Risk Analysis and Security Strategy Archives - Page 4 of 6

Business Continuity Planning

How many SMEs have a business continuity plan in place should they be subject to a cyber-attack that seriously disrupts business to the point where you can’t process and order, raise an invoice or get in essential supplies. It happens, don’t kid yourself and business continuity is not the same as disaster Recovery. Business Continuity and Disaster Recovery are two closely related concepts that are often used interchangeably, but they serve different purposes within an organization.

Business Continuity refers to the proactive strategies and plans put in place to ensure that essential business functions can continue in the event of a disruption or disaster. This could include natural disasters, cyber-attacks, power outages, or any other event that could disrupt normal business operations. Business Continuity planning typically involves identifying critical business processes, implementing redundant systems and processes, and developing communication plans to ensure that the organization can continue to operate smoothly in the face of adversity.

Disaster Recovery, on the other hand, is focused specifically on restoring IT infrastructure and data after a disaster has occurred. This could involve recovering lost data, restoring systems and networks, and ensuring that IT operations can resume as quickly as possible. Disaster Recovery planning typically involves creating backup systems, implementing data recovery procedures, and testing these plans regularly to ensure they are effective. Both are critical components of a comprehensive risk management strategy and should be integrated into an organization’s overall resilience planning efforts.

In general, along with your insurers, the IT support company you have under contract, should be able to help you with disaster recovery, which is often defined by a physical disaster ie fire, flood etc, as well as a cyber-attack. Business continuity on the other hand requires much more thought and planning.

In essence then, business continuity is the ability to recover quickly and continue operating when there has been a serious disruption to the business function caused by equipment failure, power outage, fire, flood, or other type disruption (manmade or otherwise). Business continuity may be achieved through resiliency – which is an essential part of system architecture, associated with business continuity planning. Resiliency considers the business impact and corresponding plans to restore business functionality after a disruptive event. However, as many SMEs have carried out no real risk assessment and have no real risk management plan in regard to cyber security, then it is unlikely that they have a system architecture robust enough to take account of this requirement. The exception is that the majority have taken to cloud computing which goes someway to achieving resilience, although that was probably not their primary reason for going down that road.

There are 4 elements that are essential to the business continuity component of the security operations function are as follows:

Business impact assessments (BIA)
Disaster recovery planning.
Business recovery planning.
Plan, testing and analysis.

Arguably the most important is the BIA, developing an understanding of what could happen to the business if the loss of systems, leading to the loss of access to critical data and the ability to continue to function efficiently, should a disaster overcome you.

These are the issues all business owners should get to grips with and here at H2 we understand that it isn’t easy, and that advice and guidance is necessary.

Innovation – Why Do Many Shy Away from it?

I read an interesting piece recently where the thrust was that true innovation consists of doing now what you should have done ten years ago. Harsh, maybe, but also fair. I’m constantly reading industry surveys which highlight the low level of cybersecurity maturity amongst large firms and, increasingly, an even lower level amongst smaller firms. We never seem to learn.

Of course, and as I’ve mentioned before, many of these surveys are written, or at least sponsored, by cybersecurity vendors and largish consultancies, who could potentially be seen as biased in that they are pushing their own solutions. But keeping that in mind, there is still and underlying truth.

My focus remains on SMEs, so I’ll skip more talk about the corporate world. In conversation with people I’ve worked with for years, their anecdotal evidence supports the underlying truth of these surveys. SMEs in particular struggle with the basics of good cybersecurity housekeeping, such as monitoring of basic network events, timely removal of user accounts, timely deployment of security patches, and revalidation of access level, particularly privileged access. This list is far from exhaustive. Whilst this message has been pushed over and over by cybersecurity professionals over the last 10-15 years, SMEs continue to rely on technical solutions which simply don’t stack up in many areas. Why? Simple, because they are relying on local IT providers to give them solutions and those IT providers continue to push the technologies that they sell. SME owners and managers are very reluctant to relinquish that argument. Strange when often the best solutions are procedural and as such, much much cheaper than a technology that probably doesn’t quite match up anyway.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs. Some common myths first:

Small to medium size businesses are not worth attacking.
Cyber Security is an IT Issue.
Technology will keep me safe.
My policies and procedures are up to the job.
My staff are young and have been brought up with IT. They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

Lack of awareness around the current real-world cybersecurity risks
False sense of security, with a heavy reliance and dependence on an external IT third-party provider
Lack of cybersecurity knowledge, and understanding
Poor cybersecurity maturity and posture within their businesses
Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Back to the topic in hand, innovation and how and when should we be seriously considering it. Ideally, we should be constantly looking for innovations, not just to keep us safe, but to encourage efficiency and cost savings, and I’m sure all SME owners would love to have the time and resource to do just that. But we live in the real world and will be cost, and resource constrained. But that’s not an excuse to not keep a weather eye on the need to innovate. We live in a changing world and what we in the business call the threat landscape, changes constantly. This simply means that threats evolve all the time, often to meet new circumstances, and AI for instance, is reducing the response time of cyber criminals to new technologies and changes in working patterns, to almost what is known as the zero day threat, ie zero days from the release of something new, to a threat being created to exploit it.

