Supply Chain Security

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security

MORE ABOUT MANAGED DETECTION AND RESPONSE

This subject has, in the past, been difficult to convey to SMEs.  In the corporate and major government department world, it’s a well-understood issue, more often referred to as a security operations centre, or SOC.  I’ve built several of these over the years in the UK and the Middle East, and one thing is for sure: they are expensive to run in terms of both technology and manpower, which makes them unrealistic for an SME, even if they would be of real benefit.

So why am I even bothering to explain what it is?  Simply because there are now systems on the market, very often AI-driven, that have managed to hit a price point that an SME can afford.  These systems may not be as comprehensive as you might find in a large company or central government department, but they do match the requirements for most SMEs.

Why would an SME want such a system?  First and foremost, any such system or service pitched to an SME needs to make business sense.  To maximise its cost effectiveness, having additional capabilities such as vulnerability assessment, phishing simulations and cyber awareness training programmes makes it more attractive.  The whole package needs to emulate enterprise-grade protection without the cost and complexity of a full-blown SOC.  Delivering it as a service reduces cost by cutting out the need for an in-house team.

Good questions for all SMEs to ask themselves are:

If an attack or scam happened tomorrow…

Would you know about it?

Would you be able to stop it in time?

Would your team recognise it for what it is?

In a nutshell, an SME would want this system because it delivers near enterprise-level cybersecurity protection, reduces business risk, improves compliance, and protects revenue without needing an internal cybersecurity department.  It provides peace of mind – you don’t have to worry about this, let someone else take the strain, while you focus on your business.

To help explain this easily, I have produced a short video which you can find on the Features Section on my LinkedIn profile.   But if you don’t want to view that, what follows is an introduction to what the service offers.

  • Continuous monitoring of endpoints, servers, and some cloud environments
  • Rapid detection of ransomware, malware, insider threats, and advanced attacks
  • Expert-led response
  • Phishing simulations
  • Cyber awareness training programme
  • Dark web monitoring

For most SMEs, hiring skilled cybersecurity analysts is expensive and difficult. MDR gives access to an appropriate service level at a predictable monthly cost.

Business benefit: Reduced risk of downtime, data loss, and reputational damage.

This service comes with vulnerability assessment built it.  Such assessments are available elsewhere as both software and a service, but they would not be integrated into an overall protection and would need to have a level of expertise to interpret the results.

Vulnerability assessments:

                  •               Identify outdated software, misconfigurations, and exposed services

                  •               Prioritise risks based on severity

                  •               Provide remediation guidance

Most breaches happen because of known, unpatched vulnerabilities. Regular scanning helps prevent attacks before they happen.

Business benefit: Proactive risk reduction instead of reactive damage control.

The system also offers built in protection against human error (Phishing Simulation).

Over 80–90% of cyber breaches start with phishing. A phishing simulation programme:

                  •               Tests employee awareness safely

                  •               Identifies high-risk users

                  •               Reinforces learning through practical scenarios

Business benefit: Fewer successful phishing attacks and reduced likelihood of credential compromise or ransomware infection.  Such simulations are an integral part of cyber awareness training.

We also assist in building a security culture (CBEE Awareness Training Programme).  A structured awareness programme:

  • Trains staff on cyber hygiene and data protection
  • Covers password security, social engineering, safe browsing, etc.
  • Supports compliance with regulations (GDPR, ISO 27001, Cyber Essentials, etc.)

Cybersecurity isn’t just technology, it’s behaviour. Training reduces internal risk significantly.

Business benefit: Employees become a security asset rather than a liability.

A managed system such as this can also help with compliance & insurance requirements.  Many SMEs now face:

  • Regulatory obligations
  • Supply chain security requirements
  • Cyber insurance conditions

Having MDR, vulnerability management, and training demonstrates due diligence and can reduce insurance premiums or improve insurability.

These last 2 points are very important to an SME:  Cost Predictability & Simplicity.  As a managed service, everything is:

  • Subscription-based
  • Centralised under one provider
  • Fully supported by experts

No need to buy multiple tools, manage updates, or maintain in-house expertise.

In business terms you are getting executive-level risk reduction with a simple value:

  • Reduced likelihood of business interruption
  • Reduced financial exposure
  • Protection of brand and customer trust
  • Clear reporting and measurable risk reduction

All through this article I’ve talked about cost effectiveness.  So, what does this service cost?  I’ll add the BBC caveat – other systems are available!!  We charge £15 per seat per month, and you get a lot for your money.  Seems cheap and we’re happy to explain how we can get the price so low.  It’s a 30-day rolling contract, no long-term lock in, simply 30 days’ notice to quit.  We also offer a totally free 14-day trial that is fully functional so you can see the outputs from your own system, rather than look at demos with dummy data.

Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security

An Increase in sophistication in cyber-attacks in 2025

Artificial Intelligence (AI) is a fascinating subject, but it’s also a controversial one. These days, we are all using it to some extent. I know I do in the solutions I provide for SMEs, as it allows for a large degree of automation, which in turn lowers costs. Lowering costs is always a priority for an SME.

So what is AI?

Artificial intelligence (AI) refers to computer systems that can perform tasks typically requiring human intelligence. This could include visual perception, speech recognition or translation between languages.

That description was one that was put forward by NCSC, and so it’ll do for me, although I’ve no doubt, you’ll find other descriptions if you look hard enough.

Often, what is called AI isn’t all that intelligent. It’s not taking in information, analysing it and coming up with answers. Of course, some very clever versions are doing just that, but they are mostly not available to you and me. The versions we see are very good at being asked a specific question and data mining various sources at an incredible speed and then producing the answer you want, usually with several variations. And that’s pretty much what most of us want to use it for.

As I said above, I use it in the applications I use for cybersecurity managed services directed at SMEs, not least because automation reduces cost, but also because it is very efficient, meaning that the results it produces need minimal human intervention to analyse the output.

