Security Tools

General Security Issues News Security Tools Supply Chain Security

You can outsource your IT, but you can’t outsource your responsibility

It’s hard to look anywhere without seeing reference to the CloudStrike/Microsoft disaster that is still causing issues around the globe.  There is plenty of plaudits for the way that both CloudStrike and Microsoft have handled the fall out and remediation (https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/) but you can’t escape the conclusion that it shouldn’t have happened in the first place.  Something clearly went wrong in the processes either in place, or worse, not in place, to make sure that software releases are thoroughly tested before release.  I also read somewhere that there had been a previous problem with CloudStrike software releases which affected at least 2 versions of Linux, but that this went largely unnoticed.  I suppose the predominance of Windows machines in the marketplace would make it impossible to hide a problem of this magnitude.

All that said, what is clear is that there was nothing that an organisation using this application, could have done themselves to prevent it, neither could most disaster recovery plans have dealt with this successfully.  The remediation has to come from both CloudStrike and Microsoft, which it is. 

I wrote a piece recently which included the difference between disaster recovery and business continuity planning (https://hah2.co.uk/what-are-the-questions-business-owners-ask-when-considering-cyber-security/). Disaster Recovery focuses specifically on restoring IT infrastructure and data after a disaster has occurred, and as already pointed out, in this case that fix has to come from outside the affected organisations and there was very little they could do.

Business Continuity refers to the proactive strategies and plans put in place to ensure that essential business functions can continue in the event of a disruption or disaster. This where organisation can help themselves.  Of course, all we really see on the news is the effects of the crash of systems, it’s what makes good television.  They don’t show organisations that had good business continuity plans in place and could continue to operate, albeit with reduced functionality. 

What struck me, watching it all unfold, was that there were some big organisations that were caught completely on the hop.  We saw airline staff reverting to manual ticketing but the overall impression is that this was being done on the initiative of individuals and onsite managers, it didn’t seem to be part of coherent planning.  Likewise, we saw the same type of issues in the UK NHS and GP surgeries.  If there really was a coherent plan in place, I apologise for suggesting that that wasn’t the case, but it sure didn’t look like it was.  Those 2 examples are the really big ones that hit the news.  There were quite literally hundreds of organisations that were hit and struggled badly.

When I started out in the Cyber Security game, disaster recovery and business continuity planning were absolutely must haves, in fact, as we know, you can’t achieve ISO 2700x certification without it.  These days I see very little emphasis being put on this.  Have we reached a stage of total reliance on technology and tech giants like CloudStrike and Microsoft, so that we have fallen into a complacency, relying on our suppliers to look after us?  If we have, I think that this shows that this is a big mistake.  A great saying is that you can outsource your IT but you can’t outsource your responsibility.

Which leads us neatly onto another point.  Supply chain security.  We talk a lot about making sure our supply chain is as robust as our own systems and that they have good security, and good policies and processes.  But this shows that we need to go further than that.  We just can’t trust that any software installed will work and not cause problems, we need to ask questions about how rigorous their testing is, who signs off on a release, how is released and by whom?  What tests were done before release?  These are perfectly valid questions and any software supplier worth their salt has to have good answers for these questions.  Any of you ever asked?

As a provider of protective monitoring solutions which require a light touch agent to be installed on systems, albeit on a much smaller scale than CloudStrike, this has given considerable pause for thought.  I have already had these discussions with my supply chain and got good answers, but I’m not going to take my foot off the gas and will keep asking before agent upgrades, which admittedly, don’t happen often.  But there will be a certain nervousness in the future when it does happen.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Security Tools

How Can We See a Return on Investment from our Cyber Security Spend?

How are businesses improved through good cyber security?  It’s a question just about every customer, or prospective customer, of ours asks themselves.  They need to see a return on investment, after all, if you don’t see anything tangible for your money, you’re unlikely to keep going down that road.

When my business partner and I set up H2 after we returned from the Middle East where we’d been working for the HP division that was busy merging itself with CSC (been there done that, didn’t fancy returning to it), the whole question of how we could offer something that gave that return on investment, occupied much of our thinking.  What services could we offer at a price that businesses were prepared to pay, and what tangible benefits could we offer?