When COVID hit, many SMEs had to move very quickly to keep going, adopting remote working without the time or luxury of any real planning. It was a knee jerk born of necessity and certainly not the way they would have liked to do it. There are multiple cases of companies not having the necessary equipment, in terms of hardware, desktop, laptops etc, and allowing staff to work from home using their own home machines, connecting to both office and cloud-based systems, without any check on how those machines were configured, whether or not they were kept up to date with the latest patches, or whether they were used by other family members.

In terms of equipment, cloud usage and some working practices, that situation is righting itself, sort of. There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are either planning to, or have adopted a hybrid model. In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base. That new working model has arguably had the biggest effect on working practices and in turn, cyber security as it affects SMEs, since the innovation of IT itself.

So, what needs to be done if hybrid working patterns are to continue? Well, first and foremost comes your policies. Do they reflect the new hybrid working model? Have you laid down what is and what is not an acceptable use of company IT equipment if it’s being transported to a home address? Do you allow the use of home machines, and have you laid down how those machines must be configured before they can be used for company business? That list is not exhaustive.

Secondly comes user training. Cyber awareness training for staff, along with a broad understanding of data protection principles, becomes even more important when staff are working from home. It is a clear no brainer which many SMEs still don’t recognise as necessary.

Of course, those 2 things are hardly innovation, unless of course, you haven’t taken any of those measures and then it becomes innovative within your company. Real innovation perhaps comes from reviewing the technologies you have in place, and have relied on, possibly for years. Most, if not all those technologies will be based on the old bastion model of security, ie a network perimeter with a secure gateway, protecting your assets within that perimeter. With the new working model, relying usually on cloud connectivity, your staff could be working in the office, at home, from a coffee shop etc etc. You now have a mobile workforce. What is needed is real innovation that protects your data regardless of where it is, technologies which themselves are cloud based, not caring where the end point it is monitoring actually is, whilst maintaining cost effective pricing. This is something we’ve been at great pains to research and have now come up with such solutions.

We are holding a webinar to discuss and highlight these solutions and would love to see you there:

Event Details:

Date: 8^th May
Time: 12pm
Event link: https://bit.ly/3UDaUy9

Cyber Security Benchmarking

As long as I’ve been in this industry, clients have always had a thing about benchmarking, particularly those in the higher echelons, who are naturally driven by maturity, budgets, and the frequency of cyber breaches in their industry. It’s often how they decide their spend. Fair enough. In the SME world it’s perhaps not that formalised but is still a thing. An SME owner wants to know what other people are doing to try and gauge what they should be doing.

I talked, in a post last week, about conformational bias, which is a posh way of talking about the herd mentality and benchmarking falls loosely into that bracket. What we’re actually talking about is the need for reassurance, deflecting plain discomfort, around the proposal to spend money on something that often seems a little esoteric to many.

Of course, not every situation, or every company is the same. Their cyber maturity and risk appetite will often drive different approaches to a similar problem. One company might have a heavy focus on data protection. For example, an accountancy firm, a solicitors, even an estate agency, might assess that a serious data breach involving the Information Commissioner, could, potentially, put them out of business and they would therefore make this a number one risk. On the other hand, a manufacturing company may consider this a risk, but of less importance than say, their designs for their next improvement to their product line.

So how good is a benchmark? Well, it’s a guide, but that’s all it is, and you might think that if you’re close-ish to that guide, and you have an understanding about why you’re not closer, then that is probably OK. What I’m saying is, don’t take an industry benchmark to be gospel, it isn’t, and basing decisions on what is essentially anecdotal evidence, isn’t, in my opinion, a very good basis for making that decision.

This is where building relationships with suppliers is essential for an SME. Trust must be established, especially when dipping your toe in to the murky depths of cyber security. Let’s face it, most people don’t understand it and people don’t trust what they don’t understand. Finding a cyber security company that is happy to work with SMEs is not easy, especially one that isn’t wedded to technology as being the only answer to a problem. Process and procedure can be just as effective as technology in certain circumstances and of course, is much much cheaper. And let’s not forget cyber awareness training, still the cheapest quick win any SME can take to offset the risk of a data breach or scam.

All this is easy to say, but just how do you find a cyber security company you can trust? I vaguely remember hearing the saying that you have to kiss a lot of frogs before you find your prince. But in this case, you can’t afford to do that. Time is not on your side but in doing your due diligence, you still need to be cautious.

What are you looking for? I would suggest:

Proven track record. Look into the past of the ownership of the company, not just the employees.