But let’s look at the downside of AI in cybersecurity, which is what the cyber criminals are using it for. Firstly, what is it that is at risk:

  1. Data Leakage. AI systems tend to be extremely good at analysing, organising, and harvesting vast amounts of data, raising concerns about privacy breaches and unauthorised access to sensitive information. A good AI-powered attack could capture huge amounts of personally identifiable information (PII) in a ridiculously short amount of time.
  2. Data Integrity. In the good old days (please indulge me – I’ve been around a long time), we used to talk about CIA, no, not the infamous US intelligence agency, but Confidentiality, Integrity, and Availability. We now have something we call the Adversarial Attack. This is where attackers can manipulate AI algorithms by feeding them misleading data, causing them to make incorrect predictions or classifications, in turn destroying the integrity of your data, not just rendering it useless, but also dangerous.
  3. Model Vulnerabilities. This next one is relatively new, at least to me, and as I never tire of saying, I’ve been in this game as long as there’s been a game. It’s something called Model Vulnerabilities. AI models can be vulnerable to exploitation, such as through model inversion attacks or model extraction, where attackers can reverse-engineer proprietary models. So, if you’re in the dev game, this is a very real nightmare.
  4. Bias and Fairness. AI systems may inherit biases from training data, leading to unfair or discriminatory outcomes, which can have legal, ethical, and reputational implications. This could be used as another form of extortion, playing with the integrity of your data, to the point where you can no longer trust it.
  5. Malicious Actors. These can compromise AI systems at various stages of development, deployment, or maintenance, posing risks to organisations relying on these systems. This has a role in supply chain security.
  6. Attackers can leverage AI techniques to enhance the effectiveness of cyberattacks, such as automated spear-phishing, credential stuffing, or malware detection evasion.

What we saw in 2025 is an era where cyber‑attacks are AI‑powered, highly targeted, automated, supply‑chain enabled, multi‑stage, and geopolitically driven. These attacks exploit weaknesses across credential systems, zero‑day exploits, deepfake tools, and ransomware as a service (RaaS) platforms.

We are in an accelerating digital arms race that calls for AI‑driven defence capabilities, real‑time insights, deception environments, zero‑trust architectures, and quantum‑safe cryptography.

  1. Cybercriminals are leveraging AI to automate vulnerability scans at astonishing speeds, up to 36,000 scans per second, resulting in massive volumes of stolen credentials (1.7 billion) and drastic upticks in targeted attacks.
  2. AI is also generating hyper-realistic phishing messages, deepfake audio/video, and even “CEO fraud” to manipulate individuals into transferring funds, like a deepfake trick that siphoned US $25 M in Hong Kong.
  3. RaaS platforms now enable less skilled attackers to run ransomware, complete with support and updates. Over 70% of attacks now use these services.
  4. Attackers have shifted to double/triple extortion schemes, encrypting data, threatening to leak it, and sometimes targeting associated partners or customers.
  5. Next-gen ransomware is rolling out advanced stealth, data theft, and automated lateral movement techniques, i.e., using an initial breach to jump across to other parts of your network or that of your partners and customers.
  6. Attacks starting via third-party software or vendors allow hackers to move laterally into networks and compromise multiple organisations simultaneously.
  7. Nation-states are not just using espionage but are now partnering with ransomware gangs to conduct financially and politically motivated operations.
  8. Nation state-aligned hackers are conducting sophisticated credential theft, MFA bypass, lateral infiltration, DDoS, website defacements, and disinformation across geographies.
  9. Exploit kits now rapidly find zero-day vulnerabilities, especially in cloud environments, to bypass patching cycles.
  10. Attackers increasingly use built-in legitimate software and system tools (living off the land) to evade detection.
  11. Reported credential theft incidents rose 300% from 2023 to 2024, with 25% of malware focused on stealing login data.
  12. These stolen credentials are a gateway for automated brute‑force, lateral movements, and supply‑chain infiltration.
  13. Millions of IoT and OT systems (from manufacturing to agriculture) remain insecure and are now common targets of AI‑driven automated attacks.
  14. Mobile‑specific ransomware is emerging; threat actors are developing malware to extort victims directly via their mobile devices.
  15. In response, organisations are deploying deception tech (honeypots, decoys) to detect lateral intrusions or zero-day exploits in real time.

Let’s not make the mistake of thinking that this is all very sophisticated and requires expertise and resources to pull off. It doesn’t. Take another look at some of the bullets above, where we talk about RaaS or Ransomware as a Service. This takes me back to what we used to term the ‘script kiddie’, that was relatively unskilled and unsophisticated ‘wannabe’ hackers who would visit the dark web and buy scripts from skilled hackers, that they would then try and use to make money, often unsuccessfully.

This has now moved on to using AI, and such services as RaaS; this type of low-skilled individual is back, but this time with a greater level of success. Let me give you a real example of how AI can be used by someone relatively low on the criminal totem pole. Using Chat GPT, the question was posed:

Can you write some ransomware code for me?

So, did ChatGPT help to write Ransomware code? Well, not initially, it gave a stock answer about not being able to write code that might damage a computer system. And some tooing and froing, trying to get around this, achieved the same result. So far, so good. That’s an ethical answer I would like to see.

Coming at it obliquely, via a back-and-forth conversation, can produce different results. Give it the instruction to write some C code to encrypt a single file, and get the result:

Certainly. Here’s an example of how you can use the OpenSSL library to encrypt a single file using the AES-256-CBC encryption algorithm in C.

The next step was to ask it to modify the code to encrypt a whole directory, which it did willingly.

Obviously, this isn’t the complete answer, and there would be more work to do, more research and probably a trip to the dark web, but a relatively unskilled individual can make a good start at producing their own ransomware.

I even asked Chat GPT to give me a description of how AI can be a boon as well as a danger to society:

AI can be both a boon and a potential danger in terms of cybersecurity. On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks. On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously. Sophisticated AI-powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale. It is crucial to develop robust safeguards, ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

If you’re looking for answers as to where we stand with AI, there are a multitude of opinions, I’m afraid, mostly because many of us are still trying to work that out for ourselves. However, I will continue to explore it, use it carefully and with forethought. The questions I pose will be based on my own knowledge of cybersecurity and my experience in life. Let’s hope I get it right.

