Security Tools

Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy Security Tools Working Practices

CYBER ESSENTIALS HAS CHANGED:  ARE YOU READY?

Cyber Essentials has changed recently and one of the most significant changes, in my opinion is the requirement for a senior executive to formally declare that security controls are continuously assessed throughout the year.  A fundamental change, not just a paperwork tweak. It shifts accountability and how organisations approach compliance.

What does this change really mean?

  1. Accountability moves to the top

Executives (often a CEO, CFO, or board-level director) are now personally attesting that controls aren’t just “point-in-time compliant” but actively maintained. This raises the stakes, false declarations could have legal, reputational, and contractual consequences.

  • End of “annual checkbox” compliance

Previously, many organisations treated Cyber Essentials as a once-a-year exercise. This change pushes toward continuous assurance, more in line with standards like ISO/IEC 27001 or frameworks such as NIST Cybersecurity Framework.

  • Increased audit and insurance implications

Cyber insurers and regulators may view this declaration as evidence of due diligence or even negligence if something goes wrong. Expect more scrutiny if a breach occurs.

  • Cultural shift toward operational security

Security becomes an ongoing business process, not an IT task. It requires coordination across the company up to and including management.

How organisations can actually deliver “continuous assessment”?

This is where many companies will struggle, because the declaration implies evidence, not intention.

  1. Continuous monitoring of key controls

Use tools that provide ongoing visibility into:

  • Patch management status
  • Vulnerability scanning
  • Endpoint protection health
  • Firewall and access control configurations

Common tooling might include:

  • Endpoint detection & response (EDR)
  • Vulnerability management platforms
  • Security configuration monitoring tools
  • Defined control testing schedule

Not everything needs real-time monitoring, but you should have:

  • Monthly or quarterly control checks
  • Automated scans (minimum of weekly vulnerability scans)
  • Regular access reviews (e.g., user permissions)
  • Centralised logging and alerting

Implement:

  • An MDR solution.
  • Alerts for control failures (e.g., antivirus disabled, patch failures)

This creates an audit trail—critical if leadership is signing a declaration.

  • Metrics and reporting to leadership

Executives need evidence to sign confidently:

  • Security dashboards
  • KPIs (e.g., patch SLAs, vulnerability remediation times)
  • Regular security reports to the board
  • Policies backed by enforcement

It’s not enough to have policies; you need:

  • Technical enforcement (e.g., blocking unpatched devices)
  • Automated compliance checks
  • Internal audits or independent checks

Periodic internal reviews or external assessments that help validate that controls are actually working.

Practical example

Instead of saying:

“We apply patches”

You now need to demonstrate:

  • All devices report patch status daily
  • Alerts trigger if patches are overdue
  • Reports show compliance over time
  • Exceptions are tracked and approved

The real challenge

The hardest part isn’t technology, it’s evidence and governance.

Many SMEs certified under Cyber Essentials don’t currently have:

  • Centralised visibility
  • Documented control testing
  • Board-level security reporting

So, this change may force investment in:

  • Better tooling
  • Clearer processes
  • Stronger governance structures

Bottom line

This declaration effectively aligns Cyber Essentials with modern security expectations: continuous control validation, not annual self-assessment.

If an organisation can’t produce evidence of ongoing monitoring and review, executives are being asked to take a significant personal risk by signing.

How can an SME meet this requirement without breaking the bank?

You don’t need an enterprise SOC or a six-figure toolchain to meet these new expectations, but you do need joined-up tooling that produces continuous evidence.

The principle: “Good enough + visible + provable”

For an executive to sign the declaration, you must:

  • Cover all five control areas
  • Be centrally visible
  • Generate reports + alerts automatically
  • Require minimal manual effort

The issue for many SMEs that a system that integrates many of the issues simply hasn’t existed in a form that is financially viable, and that doesn’t require a dedicated cyber individual on staff, until now.  Such a system does now exist, and I have put up a short video on the features section of my profile page on LinkedIn, the link is A short video on protective monitoring for SMEs.  This should help you without having to read reams of information.  You will also find a couple of articles on that particular subject.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.

To learn more about the services we provide, please click here https://www.hah2.co.uk/

Alternatively, please feel free to give us a call or drop us an email:

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Cyber Awareness Training Data Breaches and their consequences Ransomware, Phishing and other Malware Security Security Tools

Protecting Your Data on Public Networks

Remote working is here to stay, and whilst it’s not for everyone, many employers and employees alike, have taken to it.  There are multiple problems related to cyber security around this, working from home or on the move, and today I’m going to concentrate on the prevalence of people working from insecure sites such as coffee shops, railway and air terminals etc.   It’s a subject that I tend to jump on every so often because it’s one that people just don’t seem to get.  I dropped into a coffee shop this morning for my caffeine infusion, and there were six people with their laptops open, working away on business issues.  I could see open spreadsheets (and easy to read if you were sitting behind them), and all had their email open.  One was on a video call, and I heard all her side of the conversation, annoying enough for other café users but she wasn’t aware of the data she was releasing into the wild, at all.

Of course, this is nothing new, it’s been ‘a thing’ for years now, but is it a safe thing to be doing?  A recent survey suggests that a significant proportion of the connections to unsecured Wi-Fi networks result in hacking incidents, when from working in coffee shops, restaurants, airports, and other public places.

If you are among those Wi-Fi lovers, there’s bad news for you… your online privacy and security is at risk, if you rely on the weak to non-existent Wi-Fi security protocolsat these insecure locations.  This means that you could be exposed to various threats such as identity theft which has over 15 million cases each year, data theft/breaches, introducing malware to your business network and that of your customers/suppliers.  This list is not exhaustive.

Free or public Wi-Fi’s are hotspots for hackers and data snoopers who want to steal your private data or financial information. It is easy for cyber criminals to do that nowadays. You will be surprised to know the different ways they can compromise your device or your private information and why you shouldn’t rely on public Wi-Fi security as it comes with a lot of risk.  Using insecure public Wi-Fi exposes you to a range of cybersecurity risks because you’re sharing a network with unknown and potentially malicious persons. The core issue is that these networks often lack proper encryption and authentication, making it much easier for attackers to intercept or manipulate your data.