Their approach. Do they lead with technology? If they do, walk away. Do they take a risk managed approach? That’s what you’re looking for.
Do they talk in jargon, trying to baffle you with science? If they do, walk away. This subject can be explained without getting into technicalities. You want something that addresses threats to your business, and they should demonstrate they understand that.
Do they talk about the FUD factor. Fear, uncertainty and doubt. What they’re trying to do is to scare you into buying. Giving you the facts is one thing, FUD is completely different.
Have they taken the time to fully understand what your business is about, what it is that drives your revenue, what is important to you and what is not so important?
Do they see you as a long term partner or a quick revenue win? Can be difficult to assess but it is crucial to building the trust I talked about earlier.

Of course, this is not an exhaustive list of criteria, and you’ll almost certainly have things you want to add, and maybe things you will discard. But whatever route you take to build that trust, it is essential to your protection and peace of mind in what is becoming a very dangerous online world.

A Company’s Tale – From COVID to Hybrid – Part 2

In last weeks blog we talked about a company that was forced, by COVID restrictions, to move to working from home, and how that affected the organisations’ structure and ability to continue in business, and some of the difficulties they faced.

We reached a point where they had started to get back into the office but had decided to adopt the hybrid method of working, saving money on floor space, fuel and light etc. But this has come with problems of its own which we’ll look at now.

Hybrid working is something that many SMEs like because of the cost savings, providing of course that the business doesn’t require people on site, such as manufacturing, transport etc. Company’s such as lawyers, financial advisors/accountants, HR facilitators, recruiters and the like, can support hybrid working quite easily, from an operational standpoint.

Last week we saw that the 2 partners are aware that they hold a growing amount of personal and corporate data, not just about their own staff and systems but also about their clients. They were also aware of the Data Protection Act 2018 and GDPR but at a very surface level and were not sure about how much this will affect them. For example, in terms of policies, they have very little that references the DPA 2018 and/or GDPR. Their website does not contain the necessary privacy statement or statements regarding the use of Cookies. They don’t have an overarching security policy or a cyber security strategy in place.

So, what’s are the issues arising from last paragraph? Well, the DPA 2018, or UK GDPR as it’s becoming colloquially known, requires that data is processed and stored securely and that managers and staff are aware of the regulations regarding the safe processing and storage of information, which are quite extensive and can be daunting, but needn’t be an issue for SMEs, if not ignored. The ICO is, in my experience, very helpful in this regard and are not there to hand out heavy fines, threatening to put you out of business. If you can demonstrate that you have done your very best to obey the law, then they will be helpful and conciliatory. On the other hand, if you’ve been neglectful and even a little cavalier about it, then not so much.

But getting back to the case in point, these guys were now at the juncture where they had their staff working from home for about 3 days a week, and coming into the office on 2 days, unless of course they were consultants who were visiting client sites and were working on the move. Everyone now had a company laptop, including admin staff, and data was held on the cloud.

But what didn’t they have, and how would that affect the? Well, firstly they didn’t have a cyber security strategy in place. So, what is a cyber security strategy? It’s a plan that outlines an organisation’s approach to protecting its digitally held assets and information from cyber threats. This strategy typically includes policies, procedures, technologies, and practices that are designed to prevent, detect, respond to, and recover from cyber-attacks. People, Process and Technology combined and integrated to provide protection.

This needn’t be scary, and you can pick and choose what is important to your organisation, what needs to be comprehensive, and what can be less so. The level of risk you are prepared to take, is entirely your call. Key components might include:

Risk assessment: Identifying and prioritizing potential threats and vulnerabilities to the organization’s systems and data.
Security controls: Implementing technical and procedural measures to protect against cyber threats, such as firewalls, encryption, access controls, and employee training.
Incident response plan: Establishing protocols for responding to and recovering from security incidents, including communication plans, containment strategies, and forensic analysis.
Continuous monitoring: Monitoring systems and networks for suspicious activity or anomalies that could indicate a security breach.
Compliance management: Ensuring that the organization complies with relevant laws, regulations, and industry standards related to data protection and privacy.

What the management is doing here, is laying down a framework for how things need to be developed. It doesn’t need to happen all at once,

Not having formulated a strategy, the company didn’t have much of this in place, and what it did have wasn’t well structured and integrated. The security products in use were stand alone, working independently of each other. Another major flaw was that they had no cyber awareness training in place, neither did they have effective policies. Those that they had were downloaded from the internet as a box ticking exercise. They were in fact a cyber disaster looking for somewhere to happen.

The 2 partners were aware of these issues and yes, they took some time to get around to addressing them simply because recovering the business from the issues arising from COVID, took precedence. But they realised that this couldn’t be put off for any longer and took action.

