Security

Cyber Awareness Training Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Security Tools

How Can We See a Return on Investment from our Cyber Security Spend?

How are businesses improved through good cyber security?  It’s a question just about every customer, or prospective customer, of ours asks themselves.  They need to see a return on investment, after all, if you don’t see anything tangible for your money, you’re unlikely to keep going down that road.

When my business partner and I set up H2 after we returned from the Middle East where we’d been working for the HP division that was busy merging itself with CSC (been there done that, didn’t fancy returning to it), the whole question of how we could offer something that gave that return on investment, occupied much of our thinking.  What services could we offer at a price that businesses were prepared to pay, and what tangible benefits could we offer?

At first, we were purely a services company, proudly product agnostic, recommending the right products for the right solutions for the right customer.  Not at all altruistic, but rather we felt that was the right thing to do be doing.  Like many people we didn’t see COVID coming around the corner like a freight train.  The pandemic didn’t just change how we would be delivering our services, it changed the whole market, it changed working practices, which are still evolving.  That meant that we had to change or die.  A stark choice but not one that could be avoided or put off.  Like many businesses we had to reengineer the business from the ground up whilst still providing services that customers wanted and could see a need for.

An interesting google search is finding out what businesses are researching online.  I was quite surprised to find that the question ‘what is a cyber-attack?’, is the most searched phrase, by a long shot.  This suggests that many are still confused as to what a cyber-attack actually is.  Breaking that down, its probably not all that surprising because of all the various types of cyber-attack that are constantly being rammed down peoples’ throats and I think the cyber security industry needs to take responsibility for that.  There’s a big difference between education and propaganda.  FUD (fear, uncertainty and doubt) is a common method used by many to sell security.  Personally, I’m not in favour of doing that.  I like to educate, not scare.

Other subjects being searched for are ransomware, phishing, spoofing, cyber threats, insider threats and cyber awareness (there are more but they’re a long way down the list).

What people want to know hasn’t changed all that much, neither has the types of threats.  What has changed is how those threats present themselves, how the methodologies have changed in order to match new technologies and working practices, particularly the move to remote or home working and the additional threats that this poses.  AI is making a big impact already and that impact is going to get bigger as time goes on.  Email spoofing for example, that is faking an email purporting to come someone legitimate in order to get someone to take some action that is in some way fraudulent, is now being done over the phone with AI being used to fake someones voice.  It’s a scary development and there are now several well reported instances of this happening in the US.  If it’s happening there, it’s only a matter of time for it to happen in the UK and across Europe.

One of the first services we offered was the Cyber Maturity Assessment and our very first client took that service.  Our brief was to examine their Cyber Security and Data Protection posture, including policies, processes and technical configuration and controls. They were pleased that our assessment was very comprehensive in discovering the threats and vulnerabilities to their systems and that we described them in terms of business risk.  We developed comprehensive policies and processes that were all encompassing and designed to fit in with the style and presentation of their employee handbook.  All good but it required us to attend their site for a couple of days which was, at one time, normal and acceptable but in terms of the ‘new normal’, not so much.

Whilst we still offer that service, remote services are much more popular and much more in keeping with how businesses are now operating.  It doesn’t much matter where their staff are working, home, office or on the move.  What matters is that their protections are maintained regardless.

As we developed our new offerings we researched and came up with solutions that do just that.  We adopted Software as a Service (SaaS) and found some very innovative solutions that we can use to provide a managed security service to our clients at a very affordable price. 

Returning to our first paragraph, how do we show a return on investment?  Using our SaaS platform, we offer a 14 day free trial during which we can show a client where they currently stand and then carry out some quick remediations to show how that can be improved, so that the client can see the value of what they are going to get, using their own data.  It works and I commend it to you.

Check it out – https://hah2.co.uk/

General Security Issues Risk Analysis and Security Strategy Security

RELATIONSHIP MANAGEMENT

Some introspection is good for the soul they say, and I can’t help but try and apply that to how we, ie so called cyber security professionals, approach prospective clients, or indeed, converse with existing clients.  Is there a certain smugness involved where we believe we know best and whether we do or not, try and push what we think a client should have, rather than what a client needs.  Does this attitude, no matter how hard we try to suppress it, make prospective clients wary of what we have to say?