One of the biggest risks is data interception (packet sniffing). On an unsecured network, attackers can use simple tools to capture data packets traveling between your device and the internet. If the data isn’t encrypted (for example, websites not using HTTPS), sensitive information like passwords, emails, or credit card details can be read directly.

A closely related threat is the Man-in-the-Middle (MitM) attack. Here, an attacker secretly positions themselves between you and the service you’re accessing. Instead of communicating directly with a website, your traffic is routed through the attacker, who can monitor, alter, or inject malicious content into the communication without your knowledge.

Another common issue is rogue hotspots or “evil twin” attacks. Attackers set up fake Wi-Fi networks with names that look legitimate (e.g., “Free Airport Wi-Fi”). When you connect, all your traffic passes through their system, giving them full visibility and control over your activity.

Public Wi-Fi also increases the risk of session hijacking. Even if you log into a secure site, attackers may capture session cookies, small pieces of data that keep you logged in, and use them to impersonate you without needing your password.

There’s also the danger of malware distribution. Some attackers exploit vulnerabilities in devices connected to the same network to push malicious software. Others may trick users into downloading infected files via fake pop-ups or compromised websites.

Many public networks lack proper network segmentation, meaning devices on the same network can sometimes directly communicate with each other. This makes it easier for attackers to scan for vulnerable devices, open ports, or shared files, potentially gaining unauthorised access.

Another issue is unencrypted connections and misconfigured security protocols. Some networks use outdated encryption standards (like WEP) or even none at all, making it trivial to crack passwords or decrypt traffic.

Additionally, automatic connectivity on devices can be exploited. If your device is set to automatically connect to known networks, attackers can spoof those network names and trick your device into connecting without your explicit approval.

Finally, there’s a broader privacy concern: even if attackers don’t actively interfere, network operators themselves (or anyone monitoring the network) may log your browsing habits, device information, and other metadata.

How to reduce risk:

  • Use a VPN to encrypt your traffic
  • Only access HTTPS websites (look for the padlock icon)
  • Avoid logging into sensitive accounts on public Wi-Fi
  • Disable file sharing and use a firewall
  • Turn off automatic Wi-Fi connections
  • Verify network names with the venue before connecting
  • Only use authorised protocols to access your company network or cloud

In short, insecure public Wi-Fi removes many of the protections that normally keep your data private, making it far easier for attackers to observe, intercept, or manipulate your online activity.

The risk reductions above are essential but even then, don’t get complacent.  A VPN for instance, encrypts your data as it transits the internet, putting up a secure ‘tunnel’ for it to move through.  However, that data is only protected once you start sending it.  Other data on your laptop is not encrypted and remains vulnerable.  Disk encryption such as Bitlocker on Windows or File Vault on Macs, is designed to encrypt your disk as you are shutting down, so that if your machine is stolen, the data can’t be accessed.  But once you start it up and log on, the disk is unencrypted.  The safest encryption uses what is known as file level encryption which encrypts your files by sensitivity level and only allows them to be read by authorised persons on your corporate network.  That way if your machine is accessed whilst it is up and running in your coffee shop, the sensitive data can’t be read.

Stay aware and stay vigilant.  You have to be successful all the time; the criminal has to be successful just once.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

What is Security Architecture, and what does it mean for SMEs?

Security architecture is the structured design of systems, policies, technologies, and processes used to protect an organisation’s IT systems, networks, and data from cyber threats.  Easy to say, not quite so easy to do.

When working on a major IT infrastructure deal, the security architect would be brought in, or at least should be brought in, very early on, usually after the first logical design has been done.  What that means is that a logical design is basically a bunch of boxes on paper that represent systems with connection arrows in between, identifying data flows.  OK, I’m being a bit simplistic, but you get the idea.  Once that’s done, the security architect has something to work with to start putting in security layers.  As the design evolves, so does the security architecture.

So now let’s look at the real world.  Most SMEs are way past this phase, with their systems having grown organically as the company grows.  SME management is focused on how well the systems work for them, whether they meet the need, can the staff operate the systems efficiently, are the systems robust, etc.  Security then tends to get bolted on, often using software and/or hardware that the company’s contracted IT provider recommends, which in turn is whatever software and/or hardware that the contractor sells.

Many SMEs had set up their system before COVID, and they were often set up using what we called the Bastion security model.  That was named after the old castle design, a big wall around it with a moat and a portcullis to protect it, or in modern terms, a protected network, accessed via secure firewalling, with some sort of access control and other protections such as anti-malware.  A good model had network segregation, but I’m afraid my experience is that network segregation was often lacking.  Just to be clear, what segregation means in this instance is a breaking up of functions within the company, i.e., finance, HR, operations, management, etc., with relevant access controls of some sort.  And of course, all this on premises.

In many cases, COVID drove a coach and horses through that model.  First, it stopped people from going into the office, and owners/managers had to quickly come up with a way of working remotely through some form of remote access.  Many at that point weren’t using cloud-based systems, and in fact, there was still some reluctance to embrace cloud tech because owners didn’t trust storing their data with what they saw as being out of their control.  It took some persuasion and education to bring many of these owners/managers around.  These days, of course, cloud storage and remote access are largely the norm, but there is still the question of exactly how secure existing systems are, having often been put together rapidly and from a position of necessity rather than choice.

A realistic cybersecurity architecture for an SME should balance security, manageability, and cost. Most SMEs are now operating in a cloud-based environment, so the architecture typically centres on identity security, endpoint protection, and cloud controls rather than heavy on-prem infrastructure.  But let’s not forget monitoring and auditing, and, depending upon your business, data encryption.

Identity Layer (Core Security Control)

Identity management is core to a secure system.  It is vital to ensure that only the right people have access to the right systems.  SMEs need to consider some form of identity management, but they might feel this is expensive and unnecessary for them.  Owners and managers need to decide their own risk appetite, i.e., what they see as an acceptable, as well as what they see as an unacceptable, risk.  But it doesn’t have to be expensive.  Many SMEs will be using MS365, for example, and will be able to get a reasonable deal on Microsoft Entra ID, formerly known as Azure AD.  I know many of my colleagues in the security world will argue that Azure had its issues in the past, but it is better now.

