Security Tools

Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security

Is Cyber Security about Tech or the Business?

It’s simply a fact that many owners, managers, directors etc, believe that cyber security is a technology issue and is best left to those guys in IT who understand that stuff.  Here at H2 we spend a lot of time and effort trying to educate C level people, that it really is a business issue, although it has significant input from the techies.  It’s a business issue because breaches can have a significant financial and reputational impact.  It’s also an IT issue because it involves implementing technical measures to protect systems and data.  Effective cyber security requires a collaboration between business leaders and IT professionals to address both the strategic and technical aspects of security.

The crux of the issue though, is that it must be led by the business, and at board level.  It requires a strategy to be followed, which is laid down at board level and which is focused on the goals and aspirations of the business, especially when your IT is outsourced.  You can outsource your IT, but you can’t outsource your responsibility.

A valid argument is that the proliferation of security tools creates an illusion of safety.  Organisations, large and small, often believe that by deploying a firewall, antivirus software and maybe some other tools, such as intrusion detection systems, they are adequately protected.  This ignores the fact that such tools are controls put in place to mitigate risks identified and qualified in terms of importance, in a risk assessment and unless the benefits they bring are properly identified, and the solutions placed and configured correctly, they may well not be doing what you think they are doing.  This thinking can also introduce significant third-party risks into your domain.  The most recent example of this is the CrowdStrike issue which caused so much chaos throughout the globe.

To be fair to most companies in the smaller and mid-market arenas, their focus is on obtaining IT solutions as cost effectively as possible, and with the minimum of support costs.  Cost control is vital to most.  This means that they are extremely reluctant to spend money on what they see as not being part of their core business.  Of course, if they get a cyber-attack or scam, or worse a data breach attracting the attention of the ICO, then their costs trying to fix the issue can easily outstrip any costs in prevention.  Unless they have a well thought out risk managed strategy, they are wide open to slick sales pitches which push products.  The rub is that in order to have that well thought out strategy, it means spending on what they see as expensive services that can seem somewhat nebulous, not something they can see and feel, and there is that vague feeling that they are being led to do something that really isn’t all that important.

The approach most take is to trust their IT provider to give them the protections they need.  Most of these IT providers are what is known as re-sellers, ie they sell other people’s products and will push those products because that’s their business model.  What they won’t do is take a risk managed approach which is essential in ensuring that any limited spend on security, limited because of cost constraints, is targeted where it’s needed and will be most effective.  In other words, the technological approach taken by most IT support company’s will do half a job at best.

In essence then, if you don’t understand the risks you face, how can ensure that your cyber security strategy and protections are fit for purpose?  Risk management is all about helping us to create plans for our future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis.

A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

How do we approach this then?  First and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it goes not as expected?  Do I want to take this person on?  Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take.  Failure to do that will almost certainly be damaging to your business, perhaps fatally so. 

The difference between assessing day to day business risk and assessing risk to cyber assets, is one of understanding.  What is a cyber asset?  In this context insert the word ‘information’ instead of cyber.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers probably in a cloud somewhere (cloud storage and access is a whole other subject) and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations.  And we haven’t even thought about changes in working patterns.  How many of your staff now work remotely some or all of the time.  I could go on.

How can we be sure where all this information is and how important each bit is to the business?  How can we assess this risk to the business, if information is lost or otherwise compromised?  What about ransomware, phishing scams etc?  The good news is that some of this can now be automated and managed for you at an affordable price and you can even arrange a 14 day totally free trial to assess its effectiveness.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security

New Cyber Threats and Innovations

Cybersecurity is an ever-evolving field, with new threats and innovations emerging regularly. Not all these threats will apply to everyone, the trick is, and has always been, identifying the threats that apply to you, working out how vulnerable you are too those threats, and applying controls to bring those down to an acceptable level.  That acceptable level will change, not just from company to company, but also asset to asset.  Don’t waste valuable time and energy trying to achieve a zero-threat level.  It doesn’t exist.  You need to understand clearly what your appetite for risk is, ie what is an acceptable level of risk for you, and then go for it. 

But what emerging threats are there that you just might have to combat in your daily business life.  These trends highlight the ongoing innovation in both cyber threats and defences, driven by the growing reliance on digital infrastructure and the rapid evolution of technology.

Here are some suggestions and trends in cybersecurity as of late 2024:

1. AI-Powered Cyber Attacks and Defences

Threats:  Cybercriminals are increasingly using AI to launch more sophisticated attacks, such as AI-driven phishing campaigns, automated hacking attempts, and machine learning-based malware that adapts to security measures.  We’re seeing AI powered social engineering, phone calls mimicking voices of managers, and similar.  Like with just about all AI usage, what it does it make things much easier by reducing human effort.  So, attacks can be set up using AI and become almost fire and forget, just letting it get on with it in the background.