Of course we have our methodologies, particularly regarding risk management, and I am a great exponent of getting that right, but how many of us take the time and make the effort, to understand the clients situation.  It’s what we used to call situational awareness.  It didn’t just refer to a client understanding their own situation, but us appreciating that situation as well.  After all, not all clients, even those in the same vertical and the same size of business, has exactly the same problems.

A lot depends on who you are and who you work for.  The larger IT system integrators and consultancies do take the time to try and understand their clients.  In fact, going back to the early 2000s, working for a multinational IT product and services giant, we never actually outright tried to sell anything.  Our salespeople at the enterprise level, were very much relationship managers, they built relationships with their clients, got to know their businesses and made suggestions that the client might be interested in.  The mantra was that people buy from people, not from brands.  Brands are great in the marketing context, building awareness and a market presence, but they never seal the deal. 

Of course, at the start of a sales year some bright young thing sporting an MBA and a burning ambition would move the salespeople around, ruining years of relationship building and vertical knowledge, because ‘it needs shaking up’.  The end result is hacked off employees who look elsewhere and hacked off clients who think, well, if I have to start with someone else, I’d might as well see what else is out there.  But that’s a whole other story.

Research your client, understand their business, make sure you’re building a relationship with the right person.  Understand the industry, their pain points and needs.  Only then can you really start to craft a value proposition and call to action that the client can relate to.  Foster that relationship, make sure that not every call you make is about your products and/or services, make it more personal.  Above all, be genuine, it pays off in the end.

I guess what I’m getting at is that it really is all about building relationships with people.  You can have a deep understanding of your subject, fantastic product knowledge and a sparkling personality, but if you talk down to a prospective client, come across as in anyway condescending or patronising, you’ve lost the game.  You have to listen, ask intelligent questions, show that you are really interested in understanding the issues that face this prospective client, and make suggestions that might be suitable to solve the pain points being put in front of you.

We decided a couple of years ago, to offer a service which we entitle Board Advisor (https://hah2.co.uk/why-use-an-independent-board-advisor).  The point was not to try and sell solutions, not to try and sell any particular product, but to work with our clients to identify the issues they really do face and work through those issues to identify potential solutions that will help them in their business by protecting those critical assets that would cripple the business if they were not available or were corrupted in some way.  It’s all about putting appropriate measures in place before disaster strikes and preventing the vastly higher costs of recovery post-breach, from immediate financial impacts to lasting reputational damage.

The security threat landscape is becoming both more sophisticated and easier to exploit by the less sophisticated.  This seems to be at odds but such things as artificial intelligence (AI) is transforming nearly every industry, including cybersecurity. Whilst AI enables enhanced threat detection and response, this powerful technology can also be weaponised by cyber criminals. As AI-driven cyber-attacks grow more advanced, organisations must act quickly to implement robust defences.  Trying to keep abreast of this whilst running a business and focusing on your core requirements, is daunting and frankly, you’re not going to succeed.

If you’d like to discuss the art of the possible, give us call.

Data Breaches and their consequences News Security

Data Breaches – How bad could it be?

“Fujitsu Hacked – Attackers Stolen Personal Information”

Fujitsu confirmed a cyberattack that led hackers to steal personal data and customer information.

Now there’s a headline to put fear into their customers, both current and potential.  Not a great look for one of our premier IT system integrators and manufacturers.

But what’s that got to do with me you say?  I don’t have any Fujitsu kit and I’m way too small to feature on the radar of a hacker or team of hackers, that would target someone like this.  OK, maybe true, maybe not so true.

Did you know that since 2005 the Information Commissioners Office (ICO) has ruled on 13,500 freedom of information and environmental information cases. Many of these would be classed as SMEs and small government departments, particularly local government.  Last year alone, 86 enforcement actions were taken which included 37 reprimands, 24 enforcement notices, 23 monetary penalties and 2 prosecutions.  Fines of around 80K are not uncommon, and a fine of that size would be a severe blow to an SME.  The ICO has issued fines totalling £590,000 to five companies for collectively making 1.9 million unwanted marketing calls which targeted the elderly and people with vulnerabilities.

Fines and enforcement notices cannot be hidden, they are published on the ICO website for all to see, which can have an impact on the reputations of companies, adding to the pain of any fine caused by a unwanted marketing calls or data breaches.