It will help you implement controls such as:

  • Mandatory Multi-Factor Authentication
  • Conditional access policies
  • Single Sign-On (SSO)
  • Privileged identity management
  • Automated user provisioning/deprovisioning

Endpoint Security Layer

Endpoints are the primary attack surface. This typically includes:

  • Endpoint detection and response (EDR)
  • Device management
  • Encryption

Controls it should cover include:

  • Automated patching
  • Encryption:
  • Full disk encryption comes built into Windows with BitLocker and Mac with File Vault, but it has drawbacks in that it encrypts your disk at rest, protecting your data from a stolen device, but it is unencrypted on boot up, so it isn’t much protection against an intrusion or a mistake made by an employee.
    • File-level encryption works by encrypting files that you have deemed to be sensitive and need protection.  It encrypts the files using an agent-based system and unencrypts the files when shared or accessed by someone who also has the agent and therefore the permission.  Sounds complicated, but it really isn’t, and it can be shown to you very easily.
  • Application control
  • USB restrictions
  • Remote wipe

Email and Collaboration Security

Email is still the No 1 entry point for attacks, and using cloud-based software such as MS365 or even Google Workspace, both affordable for an SME, has security features that are highly desirable if not essential.

  • Anti-phishing protection
  • Attachment sandboxing
  • URL scanning
  • DMARC, SPF, DKIM email authentication – these all refer to entries in your DNS (your network provider should be able to brief you), which help ensure email isn’t being spoofed and is coming from a trusted source.

 Network Security Layer

Even cloud-heavy SMEs still need basic network protection.

Key components:

  • Next-generation firewall
  • VPN or Zero Trust remote access
  • Network segmentation
  • DNS filtering

Good firewall segmentation would include:

  • Company devices
  • Guest WiFi
  • Servers
  • IoT devices

Cloud Security

SMEs often rely heavily on Software as a Service (SaaS) and cloud infrastructure.  Again, this needs some controls, which could include:

  • Secure configuration monitoring
  • Data leakage prevention
  • Access monitoring

Key policies may include:

  • No public file sharing by default
  • Alert on impossible travel logins
  • Monitor privileged activity

Data Protection Layer

Protect sensitive data even if systems are compromised.  Controls might include:

  • Data classification
  • Data leakage prevention
  • Full disk and file-level encryption

Policies might include:

  • Prevent the sharing of sensitive records externally
  • Block download of sensitive files on unmanaged devices
  • Monitoring where your data is and how it transits the network, alerting to movements of data outside of the norm.

 Backup and Recovery

This is critical for recovering from ransomware and other data compromises, as well as technical faults.

Best practice:

  • Immutable backups
  • Offline copies
  • Regular restore testing

Don’t forget cloud backups; that’s something that is often forgotten.  Check your Ts&Cs with your provider, don’t just assume they are backing up as you would require.

Security Monitoring

You need visibility into attacks, and security monitoring is something that many SMEs simply don’t consider, possibly because in the past, it was considered very expensive and over the top.  That is no longer the case.  There are systems now available specifically for SMEs.

Typical SME approach:

  • Centralised log collection
  • Security alerts
  • Managed detection and response

Many SMEs outsource this to an MDR provider like H2.  I know you would expect me to say this, but it really is recommended.

Security Awareness and Policies

Technology alone cannot protect the organisation.  Cyber awareness training is a subject that I bang on about all the time.  It really should be a no-brainer and is arguably the cheapest quick win an SME can make.

What you need as a minimum is:

  • Security training platform
  • Phishing simulation
  • Acceptable use policy
  • Incident reporting channel

Strangely enough, we provide all of these within our managed service.

Incident Response and Business Continuity

I have blogged about this in the past.  You need to be prepared for security incidents.  This means not just having a plan to bring your systems back online and to restore your data from backups, but also having a business continuity plan to enable you to continue your business whilst the technical work is being undertaken. Test these systems and plans and make sure they work.

Key elements include

:

  • Incident response playbooks
  • Legal and breach notification procedures
  • Disaster recovery and business continuity plans
  • Security metrics dashboard

Standards

Consider adhering to a standard such as Cyber Essentials, the Government standard, which has been taken into use by many SMEs.

Summary

Security architecture is the structured design of policies, technologies, and controls used to protect an organisation’s systems, networks, and data from threats.

It acts as a blueprint for implementing security to ensure Confidentiality, Integrity, and Availability (CIA Triad) of information.  It really is something SMEs should consider and need to take advice about.  Do not rely on your network provider, they will focus on the core services they provide and the products they have deals to supply.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security

MORE ABOUT MANAGED DETECTION AND RESPONSE

This subject has, in the past, been difficult to convey to SMEs.  In the corporate and major government department world, it’s a well-understood issue, more often referred to as a security operations centre, or SOC.  I’ve built several of these over the years in the UK and the Middle East, and one thing is for sure: they are expensive to run in terms of both technology and manpower, which makes them unrealistic for an SME, even if they would be of real benefit.

So why am I even bothering to explain what it is?  Simply because there are now systems on the market, very often AI-driven, that have managed to hit a price point that an SME can afford.  These systems may not be as comprehensive as you might find in a large company or central government department, but they do match the requirements for most SMEs.

Why would an SME want such a system?  First and foremost, any such system or service pitched to an SME needs to make business sense.  To maximise its cost effectiveness, having additional capabilities such as vulnerability assessment, phishing simulations and cyber awareness training programmes makes it more attractive.  The whole package needs to emulate enterprise-grade protection without the cost and complexity of a full-blown SOC.  Delivering it as a service reduces cost by cutting out the need for an in-house team.

Good questions for all SMEs to ask themselves are:

If an attack or scam happened tomorrow…

Would you know about it?

Would you be able to stop it in time?

Would your team recognise it for what it is?

In a nutshell, an SME would want this system because it delivers near enterprise-level cybersecurity protection, reduces business risk, improves compliance, and protects revenue without needing an internal cybersecurity department.  It provides peace of mind – you don’t have to worry about this, let someone else take the strain, while you focus on your business.

To help explain this easily, I have produced a short video which you can find on the Features Section on my LinkedIn profile.   But if you don’t want to view that, what follows is an introduction to what the service offers.