Cyber Awareness Training Data Breaches and their consequences Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Supply Chain Security

The Effects of Downtime on Your Business Can Be Devastating

I’ve talked in the past about what SMEs really care about when it comes to cyber security.  Do they really care about the technicalities of an attack or scam?  Do they really care about the technical aspects of a piece of protective software or hardware?  My argument is that they neither need nor want to know how this stuff works.  What they do want to know can be summed up pretty easily.

  1. How vulnerable are they to an attack and/or scam?
  2. What would be the effects if that attack or scam succeeded?
  3. What can they do about it, and how much will it cost them?

I wrote mostly about points a and c in a blog earlier in the year, https://hah2.co.uk/what-do-sme-owners-and-directors-want-from-cyber-security/, and I’ve included the link if you want to read it.  This time I’m concentrating on point b and the effects of the downtime that it creates.

Downtime following a cyberattack can have serious consequences for businesses, and individuals. We can categorise these into several key areas:

  1. Financial Costs
  • Lost Revenue: For e-commerce platforms, financial institutions, or other time-sensitive industries, downtime directly results in revenue losses.  All businesses will suffer some degree of revenue loss if they can’t carry out their business because their access to suppliers, customers and operations are seriously curtailed.
  • Operational Costs: Companies may need to pay overtime to staff to keep the business going manually without access to IT, hire external cybersecurity experts, or invest in replacement hardware or software.
  • Regulatory Fines: Non-compliance with regulations like GDPR or industry focused standards, due to downtime or data breaches can lead to significant fines.
  • Damage to Reputation
  • Loss of Customer Trust: Downtime can erode confidence, especially if sensitive customer data is exposed or if services are unavailable for extended periods.
  • Brand Damage: Affected organisations may face negative publicity, making it harder to attract and retain customers or partners.
  •  Operational Disruption
  • Service Outages: Critical systems might be offline, affecting production lines, supply chains, or essential services.
    • Loss of Productivity: Employees unable to access IT systems are effectively idle, causing delays in work and project completion.

Note:  Points d and c were what essentially led to the collapse of Knights of Old.  When they were hit with a ransomware attack which took out their IT systems, they were unable to fulfil time sensitive orders which led to the cancellation of those orders, damaging their brand and seriously impacting customer trust.  They never recovered and are now out of business.

  • Data Loss
  • Corruption or Deletion: Cyberattacks like ransomware can encrypt, leak or destroy critical data, which may take days or weeks to recover, even with backups.
  • Intellectual Property Theft: If attackers steal proprietary information, it can be sold to competitors or leaked online.
  • Security Gap
  • Exploitation of Vulnerabilities: Downtime often exposes weak points in an organisation’s infrastructure, which may need to be patched or rebuilt.
  • Increased Risk of Future Attacks: Downtime may signal to attackers that the organisation is a viable target.
  •  Legal and Regulatory Implications
  • Breach of Contract: Failure to meet service-level agreements (SLAs) due to downtime can result in legal action from customers or partners.
  • Insurance Implications: Cyber insurance claims may be denied if the company failed to follow adequate preventative measures.
  •  Psychological and Social Impact
  • Employee Stress: Staff may feel pressured to resolve issues quickly, leading to burnout.
  • Customer Frustration: Extended downtime can alienate loyal customers, particularly in industries where continuity is critical, such as healthcare or finance.
  •  Broader Economic and Societal Impacts
  • Supply Chain Disruption: Downtime in one organisation can ripple through its partners, affecting entire supply chains.
    • Critical Infrastructure Risks: Attacks on essential services like utilities or healthcare systems can have life-threatening consequences.

I have blogged many times about the mitigation strategies you can take, that don’t need to break the bank, but the bottom line, proactive measures can significantly reduce the impact of cyberattacks and the associated downtime.  Understand your vulnerabilities and threats, base your spend on protecting against those threats, starting with the most serious, and then working down.  Don’t try and get to 100% security, it doesn’t exist, so understand what risks you find acceptable and what risks you don’t.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security Working Practices

Do CISOs have a role in the Small to Medium Enterprise?

A Chief Information Security Officer or CISO, is a post you almost never find in an SME, even those at the top end of that sector.   This has contributed to the growth of what is known as fractional appointments i.e. appointments that are not full time with the incumbents often taking roles in more than one organisation, thus the term Fractional.

 Anyone taking any role in an SME management team will need to be pragmatic, practical and bring cost effectiveness to their discipline.  The CISO role is no different and is all about managing risk, enabling the business and ensuring trust in a very cost sensitive environment.

The CISO can play a crucial role in an SME by ensuring that the organisation’s information and data assets are secure. While the CISO role in a large corporation may be more siloed or focused on strategy, in an SME the CISO often wears multiple hats, balancing strategy, operations, and hands-on technical work.

Challenges Unique to SMEs

I’ve often talked about the challenges that SMEs face, focusing as I do on cyber security.  Let’s just have a quick recap looking at where the CISO fits in with these unique challenges.

  • Limited budget and staff: This is the main reason why SMEs will not employ a full time CISO, they simply can’t afford it.  The other being that an SME probably doesn’t require a full-time resource anyway.  Because of this lack of resource the CISO may also act as a hands-on security engineer or IT lead, perhaps liaising with a contracted IT outsourcer.
  • Lack of security culture: Many SMEs don’t prioritise security until after a breach.  The CISO will be able to raise awareness and provide advice and guidance before the fact.
  • Rapid growth and change: Scaling securely is a key challenge as SMEs expand and there are often gaps left because of overlooking the need to embed security at the design stage.  The CISO can plug that gap.