Defense: Organisations are countering this with AI-based threat detection systems, anomaly detection, and predictive analytics to identify potential breaches before they occur.  What about your defences?  Are they keeping up with these types of threat.  What about mobile workforces, are your staff covered once they leave the office; do you have a hybrid or even fully remote workforce?  If so, are your defences up to the job? Check out https://hah2.co.uk/

2. Ransomware Evolution

Ransomware continues to be a major threat, but it’s evolving with more advanced encryption techniques, and multi-stage attacks where attackers exfiltrate data before encrypting it. They then threaten to publish the stolen data unless a ransom is paid.  I recently heard of a company that had been infiltrated through its website which was transactional, ie it sold stuff via the website and the website was connected to their database of products and sales order processing system.  The web developer didn’t have sufficiently robust security in place.  A good example of an SME being exploited via their supply chain.

Double extortion and Ransomware-as-a-Service (RaaS) have become more common, where hackers sell ransomware kits to other criminals.

3. Zero Trust Architecture

Zero Trust has moved from a buzzword to a mainstream security model. Organisations are adopting a “never trust, always verify” approach, assuming that every user and device, both inside and outside the network, could be compromised.

Implementing least privilege access, micro-segmentation, and continuous authentication are key features of this approach.  And no, this doesn’t have to be cost prohibitive.

4. Supply Chain Attacks

Attacks targeting third-party vendors and software providers have increased. By compromising trusted suppliers, attackers can infiltrate many organisations through a single breach.

Notable Examples: The SolarWinds and Kaseya attacks were significant instances that highlighted the dangers of such supply chain vulnerabilities.  The attack on the NHS via a contracted service provider, is also a good example but it doesn’t just affect the big organisations.  See above for an example of how an SME was attacked via a third-party web designer.

5. Post-Quantum Cryptography

With quantum computing on the horizon, there’s increasing focus on developing encryption algorithms that can resist quantum attacks. Post-quantum cryptography is becoming a hot topic as organisations prepare for the future of computing.

Even without quantum computing, many organisations do not use encryption, even for their critical data.  If you are subject to a data breach, but that data is encrypted, you could save yourself a lot of money and reputational damage.

6. Cloud Security and Misconfiguration

As cloud adoption accelerates, the security of cloud environments remains a top concern. Misconfigured cloud settings continue to expose sensitive data, while cloud-native security solutions (e.g., CSPM, CWPP) are becoming more prevalent.

Securing multi-cloud environments and addressing shared responsibility models are critical challenges.

7. Cybersecurity for IoT and OT

The Internet of Things (IoT) and Operational Technology (OT) are becoming frequent attack targets. Securing connected devices, industrial systems, and critical infrastructure from cyber threats is a growing concern, especially as they are often lacking in adequate security protocols.

This is becoming more critical as home working becomes more and more popular.  Employees connecting to your company cloud and systems using home broadband and WIFI, are also de fact connecting to any IOT devices that they are using in the home, potentially opening up back doors into your system.

8. Data Privacy Regulations and Compliance

Data privacy is a key focus as more countries introduce stricter regulations like the Data Protection Act 2018, now becoming known as UK GDPR (General Data Protection Regulation). There are other compliances such as FSA regulations and other industry bodies, that many need adherence to.  Data breaches can produce fines from regulatory bodies, law suites from those affected, and quite severe reputational damage.

9. Cybersecurity Automation and SOAR

Automation is becoming critical in cybersecurity due to the sheer volume of threats. Security Orchestration, Automation, and Response (SOAR) tools help streamline incident detection and response, freeing up analysts to focus on complex tasks.

Do you have anything in place to automate your defences?  Do you monitor your systems for threats?

10. Identity and Access Management (IAM)

Identity theft and credential stuffing attacks are rising, making IAM solutions more important than ever. Multi-factor authentication (MFA), password less authentication, and biometrics are seeing widespread adoption to prevent unauthorised access.

Data Breaches and their consequences General Security Issues News Risk Analysis and Security Strategy Security Tools Supply Chain Security Uncategorized

Are we failing in our cyber resilience?

The fallout from the CloudStrike sensor failure, which caused severe outages throughout the globe, is still being felt and will be felt for some time to come.  The emphasis has been on recovery but that will start to change, as we focus more on why it happened, and what can be done to mitigate further failures of this kind.  I’ve said already, in a piece I wrote last week (https://hah2.co.uk/you-can-outsource-your-it-but-you-cant-outsource-your-responsibility/ ), that we appear to be becoming too reliant on our IT providers, particularly managed services, to ensure that we remain safe and our services can continue, and we aren’t looking too hard at ensuring resilience is built into our systems.  It begs the question, is business continuity planning no longer in fashion.

Alexander Rogan of Abatis also wrote a piece that’s worth reading (https://www.linkedin.com/pulse/billions-lost-chaos-lessons-from-crowdstrike-microsoft-rogan-abxde/}.  In his article Alexander emphasises the importance of zero trust architecture and processes.  What this essentially means is that we cannot afford to trust anyone other than ourselves.  Suppliers are there to help and as such they should ensure that their own processes are robust and include thorough pre-production testing, controlled roll outs and good baseline security measures.  Where CrowdStrike falls in this regard, will I’m sure, get thoroughly tested in the not too distant future.

The UK Government is also questioning the resilience of business in the UK to cyber threats (https://amp.theguardian.com/uk-news/article/2024/jul/29/uk-desperately-exposed-to-cyber-threats-and-pandemics-says-minister), and in this case a cyber threat is not necessarily confined to security, it can also mean a crash due to a technical or process failure.