  • Continuous monitoring of endpoints, servers, and some cloud environments
  • Rapid detection of ransomware, malware, insider threats, and advanced attacks
  • Expert-led response
  • Phishing simulations
  • Cyber awareness training programme
  • Dark web monitoring

For most SMEs, hiring skilled cybersecurity analysts is expensive and difficult. MDR gives access to an appropriate service level at a predictable monthly cost.

Business benefit: Reduced risk of downtime, data loss, and reputational damage.

This service comes with vulnerability assessment built it.  Such assessments are available elsewhere as both software and a service, but they would not be integrated into an overall protection and would need to have a level of expertise to interpret the results.

Vulnerability assessments:

                  •               Identify outdated software, misconfigurations, and exposed services

                  •               Prioritise risks based on severity

                  •               Provide remediation guidance

Most breaches happen because of known, unpatched vulnerabilities. Regular scanning helps prevent attacks before they happen.

Business benefit: Proactive risk reduction instead of reactive damage control.

The system also offers built in protection against human error (Phishing Simulation).

Over 80–90% of cyber breaches start with phishing. A phishing simulation programme:

                  •               Tests employee awareness safely

                  •               Identifies high-risk users

                  •               Reinforces learning through practical scenarios

Business benefit: Fewer successful phishing attacks and reduced likelihood of credential compromise or ransomware infection.  Such simulations are an integral part of cyber awareness training.

We also assist in building a security culture (CBEE Awareness Training Programme).  A structured awareness programme:

  • Trains staff on cyber hygiene and data protection
  • Covers password security, social engineering, safe browsing, etc.
  • Supports compliance with regulations (GDPR, ISO 27001, Cyber Essentials, etc.)

Cybersecurity isn’t just technology, it’s behaviour. Training reduces internal risk significantly.

Business benefit: Employees become a security asset rather than a liability.

A managed system such as this can also help with compliance & insurance requirements.  Many SMEs now face:

  • Regulatory obligations
  • Supply chain security requirements
  • Cyber insurance conditions

Having MDR, vulnerability management, and training demonstrates due diligence and can reduce insurance premiums or improve insurability.

These last 2 points are very important to an SME:  Cost Predictability & Simplicity.  As a managed service, everything is:

  • Subscription-based
  • Centralised under one provider
  • Fully supported by experts

No need to buy multiple tools, manage updates, or maintain in-house expertise.

In business terms you are getting executive-level risk reduction with a simple value:

  • Reduced likelihood of business interruption
  • Reduced financial exposure
  • Protection of brand and customer trust
  • Clear reporting and measurable risk reduction

All through this article I’ve talked about cost effectiveness.  So, what does this service cost?  I’ll add the BBC caveat – other systems are available!!  We charge £15 per seat per month, and you get a lot for your money.  Seems cheap and we’re happy to explain how we can get the price so low.  It’s a 30-day rolling contract, no long-term lock in, simply 30 days’ notice to quit.  We also offer a totally free 14-day trial that is fully functional so you can see the outputs from your own system, rather than look at demos with dummy data.

Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security

An Increase in sophistication in cyber-attacks in 2025

Artificial Intelligence (AI) is a fascinating subject, but it’s also a controversial one. These days, we are all using it to some extent. I know I do in the solutions I provide for SMEs, as it allows for a large degree of automation, which in turn lowers costs. Lowering costs is always a priority for an SME.

So what is AI?

Artificial intelligence (AI) refers to computer systems that can perform tasks typically requiring human intelligence. This could include visual perception, speech recognition or translation between languages.

That description was one that was put forward by NCSC, and so it’ll do for me, although I’ve no doubt, you’ll find other descriptions if you look hard enough.

Often, what is called AI isn’t all that intelligent. It’s not taking in information, analysing it and coming up with answers. Of course, some very clever versions are doing just that, but they are mostly not available to you and me. The versions we see are very good at being asked a specific question and data mining various sources at an incredible speed and then producing the answer you want, usually with several variations. And that’s pretty much what most of us want to use it for.

As I said above, I use it in the applications I use for cybersecurity managed services directed at SMEs, not least because automation reduces cost, but also because it is very efficient, meaning that the results it produces need minimal human intervention to analyse the output.

But let’s look at the downside of AI in cybersecurity, which is what the cyber criminals are using it for. Firstly, what is it that is at risk:

  1. Data Leakage. AI systems tend to be extremely good at analysing, organising, and harvesting vast amounts of data, raising concerns about privacy breaches and unauthorised access to sensitive information. A good AI-powered attack could capture huge amounts of personally identifiable information (PII) in a ridiculously short amount of time.
  2. Data Integrity. In the good old days (please indulge me – I’ve been around a long time), we used to talk about CIA, no, not the infamous US intelligence agency, but Confidentiality, Integrity, and Availability. We now have something we call the Adversarial Attack. This is where attackers can manipulate AI algorithms by feeding them misleading data, causing them to make incorrect predictions or classifications, in turn destroying the integrity of your data, not just rendering it useless, but also dangerous.
  3. Model Vulnerabilities. This next one is relatively new, at least to me, and as I never tire of saying, I’ve been in this game as long as there’s been a game. It’s something called Model Vulnerabilities. AI models can be vulnerable to exploitation, such as through model inversion attacks or model extraction, where attackers can reverse-engineer proprietary models. So, if you’re in the dev game, this is a very real nightmare.
  4. Bias and Fairness. AI systems may inherit biases from training data, leading to unfair or discriminatory outcomes, which can have legal, ethical, and reputational implications. This could be used as another form of extortion, playing with the integrity of your data, to the point where you can no longer trust it.
  5. Malicious Actors. These can compromise AI systems at various stages of development, deployment, or maintenance, posing risks to organisations relying on these systems. This has a role in supply chain security.
  6. Attackers can leverage AI techniques to enhance the effectiveness of cyberattacks, such as automated spear-phishing, credential stuffing, or malware detection evasion.

What we saw in 2025 is an era where cyber‑attacks are AI‑powered, highly targeted, automated, supply‑chain enabled, multi‑stage, and geopolitically driven. These attacks exploit weaknesses across credential systems, zero‑day exploits, deepfake tools, and ransomware as a service (RaaS) platforms.