They engaged with us to first carry out a Cyber Maturity Assessment. This covered:

Cyber Security Strategy.
Cyber Security and Data Protection policies.
Protective monitoring and vulnerability assessment.
Incident response and business continuity planning.
Access control.
Employee awareness training.
Compliance.
Technical Security

The strategy they needed could be very much simplified to meet their requirements, but it did cover the salient points and gave a clear indication of what was needed immediately, what could follow and what was more of a nice to have rather than a necessity. To that end we were able to structure remediation that was phased over a number of months, covering 2 budgetary periods.

End result, they had a solution that was affordable as well as appropriate to them. It covered staff in the office, working from home and on the move. It kept them compliant with the relevant legislation and set them up to achieve a standard such as Cyber Essentials, which is next on their list. If necessary, they could even go as far as ISO2700x series, although that might not be appropriate for them at their current size.

Cyber Security Policies – A Must Have or a Nice to Have

How important are policies and processes in comparison with technology, when it comes to Cyber Security and its sister discipline, data protection. The clue is that in Cyber Security we refer to People, Process and Technology, in that order.

Top of this list is People, and I’ve written extensively about how important cyber awareness training is for all, managers and employees alike. This piece is all about policies and processes. First and foremost, policies have to be relevant to the organisation and not just downloaded from the internet, maybe with a few modifications, before applying a tick in the box and moving on. Policies have to mean something and have a purpose. Many organisations I go to either have some very scant policies or actually, none at all.

I often talk about risk in terms of cyber security and how managing that risk is extremely important. And that means understanding what those risks actually are, and then taking steps to mitigate them. When I talk about this, I can often see the wheels turning and the audience thinking technology and how much is that going to cost them. Well, it’s very often the case that technology is not the answer. There are many risks where a good policy, promulgated to, and understood by all, can save the company money.

A good example of that is a fairly common scam that tends to costs SMEs between 5 and 50K depending upon the size of business. How this is achieved is that the scammer or let’s call him/her what he/she is, the criminal, spends some time profiling the company, using various social engineering techniques to work out how the company is organised and who is who. You may be surprised as to how much of that information is freely available on the company website, companies house and other sources. Having discovered who the boss is, and who looks after invoice payments, the criminal then ‘spoofs’ the bosses email. Email spoofing, in simple terms, is sending an email purporting to come from someone else. So, it arrives purporting to come from the boss, but actually it’s from the scammer. Such an email is sent to the person who pays invoices, with an invoice attached, saying please pay this as a matter of urgency. This happened recently to someone I know, and when it arrived in the accounts department it didn’t look cosher to the payments clerk, who replied to the email asking if the boss was sure. Of course, she got an email back saying yes, I’m sure. She paid it and the company lost over 30K. The accounts clerk was clearly switched on but she made a basic error, because she didn’t know any different. If she had sent a fresh email to the boss querying the invoice, it would have gone to the boss who could have stopped the transaction. Instead, she replied to the email and her reply went back to the scammer. A policy which dictates fresh emails rather than using the reply function, and known to all, would have saved the company a lot of money.

Policies and attendant processes are essential for the protection of company data and the bottom line, company money. What needs to be covered and in what depth, depends on the risks that the company is facing, and will differ company to company depending on its type. In broad terms, and as an absolute minimum, the following are required:

Overarching IT security policy – often this only needs to say very clearly what responsibilities employees have in regard to security and data protection, lay down a requirement and responsibility for cyber awareness training, and state that all employees are to be cognisant of all the policies and are to sign that they have read and understood them. And most importantly, it must be signed off at board level making it clear that this is a crucial requirement.
IT Acceptable Use Policy – what is, and what is not, an acceptable use for company IT.
IT Email Policy
IT password policy
IT Mobile working policy – essential for mobile workers who may be tempted to work from a coffee shop, and of course, working from home. This latter might be a separate policy or can be part of the mobile working policy.
Data Protection Policies – a whole other subject.
Social media policy – this can be really important. Probably 100% of your employees will have a social media presence and will use it daily. How important is it that they don’t associate themselves with the company on their private social media? Depends on the person but it could be damaging in reputational terms. The company might also do some digital marketing on social media. Who is, and who is not, allowed to get involved with that function.

This is not an exhaustive list. It depends very much on risks that needs mitigating. They will also be accompanied by processes to support the policy.

Does this resonate with you. If you’d like to know more, we’d like to help.

Scams v Hacks – how does this effect SMEs?

When I speak to SMEs, I make the point that the chances of being ‘hacked’ is relatively low when compared with being scammed. Why? In my view, I look at a hack as being a technical attack on a target by someone who is technically savvy and skilled in identifying and exploiting weaknesses in a company’s defence. A scam on the other hand can be perpetrated by people with relatively low levels of technical ability and scams are in fact, a con, just like any other old fashioned con, in that they get the target to agree to, or to do something, that will benefit the con artist.