Let’s take a look at the potential elements of a job description for the role of a CISO, or a Fractional CISO, in an SME.  Of course, these may not fit everyone and it’s more of a menu for SMEs to choose from:

  1. Developing and Leading the Cybersecurity Strategy
  2. Define the overall information security roadmap aligned with the SME’s business goals.
  3. Balance security with business agility, in other words making sure security does not get in the way of business and keeping in mind budget constraints typical in SMEs.
  4. Ensure the strategy addresses risk management, compliance, and data protection.
  • Risk Management and Assessment
  • Identify and assess cyber risks relevant to the SME (e.g., phishing, ransomware, insider threats).
  • Conduct regular vulnerability assessments and penetration tests.
  • Prioritise risks based on business impact and likelihood.
  • Policy and Compliance Management
  • Develop and enforce security policies, standards, and procedures.
  • Ensure compliance with relevant regulations (e.g., GDPR, PCI-DSS etc depending on industry).
  • Prepare for audits and provide documentation to demonstrate compliance.
  • Security Awareness and Training
  • Conduct regular security awareness training for employees.
  • Create a culture of security by promoting best practices (e.g., strong passwords, phishing awareness).
  • Incident Response and Business Continuity
  • Develop and maintain an incident response plan.
  • Lead the response to security breaches and minimise damage.
  • Ensure business continuity and disaster recovery plans are in place and tested.
  • Technology Oversight and Vendor Management
  • Evaluate and implement cybersecurity tools (e.g., firewalls, endpoint protection etc).
  • Manage relationships with third-party vendors, especially cloud providers and MSSPs.
  • Ensure that vendors comply with the SME’s security requirements.
  • Ensure the SME itself is not in conflict with any security requirements of larger organisations if it is in that organisations supply chain.
  • Board and Executive Communication
  • Translate technical risks into business language for senior management.
  • Report regularly on security posture, incidents, and needs.
  • Advocate for security budget and resources in line with organisational risk appetite.

I hope that gives a feel as to why an SME might want to consider a Fractional CISO or Board Advisor.  Cyber-attacks are becoming more sophisticated, faster and harder to repel.  It is no longer just the corporates who are in the firing line.  Modern, often AI driven attacks have put everyone in the sights of the modern cyber-criminal and even from those criminal organisations that are nation state funded.  It’s never been more crucial to have professional advice and guidance on tap.

Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Supply Chain Security

An Increase in sophistication in cyber-attacks in 2025

There is a lot of discussion about AI, it’s benefits to society in general and its undoubted downside.  It’s a fascinating subject and AI can really become the gift that keeps on giving, but a downside for those of us concerned with cyber security, and really that should be all of us, is that we’ve always played catch up to the cyber criminals, trying and often failing to anticipate what the next attack will be, what the next series of attacks will be.  Will it be ransomware, denial of service or perhaps a new and more sophisticated scam?  Who knows?  And there is no doubt that AI is raising the bar.

I have talked a lot about the re-emergence of the script kiddie and how AI in enabling this breed of wannabe criminals.  For those who maybe don’t now, a script kiddie was a low level, part skilled hacker, who downloaded scripts from the dark web, put there by the more competent hacker who hoped to sell them.  The script kiddie would use those scripts to try and attack targets.  But it’s also true that the more skilled and sophisticated criminal is making use of AI and finding new and innovative ways of relieving you of your hard-earned cash.

What we are seeing in 2025 is an era where cyber‑attacks are AIpowered, highly targeted, automated, supplychain enabled, multistage, and geopolitically driven. These attacks exploit weaknesses across credential systems, zero‑day exploits, deepfake tools, and ransomware as a service (RaaS) platforms.

We are in an accelerating digital arms race that calls for AIdriven defence capabilities, real‑time insights, deception environments, zero‑trust architectures, and quantum‑safe cryptography.

a. AI-powered precision and scale

  • Cybercriminals are leveraging AI to automate vulnerability scans at astonishing speeds, up to 36,000 scans per second, resulting in massive volumes of stolen credentials (1.7 billion) and drastic upticks in targeted attacks.
  • AI is also generating hyper-realistic phishing messages, deepfake audio/video, and even “CEO fraud” to manipulate individuals into transferring funds, like a deepfake trick that siphoned US $25 M in Hong Kong.

b. Ransomware as a Service (RaaS) 3.0

  • RaaS platforms now enable less skilled attackers to run ransomware, complete with support and updates. Over 70% of attacks now use these services.
  • Attackers have shifted to double/triple extortion schemes, encrypting data, threatening to leak it, and sometimes targeting associated partners or customers.
  • Next-gen ransomware, e.g. LockBit 4.0, BianLian etc, is rolling out advanced stealth, data theft, and automated lateral movement techniques, ie using an initial breach to jump across to other parts of your network or that of your partners and customers.

c. Supplychain & thirdparty infiltration

  • Attacks starting via third-party software or vendors (e.g., SolarWinds-style) allow hackers to move laterally into networks and compromise multiple organisations simultaneously.

d. Statesponsored & geopolitical cyber warfare

  • Nation-states (China, Russia, Iran, North Korea) are not just using espionage but now partnering with ransomware gangs to conduct financially and politically motivated operations.
  • Iranian state-aligned hackers are conducting sophisticated credential theft, MFA bypass, lateral infiltration, DDoS, website defacements, and disinformation across geographies.

e.  Zerodays and livingofftheland

  • Exploit kits now rapidly find zero-day vulnerabilities, especially in cloud environments, to bypass patching cycles.
  • Attackers increasingly use built-in legitimate software and system tools (living off the land) to evade detection.

f.  Credential theft resurgence

  • Reported credential theft incidents rose 300% from 2023 to 2024, with 25% of malware focused on stealing login data.
  • These stolen credentials are a gateway for automated brute‑force, lateral movements, and supply‑chain infiltration.

g.  Targeting of IoT, OT & mobile platforms

  • Millions of IoT and OT systems (from manufacturing to agriculture) remain insecure and are now common targets of AI‑driven automated attacks.
  • Mobile‑specific ransomware is emerging; threat actors are developing malware to extort victims directly via their mobile devices.

h.  Rise of deception technology and defence adaptability

  • In response, organisations are deploying deception tech (honeypots, decoys) to detect lateral intrusions or zero-day exploits in real time.
  • Proactive threat intelligence, zero‑trust frameworks, AI‑driven detection, and adoption of post‑quantum cryptography are becoming critical defensive measures.

SMEs still have the mind-set that these attacks are just about the corporate sector and that they are safe because they are small and not worth targeting.  Wrong.  SMEs are considered low hanging fruit because they typically spend much less on their defences and tend not to have access to the right levels of support and advice.  SMEs make up over 90% of the UK GDP, that’s huge and it makes them worth attacking if, for example, a nation state wanted to cripple the UK economy.  AI automation makes this much easier to achieve and attackers at all levels can leverage AI to automate attacks against multiple SMEs at the same time using the same methods.  If they attack 1000 SMEs at once, and get a 50% hit rate, that is good business for them.