We are in an accelerating digital arms race that calls for AI‑driven defence capabilities, real‑time insights, deception environments, zero‑trust architectures, and quantum‑safe cryptography.

  1. Cybercriminals are leveraging AI to automate vulnerability scans at astonishing speeds, up to 36,000 scans per second, resulting in massive volumes of stolen credentials (1.7 billion) and drastic upticks in targeted attacks.
  2. AI is also generating hyper-realistic phishing messages, deepfake audio/video, and even “CEO fraud” to manipulate individuals into transferring funds, like a deepfake trick that siphoned US $25 M in Hong Kong.
  3. RaaS platforms now enable less skilled attackers to run ransomware, complete with support and updates. Over 70% of attacks now use these services.
  4. Attackers have shifted to double/triple extortion schemes, encrypting data, threatening to leak it, and sometimes targeting associated partners or customers.
  5. Next-gen ransomware is rolling out advanced stealth, data theft, and automated lateral movement techniques, i.e., using an initial breach to jump across to other parts of your network or that of your partners and customers.
  6. Attacks starting via third-party software or vendors allow hackers to move laterally into networks and compromise multiple organisations simultaneously.
  7. Nation-states are not just using espionage but are now partnering with ransomware gangs to conduct financially and politically motivated operations.
  8. Nation state-aligned hackers are conducting sophisticated credential theft, MFA bypass, lateral infiltration, DDoS, website defacements, and disinformation across geographies.
  9. Exploit kits now rapidly find zero-day vulnerabilities, especially in cloud environments, to bypass patching cycles.
  10. Attackers increasingly use built-in legitimate software and system tools (living off the land) to evade detection.
  11. Reported credential theft incidents rose 300% from 2023 to 2024, with 25% of malware focused on stealing login data.
  12. These stolen credentials are a gateway for automated brute‑force, lateral movements, and supply‑chain infiltration.
  13. Millions of IoT and OT systems (from manufacturing to agriculture) remain insecure and are now common targets of AI‑driven automated attacks.
  14. Mobile‑specific ransomware is emerging; threat actors are developing malware to extort victims directly via their mobile devices.
  15. In response, organisations are deploying deception tech (honeypots, decoys) to detect lateral intrusions or zero-day exploits in real time.

Let’s not make the mistake of thinking that this is all very sophisticated and requires expertise and resources to pull off. It doesn’t. Take another look at some of the bullets above, where we talk about RaaS or Ransomware as a Service. This takes me back to what we used to term the ‘script kiddie’, that was relatively unskilled and unsophisticated ‘wannabe’ hackers who would visit the dark web and buy scripts from skilled hackers, that they would then try and use to make money, often unsuccessfully.

This has now moved on to using AI, and such services as RaaS; this type of low-skilled individual is back, but this time with a greater level of success. Let me give you a real example of how AI can be used by someone relatively low on the criminal totem pole. Using Chat GPT, the question was posed:

Can you write some ransomware code for me?

So, did ChatGPT help to write Ransomware code? Well, not initially, it gave a stock answer about not being able to write code that might damage a computer system. And some tooing and froing, trying to get around this, achieved the same result. So far, so good. That’s an ethical answer I would like to see.

Coming at it obliquely, via a back-and-forth conversation, can produce different results. Give it the instruction to write some C code to encrypt a single file, and get the result:

Certainly. Here’s an example of how you can use the OpenSSL library to encrypt a single file using the AES-256-CBC encryption algorithm in C.

The next step was to ask it to modify the code to encrypt a whole directory, which it did willingly.

Obviously, this isn’t the complete answer, and there would be more work to do, more research and probably a trip to the dark web, but a relatively unskilled individual can make a good start at producing their own ransomware.

I even asked Chat GPT to give me a description of how AI can be a boon as well as a danger to society:

AI can be both a boon and a potential danger in terms of cybersecurity. On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks. On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously. Sophisticated AI-powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale. It is crucial to develop robust safeguards, ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

If you’re looking for answers as to where we stand with AI, there are a multitude of opinions, I’m afraid, mostly because many of us are still trying to work that out for ourselves. However, I will continue to explore it, use it carefully and with forethought. The questions I pose will be based on my own knowledge of cybersecurity and my experience in life. Let’s hope I get it right.

General Security Issues Ransomware, Phishing and other Malware Security Security Tools

ENCRYPTION

There are lots of different encryption solutions on the market, some which come with other applications and some that are stand alone.  I’m not going to attempt to put one up against another but rather have a more generic look at the subject.  I’m also not going to worry too much about the technicalities of how they work as frankly, most clients, many of which are SMEs, don’t really care about that.  It’s the effectiveness and what they are going to get for their buck, that they care about.

There are essentially two main types of encryption, whole disc encryption (WDE) and file level encryption (FLE).  WDE protects the device if the disk is offline or stolen.  It’s the type of encryption that comes with Windows (Bitlocker) and with a Mac (File Vault).  FLE on the other hand protects the data itself, even if stored on unlocked or shared systems.  It encrypts on a file-to-file basis i.e. it encrypts the files you want to protect, and leaves others unencrypted.  It generally operates as an agent-based system and often, but not always, comes as part of another application.

WDE is easy to describe. As you log off, the disc is encrypted so that if the hardware, laptop etc, is stolen, the data on the disc is protected.  However as soon as you log on, the disc is unencrypted and so the data is unprotected from an intrusion.

FLE proactively encrypts sensitive files at the file level using AES 256-bit encryption. This makes stolen data completely worthless to attackers, as it cannot be accessed or decrypted without the proper decryption key, which is managed through an agent and defined access controls. By encrypting data automatically and in real-time, FLE ensures data remains protected even if the system is compromised, which can be more effective than traditional reactive security measures that rely on detecting attacks after they occur. 

Let’s take a look in a bit more detail at the differences between WDE and FLE.