In the cyber security industry, there has long been a running war between those that sell products and those of us concerned more with services.  Having been in the industry for 30 years, I have seen this time and again and the product sales nearly always win.  Why?  Simply because services are a hard sell with a long timeline whereas product sales are easier and quicker to achieve.  Why would that be?  Again, simple, people like to be able to quickly demonstrate a return on investment.  They like to see a product, doing its stuff, even when often, they don’t realise how it’s doing what it’s doing, or if it’s the right product in the right place at the right time.

The risk managed approach is the way to go every time.  That has not changed at all in the 30 years I’ve been plugging away at it.  It’s all about People, Process and then Technology.  I often quote Bruce Schneier, a US scientist on the Harvard Faculty, and a thought leader in this space.  He says, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.  Breaking this down, what he’s getting at is that first and foremost, you must understand the risks that you face and to do that, you have to identify your cyber assets.  By that we don’t mean hardware and even software, what we are talking about is your data and the ability to keep your systems online and accessing what your staff and/or customers need to access, when they need to access it.  Once you identify your assets, you then need to identify the threats to those assets and how vulnerable you are too those threats.  Threat and vulnerability = risk.  And by that we mean the risk to the business if it all goes pear shaped.

Once that’s done, we can then allocate a risk score to each asset with the aim of managing that risk down to an acceptable level, known as the risk appetite.  That will change business to business, even asset to asset.  You wouldn’t for example allocate the same level of risk [to the business], to a revenue earning system, as you would to perhaps a purely admin system that contains no personal data.

This all sounds terribly difficult and expensive, and that’s why many companies simply don’t do it, or maybe they do a subset of it.  But unless you do, then it can be very difficult to know for sure that you are spending your limited budget on the right protections, in the right place.  In the long run, it can save you a lot of money. This same assessment applies equally to the CrowdStrike problem, or for that matter, any other company that you have in your supply chain.  You need to assess what damage they could do to you if they fail, and what you can do to mitigate that damage.  It’s very well and good reaching for the nearest lawyer when it’s all gone to hell, how much better to stop it, or mitigate it, before you get there.

General Security Issues News Security Tools Supply Chain Security

You can outsource your IT, but you can’t outsource your responsibility

It’s hard to look anywhere without seeing reference to the CloudStrike/Microsoft disaster that is still causing issues around the globe.  There is plenty of plaudits for the way that both CloudStrike and Microsoft have handled the fall out and remediation (https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/) but you can’t escape the conclusion that it shouldn’t have happened in the first place.  Something clearly went wrong in the processes either in place, or worse, not in place, to make sure that software releases are thoroughly tested before release.  I also read somewhere that there had been a previous problem with CloudStrike software releases which affected at least 2 versions of Linux, but that this went largely unnoticed.  I suppose the predominance of Windows machines in the marketplace would make it impossible to hide a problem of this magnitude.

All that said, what is clear is that there was nothing that an organisation using this application, could have done themselves to prevent it, neither could most disaster recovery plans have dealt with this successfully.  The remediation has to come from both CloudStrike and Microsoft, which it is. 

I wrote a piece recently which included the difference between disaster recovery and business continuity planning (https://hah2.co.uk/what-are-the-questions-business-owners-ask-when-considering-cyber-security/). Disaster Recovery focuses specifically on restoring IT infrastructure and data after a disaster has occurred, and as already pointed out, in this case that fix has to come from outside the affected organisations and there was very little they could do.

Business Continuity refers to the proactive strategies and plans put in place to ensure that essential business functions can continue in the event of a disruption or disaster. This where organisation can help themselves.  Of course, all we really see on the news is the effects of the crash of systems, it’s what makes good television.  They don’t show organisations that had good business continuity plans in place and could continue to operate, albeit with reduced functionality. 

What struck me, watching it all unfold, was that there were some big organisations that were caught completely on the hop.  We saw airline staff reverting to manual ticketing but the overall impression is that this was being done on the initiative of individuals and onsite managers, it didn’t seem to be part of coherent planning.  Likewise, we saw the same type of issues in the UK NHS and GP surgeries.  If there really was a coherent plan in place, I apologise for suggesting that that wasn’t the case, but it sure didn’t look like it was.  Those 2 examples are the really big ones that hit the news.  There were quite literally hundreds of organisations that were hit and struggled badly.

When I started out in the Cyber Security game, disaster recovery and business continuity planning were absolutely must haves, in fact, as we know, you can’t achieve ISO 2700x certification without it.  These days I see very little emphasis being put on this.  Have we reached a stage of total reliance on technology and tech giants like CloudStrike and Microsoft, so that we have fallen into a complacency, relying on our suppliers to look after us?  If we have, I think that this shows that this is a big mistake.  A great saying is that you can outsource your IT but you can’t outsource your responsibility.

Which leads us neatly onto another point.  Supply chain security.  We talk a lot about making sure our supply chain is as robust as our own systems and that they have good security, and good policies and processes.  But this shows that we need to go further than that.  We just can’t trust that any software installed will work and not cause problems, we need to ask questions about how rigorous their testing is, who signs off on a release, how is released and by whom?  What tests were done before release?  These are perfectly valid questions and any software supplier worth their salt has to have good answers for these questions.  Any of you ever asked?