At first, we were purely a services company, proudly product agnostic, recommending the right products for the right solutions for the right customer.  Not at all altruistic, but rather we felt that was the right thing to do be doing.  Like many people we didn’t see COVID coming around the corner like a freight train.  The pandemic didn’t just change how we would be delivering our services, it changed the whole market, it changed working practices, which are still evolving.  That meant that we had to change or die.  A stark choice but not one that could be avoided or put off.  Like many businesses we had to reengineer the business from the ground up whilst still providing services that customers wanted and could see a need for.

An interesting google search is finding out what businesses are researching online.  I was quite surprised to find that the question ‘what is a cyber-attack?’, is the most searched phrase, by a long shot.  This suggests that many are still confused as to what a cyber-attack actually is.  Breaking that down, its probably not all that surprising because of all the various types of cyber-attack that are constantly being rammed down peoples’ throats and I think the cyber security industry needs to take responsibility for that.  There’s a big difference between education and propaganda.  FUD (fear, uncertainty and doubt) is a common method used by many to sell security.  Personally, I’m not in favour of doing that.  I like to educate, not scare.

Other subjects being searched for are ransomware, phishing, spoofing, cyber threats, insider threats and cyber awareness (there are more but they’re a long way down the list).

What people want to know hasn’t changed all that much, neither has the types of threats.  What has changed is how those threats present themselves, how the methodologies have changed in order to match new technologies and working practices, particularly the move to remote or home working and the additional threats that this poses.  AI is making a big impact already and that impact is going to get bigger as time goes on.  Email spoofing for example, that is faking an email purporting to come someone legitimate in order to get someone to take some action that is in some way fraudulent, is now being done over the phone with AI being used to fake someones voice.  It’s a scary development and there are now several well reported instances of this happening in the US.  If it’s happening there, it’s only a matter of time for it to happen in the UK and across Europe.

One of the first services we offered was the Cyber Maturity Assessment and our very first client took that service.  Our brief was to examine their Cyber Security and Data Protection posture, including policies, processes and technical configuration and controls. They were pleased that our assessment was very comprehensive in discovering the threats and vulnerabilities to their systems and that we described them in terms of business risk.  We developed comprehensive policies and processes that were all encompassing and designed to fit in with the style and presentation of their employee handbook.  All good but it required us to attend their site for a couple of days which was, at one time, normal and acceptable but in terms of the ‘new normal’, not so much.

Whilst we still offer that service, remote services are much more popular and much more in keeping with how businesses are now operating.  It doesn’t much matter where their staff are working, home, office or on the move.  What matters is that their protections are maintained regardless.

As we developed our new offerings we researched and came up with solutions that do just that.  We adopted Software as a Service (SaaS) and found some very innovative solutions that we can use to provide a managed security service to our clients at a very affordable price. 

Returning to our first paragraph, how do we show a return on investment?  Using our SaaS platform, we offer a 14 day free trial during which we can show a client where they currently stand and then carry out some quick remediations to show how that can be improved, so that the client can see the value of what they are going to get, using their own data.  It works and I commend it to you.

Check it out – https://hah2.co.uk/

General Security Issues News Ransomware, Phishing and other Malware Security Tools

KASPERSKY BANNED IN THE US

The US has announced plans to ban the sale of antivirus software made by Russian firm Kaspersky due to its alleged links to the Kremlin (source article https://www.bbc.co.uk/news/articles/ceqq7663wd2o).  This shouldn’t have come as a great shock.  In 2017 the Department of Homeland Security banned the anti-virus product from federal networks, and it has long been a target for US regulators.

There have always been some rather vague clouds over Kaspersky.  I well remember going back to 2010//11, working on a major UK Government sensitive project where we had one guy pushing Kaspersky hard, really fighting its corner but it soon became clear that the customer wasn’t going to use it under any circumstances.  But why?  Kaspersky has always scored very high, in fact near perfect scores, when tested independently by AV-TEST, the most trusted source for independent testing. 

Well, it’s all about the problem that it’s Russian owned and to provide a transliteration from Russian, Laboratoriya Kasperskogo.  In the UK it’s operated by a holding company.  Nonetheless the code comes from Russia and that’s going to have a very real impact on the US, especially given it’s almost total breakdown of relations and the ongoing Ukraine conflict.  Only the US Dept of Homeland Security knows whether this is a very real threat to western company’s using this suite of products, or if there’s a political element to it.  Either way, it’s going to damage Kaspersky, totally decimating its sales in the US.