FeatureWhole-Disk Encryption (WDE)File-Level Encryption (FLE)
What gets encryptedThe entire drive (OS, apps, swap, all files)Individual files or folders
When data is decryptedAutomatically after the device boots and the user authenticates (e.g., login, pre-boot PIN, TPM key)Each encrypted file decrypts only when accessed by an authorised app/user
Protection scopeStrong against physical theft, lost devices, or disk removalStrong for protecting sensitive data, shared storage, or cloud backups
Visibility of encrypted contentDrive appears unreadable until unlockedFile names can still be visible (depends on tool), but contents are encrypted
Use casesLaptops, desktops, mobile devicesEncrypting documents, databases, specific secrets, or user-chosen data
Performance impactMinimal today, because decryption happens in bulk after unlock, and often uses hardware accelerationCan be higher if many encrypted files are accessed frequently
Granularity / controlLow (all-or-nothing)High (encrypt only what needs protection)
Key managementOne main disk key (often protected by TPM or secure hardware)Many file keys or per-user/per-file keys possible
Security if system is compromised while powered onWeak (disk is unlocked, malware can read everything)Better (files are only decrypted when opened, limiting exposure)

One question I get asked a lot is, does encryption protect against Ransomware.  The short answer is no.  WDE only protects the data when the machine is switched off.  Once booted up the data is unencrypted.  FLE protects data against data leakage or theft in that it can’t be read by unauthorised persons.  However, it can’t prevent encrypted data from being encrypted again by a ransomware attack.

A secondary aim of most ransomware attacks is to steal the data to sell on or to use for other things.  In those cases, FLE does help protect because the ransomware can’t decrypt the already encrypted data.  So, there is a level of protection using FLE that you can’t get with WDE.

FLR can help a little (but still not enough):

It can slow or limit ransomware only if:

  • Keys are stored in a separate secure environment (HSM, smart card, enclave, etc.)
  • Decryption requires per-file user interaction ransomware cannot mimic
  • The storage supports immutable or version-protected encrypted blobs

Even in those cases:

  • Ransomware can still delete files, encrypt them again, or lock the device
  • It usually cannot be used as a full defence strategy

What it does not prevent

  • Files being encrypted again by ransomware
  • Files being deleted or corrupted
  • The system being locked or made unusable

What it can still be good for

         •       Preventing data theft if files are exfiltrated

         •       Limiting extortion via stolen data leaks

  •       Protecting backups stored in cloud/shared drives from being read by attackers

My focus as always is on the SME community and therefore I always aim to keep costs down to a level that makes sense to them.  I am much more a fan of FLE than WDE however, as WDE comes from with both Windows and Mac, then let’s use it.  Many corporate organisations use both as a belt and braces protection.  But remember, on its own it’s not a total solution and should be implemented as part of a more holistic cyber defence.

I hope this has given an insight into the subject and answered some basic questions.  If you would like to understand more about this then please give me a call or an email, I’d be delighted to chat it over.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Managed Detection and Response (MDR)

What’s this all about and why would it be of any benefit to you?  The first part is easy to explain but the second is a little more problematic.  MDR is a cybersecurity service designed to help organisations, including small and medium-sized enterprises (SMEs), detect, investigate, and respond to cyber threats without needing their own large security team.  That latter bit is important for an SME simply because they don’t have the expertise or resources to do this themselves, neither can they rely upon their local IT provider to do this for them, even if only because it almost certainly won’t be in your service contract.

What does it give you:

CapabilityWhy it matters to SMEs
Around-the-clock monitoringCyber threats don’t stick to business hours – MDR providers watch systems 24/7.
Threat detection using modern toolsUses advanced analytics, machine learning, and threat intelligence that SMEs typically can’t afford or manage internally.
Rapid Incident ResponseCan remotely contain and remediate attacks before they spread.
Security expertise on demandSMEs gain access to required expertise.
Proactive threat huntingIdentifies hidden attackers or early-stage breaches.
Compliance and reportingHelps SMEs meet regulations (e.g., GDPR, Cyber Essentials, ISO 27001) with clear reports.

The above describes a full service, SMEs do have the choice of selecting a full response or an alerting service which also gives guidance on what to do i.e. helps manage a response by you.

It’s important to understand what an MDR is not:

  • Not a replacement for basic security hygiene (patching, backups, strong access controls)
  • Not just a tool, it’s a combination of technology + human expertise
  • Not “set and forget”, you still must collaborate on remediation decisions

So now we understand what MDR is, let’s look at why you might want it.  SMEs are increasingly targeted by cybercriminals due to limited in-house security resources. An MDR service provides continuous monitoring, advanced threat detection, and rapid incident response, improving cyber resilience while reducing operational burden and cost. Implementing MDR will significantly reduce the company’s cybersecurity risk and support compliance, business continuity, and customer trust.  And if you think this is all over the top let’s remember Knights of Old, they were an established trucking company who moved a lot of what you might call just in time goods, i.e. perishables.  They were hit with a ransomware attack and went under in a frighteningly short time.

So just to crystallise the problem, current security controls are designed to be preventative and are largely reactive, with no proactive elements to them.  They lack:

  • 24/7 threat monitoring
  • Real-time detection and investigation
  • Specialised expertise required for modern cyber threats
  • Rapid response capability to contain breaches

As a result, you potentially face::

  • Increased probability of a successful attack
    • Delayed breach response → attackers remain undetected for months
    • Data exfiltration and business disruption
  • Higher financial and operational impact if one occurs
  • Non-compliance with data protection obligations (e.g., GDPR, industry standards)
  • Reputational damage and loss of customer confidence
  • Insurance coverage gaps (cyber insurers increasingly mandate MDR-level monitoring)
  • Greater operational and legal fallout from incidents

The trick for many SMEs would be finding a solution that is suitable for them and just as importantly affordable.  A good fit could be:

  • Affordable subscription model with no costly infrastructure
  • Bridges the cybersecurity skills shortage
  • Improves resilience against ransomware, phishing, insider threats, and more
  • Scales as the business grows

SMEs would also need to consider whether they need a full response service or an alerting service level.  The latter is obviously cheaper and maybe more appropriate for many.  The coverage they should be looking for needs to include:

  • Endpoints (laptops, servers)
  • Cloud workloads (Microsoft 365, Azure, etc)
  • Identity services (Active Directory)
  • Network visibility
  • Email security
  • Remote workforce monitoring

I hope that this provides food for thought as I know many SMEs will not have considered this type of service or if they have, they will have dismissed it as too expensive and probably over the top.  And for many years this would have been just that.  I first got involved with this back in 2002 and built several security operations centres over the years, including staffing levels and processes. 

