Working Practices

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security Working Practices

What are the questions business owners ask when considering cyber security?

I wrote a post recently about what SMEs care about regarding Cyber Security v the continued FUD (fear, uncertainty and doubt), which many sales pitches tend to rely on, which helps foster the view that it’s all a little hyped up and not as serious as it advertised.  Well, I hope my post did a little to dispel this and show that there really is an issue out there that needs to be addressed by all businesses, not just the corporate big boys.  Let’s leave the stats and hype behind and concentrate on what SMEs need to be thinking about.

What is the cost of ignoring cyber security?

Perhaps this is the first question that they should be asking.  The financial hit of a data breach can be crippling, especially for the smaller businesses who are perhaps running on tight margins and for whom cash flow is often critical.  The average clean up for a smallish business is about £27K. this relates to system restoration, hardware replacement, and the implementation of enhanced security measures. and doesn’t include financial loss from the actual data stolen, or whatever scam was perpetrated, and any fall out from compliance failures, such as fines from the ICO.  And at least a third of organisations admit to losing customers post a data breach, highlighting reputational damage and a loss of customer trust. 

If you take all that into account, you should be able to work out what the potential cost might be for you.

So, what questions should owners, managers and board members be asking?

I think many get bogged down in the technicalities of IT and don’t consider it in business terms.  They don’t think about the business impact of cyber security, about what it is they’re trying to protect.  It’s not your IT systems, it’s your data that is the crown jewels.  IT systems can be replaced, that’s what your insurance is about, but once the data is stolen, then you are in very real trouble.

Risk Management

Talking of insurance, that’s perhaps how you should be viewing Cyber Security solutions.  Don’t think tech, think protecting the business.  First and foremost, the board members need to ask themselves if they have a good handle on their cyber risk.  Have they identified their cyber assets?  What is a cyber asset? Cyber assets are not just hardware and software, in fact those are the least of your worries.  It’s the data, where it is and how it’s protected that is important.  Have you assessed the risk to those assets?  Have you assessed the training requirements for your staff, not just the techies but all staff?  Think People, Process and then Technology.

Once you have done this, then you can consider what controls need to be put in place to reduce the risk to an acceptable level.

Below is some of the controls you will need to consider.  This list is not exhaustive

1.        User Access Control (Admin access is a whole other discussion)

 

This isn’t just about passwords.  Yes, they remain important but on their own, they are no longer sufficient.   Nonetheless weak passwords, password re-use and password sharing remain one of the leading root causes of a data breach.  123456 and, believe it or not, password, remain the most used passwords across the world! 

It is imperative that you have a strong password policy, dictating not just the length of the password, but also its construction, ensuring that there is a good mix of upper and lower case characters, numbers and symbols, that together make things very difficult for password crackers.

On their own though passwords remain a potential weak spot.  Multi factor authentication (MFA), sometimes referred to as 2FA, provides that extra layer of defence and can help to protect against brute-force attacks, phishing scams, key-logging and social engineering.  MFA can be simply implemented on most email platforms and within various apps you are using.  For those of you trying for Cyber Essentials or ISO 27K series, MFA is mandatory, so make sure it’s put in place.  

2.        Are you backing up your files? 

This seems an obvious thing to do but you’d be surprised how often when trying to restore from a backup, it fails.  This is often because the backup routine was set up back in the mists of time and has never been reviewed and even more dangerous, it’s never been tested to see if it works.  Set up your backup regime, have it reviewed regularly and tested regularly to make sure it works.  If you are backing up online, keep in mind that if a cyber-criminal gets access to your systems to, for example, carry out a ransomware attack, then they can probably get at your back up as well.  So, belt and braces, consider having an offline backup as well as an online backup.  The latter is more convenient but is vulnerable.

3.        Do you train your staff in cyber awareness? 

My favourite subject – cyber awareness training.  Your first line of defence is your staff, but if not trained adequately, they can be your biggest weakness.  It’s known in the trade as the insider threat, but it is caused mainly by human error, staff members doing something they shouldn’t, not maliciously but simply because they didn’t know they shouldn’t.  It accounts for 88% of data breaches. Providing your people with training on the threats, current scams and basic cyber awareness reduces the chance of a cyber-attack. This really is the easiest and cheapest quick win any organisation can take in reducing their risk exposure.