The big question here in the UK, and across Europe and many Asian countries, is, is it safe to use?  In the UK, the British Standards Institute (BSI) has found no evidence of current problems with Kaspersky products.  However, it went on to recommend that its anti-virus products be replaced with alternatives.  Talk about sitting on the fence and damning with faint praise! 

On 29 March the UK’s National Cyber Security Centre (NCSC)  issued refreshed guidance on UK organisations’ use of technology originating from Russian companies, saying it is not at this time necessary, or necessarily wise, to discontinue use of products such as Kaspersky antivirus (AV) products.  That guidance is now nearly 3 months old, and it remains to be seen if it gets updated following the US action.

The judgement that companies will need to make is, whether renewing or looking to replace a current vendor, do we take a risk on Kaspersky?  Having been in this industry for many years, I know that there are lovers out there, of specific products and/or vendors, who will make this a hill to die on, but there are others who will adopt a much more cautious approach.  I don’t expect to see organisations rushing to ditch Kaspersky but I think their sales people, and their resellers, will find new sales and renewals, a real challenge.

Of course I can’t let this pass without a pitch.  So, if you want to take what I say as being tainted by the fact that I re-sell another product, then guilty m’lud, and I’ll take that on the chin.  The product we sell is one that is in heavy use by the US Department of Defense, as well as industries akin, including the nuclear industry.  It’s been pen tested to death and proof can be shown.  It has a unique approach in that it simply stops unauthorised programs from running.  But how?  Data is stored either as non-runnable info data or runnable application programs. Malware is a type of runnable program with undesirable behaviours.  The system uses what is called a Hard Disk Firewall (HDF).  HDF prevents malware infection, stopping malware program files from being stored and run on a computer.  Simply put it takes about a 30 day period to examine your network and end points, identifying what executables are being run and then, working with you, we decide which of those should be whitelisted to ensure your business isn’t impacted in any way, and anything not on the whitelist is blocked from running.  If you want to know more you can contact us on the links below.

Cyber Awareness Training General Security Issues Risk Analysis and Security Strategy Security Tools

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target and there are a ton of statistics available which shows that SMEs globally are a very real target for cyber-attacks and can in fact, be very profitable for cyber criminals.  There are a lot of reasons for that but one of the top reasons is that typically, SMEs spend very little on cyber defence and generally have very weak defences.  Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault.  Most are focused on their core business, trying make a quid or two and are pressed for time.  They tend to rely on whatever company, usually local, that supplied their network, hardware and software, generally on a retainer.  The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then, not necessarily the right technology.

Secure by default and design

Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to the cloud of some sort, very possibly for SMEs, MS365, but when the design was done, there wasn’t a full risk assessment undertaken which is a requirement to underpin that design.  In other words what we in the cyber security industry refer to as Security Architecture Design (SAD), wasn’t a prominent consideration.

No unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else.  And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

7. Collaboration with external partners: Establishing a partnership with cyber security company that understands the issues that affect SMEs and who themselves can establish a solid working relationship with the IT provider that is providing and administering your network and IT resources, will enhance your protections, significantly improve your employee and managerial awareness of the issues, and provide you with the peace of mind you need, allowing you to concentrate on your core business.

Cyber Awareness Training General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Security Tools

Is Cyber Security making the grade for Small to Medium Enterprises?

I’ve touched on this subject several times in the past but was encouraged to revisit it after reading a book by Jean-Christophe Gaillard entitled The Cyber Security Spiral of Failure.  A provocative title and of course, the subject matter was aimed at the corporate sector.  But my view is the difference between the 2 sectors, in terms of solutions is often one of scale, with corporations being more complex and faced with many problems that the SME sector doesn’t.  They do however have the same threats and consequences of failure, as each other.

The author argues that for a couple of decades now, many organisations have been trapped in this spiral of failure, driven by endemic business short termism and the box-ticking culture of many executives in regard to compliance.  This really does resonate in the SME world with short termism often driven by financial necessity and especially during and since COVID, where survival was paramount, often requiring day to day management.  Of course, no SME owner or manager likes that and would love to have a solid and well-funded plan going forward, if only! 

