Security Tools

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

What is Security Architecture, and what does it mean for SMEs?

Security architecture is the structured design of systems, policies, technologies, and processes used to protect an organisation’s IT systems, networks, and data from cyber threats.  Easy to say, not quite so easy to do.

When working on a major IT infrastructure deal, the security architect would be brought in, or at least should be brought in, very early on, usually after the first logical design has been done.  What that means is that a logical design is basically a bunch of boxes on paper that represent systems with connection arrows in between, identifying data flows.  OK, I’m being a bit simplistic, but you get the idea.  Once that’s done, the security architect has something to work with to start putting in security layers.  As the design evolves, so does the security architecture.

So now let’s look at the real world.  Most SMEs are way past this phase, with their systems having grown organically as the company grows.  SME management is focused on how well the systems work for them, whether they meet the need, can the staff operate the systems efficiently, are the systems robust, etc.  Security then tends to get bolted on, often using software and/or hardware that the company’s contracted IT provider recommends, which in turn is whatever software and/or hardware that the contractor sells.

Many SMEs had set up their system before COVID, and they were often set up using what we called the Bastion security model.  That was named after the old castle design, a big wall around it with a moat and a portcullis to protect it, or in modern terms, a protected network, accessed via secure firewalling, with some sort of access control and other protections such as anti-malware.  A good model had network segregation, but I’m afraid my experience is that network segregation was often lacking.  Just to be clear, what segregation means in this instance is a breaking up of functions within the company, i.e., finance, HR, operations, management, etc., with relevant access controls of some sort.  And of course, all this on premises.

In many cases, COVID drove a coach and horses through that model.  First, it stopped people from going into the office, and owners/managers had to quickly come up with a way of working remotely through some form of remote access.  Many at that point weren’t using cloud-based systems, and in fact, there was still some reluctance to embrace cloud tech because owners didn’t trust storing their data with what they saw as being out of their control.  It took some persuasion and education to bring many of these owners/managers around.  These days, of course, cloud storage and remote access are largely the norm, but there is still the question of exactly how secure existing systems are, having often been put together rapidly and from a position of necessity rather than choice.

A realistic cybersecurity architecture for an SME should balance security, manageability, and cost. Most SMEs are now operating in a cloud-based environment, so the architecture typically centres on identity security, endpoint protection, and cloud controls rather than heavy on-prem infrastructure.  But let’s not forget monitoring and auditing, and, depending upon your business, data encryption.

Identity Layer (Core Security Control)

Identity management is core to a secure system.  It is vital to ensure that only the right people have access to the right systems.  SMEs need to consider some form of identity management, but they might feel this is expensive and unnecessary for them.  Owners and managers need to decide their own risk appetite, i.e., what they see as an acceptable, as well as what they see as an unacceptable, risk.  But it doesn’t have to be expensive.  Many SMEs will be using MS365, for example, and will be able to get a reasonable deal on Microsoft Entra ID, formerly known as Azure AD.  I know many of my colleagues in the security world will argue that Azure had its issues in the past, but it is better now.

It will help you implement controls such as:

  • Mandatory Multi-Factor Authentication
  • Conditional access policies
  • Single Sign-On (SSO)
  • Privileged identity management
  • Automated user provisioning/deprovisioning

Endpoint Security Layer

Endpoints are the primary attack surface. This typically includes:

  • Endpoint detection and response (EDR)
  • Device management
  • Encryption

Controls it should cover include:

  • Automated patching
  • Encryption:
  • Full disk encryption comes built into Windows with BitLocker and Mac with File Vault, but it has drawbacks in that it encrypts your disk at rest, protecting your data from a stolen device, but it is unencrypted on boot up, so it isn’t much protection against an intrusion or a mistake made by an employee.
    • File-level encryption works by encrypting files that you have deemed to be sensitive and need protection.  It encrypts the files using an agent-based system and unencrypts the files when shared or accessed by someone who also has the agent and therefore the permission.  Sounds complicated, but it really isn’t, and it can be shown to you very easily.
  • Application control
  • USB restrictions
  • Remote wipe

Email and Collaboration Security

Email is still the No 1 entry point for attacks, and using cloud-based software such as MS365 or even Google Workspace, both affordable for an SME, has security features that are highly desirable if not essential.

  • Anti-phishing protection
  • Attachment sandboxing
  • URL scanning
  • DMARC, SPF, DKIM email authentication – these all refer to entries in your DNS (your network provider should be able to brief you), which help ensure email isn’t being spoofed and is coming from a trusted source.

 Network Security Layer

Even cloud-heavy SMEs still need basic network protection.

Key components:

  • Next-generation firewall
  • VPN or Zero Trust remote access
  • Network segmentation
  • DNS filtering

Good firewall segmentation would include:

  • Company devices
  • Guest WiFi
  • Servers
  • IoT devices

Cloud Security

SMEs often rely heavily on Software as a Service (SaaS) and cloud infrastructure.  Again, this needs some controls, which could include:

  • Secure configuration monitoring
  • Data leakage prevention
  • Access monitoring

Key policies may include:

  • No public file sharing by default
  • Alert on impossible travel logins
  • Monitor privileged activity

Data Protection Layer

Protect sensitive data even if systems are compromised.  Controls might include:

  • Data classification
  • Data leakage prevention
  • Full disk and file-level encryption

Policies might include:

  • Prevent the sharing of sensitive records externally
  • Block download of sensitive files on unmanaged devices
  • Monitoring where your data is and how it transits the network, alerting to movements of data outside of the norm.

 Backup and Recovery

This is critical for recovering from ransomware and other data compromises, as well as technical faults.

Best practice:

  • Immutable backups
  • Offline copies
  • Regular restore testing

Don’t forget cloud backups; that’s something that is often forgotten.  Check your Ts&Cs with your provider, don’t just assume they are backing up as you would require.

Security Monitoring

You need visibility into attacks, and security monitoring is something that many SMEs simply don’t consider, possibly because in the past, it was considered very expensive and over the top.  That is no longer the case.  There are systems now available specifically for SMEs.

Typical SME approach:

  • Centralised log collection
  • Security alerts
  • Managed detection and response

Many SMEs outsource this to an MDR provider like H2.  I know you would expect me to say this, but it really is recommended.

Security Awareness and Policies

Technology alone cannot protect the organisation.  Cyber awareness training is a subject that I bang on about all the time.  It really should be a no-brainer and is arguably the cheapest quick win an SME can make.