We are seeing AI letting attackers scan thousands of targets at once, deploy malware bots and use brute force tools.  They are automating phishing and social engineering allowing them to deepfake audio and video, using cloned voices to mimic senior personnel in companies.  Don’t be lulled into a false sense of security, AI makes this a relatively easy thing to do, doesn’t take high levels of skill, and is highly automated.

There is a real fear that traditional firewalls and spam filters used by most SMEs may fail to detect these advanced threats.

In summary AI-driven cyberattacks pose a significant and growing threat to small and medium-sized enterprises (SMEs). While larger corporations may have the resources to defend themselves, SMEs are often more vulnerable due to limited cybersecurity budgets, staffing, and expertise.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Supply Chain Security

Supply Chain Attacks

There have been a number of recent cyber-attacks that have used supply chains that many large businesses have.  These businesses rely on smaller ones to provide key components that they require in their manufacturing or other processes.  That supply chain is critical to their operations and therefore needs to be robust and secure.  An attacker is constantly looking for weak links in cyber defences, that can be exploited for financial gain.  They will look at an SME as such a weak link, expecting the SME to have a lower understanding of the threat, and lower expenditure on defence.  They will be looking to piggyback on loopholes in the suppliers defences, to attack their main target.

A cyberattack on a supply chain can have far-reaching and severe consequences, not just for the targeted organisation, but also for its partners, customers, and even national security when considering the critical national infrastructure, nuclear, transport, energy, water etc.  In short SMEs are a highrisk conduit for supply chain attacks. Even minor breaches in small firms can ripple out, causing data loss, operational shutdowns, regulatory scrutiny, and reputational damage—highlighting why third‑party cybersecurity should be a top priority for all.

What real world examples can we give, particularly in the UK.  Below are some notable UK supply chain cyberattacks that impacted SMEs and their customers, especially within third-party and vendor ecosystems

  • CTS breach — affecting dozens of UK law firms via SME IT provider

In 2023, CTS, a small IT supplier to multiple conveyancing and legal firms, was compromised. This granted attackers access to the networks of multiple SMEs in the legal sector, enabling potential data theft and operational disruption.

  • Metropolitan Police — hack via a small supplier

In 2023, hackers penetrated the Metropolitan Police by targeting a supplier responsible for police ID badges. Because the SME provider’s systems were breached, attacker access extended to personal staff data (names, ranks, photos, pay numbers), highlighting how SMEs serve as gateways for attacks on major institutions.

  • Synnovis ransomware — disrupting NHS clinical services

In June 2024, Synnovis, a pathology service provider for NHS hospitals, was hit by a Clop ransomware attack. Though Synnovis is not a front-line NHS body, as an essential subcontractor, the breach led to cancellations and testing disruptions in major London hospitals.

  • Blue Yonder — supply chain SaaS hack hits supermarkets & small logistics partners

In November 2024, Blue Yonder, a logistics SaaS provider, suffered a ransomware attack. Major supermarkets like Sainsbury’s and Morrisons were impacted—but crucially, many small UK warehouses and logistics SMEs that rely on the platform had to revert to manual operations, enduring days or weeks of chaos.

  • Systemic SMEs-vulnerability in UK supply chains

Research shows 77% of UK SMEs lack in-house cybersecurity, making them “soft targets” for attackers looking to pivot into larger clients. Meanwhile, 95% of larger UK companies reported experiencing negative impacts via vendor incidents.

Why SMEs are often the weak link in supply chains

  • SMEs often run with minimal cybersecurity budgets, lacking formal certifications.
  • Granted privileged access to larger clients.  Many large organisations operate a just in time supply system, requiring their suppliers to be integrated into their systems.
  • When compromised, they become easy stepping-stones into bigger networks.

Summary Table of SME related supply chain attacks

Incident & DateSME RoleImpact
CTS (2023)IT supplier to law firmsDozens of SMEs exposed
Met Police (2023)Badge/ID card vendorPolice data compromised
Synnovis (June 2024)Pathology providerHospital labs disrupted
Blue Yonder (Nov 2024)Logistics SaaS providerSME warehouses/businesses disrupted

What consequences can we expect from a supply chain attack?

  • Data Breach and Intellectual Property Theft
    • Exposure of sensitive data: Customer data, supplier contracts, or internal communications.
    • Theft of intellectual property: Designs, formulas, or proprietary technologies can be stolen and exploited.
  • Operational Disruption
    • Production halts: If a manufacturer’s software is attacked, it may stop production.
    • Delayed shipments: Logistic partners may be unable to fulfil deliveries.
    • Inventory management issues: Automated systems may become unreliable or inaccessible.
  • Financial Loss

         •       Direct losses: Ransom payments, remediation costs, and legal fees.

         •       Indirect losses: Lost sales, customer churn, and regulatory fines.

            •     Stock impact: Public companies may see a drop in share price following disclosure.

  • Ripple Effects Across the Ecosystem
    • Third-party impact: A breach in one company can compromise many others (CTS attack).
    • Supplier distrust: Loss of trust among partners can damage relationships and business opportunities.
    • Geopolitical risks: If critical infrastructure or government suppliers are hit, it can trigger national security concerns.
  • Legal and Regulatory Consequences
  • Violations of GDPR, PCI, etc.: Leading to hefty fines and legal action.
  • Breach notification requirements: Mandatory reporting can hurt brand image and cause public fallout.
  • Reputational Damage
  • Loss of customer trust: Perception of weak cybersecurity can cause long-term brand damage.
    • Negative media coverage: Public awareness of the breach can linger for years.
  • Competitive Disadvantage
  • Loss of proprietary data: Competitors may gain an edge.
  • Resource diversion: Time and money spent on recovery rather than innovation or expansion.

Protecting against a supply chain attack

This will involve a mix of technical, procedural, and strategic measures. You need to understand that technology alone will not protect you.  You must take a risk managed approach and understand that these attacks target vulnerabilities in third-party vendors, partners, or software dependencies.  They will employ social engineering techniques and phishing in all its forms.