Successful transformation takes time and often requires changing the culture of the organisation, and this at a time when many owners are struggling with the emerging business practices of a more distributed work force, following the pandemic.  Coming up with any transformative planning around IT naturally comes below that required for the business in general.  Bottom line is often that if it isn’t our core business, it can wait.  Even though of course, there are very few businesses that can continue to operate efficiently without their IT systems.

Which brings us to compliance.  For most SMEs compliance often means data protection, although there are the financial services regulations, and many do have industry standards governing IT and data, that they must comply with.  This often means that owners and managers undertake quick wins using box-ticking measures which often come a cropper sooner or later.

The book quotes from the BT Security survey released in January 2022.  One aspect which I fully agree with is the emphasis on getting security basics right and the importance of awareness development amongst employees.  Getting this right and training our employees are essential pillars of any cyber security practice, so as the book says, the question remains, why are we still banging on about it? – and everyone who reads my stuff knows I do that a lot.

There are a lot of traditional good security practices which have been pushed and re-emphasised time and time again.  Patch management, access management, anti-virus/malware, firewalls etc, and from my time working in the corporate space, I know that large enterprises have spent millions on traditional areas of cyber security over the last 2 decades.

But are we really still stuck there, entrenched in traditional thinking when our working practices are changing, technology is changing, compliance requirements are changing?

SME management is often completely left behind by these changes.  They have enough problems just keeping their businesses afloat and trying to grow, they don’t have enough time or resource to keep abreast of these many and varied issues.  Let’s face it, if corporate management is struggling with this changing landscape given their resources, what hope for the SME.

More than half (54%) of SMEs in the UK had experienced some form of cyber-attack in 2022 (stats for 2023 are starting to trickle through), up from 39% in 2020 (Vodafone Study, 2022).  As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

So, what does he mean?  As he’s not here to ask I suggest that he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

But now we have the ‘new normal’ with many businesses enjoying the financial bonus of having a smaller office footprint whilst many people work remotely, bringing with it an increase in security problems.  Earlier we mentioned traditional security solutions that have been around for a long time, most of which pre-date the pandemic and were based on the old bastion security methodology ie a network perimeter, protected with traditional solutions.  But that bastion model no longer exists in many places, or if it does, it only protects half the workforce in the office, whilst the other half work remotely.  What is needed is new solutions that protect your staff wherever they might be working from.

Luckily for you, we have such a solution.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Protecting Your Business from Cyber Attacks – Part 2 – Plus some info on a Ransomware Attack

efore I begin I thought it would be appropriate first, to discuss an issue that has cropped up in the news, which I believe is extremely pertinent to SMEs, because many use MS365 and Azure in part or in whole, for storing their data and as part of their access controls.  Many IT companies that service SMEs, will claim that Azure provides excellent protections, and that it’s enough on its own.  Now, I’m not here to denigrate Microsoft, heaven forefend, but it would be remiss of me not to point out a recent breach, which might well be a state backed attack, but nonethess has created what is known as an Advanced Persistent Threat (APT), known as Storm-0558 breach.

This breach has allowed China-linked APT actors to potentially have single-hop access to the gamut of Microsoft cloud services and apps, including SharePoint, Teams, and OneDrive, among many others.  It is estimated that the breach could have given access to emails within at least 25 US government agencies and could be much further reaching and impactful than anyone anticipated, potentially placing a much broader swathe of Microsoft cloud services at risk than previously thought.

A lack of authentication logging at many organizations means that the full scope of actual compromise stemming from the situation will take weeks, if not months, to determine.  This of course raises issues with authentication even amongst large enterprises and government departments.  SMEs are far more reliant on such technologies and are subsequently far more at risk.

This breach was caused by a stolen Microsoft account key which allowed the bad guys to forge authentication tokens to masquerade as authorised Azure AD users, and therefore obtaining access to Microsoft 365 enterprise email accounts and the potentially sensitive information contained within.  However, it gets worse, as it turns out that the swiped MSA key could have allowed the threat actor to also forge access tokens for “multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams and One Drive.

It should be noted that Microsoft took swift action and revoked the stolen key, however despite this some Azure AD customers could potentially still be sitting ducks, given that Storm-0558 could have leveraged its access to establish persistence by issuing itself application-specific access keys, or setting up backdoors.  Further, any applications that retained copies of the Azure AD public keys prior to the revocation, and applications that rely on local certificate stores or cached keys that may not have updated, remain susceptible to token forgery.