As a provider of protective monitoring solutions which require a light touch agent to be installed on systems, albeit on a much smaller scale than CloudStrike, this has given considerable pause for thought.  I have already had these discussions with my supply chain and got good answers, but I’m not going to take my foot off the gas and will keep asking before agent upgrades, which admittedly, don’t happen often.  But there will be a certain nervousness in the future when it does happen.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Security Tools

How Can We See a Return on Investment from our Cyber Security Spend?

How are businesses improved through good cyber security?  It’s a question just about every customer, or prospective customer, of ours asks themselves.  They need to see a return on investment, after all, if you don’t see anything tangible for your money, you’re unlikely to keep going down that road.

When my business partner and I set up H2 after we returned from the Middle East where we’d been working for the HP division that was busy merging itself with CSC (been there done that, didn’t fancy returning to it), the whole question of how we could offer something that gave that return on investment, occupied much of our thinking.  What services could we offer at a price that businesses were prepared to pay, and what tangible benefits could we offer?

At first, we were purely a services company, proudly product agnostic, recommending the right products for the right solutions for the right customer.  Not at all altruistic, but rather we felt that was the right thing to do be doing.  Like many people we didn’t see COVID coming around the corner like a freight train.  The pandemic didn’t just change how we would be delivering our services, it changed the whole market, it changed working practices, which are still evolving.  That meant that we had to change or die.  A stark choice but not one that could be avoided or put off.  Like many businesses we had to reengineer the business from the ground up whilst still providing services that customers wanted and could see a need for.

An interesting google search is finding out what businesses are researching online.  I was quite surprised to find that the question ‘what is a cyber-attack?’, is the most searched phrase, by a long shot.  This suggests that many are still confused as to what a cyber-attack actually is.  Breaking that down, its probably not all that surprising because of all the various types of cyber-attack that are constantly being rammed down peoples’ throats and I think the cyber security industry needs to take responsibility for that.  There’s a big difference between education and propaganda.  FUD (fear, uncertainty and doubt) is a common method used by many to sell security.  Personally, I’m not in favour of doing that.  I like to educate, not scare.

Other subjects being searched for are ransomware, phishing, spoofing, cyber threats, insider threats and cyber awareness (there are more but they’re a long way down the list).

What people want to know hasn’t changed all that much, neither has the types of threats.  What has changed is how those threats present themselves, how the methodologies have changed in order to match new technologies and working practices, particularly the move to remote or home working and the additional threats that this poses.  AI is making a big impact already and that impact is going to get bigger as time goes on.  Email spoofing for example, that is faking an email purporting to come someone legitimate in order to get someone to take some action that is in some way fraudulent, is now being done over the phone with AI being used to fake someones voice.  It’s a scary development and there are now several well reported instances of this happening in the US.  If it’s happening there, it’s only a matter of time for it to happen in the UK and across Europe.

One of the first services we offered was the Cyber Maturity Assessment and our very first client took that service.  Our brief was to examine their Cyber Security and Data Protection posture, including policies, processes and technical configuration and controls. They were pleased that our assessment was very comprehensive in discovering the threats and vulnerabilities to their systems and that we described them in terms of business risk.  We developed comprehensive policies and processes that were all encompassing and designed to fit in with the style and presentation of their employee handbook.  All good but it required us to attend their site for a couple of days which was, at one time, normal and acceptable but in terms of the ‘new normal’, not so much.

Whilst we still offer that service, remote services are much more popular and much more in keeping with how businesses are now operating.  It doesn’t much matter where their staff are working, home, office or on the move.  What matters is that their protections are maintained regardless.

As we developed our new offerings we researched and came up with solutions that do just that.  We adopted Software as a Service (SaaS) and found some very innovative solutions that we can use to provide a managed security service to our clients at a very affordable price. 

Returning to our first paragraph, how do we show a return on investment?  Using our SaaS platform, we offer a 14 day free trial during which we can show a client where they currently stand and then carry out some quick remediations to show how that can be improved, so that the client can see the value of what they are going to get, using their own data.  It works and I commend it to you.

Check it out – https://hah2.co.uk/

General Security Issues News Ransomware, Phishing and other Malware Security Tools

KASPERSKY BANNED IN THE US

The US has announced plans to ban the sale of antivirus software made by Russian firm Kaspersky due to its alleged links to the Kremlin (source article https://www.bbc.co.uk/news/articles/ceqq7663wd2o).  This shouldn’t have come as a great shock.  In 2017 the Department of Homeland Security banned the anti-virus product from federal networks, and it has long been a target for US regulators.

There have always been some rather vague clouds over Kaspersky.  I well remember going back to 2010//11, working on a major UK Government sensitive project where we had one guy pushing Kaspersky hard, really fighting its corner but it soon became clear that the customer wasn’t going to use it under any circumstances.  But why?  Kaspersky has always scored very high, in fact near perfect scores, when tested independently by AV-TEST, the most trusted source for independent testing. 

Well, it’s all about the problem that it’s Russian owned and to provide a transliteration from Russian, Laboratoriya Kasperskogo.  In the UK it’s operated by a holding company.  Nonetheless the code comes from Russia and that’s going to have a very real impact on the US, especially given it’s almost total breakdown of relations and the ongoing Ukraine conflict.  Only the US Dept of Homeland Security knows whether this is a very real threat to western company’s using this suite of products, or if there’s a political element to it.  Either way, it’s going to damage Kaspersky, totally decimating its sales in the US.