What you need as a minimum is:

  • Security training platform
  • Phishing simulation
  • Acceptable use policy
  • Incident reporting channel

Strangely enough, we provide all of these within our managed service.

Incident Response and Business Continuity

I have blogged about this in the past.  You need to be prepared for security incidents.  This means not just having a plan to bring your systems back online and to restore your data from backups, but also having a business continuity plan to enable you to continue your business whilst the technical work is being undertaken. Test these systems and plans and make sure they work.

Key elements include

:

  • Incident response playbooks
  • Legal and breach notification procedures
  • Disaster recovery and business continuity plans
  • Security metrics dashboard

Standards

Consider adhering to a standard such as Cyber Essentials, the Government standard, which has been taken into use by many SMEs.

Summary

Security architecture is the structured design of policies, technologies, and controls used to protect an organisation’s systems, networks, and data from threats.

It acts as a blueprint for implementing security to ensure Confidentiality, Integrity, and Availability (CIA Triad) of information.  It really is something SMEs should consider and need to take advice about.  Do not rely on your network provider, they will focus on the core services they provide and the products they have deals to supply.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security

MORE ABOUT MANAGED DETECTION AND RESPONSE

This subject has, in the past, been difficult to convey to SMEs.  In the corporate and major government department world, it’s a well-understood issue, more often referred to as a security operations centre, or SOC.  I’ve built several of these over the years in the UK and the Middle East, and one thing is for sure: they are expensive to run in terms of both technology and manpower, which makes them unrealistic for an SME, even if they would be of real benefit.

So why am I even bothering to explain what it is?  Simply because there are now systems on the market, very often AI-driven, that have managed to hit a price point that an SME can afford.  These systems may not be as comprehensive as you might find in a large company or central government department, but they do match the requirements for most SMEs.

Why would an SME want such a system?  First and foremost, any such system or service pitched to an SME needs to make business sense.  To maximise its cost effectiveness, having additional capabilities such as vulnerability assessment, phishing simulations and cyber awareness training programmes makes it more attractive.  The whole package needs to emulate enterprise-grade protection without the cost and complexity of a full-blown SOC.  Delivering it as a service reduces cost by cutting out the need for an in-house team.

Good questions for all SMEs to ask themselves are:

If an attack or scam happened tomorrow…

Would you know about it?

Would you be able to stop it in time?

Would your team recognise it for what it is?

In a nutshell, an SME would want this system because it delivers near enterprise-level cybersecurity protection, reduces business risk, improves compliance, and protects revenue without needing an internal cybersecurity department.  It provides peace of mind – you don’t have to worry about this, let someone else take the strain, while you focus on your business.

To help explain this easily, I have produced a short video which you can find on the Features Section on my LinkedIn profile.   But if you don’t want to view that, what follows is an introduction to what the service offers.

  • Continuous monitoring of endpoints, servers, and some cloud environments
  • Rapid detection of ransomware, malware, insider threats, and advanced attacks
  • Expert-led response
  • Phishing simulations
  • Cyber awareness training programme
  • Dark web monitoring

For most SMEs, hiring skilled cybersecurity analysts is expensive and difficult. MDR gives access to an appropriate service level at a predictable monthly cost.

Business benefit: Reduced risk of downtime, data loss, and reputational damage.

This service comes with vulnerability assessment built it.  Such assessments are available elsewhere as both software and a service, but they would not be integrated into an overall protection and would need to have a level of expertise to interpret the results.

Vulnerability assessments:

                  •               Identify outdated software, misconfigurations, and exposed services

                  •               Prioritise risks based on severity

                  •               Provide remediation guidance

Most breaches happen because of known, unpatched vulnerabilities. Regular scanning helps prevent attacks before they happen.

Business benefit: Proactive risk reduction instead of reactive damage control.

The system also offers built in protection against human error (Phishing Simulation).

Over 80–90% of cyber breaches start with phishing. A phishing simulation programme:

                  •               Tests employee awareness safely

                  •               Identifies high-risk users

                  •               Reinforces learning through practical scenarios

Business benefit: Fewer successful phishing attacks and reduced likelihood of credential compromise or ransomware infection.  Such simulations are an integral part of cyber awareness training.

We also assist in building a security culture (CBEE Awareness Training Programme).  A structured awareness programme:

  • Trains staff on cyber hygiene and data protection
  • Covers password security, social engineering, safe browsing, etc.
  • Supports compliance with regulations (GDPR, ISO 27001, Cyber Essentials, etc.)

Cybersecurity isn’t just technology, it’s behaviour. Training reduces internal risk significantly.

Business benefit: Employees become a security asset rather than a liability.

A managed system such as this can also help with compliance & insurance requirements.  Many SMEs now face:

  • Regulatory obligations
  • Supply chain security requirements
  • Cyber insurance conditions

Having MDR, vulnerability management, and training demonstrates due diligence and can reduce insurance premiums or improve insurability.

These last 2 points are very important to an SME:  Cost Predictability & Simplicity.  As a managed service, everything is:

  • Subscription-based
  • Centralised under one provider
  • Fully supported by experts

No need to buy multiple tools, manage updates, or maintain in-house expertise.

In business terms you are getting executive-level risk reduction with a simple value:

  • Reduced likelihood of business interruption
  • Reduced financial exposure
  • Protection of brand and customer trust
  • Clear reporting and measurable risk reduction

All through this article I’ve talked about cost effectiveness.  So, what does this service cost?  I’ll add the BBC caveat – other systems are available!!  We charge £15 per seat per month, and you get a lot for your money.  Seems cheap and we’re happy to explain how we can get the price so low.  It’s a 30-day rolling contract, no long-term lock in, simply 30 days’ notice to quit.  We also offer a totally free 14-day trial that is fully functional so you can see the outputs from your own system, rather than look at demos with dummy data.

Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security

An Increase in sophistication in cyber-attacks in 2025

Artificial Intelligence (AI) is a fascinating subject, but it’s also a controversial one. These days, we are all using it to some extent. I know I do in the solutions I provide for SMEs, as it allows for a large degree of automation, which in turn lowers costs. Lowering costs is always a priority for an SME.

So what is AI?

Artificial intelligence (AI) refers to computer systems that can perform tasks typically requiring human intelligence. This could include visual perception, speech recognition or translation between languages.

That description was one that was put forward by NCSC, and so it’ll do for me, although I’ve no doubt, you’ll find other descriptions if you look hard enough.