4.        Do your employees regularly travel or work remotely? 

This brings us neatly to what Microsoft coined as the New Normal.  Essentially this means remote working shared with in office working, known as the hybrid working model, or for some, moving to a totally remote working system.  Totally remote is not as common as hybrid working but is becoming more normal with certain size businesses in certain commercial verticals.  It’ll never work for everyone, but for those who have embraced it, it saves a considerable amount of expense.  It does however require us to rethink our cyber strategy.

Work-from-home employees are at much greater risk than those in offices. Since home connections are less secure, cybercriminals have an easier entry into the company network.  Furthermore, the explosion of various online tools, solutions, and services for collaboration and productivity tend to have the bare minimum of security default setting, and updates from third-party vendors can change security preferences and be easily overlooked.

Phishing becomes an even greater threat to home workers, often because, in an office environment, they have access to colleagues and managers, who they can approach for advice and guidance.  This is much harder to replicate with remote workers, especially those who may not be particularly tech savvy and who may not wish to become ‘burdensome’ to their co-workers.

Ransomware also enjoys an advantage in the work-from-home model.  If their connection to the company is blocked, it is more difficult for workers to get assistance from the right experts and authorities.  And since trust levels are lower when working from home, some workers will be concerned that they have “done something wrong” and so may be more reluctant to seek help. While this risk can be addressed by increased training, as well as messaging that vigilance and involving IT support will be rewarded, it can still be an uphill battle.

We need to break out of the old ‘bastion’ security model of a network protected by firewalls and other technologies and think about solutions that are designed to protect your assets regardless of where your employees work from.  They exist and aren’t hard to find.

 

5.        Where is all your data stored and who has access to it? 

Data tends to proliferate, especially when working remotely.  Cyber awareness training helps here, but it also helps for management to have a handle on data storage.  All organisations have this problem, but it becomes more acute for those businesses that hold large amounts of what is known as Personal Identifiable Information or PII.  This is information that can identify a living individual and compromise their privacy in some way.  Financial advisors, estate agents, solicitors etc, all share this issue.  The data protection act, becoming referred to as UK GDPR, is not a suggestion, it is law.

One of the biggest issues we find with organisations of all sizes, is that they think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set.  This has become a real issue in that the new normal tempts users when working remotely, with possibly less than robust broadband, to copy data from cloud storage to their PC or laptop to ensure they can keep working on it.  Then they upload it again when they’ve finished but forget to delete their copy.  That’s just one instance but it is vital to understand where all this data is.  What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why.  I spoke to a financial advisor not long ago who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person.  But under the law, they had no choice but to bite the bullet.

There are several systems on the market which will help with this but what most need now is a system that works regardless of the location of the user and continues providing that cover when the user moves from one location to another.  This is just a suggestion, but we’d be delighted to demo it to anyone who is interested.  https://hah2.co.uk/gdpr-data-protection/

6.        Disaster Recovery and Business Continuity

Business Continuity refers to the proactive strategies and plans put in place to ensure that essential business functions can continue in the event of a disruption or disaster. This could include natural disasters, cyber-attacks, power outages, or any other event that could disrupt normal business operations. Business Continuity planning typically involves identifying critical business processes, implementing redundant systems and processes, and developing communication plans to ensure that the organisation can continue to operate smoothly in the face of adversity.

Disaster Recovery, on the other hand, is focused specifically on restoring IT infrastructure and data after a disaster has occurred. This could involve recovering lost data, restoring systems and networks, and ensuring that IT operations can resume as quickly as possible. Disaster Recovery planning typically involves creating backup systems, implementing data recovery procedures, and testing these plans regularly to ensure they are effective. 

Both are critical components of a comprehensive risk management strategy and should be integrated into an organisation’s overall resilience planning efforts.

Just like backups, which are a crucial part of Disaster Recovery, these plans can become very quickly out of date and useless, unless reviewed periodically and tested to see if they work.

7.        Vulnerabilities and Threats 

A vulnerability is a flaw or weakness in an asset’s design, implementation, or operation and management that could be exploited by a threat. A threat is a potential for a cybercriminal to exploit a vulnerability.  A simple way to explain this is that a vulnerability is the inability to resist a hazard or to respond when a disaster has occurred. For instance, people who live on plains are more vulnerable to floods than people who live higher up.  The threat is the flood itself.

IT risks and vulnerabilities are the potential threats and weaknesses that can affect the performance, security and reliability of your business function and processes. They can have serious consequences for your business goals, customer satisfaction, and competitive advantage.