  • Know Your Suppliers and Vendors
  • If you are managing suppliers:
  • Inventory all third parties: Maintain an up-to-date list of all external vendors, software providers, cloud services, and contractors.
  • Assess risk levels: Identify which vendors have access to critical systems or sensitive data.
  • Ensure that you suppliers are aware of your security policies and that they have agreed to abide by them.  Audit that.
  • Include security requirements in contracts (such as regular audits, breach notification timelines, etc.).
  • Ask for compliance evidence (ie, Cyber Essentials etc.).
  • If you are a supplier to a larger organisation:
  • Know and understand your customers security policies and undertake to abide by them.  Don’t pay lip service, actually do it.
  • Make sure you understand your contractual obligations in this regard.  Failure to do so could put you out of business.
  • Use Zero Trust Architecture
  • Apply least privilege access to vendors and third-party applications.
  • Isolate critical systems from less-trusted networks using segmentation.
  • Verify before trusting: Always authenticate and validate access requests, even from trusted sources.
  • Secure Your Software Supply Chain
  • Ensure your software comes from reputable sources and is regularly updated and patches applied.
  • Validate the integrity of software updates (e.g., use code signing and secure CI/CD pipelines).
  • Monitor for tampered or malicious packages.
  • Continuous Monitoring and Audit
  • Monitoring has long been considered too costly for most SMEs with systems such as SIEM not only being expensive but requiring constant analysis by a SOC analyst.  However, there is now a system which is effective, managed and within most SME budgets.  H2 can advise on this.
  • Log and audit changes to critical infrastructure or data access.
  • Use threat intelligence to stay ahead of known supply chain threats.
  • Patch Management and Updates

         •       Stay current with software and firmware updates.

         •       Use automated patch management tools where possible.

         •       Vet updates from vendors for authenticity and origin.

  • Incident Response Planning
    • Create and test a supply chain-specific incident response plan.
    • Ensure you can quickly revoke unauthorised or administrative access if needed.
    • Conduct tabletop exercises that simulate supply chain attacks.
  • Train Your Staff
  • This is often the most effective quick win any organisation can make.
  • Educate employees about phishing, social engineering, and how supply chain attacks often begin.
  • Train procurement and legal teams to evaluate vendors with security in mind.

There is a lot too this subject and you might feel that you need advice and guidance.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management News Ransomware, Phishing and other Malware Security Tools Supply Chain Security

Cyber Attacks on SMEs

We’ve posted a few pieces recently on why setting a realistic budget for cyber security is so important and we thought we’d follow that up with some real-life examples.

Small and medium-sized enterprises (SMEs) are increasingly being targeted by cybercriminals in 2025 and are facing a range of sophisticated threats that exploit limited resources and evolving technologies. Here’s a quick look at some of the most pressing cybersecurity incidents and trends that have affected SMEs so far this year:

Major Cybersecurity Incidents Impacting SMEs

  • Co-op Supermarket Chain Cyberattack (UK)

A “highly sophisticated” cyberattack disrupted Co-op’s IT systems, leading to customer data theft, contactless payment failures, and empty shelves in Scottish stores. The breach also affected other major retailers like Marks & Spencer and Harrods, with investigations pointing towards hacker groups such as Scattered Spider and Lapsus$. 

  • Lockbit Ransomware Group Breach

The notorious ransomware gang Lockbit was itself hacked, resulting in leaked communications that revealed aggressive targeting of small businesses for extortion. This breach has temporarily disrupted Lockbits operations and exposed their tactics.

  • Berkeley Research Group (BRG) Data Breach

A cyberattack on BRG compromised sensitive data related to Catholic Church sex-abuse cases. The attacker used impersonation tactics via Microsoft Teams to deploy Chaos ransomware, leading to concerns over the exposure of victims’ identities.

 Emerging Cyber Threat Trends for SMEs

  • AI-Powered Phishing and Deepfake Attacks

Cybercriminals are leveraging AI to craft convincing phishing emails and deepfake audio impersonations of executives, deceiving employees into authorising fraudulent transactions.

  • Ransomware-as-a-Service (RaaS)

The availability of RaaS platforms has lowered the barrier for launching ransomware attacks, making SMEs prime targets due to their valuable data and often limited security infrastructure.

  • Supply Chain Vulnerabilities

Attackers exploit weaknesses in third-party vendors to infiltrate SMEs’ systems, as seen in incidents involving compromised software packages on platforms like NPM.

  • Business Email Compromise (BEC)

Scammers use AI to mimic emails from corporate partners and managers, leading to fraudulent financial transactions. In Australia, BEC attacks have increased by 7% year-on-year, with SMEs being particularly vulnerable.

Proactive Measures for SMEs

To mitigate these threats, SMEs should consider the following actions:

  • Implement Multi-Factor Authentication (MFA)

Enhance account security by requiring multiple verification methods.

  • Regular Employee Training

Your staff are your first line of defence and need to be educated on recognising phishing attempts and social engineering tactics.

  • Secure Supply Chains

Vet third-party vendors for cybersecurity compliance and monitor for unusual activities.   Are you in a supply chain for a major company?  Are you facilitating a back door into their systems?

  • Invest in AI powered security tools

Utilise advanced solutions capable of detecting and responding to sophisticated threats.  H2 has a couple of suggestion here that are affordable to SMEs.

  • Protective Monitoring

How do you know that your expensive solutions are protecting you?  Do you know if you’ve suffered a stealth attack where the attacker has built a back door into your systems?  Do you know if you’re hard-earned cash is being siphoned off?  How vulnerable are you to an attack? A monitoring solution for SMEs is now available at an affordable price.

  • Data Loss Prevention

Are you sure you know exactly where all your data is?  Are you sure that documents attached to emails aren’t still sitting on your email server?  Do you know if other documents have been downloaded from your cloud storage whilst your staff work from home, and then uploaded but a copy is still sitting on their laptop?  Data proliferation over time is almost a given.  Can you encrypt your sensitive data so that even if it’s stolen, it’s useless to the thief?  An affordable solution now exists.