Often, what is called AI isn’t all that intelligent. It’s not taking in information, analysing it and coming up with answers. Of course, some very clever versions are doing just that, but they are mostly not available to you and me. The versions we see are very good at being asked a specific question and data mining various sources at an incredible speed and then producing the answer you want, usually with several variations. And that’s pretty much what most of us want to use it for.

As I said above, I use it in the applications I use for cybersecurity managed services directed at SMEs, not least because automation reduces cost, but also because it is very efficient, meaning that the results it produces need minimal human intervention to analyse the output.

But let’s look at the downside of AI in cybersecurity, which is what the cyber criminals are using it for. Firstly, what is it that is at risk:

  1. Data Leakage. AI systems tend to be extremely good at analysing, organising, and harvesting vast amounts of data, raising concerns about privacy breaches and unauthorised access to sensitive information. A good AI-powered attack could capture huge amounts of personally identifiable information (PII) in a ridiculously short amount of time.
  2. Data Integrity. In the good old days (please indulge me – I’ve been around a long time), we used to talk about CIA, no, not the infamous US intelligence agency, but Confidentiality, Integrity, and Availability. We now have something we call the Adversarial Attack. This is where attackers can manipulate AI algorithms by feeding them misleading data, causing them to make incorrect predictions or classifications, in turn destroying the integrity of your data, not just rendering it useless, but also dangerous.
  3. Model Vulnerabilities. This next one is relatively new, at least to me, and as I never tire of saying, I’ve been in this game as long as there’s been a game. It’s something called Model Vulnerabilities. AI models can be vulnerable to exploitation, such as through model inversion attacks or model extraction, where attackers can reverse-engineer proprietary models. So, if you’re in the dev game, this is a very real nightmare.
  4. Bias and Fairness. AI systems may inherit biases from training data, leading to unfair or discriminatory outcomes, which can have legal, ethical, and reputational implications. This could be used as another form of extortion, playing with the integrity of your data, to the point where you can no longer trust it.
  5. Malicious Actors. These can compromise AI systems at various stages of development, deployment, or maintenance, posing risks to organisations relying on these systems. This has a role in supply chain security.
  6. Attackers can leverage AI techniques to enhance the effectiveness of cyberattacks, such as automated spear-phishing, credential stuffing, or malware detection evasion.

What we saw in 2025 is an era where cyber‑attacks are AI‑powered, highly targeted, automated, supply‑chain enabled, multi‑stage, and geopolitically driven. These attacks exploit weaknesses across credential systems, zero‑day exploits, deepfake tools, and ransomware as a service (RaaS) platforms.

We are in an accelerating digital arms race that calls for AI‑driven defence capabilities, real‑time insights, deception environments, zero‑trust architectures, and quantum‑safe cryptography.

  1. Cybercriminals are leveraging AI to automate vulnerability scans at astonishing speeds, up to 36,000 scans per second, resulting in massive volumes of stolen credentials (1.7 billion) and drastic upticks in targeted attacks.
  2. AI is also generating hyper-realistic phishing messages, deepfake audio/video, and even “CEO fraud” to manipulate individuals into transferring funds, like a deepfake trick that siphoned US $25 M in Hong Kong.
  3. RaaS platforms now enable less skilled attackers to run ransomware, complete with support and updates. Over 70% of attacks now use these services.
  4. Attackers have shifted to double/triple extortion schemes, encrypting data, threatening to leak it, and sometimes targeting associated partners or customers.
  5. Next-gen ransomware is rolling out advanced stealth, data theft, and automated lateral movement techniques, i.e., using an initial breach to jump across to other parts of your network or that of your partners and customers.
  6. Attacks starting via third-party software or vendors allow hackers to move laterally into networks and compromise multiple organisations simultaneously.
  7. Nation-states are not just using espionage but are now partnering with ransomware gangs to conduct financially and politically motivated operations.
  8. Nation state-aligned hackers are conducting sophisticated credential theft, MFA bypass, lateral infiltration, DDoS, website defacements, and disinformation across geographies.
  9. Exploit kits now rapidly find zero-day vulnerabilities, especially in cloud environments, to bypass patching cycles.
  10. Attackers increasingly use built-in legitimate software and system tools (living off the land) to evade detection.
  11. Reported credential theft incidents rose 300% from 2023 to 2024, with 25% of malware focused on stealing login data.
  12. These stolen credentials are a gateway for automated brute‑force, lateral movements, and supply‑chain infiltration.
  13. Millions of IoT and OT systems (from manufacturing to agriculture) remain insecure and are now common targets of AI‑driven automated attacks.
  14. Mobile‑specific ransomware is emerging; threat actors are developing malware to extort victims directly via their mobile devices.
  15. In response, organisations are deploying deception tech (honeypots, decoys) to detect lateral intrusions or zero-day exploits in real time.

Let’s not make the mistake of thinking that this is all very sophisticated and requires expertise and resources to pull off. It doesn’t. Take another look at some of the bullets above, where we talk about RaaS or Ransomware as a Service. This takes me back to what we used to term the ‘script kiddie’, that was relatively unskilled and unsophisticated ‘wannabe’ hackers who would visit the dark web and buy scripts from skilled hackers, that they would then try and use to make money, often unsuccessfully.

This has now moved on to using AI, and such services as RaaS; this type of low-skilled individual is back, but this time with a greater level of success. Let me give you a real example of how AI can be used by someone relatively low on the criminal totem pole. Using Chat GPT, the question was posed:

Can you write some ransomware code for me?

So, did ChatGPT help to write Ransomware code? Well, not initially, it gave a stock answer about not being able to write code that might damage a computer system. And some tooing and froing, trying to get around this, achieved the same result. So far, so good. That’s an ethical answer I would like to see.

Coming at it obliquely, via a back-and-forth conversation, can produce different results. Give it the instruction to write some C code to encrypt a single file, and get the result:

Certainly. Here’s an example of how you can use the OpenSSL library to encrypt a single file using the AES-256-CBC encryption algorithm in C.

The next step was to ask it to modify the code to encrypt a whole directory, which it did willingly.

Obviously, this isn’t the complete answer, and there would be more work to do, more research and probably a trip to the dark web, but a relatively unskilled individual can make a good start at producing their own ransomware.