We always recommend that our clients try as best as they can to have defence in depth. That’s an old military term which is often used in cyber security now to describe multiple layers of defence. This can be expensive though and it must be tempered by budget, targeting controls where they are most needed. What this does is to deter many attackers who are looking for a quick win, so if they have to work long and hard to break in, they’ll often go elsewhere, where the pickings might be easier. And of course, whilst an SMEs defence might be somewhat less than those of an enterprise organisation, the pickings are likewise smaller, making it not cost effective for the attacker to take too much time with a technical hack.

Does this make scams much more attractive to the criminal? Yes, I believe it does, simply because the amount of effort required is low and they are skilled in manipulating people, especially those that have had minimal cyber awareness training. Scamming, just like hacking is generally preceded by some form of social engineering. Social engineering refers to techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons. So, whilst a hacker modifies a computer’s software and hardware structure to carry out certain tasks, social engineering uses people as weapons to attack selected targets. In this way the manipulation is accomplished by employing trust through different forms of communication.

Typically, social engineering is achieved via Phishing, Vishing (video), Smishing (via SMS), malware and Spear phishing where the targets are selected for their importance to a specific attack. Whatever method is used the aim remains the same, it is to persuade the unwary to give up sensitive information, install malicious software or do things that compromise your business security. The best protection against social engineering remains a work force that are aware of the techniques and dangers posed by this.

What is the cost of scams to the across the globe? One statistic suggests that public sector fraud losses amount to about £50.2 billion whilst frauds committed directly against individuals, including marketing fraud and identity fraud, is around £8.3 billion. The total cost of fraud has risen from about £190 billion in 2017 to almost £219 billion. (Source Peters, Peters and Crowe). Of course, not all of this is via online fraud, but it is becoming the most common type of scam we see today.

Some of the most common types of scams that we see include, but are not limited to:

Copycat government websites. Some scams involve websites designed to look like official government websites such as HMRC. …
Dating and romance scams. …
Holiday frauds. …
Mandate fraud. …
Pharming. …
Phishing emails.

I received an email only yesterday purporting to come from someone called, and I kid you not, Lisa Monaa, inviting me to partake in an extremely profitable project, and I just couldn’t bring myself to read anymore. It was a badly written phishing email with little chance of success.

AI is having an effect as well. I’ve written earlier about the CEO scam whereby a CEOs email is spoofed and sent to an accounts department with an invoice attach, stating that the CEO has received a complaint from a supplier that their invoice is late and to get it paid without delay. That scam has now been updated to a voice simulated by AI, over the phone, demanding the same.

Whilst that scam is quite old, it shows how social engineering has a play. Firstly, they have to find out what the CEOs email is. Not difficult. The company’s email form will almost certainly be shown on their website with a contact like sales@abc.com. So, the attacker knows that the suffix is abc.com. They may well also be able to get the CEOs name from the website or even Company’s House. Next send an email to JSmith@abc.com. If that bounces send it to John.Smith@abc.com and so on until it goes through. Next phone the accounts department, ask for Mary in accounts payable. No Mary here I’m afraid. Oh sorry, I was sure it was Mary, who handles accounts payable then, Oh that’s Julie. So, he now has CEOs email and someone to send the email to. That would probably take about 30 minutes of the scammers time.

The impacts of scams can be very far reaching. Firstly, there is financial loss, which to many SMEs operating on tight margins, can be quite devastating. Then there is the possibility of data breach. If you are a business with lots of client personal data, say a financial advisor, a lawyer, an estate agent, pharmacist, you get the drift, and the aim was to steal data, then you could be hit with a substantial fine from the Information Commissioner not to mention lawsuits from those whose data has been stolen. Reputational damage can be disastrous and then there is the effect on staff who can suffer greatly thinking they have damaged the company and put everyones job at risk.

Bottom line – scamming is endemic, it’s going nowhere, and AI is going to make it more prevalent, not less. SMEs spend far less on their defences and on cyber awareness training making them more likely to be targeted. Combating this threat should be high on your to do list.

More about Risk Management

I’ve decided I haven’t bored you all enough about risk management yet, as it pertains to cyber security. Try not to stretch your jaw too much as you yawn and stay with me because it is extremely important and will become more so as cyber-attacks get more sophisticated and more importantly, ever more common as AI makes them much easier to implement and enables hitherto less skilled criminals, to become more capable.

We are still, in the SME market, suffering from a misunderstanding about what cyber security is all about. I know I bang on about this, but it can’t be overstressed. Without fully understanding the risks you are exposed to, how can you be sure that you are spending your limited budget in the most effective way, and in a way that is doing some good. I threw that last bit in because I come across situations all too often, where an SME is wasting money and resources because they don’t have a handle on their security risks.

Now I know that many will say that this is a technical matter and that we have a company under contract that looks after our IT infrastructure and therefore we can safely leave it to them. Wrong. Ask them some simple questions:

· Have they fully identified your security assets? Security assets are not just hardware and software, in fact those are often the least of your worries. It’s the data, where it is and how it’s protected that is important.