The big question here in the UK, and across Europe and many Asian countries, is, is it safe to use?  In the UK, the British Standards Institute (BSI) has found no evidence of current problems with Kaspersky products.  However, it went on to recommend that its anti-virus products be replaced with alternatives.  Talk about sitting on the fence and damning with faint praise! 

On 29 March the UK’s National Cyber Security Centre (NCSC)  issued refreshed guidance on UK organisations’ use of technology originating from Russian companies, saying it is not at this time necessary, or necessarily wise, to discontinue use of products such as Kaspersky antivirus (AV) products.  That guidance is now nearly 3 months old, and it remains to be seen if it gets updated following the US action.

The judgement that companies will need to make is, whether renewing or looking to replace a current vendor, do we take a risk on Kaspersky?  Having been in this industry for many years, I know that there are lovers out there, of specific products and/or vendors, who will make this a hill to die on, but there are others who will adopt a much more cautious approach.  I don’t expect to see organisations rushing to ditch Kaspersky but I think their sales people, and their resellers, will find new sales and renewals, a real challenge.

Of course I can’t let this pass without a pitch.  So, if you want to take what I say as being tainted by the fact that I re-sell another product, then guilty m’lud, and I’ll take that on the chin.  The product we sell is one that is in heavy use by the US Department of Defense, as well as industries akin, including the nuclear industry.  It’s been pen tested to death and proof can be shown.  It has a unique approach in that it simply stops unauthorised programs from running.  But how?  Data is stored either as non-runnable info data or runnable application programs. Malware is a type of runnable program with undesirable behaviours.  The system uses what is called a Hard Disk Firewall (HDF).  HDF prevents malware infection, stopping malware program files from being stored and run on a computer.  Simply put it takes about a 30 day period to examine your network and end points, identifying what executables are being run and then, working with you, we decide which of those should be whitelisted to ensure your business isn’t impacted in any way, and anything not on the whitelist is blocked from running.  If you want to know more you can contact us on the links below.

Cyber Awareness Training General Security Issues Risk Analysis and Security Strategy Security Tools

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target and there are a ton of statistics available which shows that SMEs globally are a very real target for cyber-attacks and can in fact, be very profitable for cyber criminals.  There are a lot of reasons for that but one of the top reasons is that typically, SMEs spend very little on cyber defence and generally have very weak defences.  Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault.  Most are focused on their core business, trying make a quid or two and are pressed for time.  They tend to rely on whatever company, usually local, that supplied their network, hardware and software, generally on a retainer.  The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then, not necessarily the right technology.

Secure by default and design

Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to the cloud of some sort, very possibly for SMEs, MS365, but when the design was done, there wasn’t a full risk assessment undertaken which is a requirement to underpin that design.  In other words what we in the cyber security industry refer to as Security Architecture Design (SAD), wasn’t a prominent consideration.

No unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else.  And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

7. Collaboration with external partners: Establishing a partnership with cyber security company that understands the issues that affect SMEs and who themselves can establish a solid working relationship with the IT provider that is providing and administering your network and IT resources, will enhance your protections, significantly improve your employee and managerial awareness of the issues, and provide you with the peace of mind you need, allowing you to concentrate on your core business.

Cyber Awareness Training General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Security Tools

Is Cyber Security making the grade for Small to Medium Enterprises?

I’ve touched on this subject several times in the past but was encouraged to revisit it after reading a book by Jean-Christophe Gaillard entitled The Cyber Security Spiral of Failure.  A provocative title and of course, the subject matter was aimed at the corporate sector.  But my view is the difference between the 2 sectors, in terms of solutions is often one of scale, with corporations being more complex and faced with many problems that the SME sector doesn’t.  They do however have the same threats and consequences of failure, as each other.

The author argues that for a couple of decades now, many organisations have been trapped in this spiral of failure, driven by endemic business short termism and the box-ticking culture of many executives in regard to compliance.  This really does resonate in the SME world with short termism often driven by financial necessity and especially during and since COVID, where survival was paramount, often requiring day to day management.  Of course, no SME owner or manager likes that and would love to have a solid and well-funded plan going forward, if only! 

Successful transformation takes time and often requires changing the culture of the organisation, and this at a time when many owners are struggling with the emerging business practices of a more distributed work force, following the pandemic.  Coming up with any transformative planning around IT naturally comes below that required for the business in general.  Bottom line is often that if it isn’t our core business, it can wait.  Even though of course, there are very few businesses that can continue to operate efficiently without their IT systems.

Which brings us to compliance.  For most SMEs compliance often means data protection, although there are the financial services regulations, and many do have industry standards governing IT and data, that they must comply with.  This often means that owners and managers undertake quick wins using box-ticking measures which often come a cropper sooner or later.

The book quotes from the BT Security survey released in January 2022.  One aspect which I fully agree with is the emphasis on getting security basics right and the importance of awareness development amongst employees.  Getting this right and training our employees are essential pillars of any cyber security practice, so as the book says, the question remains, why are we still banging on about it? – and everyone who reads my stuff knows I do that a lot.