OK, now back to the original subject.  Steps 6 to 10 in my suggested top ten list.

  1. What steps should I take to protect my business from ransomware attacks? A very good question with a multi thread answer.
  • Keep Software Updated. Regularly update your operating system, applications, and antivirus software to ensure you have the latest security patches.
  • Use Strong Passwords. Use unique and complex passwords for all your accounts and consider using a password manager to keep track of them securely.
  • Enable Two-Factor Authentication (2FA).  Add an extra layer of security by enabling 2FA whenever possible, as it helps prevent unauthorized access to your accounts.
  • Be Cautious with Email. Avoid opening attachments or clicking on links from unknown or suspicious senders. Be wary of phishing attempts.
  • Backup Your Data.  Regularly back up your important files and data to an external hard drive or a secure cloud service. This way, even if you fall victim to ransomware, you can restore your files without paying the ransom.
  • Use Reliable Security Software. Install reputable antivirus and anti-malware software to help detect and block ransomware threats.
  • Educate Yourself and Others. Stay informed about the latest ransomware threats and educate your family or colleagues about the risks and preventive measures.
  • Secure Network Connections. Use a firewall and be cautious when connecting to public Wi-Fi networks.
  • Limit User Privileges. Restrict user access privileges on your devices, granting administrative rights only when necessary.
  • Monitor for Suspicious Activity. Regularly monitor your devices and network for any unusual or suspicious activity that might indicate a potential ransomware attack.
  1. What can I do to ensure that my data is backed up in case of a cyber-attack? This is straight forward and highlights a problem whereby many SMEs think that if their data is on a cloud service, they don’t need to back it up.    You need a backup routine that separates your backed up data, from your data storage.  What I mean by that, is that if an attacker, or a piece of malware, can jump from one system to another, then having a live connection to your back up defeats the object, but it’s surprising how many people do this.  So, there are a number of methods.  The first is the good old fashioned tape backup.  Becoming less and less used nowadays but still very effective.  Another is that several cloud providers also provide a backup solution that disconnects once the backup has been done and will allow you to go back to a ‘clean’ backup if the current one has been compromised.  Check this out, but do back up your data, don’t be convinced that you don’t need to, you do.
  1. What cyber security measures should I put in place to protect my business from external threats? To protect against external cyber threats, you should consider implementing the following cybersecurity measures:
  • Strong Passwords: Encourage employees to use complex passwords and enable multi-factor authentication wherever possible.
  • Regular Updates: Keep all software, operating systems, and applications up to date to patch known vulnerabilities.
  • Firewall: Set up and maintain a firewall to control incoming and outgoing network traffic.
  • Antivirus Software: Install reputable antivirus software to detect and remove malware.
  • Employee Training: Educate your staff about cybersecurity best practices and potential threats, such as phishing and social engineering.
  • Data Encryption: Encrypt sensitive data to prevent unauthorized access if it gets intercepted.
  • Access Control: Implement role-based access control to limit users’ access to only the data and systems they need.
  • Regular Backups: Regularly backup your important data and keep the backups in a secure location.
  • Network Monitoring: Use intrusion detection and prevention systems to monitor network activity for suspicious behaviour.
  • Incident Response Plan: Develop a comprehensive incident response plan to handle cybersecurity incidents effectively.
  • Vendor Security: Ensure third-party vendors and partners also have strong security measures in place, especially if they have access to your data.
  • Physical Security: Protect physical access to servers and sensitive equipment.
  1. How can I stay up to date with the latest cyber security threats and best practices? There is a number of things you can do but a lot depends on how much time you have available to devote to this.  Probably not much and you may wish to consider having an advisor on tap, and surprise, we provide such an advisor.  But pointers that might want to consider include:
  • Subscribe to reputable cyber security news sources and blogs, like this one!
  • Attend cyber security webinars.
  • Follow cyber security experts on social media.
  • Sign up for security alerts: Many organizations and government agencies offer email alerts for the latest cyber threats.
  • Participate in cyber security training. I can’t emphasise enough the value of cyber awareness training for your staff.
  • Read official reports and advisories: Stay informed about security bulletins and advisories released by software vendors and security organizations.
  • Practice good cyber hygiene: Implement strong passwords, use multi-factor authentication, keep your software up to date, and regularly backup your data.
  1. What steps should I take to ensure my business is compliant with relevant regulations and industry standards?