· Have they done a risk assessment on those assets.

· Have they recommended or implemented controls to manage the risk down to your acceptable residual risk level. That is assuming they have spoken to you about what that acceptable risk is.

It’s very important that business owners grasp the difference between the technical requirements of their networks, and the business requirement.

· Tech

Describes the protection of networks, computers, programs, and data. It is a branch of cyber security which is focused on preventing intrusion and therefore theft or manipulation of your systems, from both internal and external sources. Technical security consists of tools such as firewalls, anti-virus software, intrusion detection systems and more to prevent and defend against attackers.

Technical security needs to work within a defined and business focused security strategy.

· Business

Encompasses all aspects of protecting digital assets, including computer systems and networks, from unintended or unauthorised access, change or destruction. Cybersecurity focuses on a devising a security strategy and identifies controls, processes, and technologies to ensure the protection of data, programs, networks and associated software from unauthorized access or attack. It is focused on People, Process and then Technology.

Cybersecurity has a larger role in protecting organizations from malicious cyber-attacks and data breaches. A comprehensive cybersecurity strategy should include preventive measures such as strong authentication protocols, encryption, and threat intelligence analysis; detection mechanisms to rapidly identify attacks; response plans to quickly mitigate the damage; and recovery procedures to help recover after an attack. All these operational capabilities can help ensure organizations are better prepared to defend themselves against potential threats.

Bottom line folks – you can outsource your IT, but you can’t outsource your responsibility.

Risk management is all about helping us to create plans for our future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis.

We need to manage risk to enable us to make the best possible decisions, based on our analysis of future events and outcomes. Whilst the future can be anticipated to an extent, there are limits to how much it can be anticipated.

There is no business without risk and an acceptable residual risk in one company, will not be acceptable in another. That’s a business decision. Risk must be recognised and then managed in some way or other, classified in some way. And whilst we would all like to abolish risk, that won’t happen.

Whilst working for major providers servicing the big company’s, banks and major government departments, we would recommend that at least 15% of their annual IT budget should be allocated to cyber security. That means not just tech but also reviewing cyber security policies and processes, cyber awareness training for staff and managers, reviewing the threats and vulnerabilities and then revisiting the risk to their assets. It’s interesting to note that the figure of approx. 15% has crept up over the years. About 20 years ago we were saying 5% then 10 and now it’s a minimum of 15% and some company’s are allocating even higher percentages as threats increase year on year. That figure could easily sky rocket once AI becomes prevalent amongst the criminal fraternity.

Just keep in mind that cyber security is a business issue and not an IT issue and that cyber risk must be evaluated and dealt with in the same way that you would any other risk to your livelihood.

Secure By Design

I read a post on LinkedIn the other day, discussing the principle of Secure by Design. It’s a very interesting topic and one that correlates perfectly with my recent posts on the issues surrounding SMEs, and their attitude to Cyber Security, and the posts about risk management.

What do we mean by Secure by Design? Well, it’s all about identifying and managing your risks, so your future cyber security strategy, and the resources needed to fulfil that strategy, might look very different to how it’s structured today. It will take a clear business focus, with the management team clearly communicating the business requirements to the IT and cyber security teams, so that everything is in alignment.

Let’s look at how most SMEs approach cyber security today. To be fair to them, their focus is on obtaining IT solutions that support the business, and obtaining them as cost effectively as possible, and with the minimum of support costs. Cost control is vital to many SMEs. This means that they are extremely reluctant to spend money on what they see as not being part of their core business. Of course, if they get a cyber-attack or scam, or worse a data breach attracting the attention of the ICO, then their costs trying to fix the issue can easily outstrip any costs in prevention.

The approach most take is to trust their IT provider to give them the protections they need. Most of these IT providers are what is known as re-sellers, ie they sell other people’s products and will push those products because that’s their business model. What they won’t do is take a risk managed approach which is essential in ensuring that any limited spend on security, limited because the SME is cost constrained, is targeted where it’s needed and will be most effective. In other words, the technological approach taken by most IT support company’s, will do half a job at best.

In essence then, if you don’t understand the risks you face, how can ensure that your cyber security strategy and protections, are fit for purpose? Risk management is all about helping us to create plans for our future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis.

Business risk, in terms of cyber security, encompasses all aspects of protecting your assets, including computer systems and networks, from unintended or unauthorized access, change or destruction. Cybersecurity includes controls, processes, and technologies to ensure the protection of data, programs, networks and associated software from unauthorized access or attack.

Cybersecurity protects organisations from malicious cyber-attacks and data breaches. A comprehensive cybersecurity strategy should include preventive measures such as strong authentication protocols, encryption, and threat intelligence analysis; detection mechanisms to rapidly identify attacks; response plans to quickly mitigate the damage; and recovery procedures to help recover after an attack. All these operational capabilities can help ensure organizations are better prepared to defend themselves against potential threats.