I even asked Chat GPT to give me a description of how AI can be a boon as well as a danger to society:

AI can be both a boon and a potential danger in terms of cybersecurity. On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks. On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously. Sophisticated AI-powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale. It is crucial to develop robust safeguards, ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

If you’re looking for answers as to where we stand with AI, there are a multitude of opinions, I’m afraid, mostly because many of us are still trying to work that out for ourselves. However, I will continue to explore it, use it carefully and with forethought. The questions I pose will be based on my own knowledge of cybersecurity and my experience in life. Let’s hope I get it right.

General Security Issues Ransomware, Phishing and other Malware Security Security Tools

ENCRYPTION

There are lots of different encryption solutions on the market, some which come with other applications and some that are stand alone.  I’m not going to attempt to put one up against another but rather have a more generic look at the subject.  I’m also not going to worry too much about the technicalities of how they work as frankly, most clients, many of which are SMEs, don’t really care about that.  It’s the effectiveness and what they are going to get for their buck, that they care about.

There are essentially two main types of encryption, whole disc encryption (WDE) and file level encryption (FLE).  WDE protects the device if the disk is offline or stolen.  It’s the type of encryption that comes with Windows (Bitlocker) and with a Mac (File Vault).  FLE on the other hand protects the data itself, even if stored on unlocked or shared systems.  It encrypts on a file-to-file basis i.e. it encrypts the files you want to protect, and leaves others unencrypted.  It generally operates as an agent-based system and often, but not always, comes as part of another application.

WDE is easy to describe. As you log off, the disc is encrypted so that if the hardware, laptop etc, is stolen, the data on the disc is protected.  However as soon as you log on, the disc is unencrypted and so the data is unprotected from an intrusion.

FLE proactively encrypts sensitive files at the file level using AES 256-bit encryption. This makes stolen data completely worthless to attackers, as it cannot be accessed or decrypted without the proper decryption key, which is managed through an agent and defined access controls. By encrypting data automatically and in real-time, FLE ensures data remains protected even if the system is compromised, which can be more effective than traditional reactive security measures that rely on detecting attacks after they occur. 

Let’s take a look in a bit more detail at the differences between WDE and FLE.

FeatureWhole-Disk Encryption (WDE)File-Level Encryption (FLE)
What gets encryptedThe entire drive (OS, apps, swap, all files)Individual files or folders
When data is decryptedAutomatically after the device boots and the user authenticates (e.g., login, pre-boot PIN, TPM key)Each encrypted file decrypts only when accessed by an authorised app/user
Protection scopeStrong against physical theft, lost devices, or disk removalStrong for protecting sensitive data, shared storage, or cloud backups
Visibility of encrypted contentDrive appears unreadable until unlockedFile names can still be visible (depends on tool), but contents are encrypted
Use casesLaptops, desktops, mobile devicesEncrypting documents, databases, specific secrets, or user-chosen data
Performance impactMinimal today, because decryption happens in bulk after unlock, and often uses hardware accelerationCan be higher if many encrypted files are accessed frequently
Granularity / controlLow (all-or-nothing)High (encrypt only what needs protection)
Key managementOne main disk key (often protected by TPM or secure hardware)Many file keys or per-user/per-file keys possible
Security if system is compromised while powered onWeak (disk is unlocked, malware can read everything)Better (files are only decrypted when opened, limiting exposure)

One question I get asked a lot is, does encryption protect against Ransomware.  The short answer is no.  WDE only protects the data when the machine is switched off.  Once booted up the data is unencrypted.  FLE protects data against data leakage or theft in that it can’t be read by unauthorised persons.  However, it can’t prevent encrypted data from being encrypted again by a ransomware attack.

A secondary aim of most ransomware attacks is to steal the data to sell on or to use for other things.  In those cases, FLE does help protect because the ransomware can’t decrypt the already encrypted data.  So, there is a level of protection using FLE that you can’t get with WDE.

FLR can help a little (but still not enough):

It can slow or limit ransomware only if:

  • Keys are stored in a separate secure environment (HSM, smart card, enclave, etc.)
  • Decryption requires per-file user interaction ransomware cannot mimic
  • The storage supports immutable or version-protected encrypted blobs

Even in those cases:

  • Ransomware can still delete files, encrypt them again, or lock the device
  • It usually cannot be used as a full defence strategy

What it does not prevent

  • Files being encrypted again by ransomware
  • Files being deleted or corrupted
  • The system being locked or made unusable

What it can still be good for

         •       Preventing data theft if files are exfiltrated

         •       Limiting extortion via stolen data leaks

  •       Protecting backups stored in cloud/shared drives from being read by attackers

My focus as always is on the SME community and therefore I always aim to keep costs down to a level that makes sense to them.  I am much more a fan of FLE than WDE however, as WDE comes from with both Windows and Mac, then let’s use it.  Many corporate organisations use both as a belt and braces protection.  But remember, on its own it’s not a total solution and should be implemented as part of a more holistic cyber defence.

I hope this has given an insight into the subject and answered some basic questions.  If you would like to understand more about this then please give me a call or an email, I’d be delighted to chat it over.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Managed Detection and Response (MDR)

What’s this all about and why would it be of any benefit to you?  The first part is easy to explain but the second is a little more problematic.  MDR is a cybersecurity service designed to help organisations, including small and medium-sized enterprises (SMEs), detect, investigate, and respond to cyber threats without needing their own large security team.  That latter bit is important for an SME simply because they don’t have the expertise or resources to do this themselves, neither can they rely upon their local IT provider to do this for them, even if only because it almost certainly won’t be in your service contract.

What does it give you:

CapabilityWhy it matters to SMEs
Around-the-clock monitoringCyber threats don’t stick to business hours – MDR providers watch systems 24/7.
Threat detection using modern toolsUses advanced analytics, machine learning, and threat intelligence that SMEs typically can’t afford or manage internally.
Rapid Incident ResponseCan remotely contain and remediate attacks before they spread.
Security expertise on demandSMEs gain access to required expertise.
Proactive threat huntingIdentifies hidden attackers or early-stage breaches.
Compliance and reportingHelps SMEs meet regulations (e.g., GDPR, Cyber Essentials, ISO 27001) with clear reports.

The above describes a full service, SMEs do have the choice of selecting a full response or an alerting service which also gives guidance on what to do i.e. helps manage a response by you.