There are a lot of traditional good security practices which have been pushed and re-emphasised time and time again.  Patch management, access management, anti-virus/malware, firewalls etc, and from my time working in the corporate space, I know that large enterprises have spent millions on traditional areas of cyber security over the last 2 decades.

But are we really still stuck there, entrenched in traditional thinking when our working practices are changing, technology is changing, compliance requirements are changing?

SME management is often completely left behind by these changes.  They have enough problems just keeping their businesses afloat and trying to grow, they don’t have enough time or resource to keep abreast of these many and varied issues.  Let’s face it, if corporate management is struggling with this changing landscape given their resources, what hope for the SME.

More than half (54%) of SMEs in the UK had experienced some form of cyber-attack in 2022 (stats for 2023 are starting to trickle through), up from 39% in 2020 (Vodafone Study, 2022).  As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

So, what does he mean?  As he’s not here to ask I suggest that he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

But now we have the ‘new normal’ with many businesses enjoying the financial bonus of having a smaller office footprint whilst many people work remotely, bringing with it an increase in security problems.  Earlier we mentioned traditional security solutions that have been around for a long time, most of which pre-date the pandemic and were based on the old bastion security methodology ie a network perimeter, protected with traditional solutions.  But that bastion model no longer exists in many places, or if it does, it only protects half the workforce in the office, whilst the other half work remotely.  What is needed is new solutions that protect your staff wherever they might be working from.

Luckily for you, we have such a solution.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Protecting Your Business from Cyber Attacks – Part 2 – Plus some info on a Ransomware Attack

efore I begin I thought it would be appropriate first, to discuss an issue that has cropped up in the news, which I believe is extremely pertinent to SMEs, because many use MS365 and Azure in part or in whole, for storing their data and as part of their access controls.  Many IT companies that service SMEs, will claim that Azure provides excellent protections, and that it’s enough on its own.  Now, I’m not here to denigrate Microsoft, heaven forefend, but it would be remiss of me not to point out a recent breach, which might well be a state backed attack, but nonethess has created what is known as an Advanced Persistent Threat (APT), known as Storm-0558 breach.

This breach has allowed China-linked APT actors to potentially have single-hop access to the gamut of Microsoft cloud services and apps, including SharePoint, Teams, and OneDrive, among many others.  It is estimated that the breach could have given access to emails within at least 25 US government agencies and could be much further reaching and impactful than anyone anticipated, potentially placing a much broader swathe of Microsoft cloud services at risk than previously thought.

A lack of authentication logging at many organizations means that the full scope of actual compromise stemming from the situation will take weeks, if not months, to determine.  This of course raises issues with authentication even amongst large enterprises and government departments.  SMEs are far more reliant on such technologies and are subsequently far more at risk.

This breach was caused by a stolen Microsoft account key which allowed the bad guys to forge authentication tokens to masquerade as authorised Azure AD users, and therefore obtaining access to Microsoft 365 enterprise email accounts and the potentially sensitive information contained within.  However, it gets worse, as it turns out that the swiped MSA key could have allowed the threat actor to also forge access tokens for “multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams and One Drive.

It should be noted that Microsoft took swift action and revoked the stolen key, however despite this some Azure AD customers could potentially still be sitting ducks, given that Storm-0558 could have leveraged its access to establish persistence by issuing itself application-specific access keys, or setting up backdoors.  Further, any applications that retained copies of the Azure AD public keys prior to the revocation, and applications that rely on local certificate stores or cached keys that may not have updated, remain susceptible to token forgery.

OK, now back to the original subject.  Steps 6 to 10 in my suggested top ten list.