This differs from the purely technical approach which is a branch of cyber security focused on protecting computers, networks, and programs from unauthorized access to data either by hackers or other malicious players using tools such as firewalls, anti-virus software, intrusion detection systems and more to prevent and defend against attackers. It is subservient to the overall strategy, which is focused on People, Process and then Technology.

A good starting point is an acceptance that risk can’t simply be abolished. Risk must be recognised and then managed in some way or other, classified in some way, many choose a simple High, Medium and Low. And whilst we would all like to abolish risk, that won’t happen. There is no business without some risk, the trick being to minimise risk to an acceptable level.

You will often hear the claim, ‘We have no clear definition of risk’. How on earth can we manage something that we haven’t defined? Fair enough. Given this, how can we really know what everybody else means when they talk about ‘risk’?

We can see a clear lack of a definition as an essential aspect of risk management. The fact that organisations won’t necessarily know exactly how everyone defines ‘risk’ forces us to explain to each other what we mean. It makes us ask questions and challenge assumptions.

Simply put, of course, a definition for an individual organisation may simply be this question for each business asset or process, ‘what would the risk to the business be if this process/asset was corrupted/denied/compromised or lost’? This gives us 4 risks, data corruption, denial of access, lost and compromised data/hardware/software etc, and it allows us to immediately assign a level to that risk of high, medium, or low, depending upon the perceived hit on the bottom line.

It’s a false and dangerous notion that you can fully understand and manage all risk. Instead, you should approach this with a sense of realism and pragmatism. Breaches of cyber security can and do happen to anyone, even the most diligent.

Don’t try and chase the Holy Grailof perfectly secure systems and a risk-free business; just make sure that you have thought about what can go wrong, and that this thinking has influenced your decisions.

Don’t despair, you can still protect yourself from many cyber-attacks by following good risk management techniques that define what controls you need to put in place, be they procedural or technical in nature.

In summary Risk Management is a proactive attempt to recognise and manage internal events and external threats that affect the likelihood of a cyber-attack or data breach.

What can go wrong (risk event).
How to minimise the risk events impact (consequences).
What can be done before an event occurs (anticipation).
What to do when an event occurs (contingency planning).

Of course, we do hear the argument that an SME can’t get involved with Secure by Design because they can’t afford the resources to do so. We suggest you have a word with us and see how we can help in a cost effective way that won’t break the bank.

Can a Board Advisor Help You Devise Your Cyber Security Strategy?

I’ve always dabbled in Board Advisory roles, even when working for major IT integrators, because consultancy at a senior level, often crosses that boundary. The bigger companies will often value having independent advice, although I have found it’s not always welcomed by their in house IT/Cyber team, who can become quite defensive. The more experienced of them do see the value, even if it’s only validating what they have already put forward as a solution to a particular problem. And they often use a Board advisor to craft the boring bits, around strategy and policies. And I’m OK with that.

When we set up H2 to service the SME sector, we naively thought that they’d welcome an advisor who could guide them through what can be a difficult minefield. It was a bit of an eye opener that SMEs don’t see the value in this at all. In fact, what they see is a drain on resources. It’s a little strange because they are very happy to spend money on getting advice from their local IT company that supplies, and often manages, their IT infrastructure, but who are also focused of selling a product set, dressed up as a solution. Now, I know that that will upset some IT providers and I’ll water my comments down a little by saying I’m referring to Cyber Security which is a distinct discipline which many nibble around the edges without any in depth knowledge or experience.

So, what does a Board Advisor do?

Board Advisors help to guide businesses but are not legally authorised to bind them. As companies establish themselves, moving from an idea to a fully structured and realised organisation, they typically prepare for full operation, sales, and/or fundraising, and in my case, Cyber Security.

As they begin these processes, experts in the field – including mentors or specialists brought into the organisation by a mentor – become hugely valuable as the organisation works to achieve its goals. Advisors are key assets, and it’s crucial to formalise exactly what they will provide, their availability, who they can introduce you to, and how much time they can give you – as well as how they will be compensated in exchange for these services. A board advisor can help fill in any gaps in your team in terms of both experience and expertise. They can also help you bring in new team members and sometimes sources of funding as opportunities allow. Most crucially, they can do all of this while giving you time to think about what you need to be doing to grow your business, or just get it and keep it, running.

Board Advisors are also far more flexible, offering services either on an ongoing basis, in parallel to a Board of Directors, or as part of your transition into a formal, Board-run business. In other words, they are not full time employees, but work on a part time basis where you pay them for their time, bounded as you see fit.

How does a board advisor add value?

In terms of cyber security, a Board Advisor is an experienced cyber security professional who provides advice and support to a business’s leadership without sitting on their Board. They provide counsel based on their prior experience in this field to help the Board make decisions, especially when faced with unfamiliar challenges. And most challenges in the field of Cyber Security will be unfamiliar to them.