It’s important to understand what an MDR is not:

  • Not a replacement for basic security hygiene (patching, backups, strong access controls)
  • Not just a tool, it’s a combination of technology + human expertise
  • Not “set and forget”, you still must collaborate on remediation decisions

So now we understand what MDR is, let’s look at why you might want it.  SMEs are increasingly targeted by cybercriminals due to limited in-house security resources. An MDR service provides continuous monitoring, advanced threat detection, and rapid incident response, improving cyber resilience while reducing operational burden and cost. Implementing MDR will significantly reduce the company’s cybersecurity risk and support compliance, business continuity, and customer trust.  And if you think this is all over the top let’s remember Knights of Old, they were an established trucking company who moved a lot of what you might call just in time goods, i.e. perishables.  They were hit with a ransomware attack and went under in a frighteningly short time.

So just to crystallise the problem, current security controls are designed to be preventative and are largely reactive, with no proactive elements to them.  They lack:

  • 24/7 threat monitoring
  • Real-time detection and investigation
  • Specialised expertise required for modern cyber threats
  • Rapid response capability to contain breaches

As a result, you potentially face::

  • Increased probability of a successful attack
    • Delayed breach response → attackers remain undetected for months
    • Data exfiltration and business disruption
  • Higher financial and operational impact if one occurs
  • Non-compliance with data protection obligations (e.g., GDPR, industry standards)
  • Reputational damage and loss of customer confidence
  • Insurance coverage gaps (cyber insurers increasingly mandate MDR-level monitoring)
  • Greater operational and legal fallout from incidents

The trick for many SMEs would be finding a solution that is suitable for them and just as importantly affordable.  A good fit could be:

  • Affordable subscription model with no costly infrastructure
  • Bridges the cybersecurity skills shortage
  • Improves resilience against ransomware, phishing, insider threats, and more
  • Scales as the business grows

SMEs would also need to consider whether they need a full response service or an alerting service level.  The latter is obviously cheaper and maybe more appropriate for many.  The coverage they should be looking for needs to include:

  • Endpoints (laptops, servers)
  • Cloud workloads (Microsoft 365, Azure, etc)
  • Identity services (Active Directory)
  • Network visibility
  • Email security
  • Remote workforce monitoring

I hope that this provides food for thought as I know many SMEs will not have considered this type of service or if they have, they will have dismissed it as too expensive and probably over the top.  And for many years this would have been just that.  I first got involved with this back in 2002 and built several security operations centres over the years, including staffing levels and processes. 

Generally, these have been way too expensive for an SME to consider.  But that has changed now, there are services available which are designed for SMEs, and which are affordable and appropriate.  Now I know you’ve been waiting for the pitch and here it comes.  At H2 we provide such a service which is very affordable, and we are happy to stack it up against others.  We offer a 14 day totally free trial, that covers your whole estate, i.e. not restricted to one or two systems, or departments, but your whole organisation. 

General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Cyber Security Architecture

In many of my discussion with small to medium business owner on the subject of Cyber Security and how it may impact them, one of the things that does stand out, amongst quite a few, is the lack of understanding about security architecture.  So, I thought it was worth discussing it further.

What is security architecture?  Well, in a nutshell it’s the technical elements of security that are used to mitigate cyber risks.  Many of you may have read or heard of me talking about the differences between IT Security ie, the technical elements, and Cyber Security ie, the risk managed elements, a more holistic approach if you like.  And of course, the two remain separate whilst maintaining a symbiotic relationship in that one begets the other, or it should.  Security architecture, in order to be fully effective, has to be based on risk management ie, if you haven’t identified the risks, how can be sure that whatever technology you’ve been persuaded to buy, is necessary and effective?

All SMEs will have things like a firewall and anti-virus, possibly going a step further and having some form of end point protection against most malware attacks.  But how did they arrive at the products they have purchased and taken into use.  Well generally that is based solely on the recommendation of whatever IT support company they’ve bought it from.  Usually, the local IT company that they use to supply their hardware and software and who often provide technical support as well.

I’m not against building a relationship with a local IT provider, in fact it’s a very good idea, but all SMEs have to realise that those companies are what is known as Value Added Resellers or VARs.  What that means is that they have a relationship with hardware and software vendors and that their staff are trained in the installation, configuration and sometimes maintenance, of those vendors hardware and software.  Is that a problem?  That depends very much on how the requirement for a solution was arrived at.  Was it based on identifying the risk through some form of risk assessment process, or was it arrived at because that’s the products they sell and are comfortable with?  All too often it’s the latter.

I’ve also talked elsewhere about the other non-technical controls that might be required, such as policies and process, another subject but one which is vitally important and can often be better placed to protect a company than expensive tech.

How many SME owners have had the reasoning behind the purchase of technical solutions explained to them? And to be fair to the VAR, how many SME owners have asked for it to be explained to them?  It is typical, when I visit SMEs, to find that they have what is known as a flat network.  That means that they have one gateway into the network, introducing a single point of failure, and no segmentation within the network.  Lack of segmentation means that once an intruder is in, and often the gateway firewall is a dual firewall/router entry level device, not the best, then there are no other controls to stop the intruder from attacking end points, such as for instance, your finance department/person, or perhaps just taking whatever data they want in a stealth attack, so that you don’t even know it’s been compromised.

Of course, these days that is often exacerbated by the increasingly popular remote working.  I know not every company has embraced this, but many have and have not through the security implications.

Segmentation, remote access and remote security solutions need not be overly expensive to implement and may save a lot of money in the long run.  But the main point is that unless you have carried out a risk assessment, then you don’t actually know whether you need a particular solution or not.  Neither do you know whether your firewall and/or router is up to scratch, whether your anti-malware system is doing what you think it’s doing, whether your policies and processes are adequate for the task and whether your staff understand the issues and dangers.

None of these things need be complicated and difficult but they are essential to adequately protect you against and increasingly sophisticated and ever evolving cybercriminal community.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy Security Tools

Do You Have a Handle on Your Cyber Maturity Stance?

Over the years I’ve had some very interesting conversations with several people from multiple different verticals, but all fitting comfortably within the SME bracket, around Cyber Security.  The conversations often tend to take a very familiar turn.  The cry of, ‘I’m covered, my IT support company has put in a firewall and some anti-virus.  They tell me all is good’.  Slightly depressing but not terribly surprising.

Even though cyber security and data loss prevention have leapt to the top of many people’s agenda in recent years, it is still common amongst many SMEs to believe that it is an IT problem, a technical problem rather than a business issue, even when recognising that the risk of a cyber intrusion or a data breach, impacts the business, the bottom line.  So, is it an IT issue or a business issue? 