Generally, these have been way too expensive for an SME to consider.  But that has changed now, there are services available which are designed for SMEs, and which are affordable and appropriate.  Now I know you’ve been waiting for the pitch and here it comes.  At H2 we provide such a service which is very affordable, and we are happy to stack it up against others.  We offer a 14 day totally free trial, that covers your whole estate, i.e. not restricted to one or two systems, or departments, but your whole organisation. 

General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Cyber Security Architecture

In many of my discussion with small to medium business owner on the subject of Cyber Security and how it may impact them, one of the things that does stand out, amongst quite a few, is the lack of understanding about security architecture.  So, I thought it was worth discussing it further.

What is security architecture?  Well, in a nutshell it’s the technical elements of security that are used to mitigate cyber risks.  Many of you may have read or heard of me talking about the differences between IT Security ie, the technical elements, and Cyber Security ie, the risk managed elements, a more holistic approach if you like.  And of course, the two remain separate whilst maintaining a symbiotic relationship in that one begets the other, or it should.  Security architecture, in order to be fully effective, has to be based on risk management ie, if you haven’t identified the risks, how can be sure that whatever technology you’ve been persuaded to buy, is necessary and effective?

All SMEs will have things like a firewall and anti-virus, possibly going a step further and having some form of end point protection against most malware attacks.  But how did they arrive at the products they have purchased and taken into use.  Well generally that is based solely on the recommendation of whatever IT support company they’ve bought it from.  Usually, the local IT company that they use to supply their hardware and software and who often provide technical support as well.

I’m not against building a relationship with a local IT provider, in fact it’s a very good idea, but all SMEs have to realise that those companies are what is known as Value Added Resellers or VARs.  What that means is that they have a relationship with hardware and software vendors and that their staff are trained in the installation, configuration and sometimes maintenance, of those vendors hardware and software.  Is that a problem?  That depends very much on how the requirement for a solution was arrived at.  Was it based on identifying the risk through some form of risk assessment process, or was it arrived at because that’s the products they sell and are comfortable with?  All too often it’s the latter.

I’ve also talked elsewhere about the other non-technical controls that might be required, such as policies and process, another subject but one which is vitally important and can often be better placed to protect a company than expensive tech.

How many SME owners have had the reasoning behind the purchase of technical solutions explained to them? And to be fair to the VAR, how many SME owners have asked for it to be explained to them?  It is typical, when I visit SMEs, to find that they have what is known as a flat network.  That means that they have one gateway into the network, introducing a single point of failure, and no segmentation within the network.  Lack of segmentation means that once an intruder is in, and often the gateway firewall is a dual firewall/router entry level device, not the best, then there are no other controls to stop the intruder from attacking end points, such as for instance, your finance department/person, or perhaps just taking whatever data they want in a stealth attack, so that you don’t even know it’s been compromised.

Of course, these days that is often exacerbated by the increasingly popular remote working.  I know not every company has embraced this, but many have and have not through the security implications.

Segmentation, remote access and remote security solutions need not be overly expensive to implement and may save a lot of money in the long run.  But the main point is that unless you have carried out a risk assessment, then you don’t actually know whether you need a particular solution or not.  Neither do you know whether your firewall and/or router is up to scratch, whether your anti-malware system is doing what you think it’s doing, whether your policies and processes are adequate for the task and whether your staff understand the issues and dangers.

None of these things need be complicated and difficult but they are essential to adequately protect you against and increasingly sophisticated and ever evolving cybercriminal community.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy Security Tools

Do You Have a Handle on Your Cyber Maturity Stance?

Over the years I’ve had some very interesting conversations with several people from multiple different verticals, but all fitting comfortably within the SME bracket, around Cyber Security.  The conversations often tend to take a very familiar turn.  The cry of, ‘I’m covered, my IT support company has put in a firewall and some anti-virus.  They tell me all is good’.  Slightly depressing but not terribly surprising.

Even though cyber security and data loss prevention have leapt to the top of many people’s agenda in recent years, it is still common amongst many SMEs to believe that it is an IT problem, a technical problem rather than a business issue, even when recognising that the risk of a cyber intrusion or a data breach, impacts the business, the bottom line.  So, is it an IT issue or a business issue? 

The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security incident of some sort.  For the small business this could result in costs they could well do without, and I know of one business that has been hit for around £30000, which I am sure you will agree, can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers data and assets be affected as well.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

It is a common misconception is that IT Security is the same as Cyber Security.  That surprises a lot of people, so let’s explore it a bit.  There is clearly a close symbiotic relationship between the two disciplines.  I would argue, and I know this might meet with some disagreement, that IT security refers to traditional IT security methods which are technology based.  Such as firewalls, anti-malware, end point protection etc.  Whilst Cyber security is based very much on risk management which combines controls which are both non-technical and technical, following the principles of People, Process and Technology.

Within the SME world this tends to mean that there is a heavy reliance on third party IT providers.  Is that a good thing? After all that’s in their area of expertise and responsibility, isn’t it?  And here comes the controversial bit.  Third party IT providers, particularly in the SME space, are pretty much exclusively value added resellers or VARs, i.e., companies that sell other company’s products.  Now I’ve no problem with that per se, but it comes with issues.    Notable amongst them is that these companies will have skill sets that are very much limited to the products they sell.  Ie they are proficient in the installation and configuration of those products and their clients are offered those products whether they are best in class, or more importantly, whether they are the most appropriate for the task.  Before I get a social media pile on, I know that some of the bigger VARs do sell multiple vendors products, but they are in a minority.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT.  They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Here at H2 we offer a cyber maturity assessment that is designed specifically at SMEs.  It is a comprehensive evaluation of an organisation’s cybersecurity capabilities and readiness to effectively mitigate and respond to cyber threats. It involves a detailed analysis of the organisation’s cybersecurity policies, procedures, technologies, and practices. The assessment aims to identify potential vulnerabilities, weaknesses, and areas for improvement in the organisation’s cybersecurity posture.