This is going to depend on several factors, such as the business you are in.  Many organisations must adhere to a variety of standards within their area of business and of course, many use a variety of International Standards such as ISO9000 series.  On top of this there are legal frameworks that you also must adhere to, amongst those are UK GDPR and financial services regulations.  Not an exhaustive list.  It can be a minefield.

It is somewhat surprising to me, that many SMEs that I visit don’t know what data is subject to these regulations and what isn’t, and where that data is actually stored, how it is processed and protected.  They will argue that they do know most of this, at least at a high level, but that they outsource to their local IT provider.  That won’t help you if a regulator comes after you.  You can outsource your IT, but not your responsibility.  Take advice, get guidance, there are some great protections and audit tools out there which don’t have to cost a fortune.  Check them out.

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Protecting your business from cyber attacks – Part 1

Protecting your business from cyber attacks and scams is a challenge, and I get it, it can be expensive, especially when the most effective solutions are aimed at enterprise businesses with big budgets that SMEs simply can’t match. And that of course, is why they are so tempting to the cyber criminal. Cybersecurity is an ongoing effort. It’s important, no matter how difficult you may think it is, to stay informed about the latest threats and continuously adapt your security measures to address emerging risks. SMEs and local IT company’s simple can’t afford professional cyber security advice and skills, so consider consulting with cybersecurity professionals for additional guidance tailored to your specific business needs.

There are a number of protections that you need to consider.  I’ve picked the top 5, at least in my opinion, but that’s far from exhaustive.

  1. What are the best practices for keeping my business secure from cyber threats? A sound strategy is a mixture of process, procedure and technical controls, coupled with sound security awareness training.  Here are some of the highlights:
  • Strong Passwords: Enforce the use of complex, unique passwords for all accounts, and consider implementing multi-factor authentication (MFA) for an extra layer of security.
  • Regular Updates: Keep all software, operating systems, and applications up to date with the latest patches and security updates to address known vulnerabilities.
  • Employee Education: Train employees on cybersecurity awareness, including recognising phishing attempts, social engineering, and safe browsing habits. Regularly remind them about the importance of maintaining security practices.
  • Network Security: Use firewalls, intrusion detection and prevention systems, and virtual private networks (VPNs) to safeguard your network against unauthorised access.
  • Data Encryption: Encrypt sensitive data both in transit and at rest. This helps protect data if it is intercepted or stolen.
  • Backup and Recovery: Regularly back up critical data and test the restoration process. This ensures that important information can be recovered in the event of a cyber incident.
  • Access Controls: Implement a least privilege approach, granting employees access only to the resources they need for their job roles. Regularly review and revoke access for former employees or those who no longer require it.
  • Incident Response Plan: Develop an incident response plan that outlines the steps to be taken in case of a cybersecurity incident. This helps minimize damage and facilitates a swift recovery.
  • Vendor Management: Assess the security practices of third-party vendors and partners to ensure they meet your standards. Establish clear security requirements and monitor compliance.
  • Periodic security assessments, remember nothing stays the same and new vulnerabilities and threats emerge all the time.
  1. How can I protect my business from phishing, malware, and other online attacks?
  • Employee Education: Train your employees to recognise and avoid phishing attempts. Teach them how to identify suspicious emails, links, and attachments. Encourage them to report any suspicious activity promptly.
  • Strong Passwords: Enforce the use of strong, unique passwords for all business accounts. Consider implementing two-factor authentication (2FA) for an extra layer of security.
  • Regular Updates and Patches: Keep all software and operating systems up to date with the latest security patches. Regularly update antivirus and anti-malware software as well.
  • Secure Network: Implement robust network security measures, including firewalls, intrusion detection systems, and secure Wi-Fi networks. Regularly monitor and audit network activity for any anomalies.
  • Email Protection: Deploy email filters and spam blockers to prevent malicious emails from reaching employees’ inboxes. Consider using email authentication protocols such as SPF, DKIM, and DMARC.
  • Web Browsing Security: Advise employees to exercise caution when visiting websites, especially those with suspicious or unknown origins. Encourage the use of secure browsing practices, such as avoiding clicking on unfamiliar links.
  • Data Backups: Regularly back up all critical business data to secure, off-site locations. This ensures that even if malware or ransomware attacks occur, you can restore your data without paying a ransom.
  • Incident Response Plan: Develop a comprehensive incident response plan outlining the steps to be taken in case of a security breach. This plan should include communication protocols, containment measures, and recovery procedures.
  • Ongoing Security Awareness: Maintain a culture of security awareness within your organisation. Regularly remind employees about the importance of staying vigilant and following security best practices.
  1. What type of cyber security training should I provide for my employees? It’s important to cover several key topics.  Here are some suggestions:
  • Phishing Awareness: Teach employees how to recognise and report phishing emails, suspicious links, and potential scams.
  • Password Security: Educate employees on creating strong passwords, using password managers, and avoiding password reuse.
  • Social Engineering: Raise awareness about social engineering techniques, such as pretexting and tailgating, and provide guidelines for handling suspicious requests.
  • Data Protection: Train employees on handling sensitive data, including proper data classification, encryption, and secure file transfer methods.
  • Malware Defence: Teach employees about malware threats, safe browsing habits, and the importance of keeping their devices and software up to date.
  • Mobile Security: Highlight best practices for securing mobile devices, such as using secure Wi-Fi networks, enabling device encryption, and being cautious about downloading apps.
  • Incident Reporting: Establish clear procedures for reporting security incidents, so employees know how to promptly and effectively respond to potential breaches.
  • Remote Work Security: Provide guidelines on securing home networks, using VPNs, and maintaining the security of devices when working remotely.
  • Physical Security: Emphasise the importance of physical security measures, such as locking screens, securing work areas, and preventing unauthorized access to sensitive areas.
  • Ongoing Training and Updates: Keep employees informed about emerging threats, new attack techniques, and evolving security practices through regular training sessions, newsletters, or online resources.