The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security incident of some sort.  For the small business this could result in costs they could well do without, and I know of one business that has been hit for around £30000, which I am sure you will agree, can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers data and assets be affected as well.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

It is a common misconception is that IT Security is the same as Cyber Security.  That surprises a lot of people, so let’s explore it a bit.  There is clearly a close symbiotic relationship between the two disciplines.  I would argue, and I know this might meet with some disagreement, that IT security refers to traditional IT security methods which are technology based.  Such as firewalls, anti-malware, end point protection etc.  Whilst Cyber security is based very much on risk management which combines controls which are both non-technical and technical, following the principles of People, Process and Technology.

Within the SME world this tends to mean that there is a heavy reliance on third party IT providers.  Is that a good thing? After all that’s in their area of expertise and responsibility, isn’t it?  And here comes the controversial bit.  Third party IT providers, particularly in the SME space, are pretty much exclusively value added resellers or VARs, i.e., companies that sell other company’s products.  Now I’ve no problem with that per se, but it comes with issues.    Notable amongst them is that these companies will have skill sets that are very much limited to the products they sell.  Ie they are proficient in the installation and configuration of those products and their clients are offered those products whether they are best in class, or more importantly, whether they are the most appropriate for the task.  Before I get a social media pile on, I know that some of the bigger VARs do sell multiple vendors products, but they are in a minority.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT.  They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Here at H2 we offer a cyber maturity assessment that is designed specifically at SMEs.  It is a comprehensive evaluation of an organisation’s cybersecurity capabilities and readiness to effectively mitigate and respond to cyber threats. It involves a detailed analysis of the organisation’s cybersecurity policies, procedures, technologies, and practices. The assessment aims to identify potential vulnerabilities, weaknesses, and areas for improvement in the organisation’s cybersecurity posture.

During the assessment, we typically examine various aspects, such as:

  • Governance and Management: Reviewing the organisation’s cybersecurity policies, risk management frameworks, and leadership’s commitment to cybersecurity.
  • Security Awareness and Training: Evaluating the level of cybersecurity awareness among employees and the effectiveness of training programs.
  • Technical Controls: Assessing the implementation and effectiveness of security technologies, such as firewalls, intrusion detection systems, antivirus software, and encryption mechanisms.
  • Incident Response and Recovery: Analysing the organisation’s incident response plan, including procedures for detecting, reporting, and responding to cyber incidents.
  • Security Risk Management: Evaluating how the organisation identifies, assesses, and manages cybersecurity risks.
  • Third-Party Risk Management: Assessing the organisation’s approach to managing cybersecurity risks associated with third-party vendors and partners.
  • Compliance and Regulations: Verifying the organisation’s compliance with relevant cybersecurity regulations and industry standards.

The results of the Cyber Maturity Assessment provide valuable insights to the organisation, enabling them to enhance their cybersecurity defences and establish a more robust and resilient security posture. It helps organisations prioritise their investments in cybersecurity, address vulnerabilities, and strengthens their overall cyber resilience and provides a road map to reach a standard agreed with the management, taking full account of that managements risk appetite.

H2 is currently offering a free 1-hour consultation, and if you wish, a 10% discount for a CMA.

Cyber Awareness Training Data Breaches and their consequences Ransomware, Phishing and other Malware Security Tools

HOW DO HACKERS HACK?

I’ve posted this before but it’s worth repeating, and you’ll have to forgive me for a somewhat provocative title and allow me some poetic licence, because in fact, different hacking groups do things differently, although they have much in common.  Personally, I don’t like the term hacker, much preferring cybercriminal, because anyone who accesses a system without the owners’ permission, is by definition, a criminal.  But I suppose hacker is less of a mouthful.

What is Hacking?

Hacking involves exploiting vulnerabilities in systems, software, or networks to gain unauthorised access or manipulate data using a variety of techniques and methods, which tend to combine technical tactics and social engineering.

Profiling

One of the first things a hacker, or criminal group, will do, is to profile your organisation and your people.  Favourite open sources of information include:

  • Social media: Information about hobbies, job roles, family, and schedules shared on platforms like LinkedIn, Facebook, and Instagram.  Do you have a social media policy in your company?  Do you lay down what an employee can and cannot say about your company on their personal social media pages?  Do you have a designated person in the company who handles your company’s profile on social media?
  • Company Website:  You’ll want to give prospective clients contact information of course, but you should not give out individual email addresses and you should limit profiles published.  I do give my personal profile on my website but don’t give information about any other position, leaving it to a generic phone number and email address.
  • Professional Profiles: LinkedIn is a favourite for targeting businesses, as it provides details about an individual’s role, connections, and organisational structure.
  • Personal Websites or Blogs: These may reveal contact details, interests, or sensitive information inadvertently.  The same issues that appertain to social media apply here. 
  • Data Brokers: Cybercriminals can purchase detailed dossiers on individuals from data aggregator sites.

With all of these things you’re walking a bit of a tightrope.  You need to advertise and you need to provide potential customers with relevant information to allow them to contact you easily, but at the same time you need to be careful of what you give away.  Use generic email addresses and phone numbers and limit the information you give in profiles.

Phishing and Pretexting

Another favourite is phishing and pretexting.

  • Phishing Emails: We all know, or at least I hope we know, what phishing is.  Attackers send emails designed to extract more information, such as login credentials, by posing as a trusted entity.  In this context, it could be as simple as the attacker wanting to verify information by perhaps sending an email to a discovered address but wanting to confirm that individuals position in the company.  That just requires a response showing a signature block, so the phishing email might seem very innocuous.
  • Fake Surveys or Job Offers: These can be used to obtain detailed personal or professional data.

Favourite Reconnaissance Tools

Hackers don’t need an array of expensive tools to do their job, neither do they need to spend hours developing their own. There are a variety of reconnaissance tools used by attackers, including open-source intelligence (OSINT) tools, WHOIS lookups and scanning misconfigured systems using commercially available tools such as Nmap and Nessus, which identify open ports, services and weak configurations.  This is why it’s essential to regularly scan your network for these weaknesses.  Ports can be opened for a particular reason and never closed again.  It’s a common fault.

We are now seeing new models increasingly. In particular ransomware as a service (RaaS) is a cybercrime business model where  operators write software and affiliates pay to launch attacks using said software. Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators. The “ransomware as a service” model is a criminal variation of the “software as a service” business model. This model allows small threat attackers to gain access to sophisticated ransomware tools at lower costs, also lowering the threshold of entry into cybercrime and complicating defenses against hacking.

