
BRING YOUR OWN DEVICE (BYOD)

This is a subject that, at one time, was pretty much confined to the larger enterprise organisations, but largely because of the pandemic it is gaining popularity within SMEs and is now getting a lot of attention from the National Cyber Security Centre.

So, what is it?  Well, the idea was to allow employees to use their own devices for work purposes.  The thinking was that, in this day and age, many employees have developed preferences for what they use.  So whilst many will stick to Microsoft, others may prefer an Android or Apple tablet, whilst others still may prefer a MacBook or Chromebook.  There’s a wide choice these days.

But what do we mean by work purposes?  It can mean anything from accessing your emails, which most of us do on our phones, to accessing critical services and applications.  And this makes it a potentially complex issue.

The pandemic brought with it many issues that needed swift resolutions.  It is now not uncommon to visit companies that have allowed their staff to continue working from home, often because the cost savings in office accommodation are very beneficial, and some have allowed staff to use their own preferred devices when working, including connecting remotely to the company network and/or cloud services.

For just about all SMEs, this has started from a position of necessity.  But like many such events, if it seems to be working, it rapidly becomes the norm and in creeps a complacency that it’s actually all OK.

BYOD solutions need to be planned and thought through.  As with most things, particularly risk-based assessments, what you need to do really depends on your organisation.  You need to ask some questions:

  • Is there anything that needs to be done from the office that cannot be done by home workers?
  • Are there functions employees need to perform that require the company to have visibility and management of them, and are there any that don’t?
  • What do my employees need to do?
  • How can we balance what employees do against your need to protect data and their privacy (DPA 2018)?  They are, after all, using their own device.

Above all, you need a well-thought-through and comprehensive strategy which, while offering flexibility and potential cost savings, recognises and deals with the security implications that organisations must address to ensure sensitive data and systems remain secure.  Below are the key concerns:

a. Data Security

  • Data Leakage: Employees’ personal devices may lack adequate protections, increasing the risk of unauthorised access or accidental data leaks.
  • Loss or Theft of Devices: Personal devices may not have encryption enabled, making sensitive corporate data vulnerable if the device is lost or stolen.
  • Uncontrolled Sharing: Employees might unknowingly share corporate data via apps or cloud services outside the organisation’s control.

b. Malware and Cyber Threats

  • Insecure Devices: Personal devices might not have up-to-date antivirus software, firewalls, or operating system patches, making them susceptible to malware or ransomware attacks.
  • Unverified Applications: Employees may install unauthorised or malicious applications that could compromise corporate networks.

c. Network Security

  • Untrusted Connections: BYOD devices may connect to public Wi-Fi networks, exposing them to man-in-the-middle (MITM) attacks that could jeopardise corporate data.
  • Device Spoofing: An attacker could mimic a BYOD device to gain unauthorised access to the network.

d. Compliance Risks

  • Regulatory Violations: BYOD policies may lead to data handling practices that violate regulations like GDPR or PCI DSS if personal devices aren’t properly managed.
  • Audit Challenges: Tracking and demonstrating compliance can become difficult with non-standardised, user-managed devices.

e. Access Control

  • Weak Authentication: Personal devices may not support strong authentication mechanisms, increasing the risk of unauthorised access.
  • Lack of Segmentation: Employees’ devices may access both corporate and personal systems, creating potential crossover risks.

f. Insufficient Visibility

  • Limited Monitoring: Organisations may lack full visibility into personal devices, making it harder to detect breaches or policy violations.
  • Shadow IT: Employees might use unauthorised apps or services that bypass official security controls.

g. Employee Turnover

  • Data Retention: When an employee leaves, ensuring the removal of corporate data from their personal devices can be challenging.
  • Device Ownership: Legal and practical issues might arise when attempting to enforce data wiping on personal devices.

Mitigation Strategies

To address these risks, organisations adopting BYOD should:

  • Implement Mobile Device Management (MDM) or Endpoint Detection and Response (EDR) solutions.
  • Enforce strong authentication, such as multi-factor authentication (MFA).
  • Require device encryption and ensure compliance through regular checks.
  • Use some form of file separation to keep corporate data separate from personal data.
  • Deploy a zero-trust security model with conditional access controls.
  • Establish clear policies and training to educate employees on BYOD security best practices.
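The mitigations above (MDM/EDR enrolment, MFA, encryption checks and conditional access) come together in a posture-based access decision.  The following is an added illustration, not code from this article or from any product it mentions; the two access tiers, the posture fields and the 30-day patch threshold are constructed assumptions an organisation would replace with its own risk appetite.

```python
"""Posture-based conditional access check for BYOD (added illustration).

Assumptions (not from the article): device posture arrives as a dict from an
MDM or EDR agent; two access tiers, "email" and "critical"; the thresholds
are constructed placeholders, not recommended values.
"""
from datetime import date, timedelta

MAX_PATCH_AGE_DAYS = 30          # constructed threshold
TODAY = date(2024, 7, 30)        # fixed "today" so the sample run is repeatable


def evaluate_access(device: dict, tier: str, today: date) -> tuple[str, list[str]]:
    """Return ("allow" | "deny", reasons) for a device requesting a tier.

    Every tier requires a completed MFA challenge.  "critical" additionally
    requires MDM enrolment, disk encryption and recent OS patches, so an
    unmanaged personal device can still read email but not reach core systems.
    """
    reasons: list[str] = []
    if not device.get("mfa_verified"):
        reasons.append("MFA not completed")
    if tier == "critical":
        if not device.get("mdm_enrolled"):
            reasons.append("device not enrolled in MDM/EDR")
        if not device.get("disk_encrypted"):
            reasons.append("disk encryption disabled")
        last_patch = device.get("last_os_patch")
        if last_patch is None or today - last_patch > timedelta(days=MAX_PATCH_AGE_DAYS):
            reasons.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days or unknown")
    elif tier != "email":
        reasons.append(f"unknown access tier {tier!r}")   # fail closed on bad input
    return ("deny" if reasons else "allow"), reasons


# Constructed sample posture records; not real devices.
SAMPLE_DEVICES = {
    "personal-laptop": {"mfa_verified": True, "mdm_enrolled": False,
                        "disk_encrypted": False, "last_os_patch": date(2024, 5, 1)},
    "managed-tablet": {"mfa_verified": True, "mdm_enrolled": True,
                       "disk_encrypted": True, "last_os_patch": date(2024, 7, 20)},
}

if __name__ == "__main__":
    for name, posture in SAMPLE_DEVICES.items():
        for tier in ("email", "critical"):
            decision, why = evaluate_access(posture, tier, TODAY)
            print(f"{name:16} {tier:8} -> {decision} {why}")
```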

By proactively addressing these risks, organisations can leverage the benefits of BYOD while maintaining robust security.

Are we failing in our cyber resilience?

The fallout from the CrowdStrike sensor failure, which caused severe outages throughout the globe, is still being felt and will be felt for some time to come.  The emphasis has been on recovery, but that will start to change as we focus more on why it happened and what can be done to mitigate further failures of this kind.  I’ve said already, in a piece I wrote last week (https://hah2.co.uk/you-can-outsource-your-it-but-you-cant-outsource-your-responsibility/), that we appear to be becoming too reliant on our IT providers, particularly managed services, to ensure that we remain safe and our services can continue, and we aren’t looking too hard at ensuring resilience is built into our systems.  It begs the question: is business continuity planning no longer in fashion?

Alexander Rogan of Abatis also wrote a piece that’s worth reading (https://www.linkedin.com/pulse/billions-lost-chaos-lessons-from-crowdstrike-microsoft-rogan-abxde/).  In his article Alexander emphasises the importance of zero trust architecture and processes.  What this essentially means is that we cannot afford to trust anyone other than ourselves.  Suppliers are there to help and as such they should ensure that their own processes are robust and include thorough pre-production testing, controlled roll-outs and good baseline security measures.  Where CrowdStrike falls in this regard will, I’m sure, get thoroughly tested in the not too distant future.

The UK Government is also questioning the resilience of business in the UK to cyber threats (https://amp.theguardian.com/uk-news/article/2024/jul/29/uk-desperately-exposed-to-cyber-threats-and-pandemics-says-minister), and in this case a cyber threat is not necessarily confined to security, it can also mean a crash due to a technical or process failure.

In the cyber security industry, there has long been a running war between those that sell products and those of us concerned more with services.  Having been in the industry for 30 years, I have seen this time and again and the product sales nearly always win.  Why?  Simply because services are a hard sell with a long timeline whereas product sales are easier and quicker to achieve.  Why would that be?  Again, simple, people like to be able to quickly demonstrate a return on investment.  They like to see a product, doing its stuff, even when often, they don’t realise how it’s doing what it’s doing, or if it’s the right product in the right place at the right time.

The risk-managed approach is the way to go every time.  That has not changed at all in the 30 years I’ve been plugging away at it.  It’s all about People, Process and then Technology.  I often quote Bruce Schneier, a US scientist on the Harvard Faculty, and a thought leader in this space.  He says, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.  Breaking this down, what he’s getting at is that first and foremost you must understand the risks that you face, and to do that you have to identify your cyber assets.  By that we don’t mean hardware, or even software; what we are talking about is your data and the ability to keep your systems online and accessible to your staff and/or customers when they need them.  Once you identify your assets, you then need to identify the threats to those assets and how vulnerable you are to those threats.  Threat and vulnerability = risk.  And by that we mean the risk to the business if it all goes pear-shaped.

Once that’s done, we can then allocate a risk score to each asset with the aim of managing that risk down to an acceptable level, known as the risk appetite.  That will change business to business, even asset to asset.  You wouldn’t for example allocate the same level of risk [to the business], to a revenue earning system, as you would to perhaps a purely admin system that contains no personal data.

This all sounds terribly difficult and expensive, and that’s why many companies simply don’t do it, or maybe they do a subset of it.  But unless you do, it can be very difficult to know for sure that you are spending your limited budget on the right protections, in the right place.  In the long run, it can save you a lot of money.  This same assessment applies equally to the CrowdStrike problem, or for that matter any other company that you have in your supply chain.  You need to assess what damage they could do to you if they fail, and what you can do to mitigate that damage.  It’s all very well reaching for the nearest lawyer when it’s all gone to hell; how much better to stop it, or mitigate it, before you get there.

Cyber Security Defence and Data Protection Solution At An Affordable Price

Proactive Cyber Security Defence (https://hah2.co.uk/protective-monitoring)

Protective Monitoring (which we now refer to as Proactive Cyber Security Defence) is a phrase well known in the corporate world, where there is immediate understanding of what it is and what it entails.  In the SME world, not so much.  Basically, it focuses on the growing cyber security threats and how companies can protect themselves.  We’ve found it’s a very poorly understood subject outside of the corporate world and we have therefore re-designed and re-priced it specifically for the SME market.

We’ve seen global cyberattacks increase by 38 per cent compared to the previous year.  The rise in cybercrime is not sparing UK businesses, with a total of 2.4 million instances of cybercrime reported within the last 12 months across various industries.

What is it? (https://hah2.co.uk/protective-monitoring)

So, what is protective monitoring?  It refers to the process of continuously monitoring an organization’s systems and networks for potential security threats and incidents. This includes analysing logs, monitoring network traffic, and identifying and responding to any suspicious activity. For small and medium-sized enterprises (SMEs), protective monitoring is essential to protect their sensitive data and prevent cyber-attacks. Many SMEs may not have the resources or expertise to implement comprehensive cybersecurity measures, making them more vulnerable to cyber threats.

Detect and Respond

By implementing protective monitoring practices, SMEs can detect and respond to security incidents in a timely manner, reducing the impact of potential breaches. This can help prevent data loss, financial losses, and damage to their reputation. Additionally, protective monitoring can help SMEs comply with regulations such as GDPR and other data protection laws, which require organisations to have measures in place to protect personal data. Overall, protective monitoring is a critical component of a comprehensive cybersecurity strategy for SMEs, helping them to mitigate risks and protect their valuable assets from cyber threats.

It’s Like Cyber Insurance

Protective monitoring can be like insurance for your data: you might not think you need it until disaster strikes.  Cost is always an issue for SMEs, and traditionally protective monitoring has been a bit pricey, but then so is insurance, and can you put a price on peace of mind?  Plus, it’s probably cheaper than dealing with a data breach down the line.  Wouldn’t it be nice if there were a solution on the market that looks not just at the protective monitoring piece but also at your data protection needs (https://hah2.co.uk/gdpr-data-protection), all at a price that an SME can afford, whether you are at the S end or the M end of the SME market, perhaps hovering just below the corporate market?

Awareness and Resource

Many Boards appear to be struggling to understand the intricacies of cyber risks.  Fifty-nine per cent of directors admitted that their boards are not effective in comprehending the drivers and impacts of cyber risks on their organisations.  Why would that be?  Well, often it’s simply a lack of awareness of the issues involved.  A big issue with SMEs, as well as poor awareness, remains a lack of resources and expertise in the field of cyber security.  They are very reliant on outside support and often attempt to get that support from the local IT company that provides, and often manages, their hardware and software.  This is coupled with Managed Security Service Providers (MSSPs) ignoring the SME sector, primarily because of cost.  The services they provide have traditionally simply been too expensive.

Solution – https://hah2.co.uk/

But what if there were a system designed and managed on behalf of SMEs, which addressed the issues that they face daily, at a price they can afford?  And what if you could see those issues highlighted in front of you, using your own data rather than a demo using dummy data?  How much better that would be at helping you understand what is happening on your network.  We are offering that opportunity: a FREE trial to try this out.

A good cyber security strategy has always been founded upon strength in depth: sound security architecture, good cyber awareness training, solid access control and identity management, and the ability to protectively monitor your estate for threats, vulnerabilities and risks.  And this latter is what we’re looking at today.

To make this doubly effective and doubly affordable, we have combined a protective monitoring solution with a data protection solution and titled it the Cyber Security Defence and Data Protection Service.  OK, not very catchy, but it does nicely encapsulate what it is.  And I can hear your scepticism from here; you’re thinking that sounds pricey.  Well, it is priced at £24 per seat per month, so if you have 20 IT users, the price is £480 per month.

It’s a cloud-based system that requires no expensive infrastructure and no presence on your site.  It is managed remotely by us and monitors your endpoints regardless of where they may be.  So, with today’s mobile workforce, it doesn’t matter where your employees are, in the office, at home or on the move; their endpoints are still being monitored.

The key to making this affordable and appropriate for SMEs, is automation, which is becoming more and more possible using AI enhancements.  I’ve highlighted before that here at H2 we are constantly on the lookout for innovative solutions that allow us to provide appropriate and effective services to our clients, at a price that is affordable.  And we think we’ve found another gem.

What’s Covered?

The following services are provided as standard:

  • External and Insider Threat Detection.
  • Ransomware Protection.
  • Data Leakage Protection.
  • Data Privacy and Compliance.
  • Built in Encryption Capability.
  • Automated Cyber Awareness Training.
  • Phishing Simulation. 

Cyber Security Insurance

And as a bonus, if you wish, a cyber insurance policy starting at around £400 annually, priced according to the risks identified within the service: the more the risk is reduced, the more the premium is reduced.

We Can Manage This for You

This whole package is offered as a managed service, so that the risk, risk reduction, reporting and monitoring are all carried out by us, within the incredibly low price shown above.  And as we’ve already highlighted, we are offering a free demo and a free trial.