Remember to tailor the training to your organisation’s specific needs and provide practical examples to reinforce the concepts. Training should reflect the policies and processes that you have put in place.  Additionally, consider conducting periodic security assessments and simulations to test employees’ knowledge and readiness.

  1. How can I secure my customer data, and what regulations and best practices should I follow?

To a large extent, this is going to depend on what regulations and requirements the industry that you work in, require of you.  However, there are some things that remain common.  For instance, UK GDPR, the Computer Misuse Act, Financial regulations requiring you to maintain records for 7 years, which, for some industries (financial services, legal etc), can require a considerable effort.  One of the first requirements will be finding out where all your data actually is.  I know many will say well, I know where it is, it’s on my cloud and/or network storage.  But is it?  How many records containing personal identifiable information (PII), has been copied from one directory to another, usually for sound working reasons, or perhaps attached to email and not removed thus leaving a copy of it residing on your email server, etc.  Once you know where it is, then you can start to assess the risk.

  1. How can I quickly and effectively respond to a cyber security incident?

This is a procedural issue.  Do you have a sound incident response plan, which ideally is linked to a business continuity plan?  Are these the same thing?  An incident response plan is just what it says, it’s how you respond and technically recover from a security incident.  Whilst business continuity is about how you continue to work and service your customers whilst recovering from the incident.  Deeply related but not the same thing.

Next week I’ll take a look at the next 5 steps on my list, which are:

  1. What steps should I take to protect my business from ransomware attacks?
  1. What can I do to ensure that my data is backed up in case of a cyber attack?
  1. What cyber security measures should I put in place to protect my business from external threats?
  1. How can I stay up-to-date with the latest cyber security threats and best practices?
  1. What steps should I take to ensure my business is compliant with relevant regulations and industry standards?

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

Security Tools

Is Anti-virus to cure all that many SMEs seem to think it is?

In the SME world there is an instilled view that anti-virus, along with a firewall or two, is the knight in shining armour, constantly battling malicious threats. But is it always the hero we think it is? Let’s talk about duality – the good and the not-so-good side of anti-virus software. On the bright side, it’s an essential tool for digital safety. It stands as our frontline defence, identifying and eliminating potential threats like viruses, malware, and phishing attempts. It’s a relentless protector, working round-the-clock to safeguard our valuable data. So far so good.