Here at H2 we scan the dark web daily looking for leaked credentials, particularly email credentials.  When we on board a new client we nearly always get hits with sometimes up to 20+ compromised email addresses including passwords.  You might ask why they’d be on the dark web – simple, they are often up for sale on dark web marketplaces.

Psychological Profiling

In terms of cybercrime, who’s heard of psychological profiling?  Cybercriminals analyse:

  • Behavioural Patterns: Regularity in actions, such as times a person is online, financial habits, or common purchases.
  • Weaknesses and Triggers: Examples include a recent job loss, major life changes, or emotional vulnerabilities, which they exploit through spear-phishing or scams.

I’ve often argued on these pages, that your employees are both your first line of defence and your greatest weakness, and that a good cyber awareness programme is worth its weight in gold.  Cybercriminals often focus on employees in specific departments (like HR, finance, or IT).

  • LinkedIn and Organisation Charts: Identify individuals with access to sensitive data.
  • Impersonation: Pretending to be a senior executive to trick lower-level employees (e.g., through Business Email Compromise attacks – I’ve written about the CEO scam a lot).
  • Technical Probing: Use of phishing or malware to breach a target’s employer.

Conclusion

In conclusion, what I’ve tried to do here is give you a flavour of what you may be up against, and I hope, I’ve shown you that for all the reasons shown above technology comes last after people and process.  All the tech in the world won’t prevent issues arising from the above and is just one part of an integrated defence in depth required to prevent disaster.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Security Security Tools

PROACTIVE CYBER SECURITY

Proactive security, protective monitoring, security operations – all pretty much means the same thing in terms of cyber, at least in the corporate world and the larger, more sensitive Government organisations.  I’ve been involved with the design and commissioning of security operations centres for a long time.  I designed the first for the FCO, under contract to HP, ran the security team for the Identity and Passport Service which included a security operations centre, amongst others.  But the one thing I knew, was that it was too complex and expensive for an SME, even though it would bring them great benefits.

I’ve been talking and posting a lot recently about this subject because I think it’s extremely important and hasn’t, in the past, resonated with SME owners and management simply because it was considered by many to be purely in the province of the corporate world and was way too expensive for an SME to even consider.  Well, that cost issue is no longer the case and there is a system, which we use to provide a managed service for SMEs, that is very affordable.  So that leaves us to consider whether it is something that an SME would consider as an essential element of their cyber defences, now that it is affordable.

Typically, an SME would generally want such a solution that balances strong security coverage with affordability, simplicity, and minimal disruption to daily operations.  Here’s what I think they would like to include if they could afford it.

  1. Comprehensive Threat Visibility
  • Log collection from key systems (servers, endpoints, cloud services, firewalls, applications).
  • Real-time monitoring for suspicious activities (e.g., failed logins, privilege escalation, data exfiltration).
  • Ability to spot both external attacks (phishing, malware) and insider threats.
  • Actionable Alerts, Not Noise
  • Intelligent alert prioritisation to avoid alert fatigue.
    • Context-rich notifications so the SME knows what happened, why it matters, and what to do next.
    • Possibly AI-driven correlation of events to detect patterns.
  •  Ease of Use & Low Overhead
  • Simple dashboards that non-experts can navigate, or more likely, a managed service as an SME will have little or no resource to give to this.
  • Minimal in-house expertise required to operate.
  • Fast onboarding and configuration.
  •  Reporting
  • Reports that are east to read, management focused and not full of jargon.
  • Audit trails for investigations.
  • Incident Response Integration
  • Clear escalation paths (automated and manual).
  • Integration with existing tools (ticketing systems, email, Slack/Teams).
  • Ability to block malicious IPs or disable compromised accounts quickly.
  • Affordability & Scalability
  • Pricing that fits SME budgets (no enterprise-only costs).
  • Scales up with business growth without a full rip-and-replace.
  • Easy and flexible deployment.
  • Coverage regardless of where your staff work, in the office, remote or on the move.
  • Resilience & Reliability
  • Works even if parts of the infrastructure are down.
  • Secure storage and backup of monitoring data.
  • Regular updates to threat detection rules.

In short: An SME doesn’t just want raw data — they want reassurance, clarity, and quick guidance so they can protect their systems without hiring a large security team.  And that’s what we are offering, assurance.  There’s no such thing as 100% security, so if you’re looking for that, then we can’t help you.  Using this system our managed service plays the percentages by monitoring your defences, telling you in no uncertain terms where your defences aren’t up to the job, alerting you to problems and providing advice and guidance on how to fix stuff.

So, what exactly are we offering.  Well, it’s a 24/7 service which provides a manned interface between you and us, on the end of the phone or by email in working hours, and an automated response service in silent hours.  Doing it that way you don’t have to pay for expensive night shifts.  The staff on duty don’t just monitor your systems but provide advice and guidance as well, giving you a cyber security resource on tap.

Specifically, we are covering off:

Email Security – Stay ahead of potential email threats with our user-friendly, API-based active protection.

Endpoint Security – Safeguard laptops and desktops against cyber threats like malware and ransomware.

Cloud Data – Enable cloud data protection for secure collaboration with external users.

Secure Browsing – Keep your browser secure with a provided extension, protecting you from viruses and malicious sites.

Awareness Training – Empower employees to be the first line of defence against the ever-evolving landscape of cyber threats.

Phishing Simulation – Regularly simulate cyber-attacks, including phishing emails, to identify vulnerabilities and educate staff to the dangers of Phishing.

External Risk – Obtain actionable insights on external threats by scanning your digital footprint and exposed vulnerabilities. This includes regular scanning of the dark web looking for compromised email addresses and credentials.

Insurance – Mitigate the cyber risk associated with evolving threats through tailored coverage at the right price (optional; aligning your premiums with your security posture can lower those costs).

Here are some questions to ask yourself and if you answer yes to most of them, then you might be a fit for this service:

  • Do you employ around 1-250 staff members?
  • Does falling victim to cybercrime worry you?
  • Could you continue to operate your business without your IT systems?
  • Is a recent cyber scan of your public domain on your radar?
  • Are you aware of the constantly evolving cyber threats and tactics?
  • Does your business need protection against these advancing cyber threats?
  • Are you looking for coverage under a cyber insurance policy?

Keep your eye out for a webinar that we will shortly be doing which will provide a full demo of the system, or if you prefer, contact us and we will give you a one-to-one demo, with no obligation.  You can follow this with a totally free 14-day trial covering your whole estate, again with no obligation.