Identifying vulnerabilities to your cyber security assets and then identifying the threat to those assets in terms of the vulnerability being exploited, informs your risk and enables you to assign a value to it.  Financial value can be assigned to the risk score if you so wish.  You then apply controls to bring the risk down to an acceptable level, starting with the Very High risks, and then bringing them down to whatever is acceptable to you.  That acceptable level, known as the risk appetite, will vary business to business, risk to risk.

8. Supply Chain Security? 

In short, a supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply chain.

An example of such an attack was published by NCSC and points out that many modern businesses outsource their data to third party companies which aggregate, store, process, and broker the information, sometimes on behalf of clients in direct competition with one another.

Such sensitive data is not necessarily just about customers, but could also cover business structure, financial health, strategy, and exposure to risk. In the past, firms dealing with high profile mergers and acquisitions have been targeted. In September 2013, several networks belonging to large data aggregators were reported as having been compromised.

A small botnet was observed exfiltrating information from the internal systems of numerous data stores, through an encrypted channel, to a botnet controller on the public Internet. The highest profile victim was a data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing, and supply chain management. While the attackers may have been after consumer and business data, fraud experts suggested that information on consumer and business habits and practices was the most valuable.

The victim was a credit bureau for numerous businesses, providing “knowledge-based authentication” for financial transaction requests. This supply chain compromise enabled attackers to access valuable information stored via a third party and potentially commit large scale fraud.

OK, it was over 10 years ago, but don’t think it won’t happen again.

NCSC also cited what is known as a watering hole attack, which works by identifying a website that’s frequented by users within a targeted organisation, or even an entire sector, such as defence, government, or healthcare. That website is then compromised to enable the distribution of malware.

The attacker identifies weaknesses in the main target’s cyber security, then manipulates the watering hole site to deliver malware that will exploit these weaknesses.

The malware may be delivered and installed without the target realising it (called a ‘drive by’ attack) but given the trust the target is likely to have in the watering hole site, it can also be a file that a user will consciously download without realising what it really contains. Typically, the malware will be a Remote Access Trojan (RAT), enabling the attacker to gain remote access to the target’s system.

If you are in someones supply chain, then you need to make doubly sure that your security protects your customer as well as yourself.  And conversely, if you are connected electronically to someone who supplies you, are you sure that you are protected from any vulnerability they may have.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.

To learn more about the services we provide please click here https://www.hah2.co.uk/

Please feel free to give us a call or email.

Alternatively, you can book a slot using our Calendly link, https://bit.ly/3yoT0qi

T: 0800 4947478

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Trust H2 – Making sure your information is secure

Cyber Awareness Training General Security Issues Working Practices

Policies and Processes – a topic that can quickly lead to feelings of despair

When discussing cyber security, many envision suspicious figures hunched over screens in dimly lit rooms, perhaps with the scent of Jamaican Woodbines lingering in the air. Unfortunately, this image is misleading; cyber security is often quite routine, especially for those of us focused on defence rather than offence. It fundamentally revolves around People, Process, and Technology.

I published a blog recently about how hackers hack (https://hah2.co.uk/how-do-hackers-hack/). In this article, I delve into how hackers profile individuals and organisations through various methods, frequently utilising what is known as social engineering. This technique is primarily non-technical and hinges on a cybercriminals ability to infiltrate the defences of your employees to extract information. Defending against this threat relies heavily on the first two components of cyber risk management: People and Policy.

For regular readers, it’s clear how much I value cyber awareness training. I consistently emphasise that your staff can be both your most significant asset and your greatest vulnerability. Cyber awareness training is essential and should include educating employees about your organisations structure and operations. They should know whom to contact if they have concerns regarding cyber security or suspect social engineering attempts. This information needs to be embedded in the policy, potentially accompanied by a related process that connects People with Process.

In addition to cyber security policies, we also have data protection policies, which are separate but certainly overlap. While nearly every organisation requires security policies, the necessity and comprehensiveness of data protection policies vary based on the type of business. For instance, you might not immediately think of Estate Agents as data holders, yet they manage substantial amounts of Personally Identifiable Information (PII)—data that can identify an individual. Not long ago, a London estate agent faced an £80,000 fine from the Information Commissioner’s Office (ICO) for leaving the personal data of over 18,000 customers exposed for almost two years due to a failure in their data sharing practices.

It’s astonishing how much PII estate agents possess. Consider all the information they request when buying a house! In this case, compromised details included bank statements, salary information, copies of passports, birth dates, and addresses for both tenants and landlords.