When working as an advisor it is essential that we are excellent coaches and can demonstrate our deep knowledge of the subject. We need to take both their board members, their in house IT teams and IT users, getting them onside and letting them know that we are there to enhance their knowledge and skills, we are not their enemies. We must also be prepared to work with any IT company they may have under contract, although that can be a bigger challenge.

Summary

Having a Board Advisor who can mentor the leadership team and other employees, either on a retainer or paid for actually hours worked, can be a great boon for an SME. Just having someone who can debunk the myths and devise strategy, training programmes and advise on cyber risk, is something that any SME management team should value.

What Are The Chances of a Cyber Attack Affecting You?

That’s a really good question and one that’s very difficult to pin down. There are studies galore, mostly from the cyber security industry, and you might feel a little sceptical about those, but also from Governmental sources, which you might consider hold more weight. Fear, Uncertainty and Doubt, known as FUD, permeates the airwaves about this and it can be a bit of a nightmare separating fact from exaggeration. And I get that, I really do.

Aviva, not of course a cyber security company but who nonetheless do sell insurance, carried out some research reported in December 2023, which seems, on the fact of it, to be a little more realistic. They have said that one in five UK businesses have experienced a cyber-attack or incident, with nearly one in 10 (9%) small businesses experiencing this in the last year. This number rises to 35% of large corporate businesses, showing the increasing risk that cyber presents. But even this has some problems in that it depends on how many businesses reported such an attack or incident. There is other research that suggests that many businesses, especially SMEs, keep such things well under wraps.

Small Business Cyber Attack Statistics 2024 (And What You Can Do About Them) says that SMEs account for 43% of cyber-attacks annually, of which 46% were SMEs with 1,000 or fewer employees.

In the 2023 Not (Cyber) Safe for Work Report, there are some alarming statistics. A staggering 97% of executives use personal devices to access work accounts, and 74% frequently send work-related emails and texts from these devices. Behaviour which significantly increases the vulnerability of SMEs to cyber-attacks, putting not just operations at risk but also sensitive employee and customer data.

SMEs are often repositories of a considerable amount of personal and financial information, making them lucrative targets for cyber criminals. The report further indicates that one in three respondents has fallen victim to data theft via scams. A single can result in identify theft, financial loss, and severe reputational damage.

This is a suggested list of the top 10 Cybersecurity Threats:

Social Engineering (often a precursor to Phishing).
Third-Party Exposure.
Configuration Mistakes.
Poor Cyber Awareness and Practice.
Cloud Vulnerabilities.
Mobile Device Vulnerabilities.
Internet of Things.
Ransomware.

Given that many SMEs have now adopted the hybrid working style since COVID, these are not particularly surprising. Working remotely isolates employees who can be much more easily panicked into doing things that are unsafe, than if they have someone on hand, in the office, they can turn to for advice. For example, Phishing. Should I click this, does look a bit iffy? I’ll ask Fred and see what he thinks. As opposed to sitting at home, working to a deadline, and getting pressured by well-crafted Phishing emails, and thinking, I’ll just do it, what’s the worst that can happen?

One of the major problems facing all sizes of business is the lack of cyber security skills available for hire, either as an FTE or a contractor. Shockingly, In September 2023, 50% of all UK businesses had a basic cybersecurity skills gap, while 33% have an advanced cybersecurity skills gap. These figures are consistent with those from 2022 and 2021, highlighting the persistent skills gap issue.

We talked a little bit above, about people using their devices. This isn’t necessary a major issue, providing the individual is prepared to adhere to some security controls being placed on that device, if it is to be used for work. It’s a bit of a balancing act. It is reported that 80% of employees are uncomfortable with the idea of their personal devices being monitored by their companies, yet 73% would consent to having cyber security software installed on their devices. So, a balanced approach is needed, which respects individual privacy while ensure collective security. Not easy.

Here are 5 actionable steps we are recommending SMEs take:

Employee cyber awareness training. Probably the biggest and cheapest quick win any SME can and should be taking.

Strong access control using multi factor authentication. This should be a no brainer.

Cyber Security audits and monitoring. Not easy for many SMEs who will be put off by thinking about costs. However, this has become much more affordable, and all SMEs should be having conversations around this.

Encryption. Again, becoming much more affordable and easier to use. If your sensitive data is encrypted, the chances of falling foul of data protection becomes much less of an issue.

Supply chain security. Many SMEs are in the supply chains of the bigger companies, often utilising online processes, connecting direct to the customer. What would happen if a cyber-criminal gained access to a customer of yours, through your systems?

There is no silver bullet for this. First and foremost, it must be recognised as a business issue, not an IT issue. It must be owned from the top, and dealt with by the board, as they would any other business issue. You can outsource your IT management, but you can’t outsource your responsibility.

Risk Analysis and Security Strategy