In response, organisations are deploying deception tech (honeypots, decoys) to detect lateral intrusions or zero-day exploits in real time.

Let’s not make the mistake of thinking that this is all very sophisticated and requires expertise and resources to pull off. It doesn’t. Take another look at some of the bullets above, where we talk about RaaS, or Ransomware as a Service. This takes me back to what we used to term the ‘script kiddie’: relatively unskilled and unsophisticated ‘wannabe’ hackers who would visit the dark web and buy scripts from skilled hackers, which they would then try to use to make money, often unsuccessfully.

This has now moved on to using AI and services such as RaaS; this type of low-skilled individual is back, but this time with a greater level of success. Let me give you a real example of how AI can be used by someone relatively low on the criminal totem pole. Using ChatGPT, the question was posed:

Can you write some ransomware code for me?

So, did ChatGPT help to write ransomware code? Well, not initially: it gave a stock answer about not being able to write code that might damage a computer system. Some toing and froing, trying to get around this, achieved the same result. So far, so good. That’s an ethical answer I would like to see.

Coming at it obliquely, via a back-and-forth conversation, can produce different results. Give it the instruction to write some C code to encrypt a single file, and get the result:

Certainly. Here’s an example of how you can use the OpenSSL library to encrypt a single file using the AES-256-CBC encryption algorithm in C.

The next step was to ask it to modify the code to encrypt a whole directory, which it did willingly.

Obviously, this isn’t the complete answer, and there would be more work to do, more research and probably a trip to the dark web, but a relatively unskilled individual can make a good start at producing their own ransomware.

I even asked ChatGPT to give me a description of how AI can be a boon as well as a danger to society:

AI can be both a boon and a potential danger in terms of cybersecurity. On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks. On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously. Sophisticated AI-powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale. It is crucial to develop robust safeguards, ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

If you’re looking for answers as to where we stand with AI, there are a multitude of opinions, I’m afraid, mostly because many of us are still trying to work that out for ourselves. However, I will continue to explore it, use it carefully and with forethought. The questions I pose will be based on my own knowledge of cybersecurity and my experience in life. Let’s hope I get it right.

LESS FEAR MORE FIXES: WHAT SME LEADERS WANT FROM CYBER SECURITY

That’s a good question and one that I’ve often pondered upon. Cost effectiveness, obviously: everyone’s on a budget, especially these days, and there is a healthy reluctance to spend money on what is seen as not being your core business.

I would argue that these days IT is part of your core business, or perhaps part of your core business operations.  Ask yourselves how many of you can continue business without access to your IT systems and the data they hold.  If IT is part of your business operations, then so is its integrity and security.

Let’s take a quick look at some of the reasons why security doesn’t feel like core business to many people:

  • It’s invisible when it works

If cybersecurity is doing its job, nothing happens. No alerts, no fires to put out, no obvious ROI. Compared to sales, ops, or product delivery, it feels abstract and thankless.

  • It’s framed as an IT problem, not a business risk

Many SMEs still see cyber as “the IT guy’s job.” Leaders think in terms of revenue, customers, and growth whereas cybersecurity often isn’t translated into those terms.

  • Short-term survival beats long-term risk

SMEs run lean. Cash flow, hiring, and winning the next customer feel urgent. Cyber risk feels probable someday rather than painful today, so it gets deprioritised.

  • Lack of personal exposure

If a leader hasn’t personally experienced a cyber incident, or heard a close friend’s horror story, it’s hard to internalise the risk. Threats feel like something that happens to “big companies” or “other people.”

  • Complexity and jargon turn people off

Cybersecurity language is often technical, fear-based, or compliance-heavy. When leaders don’t fully understand something, they’re less likely to own it as core strategy.

  • No clear ownership at the top

In many SMEs there’s no CISO, no risk committee, no board pressure. If no one at leadership level “owns” cyber risk, it floats somewhere below the surface.

  • Seen as a cost centre, not a value driver

Cybersecurity is usually positioned as insurance or compliance spend, not as something that enables trust, customer retention, or business continuity.

  • Optimism bias

Many SME leaders quietly think: “We’re too small / not interesting enough to be targeted.” Unfortunately, attackers often prefer SMEs because they’re easier targets.

Now let’s flip the mindset.  Cybersecurity starts to feel like it’s part of the core business when it’s framed as:

  • Protecting revenue not systems.
  • Protecting customers not servers.
  • Protecting the ability to operate.

Cyber incidents have to be seen as business-stopping events, not just technical inconveniences. Once that is recognised at the top, cybersecurity tends to be moved into core business territory very quickly.

So, going back to the question I posed above, what do SME owners want from cyber security, assuming now that they truly embrace its importance to the core of the business they are running? I did mention cost effectiveness above, and what follows has to be seen in the context of individual budgets, which will necessarily affect the spend. To make sure of that, any security spending must be targeted on what is genuinely important, and indeed critical, to the business, not just on what is assumed to be critical or important.

What comes top of my list every time is the protection of critical business data.  Think of this in terms of what outcome is wanted.  Generally, that means that customer data, financial records, HR data and intellectual property remain confidential and intact.  From the angle of cost-effectiveness:

  • SMEs prefer low-cost but high-impact controls such as strong passwords, multi-factor authentication, and encrypted backups rather than expensive enterprise systems.
  • Preventing a data breach is far cheaper than paying fines, compensation, or suffering reputational damage.

High on the list of importance comes business continuity and minimal downtime. It’s vital that systems stay available so the business can keep operating even after an incident. This generally means simple, automated backups and basic disaster recovery plans that can be pulled off the shelf, having been regularly updated and tested, and put into use. Plans must minimise lost sales and staff productivity.

There’s a lot more to this whilst trying to keep it simple. Some headlines:

  • Compliance and regulatory requirements – industry dependent except for things like PCI, GDPR etc.
  • Reducing risk to a level that the organisation deems acceptable.  What is known as the risk appetite.  There is no such thing as 100% security, you are essentially managing risk down to a level you can live with.
  • Ease of use for staff.  Security shouldn’t cause frustration and slow things down. 
  • Predictable costs.  Clear, predictable cybersecurity costs that fit within limited budgets.
  • Reputational and customer trust.  Whilst the fallout from loss of trust with your customers can vary from company to company, it is often extremely damaging, especially for companies that hold lots of personal client data.  Maintaining trust through basic security measures is far cheaper than trying to rebuild after a breach.

SME owners and managers are usually not looking for “perfect” security. Their focus is on practical outcomes that protect the business without overspending. Don’t be lulled into a false sense of security, believing that the technical solutions you have been sold are adequate protection. Ask questions, look for assurance that you have this covered, and remember that often the best solutions are procedural, not technical. Look at things from the angle of people, process and then technology.

Good Luck!!

Security on Paper vs Security in Practice: What Executives Need to Know

My recent articles have been all about data leakage, and I very briefly indicated that we have a solution for that. I am aware, though, that in cyber security, and in fact in data protection generally, technical solutions on their own are not sufficient. They must be underpinned by sound policies and procedures. One of my favourite quotes, which I probably use too often, but I make no apologies for that, is by a Harvard professor and cyber security evangelist, Bruce Schneier. He says:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

What am I getting at here exactly? Well, some solutions are not about technology at all and are best done procedurally, with sound cyber awareness training. Other solutions are technical in nature but must be underpinned by sound policies and processes, rolled out to staff and understood by them through cyber awareness training that covers those policies and processes and explains why they are necessary.

The great cry from cyber security professionals is – People, Process and then Technology.

For many SMEs, cybersecurity policies do exist but real visibility into cyber risk does not. Policies are often written to satisfy compliance requirements, reassure clients, and demonstrate intent, yet they rarely answer the questions executives care about most: Where are we vulnerable? What could realistically disrupt the business? Are we investing in the right protections?

What we are saying here is that security documentation should be more than a defensive tick box. When policies are actively mapped to vulnerability assessments, they become a powerful source of risk intelligence. Gaps between documented controls and technical reality surface quickly, exposing weaknesses that attackers are far more likely to exploit than auditors are to find.

In an environment where cyber incidents increasingly target smaller organisations, the difference between written policy and operational security is no longer academic. Converting policy into protection is a practical, achievable step that materially reduces risk and one that executive leadership is uniquely positioned to drive.

The trick is understanding what your risks are and what needs protecting and at what level.  What we mean is separating out what is highly sensitive, sensitive and not so much.  Our system helps you map this and helps you make some informed decisions, but it won’t write your policies for you.

I’ve written articles in the past on risk management and on identifying threats and vulnerabilities and mapping them to risks: identifying what could go wrong digitally, understanding how bad it would be for the business, and deciding what to do about it, all within your budget and risk appetite. Think of it like financial or operational risk, just applied to data, systems, and online operations.

You can’t protect everything equally.  You don’t need a threat catalogue, just a broad understanding of the common ones that hit SMEs.  You can then assess:

Risk = Likelihood × Impact

Translate tech issues into:

  • Revenue loss
  • Operational downtime
  • Legal/regulatory exposure
  • Reputational damage
  • Customer trust erosion – reputational damage

What we are looking to do is to decide how we treat each risk. There are really four options that you need to think about for each risk:

  • Reduce – put controls in place (e.g., MFA, backups)
  • Accept – consciously live with the risk
  • Transfer – insurance, contracts, outsourcing
  • Avoid – stop doing the risky thing
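To show the Risk = Likelihood × Impact scoring and the four treatment options working together on a small register, here is an added Python example. It is not code from the article or from H2: the 1–5 scales, the risk appetite threshold, the sample risks and their business effects are all constructed assumptions, and the point it makes is that a risk without a recorded decision, or one still above appetite after treatment, is exactly the gap the register should surface.

```python
"""Scoring a small SME risk register with Risk = Likelihood x Impact and recording
a treatment (Reduce, Accept, Transfer, Avoid) per risk. Added illustration, not a
method from the article or H2's tooling: the 1-5 scales, the appetite threshold
and every sample risk below are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

# Assumed ordinal scales; any scale works as long as it is applied consistently.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENTS = ("reduce", "accept", "transfer", "avoid")


@dataclass
class Risk:
    name: str
    likelihood: str                  # key of LIKELIHOOD, before any treatment
    impact: str                      # key of IMPACT, before any treatment
    business_effects: tuple          # revenue loss, downtime, legal, reputation, trust
    treatment: Optional[str] = None  # one of TREATMENTS, or None if no decision yet
    residual_likelihood: Optional[str] = None  # expected after treatment
    residual_impact: Optional[str] = None

    def __post_init__(self):
        if self.treatment is not None and self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r} for {self.name}")

    def inherent_score(self) -> int:
        """Risk = Likelihood x Impact, with no controls assumed."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Score after the chosen treatment; unchanged if nothing is recorded."""
        lik = self.residual_likelihood or self.likelihood
        imp = self.residual_impact or self.impact
        return LIKELIHOOD[lik] * IMPACT[imp]


def rank(risks):
    """Highest inherent score first, so attention goes where it matters most."""
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)


def review(risks, appetite: int) -> dict:
    """Split the register into risks with no treatment decision, risks whose
    residual score is still above the appetite, and risks now within it."""
    result = {"untreated": [], "still_above_appetite": [], "within_appetite": []}
    for r in risks:
        if r.treatment is None:
            result["untreated"].append(r.name)
        elif r.residual_score() > appetite:
            result["still_above_appetite"].append(r.name)
        else:
            result["within_appetite"].append(r.name)
    return result


# Constructed sample register for a small firm (not real data).
SAMPLE_RISKS = [
    Risk("Ransomware encrypts the file server", "likely", "severe",
         ("downtime", "revenue loss"), "reduce", "unlikely", "major"),  # backups, MFA
    Risk("Phishing leads to mailbox compromise", "almost certain", "major",
         ("reputation", "legal"), "reduce", "possible", "moderate"),    # MFA, training
    Risk("Legacy payment app no longer patched", "possible", "severe",
         ("legal", "trust")),                                           # no decision yet
    Risk("Lost laptop holding customer data", "possible", "major",
         ("legal", "reputation"), "reduce", "possible", "minor"),       # disk encryption
    Risk("Supplier portal breach exposes invoices", "unlikely", "moderate",
         ("trust",), "accept"),
]
APPETITE = 8  # assumed: anything still scoring above 8 needs further action

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        print(f"{r.inherent_score():>2} -> {r.residual_score():>2}  {r.name} "
              f"[{r.treatment or 'NO DECISION'}]")
    print(review(SAMPLE_RISKS, APPETITE))
```

Run as a script it prints the register ranked by inherent score, then the review buckets. With the constructed data, the unpatched legacy app comes out as untreated and the phishing risk as still above appetite after its planned reduction, which is the kind of finding that turns a list of technical issues into a budget conversation.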

There was an interesting post on LinkedIn recently about the Bank of England having just dropped its 2025 CBEST Thematic Report, with some interesting findings.

After 13 threat-led penetration tests across UK financial services, the message is clear: most vulnerabilities aren’t sophisticated. They’re foundational.

  • Passwords stored in spreadsheets and shared drives
  • Weak MFA enforcement and poor credential hygiene
  • Inadequate network segmentation
  • Detection capabilities that couldn’t spot simulated attacks early
  • Staff still falling for social engineering

The regulators’ call to action is direct:

  • Harden your systems – patch and configure properly
  • Fix your credentials management – MFA, strong passwords, no plaintext storage
  • Detect faster – monitoring and alerting that actually works
  • Remediate based on risk – with proper oversight, not just tactical patches

What I’m touching upon here is multi-layered security, what in the military we referred to as strength in depth. Monitoring systems has often been thought of as too difficult and expensive for SMEs, but that’s no longer true. We now have a solution that is affordable and designed specifically for SMEs: it handles monitoring but also has some useful add-ons, such as vulnerability assessment, phishing simulations and a built-in cyber awareness programme, all within the licence costs, with no hidden extras.

More About Data Leakage

Last week’s newsletter was all about data leakage, and I argued that it isn’t a well understood problem and doesn’t get the attention it deserves. We all know about data protection, at least at a high level, and we know about the regulatory issues around it, although many take the view that talking about that is scare tactics designed to make you buy something. And OK, it can be just that, but that doesn’t make it any the less real.

We all need to be cognisant of the issues and potential fallout, but it becomes much more of an urgent issue for organisations that depend upon holding and processing large amounts of what is known as Personally Identifiable Information or PII.  That is information that can identify a specific individual, either on its own or when combined with other data.  PII spans quite a large category of data:

a. Direct identifiers (identify someone immediately)

  • Full name
  • Social Security number / National ID number
  • Passport number
  • Driving licence number
  • Biometric data (fingerprints, facial recognition data)

b. Contact information

  • Home or mailing address
  • Email address
  • Phone number

c. Financial information

  • Credit or debit card numbers
  • Bank account and routing numbers
  • Tax records
  • Payment transaction histories

d. Digital & online identifiers

  • IP address
  • Device IDs (IMEI, MAC address)
  • Cookies linked to an individual
  • Account usernames (when tied to a real person)

e. Personal characteristics

  • Date and place of birth
  • Gender
  • Marital status
  • Employment details
  • Education records

f. Sensitive PII (higher risk if exposed)

  • Medical and health records
  • Insurance information
  • Genetic data
  • Precise location data
  • Criminal history

We all process some data of this kind, if only data pertaining to our own employees, such as payroll information. However, we often also hold personal data regarding our customers and suppliers: names, payment details, addresses etc. But consider organisations that store and process data covering many of the categories above. I’m thinking about law firms, financial firms, even real estate agents and recruitment agents, amongst others. Have you thought about the categories of PII you are holding? Have you identified the sensitivity of the data you hold, and do you protect it accordingly?

It’s also important to understand what PII is not. 

  • Fully anonymised or aggregated data
  • General information that cannot be tied to a specific person (e.g., “people aged 20–30 in England”).

If you do hold lots of PII that is critical to your business, what do you need to care about?  This will depend to a certain extent on what you are holding and processing, but generally:

  • Protecting reputation above all else
  • Being seen as a safe pair of hands
  • Keeping clients and the board confident
  • Avoiding public embarrassment or loss of trust
  • Having certainty without complexity

Reputational damage can be far worse than losing, say, some money to a scam or ransomware. Firms can often come back from financial loss, but reputational damage is often permanent and fatal. You need to be seen as a safe pair of hands.

A core anxiety is often worrying that if something happens, the organisation wouldn’t be able to confidently explain where the sensitive data is and how it’s protected.  Three things that tend to be a common theme amongst those we deal with at the start of their journey:

  • They know the risk exists
  • They don’t know how big the problem is
  • They hope nothing happens before they act

The problem often gets explained like this:

  • “We don’t really know where all our sensitive data is.”
  • “I’m relying on trust and assumptions.”
  • “Our outsourced IT provides storage solutions and gateway security, but they don’t really have a handle on our data.”

At H2 we understand the issues and anxieties.  We have a solution that deals with these requirements and has a built-in encryption system, all within the same monthly cost.  It’ll cost you nothing to trial it and we’d be very surprised if once you’ve seen it and seen the low monthly charge for the managed service, you don’t want to keep it.

Data Leakage

Data leakage is a subject that is not well understood but can have a devastating effect on a business.  It is a somewhat dry subject that many companies, particularly SMEs, pay little attention to, even whilst understanding the requirements of data protection, even if at a high level. 
 
Most data leaks are not the result of a cyber-attack, although many are, particularly ransomware, but are often the result of an employee either making a simple mistake, or more likely doing something that they didn’t know they shouldn’t.
 
I’m reminded of an issue that arose a couple of years ago with a government department, where magnetic media containing millions of pieces of data belonging to members of the public was sent to somewhere it shouldn’t have been. An employee was asked to download the data and send it out. There was no policy in place for magnetic media handling, and the employee could not be blamed for doing what he was told.
 
Of course, these days electronic data handling makes mistakes like that much easier to make, and as such they happen much more often. The reputational damage from such mistakes can be catastrophic.
 
My subscribers will know that my focus is the SME, large and small. So how does this impact them? Not so long ago a small UK housing association experienced a breach when a disgruntled former employee leaked tenant data, exposing names, addresses, financial details, and tenancy agreements of around 3,500 tenants. This case shows how insider threats and inadequate access controls can lead to leakage of sensitive data in a small organisation.
 
Industry reporting and surveys show that many UK SMEs experience data breaches, with around 43% reporting some kind of cyber security breach or attack in the past year.
 
While not always individually publicised, these incidents often involve:
 
  • Phishing that leads to credential compromise
  • Unauthorised access via weak passwords or unmanaged devices
  • Malware/ransomware encrypting or exfiltrating business data
 
These types of breaches typically result in data leakage of customer contacts, invoices, employee records and sensitive business information that can severely harm small firms.
 
A widespread supply-chain style attack affected companies using compromised versions of popular VoIP software (3CX). While this isn’t a single SME, it demonstrates how attackers target tools widely used by SMEs, leading to stolen data and credentials across hundreds of thousands of business customers globally. 
 
Here at H2, when we are first approached by a prospective client and we begin our offer of a 15-day free trial to examine their requirements, one of the first things we find is that they don’t know what data they are holding, or where it all is. Oh, they have a general idea: it’s on the cloud server(s), it’s not on laptops or desktops, it’s just the stuff we need to process our clients’ requirements, and yes, we’ve only got one copy. And then we install our software, which first carries out a discovery exercise, and we find that their laptops/desktops are holding lots of copies of the data that is on the cloud server(s). How does that happen? Over time, especially with many now employing the hybrid system of working, i.e. between the office and remote (home) locations, employees log on to the cloud, find they have a shaky internet link, download the data they need, work on it and then upload it again, forgetting to delete it from their machine. Or they need to share it, attach it to an email and send it out, forgetting, or perhaps not realising, that the data is now stored, attached to an email, on their email server.
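To make the discovery exercise described above concrete, here is an added Python example that is not H2’s software and not from the original newsletter. It builds a small constructed estate in a temporary directory (a cloud share, two laptops and a mailbox export, all made up for the demonstration), then matches files by content digest rather than by name, so a renamed copy on a desktop or an attachment sitting in a sent-items folder is reported against the master copy on the approved share.

```python
"""Illustrative data-discovery sweep: find copies of files held in an approved
location (the 'cloud share') that have also ended up on laptops or in mail
attachment folders. Added example, not H2's software; the sample files and
directory names are constructed here for the demonstration."""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Content digest, read in chunks so large files don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_by_content(root: Path) -> dict:
    """Map content digest -> list of paths (relative to root) with that content."""
    index = defaultdict(list)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            index[sha256_of(p)].append(p.relative_to(root).as_posix())
    return index


def find_stray_copies(root: Path, approved: str) -> dict:
    """For each file under the approved location, list copies of identical content
    found anywhere else under root. Matching by digest means renamed copies and
    e-mail attachments are still caught; files only outside 'approved' are ignored."""
    index = index_by_content(root)
    strays = {}
    for paths in index.values():
        master = [p for p in paths if p.startswith(approved + "/")]
        elsewhere = [p for p in paths if not p.startswith(approved + "/")]
        if master and elsewhere:
            strays[master[0]] = elsewhere
    return strays


def build_sample_estate() -> Path:
    """Constructed sample: one cloud share, two laptops and a mailbox export.
    The byte contents are placeholders, not real documents."""
    root = Path(tempfile.mkdtemp(prefix="discovery_"))
    files = {
        "cloud/clients/payroll_2024.xlsx": b"payroll data, constructed sample",
        "cloud/clients/contract_acme.pdf": b"contract text, constructed sample",
        "cloud/policies/handbook.docx": b"staff handbook, constructed sample",
        "laptop-alice/Downloads/payroll_2024.xlsx": b"payroll data, constructed sample",
        "laptop-bob/Desktop/copy of contract.pdf": b"contract text, constructed sample",
        "mailbox-bob/sent/attachments/payroll_2024.xlsx": b"payroll data, constructed sample",
        "laptop-alice/Documents/notes.txt": b"unrelated notes",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    estate = build_sample_estate()
    for master, copies in find_stray_copies(estate, "cloud").items():
        print(f"{master} has {len(copies)} stray copies: {', '.join(copies)}")
```

The output lists each master file on the share alongside every place the same content turned up elsewhere; the handbook, which exists only on the share, is not reported, and Alice’s unrelated notes are ignored because nothing on the share matches them. A real sweep would walk mounted endpoints and mailbox exports rather than a temporary directory, and would feed the result into the audit-trail and DSAR questions that follow.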
 
Then comes the issue of audit trails. If the ICO ever wanted to carry out an investigation, having an audit trail of who created/copied/deleted/forwarded what, and to whom, makes life a whole lot easier. And let’s not forget the member of the public who is fully entitled to submit a Data Subject Access Request, or DSAR, which demands that you reveal what data you are holding on that person. The law insists on it, and you can’t refuse it. I know of a financial firm that took nearly 3 weeks to satisfy a DSAR, taking an employee off billing for that time.
 
We have a solution that meets these requirements and has a built-in encryption system, all within the same monthly cost.  It’ll cost you nothing to trial it and we’d be very surprised if once you’ve seen it and seen the low monthly charge for the managed service, you don’t want to keep it.

Managed Detection and Response (MDR)

What’s this all about, and why would it be of any benefit to you? The first part is easy to explain, but the second is a little more problematic. MDR is a cybersecurity service designed to help organisations, including small and medium-sized enterprises (SMEs), detect, investigate, and respond to cyber threats without needing their own large security team. That latter bit is important for an SME, simply because they don’t have the expertise or resources to do this themselves, nor can they rely upon their local IT provider to do it for them, if only because it almost certainly won’t be in the service contract.

What does it give you? Each capability, and why it matters to SMEs:

  • Around-the-clock monitoring – cyber threats don’t stick to business hours; MDR providers watch systems 24/7.
  • Threat detection using modern tools – uses advanced analytics, machine learning, and threat intelligence that SMEs typically can’t afford or manage internally.
  • Rapid incident response – can remotely contain and remediate attacks before they spread.
  • Security expertise on demand – SMEs gain access to the expertise they need.
  • Proactive threat hunting – identifies hidden attackers or early-stage breaches.
  • Compliance and reporting – helps SMEs meet regulations (e.g., GDPR, Cyber Essentials, ISO 27001) with clear reports.

The above describes a full service. SMEs do have the choice of selecting a full response service or an alerting service, which also gives guidance on what to do, i.e. it helps you manage the response yourself.

It’s important to understand what MDR is not:

  • Not a replacement for basic security hygiene (patching, backups, strong access controls)
  • Not just a tool, it’s a combination of technology + human expertise
  • Not “set and forget”, you still must collaborate on remediation decisions

So now we understand what MDR is, let’s look at why you might want it. SMEs are increasingly targeted by cybercriminals due to limited in-house security resources. An MDR service provides continuous monitoring, advanced threat detection, and rapid incident response, improving cyber resilience while reducing operational burden and cost. Implementing MDR will significantly reduce the company’s cybersecurity risk and support compliance, business continuity, and customer trust. And if you think this is all over the top, let’s remember Knights of Old. They were an established trucking company who moved a lot of what you might call just-in-time goods, i.e. perishables. They were hit with a ransomware attack and went under in a frighteningly short time.

So just to crystallise the problem, current security controls are designed to be preventative and are largely reactive, with no proactive elements to them.  They lack:

  • 24/7 threat monitoring
  • Real-time detection and investigation
  • Specialised expertise required for modern cyber threats
  • Rapid response capability to contain breaches

As a result, you potentially face:

  • Increased probability of a successful attack
    • Delayed breach response → attackers remain undetected for months
    • Data exfiltration and business disruption
  • Higher financial and operational impact if one occurs
  • Non-compliance with data protection obligations (e.g., GDPR, industry standards)
  • Reputational damage and loss of customer confidence
  • Insurance coverage gaps (cyber insurers increasingly mandate MDR-level monitoring)
  • Greater operational and legal fallout from incidents

The trick for many SMEs is finding a solution that is suitable for them and, just as importantly, affordable.  A good fit could be:

  • Affordable subscription model with no costly infrastructure
  • Bridges the cybersecurity skills shortage
  • Improves resilience against ransomware, phishing, insider threats, and more
  • Scales as the business grows

SMEs would also need to consider whether they need a full response service or an alerting service level.  The latter is obviously cheaper and may be more appropriate for many.  The coverage they should be looking for needs to include:

  • Endpoints (laptops, servers)
  • Cloud workloads (Microsoft 365, Azure, etc)
  • Identity services (Active Directory)
  • Network visibility
  • Email security
  • Remote workforce monitoring

I hope that this provides food for thought, as I know many SMEs will not have considered this type of service or, if they have, will have dismissed it as too expensive and probably over the top.  And for many years it would have been just that.  I first got involved with this back in 2002 and have built several security operations centres over the years, including staffing levels and processes.

Generally, these have been way too expensive for an SME to consider.  But that has changed now: there are services available which are designed for SMEs, and which are affordable and appropriate.  Now I know you’ve been waiting for the pitch, and here it comes.  At H2 we provide such a service which is very affordable, and we are happy to stack it up against others.  We offer a 14-day, totally free trial that covers your whole estate, i.e. not restricted to one or two systems or departments, but your whole organisation.

Innovation – Why Do Many Shy Away from it?

We are, by nature, somewhat reserved I think, and we like to trust the known and proven rather than the unknown and, as yet, unproven.  How many of us like to be the first to buy the latest model of a car, or the latest ’phone?  The same applies to our IT infrastructure and security.  Something might advertise some really great innovations, but we want to see someone else try it first, just to be sure.

I read an interesting piece where the thrust was that true innovation consists of doing now what you should have done ten years ago.  Harsh, maybe, but also fair.  I’m constantly reading industry surveys which highlight the low level of cybersecurity maturity amongst large firms and, increasingly, an even lower level amongst smaller firms.  We never seem to learn.

So, what are we referring to here?  In a nutshell, the creation and adoption of new technologies, strategies, and practices that improve the protection of digital systems, data, and networks from cyber threats. It goes beyond simply maintaining existing defences; it’s about staying ahead of attackers by introducing smarter, more efficient, and more resilient security methods.

My focus remains on SMEs, so I’ll skip more talk about the corporate world.  In conversation with people I’ve worked with for years, their anecdotal evidence supports the underlying truth of these surveys.  SMEs in particular struggle with the basics of good cybersecurity housekeeping, such as monitoring of basic network events, timely removal of user accounts, timely deployment of security patches, and revalidation of access levels, particularly privileged access.  This list is far from exhaustive, and this message has been pushed over and over by cybersecurity professionals over the last 10-15 years, but SMEs continue to rely on technical solutions which simply don’t stack up in many areas.  Why?  Simple: because they are relying on local IT providers to give them solutions, and those IT providers continue to push the technologies that they sell.  SME owners and managers are very reluctant to relinquish that argument.  Strange, when often the best solutions are procedural and, as such, much cheaper than a technology that probably doesn’t quite match up anyway.
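To make the housekeeping basics above concrete, here is an added example (not material from the article or any H2 tooling): a Python script that runs the checks the paragraph names, timely removal of leaver accounts, detection of stale logins and revalidation of privileged access, over a constructed directory export.  The account records, the 90-day thresholds and the privileged-group names are all assumptions made for the example; a real review would take them from the organisation’s own directory and access policy.

```python
"""Periodic access-hygiene review over a constructed directory export.

Added example, not material from the original article or any H2 tooling.
The account records below are constructed; the 90-day thresholds and the
privileged-group names are assumptions a real review would replace with
the organisation's own figures and groups.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)     # assumed: no logon for 90 days means the account is stale
REVIEW_EVERY = timedelta(days=90)    # assumed: privileged access must be re-approved quarterly
PRIVILEGED_GROUPS = {"Domain Admins", "Global Administrator", "Finance Admins"}  # constructed


@dataclass
class Account:
    username: str
    enabled: bool
    last_logon: date | None                 # None means the account has never logged on
    groups: set[str] = field(default_factory=set)
    last_access_review: date | None = None  # when a manager last re-approved the access
    left_company: date | None = None        # leaver date from HR, if any


@dataclass
class Finding:
    username: str
    issue: str


def is_privileged(acct: Account) -> bool:
    return bool(acct.groups & PRIVILEGED_GROUPS)


def review_accounts(accounts: list[Account], today: date) -> list[Finding]:
    """Apply the housekeeping checks the article names to each account."""
    findings: list[Finding] = []
    for a in accounts:
        # Timely removal of accounts: a leaver must not keep an enabled login.
        if a.left_company and a.enabled:
            findings.append(Finding(a.username, "leaver still enabled"))
        # An enabled account nobody uses is an open door nobody is watching.
        if a.enabled and (a.last_logon is None or today - a.last_logon > STALE_AFTER):
            findings.append(Finding(a.username, f"stale: no logon in {STALE_AFTER.days} days"))
        # Privileged access: revalidate regularly, and strip it from disabled accounts
        # so that a re-enabled account does not silently come back as an admin.
        if is_privileged(a):
            if not a.enabled:
                findings.append(Finding(a.username, "disabled account retains privileged group"))
            if a.last_access_review is None or today - a.last_access_review > REVIEW_EVERY:
                findings.append(Finding(a.username, "privileged access overdue for revalidation"))
    return findings


def findings_by_user(findings: list[Finding]) -> dict[str, list[str]]:
    grouped: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        grouped[f.username].append(f.issue)
    return dict(grouped)


def constructed_accounts() -> list[Account]:
    """Constructed sample export: one healthy admin and four problem accounts."""
    return [
        Account("alice", True, date(2025, 6, 28), {"Domain Admins"}, date(2025, 5, 1)),
        Account("bob", True, date(2025, 2, 1)),                                    # not seen for months
        Account("carol", True, date(2025, 6, 29), {"Finance Admins"}, date(2024, 12, 15)),
        Account("dave", True, date(2025, 6, 20), left_company=date(2025, 6, 13)),  # logged on after leaving
        Account("svc_backup", False, date(2024, 10, 10), {"Domain Admins"}),      # disabled, still an admin
    ]


def run_review(today: date = date(2025, 6, 30)) -> list[Finding]:
    """Run the review against the constructed export as at an assumed review date."""
    return review_accounts(constructed_accounts(), today)


if __name__ == "__main__":
    for user, issues in findings_by_user(run_review()).items():
        print(f"{user}: {'; '.join(issues)}")
```

The value is in the habit rather than the code: run it on a schedule, hand the output to the account owners, and treat each line as a decision to make (remove, re-approve, or document an exception) rather than a report to file.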

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT.  They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Back to the topic in hand: innovation, and how and when we should be seriously considering it.  Ideally, we should be constantly looking for innovations, not just to keep us safe, but to encourage efficiency and cost savings, and I’m sure all SME owners would love to have the time and resource to do just that.  But we live in the real world and SMEs will be cost and resource constrained.  But that’s not an excuse not to keep a weather eye on the need to innovate.  We live in a changing world, and what we in the business call the threat landscape changes constantly.  This simply means that threats evolve all the time, often to meet new circumstances, and AI, for instance, is reducing the response time of cyber criminals to new technologies and changes in working patterns to almost what is known as the zero-day threat, i.e. zero days from the release of something new to a threat being created to exploit it.

When COVID hit, many SMEs had to move very quickly to keep going, adopting remote working without the time or luxury of any real planning.  It was a knee-jerk reaction born of necessity and certainly not the way they would have liked to do it.  There are multiple cases of companies not having the necessary equipment, in terms of hardware, desktops, laptops etc., and allowing staff to work from home using their own home machines, connecting to both office and cloud-based systems, without any check on how those machines were configured, whether or not they were kept up to date with the latest patches, or whether they were used by other family members.

In terms of equipment, cloud usage and some working practices, that situation is righting itself, sort of.  There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are either planning to, or have adopted a hybrid model.  In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.  That new working model has arguably had the biggest effect on working practices and in turn, cyber security as it affects SMEs, since the innovation of IT itself. 

So, what needs to be done if hybrid working patterns are to continue?  Well, first and foremost comes your policies.  Do they reflect the new hybrid working model?  Have you laid down what is and what is not an acceptable use of company IT equipment if it’s being transported to a home address?  Do you allow the use of home machines, and have you laid down how those machines must be configured before they can be used for company business?  That list is not exhaustive.

Secondly comes user training.  Cyber awareness training for staff, along with a broad understanding of data protection principles, becomes even more important when staff are working from home.  It is a clear no brainer which many SMEs still don’t recognise as necessary.

Of course, those two things are hardly innovation, unless of course you haven’t taken any of those measures, and then it becomes innovative within your company.  Real innovation perhaps comes from reviewing the technologies you have in place and have relied on, possibly for years.  Most, if not all, of those technologies will be based on the old bastion model of security, i.e. a network perimeter with a secure gateway protecting your assets within that perimeter.  With the new working model, relying usually on cloud connectivity, your staff could be working in the office, at home, from a coffee shop, etc.  You now have a mobile workforce.  What is needed is real innovation that protects your data regardless of where it is: technologies which are themselves cloud based, not caring where the end point they are monitoring actually is, whilst maintaining cost-effective pricing.  This is something we’ve been at great pains to research, and we have now come up with such solutions.

How one SME coped with the fall out of a cyber attack

We talk a lot about how to protect ourselves from cyber-attacks and how easy or difficult it is for cyber criminals to attack companies of all sizes and types, but we don’t often describe real events that could impact those companies until they actually happen, and then we often only get the information that the victims want us to have.

So, we thought we’d try and do just that, albeit in a sanitised way (with permission) to protect the privacy of the company involved.

Background

The target was a small to medium-sized design agency based in the UK. They manage branding and marketing materials for a significant number of clients, many of whom share confidential product data and campaign details before public release.  And of course, the company held its own confidential data regarding its operations, finances and personnel.

For years, this agency relied on a mix of free antivirus software, shared passwords, and basic email communication. Like many SMEs, they didn’t see cybersecurity as a priority until the day that all changed!

So, what happened?

One Friday morning, a manager noticed that all shared project files on their network drive had strange extensions and couldn’t be opened. A ransom note appeared on every folder:

“Your files have been encrypted. Pay x amount of Bitcoin to recover them.”

  • The team had been hit by ransomware.
  • Their business was paralysed, and they couldn’t access their admin and finance systems or their client work, deadlines loomed, and panic set in.

The IT contractor confirmed the bad news: a staff member had unknowingly clicked a link in a fake invoice email that mimicked a well-known supplier. The malware spread across the network overnight.
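The behaviour described above, every shared file renamed to a new extension and a note dropped in each folder, is exactly the kind of pattern the monitoring discussed in the MDR section earlier is meant to catch before an overnight spread completes.  As an added example (not code from the article, the agency, its IT contractor or any MDR product), the Python below applies two simple heuristics to constructed file-server audit lines: a sliding window that counts extension-changing renames per account, and a check for a ransom-note-looking file appearing in several folders.  The log format, the sample lines and the thresholds are all constructed assumptions for the example.

```python
"""Mass-rename ransomware heuristic over constructed file-server audit lines.

Added example, not code from the original article, the agency involved, its
IT contractor or any MDR product. The audit-line format and every line below
are constructed. The thresholds (25 extension changes by one account inside
60 seconds; a ransom-note-looking file created in 3 or more folders) are
assumptions to be tuned against a real environment's baseline.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\w+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)
# Words that commonly appear in the file name of a ransom note (assumed list).
RANSOM_NOTE_RE = re.compile(r"decrypt|recover|restore|readme|how_to", re.IGNORECASE)

RENAME_THRESHOLD = 25                    # assumed
RENAME_WINDOW = timedelta(seconds=60)    # assumed
NOTE_FOLDER_THRESHOLD = 3                # assumed


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    op: str
    path: str
    new: str | None


def parse_line(line: str) -> Event | None:
    """Parse one constructed audit line; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["op"], m["path"], m["new"])


def extension_changed(old: str, new: str) -> bool:
    """An ordinary rename keeps the extension; encryptors usually append a new one."""
    return PureWindowsPath(old).suffix.lower() != PureWindowsPath(new).suffix.lower()


def looks_like_ransom_note(path: str) -> bool:
    name = PureWindowsPath(path).name
    return name.lower().endswith((".txt", ".hta", ".html")) and bool(RANSOM_NOTE_RE.search(name))


def detect(lines: list[str]) -> list[str]:
    """Return one alert per account for each of the two behaviours, in log order."""
    alerts: list[str] = []
    rename_times: dict[str, deque[datetime]] = defaultdict(deque)  # user -> sliding window
    note_folders: dict[str, set[str]] = defaultdict(set)          # user -> folders holding a note
    alerted: set[tuple[str, str]] = set()                         # (user, rule) already raised
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.op == "RENAME" and ev.new and extension_changed(ev.path, ev.new):
            window = rename_times[ev.user]
            window.append(ev.ts)
            while window and ev.ts - window[0] > RENAME_WINDOW:  # drop events outside the window
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and (ev.user, "rename") not in alerted:
                alerted.add((ev.user, "rename"))
                alerts.append(f"mass extension change: user={ev.user} host={ev.host} "
                              f"count={len(window)} within {RENAME_WINDOW.seconds}s")
        elif ev.op == "CREATE" and looks_like_ransom_note(ev.path):
            folders = note_folders[ev.user]
            folders.add(str(PureWindowsPath(ev.path).parent))
            if len(folders) >= NOTE_FOLDER_THRESHOLD and (ev.user, "note") not in alerted:
                alerted.add((ev.user, "note"))
                alerts.append(f"ransom-note pattern: user={ev.user} host={ev.host} folders={len(folders)}")
    return alerts


def constructed_log() -> list[str]:
    """Constructed audit lines: routine activity from one user, then an encryption run from another."""
    base = datetime(2025, 5, 2, 3, 14, 0)
    lines = [
        r"2025-05-02T03:13:55 host=FS01 user=akhan op=RENAME path=F:\Projects\ClientA\draft_v2.docx new=F:\Projects\ClientA\draft_final.docx",
        r"2025-05-02T03:13:58 host=FS01 user=akhan op=CREATE path=F:\Projects\ClientA\notes.txt",
        "this line is not in the expected format",
    ]
    for i in range(30):  # 30 extension changes in 30 seconds, spread over three client folders
        folder = rf"F:\Projects\Client{'ABC'[i % 3]}"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} host=FS01 user=jsmith op=RENAME "
                     f"path={folder}\\file{i}.psd new={folder}\\file{i}.psd.locked")
    for letter in "ABC":  # the note dropped into every affected folder
        lines.append(f"{(base + timedelta(seconds=31)).isoformat()} host=FS01 user=jsmith op=CREATE "
                     rf"path=F:\Projects\Client{letter}\HOW_TO_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

In practice the window and thresholds are tuned against the organisation’s own baseline (a designer exporting a batch of files renames a lot of things too), and an alert should lead straight into the response plan the case study goes on to describe: isolate the account and host, then confirm the backups are intact before anything else.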

At this point many companies fall into complete disarray, simply because they haven’t got a disaster recovery and business continuity plan and have no way of operating their systems manually.  Management will be demanding to know how long they can manage without their IT systems and how long it will take to get everything up and running without paying the ransom.   The IT company will be pressured about backups: are there any and, if so, when can they be restored?  Which is when, of course, they realise that without their systems there is nothing to restore the backups to.

The IT company confirmed that they did have backups stored off-site as part of the contract, but daily backups were stored on site and the on-site backup server was also compromised.  The off-site backups were taken once a week, which meant that, as by this time it was Tuesday, the off-site backups were 2 days old.  But much better than nothing.

The problem remained that they had deadlines to meet and if they didn’t want to lose clients and have their reputation in their industry shattered, they had very little time.  Reluctantly the management made the decision to pay the ransom which meant they had to go cap in hand for extra funding as they operated on tight margins and the ransom in pounds was close to £150k.

This got them back online and saved their projects and reputation, but at a cost that really hurt, and not just in financial terms but in their pride as managers.  It really stung.  They knew they had to bite the bullet and take cyber security seriously.  They realised that their local IT company, although excellent at keeping their network up and running efficiently, as well as providing their hardware and software, and which kept strictly to the terms of the contract, was not going to protect them to the level that they needed.

The rebuild

Having got everything back up and running they were seriously worried that they might get hit again quickly, before they had a chance to sort things out.  There was no room for complacency but at the same time they had to go forward with a strategic plan.  So, they brought in a specialist cybersecurity company who guided them through a strategy to not just recover, but to protect themselves going forward.

One of the first things they learnt is that cyber security is a business issue and not a technical one.  Management must own it and understand it.  It starts with people: having the right people in the right place who understand, at least at a high level, the issues and how to take basic precautions to protect themselves and the business.  Then comes policy and process, coming down from the top, regularly reviewed and updated by management, and promulgated to all staff with regular reminders.  Once that’s in place we can look at technology.  No one had articulated that to them before.

The first thing their new cyber partner did was to devise a high-level strategy that the company could adopt going forward.  They explained that it needn’t be complicated and in fact, the simpler and easier to understand, the better.  Keep tech jargon out of it and use plain English.  They came up with a plan which identified some quick wins to protect them quickly, before coming up with more detailed projects that could be phased in over time.

The quick wins were:

  1. Cyber awareness training for all staff, including management.  Let’s make sure no one ever clicks a link they shouldn’t.  The training should be done at induction and then refreshed regularly throughout the year.  It can be run by the HR staff, or by an HR company under contract if that is the case.
  2. Produce policies, starting with a high-level policy signed off by the CEO which clearly outlines everyone’s responsibility for cyber security and who is responsible for the detailed policies which will underpin this top-level policy.
  3. Enforced multi-factor authentication (MFA) for all logins, and a password manager to replace the spreadsheets they were using.

This is then followed by more detailed projects phased in over time.  The phasing helps to ensure that there is not too much disruption to the business operations and that staff can be carried along with it, ensuring their buy in.  It also helps to make sure that it fits in with the company budget and doesn’t hit the bottom line all at once.  It included:

  1. An examination of the contract with the IT company, making any revisions that might be necessary, for example to the back-up regime.
  2. Migration to a cloud-based file system with built-in versioning and encryption (in this case MS365 was chosen, which is a favourite go-to for SMEs and was offered by their IT support company).
  3. Simulated phishing exercises completed by every employee as part of the awareness training.
  4. A detailed incident response plan which clearly detailed who was responsible for what, who to contact and what to do, in a prioritised order.  It also outlined a business continuity plan, written by departmental heads, showing how the company would continue to operate whilst systems are recovered.
  5. Identification of assets, i.e. databases, client information, HR data, financial data, project plans etc., to prioritise what data needs to be protected and to what level.
  6. An identity and access management review, with a view to moving to a zero-trust access control system.
  7. Consideration of applying for Cyber Essentials certification.

The Outcome

Within six months, they were back on track and stronger, much more resilient. They were, like most companies, hit with phishing attempts all the time but their employees were trained to recognise them instantly and knew who to report it to. No one clicked the link.

Clients noticed the change, too. The company started to include a short “data protection and security” statement in their contracts, which won them new business. Larger clients trusted them more because they could prove their cyber resilience.  They were now committed to Cyber Essentials and would include that logo on their website and advertising as soon as they qualified.

The big lesson

Their experience shows that cybersecurity isn’t just an IT issue — it’s a business survival issue.  Even small steps, awareness, MFA, and secure backups, can transform an SME from a target into a resilient organisation.

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target, and there are a ton of statistics available which show that SMEs globally are a very real target for cyber-attacks and can in fact be very profitable for cyber criminals.  There are a lot of reasons for that, but one of the top reasons is that typically SMEs spend very little on cyber defence and generally have very weak defences.  Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault.  Most are focused on their core business, trying to make a quid or two, and are pressed for time.  They tend to rely on whatever company, usually local, supplied their network, hardware and software, generally on a retainer.  The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then not necessarily the right technology.

When it comes to cybersecurity governance and management, there is no “one size fits all” approach.  In today’s threat landscape we need to fully understand that cyber security is not a purely technical problem, focused on hardware and endpoint protection and on operations within the organisational perimeter.  Today we are dealing with cloud storage, in office and remote working, data at rest and in transit, involving security at every point along the route.

It is critical that someone within the organisation takes responsibility for cyber security, and that person must have a seat on the Board. A Board-level response is not just appropriate; it is essential.

Secure by default and design

Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to a cloud of some sort (very possibly, for SMEs, MS365), but when the design was done a full risk assessment wasn’t undertaken, which is a requirement to underpin that design.  In other words, what we in the cyber security industry refer to as Security Architecture Design (SAD) wasn’t a prominent consideration.

Not unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else.  And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

  1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

  2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

  3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

  4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

  5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

  6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

  7. Collaboration with external partners: Establishing a partnership with a cyber security company that understands the issues that affect SMEs, and who can themselves establish a solid working relationship with the IT provider that is providing and administering your network and IT resources, will enhance your protections, significantly improve your employee and managerial awareness of the issues, and provide you with the peace of mind you need, allowing you to concentrate on your core business.

Cyber Maturity

What do we mean by cyber maturity?  It’s not just about the protections you may have in place, but more about how well your organisation understands the importance of it and its place in your overall business strategy.  It is, after all, a business issue, not a technical issue, and needs to be treated as such. Modern security solutions are increasingly complicated and challenging. These complexities change all the time and, with the changes in working patterns and the introduction of AI now in the hands of the cyber criminals, they require a broad understanding of cyber security. Very few SMEs possess this level of expertise and can find themselves struggling to protect themselves and rectify security risks discovered within their business. In a climate of frequent, and potentially devastating, malicious activity, organisations need targeted, rapid remediation and effective solutions. In doing this they will improve specific areas of their security systems, reduce their level of exposure and minimise potential losses, which can be very significant.

Many small and mid-size businesses struggle to combat the threat that cybercrime poses. A simple piece of malware or a social engineering event can result in the loss of sensitive company and client data, disrupt business and waste staff time. Such incidents are commonly sensationalised by the media, causing client defection and damage to hard-earned reputations, resulting in significant loss of business.

I’ve described the risk management process before, and I know it can be a bit daunting, and many would fear its costs and complexity.  That is why we have designed and taken into use the Cyber Maturity Assessment (CMA), specifically for SMEs, which will enable them to go down the risk management road at a pace and price they can afford.  The CMA is designed to obtain a view of where a client currently sits in terms of their cyber security posture. It is obtained from the results of interviews with staff, examination of current policies and procedures, including their effectiveness, security architecture and technical controls, and observations to gain an understanding of cyber security by management and staff. It is designed to provide a report which shows a client exactly where they sit in terms of cyber risk in a way that is demonstrable and easy to understand. It gives a client a starting point from which H2 consultants will be able to scope any problems.

What Does a Cyber Maturity Assessment Give Me?

In brief, the CMA is designed to:

  • Understand and define the target state of the system, i.e. where does the client want to be in terms of cyber maturity.  In defining the target state there must be a clear understanding of the business drivers, future business demands and business dependencies affecting the organisational area under examination.
  • Understand the current level of cyber maturity.  At this point the matter of cyber maturity will be a somewhat subjective view, obtained from the results of interviews with staff and initial observations by H2 consultants. This element is not intended to replace a detailed understanding, but to provide an initial view and start point, from which H2 consultants will be able to scope the problem and recommend any remediation required, in a phased way.

We measure both the starting point and the end point using the Carnegie Mellon Cyber Maturity Model.  I know other consultancies will use other models for this, but this is one that we have found to be effective, both for SMEs and in the corporate world.  It looks like this:

I mentioned earlier that this is something used in the corporate world and, whilst that’s true, it is a matter of scale and need.  Most corporates would have the requirement and budget to aim high, say at around CMMI 4 (5 is rarely hit).  For most SMEs that’s a step too far and, as a rule of thumb, when we do this we tend to find we’re starting at around 0.8 to 1.5, with the aim to get to CMMI 2 as soon as is feasible, with the end game at CMMI 3, which is affordable for most SMEs if a phased approach is taken.

At the end of this initial process an SME is rarely able to just jump in, accept the recommendations and get on with fixing them.  It can be a complex issue requiring a hard look at their staff in terms of cyber awareness training, their policies and processes and their technical solutions, all aimed at prioritising the protections required for each asset in accordance with their vulnerabilities and threats.

A phased approach is almost always needed, often aligned with budgets.  It can look a bit like this:

The first transformation project tends to be what we term the Quick Wins Phase, i.e. what can we do relatively easily, quickly and therefore affordably to give the client the most urgent fixes.  It often, but not always, looks like this:

This has just been a very quick canter through the CMA process, and we need to emphasise that each client has a different set of requirements, and we can often jump into the process at a different stage. Call us if you want to know more.