Moreover, individuals have the right to sue companies that mishandle their data. Today, law firms even promote “no win no fee” agreements for these cases. Remember that data breaches typically involve numerous individuals—often hundreds or thousands of records.

To solidify the connection between cyber security and data protection, it’s important to note that the Data Protection Act 2018—often referred to as UK GDPR—mandates that personal data must be secured by ‘default and design’. This implies that cyber security measures must be integrated into your data protection processes, potentially increasing the number of policies and procedures necessary to ensure safety and compliance with legal requirements.

Let’s explore what you might need for cyber security. First and foremost, you require a comprehensive policy approved at the board level or by company ownership if there isn’t a formal structure in place. This policy serves to demonstrate the company’s commitment to cyber security and establishes a foundation for what we term an Information Security Management System (ISMS). While you don’t need to adopt formal terminology, it essentially outlines the framework detailing necessary policies, assigns responsibility for keeping them current and relevant, and ensures dissemination among all staff. Essential policies may include but aren’t limited to:

– Top-level policy issued by the board

– Starters and Leavers Policy

– Access Control Policy

– Magnetic Media Policy

– Mobile Working Policy

– Password Policy

– Email Policy

– Acceptable Use Policy

As mentioned earlier, data protection closely aligns with cyber security. Below is a potential list of policies you may need to comply with legal standards. Again, this list is not exhaustive and may seem excessive for some businesses but provides insight into what may be required:

– Data Protection – Overarching Policy

– Data Protection Training

– Data Protection – Consent

– Consent Withdrawal

– Subject Access Request

– Data Protection Complaints

– Retention of Records

– Data Breach Notification (note there is an electronic version of this on the ICO website)

– Data Protection Impact Assessment Procedure

– Security & Control of data protection documentation

– Policy Management Review Procedure

– Internal Data Protection Breach Register

– Retention & Disposal of Records Register

– Data Protection Officer (DPO) Responsibilities

– Required records to be maintained

Most policies are readily available online; however, knowing what you truly need versus what you can do without can be challenging. Too often people download templates only to modify them superficially while hoping for satisfactory results.

Over time, our approach has evolved alongside legislative changes both here and in Europe as well as shifts in working practices. We’ve dedicated countless hours researching solutions tailored to meet requirements that adapt into systems suitable for all business types—not only affordable but also compliant with standards like Cyber Essentials if needed. Flexibility has become crucial due to new working paradigms; traditional security systems where everyone operates within secure boundaries protected by firewalls are outdated. Today’s protective systems must function seamlessly whether you’re at home, on the move, or in the office, and your policies must reflect that.

When we first engage with prospective clients, we offer a free trial to assess their needs, we frequently discover they lack clarity on what data they hold or its location. They might have a vague understanding—perhaps it’s stored on cloud servers, with laptops or desktops accessing data on the cloud. However, once we implement our software for discovery purposes, we often find numerous copies stored on laptops/desktops alongside cloud servers. How does this happen? Over time—and particularly with many adopting hybrid work models—employees log onto cloud services remotely using unstable internet connections; they download necessary files to work offline then neglect to delete them after re-uploading. Or they may share files via email without realising it leaves sensitive information attached to their email server.

Audit trails present another issue: If the ICO investigates, having clear records indicating who created/copied/deleted/forwarded data is crucial. Additionally, individuals are entitled to submit Data Subject Access Requests (DSARs), compelling you to disclose any held data regarding them—a legal obligation you cannot refuse. I know of a financial firm that took almost three weeks just to fulfil a DSAR request which diverted an employee from billing tasks during that time.

Our solution addresses today’s requirements effectively—it even includes an encryption system—all under one monthly fee. You can trial it at no cost; we’d be surprised if after seeing its capabilities along with our incredibly low managed service rates you didn’t want to keep it!

Cyber Awareness Training Working Practices

Work v Life Balance

A little change this week from my usual promotion of cyber security issues, prompted, at least in part, by the changes affecting SMEs by the budget, and also because I do tend to interact a lot with HR and recruitment company’s largely because of the amounts of personal identifiable information that they hold and their concern about those budget changes.

There are going to be different views about those changes, driven by lots of things ranging from political views to how they will impact individuals and I’m not going to pore oil on those differing views.  That’s not the focus of this piece.