In practice though, the ICO is not there to put you out of business and the chances of a fine of anywhere near the maximum, being applied to an SME, is low but not impossible.

It is, for most SMEs, about doing what is reasonable to prevent a data breach.  That will include having the right policies and procedures, known to all staff, and rolled out.  Don’t play lip service to this, you will be found out.  It is important to be aware of the threat and take the necessary actions to prevent breaches.

Lack of adequate data security is an important basis for imposing fines.  Are you one of the SMEs who has swallowed the line that a firewall and some anti-virus, plus cloud storage, is all you need? 

In addition to inadequate security, one of the frequent reasons for imposing a penalty is failure to report a violation despite the obligation under the law.  Have you got that covered with an adequate policy and process in place and understood?

This can all be a real nightmare for many SMEs, particularly those with a large amount of personal data, much of which they can’t ditch.  For example, financial data which under other legislation, they must keep for 7 years.  I’m thinking about Estate Agents and financial advisors, even solicitors who I find are very good at telling others what they need to do to comply with the Act but aren’t so hot on how to do it.

One of the biggest issues I find with SMEs, is that they often think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set.  This has become a real issue since COVID, in that remote working is becoming normal and it’s a real temptation for an employee, working from home with possibly less than robust broadband, to copy data from cloud storage to their PC or laptop to ensure they can keep working on it.  Then they upload it again when they’ve finished but forget to delete their copy.  That’s just one instance but it is vital to understand where all this data is.  What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why.  I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person.  But under the law, they had no choice but to bite the bullet.

We’ve been pondering these problems for some time, and they boil down to processing and storing the data securely and being able to quickly lay your hands on it.  There are several systems on the market which will capture where your data is, and who has access to it, generally under the banner of Data Loss Prevention, or DLP.  These systems are based on an event-driven approach and require extensive ongoing rules management built for LAN/WAN perimeters and are becoming much less effective working in an increasingly perimeter less environment. 

Local and Wide area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premises repositories (File Server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like slack or WhatsApp), and 3rd party portals. We needed an answer to this new data landscape with a cross-platform discovery functionality, coupled with the data flow monitoring capabilities.

We came across Actifile, which works very differently to a standard DLP, which in any case, often requires other tools to provide the security functionality needed.  Actifile is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in the world of no security perimeters. Moreover, Actifile’s set and forget method, requires little to no maintenance, and can be up and running securing data, in less than 3 working days providing a detailed breakdown of the data risk and leverages the data risk for data flow monitoring, auditing and remediation. This approach greatly simplifies the process.

Actifile is a cloud-based management platform coupled with a lean agent for workstations (both Windows and Mac), File Servers, NAS and Terminal Servers, and a sidecar docker instance for cloud-based file shares (. i.e., OneDrive).

Step 1: Data Risk Discovery and Quantification

Based on predefined privacy regulations and PII definitions, Actifile immediately starts scans for sensitive data using smart patterns. Actifile then quantifies data risk per PII type in local currencies.

Step 2: Data Risk Monitoring and Auditing

Tracks and audits data risk in real-time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organization.

Step 3: Data Risk Remediation by Encryption

Our patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption takes as little as 72 hours.

Finally, and importantly, it is very light on administration, quick to set up and we are offering a 30 day trial at no cost.  If you don’t like it, we take it away.

General Security Issues Risk Analysis and Security Strategy Security

More about Risk Management

I’ve decided I haven’t bored you all enough about risk management yet, as it pertains to cyber security.  Try not to stretch your jaw too much as you yawn and stay with me because it is extremely important and will become more so as cyber-attacks get more sophisticated and more importantly, ever more common as AI makes them much easier to implement and enables hitherto less skilled criminals, to become more capable. 

We are still, in the SME market, suffering from a misunderstanding about what cyber security is all about.  I know I bang on about this, but it can’t be overstressed.  Without fully understanding the risks you are exposed to, how can you be sure that you are spending your limited budget in the most effective way, and in a way that is doing some good.  I threw that last bit in because I come across situations all too often, where an SME is wasting money and resources because they don’t have a handle on their security risks.