  • Develop an Incident response and business continuity plan

No matter how well you protect yourself, you still need to prepare for potential breaches with a clear strategy to minimise impact and recover operations swiftly.

Cyber Awareness Training General Security Issues Ransomware, Phishing and other Malware Security Supply Chain Security

FEAR, UNCERTAINTY AND DOUBT

Or as it’s known amongst cyber security sales teams, FUD.  It’s a tried and tested method of trying to hook new sales and is often used by sales teams at, shall we say, a slightly lower level than the top end enterprise sales teams who, like me, don’t like it and stay shy of it.

OK, so now I’ve established my ethical credentials, how do I let my clients and potential clients, know what the threats are and how vulnerable to them, they are.  There’s a fine line between FUD and education.  People don’t need to be scared into doing things, they need to be educated into it and they have every right to know what the threat landscape looks like, and how vulnerable they are to it.

What’s the Threat in 2025?

It is expected that in 2025, organisations can expect to face a variety of cyber threats, including AI-powered attacks (see https://hah2.co.uk/?s=Artificial+Intelligence), ransomware with complex extortion tactics (https://hah2.co.uk/?s=Ransomware), supply chain attacks (https://hah2.co.uk/?s=Supply+Chain), vulnerabilities in IoT and 5G networks, and the rise of deepfake technology. Cybercriminals are leveraging AI to automate attacks, develop advanced malware, and bypass traditional security measures. Additionally, ransomware attacks are becoming more sophisticated, with some now stealing data alongside encryption, increasing the pressure on victims to pay. Supply chain vulnerabilities are also a major concern, as attackers can target third-party vendors to gain access to larger networks. The increasing number of IoT devices (see https://hah2.co.uk/?s=IOT) many of which lack robust security, also presents a significant challenge, as they can be easily exploited for attacks that disrupt critical infrastructure. Deepfake technology is also becoming more accessible, making it easier for attackers to create realistic fake content for various malicious purposes. 

How Does This Impact SMEs?

So where do SMEs sit in this space?  There is still the perception amongst them that they are too small to be worth attacking, that the rewards for the cybercriminals aren’t enough and they won’t bother.  Well, let’s debunk that.  SMEs are seen as low hanging fruit.  They will have much smaller budgets than the bigger players, they will almost certainly outsource their IT and as I’ve said often, you can outsource your IT, but not your responsibility.  There is a dearth of cyber security expertise, not just within the SMEs themselves, but also amongst the IT outsourcers they use.

In 2025, it is anticipated that SMEs will face evolving cyber threats, including AI-powered phishing, ransomware, and supply chain vulnerabilities, along with insider threats and IoT exploits. AI is going to have a very real impact on the attacks designed against SMEs.  Why?  Because AI provides automation, and automation is the key to making real money when attacking SMEs.  Think it through.  If a criminal organisation can attack hundreds, if not thousands of targets using one automated attack, with an expectation of say 50% success, with extremely little effort using AI, then that’s good business for them.  AI-driven attacks are predicted to be a top concern, with sophisticated phishing campaigns and deepfake fraud attempts on the rise. Ransomware continues to pose a significant risk, especially for SMEs with limited cybersecurity resources. 

Supply Chain Security

Supply chain vulnerabilities are also a growing concern, as hackers can exploit connections with external vendors to breach multiple businesses.  This latter should be a very real concern for any SME that is in the supply chain of a major organisation.  Just imagine the consequences for that SME if their customer is attacked, losing money and reputation, and can pinpoint the attack as coming via the SME.  How would that impact the SME?  Well, the financial and reputational consequences would probably kill their business.

Ramsac, in their 2025 SME threat report, tells us that a mid-sized UK logistics company fell victim to a ransomware attack in June 2023. They infiltrated the company’s network and left a note on screens: “If you’re reading this, it means the internal infrastructure of your company is fully or partially dead.” The attackers had encrypted the firm’s files and threatened to leak confidential data, essentially holding the business hostage.  They also reported that a large retail breach occurred when attackers compromised a small HVAC subcontractor (with far weaker IT security) and used those credentials to penetrate the larger corporate network. That attack led to the theft of millions of customer card details and tens of millions of dollars in damages – all traced back to a third-party SME vendor being hacked via a phishing email.

In Summary

We published a piece recently about cyber security and the SME and rather than repeat it here, we’ll simply give you the link – https://hah2.co.uk/cyber-security-and-the-sme/.  It reiterates some of my hobby horses, chief amongst them being cyber awareness training.  I’ve said before, but it bears repeating, that your staff are your first line of defence and are either your greatest asset, or your greatest risk.  The actions you take as an owner/director/manager, will decide which.

SMEs are facing increased pressures on their resources and the temptation to park cyber security until times are better, increases alongside those pressures, but avoid complacency, let’s discuss what you might be able to do procedurally and at low cost. If you have invested in tech, is it the right tech and is it doing what you think it’s doing? That’s never a given.

General Security Issues Risk Analysis and Security Strategy Security Supply Chain Security Working Practices

Cyber Resilience – What Does It Entail?

The Cyber Security and Resilience Bill

Following the fallout last year, from the CloudStrike sensor failure that led to significant outages worldwide, we wrote a piece questioning whether we are truly addressing Cyber challenges. Subsequently, the UK introduced The Cyber Security and Resilience Bill, which was debated in Parliament in 2025. This legislation seeks to enhance the UK’s cyber defences and bolster resilience across essential services, infrastructure, and digital offerings. It will revise current cyber security regulations, including the NIS Regulations, and broaden the scope of protected digital services and supply chains.

The primary goal of this bill is to safeguard the UK’s digital economy, positioning it as one of the most secure in the world while protecting services, supply chains, and citizens. Additionally, it aims to enhance our cyber resilience and stimulate growth and prosperity. With an expanded scope, it encompasses a wider array of essential digital services beyond those currently covered by the NIS regulations and builds upon them. The bill includes mandatory reporting requirements and emphasises the UK’s Critical National Infrastructure (CNI).


Ministerial Policy Statement


You can read more about it here: https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement.