  1. What steps should I take to protect my business from ransomware attacks? A very good question with a multi thread answer.
  • Keep Software Updated. Regularly update your operating system, applications, and antivirus software to ensure you have the latest security patches.
  • Use Strong Passwords. Use unique and complex passwords for all your accounts and consider using a password manager to keep track of them securely.
  • Enable Two-Factor Authentication (2FA).  Add an extra layer of security by enabling 2FA whenever possible, as it helps prevent unauthorized access to your accounts.
  • Be Cautious with Email. Avoid opening attachments or clicking on links from unknown or suspicious senders. Be wary of phishing attempts.
  • Backup Your Data.  Regularly back up your important files and data to an external hard drive or a secure cloud service. This way, even if you fall victim to ransomware, you can restore your files without paying the ransom.
  • Use Reliable Security Software. Install reputable antivirus and anti-malware software to help detect and block ransomware threats.
  • Educate Yourself and Others. Stay informed about the latest ransomware threats and educate your family or colleagues about the risks and preventive measures.
  • Secure Network Connections. Use a firewall and be cautious when connecting to public Wi-Fi networks.
  • Limit User Privileges. Restrict user access privileges on your devices, granting administrative rights only when necessary.
  • Monitor for Suspicious Activity. Regularly monitor your devices and network for any unusual or suspicious activity that might indicate a potential ransomware attack.
  1. What can I do to ensure that my data is backed up in case of a cyber-attack? This is straight forward and highlights a problem whereby many SMEs think that if their data is on a cloud service, they don’t need to back it up.    You need a backup routine that separates your backed up data, from your data storage.  What I mean by that, is that if an attacker, or a piece of malware, can jump from one system to another, then having a live connection to your back up defeats the object, but it’s surprising how many people do this.  So, there are a number of methods.  The first is the good old fashioned tape backup.  Becoming less and less used nowadays but still very effective.  Another is that several cloud providers also provide a backup solution that disconnects once the backup has been done and will allow you to go back to a ‘clean’ backup if the current one has been compromised.  Check this out, but do back up your data, don’t be convinced that you don’t need to, you do.
  1. What cyber security measures should I put in place to protect my business from external threats? To protect against external cyber threats, you should consider implementing the following cybersecurity measures:
  • Strong Passwords: Encourage employees to use complex passwords and enable multi-factor authentication wherever possible.
  • Regular Updates: Keep all software, operating systems, and applications up to date to patch known vulnerabilities.
  • Firewall: Set up and maintain a firewall to control incoming and outgoing network traffic.
  • Antivirus Software: Install reputable antivirus software to detect and remove malware.
  • Employee Training: Educate your staff about cybersecurity best practices and potential threats, such as phishing and social engineering.
  • Data Encryption: Encrypt sensitive data to prevent unauthorized access if it gets intercepted.
  • Access Control: Implement role-based access control to limit users’ access to only the data and systems they need.
  • Regular Backups: Regularly backup your important data and keep the backups in a secure location.
  • Network Monitoring: Use intrusion detection and prevention systems to monitor network activity for suspicious behaviour.
  • Incident Response Plan: Develop a comprehensive incident response plan to handle cybersecurity incidents effectively.
  • Vendor Security: Ensure third-party vendors and partners also have strong security measures in place, especially if they have access to your data.
  • Physical Security: Protect physical access to servers and sensitive equipment.
  1. How can I stay up to date with the latest cyber security threats and best practices? There is a number of things you can do but a lot depends on how much time you have available to devote to this.  Probably not much and you may wish to consider having an advisor on tap, and surprise, we provide such an advisor.  But pointers that might want to consider include:
  • Subscribe to reputable cyber security news sources and blogs, like this one!
  • Attend cyber security webinars.
  • Follow cyber security experts on social media.
  • Sign up for security alerts: Many organizations and government agencies offer email alerts for the latest cyber threats.
  • Participate in cyber security training. I can’t emphasise enough the value of cyber awareness training for your staff.
  • Read official reports and advisories: Stay informed about security bulletins and advisories released by software vendors and security organizations.
  • Practice good cyber hygiene: Implement strong passwords, use multi-factor authentication, keep your software up to date, and regularly backup your data.
  1. What steps should I take to ensure my business is compliant with relevant regulations and industry standards?

This is going to depend on several factors, such as the business you are in.  Many organisations must adhere to a variety of standards within their area of business and of course, many use a variety of International Standards such as ISO9000 series.  On top of this there are legal frameworks that you also must adhere to, amongst those are UK GDPR and financial services regulations.  Not an exhaustive list.  It can be a minefield.

It is somewhat surprising to me, that many SMEs that I visit don’t know what data is subject to these regulations and what isn’t, and where that data is actually stored, how it is processed and protected.  They will argue that they do know most of this, at least at a high level, but that they outsource to their local IT provider.  That won’t help you if a regulator comes after you.  You can outsource your IT, but not your responsibility.  Take advice, get guidance, there are some great protections and audit tools out there which don’t have to cost a fortune.  Check them out.

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Protecting your business from cyber attacks – Part 1

Protecting your business from cyber attacks and scams is a challenge, and I get it, it can be expensive, especially when the most effective solutions are aimed at enterprise businesses with big budgets that SMEs simply can’t match. And that of course, is why they are so tempting to the cyber criminal. Cybersecurity is an ongoing effort. It’s important, no matter how difficult you may think it is, to stay informed about the latest threats and continuously adapt your security measures to address emerging risks. SMEs and local IT company’s simple can’t afford professional cyber security advice and skills, so consider consulting with cybersecurity professionals for additional guidance tailored to your specific business needs.

There are a number of protections that you need to consider.  I’ve picked the top 5, at least in my opinion, but that’s far from exhaustive.