If you wanted this system, you might still think it’s too expensive for you, well, it’s only £14 per user per month, so if you only have 10 IT users amongst your staff, that would be £140 per month on a rolling 30-day contract i.e. you can quit with just 30 days’ notice.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Risk Analysis and Security Strategy Security Tools

A Guide to Cyber Security for SMEs

There’s a continual stream of blogs and posts about cyber security and the sometimes catastrophic effects of getting it wrong, but there is very little that tells SMEs what they should be doing, and it’s generally left to local IT management companies and VARs (Value Added Resellers – i.e. those who sell various products and add value by configuring and managing them).  I’m not knocking those companies; they have a very valid business model.  But what they aren’t are cyber security professionals and generally their security expertise is focused on the products that they sell.  For instance, they will have good skills in installing and configuring security products such as anti-virus and firewalls but there is generally no knowledge of cyber risk management and assessment, thereby ensuring that you have the right defences in the right place, providing the best value for your limited spend, and ignoring the non-technical solutions that are often a better bet than a piece of technology.

SMEs generally have very little budget to allocate to this and that means that what budget they have needs to be effectively targeted at what is important.  They need to be aiming for a situation whereby when a potential attacker targets them, they appear to be a more difficult nut to crack than other organisations in their space and their size.  Attackers want things to be easy, not difficult, and they will often move on if things get difficult.  A criminal is in the game of getting easy money.

Let’s take a look at what cyber security is all about, and more importantly, why you need it?  Let’s tackle the first question – what is cyber security?  One definition is as follows:

Cybersecurity is the practice of protecting computer systems, networks, software, and data from digital attacks, unauthorised access, damage, or theft. It involves a range of technologies, processes, and practices designed to:

  • Prevent cyberattacks
  • Detect breaches or suspicious activity
  • Respond to security incidents
  • Recover from damage or loss caused by attacks

The problem is of course that each bullet point there covers a multitude of issues that need to be addressed.  The question is understanding what those issues are, how they affect you and what is the priority i.e. what are the most important things that you need to protect, and what comes next, all managed within whatever budget you can allocate to it.  It’s not easy and you might feel that you don’t need to do everything but that you need to cover off the most important issues.  That means of course that you need to know what those issues are.

The first thing you need to do is to identify your cyber assets.  Assets are not confined to hardware and software, far from it.  A cybersecurity asset is anything of value that requires protection in a digital context. Identifying and classifying these assets is a foundational step in building a strong cybersecurity posture.  Assets will change from company to company, depending upon how you’re organised and what business you are in, but generally:

Hardware Assets

  • Servers, routers, laptops, mobile devices, firewalls
  • Why it matters: Physical devices are entry points for attackers and must be secured.

Software Assets

  • Operating systems, applications, databases etc
  • Why it matters: Vulnerabilities in software can be exploited to gain unauthorised access.

Data Assets

  • Customer records, financial data, intellectual property, source code
  • Why it matters: Data breaches can lead to regulatory fines, reputational damage, and financial loss.

Network Assets

  • VPNs, switches, IP addresses, subnets
  • Why it matters: Networks facilitate communication and, if not protected, can be avenues for lateral movement by attackers.

People Assets

  • Employees, contractors, system administrators
  • Why it matters: Human error is a leading cause of breaches, so training and access control are crucial.

Cloud and Virtual Assets

  • Virtual machines, containers, cloud storage (e.g., AWS S3, Azure Blob Storage)
  • Why it matters: Cloud environments introduce new attack surfaces that must be monitored and managed.

An example could be a customer database, maybe on the cloud or via an app, or even an onsite server.  You class this as high value because it contains personally identifiable information (PII) and of course all your interactions with those customers and the value they have to you.  Lose that and you might be out of business.  You decide to encrypt it and use multi factor authentication and have daily backups, not kept online.

Identifying the assets is the first step in defining what protections you need.  You then have to categorise those assets and decide how important they are to the business before you can decide what levels of protection they need.

Having categorised your assets, you then need to assign a risk score to them.  Now, this can be done formally via a formal risk assessment, but I accept that many SMEs can’t afford to have that done, and, given the size of the company and the amount/types of information held, it might be relatively easy, when compared to a corporate body, to assign a risk score to each asset.

The next step then is to apply a risk score to the assets in accordance with how you have assessed them, this in turn informs you of the importance of each asset and how you will need to protect them.  In other words, you are now targeting your spend to where you know it will be most effective.

We then need to identify the vulnerabilities and the threats and that is where most organisations require help.

Here at H2 we use our considerable experience in doing this for corporate level organisations, and translating that into doable chunks for SMEs, carving up what is needed into priorities and working with clients to decide what those priorities are.  We do this keeping in mind the principle of People, Process and then Technology, keeping in mind that many protections, or controls as we term them, are actually not technical but are procedural, based on sound policy and process, and therefore costing very little.

We take a phased approach:

The first phase works with the client to decide where they are now, on a scale which we take from the Carnegie Melon cyber maturity model.  Most SMEs come out at around 1 to 2 on the scale and aim to get to 3 to 3.5.  The scale goes up to 5 but, as you can see from the phased approach above, this tends to be not necessary for an SME and is often too expensive anyway.

Once we know our starting point, we identify quick wins to tighten up security.  As a rule, that will include things like cyber awareness training for staff, ensuring that all access is controlled using MFA of some sort and making sure that Admin rights are strictly controlled.  Depending on the company and what it does, it might mean instituting some form of identity management.

As part of the Quick win phase, we also look at policies and processes.  Is there a process for allocating and removing rights?  Is there a policy and process about on and off boarding staff etc.  Other policies we might need to look at include:

  • Top-level policy issued by the board
  • Starters and Leavers Policy
  • Access Control Policy
  • Magnetic Media Policy
  • Mobile Working Policy
  • Password Policy
  • Email Policy
  • Acceptable Use Policy
  • Data Protection

That done we move on to Phase 2 which is where we might recommend encryption both at rest and in transit, for critical data assets.  We will discuss back up procedures and processes which will ensure that backups are securely stored and that restoring from backups is practiced and works.  We will discuss incident handling procedures and business continuity planning.  Finally, we will discuss monitoring and audit, two things that until quite recently tended to be out of the price range of SMEs.  However, there are now systems and services on the market which are affordable.

This all seems a bit daunting, but if taken in chunks and phased over perhaps several budgetary periods it is doable, and you really need to consider it.

Scroll to top