Relationship with EU Regulations


Although the UK’s Cyber Security and Resilience Bill is tailored for the UK, it draws inspiration from the EU’s Cyber Resilience Act (CRA) and the NIS2 Directive. The CRA emphasises cybersecurity for products with digital elements, whereas the UK’s legislation focuses on fostering overall resilience within its digital ecosystem. Furthermore, it aims to align with principles found in the NIS2 Directive adopted by the EU in 2024.

How will SMEs navigate this?

In the cybersecurity sector, there has long been a divide between product vendors and those of us focused on services. After three decades in this industry, I’ve repeatedly observed that product sales often prevail. Why? Because selling services is more challenging with a longer sales cycle compared to quicker product sales. People prefer to see a quick if not immediate return, on their investment; they like tangible products doing their job even if they don’t fully grasp how they function or whether they’re suited for their needs.

Risk Management

A risk managed approach remains vital. This principle hasn’t changed over my 30 years in the field. However, this bill makes it even more critical due to potential penalties for non-compliance. The focus should be on People, Process, and then Technology. I often reference Bruce Schneier, a Harvard scientist and thought leader in cybersecurity. He states, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” Essentially, understanding your risks begins with identifying your cyber assets, not just hardware or software but your data and your ability to maintain system access for staff and customers when needed.

Once you recognise your assets, you must identify potential threats to them and assess how vulnerable you are to those threats. Threats combined with vulnerabilities equal risk, the risk to your business if things go awry.

Having completed this assessment you can assign a risk score to each asset aiming to manage that risk down to an acceptable level, known as risk appetite. This will vary from business to business or even asset to asset; for instance, you wouldn’t assign the same risk level to a revenue-generating system as you would to an admin-only system lacking personal data.

This may sound daunting and costly; hence many businesses avoid it or only partially implement it. However, without a comprehensive assessment, it’s challenging to ensure that you are allocating your limited budget toward appropriate protections in key areas. You need to determine potential damage from failures and explore ways to mitigate that damage. While consulting a lawyer after a crisis is one option, wouldn’t it be wiser to prevent or reduce issues before they escalate?

Cyber Awareness Training Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security

More on budgets

I’ve been talking recently about the relationship between IT and cyber security budgets for SMEs and I mentioned that at one time, the recommendation was that 5% of IT budgets be put aside for security.  Well, that figure has gone up year on year and is now about 15%.  Of course, these percentages work well in the corporate market where IT budgets can run into the millions, but in the SME world, where budgets are tiny in comparison, the percentages don’t work quite as well.  After 15% of very little, is very little.

So where does that leave us?  We still have to budget, failing to plan is planning to fail – how’s that for a nice bit colloquialism.  Budgets are necessary.  IT whether hardware or software, doesn’t stand still, it moves forward rapidly and the hardware you bought two years ago will often struggle to run some of the software upgrades, and those upgrades themselves come thick and fast.

Cyber security is no different.  We have to contend not only with those software implementations, many with vulnerabilities already present, but with cyber criminals who are always pushing the boundaries.  We play catch up.  We always have and probably always will.

So what are we budgeting for?  SMEs face several challenges in implementing adequate cybersecurity defences. These challenges arise due to resource constraints, lack of expertise, and evolving threats. Some of the biggest issues are:

  • Cybersecurity tools, training, and infrastructure
  • Inadequate funding for the above.  SMEs will naturally prioritise business growth and operations over cybersecurity investments.
  • Lack of Expertise
  • SMEs often lack dedicated cybersecurity personnel or in-house IT teams.  Limited access to experienced professionals makes it difficult to implement and maintain robust security measures.
  • In adequate or lack of cyber awareness and training
  • Employees may lack awareness of cybersecurity risks and become easy targets for phishing or social engineering attacks.
    • Insufficient training on best practices, like identifying suspicious emails or handling sensitive data securely.
  • Underestimation of Risks
  • Many SMEs believe they are too small to be targeted, making them complacent.
    • Attackers often target SMEs precisely because they assume SMEs are less secure than larger companies.
  • Rapidly Evolving Threat Landscape
  • Cyber threats like ransomware, phishing, and zero-day exploits are constantly evolving.
    • SMEs struggle to stay updated with new technologies and threats.
  • Outdated Technology
  • Reliance on legacy systems or software that lacks regular updates or patches.
    • Limited investment in modern security tools, such as firewalls, endpoint protection, or intrusion detection systems.
  • Third-Party Risks
  • SMEs often rely on third-party vendors or service providers, which can introduce vulnerabilities.  Don’t assume that your IT vendor has a grip on security – they are often as ill-informed as you are.
    • A breach in one partner’s system can cascade down to the SME.
  • Compliance Challenges
  • SMEs may not have the resources to understand or comply with cybersecurity regulations (e.g., GDPR, CCPA, PCI DSS).
    • Non-compliance can result in fines or penalties, exacerbating financial pressures.
  • Insufficient Incident Response Plans
  • SMEs often lack a formal incident response plan to handle breaches or attacks.
    • Without predefined protocols, responses to incidents are slower and less effective.
  • Shadow IT
  • Employees may use unauthorised software or devices without IT approval, creating vulnerabilities.
    • Shadow IT can bypass existing security measures.
  • Supply Chain Attacks
  • Cybercriminals target SMEs as an entry point to larger companies in their supply chain.
    • SMEs often lack robust controls to mitigate supply chain risks.
  • Difficulty in Accessing Cyber Insurance
  • Obtaining cybersecurity insurance can be difficult or expensive for SMEs, especially if they lack basic protections.
    • Insurers often require proof of a certain level of security maturity.

These days addressing these challenges requires SMEs to adopt a combination of cost-effective solutions, such as managed security services, regular training, and leveraging cloud-based security tools.  Effective cyber security is a business issue, not an IT issue and requires a thorough understanding of the risks, vulnerabilities and threats, that a business faces.  It requires a professional approach from a security professional that most SMEs can’t afford to employ, so the next best thing is to partner up with such an organisation.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services designed specifically for SMEs; at a price they can afford.  Our advice and guidance takes a unique look at the problems facing SMEs whilst calling on our vast experience working for the larger organisations and government departments.

Scroll to top