However, no knight is without its flaws. Anti-virus software can sometimes be overzealous, flagging innocent files as harmful. This ‘false positive’ can disrupt our workflow, especially when essential files are blocked. Moreover, no anti-virus software provides 100% protection. Complacency can be our undoing, leading us to believe we’re invincible behind our digital shield. So, what’s the bottom line? Well, anti-virus software is a necessity in today’s world, but it’s not a fool proof solution.

So why do SMEs think it is?  Well, there’s probably several reasons for that and chief amongst them will be the constant companion of an SME, cost.  If you can convince yourself that a solution solves all, or most, of your problems in one hit, then that’s going to be a winner in your mind.  There is also an issue with the larger IT and Cyber Security companies, that they have largely ignored SMEs because they don’t produce the financial rewards that their bigger clients do. So, they have been happy to pass off software sales, like AV, to their sales channel, and allow their re-sellers to push those products on their behalf.  Sounds good except that often those re-sellers simply don’t have any more in house cyber skills than the SMEs themselves, so there is no guarantee that what they are selling is what the SME needs.

Now, I’m not knocking your local IT support company, they do what they do and generally do it well.  Generally, they like to stick to the tried and tested products that they have been selling for years and tend not to buy in to innovation easily.  Can’t blame them, they are as beholden to the bottom line as the rest of us.  And the various flavours of AV fall into that category.

This is where we part company with such companies.  We are very much involved with innovation, looking at new ways of solving old problems, and new ones as they crop up.  The only way an SME is going to get the protection they need and deserve, at a cost they can afford, is via such innovation.  We have been working with Platinum High Intensity Technologies, or Platinum-HIT.  This is a new PROACTIVE Managed Security Service Solution for Endpoint in the class of Anti-virus, anti-malware, anti-ransomware.

So, what’s different about it?  Surely, it’s just another version of AV?  Well, no it isn’t, it’s a new approach to an old and continuing problem, that solves a several problems along with way, using what is known as a Hard-Disk-Firewall or HDF.  So, what I hear you cry.  I have a personal firewall on my laptop.  Why do I need another one?  Perhaps the word firewall is a little misleading.  Read on and you’ll see what I mean.

The HDF concept is a simple one. On any computer system, data is stored either as non-runnable information data or runnable application programs. Malware is a type of runnable program with undesirable behaviours. HDF prevents malware infection by stopping malware program files from being stored and run on a computer. HDF functions as part of the Microsoft® operating system.

From the perspective of the computer operating systems, malware or viruses are simply another form of application program. From a human’s perspective, malware is existential threat that we do not want to run on our systems. HDF works by stopping any additional program from saving on a fully working and virus free computer unless the system administrator/owner allows a certain specific program to install.

The approach is to deny write access of runnable program files to any storage devices irrespective of the user’s right and privilege on the computer. For example, the control is so absolute that administrator/user cannot bypass, intentionally or by mistake.

Other than blocking install of malware, the computer functions as normal, and HDF operates to- tally transparently to end users. For example, running applications, opening, reading, saving, and deleting non-runnable data is not affected.

Device independent – effective on all storage devices supported by the underlying operating systems, e.g., hard disk, USB token device, tape drive, optical writers (CD or DVD writer) and any future device which relies on the operating system to provide read and write functionality.

Data location independent – works identical on local and remote storage devices including write access from wired and wireless networks, infrared and blue tooth etc. No hardware component. Implemented as a component fully integrated into the operating system, effectively becomes part of the operating system and not a separate application. Making the operating system immutable.

HDF does not require any prior knowledge of file and data contents. The system just stops any data to be saved that can be run on a computer, including all known or future malware. This indiscriminately stops polymorphic viruses, ransomware, zero-day threat and renaming any data file back to runnable programs.

HDF does not rely on Microsoft security operating system patches and in of itself no regular updating is required.

HDF security capability has NOT degraded since commercial deployment in 2008. There has never been a CVE attributed to the HDF solution.

So yes, whilst this system has been around the defence and nuclear space for some time, it’s very new to the SME market, and in fact, to the enterprise market for that matter.

Is your AV due for renewal soon?  Before you just push the button and renew, have a word with us first.  We just might have what you are missing, and you might be surprised at how affordable it is, considering it’s managed for you at no additional cost.

Scroll to top