During the assessment, we typically examine various aspects, such as:

  • Governance and Management: Reviewing the organisation’s cybersecurity policies, risk management frameworks, and leadership’s commitment to cybersecurity.
  • Security Awareness and Training: Evaluating the level of cybersecurity awareness among employees and the effectiveness of training programs.
  • Technical Controls: Assessing the implementation and effectiveness of security technologies, such as firewalls, intrusion detection systems, antivirus software, and encryption mechanisms.
  • Incident Response and Recovery: Analysing the organisation’s incident response plan, including procedures for detecting, reporting, and responding to cyber incidents.
  • Security Risk Management: Evaluating how the organisation identifies, assesses, and manages cybersecurity risks.
  • Third-Party Risk Management: Assessing the organisation’s approach to managing cybersecurity risks associated with third-party vendors and partners.
  • Compliance and Regulations: Verifying the organisation’s compliance with relevant cybersecurity regulations and industry standards.

The results of the Cyber Maturity Assessment provide valuable insights to the organisation, enabling them to enhance their cybersecurity defences and establish a more robust and resilient security posture. It helps organisations prioritise their investments in cybersecurity, address vulnerabilities, and strengthens their overall cyber resilience and provides a road map to reach a standard agreed with the management, taking full account of that managements risk appetite.

H2 is currently offering a free 1-hour consultation, and if you wish, a 10% discount for a CMA.

Cyber Awareness Training Data Breaches and their consequences Ransomware, Phishing and other Malware Security Tools

HOW DO HACKERS HACK?

I’ve posted this before but it’s worth repeating, and you’ll have to forgive me for a somewhat provocative title and allow me some poetic licence, because in fact, different hacking groups do things differently, although they have much in common.  Personally, I don’t like the term hacker, much preferring cybercriminal, because anyone who accesses a system without the owners’ permission, is by definition, a criminal.  But I suppose hacker is less of a mouthful.

What is Hacking?

Hacking involves exploiting vulnerabilities in systems, software, or networks to gain unauthorised access or manipulate data using a variety of techniques and methods, which tend to combine technical tactics and social engineering.

Profiling

One of the first things a hacker, or criminal group, will do, is to profile your organisation and your people.  Favourite open sources of information include:

  • Social media: Information about hobbies, job roles, family, and schedules shared on platforms like LinkedIn, Facebook, and Instagram.  Do you have a social media policy in your company?  Do you lay down what an employee can and cannot say about your company on their personal social media pages?  Do you have a designated person in the company who handles your company’s profile on social media?
  • Company Website:  You’ll want to give prospective clients contact information of course, but you should not give out individual email addresses and you should limit profiles published.  I do give my personal profile on my website but don’t give information about any other position, leaving it to a generic phone number and email address.
  • Professional Profiles: LinkedIn is a favourite for targeting businesses, as it provides details about an individual’s role, connections, and organisational structure.
  • Personal Websites or Blogs: These may reveal contact details, interests, or sensitive information inadvertently.  The same issues that appertain to social media apply here. 
  • Data Brokers: Cybercriminals can purchase detailed dossiers on individuals from data aggregator sites.

With all of these things you’re walking a bit of a tightrope.  You need to advertise and you need to provide potential customers with relevant information to allow them to contact you easily, but at the same time you need to be careful of what you give away.  Use generic email addresses and phone numbers and limit the information you give in profiles.

Phishing and Pretexting

Another favourite is phishing and pretexting.

  • Phishing Emails: We all know, or at least I hope we know, what phishing is.  Attackers send emails designed to extract more information, such as login credentials, by posing as a trusted entity.  In this context, it could be as simple as the attacker wanting to verify information by perhaps sending an email to a discovered address but wanting to confirm that individuals position in the company.  That just requires a response showing a signature block, so the phishing email might seem very innocuous.
  • Fake Surveys or Job Offers: These can be used to obtain detailed personal or professional data.

Favourite Reconnaissance Tools

Hackers don’t need an array of expensive tools to do their job, neither do they need to spend hours developing their own. There are a variety of reconnaissance tools used by attackers, including open-source intelligence (OSINT) tools, WHOIS lookups and scanning misconfigured systems using commercially available tools such as Nmap and Nessus, which identify open ports, services and weak configurations.  This is why it’s essential to regularly scan your network for these weaknesses.  Ports can be opened for a particular reason and never closed again.  It’s a common fault.

We are now seeing new models increasingly. In particular ransomware as a service (RaaS) is a cybercrime business model where  operators write software and affiliates pay to launch attacks using said software. Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators. The “ransomware as a service” model is a criminal variation of the “software as a service” business model. This model allows small threat attackers to gain access to sophisticated ransomware tools at lower costs, also lowering the threshold of entry into cybercrime and complicating defenses against hacking.

Here at H2 we scan the dark web daily looking for leaked credentials, particularly email credentials.  When we on board a new client we nearly always get hits with sometimes up to 20+ compromised email addresses including passwords.  You might ask why they’d be on the dark web – simple, they are often up for sale on dark web marketplaces.

Psychological Profiling

In terms of cybercrime, who’s heard of psychological profiling?  Cybercriminals analyse:

  • Behavioural Patterns: Regularity in actions, such as times a person is online, financial habits, or common purchases.
  • Weaknesses and Triggers: Examples include a recent job loss, major life changes, or emotional vulnerabilities, which they exploit through spear-phishing or scams.

I’ve often argued on these pages, that your employees are both your first line of defence and your greatest weakness, and that a good cyber awareness programme is worth its weight in gold.  Cybercriminals often focus on employees in specific departments (like HR, finance, or IT).

  • LinkedIn and Organisation Charts: Identify individuals with access to sensitive data.
  • Impersonation: Pretending to be a senior executive to trick lower-level employees (e.g., through Business Email Compromise attacks – I’ve written about the CEO scam a lot).
  • Technical Probing: Use of phishing or malware to breach a target’s employer.

Conclusion

In conclusion, what I’ve tried to do here is give you a flavour of what you may be up against, and I hope, I’ve shown you that for all the reasons shown above technology comes last after people and process.  All the tech in the world won’t prevent issues arising from the above and is just one part of an integrated defence in depth required to prevent disaster.

Scroll to top