There’s a lot being said in various quarters about the Internet of Things (IOT) but whenever it comes up in conversation with senior people in the SME world, even those businesses that are in the medium bracket, with significant numbers of employees, it raises a titter or two.
So, what is it and why would that be? According to Wikipedia, IOT describes devices with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other communication networks. The IOT draws on electronics, communication and computer science engineering, and covers a vast array of devices, from household appliances to industrial equipment, all connected online. These devices often lack robust security features, making them susceptible to attack. Common vulnerabilities include insecure firmware, weak authentication, default or hard-coded credentials and unnecessary network services left exposed. For example, IOT devices can be compromised en masse to build botnets that launch massive Distributed Denial of Service (DDoS) attacks. As the IOT continues to grow, securing these devices becomes increasingly critical, necessitating security strategies that explicitly take IOT into account.
IOT in a nutshell then, does not just refer to everyday household items that have a processor and remote capability, but also systems within your business. For instance, if you can turn on your lights, start a cooker going, turn on the kettle etc, all from your phone on your way home, you can do the same on your way into work. And of course, we have Siri, and Alexa amongst other systems, all interconnected in some way in your home, and increasingly, in your office, and to the internet.
Whenever it’s discussed all the usual lighthearted comments about being hacked by your kettle, or held to ransom by your toaster, come out in the conversation. And there is some amusement to be had. But there is a serious side to this.
Increasingly we are seeing smart appliances in the workplace that could be used to jump onto the more serious elements of a network. We are already at a place where some functions perceived as routine, even mundane, can be used to jump onto other network devices. For instance, most businesses have security cameras and alarm systems. Many of these are IP based and connected via the LAN. OK, but many are also remotely maintained by a variety of suppliers. I have found it not uncommon for these suppliers to arrange their own backdoor into the system in order to maintain it, often without the client knowing how that is done. This provides a very neat circuit around the router and firewall and, since most SME networks are flat, access onward to all parts of the network. A flat network is an unsegmented network, i.e. all devices are attached to a single WIFI or wired network with no further network protection once through the gateway.
This of course is not the only example, but it shows how poor security architecture, oftentimes put in place by local network providers, can have a seriously detrimental effect. So, what I am saying is that as many more devices become ‘smart’ and interconnected via the LAN, security architecture becomes just as important for the SME as it is for the larger enterprise. The problem is that awareness and support within the SME community, and among their suppliers, tends to be lacking.
These days we have to add in the move towards remote working, either full or part time, and the increasing use of AI, which adds many other threats to your systems, and I have explored these in other blogs, which you can view on my website, https://hah2.co.uk/news/. How many of your staff, using their home WIFI to connect to your company systems, also have IOT devices connected to the same WIFI router that they are using to connect to you? How are you managing that risk? Or are you?
Cyber Security continues to be, all too often, treated as an IT issue. Now this is a drum that cyber security professionals have been banging for a long, long time. Cybersecurity is NOT an IT issue, it is very much a business issue. But we do struggle to get that across, particularly in the SME market, which continues to view it as purely technical in nature.
Now, whilst I’m not always enthusiastic about the stats and reports that are published, simply because they tend to be industry publications whose authors often have an axe to grind, they can make some very good points. Let’s look at some key challenges being encountered:
Cybersecurity spending appears to be slowing (although that depends on who you speak to), while boards are starting to push back and ask what they have achieved after years of heavy cybersecurity spend.
Boards and senior executives are asking the wrong questions about cybersecurity, leading to poor investment decisions.
Many current approaches to improve cybersecurity are falling short of providing appropriate and defensible levels of protection.
SMEs are invariably focused on cost, which means optimising their spend to ensure that they get the biggest bang for their buck, to coin a phrase. However, time and again we see that they have spent sometimes considerable sums on technology without actually understanding what risks that technology is there to mitigate, and therefore have no real idea whether it is doing what they have been told it’s doing. The amount of money involved is of course relative: a sum that would be a minor consideration to a much larger business can be substantial for a small one. So, it becomes crucial that the mitigations put in place are appropriate to the risks they are there to mitigate.
This comes down to another drum we like to beat, that of risk management. Below is a link to a short video which explains the risk management process as it pertains to cyber security. Look at it with the view that it can be a matter of scale: the smaller businesses may not need to go through the whole process, but will need to go through much of it.
Note that I use the term mitigate rather than prevent. That’s simply because eradication of risk is not possible if you are going to continue to do business. The best you are going to achieve is to mitigate that risk to the lowest level achievable without getting in the way of business.
Let’s consider the following challenges and their impacts:
Challenge: Societal perception of cybersecurity is that it is a technical problem, best handled by technical people, although that tends to be most pronounced amongst the SME community. There is evidence, though, that this is slowly changing.
Impact: Societal perception is dominated by fear, uncertainty and doubt. It results in poor engagement between management and suppliers, unproductive exchanges and unrealistic expectations. Ultimately, it leads to bad decisions and bad investments in cybersecurity.
Challenge: Organisations are focused on the wrong questions about cybersecurity. The question asked is “what do I need to buy to secure my data?” rather than “what do I need to secure, and what is the priority?”
Impact: Unproductive questions are indicative of poor understanding, and drive attention away from improving that understanding and therefore away from better investments.
Challenge: Current investments and approaches designed to address known limitations are not productive.
Impact: Many SMEs are focused on technology and have a poor understanding of cyber risk management. This is often compounded by an equally poor understanding within the IT management companies they outsource to. This leads to a combination of poorly scoped solutions and, all too often, failed execution and unrealistic expectations.
Challenge: Real failures are not getting enough attention to productively change behaviour.
Impact: Compliance with any regulation does not equal appropriate levels of protection.
Now, whilst some of these impacts may not be a 100% fit for many SMEs, particularly at the smaller end of the bracket, they are close enough to be taken very seriously indeed. Poor decisions are being taken every day in regard to the purchase of hardware and software to protect against cyber threats, without any kind of risk assessment having been carried out to understand what risks they are trying to mitigate. The end result is an investment in technology that, on its own, will not prevent many of the cyber threats that abound today, coupled with a false sense of security.
A competent cyber security professional will approach the problem from the point of view of People, Process and Technology, understanding that many mitigations require a combination of 2 or 3 of those to provide an adequate response to the threat. For many SMEs, one of the biggest and quickest wins they can achieve is cyber awareness training for their staff. If their staff are aware of the issues, they have a much greater chance of recognising a scam, a phishing attack, an attempt at social engineering etc. And oftentimes such things can be mitigated by sound policies and processes. All of this prior to even considering spending money on technology. However, the very first thing that should be considered is to undertake a risk management process to identify the threats and vulnerabilities inherent in the business, thus enabling the risks to be identified and working out what mitigations are needed to drive the risks down to an acceptable level. SMEs almost never do this and it is a fundamental mistake.
All the information below is contained within the website but we thought it might be useful to summarise it in one post to make it easier for people who want to understand what we are all about.
About myself and H2
I like to start any discussion by saying that I’ve been in the cyber security game almost since before it was a game! I started in Information Security at the MOD at a time when IT and databases were in their infancy and got in on the ground floor. I subsequently went to work for the NHS, HP/HPE, CSC and Symantec, during which time I led many major cyber security projects in the public and private sectors, designing and commissioning the Security Operations Centre for the FCO, carrying out several projects for the MOD, leading the security team for the new online passport application, as well as several high street banks.
In 2013 I was asked to go to the middle east to set up a Cyber Security team covering the UAE, Bahrain, Saudi Arabia, and Qatar, growing the team from 3 people to 24.
On return my business partner and I set up H2 to serve the SME community. Sadly, my business partner did not survive the pandemic, and I am now the sole management of the company.
So why SMEs? Surely there’s more money in corporate security?
Well yes there is, but SMEs are at the heart of our ethos. During our time working in the corporate sector, it became clear that there was little to no support given to SMEs, either at the S or the M end of the scale, and the big security companies and system integrators were content to leave that to their resellers, i.e. those local IT support companies that resold their products.
Here at H2 we understand that the only real difference between an SME and a corporate organisation, in terms of cyber security, is that of scale. We have therefore scaled our services, the products that support them, and our pricing, to fit with an SME’s issues and pocket. We like to say that we offer a triple A service providing solutions that are Appropriate (to you), Affordable and Accreditable (to standards such as Cyber Essentials).
Take a look at our Blog and social media posts. We try to inform and educate, placing a link between what we know, and what SMEs need to know but are rarely told.
Solutions Provided to SMEs
The first thing that we discovered is that SMEs have a very poor grasp of cyber security issues, although that is changing following the pandemic, when many were forced to change their working practices almost overnight and have subsequently embraced a distributed working model. There is no doubt that the propensity for working from home, or other remote locations, since COVID has introduced some very difficult, or at least challenging, security vulnerabilities into SME networks. For instance, prior to the pandemic, when they were 100% office based (except perhaps some mobile salespeople), their local IT provider will almost certainly have set up what we called the bastion security model, i.e. like a castle or bastion, you had a wall around you and, for belt and braces, you also had a moat. The gateway was robust, with a drawbridge and portcullis, or let’s call it a secure firewall and anti-malware system. Everything was locked up inside, nice and secure (in fact it probably wasn’t, but that’s for another day).
Whilst Microsoft didn’t invent the term the ‘new normal’, they were the first, I believe, to apply it to IT, following the enforced change in working practices brought about by the pandemic. Many companies have embraced this new normal and have settled into some form of hybrid working. Of course, this is nothing new, it’s been ‘a thing’ for years now, certainly in corporate organisations. The real change came about in SMEs for whom it really was quite revolutionary. Corporate bodies will have spent a lot of money on a variety of remote access systems to keep their data secure, whilst SMEs not only had to rush unprepared because of the pandemic, but they simply didn’t have the budget to employ more secure connections.
What the pandemic has done is change that, or perhaps arguably, accelerated the change to a more distributed way of working, already underway in corporate organisations but now common amongst SMEs.
Our first challenge then was that of education: changing the mindset of SMEs, moving them away from being simply technology focused, onto a more business oriented cyber security focus. Cyber security is a business issue, not a technical issue, and that is something that many SMEs fail to grasp. Any true cyber security professional takes a risk managed approach, identifying the risks posed to their client, and then applying the principles of People, Process and then Technology, in that order. That risk managed approach is equally applicable to all sizes of organisation in all sectors and has not changed since the advent of the internet.
Taking the services we provide as shown clearly on our website (where pricing is shown), www.hah2.co.uk, the first is that of Board Advisory, where we offer advice and guidance to our clients regarding their security. We often end up providing this advice for free as we are putting forward solutions to solve their issues but there is of course a limit to that. We also offer a Cyber Maturity Assessment (CMA), which is close to a full risk assessment but tries to keep the costs down to an order that an SME can afford. The CMA is fully described on the website, and we won’t reprint that here.
Another service we provide is Penetration Testing and Vulnerability Assessment. Pen Testing is a point in time test, i.e. the minute you finish it and have read the report, it’s out of date. It is however useful to do once a year, or when you add a new feature to your systems or take a new system into use. We use a fully qualified CREST team who can, if you wish, also carry out attack simulations.
Vulnerability assessments are carried out continuously via agents deployed on the network. The main difference is that whereas a Pen Test demonstrates real, exploitable issues, a vulnerability assessment finds things that you may be vulnerable to but which have not necessarily been exploited and which, once investigated, may turn out not to be a real issue. Vulnerability assessments are, however, continuous throughout the year and for that reason can be the more effective of the two.
We talked earlier about People, Process and then Technology. Arguably your first line of defence is your people. They can also be your weakest link. Data leaks often occur inadvertently, due to a lack of awareness rather than malicious intent. We offer cyber awareness training designed to equip your team with the knowledge and skills to safeguard sensitive information.
This training can be delivered in one of 2 ways. The first is classroom based, either on site or over a remote connection such as Zoom or Google Meet. The second is online training provided via another of our solutions, described below, which allows staff to pick when they will take some time to undertake the training. It is delivered in a modular fashion, taking up very limited time, so it won’t take staff away from their desks for too long.
Another very important service which we provide online, cloud based, using a SaaS solution, is aimed at Data Protection. Clients with large amounts of sensitive data that they wish to protect use this solution. It is essentially a data loss prevention system that is designed and priced for SMEs, using state of the art file level encryption. This system comes with a 30-day free trial so that clients can see it for themselves.
Based on Actifile, it is tailored to the unique needs of the modern business, which often sees its staff work remotely as well as in the office. It protects the valuable data you hold and reduces your risk, without breaking the bank. It covers:
Insider Threat Detection: Protect your business from internal threats posed by employees
Ransomware Protection: Safeguard your data from ransomware attacks that can cripple your operations
Data Leakage Prevention (DLP): Prevent confidential information from falling into the wrong hands
Data Privacy and Compliance: Ensure you meet GDPR requirements and avoid costly fines
Automated Encryption: Protect sensitive data with encryption that’s easy to manage.
In the dynamic world of cybersecurity, staying ahead of evolving threats requires a comprehensive approach that adapts to the ever-changing landscape. At H2, we recognise that one-size-fits-all solutions often fall short, which is why we’ve developed a flexible and scalable cybersecurity solution powered by Guardz, to address the needs of our clients.
Our approach is grounded in sound risk management principles, ensuring that our solutions are aligned with your specific cybersecurity requirements. Whether you need one or more of our products woven into a solution, we can tailor that solution to meet your exact needs and budget.
This complements the data protection solution whilst remaining capable of standing alone. Especially devised and priced for SMEs, it maintains our commitment to affordability and accessibility, which is reflected in our incredibly competitive price of £12 per seat, with no hidden charges, add-ons, or expensive infrastructure costs. The solution comes with a 14-day trial to give you hands-on experience with our solutions and assess their impact on your business.
This solution comes with a fully loaded Cyber Security Awareness training course, and a Phishing simulation capability.
You should note that we have bundled the 2 managed services together and offer them at a price reduced by £3 per seat per month.
Finally, we offer certification in Cyber Essentials and Cyber Essentials Plus which provide robust defences, endorsed by UK government to guard against common cyber-attacks. They are required certifications to work with public sector entities, and achieving certification signals a commitment to securing client data.
We now offer different pricing options to our clients. For Cyber Essentials we offer:
Our Supported Package, whereby we guide you through your self-assessment, ensuring that you achieve certification first time, can be purchased at a one-off price (which we are happy to quote for) or as a monthly subscription from £61 per month.
If you are short on time or not too sure what to do, try our Turnkey Package, whereby we carry out the assessment for you in its entirety, once again ensuring that you achieve certification first time. This can also be purchased as a one-off at a price which we are happy to quote for, or as a subscription starting at £120 per month.
We can offer consultancy around ISO 2700X if it is considered desirable or appropriate. We can advise on that.
In the last year, 39% of all businesses in the UK were the victim of a cyber-attack
20% of these lost money or data as a direct consequence
31% of these estimated they were attacked at least once a week
The average financial loss to a business is £19,400
Phishing emails continue to be a major threat to businesses
Hacking of social media and email accounts to extort victims or to enable cases of fraud is increasing – over 8,000 cases in 2021/22, an increase of 23.5% on the previous year
Ransomware attacks are one of the most serious threats to businesses and organisations – they can prevent users accessing their devices, network, and data, and confidential information can be deliberately leaked unless a ransom is paid
There is a rise in Ransomware as a Service (RaaS) transactions where sophisticated ransomware programmes are leased to less technical cyber criminals so they can launch their own attacks
Most ransomware criminal gangs that target the UK are based in and around Russia
The NCSC (the National Cyber Security Centre) dealt with more than two million malicious cyber campaigns over the last 12 months
63 cyber-attacks needed a national level response
Only 33% of businesses conduct a cyber risk assessment
The percentage of businesses which have Cyber Essentials certification is climbing but is still far too low.
45% of businesses have staff using personally owned devices to carry out work related activities (BYOD – Bring Your Own Device policy)
Only 14% of businesses invested in threat intelligence and only 17% carried out a cyber security vulnerability audit
Only 23% of businesses have a formal cyber security strategy and only 38% have any kind of cyber security insurance (with only 5% having a dedicated cyber security insurance policy)
Only 17% of businesses have had training or awareness raising sessions on cyber security in the last 12 months
Glossary
Phishing
Fraudulent attempts to extract important information, such as passwords, from staff.
Ransomware
A type of malicious software designed to block access to a computer system until a sum of money is paid.
Malware
Malware (short for “malicious software”) is a type of computer program designed to infiltrate and damage computers without the user’s consent (e.g. viruses, worms, Trojan horses etc).
Threat Intelligence
Threat intelligence is where an organisation may employ a staff member or contractor or purchase a product to collate information and advice around all the cyber security risks the organisation faces.
Sources
The National Cyber Security Centre (NCSC), part of GCHQ
UK Government Official Statistics – Cyber Security Breaches Survey
Hybrid Working
Welcome to the changing world of work
Whether you’re an employer or an employee, you’ll know the world of work has changed.
The global Covid-19 pandemic and national lockdowns around the world meant factories shut their gates, shops closed their doors, and offices were forced to quickly transition to remote working. And this has fundamentally changed how many businesses operate today.
According to the Office for National Statistics (ONS), despite lockdown being over, a significant percentage of all UK staff now work remotely some or all of the time.
But these hybrid staff are not just working from home when they’re not in the workplace. They are also working from coffee shops, in shared working spaces, in airports and motorway service stations, and from other locations outside of most SMEs’ security boundaries.
What’s more, they are connecting to your network, downloading and uploading files, and sharing business sensitive information in more ways than ever before. And they’re using Cloud services and messaging apps (such as WhatsApp), and other communication systems and sharing tools, to ‘do business’ because they’re fast and easy.
But this hybrid way of working, and the speed and convenience of these systems and tools, comes at a cost. Your business information and data is now distributed like never before outside of your network and stored in locations that you may never know about.
For today’s cybercriminal, this presents a huge opportunity. They no longer need to target a company through their workplace network; instead, they can target businesses and their employees – and most importantly, their sensitive and confidential data – on the sites and in the places outside of your protected security network.
That’s why hacking of social media and email accounts to extort victims or to enable cases of fraud has increased by more than 23% over the last year.
And why the NCSC (the National Cyber Security Centre) had to deal with more than two million malicious cyber campaigns.
But with 39% of all businesses in the UK becoming the victim of a cyber-attack, the threats to SMEs in today’s hybrid world are increasing.
The Challenge for SMEs
In the UK and Europe, a business is classified as a SME (a Small to Medium-sized Enterprise) if it has fewer than 250 staff and a turnover of less than €50 million or a balance sheet of less than €43 million (although this definition has changed over the years).
And according to the DTI, 90% of UK GDP comes from SMEs including micro businesses with fewer than 10 staff.
But worryingly – but perhaps not surprisingly – the NCSC (the UK’s cyber security authority) and ENISA (the EU equivalent) are predicting a spike in cyber-attacks on SMEs, following a rise in attacks on smaller businesses in the US and Australia.
Why are SMEs the main target of cybercriminals?
There are two main reasons why cybercriminals are increasingly targeting smaller businesses, as follows:
1. Resources
Cybercriminals know that most SMEs don’t have the resources of enterprise level companies and therefore haven’t invested in the cyber protection that larger companies often do.
Many enterprise level companies use Managed Security Service Providers (MSSPs) to provide the cyber protection they need, sometimes working alongside their own internal dedicated cyber security staff.
Most SMEs simply don’t have the ‘deep pockets’ to do this, making them an easy target for cyber attackers.
2. Level of concern
For many smaller businesses, cyber security is simply not something they believe is a priority compared to the numerous other things they have to worry about.
And in most cases, they believe that they are already effectively protected because they use an outsourced IT partner (for things like managing their network or supplying hardware) or because they use Cloud based systems.
But cybercriminals know that things have changed since the onset of Covid and that more and more employees are now working remotely and using many different systems and online tools, outside of their traditional IT security boundary.
What’s more, many companies have adopted a Bring Your Own Device (BYOD) policy that means staff can use their own personal devices – such as laptops and phones – for work purposes.
All of this means cybercriminals have more points of entry than ever before from which to launch an attack.
Zero Trust Architecture and Shadow IT
When companies have files located in different places and spread across various systems and Cloud based solutions, they need what is known as a zero trust architecture. This model assumes that the network itself cannot be trusted and that breaches will happen, so every access to data is authenticated and authorised on its own merits, wherever the user or device happens to be. That matters all the more when important data is held on third party systems such as communication apps and third party portals that staff have adopted without the business sanctioning or monitoring them, collectively known as shadow IT.
SMEs typically do not understand the principles of zero trust architecture, and they use (or fail to monitor) shadow IT, meaning they rarely truly know all the locations where their data is held and whether it is protected.
Cyber Security Principles
Despite not having the resources of enterprise level companies, the basic principles of cyber security are the same for small businesses as they are for much larger ones.
Principle 1 – Understand the value of your data
Whether you’re a multibillion pound conglomerate or a sole trader working from home, the first thing you need to know is the value of your information assets and data. This could include your customer records, financial information, your passwords and system login details, intellectual property, and much more. All data has a monetary value.
One way to calculate the value of this is to estimate what the cost would be to your business if this data and information was compromised or stolen. Would the situation be recoverable, or would it mean the end of your business, both financially and reputationally? And even if you’re one of the 5% of UK companies that has a dedicated cyber security insurance policy, would this cover you for all the losses you would experience?
Principle 2 – Understand the threats
Do you really know what cyber-attacks could threaten your business? Could cyber criminals send you or your colleagues phishing emails in an attempt to extract important information or passwords? Or could they attempt to install ransomware software on your network that could lock you and your team out of your systems until a ransom is paid? Or could a virus, worm, or a Trojan horse be installed on your network due to a malware attack aimed at damaging your systems?
It’s important you know the threats facing your business in order to understand your vulnerability to those threats.
Principle 3 – Understand your vulnerability
How exposed is your business to the possibility of a cyber-attack? To understand your vulnerability, think about any security measures you have in place, as well as gaps in your protection that may be easily exploited by a cybercriminal.
But keep in mind that like many other companies nowadays, your staff are most likely working outside of the traditional workplace environment some (if not most) of the time, and the locations they are now working from – and the methods they use to communicate, share, and work – are likely to be outside of your traditional network boundary. This greatly increases your vulnerability to a cyber-attack.
Principle 4 – Know your risk and mitigate
Once you know the value of your information, the threats that exist, and your vulnerability to a cyber-attack, you’ll know the risk that faces your business. But rather than believing you need to eliminate all risk – which even enterprise level companies and national organisations and governments struggle to do – you need to mitigate it to a level that is acceptable for your business.
This may involve implementing new security procedures or installing new software or changing how staff work or providing cyber security training, so all staff know what to watch out for. Or it could mean you have a cyber security audit carried out on your business or hire a (on-premises or remote) Cyber Security Officer who actively monitors your systems and protects you from existing and new cyber threats.
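As an added worked example (not from the original post) of the “know your risk and mitigate” step, and of the earlier point that risk is mitigated to an acceptable level rather than eliminated: a small risk register scored on a 5 by 5 likelihood-times-impact scale, with controls classed as People, Process or Technology reducing the inherent score to a residual one, which is then compared against a stated appetite. The scoring scheme, the sample risks, the effect assigned to each control and the appetite are all assumptions made for illustration; residual scores are floored at 1 so no combination of controls drives a risk to zero, and risks defended by technology alone are called out, since the post argues that most mitigations need two or three of the three strands.

```python
"""Risk register worked example: inherent vs residual risk against an appetite.
All values are constructed for illustration, not real client data."""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # 1 (rare / negligible) .. 5 (almost certain / business-ending)


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                     # "people", "process" or "technology"
    likelihood_reduction: int = 0  # points taken off the likelihood score
    impact_reduction: int = 0      # points taken off the impact score


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be scored 1..5")

    def inherent(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk after controls; scores never drop below 1 (mitigated, not eradicated)."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp

    def control_mix(self) -> set:
        """Which of People / Process / Technology the controls cover."""
        return {c.kind for c in self.controls}


def assess(risks, appetite):
    """Rows sorted by residual risk, highest first, marking which are within appetite."""
    rows = [{
        "asset": r.asset,
        "threat": r.threat,
        "inherent": r.inherent(),
        "residual": r.residual(),
        "accepted": r.residual() <= appetite,
        "mix": sorted(r.control_mix()),
    } for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def above_appetite(risks, appetite):
    """Assets whose residual risk still needs further mitigation."""
    return [r.asset for r in risks if r.residual() > appetite]


def technology_only(risks):
    """Risks defended purely by technology, with no people or process control."""
    return [r.asset for r in risks if r.control_mix() == {"technology"}]


APPETITE = 8  # assumed: anything scoring above 8 needs more work
SAMPLE_REGISTER = [
    Risk("Customer database", "Ransomware", likelihood=4, impact=5, controls=[
        Control("Staff awareness training", "people", likelihood_reduction=1),
        Control("Tested offline backups", "process", impact_reduction=2),
        Control("Endpoint detection and response", "technology", likelihood_reduction=1),
    ]),
    Risk("Staff mailboxes", "Phishing for credentials", likelihood=5, impact=3, controls=[
        Control("Multi-factor authentication", "technology", impact_reduction=1),
        Control("Staff awareness training", "people", likelihood_reduction=1),
    ]),
    Risk("Office IP cameras", "Supplier remote-access abuse", likelihood=3, impact=4),
    Risk("Laptops", "Theft of unencrypted device", likelihood=3, impact=3, controls=[
        Control("Full-disk encryption", "technology", impact_reduction=2),
    ]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, APPETITE):
        flag = "ok " if row["accepted"] else "ACT"
        print(f"{flag} {row['asset']:<18} {row['threat']:<30} "
              f"inherent={row['inherent']:>2} residual={row['residual']:>2} {row['mix']}")
    print("still above appetite:", above_appetite(SAMPLE_REGISTER, APPETITE))
    print("technology only:", technology_only(SAMPLE_REGISTER))
```

The output makes the purchasing point from earlier in the post visible: the unmanaged cameras, which cost nothing, carry the highest residual risk, while the encrypted laptops score low but are held there by a single technology control with no process (such as a lost-device procedure) behind it.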
Perimeter-less 360° Protection for SMEs
In today’s hybrid world, what’s needed is a new approach to cyber security. A solution that provides advanced shield technology (proactive protection against all known and unknown security threats) and has the following features specifically designed for SMEs:
Works inside and outside of traditional IT security boundaries across all devices, systems, and platforms
Is built for a ‘perimeter-less’ ecosystem
Is designed for zero trust architecture and the use of shadow IT
Is low cost and flexible
Doesn’t impose unwieldy security barriers or restrictions but rather has been created to provide protection however and wherever staff are working
Protects against all external threats including ransomware (which most data loss prevention solutions don’t)
Has the ability to block ‘zero-day’ threats (attacks that exploit a vulnerability for which no fix yet exists, so the developer has had zero days to fix it) before a business has even identified that such a threat exists
Stops all attempts to write known and unknown malware onto the permanent storage of any device
Doesn’t require a big (and often expensive) effort setting up blocking rules or ongoing costly maintenance
Doesn’t cause any performance issues and has no impact on a device’s RAM or CPU
Is a real-time low maintenance ‘fit and forget’ solution that blocks 100% of unauthorised attempts to modify a business’s IT systems
An Innovative Solution
H2 Cyber Risk Advisory Services has developed a low cost managed cyber security solution for SMEs that is designed specifically for hybrid working and 360° perimeter-less protection.
360° Real Time Work Anywhere Cyber Protection fuses industry leading cross platform data discovery functionality with robust and innovative data flow monitoring capabilities so that you’ll know where every one of your files and all of your data is and how to protect it.
It provides both valuable insight and protection to stop you becoming the next victim of cybercrime.
Insight
The system analyses your cyber-attack vulnerabilities and risks factoring in every device connected on your network.
It quantifies the threats against your organisation’s particular appetite or tolerance for risk.
It prioritises responses based on factors important to your business and monitors the effects of your actions.
It provides clear actionable insight including security recommendations such as security patches, updates, or workarounds.
Protection
Advanced shield technology that provides a ‘one time’ fit security solution that protects against malware, ransomware, zero-day attacks, and all other cyber threats, known and unknown.
Shield technology does not use signatures so there is no need for constant updates to add newly discovered threats and no risk of becoming a zero-day victim.
The system proactively scans workstations, laptops, and other devices for sensitive data using smart patterning, and assigns a financial value to the risks you’re exposed to.
It tracks and audits data risk in real time by continually monitoring incoming and outgoing sensitive data flows to and from your perimeter-less organisation.
It uses a patented encryption process to automatically secure sensitive data across all endpoints, Cloud apps, third party portals, and shadow IT. The entire process from initial deployment through to data risk analysis and remediation by automatic encryption takes as little as 72 hours.
Benefits
H2’s 360° Real Time Work Anywhere Cyber Protection provides the following benefits:
Perimeter-less cyber protection for wherever you or your staff are working – at home, in a coffee shop, at an airport, or anywhere else
Ideal for remote and hybrid workers
Real time 24-hour protection inside and outside of the Cloud
Protects your network, your devices, and your information
Enterprise grade shield technology specifically developed for the growing number of SMEs being targeted by hackers and cyber criminals
360° protection against data breaches and cyber-attacks and scams
Simple subscription-based per month pricing – pay for just what you need and cancel anytime with 30 days’ notice
Ask yourself, do you know with absolute certainty where your data is? Are you sure that an employee hasn’t downloaded a piece of sensitive data onto their laptop or desktop at home to work on, before uploading it again? Have they forgotten to remove the copy they have on their machine, resulting in there now being two copies of the sensitive data, one sitting outside of your security boundary or outside of your Cloud systems? Or have they used a shadow IT tool, such as WhatsApp or some other communication system, to share the data outside of your network?
Ask about our free no-obligation trial to see how H2’s 360° Real Time Work Anywhere Cyber Protection can protect your business however and wherever your staff are working.
The Experts in Cyber Protection
H2 Cyber Risk Advisory Services was founded by industry leading experts in cyber protection who previously worked for a number of Fortune 500 companies, national governments, and leading technology companies including Symantec, Hewlett-Packard (HP), and BAE Systems.
Their experience in the security sector goes back to the late 1980s and includes designing the first security operations centre for the Foreign and Commonwealth Office (FCO), as well as leading security projects for the Ministry of Defence (MOD) and the Passport Office.
H2 was established in 2016 to provide the same quality of cyber and data protection to mid-market businesses and SMEs in the UK.
What else can H2 do for you?
As well as providing 360° Real Time Work Anywhere Cyber Protection, H2 provides the following services, each of which can be bundled into a comprehensive managed service:
Managed Cyber Security Officer – dedicated remote cyber security expert who proactively monitors your systems and cyber threats to your business, offered on a number of hours a month basis to suit the client
Innovative anti-malware solutions – these protect against malware threats and ransomware attacks
Patch management across your entire network
Cyber maturity assessments – examines and analyses all aspects of your cyber security stance, including policies and processes
Cyber Awareness Training for your staff – aimed at IT users and non-technical staff, and offered online as well as face to face
Cyber Essentials and Cyber Essentials + certification
I wrote a post earlier this week exploring what SME owners and directors really care about when it comes to cyber security! Do they really care about how the latest technological solutions work? Do they really care about the scare stories, or at least, do they really think that they apply to them? Oh, they might have a sneaky suspicion that it could be a problem, but is it on their mind enough for them to do something about it?
The argument was made that this is especially true in an economic downturn when they are focused on costs, even more than they normally are. They want robust cyber security solutions that don’t cost an arm and a leg. And what they don’t want is jargon and tech speak that they feel is aimed at bamboozling them with science in order to convince them they should buy something that they don’t actually need.
We are believers that what is needed is simplicity. SMEs are looking for user-friendly security measures that don’t require a PhD in Cyber Science. They don’t want jargon or even industry metrics. Remember the KISS principle – Keep It Simple Stupid.
Of course they are going to have a focus, and you need to understand what is important to them and what isn’t. That will depend on the nature of their business to a great extent. Whilst there are commonalities regardless of the vertical they work in, there will always be differences, some big, some more subtle, that will affect any cyber security solution.
Nowadays many SMEs are increasingly aware of cybersecurity risks, but a significant number still underestimate the importance of cybersecurity risk management. SMEs often face unique challenges in this area due to limited resources, competing priorities, and often a lack of expertise not just in their organisation but also in the IT support companies they use. Here are some insights into the current landscape:
Growing Awareness: SMEs have started to recognise that they are just as likely to be targeted by cyber threats as larger companies, partly due to high-profile ransomware attacks and data breaches affecting businesses of all sizes. As a result, awareness is rising, especially as more businesses transition to digital platforms and remote work, which increases exposure to cyber risks.
Resource Constraints: For many SMEs, the cost of robust cybersecurity measures can be prohibitive. They often lack dedicated IT and cybersecurity teams, which makes it challenging to implement and maintain comprehensive security protocols. Cybersecurity solutions can be expensive, so SMEs may prioritise short-term operational needs over what they might perceive as longer-term security investments.
Risk Perception and Underestimation: Some SMEs mistakenly believe they are too small to be targeted by cybercriminals, assuming that attackers primarily focus on large corporations. However, this “security by obscurity” mindset has been proven false, as attackers often view SMEs as easier targets due to their weaker defences.
Impact of a Breach on SMEs: Unlike larger companies, SMEs are less likely to recover from a significant cyber incident. A data breach or ransomware attack can be devastating, leading to financial losses, reputational damage, and even closure. Despite this, many SMEs may not fully understand the potential scale of these consequences.
Compliance and Regulatory Pressure: With increasing data protection regulations (e.g., GDPR, PCI), SMEs are under more pressure to adopt better cybersecurity practices to remain compliant. This has led to greater awareness among some SMEs, especially those handling sensitive data like healthcare, finance, or customer and payment information.
Cybersecurity Awareness Training and Culture: Even when SMEs implement some cybersecurity measures, they may lack the necessary employee training and risk management practices that foster a security-focused culture. Human error remains a leading cause of data breaches, so SMEs need to prioritise employee awareness and training.
In summary, while awareness of cybersecurity risk management is growing among SMEs, gaps remain, particularly around adequate investment, robust risk perception, and ongoing management of cybersecurity threats. Cybersecurity can seem overwhelming for small businesses, but as the digital landscape continues to evolve, understanding and addressing these risks is becoming essential for SME survival and growth.
I’ve talked about protective monitoring in the past but there are still some misperceptions about it, particularly amongst SMEs. Probably first and foremost is that it is way too expensive, which leads to thinking that it’s not for them and is much more of a nice to have than a necessity. I thought I’d take a bit of a deeper dive into this.
So, what is it?
Protective monitoring in cyber defence is a systematic approach to continuously observing and analysing an organisation’s digital environment to detect, prevent, and respond to security threats. It involves gathering and analysing data about network traffic, system activity, and user behaviour to identify potential vulnerabilities or malicious activity.
For a small or medium-sized enterprise (SME), implementing cyber protective monitoring is crucial for a variety of reasons. This proactive approach can be the difference between quickly identifying and mitigating threats or facing significant damage from a cyber-attack. Here are key reasons why SMEs should consider cyber protective monitoring:
1. Protection Against Data Breaches
SMEs often hold sensitive data like customer information, financial records, and intellectual property. Companies like law firms, financial advisors and estate agents will hold years’ worth of personally identifiable information as defined by the Data Protection Act, or UK GDPR if you prefer. Protective monitoring helps identify unusual activity within their network, such as unauthorised access or data exfiltration attempts, allowing for swift action to prevent breaches.
This is especially important as SMEs can be perceived as easier targets by cybercriminals compared to larger enterprises with more robust defences.
2. Regulatory Compliance
Many industries have strict regulations around data privacy and cybersecurity, such as GDPR and PCI-DSS. Protective monitoring helps SMEs stay compliant by providing visibility into how data is accessed, used, and secured.
It allows them to maintain audit trails of activity, which are often required to prove compliance during an audit or investigation.
3. Early Threat Detection
Cyber threats are constantly evolving, and attackers are often inside a network for days or weeks before launching an attack (such as ransomware). Protective monitoring enables the detection of anomalous behaviour that could indicate a security threat before it becomes critical.
This helps minimise damage by enabling a faster response to potential threats like malware infections, unauthorised access, or network vulnerabilities.
4. Cost-Effectiveness in the Long Run
While some SMEs may view cyber protective monitoring as an additional cost, it is often more cost-effective than dealing with the fallout of a cyber-attack. The financial impact of a breach includes legal fees, loss of business, damage to reputation, and potential fines from regulatory bodies.
By investing in monitoring, SMEs can save significantly on these potential costs, making it a smart investment, especially now that there are systems specifically designed and costed for SMEs.
5. Building Trust with Clients and Partners
Customers and business partners expect their data to be handled securely. An SME with strong cybersecurity practices, including protective monitoring, can build trust and demonstrate its commitment to data security.
This can serve as a competitive advantage, especially when dealing with larger enterprises or industries that prioritise security.
6. Rapid Incident Response
When a security incident occurs, the speed of the response is critical. Cyber protective monitoring provides real-time alerts when suspicious activities are detected, enabling SMEs to quickly isolate affected systems and take necessary actions.
A rapid response can help contain potential damage, maintain business continuity, and limit operational disruptions.
7. Mitigating Insider Threats
Not all cybersecurity risks come from outside the organisation. Insider threats, whether malicious or accidental, can cause significant damage. Protective monitoring can help detect unusual behaviour from employees or contractors, such as unauthorised access to sensitive data or suspicious data transfers.
This allows SMEs to address these issues before they lead to data leaks or other security incidents.
8. Scalability and Adaptability
As SMEs grow, their digital footprint and potential vulnerabilities expand as well. Cyber protective monitoring solutions can scale alongside the business, ensuring that security measures remain effective even as new systems, networks, and applications are added.
This adaptability makes it easier for SMEs to adjust their cybersecurity strategy as their needs change, without a complete overhaul of their security infrastructure.
9. Insights for Better Decision-Making
Beyond just identifying threats, protective monitoring can provide valuable insights into network usage and performance. SMEs can leverage this data to make better strategic decisions regarding their IT infrastructure, such as identifying redundant systems or optimising network resources.
It can also highlight areas that require further security investments, helping prioritise spending on cybersecurity.
10. Improving Overall Cybersecurity Posture
Cyber protective monitoring is a key part of a broader cybersecurity strategy. By continuously monitoring and analysing network activities, SMEs can better understand their vulnerabilities and areas for improvement.
This helps create a culture of security within the organisation, where cybersecurity is not just an afterthought but an ongoing priority.
Overall, cyber protective monitoring provides visibility, control, and peace of mind for SMEs, helping them navigate the complex and ever-changing landscape of cyber threats. By taking a proactive stance, they can protect their assets, maintain customer trust, and ensure long-term resilience against cyber-attacks.
Protective monitoring is not just for corporate organisations, but is for everyone, especially now that there are systems and services designed especially for SMEs and priced accordingly. Don’t leave it until it’s too late. Playing catch up and fixing problems after the event is always much more expensive than taking a pro-active stance.
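The “detect anomalous behaviour” idea running through the points above (early threat detection, insider data transfers, rapid alerts) can be made concrete with a few simple rules run over log lines. The block below is an added illustration, not code from H2 or any monitoring product; the log format, the three rules and their thresholds are assumptions chosen for the example, and the sample events are constructed.

```python
"""Toy protective-monitoring rule set run over constructed log lines.

Illustrative only: the log format, thresholds and rules are assumptions
for this example, not those of any product or managed service.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: "<timestamp> <AUTH|XFER> key=value ..."
SAMPLE_LOG = """\
2024-03-04T08:55:10 AUTH user=alice src=10.0.1.20 result=ok
2024-03-04T09:02:41 AUTH user=bob src=10.0.1.33 result=ok
2024-03-04T09:10:02 AUTH user=admin src=198.51.100.7 result=fail
2024-03-04T09:10:05 AUTH user=admin src=198.51.100.7 result=fail
2024-03-04T09:10:09 AUTH user=admin src=198.51.100.7 result=fail
2024-03-04T09:10:14 AUTH user=admin src=198.51.100.7 result=fail
2024-03-04T09:10:20 AUTH user=admin src=198.51.100.7 result=ok
2024-03-04T13:20:00 XFER user=bob dst=fileserver.internal bytes=120000 direction=out
2024-03-04T23:41:17 AUTH user=carol src=10.0.1.58 result=ok
2024-03-04T23:45:30 XFER user=carol dst=transfer.example.net bytes=2400000000 direction=out
"""

# Thresholds are assumptions for the example, not recommended values.
FAILED_LOGIN_THRESHOLD = 4          # failures from one source before a success
BUSINESS_HOURS = (7, 20)            # 07:00-20:00 local time treated as normal
LARGE_OUTBOUND_BYTES = 500_000_000  # 500 MB leaving the network in one go
INTERNAL_SUFFIX = ".internal"       # constructed naming for on-premises hosts

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>AUTH|XFER)\s+(?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m.group("ts")), "kind": m.group("kind")}
    for field in m.group("rest").split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(log_text):
    """Apply three detection rules and return alerts as (rule, user, detail) tuples.

    Rules: a successful login preceded by repeated failures from the same
    source; a successful login outside business hours; a large outbound
    transfer to a host that is not on the internal network.
    """
    alerts = []
    failures = defaultdict(int)  # consecutive failures per (src, user)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["kind"] == "AUTH":
            key = (ev["src"], ev["user"])
            if ev["result"] == "fail":
                failures[key] += 1
                continue
            # Successful login: check the preceding failures and the hour.
            if failures[key] >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("brute_force_success", ev["user"],
                               f"{failures[key]} failures from {ev['src']} before success"))
            failures[key] = 0
            hour = ev["ts"].hour
            if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
                alerts.append(("out_of_hours_login", ev["user"],
                               f"login at {ev['ts'].time()} from {ev['src']}"))
        elif ev["kind"] == "XFER":
            size = int(ev["bytes"])
            external = not ev["dst"].endswith(INTERNAL_SUFFIX)
            if ev["direction"] == "out" and external and size >= LARGE_OUTBOUND_BYTES:
                alerts.append(("large_external_transfer", ev["user"],
                               f"{size} bytes to {ev['dst']}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:24} {user:8} {detail}")
```

On the constructed sample this raises three alerts: the admin login that follows four failures from one external address, carol’s login at 23:41, and carol’s 2.4 GB transfer to an external host. Each rule is cheap and simple on purpose; the value of a monitoring service is in tuning such rules to a particular business and having someone act on the alerts.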
To learn more about the protective monitoring managed solutions we provide please click here https://www.hah2.co.uk/
How are businesses improved through good cyber security? It’s a question just about every customer, or prospective customer, of ours asks themselves. They need to see a return on investment, after all, if you don’t see anything tangible for your money, you’re unlikely to keep going down that road.
When my business partner and I set up H2 after we returned from the Middle East where we’d been working for the HP division that was busy merging itself with CSC (been there done that, didn’t fancy returning to it), the whole question of how we could offer something that gave that return on investment, occupied much of our thinking. What services could we offer at a price that businesses were prepared to pay, and what tangible benefits could we offer?
At first, we were purely a services company, proudly product agnostic, recommending the right products for the right solutions for the right customer. Not at all altruistic, but rather we felt that was the right thing to be doing. Like many people we didn’t see COVID coming around the corner like a freight train. The pandemic didn’t just change how we would be delivering our services, it changed the whole market, it changed working practices, which are still evolving. That meant that we had to change or die. A stark choice but not one that could be avoided or put off. Like many businesses we had to reengineer the business from the ground up whilst still providing services that customers wanted and could see a need for.
An interesting Google search is finding out what businesses are researching online. I was quite surprised to find that the question ‘what is a cyber-attack?’ is the most searched phrase, by a long shot. This suggests that many are still confused as to what a cyber-attack actually is. Breaking that down, it’s probably not all that surprising because of all the various types of cyber-attack that are constantly being rammed down people’s throats, and I think the cyber security industry needs to take responsibility for that. There’s a big difference between education and propaganda. FUD (fear, uncertainty and doubt) is a common method used by many to sell security. Personally, I’m not in favour of doing that. I like to educate, not scare.
Other subjects being searched for are ransomware, phishing, spoofing, cyber threats, insider threats and cyber awareness (there are more but they’re a long way down the list).
What people want to know hasn’t changed all that much, and neither have the types of threats. What has changed is how those threats present themselves, how the methodologies have changed in order to match new technologies and working practices, particularly the move to remote or home working and the additional threats that this poses. AI is making a big impact already and that impact is going to get bigger as time goes on. Email spoofing, for example, that is faking an email purporting to come from someone legitimate in order to get someone to take some action that is in some way fraudulent, is now being done over the phone with AI being used to fake someone’s voice. It’s a scary development and there are now several well reported instances of this happening in the US. If it’s happening there, it’s only a matter of time for it to happen in the UK and across Europe.
One of the first services we offered was the Cyber Maturity Assessment and our very first client took that service. Our brief was to examine their Cyber Security and Data Protection posture, including policies, processes and technical configuration and controls. They were pleased that our assessment was very comprehensive in discovering the threats and vulnerabilities to their systems and that we described them in terms of business risk. We developed comprehensive policies and processes that were all encompassing and designed to fit in with the style and presentation of their employee handbook. All good but it required us to attend their site for a couple of days which was, at one time, normal and acceptable but in terms of the ‘new normal’, not so much.
Whilst we still offer that service, remote services are much more popular and much more in keeping with how businesses are now operating. It doesn’t much matter where their staff are working, home, office or on the move. What matters is that their protections are maintained regardless.
As we developed our new offerings we researched and came up with solutions that do just that. We adopted Software as a Service (SaaS) and found some very innovative solutions that we can use to provide a managed security service to our clients at a very affordable price.
Returning to our first paragraph, how do we show a return on investment? Using our SaaS platform, we offer a 14 day free trial during which we can show a client where they currently stand and then carry out some quick remediations to show how that can be improved, so that the client can see the value of what they are going to get, using their own data. It works and I commend it to you.
Some introspection is good for the soul they say, and I can’t help but try and apply that to how we, ie so called cyber security professionals, approach prospective clients, or indeed, converse with existing clients. Is there a certain smugness involved where we believe we know best and, whether we do or not, try and push what we think a client should have, rather than what a client needs? Does this attitude, no matter how hard we try to suppress it, make prospective clients wary of what we have to say?
Of course we have our methodologies, particularly regarding risk management, and I am a great exponent of getting that right, but how many of us take the time and make the effort to understand the client’s situation? It’s what we used to call situational awareness. It didn’t just refer to a client understanding their own situation, but us appreciating that situation as well. After all, not all clients, even those in the same vertical and the same size of business, have exactly the same problems.
A lot depends on who you are and who you work for. The larger IT system integrators and consultancies do take the time to try and understand their clients. In fact, going back to the early 2000s, working for a multinational IT product and services giant, we never actually outright tried to sell anything. Our salespeople at the enterprise level, were very much relationship managers, they built relationships with their clients, got to know their businesses and made suggestions that the client might be interested in. The mantra was that people buy from people, not from brands. Brands are great in the marketing context, building awareness and a market presence, but they never seal the deal.
Of course, at the start of a sales year some bright young thing sporting an MBA and a burning ambition would move the salespeople around, ruining years of relationship building and vertical knowledge, because ‘it needs shaking up’. The end result is hacked off employees who look elsewhere and hacked off clients who think, well, if I have to start with someone else, I might as well see what else is out there. But that’s a whole other story.
Research your client, understand their business, make sure you’re building a relationship with the right person. Understand the industry, their pain points and needs. Only then can you really start to craft a value proposition and call to action that the client can relate to. Foster that relationship, make sure that not every call you make is about your products and/or services, make it more personal. Above all, be genuine, it pays off in the end.
I guess what I’m getting at is that it really is all about building relationships with people. You can have a deep understanding of your subject, fantastic product knowledge and a sparkling personality, but if you talk down to a prospective client, or come across as in any way condescending or patronising, you’ve lost the game. You have to listen, ask intelligent questions, show that you are really interested in understanding the issues that face this prospective client, and make suggestions that might be suitable to solve the pain points being put in front of you.
We decided a couple of years ago, to offer a service which we entitle Board Advisor (https://hah2.co.uk/why-use-an-independent-board-advisor). The point was not to try and sell solutions, not to try and sell any particular product, but to work with our clients to identify the issues they really do face and work through those issues to identify potential solutions that will help them in their business by protecting those critical assets that would cripple the business if they were not available or were corrupted in some way. It’s all about putting appropriate measures in place before disaster strikes and preventing the vastly higher costs of recovery post-breach, from immediate financial impacts to lasting reputational damage.
The security threat landscape is becoming both more sophisticated and easier to exploit by the less sophisticated. This seems contradictory, but artificial intelligence (AI) is transforming nearly every industry, including cybersecurity. Whilst AI enables enhanced threat detection and response, this powerful technology can also be weaponised by cyber criminals. As AI-driven cyber-attacks grow more advanced, organisations must act quickly to implement robust defences. Trying to keep abreast of this whilst running a business and focusing on your core requirements is daunting and, frankly, you’re not going to succeed.
If you’d like to discuss the art of the possible, give us a call.
“Fujitsu Hacked – Attackers Stolen Personal Information”
Fujitsu confirmed a cyberattack that led hackers to steal personal data and customer information.
Now there’s a headline to put fear into their customers, both current and potential. Not a great look for one of our premier IT system integrators and manufacturers.
But what’s that got to do with me you say? I don’t have any Fujitsu kit and I’m way too small to feature on the radar of a hacker or team of hackers, that would target someone like this. OK, maybe true, maybe not so true.
Did you know that since 2005 the Information Commissioner’s Office (ICO) has ruled on 13,500 freedom of information and environmental information cases? Many of these would be classed as SMEs and small government departments, particularly local government. Last year alone, 86 enforcement actions were taken which included 37 reprimands, 24 enforcement notices, 23 monetary penalties and 2 prosecutions. Fines of around 80K are not uncommon, and a fine of that size would be a severe blow to an SME. The ICO has issued fines totalling £590,000 to five companies for collectively making 1.9 million unwanted marketing calls which targeted the elderly and people with vulnerabilities.
Fines and enforcement notices cannot be hidden; they are published on the ICO website for all to see, which can have an impact on the reputations of companies, adding to the pain of any fine caused by unwanted marketing calls or data breaches.
In practice though, the ICO is not there to put you out of business and the chances of a fine of anywhere near the maximum, being applied to an SME, is low but not impossible.
It is, for most SMEs, about doing what is reasonable to prevent a data breach. That will include having the right policies and procedures, known to all staff, and rolled out. Don’t pay lip service to this, you will be found out. It is important to be aware of the threat and take the necessary actions to prevent breaches.
Lack of adequate data security is an important basis for imposing fines. Are you one of the SMEs who has swallowed the line that a firewall and some anti-virus, plus cloud storage, is all you need?
In addition to inadequate security, one of the frequent reasons for imposing a penalty is failure to report a violation despite the obligation under the law. Have you got that covered with an adequate policy and process in place and understood?
This can all be a real nightmare for many SMEs, particularly those with a large amount of personal data, much of which they can’t ditch. For example, financial data which under other legislation, they must keep for 7 years. I’m thinking about Estate Agents and financial advisors, even solicitors who I find are very good at telling others what they need to do to comply with the Act but aren’t so hot on how to do it.
One of the biggest issues I find with SMEs, is that they often think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set. This has become a real issue since COVID, in that remote working is becoming normal and it’s a real temptation for an employee, working from home with possibly less than robust broadband, to copy data from cloud storage to their PC or laptop to ensure they can keep working on it. Then they upload it again when they’ve finished but forget to delete their copy. That’s just one instance but it is vital to understand where all this data is. What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why. I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person. But under the law, they had no choice but to bite the bullet.
We’ve been pondering these problems for some time, and they boil down to processing and storing the data securely and being able to quickly lay your hands on it. There are several systems on the market which will capture where your data is, and who has access to it, generally under the banner of Data Loss Prevention, or DLP. These systems are based on an event-driven approach, require extensive ongoing rules management built for LAN/WAN perimeters, and are becoming much less effective in an increasingly perimeter-less environment.
Local and wide area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premises repositories (file server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like Slack or WhatsApp), and 3rd party portals. We needed an answer to this new data landscape with a cross-platform discovery functionality, coupled with data flow monitoring capabilities.
We came across Actifile, which works very differently to a standard DLP, which in any case often requires other tools to provide the security functionality needed. Actifile is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in a world of no security perimeters. Moreover, Actifile’s set and forget method requires little to no maintenance and can be up and running, securing data, in less than 3 working days, providing a detailed breakdown of the data risk and leveraging that data risk for data flow monitoring, auditing and remediation. This approach greatly simplifies the process.
Actifile is a cloud-based management platform coupled with a lean agent for workstations (both Windows and Mac), file servers, NAS and terminal servers, and a sidecar Docker instance for cloud-based file shares (e.g., OneDrive).
Step 1: Data Risk Discovery and Quantification
Based on predefined privacy regulations and PII definitions, Actifile immediately starts scanning for sensitive data using smart patterns. Actifile then quantifies data risk per PII type in local currencies.
Step 2: Data Risk Monitoring and Auditing
Tracks and audits data risk in real time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organisation.
Step 3: Data Risk Remediation by Encryption
Actifile's patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, third-party portals and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption, takes as little as 72 hours.
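To make Step 1 concrete, here is an added illustration of what "smart pattern" discovery and per-PII-type quantification involve. It is example code written for this article, not Actifile's code or any description of how Actifile works internally. The patterns, the validators, the sample files and the per-record costs in GBP are all assumptions made for the illustration; the point it shows is that a bare regex is not enough, because a checksum or format rule is what keeps random digit runs and unissued identifiers out of the risk figure.

```python
"""Illustrative PII discovery and risk quantification (assumed patterns and costs)."""
import re

# Assumed per-record exposure cost in GBP. A real programme derives these figures
# from regulatory penalties, notification costs and the firm's own risk appetite.
COST_PER_RECORD_GBP = {"email": 5, "uk_ni_number": 50, "payment_card": 100}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    digits = [int(d) for d in candidate if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ni_ok(candidate: str) -> bool:
    """UK National Insurance prefix rules: some letters and prefixes are never issued."""
    prefix = candidate[:2].upper()
    if prefix[0] in "DFIQUV" or prefix[1] in "DFIOQUV":
        return False
    return prefix not in {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}


# A "smart pattern" here is a regex plus an optional validator to cut false positives.
PATTERNS = {
    "email": (re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"), None),
    "uk_ni_number": (re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b", re.I), ni_ok),
    "payment_card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), luhn_ok),
}


def scan_text(text: str) -> dict:
    """Return {pii_type: [matches]} for one document, keeping only validated hits."""
    found = {}
    for pii_type, (regex, validator) in PATTERNS.items():
        hits = [m for m in regex.findall(text) if validator is None or validator(m)]
        if hits:
            found[pii_type] = hits
    return found


def quantify(findings_by_file: dict) -> tuple:
    """Aggregate counts per PII type and convert them to one exposure figure in GBP."""
    counts = {}
    for findings in findings_by_file.values():
        for pii_type, hits in findings.items():
            counts[pii_type] = counts.get(pii_type, 0) + len(hits)
    exposure = sum(n * COST_PER_RECORD_GBP[t] for t, n in counts.items())
    return counts, exposure


# Constructed sample "files". The card in invoice.txt fails Luhn and ZZ is an
# unissued NI prefix, so neither should count towards the exposure figure.
SAMPLE_FILES = {
    "hr/alice.txt": "Contact alice@example.com, NI AB123456C, card 4111 1111 1111 1111.",
    "finance/invoice.txt": "Bill bob@example.org, card 1234 5678 9012 3456, ref ZZ123456A.",
}


def run_discovery(files: dict = SAMPLE_FILES) -> tuple:
    """Step 1 end to end: discover per file, then quantify across the estate."""
    findings = {path: scan_text(text) for path, text in files.items()}
    counts, exposure = quantify(findings)
    return findings, counts, exposure


if __name__ == "__main__":
    findings, counts, exposure = run_discovery()
    for path, f in findings.items():
        print(path, {t: len(h) for t, h in f.items()})
    print("counts:", counts, "exposure GBP:", exposure)
```

Run against the constructed files, the scanner reports two e-mail addresses, one valid NI number and one valid card number, and a total exposure of 160 GBP; the bogus card and the ZZ-prefixed NI number are matched by the regex but rejected by the validators. That rejection step is what separates a usable risk figure from an alarming but meaningless one.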
Finally, and importantly, it is very light on administration and quick to set up, and we are offering a 30-day trial at no cost. If you don't like it, we take it away.
I’ve decided I haven’t bored you all enough about risk management yet, as it pertains to cyber security. Try not to stretch your jaw too much as you yawn, and stay with me, because it is extremely important and will become more so as cyber-attacks get more sophisticated and, more importantly, ever more common as AI makes them easier to carry out and lets hitherto less-skilled criminals become more capable.
We are still, in the SME market, suffering from a misunderstanding about what cyber security is all about. I know I bang on about this, but it can’t be overstressed. Without fully understanding the risks you are exposed to, how can you be sure that you are spending your limited budget in the most effective way, and in a way that is actually doing some good? I threw that last bit in because all too often I come across situations where an SME is wasting money and resources because it doesn’t have a handle on its security risks.
Now I know that many will say this is a technical matter: we have a company under contract that looks after our IT infrastructure, so we can safely leave it to them. Wrong. Ask them some simple questions:
· Have they fully identified your security assets? Security assets are not just hardware and software; in fact, those are often the least of your worries. It’s the data, where it is and how it’s protected, that matters.
· Have they done a risk assessment on those assets?
· Have they recommended or implemented controls to manage the risk down to your acceptable residual risk level? That assumes they have spoken to you about what that acceptable level is.
It’s very important that business owners grasp the difference between the technical requirements of their networks and the business requirements.
· Tech
Describes the protection of networks, computers, programs and data. It is the branch of cyber security focused on preventing intrusion, and therefore the theft or manipulation of your systems, from both internal and external sources. Technical security consists of tools such as firewalls, anti-virus software, intrusion detection systems and the like to prevent and defend against attackers.
Technical security needs to work within a defined and business focused security strategy.
· Business
Encompasses all aspects of protecting digital assets, including computer systems and networks, from unintended or unauthorised access, change or destruction. Business-level cyber security focuses on devising a security strategy and identifies the controls, processes and technologies needed to protect data, programs, networks and associated software from unauthorised access or attack. It is focused on people, process and then technology.
Cyber security in this sense has the larger role of protecting the organisation from malicious attacks and data breaches. A comprehensive strategy should include preventive measures such as strong authentication, encryption and threat intelligence analysis; detection mechanisms to identify attacks rapidly; response plans to limit the damage quickly; and recovery procedures to restore the business after an attack. Together these operational capabilities leave an organisation better prepared to defend itself against potential threats.
Bottom line folks – you can outsource your IT, but you can’t outsource your responsibility.
Risk management is all about helping us to create plans for our future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis.
We need to manage risk to enable us to make the best possible decisions, based on our analysis of future events and outcomes. Whilst the future can be anticipated to an extent, there are limits to how much it can be anticipated.
There is no business without risk, and an acceptable residual risk in one company will not be acceptable in another. That’s a business decision. Risk must be recognised, classified and then managed in one way or another. And whilst we would all like to abolish risk, that won’t happen.
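The three questions to put to your IT provider (asset identification, risk assessment, controls that bring risk down to an acceptable residual level) and the point that acceptable residual risk is a business decision can be shown working together in a small risk register. The following is an added example written for this article, not a method from any particular standard or product. The 1-to-5 likelihood and impact scales, the credit given to each control, the sample risks and the two risk appetites are all assumed for the illustration; what matters is the shape of the reasoning, inherent risk, then controls, then residual risk compared with an appetite the business has actually agreed.

```python
"""Illustrative risk register: inherent risk, controls, residual risk against an agreed appetite."""
from dataclasses import dataclass, field

# Assumed qualitative 1-5 scales; use whatever scale your own methodology defines.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A control is credited with moving likelihood and/or impact down the scale."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str          # the data, not just the box it sits on
    threat: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any controls: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Risk left after crediting each control, never scoring below 1 on either axis."""
        lik, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for c in self.controls:
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return lik * imp


def build_register() -> list:
    """Constructed sample register for a small firm; scores and credits are illustrative."""
    return [
        Risk("Customer PII on the file server", "ransomware", "likely", "severe",
             controls=[Control("offline backups tested quarterly", impact_reduction=2),
                       Control("endpoint detection and response", likelihood_reduction=1),
                       Control("staff phishing awareness training", likelihood_reduction=1)]),
        Risk("Customer PII shared over WhatsApp (shadow IT)", "data leakage",
             "almost certain", "major"),
        Risk("Public website", "defacement", "possible", "minor"),
    ]


def needs_treatment(register: list, appetite: int) -> list:
    """Return (asset, threat, residual) for every risk still above the agreed appetite."""
    return [(r.asset, r.threat, r.residual()) for r in register if r.residual() > appetite]


if __name__ == "__main__":
    register = build_register()
    for r in register:
        print(f"{r.asset}: inherent {r.inherent()}, residual {r.residual()}")
    # The same register, two different appetites: the treatment list changes, the risks do not.
    for appetite in (8, 4):
        print(f"appetite {appetite}: treat {needs_treatment(register, appetite)}")
```

With the sample figures, the file-server ransomware risk starts at 20 and the three controls bring it to 6; the WhatsApp leakage risk has no controls and stays at 20; the website sits at 6. A firm that has agreed an appetite of 8 needs to treat only the WhatsApp risk, whereas a firm with an appetite of 4 must treat all three. Nothing about the risks changed between those two runs; only the business decision did, which is exactly why the provider has to ask you for that number rather than assume it.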
Whilst working for major providers servicing the big companies, banks and major government departments, we would recommend that at least 15% of the annual IT budget be allocated to cyber security. That means not just tech but also reviewing cyber security policies and processes, cyber awareness training for staff and managers, reviewing the threats and vulnerabilities and then revisiting the risk to their assets. It’s interesting to note that the figure of approximately 15% has crept up over the years. About 20 years ago we were saying 5%, then 10%, and now it’s a minimum of 15%, with some companies allocating even higher percentages as threats increase year on year. That figure could easily skyrocket once AI becomes prevalent amongst the criminal fraternity.
Just keep in mind that cyber security is a business issue and not an IT issue and that cyber risk must be evaluated and dealt with in the same way that you would any other risk to your livelihood.