Now I know that many will say that this is a technical matter and that we have a company under contract that looks after our IT infrastructure and therefore we can safely leave it to them.  Wrong.  Ask them some simple questions: 

·      Have they fully identified your security assets?  Security assets are not just   hardware and software, in fact those are often the least of your worries.  It’s the data, where it is and how it’s protected that is important.

·      Have they done a risk assessment on those assets.

·      Have they recommended or implemented controls to manage the risk down to your acceptable residual risk level.  That is assuming they have spoken to you about what that acceptable risk is. 

It’s very important that business owners grasp the difference between the technical requirements of their networks, and the business requirement. 

·      Tech 

Describes the protection of networks, computers, programs, and data. It is a branch of cyber security which is focused on preventing intrusion and therefore theft or manipulation of your systems, from both internal and external sources. Technical security consists of tools such as firewalls, anti-virus software, intrusion detection systems and more to prevent and defend against attackers. 

Technical security needs to work within a defined and business focused security strategy.

·      Business 

Encompasses all aspects of protecting digital assets, including computer systems and networks, from unintended or unauthorised access, change or destruction. Cybersecurity focuses on a devising a security strategy and identifies controls, processes, and technologies to ensure the protection of data, programs, networks and associated software from unauthorized access or attack. It is focused on People, Process and then Technology.

Cybersecurity has a larger role in protecting organizations from malicious cyber-attacks and data breaches. A comprehensive cybersecurity strategy should include preventive measures such as strong authentication protocols, encryption, and threat intelligence analysis; detection mechanisms to rapidly identify attacks; response plans to quickly mitigate the damage; and recovery procedures to help recover after an attack. All these operational capabilities can help ensure organizations are better prepared to defend themselves against potential threats. 

Bottom line folks – you can outsource your IT, but you can’t outsource your responsibility. 

Risk management is all about helping us to create plans for our future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis. 

We need to manage risk to enable us to make the best possible decisions, based on our analysis of future events and outcomes. Whilst the future can be anticipated to an extent, there are limits to how much it can be anticipated. 

There is no business without risk and an acceptable residual risk in one company, will not be acceptable in another.  That’s a business decision.  Risk must be recognised and then managed in some way or other, classified in some way. And whilst we would all like to abolish risk, that won’t happen.  

Whilst working for major providers servicing the big company’s, banks and major government departments, we would recommend that at least 15% of their annual IT budget should be allocated to cyber security.  That means not just tech but also reviewing cyber security policies and processes, cyber awareness training for staff and managers, reviewing the threats and vulnerabilities and then revisiting the risk to their assets.  It’s interesting to note that the figure of approx. 15% has crept up over the years.  About 20 years ago we were saying 5% then 10 and now it’s a minimum of 15% and some company’s are allocating even higher percentages as threats increase year on year.  That figure could easily sky rocket once AI becomes prevalent amongst the criminal fraternity. 

Just keep in mind that cyber security is a business issue and not an IT issue and that cyber risk must be evaluated and dealt with in the same way that you would any other risk to your livelihood.

Cyber Awareness Training General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Security

Artificial Intelligence – It’s here to stay

Artificial Intelligence is coming more and more to the front in the news, in just about all spheres of IT, no matter the vertical it serves. 

What exactly is AI?

Artificial intelligence (AI) describes computer systems which can perform tasks usually requiring human intelligence. This could include visual perception, speech recognition or translation between languages.

Of course, that’s not the only description you’ll find if you use your best research tool, Google, but it’s one used by the National Cyber Security Centre, so it’ll do for me.

I’m willing to bet that many of you, most of you, have some form of AI app downloaded on your devices.  ChatGPT is arguably the most popular amongst the general populace but it’s not the only game in town.  These apps are becoming more and more available and popular. ChatGPT is an artificial intelligence chatbot developed by OpenAI, a US tech startup. It’s based on GPT-3, a language model released in 2020 that uses deep learning to produce human-like text.  It has an underlying technology that has been around much longer, but this blog isn’t about the technicalities of AI, but more about how it affects SMEs as they go about their business.

I’ve been arguing that perhaps the biggest potential threat in terms of proliferation, ie the number of attacks waged at a relatively low level, aimed at quick wins in terms of scamming money, is the re-emergence of the script kiddie.  I wrote, some time ago, about how code could be written to be inserted into a Ransomware attack, quite easily, using AI. 

