Security

Cyber Security as Business Protection – Protect, Detect and Recover

This is another foray into cyber risk management and strategy for SMEs.  I make no apologies for covering it again because it should be a vital part of any SME's business planning.  In a nutshell, it is the business process of identifying and addressing digital threats to protect operations, revenue and reputation.  Rather than just a technical IT task, it is a strategic function focused on ensuring business continuity and managing potential financial losses.

A strong cybersecurity risk management strategy for SMEs should focus on reducing the highest risks first while staying practical and affordable.  Most SMEs do not need enterprise-scale security programmes; they need disciplined fundamentals, clear ownership and resilience.

Core Principles

  1. Protect what matters most:
     • Customer data
     • Financial systems
     • Email accounts
     • Intellectual property
     • Operational systems
  2. Assume attacks will happen:
     • Focus on prevention and recovery.
     • Design for resilience, not perfect security.
  3. Keep it simple and repeatable:
     • Overly complex controls fail in SMEs due to limited staff and budget.

Recommended Cybersecurity Risk Management Framework

A practical SME strategy can follow five pillars taken from the functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (version 2.0 of the framework adds a sixth, Govern, which the governance section further down covers):

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Alternatively, for those attempting or having achieved Cyber Essentials, one of the most effective ways to secure a business is to follow the UK government’s National Cyber Security Centre (NCSC) recommendations. These five steps are designed to be cost-effective and provide protection against the majority of common cyber-attacks. 

  • Secure your data with back-ups.
  • Protect with strong authentication (MFA).
  • Keep devices and software up to date.
  • Guard against malware.
  • Train staff on cyber awareness, phishing in particular.

But beware, the latest iteration of CE requires CEOs/MDs to sign a certification that they will ensure that the standard is maintained throughout the year and not just at point of achieving the standard.  That is a game changer which requires some form of monitoring to be put in place to ensure that the standard continues to be met.

No two businesses are the same.  They all have certain threats and vulnerabilities in common, and adherence to the NCSC guidelines and/or Cyber Essentials will set you on the right path; many of you will either have gone down that route or will be actively discussing it internally.  But there will still be differences, perhaps only nuances, that can drive a hole through your defences, and that is why you need a risk management strategy to make sure the defences you have built are robust.

Identify Your Risks

  1. Create an Asset Inventory

Document:

  • Devices
  • Servers
  • Cloud services
  • SaaS platforms
  • User accounts
  • Critical data
  • Vendors

Even a spreadsheet is enough initially.

  2. Classify Critical Assets

Rank systems by business impact:

  • High: payroll, CRM, finance, production
  • Medium: internal collaboration
  • Low: public marketing systems

  3. Identify Likely Threats

For SMEs, the biggest risks are usually:

  • Phishing
  • Business email compromise
  • Ransomware
  • Weak passwords
  • Insider mistakes
  • Third-party/vendor compromise
  • Unpatched software
  • Cloud misconfiguration

Protect the Business

  1. Multi-Factor Authentication (MFA)

This is one of the highest-value controls and you need MFA for:

  • Email
  • VPN
  • Admin accounts
  • Cloud apps
  • Banking systems

Use authenticator apps or hardware keys where possible.

  2. Strong Identity & Access Management

You need to apply:

  • Least privilege access
  • Separate admin accounts
  • Role-based permissions
  • Immediate removal of leavers

Review access at least quarterly.

  3. Endpoint Protection

Deploy modern endpoint security on all company devices:

  • Antivirus/EDR
  • Device encryption
  • Automatic updates
  • Screen lock policies

Focus first on laptops because they are commonly targeted.

  4. Patch Management

Set strict update timelines:

  • Critical vulnerabilities: 24–72 hours
  • High-risk patches: within 1 week
  • Routine updates: monthly

Automate updates wherever possible, but you will still need to monitor patch status to confirm that updates have actually applied and that nothing has been missed, otherwise you cannot know that you have this under control.

  5. Email Security

Since email is the number one attack vector:

  • Anti-phishing filters
  • DMARC, DKIM and SPF (these are published as DNS records and need to be monitored, because a missing or weakened record silently removes the protection)
  • Attachment sandboxing if affordable
  • User reporting button for suspicious emails
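The SPF and DMARC records above are only useful while they are correct, and nothing warns you when someone edits DNS and weakens them.  The following script, an added example that is not part of the original article, checks a domain's SPF and DMARC text records for the common mistakes (no record, `+all`, too many lookups, `p=none`, no reporting address).  The records it runs against are constructed for a hypothetical domain; in practice you would feed it the live TXT records (for example the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`) on a schedule.

```python
"""Check SPF and DMARC TXT records so that a missing or weakened entry is noticed.
Added example, not from the original article. The sample records are constructed;
in practice feed in the live records, e.g. from `dig +short TXT example.com` and
`dig +short TXT _dmarc.example.com`, and run the checks on a schedule."""
import re

# SPF terms that each consume one of the ten permitted DNS lookups (RFC 7208, section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record):
    """Return a list of findings for the domain's SPF record ('' if none is published)."""
    if not record:
        return ["SPF: no record published, so receivers cannot tell forged mail from yours"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings, lookups = [], 0
    for term in terms[1:]:
        bare = term.lstrip("+-~?").lower()                  # strip the qualifier
        name = re.split(r"[:/=]", bare, maxsplit=1)[0]      # 'include:x' -> 'include', 'a/24' -> 'a'
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: ptr mechanism is deprecated and unreliable")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10; receivers return permerror")
    tail = terms[-1].lower()
    if tail in ("all", "+all"):
        findings.append("SPF: ends with +all, which authorises the whole internet to send as you")
    elif tail == "?all":
        findings.append("SPF: ends with ?all (neutral), which gives receivers no signal")
    elif tail == "~all":
        findings.append("SPF: ends with ~all (softfail); move to -all once every sender is listed")
    elif tail != "-all" and not tail.startswith("redirect="):
        findings.append("SPF: no terminal 'all' mechanism")
    return findings

def check_dmarc(record):
    """Return a list of findings for the _dmarc TXT record ('' if none is published)."""
    if not record:
        return ["DMARC: no _dmarc record, so spoofed mail is neither reported nor blocked"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine and then reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you will never see the aggregate reports")
    return findings

def assess(spf_record, dmarc_record):
    """Combine both checks; an empty list means the records look healthy."""
    return check_spf(spf_record) + check_dmarc(dmarc_record)

# Constructed records for a hypothetical domain, in a typical weak form and a hardened form.
WEAK = assess("v=spf1 a mx include:_spf.example.net ~all", "v=DMARC1; p=none")
GOOD = assess("v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
              "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    print("weak records:", *WEAK, sep="\n  ")
    print("good records:", GOOD or "no findings")
```

Run it from a scheduled task and alert on any non-empty result; the interesting moment is when a record that used to return no findings suddenly does, which is exactly the silent DNS change you want to catch.  DKIM cannot be checked the same way without knowing the selector names, so confirm those with your mail provider and query each `selector._domainkey` record in the same job.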

  6. Backup Strategy

Use the 3-2-1 rule:

  • 3 copies of data
  • 2 different storage types
  • 1 offline or immutable copy.  Don't rely solely on online backups: they make restores quicker, but in a ransomware scenario a backup the attacker can reach can be encrypted just like the rest of your systems.

Test restores regularly.  Recovery in a disaster or ransomware situation depends on this.

  7. Secure Cloud Usage

For cloud platforms like Microsoft 365 or Google Workspace:

  • Disable legacy authentication
  • Enforce MFA
  • Monitor sharing permissions
  • Limit external access
  • Audit administrator activity

Detect Threats Early

  1. Centralised Logging

This is often particularly difficult for SMEs because they have no in-house cyber security staff and their IT support company often does not offer this service.  It is still important to collect logs from:

  • Email systems
  • Firewalls
  • Endpoints
  • Cloud platforms

A managed service is often the way forward.

  2. Monitoring & Alerts

This is another area that is hard for SMEs, for the same reasons as log collection.  You need to receive alerts on:

  • Failed login spikes
  • Impossible travel logins
  • Admin privilege changes
  • Large file downloads
  • Suspicious mailbox rules

A managed service is often the only way to achieve this.
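To make the alerts above concrete, here is an added example (not from the original article) that implements three of them over a handful of constructed sign-in and mailbox-audit events: a failed-login spike, an impossible-travel login, and a suspicious inbox rule of the kind business email compromise actors create.  The event shape, the thresholds, the GeoIP coordinates and the company domain `example.com` are all assumptions; a managed service or your own scripts would feed in the exported sign-in and audit logs from Microsoft 365 or Google Workspace instead.

```python
"""Three of the alerts listed above, run over constructed sign-in and audit events.
Added example, not from the original article: event shape, thresholds and the
internal mail domain are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

FAIL_THRESHOLD = 5                   # failures per account ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this sliding window
MAX_SPEED_KMH = 900.0                # faster than an airliner: both logins cannot be the user
MIN_DISTANCE_KM = 50.0               # ignore GeoIP jitter within one city
INTERNAL_DOMAINS = {"example.com"}   # assumption: the company's own mail domain
RISKY_WORDS = ("invoice", "payment", "password", "bank")

# Constructed sample events (not real logs); naive ISO-8601 timestamps, one time zone.
EVENTS = [
    *[{"type": "signin", "user": "alice", "time": f"2025-01-15T09:0{i}:00", "ip": "203.0.113.9",
       "lat": 51.5, "lon": -0.12, "result": "failure"} for i in range(6)],
    {"type": "signin", "user": "alice", "time": "2025-01-15T09:07:00", "ip": "203.0.113.9",
     "lat": 51.5, "lon": -0.12, "result": "success"},
    {"type": "signin", "user": "bob", "time": "2025-01-15T10:00:00", "ip": "198.51.100.4",
     "lat": 51.5, "lon": -0.12, "result": "success"},    # London
    {"type": "signin", "user": "bob", "time": "2025-01-15T10:40:00", "ip": "192.0.2.77",
     "lat": 6.52, "lon": 3.38, "result": "success"},     # Lagos, 40 minutes later
    {"type": "signin", "user": "dave", "time": "2025-01-15T08:00:00", "ip": "198.51.100.8",
     "lat": 51.5, "lon": -0.12, "result": "success"},    # London
    {"type": "signin", "user": "dave", "time": "2025-01-15T10:00:00", "ip": "198.51.100.9",
     "lat": 53.48, "lon": -2.24, "result": "success"},   # Manchester, 2 hours later: plausible
    {"type": "mailbox_rule", "user": "carol", "time": "2025-01-15T11:02:00", "name": ".",
     "forward_to": "c.backup@mail.example.net", "delete": True, "subject_contains": "invoice"},
    {"type": "mailbox_rule", "user": "erin", "time": "2025-01-15T11:30:00", "name": "Newsletters",
     "forward_to": None, "delete": False, "subject_contains": "newsletter"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def failed_login_spikes(events):
    """Alert once per account when FAIL_THRESHOLD failures fall inside FAIL_WINDOW."""
    alerts, recent, seen = [], defaultdict(list), set()
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] != "signin" or e["result"] != "failure":
            continue
        window = recent[e["user"]]
        window.append(_ts(e["time"]))
        while window[-1] - window[0] > FAIL_WINDOW:   # drop failures that have aged out
            window.pop(0)
        if len(window) >= FAIL_THRESHOLD and e["user"] not in seen:
            seen.add(e["user"])
            alerts.append((e["user"], "failed-login spike",
                           f"{len(window)} failures within {FAIL_WINDOW} from {e['ip']}"))
    return alerts

def impossible_travel(events):
    """Alert when consecutive successful logins imply a speed no traveller can achieve."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] != "signin" or e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (_ts(e["time"]) - _ts(prev["time"])).total_seconds() / 3600
            if km >= MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_SPEED_KMH):
                alerts.append((e["user"], "impossible travel",
                               f"{km:.0f} km in {hours * 60:.0f} min ({prev['ip']} -> {e['ip']})"))
        last[e["user"]] = e
    return alerts

def suspicious_mailbox_rules(events):
    """Flag inbox rules of the kind BEC actors add after taking over a mailbox."""
    alerts = []
    for e in events:
        if e["type"] != "mailbox_rule":
            continue
        reasons = []
        fwd = e.get("forward_to")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            reasons.append(f"forwards to external address {fwd}")
        subject = (e.get("subject_contains") or "").lower()
        if e.get("delete") and any(w in subject for w in RISKY_WORDS):
            reasons.append(f"silently deletes mail matching '{subject}'")
        if len((e.get("name") or "").strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        if reasons:
            alerts.append((e["user"], "suspicious mailbox rule", "; ".join(reasons)))
    return alerts

def run_detections(events):
    return failed_login_spikes(events) + impossible_travel(events) + suspicious_mailbox_rules(events)

if __name__ == "__main__":
    for user, kind, detail in run_detections(EVENTS):
        print(f"{user:<6} {kind:<24} {detail}")
```

Dave's London-to-Manchester pair stays quiet (about 260 km in two hours), while Bob's London-to-Lagos pair fires because roughly 5,000 km in forty minutes is not travel; the distance floor stops GeoIP wobble inside one city from raising the same alert.  The mailbox-rule check is the one most worth keeping even if nothing else is affordable, because a forwarding rule to an outside address is the classic sign that an account has already been taken over.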

  3. Vulnerability Scanning

You should aim to run monthly scans internally and externally.

Prioritise:

  • Internet-facing systems
  • Critical vulnerabilities
  • Unsupported software

There are a variety of scanning tools available to purchase; however, you need someone who can interpret the results, identify the critical issues and eliminate false positives.  Once again, a managed service may be the answer for many SMEs.
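The patch timelines in the Patch Management section and the scan triage just described are two views of the same queue: every open finding has a severity-driven deadline, internet-facing and unsupported systems go to the front, confirmed false positives drop out, and the share fixed within deadline is the "patch compliance %" KPI listed later.  The script below is an added example (not from the original article) that does exactly that over constructed scanner output.  The field names, the sample findings, the fixed "now" clock and the extra weight given to exposure are assumptions; the SLA table mirrors the 72-hour / one-week / monthly timelines given above.

```python
"""Patch-SLA and vulnerability-triage check over constructed scan findings.
Added example, not from the original article; field names, sample findings and
the fixed 'now' are assumptions, the SLA mirrors the timelines given above."""
from datetime import datetime, timedelta

SLA = {"critical": timedelta(hours=72), "high": timedelta(days=7),
       "medium": timedelta(days=30), "low": timedelta(days=30)}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
NOW = datetime(2025, 3, 10, 9, 0)   # fixed clock so the worked result is reproducible

# Constructed scanner output (not from a real scan). 'fixed' is the remediation time or None.
FINDINGS = [
    {"id": 1, "host": "web01",     "severity": "critical", "internet_facing": True,
     "unsupported": False, "detected": "2025-03-05T09:00", "fixed": None},
    {"id": 2, "host": "web01",     "severity": "high",     "internet_facing": True,
     "unsupported": False, "detected": "2025-03-08T09:00", "fixed": None},
    {"id": 3, "host": "files01",   "severity": "critical", "internet_facing": False,
     "unsupported": False, "detected": "2025-03-09T10:00", "fixed": None},
    {"id": 4, "host": "laptop-17", "severity": "medium",   "internet_facing": False,
     "unsupported": True,  "detected": "2025-02-01T09:00", "fixed": None},   # end-of-life software
    {"id": 5, "host": "mail01",    "severity": "high",     "internet_facing": True,
     "unsupported": False, "detected": "2025-03-01T09:00", "fixed": "2025-03-04T15:00"},
    {"id": 6, "host": "db01",      "severity": "critical", "internet_facing": False,
     "unsupported": False, "detected": "2025-02-20T09:00", "fixed": "2025-02-27T09:00"},
    {"id": 7, "host": "web01",     "severity": "critical", "internet_facing": True,
     "unsupported": False, "detected": "2025-03-01T09:00", "fixed": None,
     "false_positive": True},   # verified by hand as a scanner misfire
]

def _ts(s):
    return datetime.fromisoformat(s)

def deadline(f):
    """When the SLA for this finding runs out."""
    return _ts(f["detected"]) + SLA[f["severity"]]

def priority(f):
    """Higher = fix sooner: severity first, then internet exposure, then unsupported software."""
    return SEVERITY_RANK[f["severity"]] + (2 if f["internet_facing"] else 0) + (1 if f["unsupported"] else 0)

def live(findings):
    """Drop confirmed false positives so they pollute neither the queue nor the KPI."""
    return [f for f in findings if not f.get("false_positive")]

def triage(findings, now=NOW):
    """Return (open findings in fix order, the subset already past their SLA)."""
    open_ = [f for f in live(findings) if not f.get("fixed")]
    ranked = sorted(open_, key=lambda f: (-priority(f), deadline(f)))
    return ranked, [f for f in ranked if deadline(f) < now]

def patch_compliance(findings, now=NOW):
    """Patch compliance %: of findings already due (fixed, or SLA expired), the share fixed in time."""
    due = [f for f in live(findings) if f.get("fixed") or deadline(f) < now]
    if not due:
        return 100.0
    on_time = [f for f in due if f.get("fixed") and _ts(f["fixed"]) <= deadline(f)]
    return round(100.0 * len(on_time) / len(due), 1)

def report(findings, now=NOW):
    ranked, _ = triage(findings, now)
    lines = [f"patch compliance: {patch_compliance(findings, now)}%"]
    for f in ranked:
        late = now - deadline(f)
        state = f"OVERDUE by {late}" if late > timedelta(0) else f"due in {-late}"
        lines.append(f"#{f['id']} {f['host']:<10} {f['severity']:<8} prio={priority(f)} {state}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(FINDINGS))
```

With the sample data the queue comes out as the internet-facing critical on web01 (already two days past its 72-hour deadline), then web01's high, the internal critical on the file server, and the long-overdue medium on the unsupported laptop; compliance is 25% because of the four findings that have come due, only the mail server was fixed inside its deadline.  A report like this, produced monthly from the scanner export, is the "some form of monitoring" the Patch Management section asks for.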

Incident Response Plan

Every SME should have a documented response process which includes:

  • Who makes decisions
  • Who contacts customers
  • Legal/compliance steps
  • Cyber insurance contacts
  • IT recovery procedures

  1. Create Playbooks For:
  • Ransomware
  • Phishing compromise
  • Lost/stolen device
  • Data breach
  • Vendor compromise

Run tabletop exercises twice yearly.

Recovery & Business Continuity

  1. Define Recovery Objectives

Set:

  • RTO (Recovery Time Objective)
  • RPO (Recovery Point Objective)

Examples are below.  RTO is the longest the business can tolerate a system being unavailable; RPO is the most data, measured in time, that it can afford to lose.  The figures will be set by business priorities:

  System    | Max downtime (RTO) | Max data loss (RPO)
  Email     | 4 hours            | 1 hour
  Payroll   | 24 hours           | 4 hours
  CRM       | 8 hours            | 2 hours

  2. Business Continuity Planning

Prepare for:

  • Cloud outages
  • Cyberattacks
  • Staff unavailability
  • Power/network failures

Document manual fallback procedures to keep the business running whilst you recover from the crisis.

Governance & Leadership

  1. Assign Ownership

Even small companies need accountability:

  • Security lead
  • Executive sponsor
  • Incident coordinator

Security without ownership fails.

  2. Establish Policies

Minimum essential policies:

  • Acceptable use
  • Password policy
  • Data handling
  • Remote work
  • Vendor management
  • Incident reporting

Keep them concise and enforceable and importantly, rolled out so that staff know where to find them and what they contain.

Human Risk Management

Most SME breaches involve human error.

  1. Security Awareness Training

Train employees on:

  • Phishing
  • Social engineering
  • Password hygiene
  • Safe file sharing
  • AI/deepfake scams
  • Reporting suspicious activity

Short monthly sessions work better than annual training.

  2. Phishing Simulations

Measure:

  • Click rates
  • Reporting rates
  • Repeat offenders

Use results for coaching, not punishment.

Third-Party & Supply Chain Risk

SMEs increasingly rely on vendors.

  1. Vet Critical Suppliers

Review:

  • Security certifications
  • MFA usage
  • Breach history
  • Data protection controls

Prioritise vendors with access to:

  • Financial data
  • Customer data
  • Internal systems

Compliance Considerations

Depending on industry/location, SMEs may need alignment with:

  • ISO/IEC 27001 (the International Organization for Standardization's information security management standard)
  • National Cyber Security Centre Cyber Essentials
  • GDPR/Data Protection Laws
  • PCI DSS

For UK SMEs, Cyber Essentials is an excellent baseline.

Recommended SME Security Stack

A practical modern stack often includes:

  • MFA platform
  • Endpoint detection & response (EDR)
  • Password manager
  • Secure email gateway
  • Cloud backup
  • Mobile device management (MDM)
  • Firewall with IDS/IPS
  • Security awareness platform

For those considering Cyber Essentials for the first time, or for renewal, some form of monitoring is required to ensure that the standard is maintained throughout the certification year, not just on the day of assessment.

Budget Prioritisation (Highest ROI First)

For SMEs budget is always limited and must be prioritised.  This is a general guide and may change dependent upon business priorities:

  • MFA everywhere
  • Backups
  • Endpoint protection
  • Email security
  • Patch management
  • Security awareness training
  • Logging/monitoring
  • Vulnerability scanning
  • Managed security services
  • Advanced zero-trust controls

In order to decide your budget, you need to work out your priorities and again, this will depend on what the company does.  A suggested 12 month roadmap, for someone starting from scratch, is:

Months 1–3

  • Asset inventory
  • MFA rollout
  • Backup improvements
  • Patch automation
  • Security policies

Months 4–6

  • Endpoint protection
  • Vulnerability scanning
  • Staff awareness training
  • Incident response planning

Months 7–9

  • Logging and monitoring
  • Vendor risk reviews
  • Phishing simulations
  • Access reviews

Months 10–12

  • Tabletop exercises
  • Business continuity testing
  • External security assessment
  • Cyber insurance review

Metrics SMEs Should Track

I talked about measuring your security stance and your compliance.  Some useful KPIs might be:

  • MFA adoption %
  • Patch compliance %
  • Phishing click rate
  • Mean time to detect/respond
  • Backup recovery success
  • Number of critical vulnerabilities
  • Security training completion

Common SME Mistakes

Turning now to some common mistakes.  I don’t want to dwell on these too much as they are self-evident, but you should avoid:

  • Treating cybersecurity as only an IT problem
  • Buying too many disconnected tools
  • Ignoring backups
  • Giving staff admin rights
  • Failing to test recovery
  • Depending entirely on one IT provider
  • No incident response process

I hope that this provides some guidance, but I'm fully aware that it contains issues that will appear as a bit of a 'black art' to some people.  Get advice from cyber security professionals; don't think that because someone knows about IT they have the nuances of security covered, because they often don't.  Remember that some cyber security solutions are procedural, not technical.

Policy, Process and then Technology

Protecting Your Data on Public Networks

Remote working is here to stay, and whilst it's not for everyone, many employers and employees alike have taken to it.  There are multiple cyber security problems related to this, working from home or on the move, and today I'm going to concentrate on the prevalence of people working from insecure sites such as coffee shops, railway and air terminals etc.  It's a subject that I tend to jump on every so often because it's one that people just don't seem to get.  I dropped into a coffee shop this morning for my caffeine infusion, and there were six people with their laptops open, working away on business issues.  I could see open spreadsheets (easy to read if you were sitting behind them), and all had their email open.  One was on a video call, and I heard all her side of the conversation, annoying enough for other café users, but she wasn't aware at all of the data she was releasing into the wild.

Of course, this is nothing new; it has been 'a thing' for years now, but is it a safe thing to be doing?  A recent survey suggests that a significant proportion of connections to unsecured Wi-Fi networks in coffee shops, restaurants, airports and other public places result in hacking incidents.

If you are among those Wi-Fi lovers, there's bad news for you: your online privacy and security are at risk if you rely on the weak to non-existent Wi-Fi security protocols at these insecure locations.  This means that you could be exposed to threats such as identity theft (which has over 15 million cases each year), data theft and breaches, and introducing malware to your business network and to those of your customers and suppliers.  This list is not exhaustive.

Free or public Wi-Fi networks are hotspots for hackers and data snoopers who want to steal your private data or financial information, and it is easy for them to do so.  You would be surprised at the number of ways they can compromise your device or your private information, which is why you shouldn't rely on public Wi-Fi security.  Using insecure public Wi-Fi exposes you to a range of risks because you are sharing a network with unknown and potentially malicious people.  The core issue is that these networks often lack proper encryption and authentication, making it much easier for an attacker in range to intercept or manipulate your data.

One of the biggest risks is data interception (packet sniffing).  On an open network with no encryption, anyone in range can use simple tools to capture the packets travelling between your device and the internet.  If the traffic itself isn't encrypted (for example, a website not using HTTPS), sensitive information such as passwords, emails or card details can be read directly.

A closely related threat is the Man-in-the-Middle (MitM) attack. Here, an attacker secretly positions themselves between you and the service you’re accessing. Instead of communicating directly with a website, your traffic is routed through the attacker, who can monitor, alter, or inject malicious content into the communication without your knowledge.

Another common issue is rogue hotspots or “evil twin” attacks. Attackers set up fake Wi-Fi networks with names that look legitimate (e.g., “Free Airport Wi-Fi”). When you connect, all your traffic passes through their system, giving them full visibility and control over your activity.

Public Wi-Fi also increases the risk of session hijacking.  Even after you log into a site, attackers may be able to capture session cookies, the small pieces of data that keep you logged in, and use them to impersonate you without needing your password.  This mainly affects sites that do not use HTTPS for every page or do not mark their cookies as Secure; a properly configured HTTPS site does not expose them on the wire.

There’s also the danger of malware distribution. Some attackers exploit vulnerabilities in devices connected to the same network to push malicious software. Others may trick users into downloading infected files via fake pop-ups or compromised websites.

Many public networks lack proper network segmentation, meaning devices on the same network can sometimes directly communicate with each other. This makes it easier for attackers to scan for vulnerable devices, open ports, or shared files, potentially gaining unauthorised access.

Another issue is unencrypted connections and misconfigured security protocols. Some networks use outdated encryption standards (like WEP) or even none at all, making it trivial to crack passwords or decrypt traffic.

Additionally, automatic connectivity on devices can be exploited.  If your device is set to reconnect to known networks, an attacker can broadcast the same network name (this works especially well for open networks that have no password), and your device may join the attacker's access point without your explicit approval.

Finally, there’s a broader privacy concern: even if attackers don’t actively interfere, network operators themselves (or anyone monitoring the network) may log your browsing habits, device information, and other metadata.

How to reduce risk:

  • Use a VPN to encrypt your traffic
  • Only access HTTPS websites (look for the padlock icon)
  • Avoid logging into sensitive accounts on public Wi-Fi
  • Disable file sharing and use a firewall
  • Turn off automatic Wi-Fi connections
  • Verify network names with the venue before connecting
  • Only use authorised protocols to access your company network or cloud

In short, insecure public Wi-Fi removes many of the protections that normally keep your data private, making it far easier for attackers to observe, intercept, or manipulate your online activity.
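"Verify network names with the venue" and "turn off automatic Wi-Fi connections" are the two items above that a script can check before you join.  The following is an added example, not part of the original article: it takes a list of visible access points and the laptop's saved profiles and flags the evil-twin pattern (one network name offered both with and without encryption), open networks, and saved open networks that are set to auto-connect.  The scan records and saved profiles are constructed; in practice you would fill them from your system's own scan output (`nmcli dev wifi list` on Linux, `netsh wlan show networks mode=bssid` on Windows), and the field names used here are an assumption.

```python
"""Spot evil-twin and open-network risks from a Wi-Fi scan before connecting.
Added example, not from the original article; the scan and saved-profile
records are constructed and their field names are an assumption."""
from collections import defaultdict

SCAN = [   # constructed: what the laptop can see in the coffee shop
    {"ssid": "Cafe_Guest", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2", "signal": 70},
    {"ssid": "Cafe_Guest", "bssid": "aa:bb:cc:00:00:02", "security": "WPA2", "signal": 55},  # venue's 2nd AP
    {"ssid": "Cafe_Guest", "bssid": "de:ad:be:ef:00:01", "security": "open", "signal": 90},  # same name, no encryption
    {"ssid": "Free Airport Wi-Fi", "bssid": "de:ad:be:ef:00:02", "security": "open", "signal": 60},
    {"ssid": "HomeOffice", "bssid": "11:22:33:44:55:66", "security": "WPA3", "signal": 30},
]
SAVED_PROFILES = [   # constructed: networks the laptop already trusts
    {"ssid": "Cafe_Guest", "security": "WPA2", "autoconnect": True},
    {"ssid": "Free Airport Wi-Fi", "security": "open", "autoconnect": True},
    {"ssid": "HomeOffice", "security": "WPA3", "autoconnect": True},
]

def assess(scan, profiles):
    """Return (ssid, kind, detail) findings for every network that should not be joined blindly."""
    findings = []
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)
    saved = {p["ssid"]: p for p in profiles}
    for ssid, aps in by_ssid.items():
        securities = {ap["security"] for ap in aps}
        if len(securities) > 1:
            # A venue's mesh uses several BSSIDs but ONE security setting; mixed settings mean impersonation.
            loudest = max(aps, key=lambda ap: ap["signal"])
            findings.append((ssid, "evil-twin suspect",
                             f"'{ssid}' is offered as {sorted(securities)}; strongest signal is "
                             f"{loudest['bssid']} ({loudest['security']})"))
        elif securities == {"open"}:
            findings.append((ssid, "open network",
                             "no link encryption: anyone in range can read non-TLS traffic"))
        profile = saved.get(ssid)
        if profile and profile["security"] != "open" and "open" in securities:
            findings.append((ssid, "profile mismatch",
                             f"saved profile expects {profile['security']} but an open AP now uses this name"))
    for profile in profiles:
        if profile["autoconnect"] and profile["security"] == "open":
            findings.append((profile["ssid"], "auto-connect to open network",
                             "any access point broadcasting this name will capture the device"))
    return findings

def safe_to_join(ssid, findings):
    """True only when nothing was flagged against that network name."""
    return not any(f[0] == ssid for f in findings)

RESULTS = assess(SCAN, SAVED_PROFILES)

if __name__ == "__main__":
    for ssid, kind, detail in RESULTS:
        print(f"{ssid:<20} {kind:<28} {detail}")
```

In the sample scan the strongest "Cafe_Guest" signal is the open one, which is precisely how an evil twin wins: devices and people both prefer the louder network.  The fix for the auto-connect finding is the one the article gives, delete or disable auto-join on saved open networks, so that the laptop never picks the attacker's "Free Airport Wi-Fi" for you.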

The risk reductions above are essential, but even then, don't get complacent.  A VPN, for instance, encrypts your data as it transits the internet, putting up a secure 'tunnel' for it to move through.  However, that data is only protected once you start sending it; the data sitting on your laptop is not protected by the VPN at all.  Disk encryption such as BitLocker on Windows or FileVault on a Mac keeps the contents of the disk encrypted at rest, so that if your machine is stolen while switched off or locked, the data can't be read.  But once the machine has booted and you have logged on, the operating system decrypts the data transparently for any program that asks for it, so disk encryption does nothing against an intrusion into the running machine.  File-level encryption addresses that gap: it encrypts individual files according to their sensitivity and only decrypts them for authorised users and applications, so if your machine is accessed while it is up and running in the coffee shop, the sensitive data still can't be read.

Stay aware and stay vigilant.  You have to be successful all the time; the criminal has to be successful just once.

Cyber Security Policies – A Must Have or a Nice to Have

I've written about this a couple of times now, but it's worth reminding people that policies and attendant processes are a cost-effective necessity in terms of cyber security.  How important are policies and processes in comparison with technology when it comes to cyber security and its sister discipline, data protection?  The clue is that in cyber security we refer to People, Process and Technology, in that order.

Top of this list is People, and I’ve written extensively about how important cyber awareness training is for all, managers and employees alike.  This piece is all about policies and processes.  First and foremost, policies have to be relevant to the organisation and not just downloaded from the internet, maybe with a few modifications, before applying a tick in the box and moving on.  Policies have to mean something and have a purpose.  Many organisations I go to either have some very scant policies or actually, none at all.

I often talk about risk in terms of cyber security and how managing that risk is extremely important.  And that means understanding what those risks actually are, and then taking steps to mitigate them.  When I talk about this, I can often see the wheels turning and the audience thinking technology and how much is that going to cost them.  Well, it’s often the case that technology is not the answer.  There are many risks where a good policy, promulgated to, and understood by all, can save the company money.

A good example of that is a fairly common scam that tends to cost SMEs between 5K and 50K depending upon the size of the business.  How this is achieved is that the scammer, or let's call him/her what he/she is, the criminal, spends some time profiling the company, using various social engineering techniques to work out how the company is organised and who is who.  You may be surprised how much of that information is freely available on the company website, Companies House and other sources.  Having discovered who the boss is, and who looks after invoice payments, the criminal then 'spoofs' the boss's email.  Email spoofing, in simple terms, is sending an email purporting to come from someone else: the display name, or the address itself, is forged, and the reply address can be set to a mailbox the criminal controls.  So, it arrives purporting to come from the boss, but it's from the scammer.  Such an email is sent to the person who pays invoices, with an invoice attached, saying please pay this as a matter of urgency.  This happened not so long ago to someone I know, and when it arrived in the accounts department it didn't look genuine to the payments clerk, who replied to the email asking if the boss was sure.  Of course, she got an email back saying yes, I'm sure.  She paid it and the company lost over 30K.  The accounts clerk was clearly switched on, but she made a basic error because she didn't know any different.  If she had sent a fresh email to the boss querying the invoice, it would have gone to the boss, who could have stopped the transaction.  Instead, she replied to the email and her reply went back to the scammer.  A policy which dictates fresh emails rather than using the reply function, and known to all, would have saved the company a lot of money.
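The policy is the control, but the same three tells can also be checked automatically when the message arrives.  The script below is an added example, not from the original article or the incident described: it parses an email's headers and flags a Reply-To that points somewhere other than the From address (the reason the clerk's reply reached the criminal), a display name that matches a known executive but comes from the wrong address, and a sender domain that is a near-miss for the company's own.  The company domain `example.com`, the executive list and the three sample messages are constructed assumptions.

```python
"""Flag the tell-tale signs of a spoofed 'pay this invoice' email.
Added example, not from the original article. The company domain, the executive
list and the sample messages are constructed; real deployments would run this
on the gateway or over a mailbox export."""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                          # assumption
EXECUTIVES = {"jane boss": "jane.boss@example.com"}     # assumption: display name -> genuine address

def levenshtein(a, b):
    """Edit distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw):
    """Return a list of reasons this message should not simply be replied to and paid."""
    msg = email.message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain, reply_domain = domain_of(sender), domain_of(reply_to)
    findings = []
    if reply_to and reply_domain != sender_domain:
        findings.append(f"Reply-To {reply_to} differs from From {sender}: "
                        "pressing Reply answers the criminal, not the person named")
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and sender.lower() != genuine:
        findings.append(f"display name '{name}' belongs to {genuine} but the mail came from {sender}")
    for domain in {sender_domain, reply_domain} - {"", COMPANY_DOMAIN}:
        if levenshtein(domain, COMPANY_DOMAIN) <= 2:
            findings.append(f"{domain} is a lookalike of {COMPANY_DOMAIN}")
    return findings

# Constructed messages (not real mail).
SCAM = ("From: Jane Boss <jane.boss@examp1e.com>\n"                 # digit 1 in place of l
        "Reply-To: Jane Boss <j.boss.payments@mail.example.net>\n"  # where a reply really goes
        "To: payments@example.com\n"
        "Subject: Urgent - please pay attached invoice today\n"
        "\n"
        "Please pay this as a matter of urgency. Jane\n")
WEBMAIL_SPOOF = ("From: Jane Boss <janeboss1234@webmail.example>\n"
                 "To: payments@example.com\n"
                 "Subject: Quick favour\n"
                 "\n"
                 "Are you at your desk?\n")
GENUINE = ("From: Jane Boss <jane.boss@example.com>\n"
           "To: payments@example.com\n"
           "Subject: March invoice run\n"
           "\n"
           "All approved, thanks. Jane\n")

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("webmail spoof", WEBMAIL_SPOOF), ("genuine", GENUINE)):
        print(label, "->", check_message(raw) or ["no findings"])
```

The scam message trips all three checks, the webmail variant only the display-name check, and the genuine one none; a gateway rule that stamps an "external sender" banner on anything with a finding, plus the "fresh email, never Reply" policy, would have stopped the loss described above.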

Policies and attendant processes are essential for the protection of company data and the bottom line, company money.  What needs to be covered and in what depth, depends on the risks that the company is facing, and will differ company to company depending on its type.  In broad terms, and as an absolute minimum, the following are required:

  • Overarching IT security policy – often this only needs to say very clearly what responsibilities employees have in regard to security and data protection, lay down a requirement and responsibility for cyber awareness training, and state that all employees are to be cognisant of all the policies and are to sign that they have read and understood them.  And most importantly, it must be signed off at board level making it clear that this is a crucial requirement.
  • IT Acceptable Use Policy – what is, and what is not, an acceptable use for company IT.
  • IT Email Policy
  • IT password policy
  • IT Mobile working policy – essential for mobile workers who may be tempted to work from a coffee shop, and of course, working from home.  This latter might be a separate policy or can be part of the mobile working policy.
  • Data Protection Policies – a whole other subject.
  • Social media policy – this can be really important.  Probably 100% of your employees will have a social media presence and will use it daily. How important is it that they don’t associate themselves with the company on their private social media?  Depends on the person but it could be damaging in reputational terms.  The company might also do some digital marketing on social media.  Who is, and who is not, allowed to get involved with that function.

This is not an exhaustive list.  It depends very much on the risks that need mitigating.  Each policy will also be accompanied by processes to support it.

ENCRYPTION

There are lots of different encryption solutions on the market, some which come with other applications and some that are stand alone.  I’m not going to attempt to put one up against another but rather have a more generic look at the subject.  I’m also not going to worry too much about the technicalities of how they work as frankly, most clients, many of which are SMEs, don’t really care about that.  It’s the effectiveness and what they are going to get for their buck, that they care about.

There are essentially two main types of encryption, whole-disk encryption (WDE) and file-level encryption (FLE).  WDE protects the device when it is switched off, locked or the disk has been removed, which is what matters if the hardware is stolen.  It is the type of encryption that comes with Windows (BitLocker) and with a Mac (FileVault).  FLE, on the other hand, protects the data itself, even if it is stored on an unlocked or shared system.  It works file by file, i.e. it encrypts the files you want to protect and leaves the others unencrypted.  It generally operates as an agent-based system and often, but not always, comes as part of another application.

WDE is easy to describe.  The whole disk is always stored encrypted, and the key is only released when the machine boots and the user authenticates, so if the hardware, laptop etc., is stolen, the data on the disk is protected.  However, once you have logged on, the operating system decrypts the data transparently for every program that reads it, so from that point the data is unprotected against an intrusion into the running machine.

FLE proactively encrypts sensitive files at the file level, typically using AES-256.  Stolen copies of those files are then useless to an attacker, because they cannot be read without the decryption key, which is managed through an agent and defined access controls rather than being released to the whole machine at login.  By encrypting data automatically and in real time, FLE keeps data protected even if the system is compromised, which can be more effective than reactive security measures that rely on detecting attacks after they occur.

Let’s take a look in a bit more detail at the differences between WDE and FLE.

Feature                                   | Whole-Disk Encryption (WDE)                                                                                        | File-Level Encryption (FLE)
What gets encrypted                       | The entire drive (OS, apps, swap, all files)                                                                       | Individual files or folders
When data is decrypted                    | Transparently for any process, once the device boots and the user authenticates (login, pre-boot PIN, TPM key)     | Each encrypted file decrypts only when accessed by an authorised app or user
Protection scope                          | Strong against physical theft, lost devices or disk removal                                                        | Strong for protecting sensitive data, shared storage or cloud backups
Visibility of encrypted content           | Drive appears unreadable until unlocked                                                                            | File names may still be visible (depends on tool), but contents are encrypted
Use cases                                 | Laptops, desktops, mobile devices                                                                                  | Documents, databases, specific secrets or user-chosen data
Performance impact                        | Minimal today: sectors are decrypted on the fly as they are read, usually with hardware (AES-NI) acceleration      | Can be higher if many encrypted files are accessed frequently
Granularity / control                     | Low (all or nothing)                                                                                               | High (encrypt only what needs protection)
Key management                            | One main disk key (often protected by a TPM or other secure hardware)                                              | Many file keys, or per-user / per-file keys, possible
Security if compromised while powered on  | Weak (disk is unlocked, malware can read everything)                                                               | Better (files are only decrypted when opened, limiting exposure)

One question I get asked a lot is whether encryption protects against ransomware.  The short answer is no.  WDE only protects the data while the machine is switched off or locked; once it has booted and you are logged on, everything on it is readable.  FLE protects data against leakage or theft, in that it can't be read by unauthorised persons, but it can't prevent already-encrypted files from being encrypted again by a ransomware attack.

A secondary aim of most ransomware attacks is to steal the data, to sell on or to use for extortion.  In those cases FLE does help, because the exfiltrated files are still encrypted with keys the attacker does not hold, so there is a level of protection with FLE that you can't get with WDE.  The caveat is that if the ransomware runs as an authorised user on a machine where the FLE agent is active, it can read the decrypted content just as that user can, which is why the key handling and access rules below matter.

FLE can help a little (but still not enough):

It can slow or limit ransomware only if:

  • Keys are stored in a separate secure environment (HSM, smart card, enclave, etc.)
  • Decryption requires per-file user interaction that ransomware cannot mimic
  • The storage supports immutable or version-protected encrypted blobs

Even in those cases:

  • Ransomware can still delete files, encrypt them again, or lock the device
  • It usually cannot be used as a full defence strategy

What it does not prevent

  • Files being encrypted again by ransomware
  • Files being deleted or corrupted
  • The system being locked or made unusable

What it can still be good for

  • Preventing data theft if files are exfiltrated
  • Limiting extortion via stolen data leaks
  • Protecting backups stored in cloud/shared drives from being read by attackers

My focus as always is on the SME community, and therefore I always aim to keep costs down to a level that makes sense to them.  I am much more a fan of FLE than WDE; however, as WDE comes free with both Windows and macOS, let's use it.  Many corporate organisations use both as belt-and-braces protection.  But remember, on its own it's not a total solution and should be implemented as part of a more holistic cyber defence.

I hope this has given an insight into the subject and answered some basic questions.  If you would like to understand more about this then please give me a call or an email, I’d be delighted to chat it over.

Innovation – Why Do Many Shy Away from it?

We are, by nature, somewhat reserved I think, and we like to trust the known and proven rather than the unknown and as yet unproven.  How many of us like to be the first to buy the latest model of a car, or the latest phone?  The same applies to our IT infrastructure and security.  Something might advertise some really great innovations, but we want to see someone else try it first, just to be sure.

I read an interesting piece where the thrust was that true innovation consists of doing now what you should have done ten years ago.  Harsh, maybe, but also fair.  I’m constantly reading industry surveys which highlight the low level of cybersecurity maturity amongst large firms and, increasingly, an even lower level amongst smaller firms.  We never seem to learn.

So, what are we referring to here?  In a nutshell, the creation and adoption of new technologies, strategies and practices that improve the protection of digital systems, data and networks from cyber threats.  It goes beyond simply maintaining existing defences; it is about staying ahead of attackers by introducing smarter, more efficient and more resilient security methods.

My focus remains on SMEs, so I’ll skip more talk about the corporate world.  In conversation with people I’ve worked with for years, their anecdotal evidence supports the underlying truth of these surveys.  SMEs in particular struggle with the basics of good cybersecurity housekeeping, such as monitoring of basic network events, timely removal of user accounts, timely deployment of security patches, and revalidation of access level, particularly privileged access.  This list is far from exhaustive, and this message has been pushed over and over by cybersecurity professionals over the last 10-15 years, but SMEs continue to rely on technical solutions which simply don’t stack up in many areas.  Why?  Simple, because they are relying on local IT providers to give them solutions and those IT providers continue to push the technologies that they sell.  SME owners and managers are very reluctant to relinquish that argument.  Strange when often the best solutions are procedural and as such, much cheaper than a technology that probably doesn’t quite match up anyway.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT.  They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Back to the topic in hand, innovation, and how and when we should be seriously considering it.  Ideally, we should be constantly looking for innovations, not just to keep us safe but to encourage efficiency and cost savings, and I'm sure all SME owners would love to have the time and resource to do just that.  But we live in the real world and SMEs will be cost and resource constrained.  That is not an excuse to stop keeping a weather eye on the need to innovate.  We live in a changing world and what we in the business call the threat landscape changes constantly.  This simply means that threats evolve all the time, often to meet new circumstances, and AI, for instance, is shrinking the time cyber criminals need to react to new technologies and changes in working patterns, so that a weakness can be exploited almost as soon as something new is released, before the vendor knows about it or has a patch available, which is what the industry calls a zero-day.

When COVID hit, many SMEs had to move very quickly to keep going, adopting remote working without the time or luxury of any real planning. It was a knee-jerk reaction born of necessity and certainly not the way they would have liked to do it. There are multiple cases of companies not having the necessary equipment, in terms of hardware, desktops, laptops etc., and allowing staff to work from home using their own home machines, connecting to both office and cloud-based systems, without any check on how those machines were configured, whether or not they were kept up to date with the latest patches, or whether they were used by other family members.

In terms of equipment, cloud usage and some working practices, that situation is righting itself, sort of.  There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are either planning to, or have adopted a hybrid model.  In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.  That new working model has arguably had the biggest effect on working practices and in turn, cyber security as it affects SMEs, since the innovation of IT itself. 

So, what needs to be done if hybrid working patterns are to continue?  Well, first and foremost comes your policies.  Do they reflect the new hybrid working model?  Have you laid down what is and what is not an acceptable use of company IT equipment if it’s being transported to a home address?  Do you allow the use of home machines, and have you laid down how those machines must be configured before they can be used for company business?  That list is not exhaustive.

Secondly comes user training. Cyber awareness training for staff, along with a broad understanding of data protection principles, becomes even more important when staff are working from home. It is a clear no-brainer which many SMEs still don’t recognise as necessary.

Of course, those two things are hardly innovation, unless of course you haven’t taken any of those measures, in which case they become innovative within your company. Real innovation perhaps comes from reviewing the technologies you have in place and have relied on, possibly for years. Most, if not all, of those technologies will be based on the old bastion model of security, i.e. a network perimeter with a secure gateway protecting your assets within that perimeter. With the new working model, relying usually on cloud connectivity, your staff could be working in the office, at home, from a coffee shop and so on. You now have a mobile workforce. What is needed is real innovation that protects your data regardless of where it is: technologies which are themselves cloud based and do not care where the endpoint they are monitoring actually is, whilst maintaining cost-effective pricing. This is something we’ve been at great pains to research and have now come up with such solutions.

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target, and there are a ton of statistics available which show that SMEs globally are a very real target for cyber-attacks and can in fact be very profitable for cyber criminals. There are a lot of reasons for that, but one of the top reasons is that typically SMEs spend very little on cyber defence and generally have very weak defences. Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault. Most are focused on their core business, trying to make a quid or two, and are pressed for time. They tend to rely on whatever company, usually local, supplied their network, hardware and software, generally on a retainer. The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then not necessarily the right technology.

When it comes to cybersecurity governance and management, there is no “one size fits all” approach.  In today’s threat landscape we need to fully understand that cyber security is not a purely technical problem, focused on hardware and endpoint protection and on operations within the organisational perimeter.  Today we are dealing with cloud storage, in office and remote working, data at rest and in transit, involving security at every point along the route.

It is critical that someone within the organisation takes responsibility for cyber security, and that person must have a seat on the Board. A Board-level response is not just appropriate; it is essential.

Secure by default and design

Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to a cloud of some sort (for SMEs, very possibly MS365), but when the design was done there wasn’t a full risk assessment undertaken, which is a requirement to underpin that design. In other words, what we in the cyber security industry refer to as Security Architecture Design (SAD) wasn’t a prominent consideration.

Not unusual: the common technologies, firewalls and anti-virus, were probably set up, but not much else. And that is where a well thought-out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

7. Collaboration with external partners: Establishing a partnership with a cyber security company that understands the issues affecting SMEs, and which can itself establish a solid working relationship with the IT provider that supplies and administers your network and IT resources, will enhance your protections, significantly improve employee and managerial awareness of the issues, and give you the peace of mind to concentrate on your core business.

PROACTIVE CYBER SECURITY

Proactive security, protective monitoring, security operations – they all pretty much mean the same thing in terms of cyber, at least in the corporate world and the larger, more sensitive Government organisations. I’ve been involved with the design and commissioning of security operations centres for a long time. I designed the first for the FCO, under contract to HP, and ran the security team for the Identity and Passport Service, which included a security operations centre, amongst others. But the one thing I knew was that it was too complex and expensive for an SME, even though it would bring them great benefits.

I’ve been talking and posting a lot recently about this subject because I think it’s extremely important and hasn’t, in the past, resonated with SME owners and management, simply because it was considered by many to be purely in the province of the corporate world and way too expensive for an SME to even consider. Well, that cost issue is no longer the case and there is a system, which we use to provide a managed service for SMEs, that is very affordable. So that leaves us to consider whether an SME would regard it as an essential element of their cyber defences, now that it is affordable.

Typically, an SME would want a solution that balances strong security coverage with affordability, simplicity, and minimal disruption to daily operations. Here’s what I think they would like to include if they could afford it.

1. Comprehensive Threat Visibility
  • Log collection from key systems (servers, endpoints, cloud services, firewalls, applications).
  • Real-time monitoring for suspicious activities (e.g., failed logins, privilege escalation, data exfiltration).
  • Ability to spot both external attacks (phishing, malware) and insider threats.

2. Actionable Alerts, Not Noise
  • Intelligent alert prioritisation to avoid alert fatigue.
  • Context-rich notifications so the SME knows what happened, why it matters, and what to do next.
  • Possibly AI-driven correlation of events to detect patterns.

3. Ease of Use & Low Overhead
  • Simple dashboards that non-experts can navigate or, more likely, a managed service, as an SME will have little or no resource to give to this.
  • Minimal in-house expertise required to operate.
  • Fast onboarding and configuration.

4. Reporting
  • Reports that are easy to read, management focused and not full of jargon.
  • Audit trails for investigations.

5. Incident Response Integration
  • Clear escalation paths (automated and manual).
  • Integration with existing tools (ticketing systems, email, Slack/Teams).
  • Ability to block malicious IPs or disable compromised accounts quickly.

6. Affordability & Scalability
  • Pricing that fits SME budgets (no enterprise-only costs).
  • Scales up with business growth without a full rip-and-replace.
  • Easy and flexible deployment.
  • Coverage regardless of where your staff work: in the office, remote or on the move.

7. Resilience & Reliability
  • Works even if parts of the infrastructure are down.
  • Secure storage and backup of monitoring data.
  • Regular updates to threat detection rules.
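To make “actionable alerts, not noise” concrete, here is an added example (not the managed service’s own software): two simple protective-monitoring rules, repeated failed logins and an account being added to an administrative group, run over constructed log lines, with each alert carrying what happened, why it matters and what to do next, and the list ordered by severity. The log format, host names, user names and IP addresses are all constructed for illustration.

```python
"""Two protective-monitoring rules over constructed auth log lines.

Added example, not the service's own software. Log format, hosts, users
and addresses are constructed; the rules are deliberately simple.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simple 'timestamp key=value ...' format.
SAMPLE_LOG = """\
2025-03-10T08:01:12Z host=fs01 user=alice event=login_failed src=203.0.113.7
2025-03-10T08:01:20Z host=fs01 user=alice event=login_failed src=203.0.113.7
2025-03-10T08:01:31Z host=fs01 user=alice event=login_failed src=203.0.113.7
2025-03-10T08:01:45Z host=fs01 user=alice event=login_failed src=203.0.113.7
2025-03-10T08:02:02Z host=fs01 user=alice event=login_failed src=203.0.113.7
2025-03-10T08:02:15Z host=fs01 user=alice event=login_ok src=203.0.113.7
2025-03-10T08:30:00Z host=fs01 user=alice event=group_added group=Administrators by=alice
2025-03-10T09:10:05Z host=lt-bob user=bob event=login_failed src=198.51.100.4
2025-03-10T09:10:40Z host=lt-bob user=bob event=login_ok src=198.51.100.4
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}
WINDOW = timedelta(minutes=10)      # burst window for failed logins
FAIL_THRESHOLD = 5                  # failures inside WINDOW that count as a burst
ADMIN_GROUPS = {"Administrators", "Domain Admins"}


def parse_line(line):
    """Turn one log line into a dict; 'ts' becomes a datetime."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_brute_force(events):
    """One alert per (user, src) with >= FAIL_THRESHOLD failures inside WINDOW.

    A successful login shortly after the burst raises the alert to critical,
    because the guessing may have worked. A lone failure produces nothing,
    which is the point: one alert per pattern, not one per log line.
    """
    failures = defaultdict(list)
    for e in events:
        if e.get("event") == "login_failed":
            failures[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in failures.items():
        times.sort()
        burst_end = None
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= WINDOW:
                burst_end = times[i + FAIL_THRESHOLD - 1]
                break
        if burst_end is None:
            continue
        succeeded = any(
            e.get("event") == "login_ok" and e["user"] == user and e["src"] == src
            and burst_end <= e["ts"] <= burst_end + WINDOW
            for e in events
        )
        alerts.append({
            "severity": "critical" if succeeded else "high",
            "rule": "brute_force",
            "what": f"{len(times)} failed logins for {user} from {src}"
                    + (", then a successful login" if succeeded else ""),
            "why": "Likely password guessing; a success means the account may be compromised.",
            "action": ("Disable the account, reset its password and block the source address."
                       if succeeded else "Block the source address and check MFA is enforced."),
        })
    return alerts


def detect_privilege_escalation(events):
    """Alert whenever an account is added to an administrative group."""
    alerts = []
    for e in events:
        if e.get("event") == "group_added" and e.get("group") in ADMIN_GROUPS:
            alerts.append({
                "severity": "high",
                "rule": "privilege_escalation",
                "what": f"{e['user']} added to {e['group']} on {e['host']} by {e.get('by', '?')}",
                "why": "Administrative rights widen the damage a compromised account can do.",
                "action": "Confirm a change request exists; otherwise remove the membership.",
            })
    return alerts


def prioritised_alerts(text):
    """Run both rules and return alerts most severe first."""
    events = parse_log(text)
    alerts = detect_brute_force(events) + detect_privilege_escalation(events)
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a["severity"]])


if __name__ == "__main__":
    for alert in prioritised_alerts(SAMPLE_LOG):
        print(f"[{alert['severity'].upper()}] {alert['what']}\n  why: {alert['why']}\n  do:  {alert['action']}")
```

Bob’s single failed login produces no alert at all, while Alice’s burst and the group change produce exactly two, in severity order.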

      In short: An SME doesn’t just want raw data — they want reassurance, clarity, and quick guidance so they can protect their systems without hiring a large security team.  And that’s what we are offering, assurance.  There’s no such thing as 100% security, so if you’re looking for that, then we can’t help you.  Using this system our managed service plays the percentages by monitoring your defences, telling you in no uncertain terms where your defences aren’t up to the job, alerting you to problems and providing advice and guidance on how to fix stuff.

So, what exactly are we offering? Well, it’s a 24/7 service which provides a manned interface between you and us, on the end of the phone or by email in working hours, and an automated response service in silent hours. Doing it that way, you don’t have to pay for expensive night shifts. The staff on duty don’t just monitor your systems but provide advice and guidance as well, giving you a cyber security resource on tap.

      Specifically, we are covering off:

      Email Security – Stay ahead of potential email threats with our user-friendly, API-based active protection.

      Endpoint Security – Safeguard laptops and desktops against cyber threats like malware and ransomware.

      Cloud Data – Enable cloud data protection for secure collaboration with external users.

      Secure Browsing – Keep your browser secure with a provided extension, protecting you from viruses and malicious sites.

      Awareness Training – Empower employees to be the first line of defence against the ever-evolving landscape of cyber threats.

      Phishing Simulation – Regularly simulate cyber-attacks, including phishing emails, to identify vulnerabilities and educate staff to the dangers of Phishing.

      External Risk – Obtain actionable insights on external threats by scanning your digital footprint and exposed vulnerabilities. This includes regular scanning of the dark web looking for compromised email addresses and credentials.

      Insurance – Mitigate the cyber risk associated with evolving threats through tailored coverage at the right price (optional; aligning your premiums with your security posture can lower those costs).

      Here are some questions to ask yourself and if you answer yes to most of them, then you might be a fit for this service:

      • Do you employ around 1-250 staff members?
      • Does falling victim to cybercrime worry you?
      • Could you continue to operate your business without your IT systems?
      • Is a recent cyber scan of your public domain on your radar?
      • Are you aware of the constantly evolving cyber threats and tactics?
      • Does your business need protection against these advancing cyber threats?
      • Are you looking for coverage under a cyber insurance policy?

      Keep your eye out for a webinar that we will shortly be doing which will provide a full demo of the system, or if you prefer, contact us and we will give you a one-to-one demo, with no obligation.  You can follow this with a totally free 14-day trial covering your whole estate, again with no obligation.

If you wanted this system, you might still think it’s too expensive for you. Well, it’s only £14 per user per month, so if you only have 10 IT users amongst your staff, that would be £140 per month on a rolling 30-day contract, i.e. you can quit with just 30 days’ notice.

      Protective Monitoring for SMEs

      Security operations is a complex subject and there is no doubt that it can be expensive and difficult, even for corporate organisations who generally have the resource, both financial and technical, to run a security operations centre (SOC), or at least can afford to outsource.  I saw an RFP from a housing society for a SOC and I would be very interested to see if that contract gets let once the organisation gets the quotes, because I would be shocked if they could afford it.

Their RFP based its premise on the introduction of a Security Information and Event Management system (SIEM), which in itself might suggest that they don’t really know what they are asking for, or indeed what they want. I base this on having designed, built and operated several such operations centres in the past.

Now before the SIEM vendors and resellers pile on, let’s be clear: SIEM systems have their place and are very useful in a SOC, although I would argue that they are most certainly not the be-all and end-all. My focus these days is on SMEs, and for an SME there are several reasons why a SOC and an SIEM may be over the top and a cost too far.

Whilst an SIEM system is a valuable tool for cybersecurity, it comes with several drawbacks, including:

a. High Cost

  • Expensive Implementation – SIEM systems require significant upfront costs for software, hardware, and licensing.
  • Ongoing Costs – Maintenance, updates, and skilled personnel add to long-term expenses.

b. Complex Deployment and Management

  • Difficult Configuration – Setting up a SIEM system to work effectively requires extensive tuning and integration with various security tools.
  • Frequent Fine-Tuning – To avoid false positives and negatives, organisations must continuously refine alert rules and correlation policies.

c. High Volume of Alerts and False Positives

  • Alert Fatigue – SIEM systems generate numerous alerts, many of which are false positives, overwhelming security teams.
  • Difficult Prioritisation – It can be challenging to distinguish between critical threats and routine events without proper tuning.

d. Scalability Issues

  • Performance Bottlenecks – As an organisation grows, more logs and data sources can slow down the system.
  • Expensive Scaling – Scaling a SIEM to handle increasing data volumes often requires costly upgrades.

e. Need for Skilled Personnel

  • Expertise Required – SIEM systems need cybersecurity professionals to manage, analyse, and fine-tune them effectively.
  • Shortage of Talent – Finding skilled SIEM analysts can be challenging and expensive.

f. Storage and Compliance Challenges

  • Log Retention Costs – Storing large volumes of logs for compliance can be expensive.
  • Regulatory Complexity – Ensuring compliance with data protection laws (e.g., GDPR) requires careful log management.

g. Limited Threat Detection Without AI/Automation

  • Reactive Approach – Many traditional SIEMs rely on pre-set rules, making them less effective against new or sophisticated threats.
  • Lack of Automation – Without AI-driven analytics, manual investigation can be time-consuming.

      Having debunked the usefulness of an SIEM system for an SME, let’s look at what an SME could do to mitigate their cyber risks.

      A good cyber security strategy has always been founded upon strength in depth.  Sound security architecture, good cyber awareness training, solid access control and identity management, and the ability to protectively monitor your estate for threats, vulnerabilities, and risks. 

If you are not monitoring the effectiveness of the protections you have spent good money on, how do you know it’s money well spent? Are those protections doing what you think they are? Monitoring is central to the identification and detection of threats to your business. It acts as your eyes and ears when detecting and recovering from security incidents, and it enables you to ensure that devices are used in accordance with your organisational policies.

      Many small to medium-sized businesses struggle with stretched resources, lean budgets, and a critical technical expertise gap. This fight against sophisticated cyber threats and outdated systems turns them into easy targets for cybercriminals. Exposed and at risk, these businesses stagger on the edge of significant disruption, financial loss, and reputational damage.  Although on the surface an SIEM system might seem to be what an SME needs, it would not fit the profile of most SMEs, being too resource intensive and costly.

We have been researching the market, looking for a way of providing a security managed service that would serve an SME at an affordable price. And we think we’ve found it – no, we are SURE we have found it. Simplicity is at its core, employing enterprise-grade technology to simplify and streamline the day-to-day work. Our unified platform and onboarding process seamlessly detects, prevents, and responds to cyber threats in the most holistic, hassle-free, and cost-effective way.

We are offering a 14-day free trial which will cover:

1. Email security.
2. Cloud data.
3. Automated cyber awareness training.
4. External risk.
5. Endpoint security.
6. Secure browsing.
7. Phishing simulation.
8. And as an added bonus we can provide cyber insurance at a price which is directly linked to your risk score within our system. The lower your risk, the cheaper the insurance.

      This system is deliberately aimed at 1-250 IT users in your business.  Most SMEs come in around 10 to 15 IT users, but we’re not precious about it.  It is a managed service, and we have our eyes on the glass and can mitigate your risks in concert with our clients providing advice, guidance and remediation as part of the service.  All this for a mere £12 per user per month.

      Check it out at the link below.

      Data Protection – A Timely Reminder

Data Protection is a somewhat dry subject that many companies, particularly SMEs, think they can get away from by simply paying it a bit of lip service. The Data Protection Act 2018, or as it has become known, UK GDPR, is far from a toothless beast and can cause businesses to find themselves in all sorts of problems if they’re not careful.

As M&S has discovered, and now the Ministry of Justice. The cyber-attack was on the Legal Aid Agency and, as the government has admitted, appears to have accessed a ‘significant amount’ of applicants’ personal data. ‘This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers [national insurance], criminal history, employment status and financial data such as contribution amounts, debts and payments,’ the MoJ said.

… ‘it has become clear that to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down. We have put in place the necessary contingency plans to ensure those most in need of legal support and advice can continue to access the help they need during this time’. Serious indeed.

      Initial findings suggest that this is the result of systemic issues within the organisation which they have failed to correct, over many years.

      What are the possible fall outs from this?

      That very much depends on how the Information Commissioner views it.  If this is seen as negligence, then the potential fine could be very significant indeed.  If, on the other hand, it is deemed that the MOJ took all reasonable precautions that they could to protect the data, then that is a good mitigation which will reduce the potential punishment. 

But that’s not the end of it. The reputational damage that this does is incalculable, and the cost of fixing the issues will be high. Then there is the potential for legal action by anyone whose data was compromised; that could easily be the biggest issue that the MOJ faces.

      Only time and a thorough investigation will determine the outcome.

      Data Protection and the SME

My subscribers will know that my focus is the SME, large and small. So how does data protection impact them? Not so long ago a London estate agent was fined £80,000 by the Information Commissioner’s Office (ICO), after leaving the personal data of more than 18,000 customers exposed for almost two years.

      The incident occurred when the estate agent passed the details from its own servers onto a partner company. An “Anonymous Authentication” function was not switched off, which meant there were no access restrictions to the data.

      It’s surprising just how much PII estate agents hold.  Just think about what they ask for when you’re buying a house.  In this case the exposed details included bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.

      Then, as above, that might not be the end of it.  Individuals can sue companies that release data into the wild.  In fact, there are now law firms advertising no win no fee when representing these cases.  Remember that data breaches almost always involve multiple people, sometimes hundreds if not thousands of records.

      What size does a business need to be for the regulations to apply?

The regulations apply to all businesses, large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it’s a regular activity, concerns sensitive information or the data could threaten an individual’s rights. Just exposing PII can threaten an individual’s right to privacy.

      Just about everyone processes personal data of some sort.  Data that can identify a living individual.  HR data will have bank account information, home addresses, NOK, phone numbers, maybe references from previous employers.  The exposure of some or all of that could be judged as prejudicial to an individual’s rights.  Some companies may have bigger problems, for example Solicitors, Estate Agents, Financial Advisors and Recruiters (the list is not exhaustive), which hold an abundance of personal data about their clients, much of which, under other legislation they are required to retain for up to 7 years.

      Do I need written policies and processes?

Yes. What this means is that a significant number of policies and processes will need to be written and taken into use by the organisation. It is not unusual for many to visit the web and download templates to cover their requirements. However, whilst these templates in themselves may be adequate when used by someone who knows what the requirement is, they may be less than effective in the hands of someone who is just looking for a quick tick in the box.

How is UK GDPR affected by cyber security?

      The Act requires personal data to be secured by ‘default and design’.  This means that cyber security requirements must be designed into your protections.  This could mean at least another 6 or 7 policies and procedures.

      How can I keep track of all my PII holdings and keep it secure?

When we are first approached by a prospective client and we begin our offer of a 30-day free trial to examine their requirements, one of the first things we find is that they don’t know what data they are holding, or where it all is. Oh, they have a general idea: it’s on the cloud server(s), it’s not on laptops or desktops, it’s just the stuff we need to process our clients’ requirements and yes, we’ve only got one copy. And then we install our software, which first carries out a discovery exercise, and we find that their laptops/desktops are holding lots of copies of the data that is on the cloud server(s). How does that happen? Over time, especially with many now employing the hybrid system of working, i.e. between the office and remote (home) locations, employees log on to the cloud, find they have a bit of a shaky internet link and download the data they need, work on it and then upload it again, forgetting to delete it from their machine. Or they need to share it and attach it to an email and send it out, forgetting, or perhaps not realising, that the data is now stored, attached to an email, on their email server.

Then comes the issue with audit trails. If the ICO ever wanted to carry out an investigation, then having an audit trail of who created/copied/deleted/forwarded what to whom is essential. And let’s not forget the member of the public who is fully entitled to submit a Data Subject Access Request or DSAR, which demands that you reveal what data you are holding on that person. The law insists on it, and you can’t refuse it. I know of a financial firm that took nearly 3 weeks to satisfy a DSAR, taking an employee off billing for that time.
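The discovery exercise and the audit trail described in the two paragraphs above, as an added example that is not the managed service’s own software: files are matched by content hash, so a downloaded copy in a laptop’s Downloads folder and a renamed attachment in a mail store are both found against the cloud-held master, and every finding is written as a JSON audit line. The directory tree, file names and the client record are constructed in a temporary folder for illustration.

```python
"""Content-hash discovery of stray copies of cloud-held documents.

Added example, not the service's software. Builds a constructed estate in
a temporary directory, finds copies on 'endpoints' and writes an audit trail.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large documents do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_by_hash(root):
    """Map content hash -> list of file paths under root."""
    index = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            index.setdefault(sha256_of(p), []).append(str(p))
    return index


def find_stray_copies(cloud_root, endpoint_roots):
    """Return sorted (endpoint_path, cloud_path) pairs where an endpoint file is a
    byte-for-byte copy of a file on the cloud share. Names are ignored, so
    renamed copies (e.g. a saved attachment) are still matched."""
    cloud = index_by_hash(cloud_root)
    findings = []
    for endpoint in endpoint_roots:
        for digest, paths in index_by_hash(endpoint).items():
            if digest in cloud:
                findings.extend((p, cloud[digest][0]) for p in paths)
    return sorted(findings)


def write_audit_trail(findings, audit_file):
    """Append one JSON line per finding: when, what and where (for an ICO
    investigation or a DSAR, this is the record of where the data was)."""
    with open(audit_file, "a", encoding="utf-8") as f:
        for endpoint_path, cloud_path in findings:
            f.write(json.dumps({
                "time": datetime.now(timezone.utc).isoformat(),
                "action": "stray_copy_found",
                "endpoint_copy": endpoint_path,
                "master_copy": cloud_path,
            }) + "\n")


def build_constructed_estate(base):
    """Constructed sample estate: one client record on the cloud share, a copy
    downloaded to a laptop, the same record saved as a renamed mail attachment,
    and one unrelated file that must not be reported."""
    record = b"Client: J. Bloggs\nDOB: 1970-01-01\nNI: QQ123456C\n"  # constructed, not real
    cloud = Path(base, "cloud_share")
    (cloud / "clients").mkdir(parents=True)
    (cloud / "clients" / "bloggs.txt").write_bytes(record)
    laptop = Path(base, "laptop_alice")
    (laptop / "Downloads").mkdir(parents=True)
    (laptop / "Downloads" / "bloggs.txt").write_bytes(record)   # forgotten download
    (laptop / "notes.txt").write_bytes(b"shopping list\n")        # unrelated
    mail = Path(base, "mailstore")
    mail.mkdir()
    (mail / "att_0012.dat").write_bytes(record)                  # attachment, renamed
    return str(cloud), [str(laptop), str(mail)]


def run_discovery():
    """Build the estate, run discovery, write the audit trail and return
    (findings, parsed_audit_lines)."""
    with tempfile.TemporaryDirectory() as base:
        cloud, endpoints = build_constructed_estate(base)
        findings = find_stray_copies(cloud, endpoints)
        audit = os.path.join(base, "discovery_audit.jsonl")
        write_audit_trail(findings, audit)
        with open(audit, encoding="utf-8") as f:
            audit_lines = [json.loads(line) for line in f]
    return findings, audit_lines


if __name__ == "__main__":
    found, _ = run_discovery()
    for endpoint_copy, master in found:
        print(f"copy: {endpoint_copy}\n  of: {master}")
```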

      Are there solutions suitable and affordable for SMEs?

We have a solution that meets the requirements and, not only that, has a built-in encryption system, all within the same monthly cost. It’ll cost you nothing to trial it, and we’d be very surprised if, once you’ve seen it and seen the ridiculously low monthly charge for the managed service, you don’t want to keep it.

      FEAR, UNCERTAINTY AND DOUBT

      Or as it’s known amongst cyber security sales teams, FUD.  It’s a tried and tested method of trying to hook new sales and is often used by sales teams at, shall we say, a slightly lower level than the top end enterprise sales teams who, like me, don’t like it and stay shy of it.

OK, so now I’ve established my ethical credentials, how do I let my clients and potential clients know what the threats are and how vulnerable they are to them? There’s a fine line between FUD and education. People don’t need to be scared into doing things, they need to be educated into it, and they have every right to know what the threat landscape looks like and how vulnerable they are to it.

      What’s the Threat in 2025?

In 2025, organisations can expect to face a variety of cyber threats, including AI-powered attacks (see https://hah2.co.uk/?s=Artificial+Intelligence), ransomware with complex extortion tactics (https://hah2.co.uk/?s=Ransomware), supply chain attacks (https://hah2.co.uk/?s=Supply+Chain), vulnerabilities in IoT and 5G networks, and the rise of deepfake technology. Cybercriminals are leveraging AI to automate attacks, develop advanced malware, and bypass traditional security measures. Additionally, ransomware attacks are becoming more sophisticated, with some now stealing data alongside encryption, increasing the pressure on victims to pay. Supply chain vulnerabilities are also a major concern, as attackers can target third-party vendors to gain access to larger networks. The increasing number of IoT devices (see https://hah2.co.uk/?s=IOT), many of which lack robust security, also presents a significant challenge, as they can be easily exploited for attacks that disrupt critical infrastructure. Deepfake technology is also becoming more accessible, making it easier for attackers to create realistic fake content for various malicious purposes.

      How Does This Impact SMEs?

      So where do SMEs sit in this space?  There is still the perception amongst them that they are too small to be worth attacking, that the rewards for the cybercriminals aren’t enough and they won’t bother.  Well, let’s debunk that.  SMEs are seen as low hanging fruit.  They will have much smaller budgets than the bigger players, they will almost certainly outsource their IT and as I’ve said often, you can outsource your IT, but not your responsibility.  There is a dearth of cyber security expertise, not just within the SMEs themselves, but also amongst the IT outsourcers they use.

      In 2025, it is anticipated that SMEs will face evolving cyber threats, including AI-powered phishing, ransomware, and supply chain vulnerabilities, along with insider threats and IoT exploits. AI is going to have a very real impact on the attacks designed against SMEs.  Why?  Because AI provides automation, and automation is the key to making real money when attacking SMEs.  Think it through.  If a criminal organisation can attack hundreds, if not thousands of targets using one automated attack, with an expectation of say 50% success, with extremely little effort using AI, then that’s good business for them.  AI-driven attacks are predicted to be a top concern, with sophisticated phishing campaigns and deepfake fraud attempts on the rise. Ransomware continues to pose a significant risk, especially for SMEs with limited cybersecurity resources. 

      Supply Chain Security

      Supply chain vulnerabilities are also a growing concern, as hackers can exploit connections with external vendors to breach multiple businesses.  This should be a very real concern for any SME in the supply chain of a major organisation.  Just imagine the consequences for that SME if its customer is attacked, loses money and reputation, and can pinpoint the attack as having come via the SME.  How would that impact the SME?  Well, the financial and reputational consequences would probably kill the business.

      Ramsac, in their 2025 SME threat report, tell us that a mid-sized UK logistics company fell victim to a ransomware attack in June 2023. The attackers infiltrated the company’s network and left a note on screens: “If you’re reading this, it means the internal infrastructure of your company is fully or partially dead.” They had encrypted the firm’s files and threatened to leak confidential data, essentially holding the business hostage.  Ramsac also report that a large retail breach occurred when attackers compromised a small HVAC subcontractor (with far weaker IT security) and used those credentials to penetrate the larger corporate network. That attack led to the theft of millions of customer card details and tens of millions of dollars in damages – all traced back to a third-party SME vendor being hacked via a phishing email.

      In Summary

      We published a piece recently about cyber security and the SME and, rather than repeat it here, we’ll simply give you the link – https://hah2.co.uk/cyber-security-and-the-sme/.  It reiterates some of my hobby horses, chief amongst them being cyber awareness training.  I’ve said it before, but it bears repeating, that your staff are your first line of defence and are either your greatest asset or your greatest risk.  The actions you take as an owner/director/manager will decide which.

      SMEs are facing increased pressure on their resources, and the temptation to park cyber security until times are better grows alongside that pressure.  Avoid complacency: let’s discuss what you might be able to do procedurally and at low cost. If you have invested in tech, is it the right tech, and is it doing what you think it’s doing? That’s never a given.