  1. What are the best practices for keeping my business secure from cyber threats? A sound strategy is a mixture of process, procedure and technical controls, coupled with sound security awareness training.  Here are some of the highlights:
  • Strong Passwords: Enforce the use of complex, unique passwords for all accounts, and consider implementing multi-factor authentication (MFA) for an extra layer of security.
  • Regular Updates: Keep all software, operating systems, and applications up to date with the latest patches and security updates to address known vulnerabilities.
  • Employee Education: Train employees on cybersecurity awareness, including recognising phishing attempts, social engineering, and safe browsing habits. Regularly remind them about the importance of maintaining security practices.
  • Network Security: Use firewalls, intrusion detection and prevention systems, and virtual private networks (VPNs) to safeguard your network against unauthorised access.
  • Data Encryption: Encrypt sensitive data both in transit and at rest. This helps protect data if it is intercepted or stolen.
  • Backup and Recovery: Regularly back up critical data and test the restoration process. This ensures that important information can be recovered in the event of a cyber incident.
  • Access Controls: Implement a least privilege approach, granting employees access only to the resources they need for their job roles. Regularly review and revoke access for former employees or those who no longer require it.
  • Incident Response Plan: Develop an incident response plan that outlines the steps to be taken in case of a cybersecurity incident. This helps minimize damage and facilitates a swift recovery.
  • Vendor Management: Assess the security practices of third-party vendors and partners to ensure they meet your standards. Establish clear security requirements and monitor compliance.
  • Periodic security assessments, remember nothing stays the same and new vulnerabilities and threats emerge all the time.
  1. How can I protect my business from phishing, malware, and other online attacks?
  • Employee Education: Train your employees to recognise and avoid phishing attempts. Teach them how to identify suspicious emails, links, and attachments. Encourage them to report any suspicious activity promptly.
  • Strong Passwords: Enforce the use of strong, unique passwords for all business accounts. Consider implementing two-factor authentication (2FA) for an extra layer of security.
  • Regular Updates and Patches: Keep all software and operating systems up to date with the latest security patches. Regularly update antivirus and anti-malware software as well.
  • Secure Network: Implement robust network security measures, including firewalls, intrusion detection systems, and secure Wi-Fi networks. Regularly monitor and audit network activity for any anomalies.
  • Email Protection: Deploy email filters and spam blockers to prevent malicious emails from reaching employees’ inboxes. Consider using email authentication protocols such as SPF, DKIM, and DMARC.
  • Web Browsing Security: Advise employees to exercise caution when visiting websites, especially those with suspicious or unknown origins. Encourage the use of secure browsing practices, such as avoiding clicking on unfamiliar links.
  • Data Backups: Regularly back up all critical business data to secure, off-site locations. This ensures that even if malware or ransomware attacks occur, you can restore your data without paying a ransom.
  • Incident Response Plan: Develop a comprehensive incident response plan outlining the steps to be taken in case of a security breach. This plan should include communication protocols, containment measures, and recovery procedures.
  • Ongoing Security Awareness: Maintain a culture of security awareness within your organisation. Regularly remind employees about the importance of staying vigilant and following security best practices.
  1. What type of cyber security training should I provide for my employees? It’s important to cover several key topics.  Here are some suggestions:
  • Phishing Awareness: Teach employees how to recognise and report phishing emails, suspicious links, and potential scams.
  • Password Security: Educate employees on creating strong passwords, using password managers, and avoiding password reuse.
  • Social Engineering: Raise awareness about social engineering techniques, such as pretexting and tailgating, and provide guidelines for handling suspicious requests.
  • Data Protection: Train employees on handling sensitive data, including proper data classification, encryption, and secure file transfer methods.
  • Malware Defence: Teach employees about malware threats, safe browsing habits, and the importance of keeping their devices and software up to date.
  • Mobile Security: Highlight best practices for securing mobile devices, such as using secure Wi-Fi networks, enabling device encryption, and being cautious about downloading apps.
  • Incident Reporting: Establish clear procedures for reporting security incidents, so employees know how to promptly and effectively respond to potential breaches.
  • Remote Work Security: Provide guidelines on securing home networks, using VPNs, and maintaining the security of devices when working remotely.
  • Physical Security: Emphasise the importance of physical security measures, such as locking screens, securing work areas, and preventing unauthorized access to sensitive areas.
  • Ongoing Training and Updates: Keep employees informed about emerging threats, new attack techniques, and evolving security practices through regular training sessions, newsletters, or online resources.

Remember to tailor the training to your organisation’s specific needs and provide practical examples to reinforce the concepts. Training should reflect the policies and processes that you have put in place.  Additionally, consider conducting periodic security assessments and simulations to test employees’ knowledge and readiness.

  1. How can I secure my customer data, and what regulations and best practices should I follow?

To a large extent, this is going to depend on what regulations and requirements the industry that you work in, require of you.  However, there are some things that remain common.  For instance, UK GDPR, the Computer Misuse Act, Financial regulations requiring you to maintain records for 7 years, which, for some industries (financial services, legal etc), can require a considerable effort.  One of the first requirements will be finding out where all your data actually is.  I know many will say well, I know where it is, it’s on my cloud and/or network storage.  But is it?  How many records containing personal identifiable information (PII), has been copied from one directory to another, usually for sound working reasons, or perhaps attached to email and not removed thus leaving a copy of it residing on your email server, etc.  Once you know where it is, then you can start to assess the risk.

  1. How can I quickly and effectively respond to a cyber security incident?

This is a procedural issue.  Do you have a sound incident response plan, which ideally is linked to a business continuity plan?  Are these the same thing?  An incident response plan is just what it says, it’s how you respond and technically recover from a security incident.  Whilst business continuity is about how you continue to work and service your customers whilst recovering from the incident.  Deeply related but not the same thing.

Next week I’ll take a look at the next 5 steps on my list, which are:

  1. What steps should I take to protect my business from ransomware attacks?
  1. What can I do to ensure that my data is backed up in case of a cyber attack?
  1. What cyber security measures should I put in place to protect my business from external threats?
  1. How can I stay up-to-date with the latest cyber security threats and best practices?
  1. What steps should I take to ensure my business is compliant with relevant regulations and industry standards?

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

Scroll to top