Script Kiddie

A script kiddie was what we called someone of relatively low skill levels who would go online to the dark web, and purchase scripts written by more advanced criminals that they had put up for sale.   The script kiddie would then use these scripts to mount an attack on a company or organisation.  These often failed because the script kiddie wasn’t all that bright, but just occasionally, they were harmful and even devastating.

Another scam, reported in The Washington Post, was an update on the very well reported CEO Scam, whereby someone impersonates the CEO of a company using spoofed email, but this time it’s using AI spoofing the CEOs voice, attempting to scam money from the company.  This one worked, and the company lost a lot of money.

So why am I bringing this up again so soon?  Well AI continues to be reported in the news, sometimes with a good result and sometimes not so good.  So, I thought I’d ask Chat GPT what it thought about AI and Cyber Security.  I asked 2 questions, the first was, ‘Is AI a danger in terms of Cybersecurity?’.  The answer came back:

Double Edged Sword

AI can be both a boon and a potential danger in terms of cybersecurity.  On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks.  On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously.  Sophisticated AI powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale.  It is crucial to develop robust safeguards ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

So even ChatGPT thinks this is a double edged sword.  The real problem for my target clientele, the SME space, is that affording AI powered tools to detect and mitigate threats and analyse large amount of data, will seemingly be too costly for them.  But as many defences use AI themselves now, it’s actually quite affordable.  So, when we are talking about developing robust safeguards, understanding the risks becomes even more vital, if that’s possible, than it ever has been before.  It also brings Zero Trust solutions sharply into focus and finding such solutions that are affordable, is going to become crucial.

The next question I asked was, ‘How do we ensure that AI isn’t a cybersecurity threat?’.  The answer came back:

Key Considerations

Ensuring that AI is not a cybersecurity threat requires a multi-faceted approach. Here are some key considerations:

1. Robust Security Measures: Implement strong security protocols, encryption, and access controls to safeguard AI systems and their underlying data from unauthorized access or manipulation.

2. Rigorous Testing and Validation: Thoroughly test and validate AI algorithms and models to identify and fix vulnerabilities, including potential avenues for cyberattacks, before deployment.

3. Adversarial Testing: Conduct adversarial testing to simulate potential attacks and evaluate the resilience of AI systems against different cybersecurity threats.

4. Data Privacy and Governance: Establish clear policies and practices for data privacy, ensuring that sensitive information is properly handled, stored, and shared in compliance with relevant regulations.

5. Ongoing Monitoring and Updates: Continuously monitor AI systems for potential security risks, promptly address vulnerabilities, and keep software and hardware up to date with the latest security patches.

6. Ethical AI Development: Integrate ethical considerations into the design and deployment of AI systems, emphasizing transparency, fairness, and accountability to mitigate potential biases or unintended consequences.

7. Collaboration and Information Sharing: Foster collaboration among industry, academia, and government entities to share knowledge, best practices, and emerging threats, enabling a collective effort to combat AI-related cybersecurity challenges.

8. Education and Awareness: Promote cybersecurity awareness and provide training to AI developers, users, and stakeholders, emphasizing responsible AI usage and the identification of potential threats.

By following these guidelines and continuously adapting to emerging risks, we can enhance the security of AI systems and minimize the potential for them to be exploited as cybersecurity threats.

Next Steps & Relevance

Again, looking at this from an SME perspective, some of it isn’t relevant i.e., No6 for example, SMEs aren’t going to be developing their own AI solutions.  And much of it I would have come up with on my own, without the aid of a machine.  It would appear that AI uses some common sense, which is nice.  No8 for example.  I bang on and on about this.  It is low cost and easy to implement.  It’s staggering how many companies don’t do this. This list also shows the value of Zero Trust solutions and encryption, which on its own, vastly reduces the risk to data, particularly PII (personal identifiable information – UK GDPR).

The argument then is that AI might encourage a proliferation of low level attacks, largely aimed at SMEs who generally have the lowest defences.  Quite low level criminals can utilise AI to carry out attacks that heretofore would have been beyond their skill level.  Common Cyber sense can go a long way to mitigating these attacks.  Technology evolves, attacks evolve, but the basic understanding of threat + vulnerability = risk, has never gone away.  Understand that and you stand a good chance of staying safe.

Scroll to top