My first 30 years employment, from age 15 to age 40, was spent in the public sector, 25 years in the Army and 5 years in the NHS.  I then left and spent 2 years in a UK company before moving on to a major US corporation, followed by 2 more major US corporations.  By that time I’d had enough and wanted to run my own business my own way.  A challenge which never stops but has its rewards.  The contrast between the attitudes in the UK and in the US are stark, even given that the UK has attitudes to employment and laws, which are much more onerous than they are in Western Europe.

One of the first things that hits you in a US corporation is the expectation that you will work as long as they want you to, go where they want you to, and do what they want you to, all within the same salary.  Some managers are harsher than others of course, but the stock price will win every argument, and I well remember the Chairman of my first company openly admitting that they used staffing levels to control the stock price.  That meant that they would cut staff to keep the markets happy, without a second thought and absolutely hated that they couldn’t do that in Europe because of the employment laws.  The US employees had no such protection.

There were many examples of how employees were often impacted by the attitude of the senior management across the pond.  One such sticks out when I was running a team in the middle east.  Our weekends were Friday and Saturday, we worked Sundays.  One Friday the team had hired a boat, privately between us, and we were anchored offshore with the team diving off the boat into some very warm waters and having a good time.  My mobile phone rang, and I was told that I needed to get online and produce some stats that were needed immediately.  All the European teams were doing this.  I told him we couldn’t get to the office and even sent him some photos that I took with my phone to show him where we were and reminded him it was our weekend. 

Needless to say, I was reprimanded for this and told that I wasn’t being loyal.  I was a manager who insisted on looking after my guys (and gals) but that wasn’t universally appreciated by those above.

So, what is senior management often missing when they treat staff poorly, when they are demanding and even sometimes, demeaning.  Managers are looking for productivity, of course they are, without that the company goes under, but is a happy staff more productive than an unhappy one.  If we are paying a low wage and making staff claim UC to make it up, does that demean the staff member as well as putting the burden on the taxpayer.  Going back to my time in the Army in the late seventies, I remember being a Lance Corporal and qualifying for supplementary benefit, which I found demeaning.  Mind you it got worse, I was promoted to Corporal and no longer qualified and lost about a tenner a week – a lot of dosh back then.

Let’s now look at what a good work-life balance is going to give us.  Is it essential for maintaining overall well-being and improving not just the personal aspects of life, but also does it improve those professional aspects that increase productivity?  I’m not declaring myself one way or another and would prefer others to come to their own conclusions.

a. Improved Mental Health

  • Reduces stress and anxiety.
  • Helps prevent burnout by creating time for rest and self-care.
  • Encourages a clearer mind, enhancing focus and decision-making.

b. Enhanced Physical Health

  • Allows for regular exercise and proper sleep.
  • Reduces the risk of stress-related illnesses, such as heart disease and high blood pressure, reducing time off for illness.

c. Increased Productivity

  • Balancing personal and professional priorities leads to greater focus and efficiency at work.
  • Employees who are well-rested and satisfied with their personal lives tend to be more motivated.

d. Stronger Relationships

  • Allocating time for family and friends strengthens personal bonds and social support networks.
  • Improves communication and connection with families.

e. Greater Job Satisfaction

  • Employees who maintain balance are more likely to enjoy their work, feel fulfilled, and remain engaged.
  • Reduces turnover rates by creating a supportive work environment.

f. Personal Growth and Fulfilment

  • Provides opportunities to pursue hobbies, interests, and personal goals.
  • Encourages learning and development outside of work, leading to a more well-rounded life.

g. Better Work Culture

  • Promotes a positive workplace where employees feel respected and valued.
  • Encourages teamwork and collaboration by reducing tension and conflict.

h. Increased Creativity and Innovation

  • Taking breaks and engaging in diverse activities fosters creative thinking and problem-solving.

We can argue that a poor work-life balance on the other hand, can have wide-ranging effects, impacting mental, physical, and social well-being as well as professional performance. Here’s a breakdown:

a. Physical Health Issues

  • Increased stress levels: Chronic stress can lead to headaches, fatigue, muscle tension, and weakened immunity.
  • Higher risk of chronic illnesses: Conditions such as heart disease, obesity, and diabetes can result from prolonged stress and lack of physical activity.
  • Sleep problems: Difficulty in disconnecting from work may lead to insomnia or poor-quality sleep.

b. Mental Health Challenges

  • Burnout: Persistent overwork can result in emotional exhaustion, reduced productivity, and detachment from work.
  • Anxiety and depression: Long hours and the pressure to perform can exacerbate mental health issues.
  • Reduced focus and creativity: Mental fatigue from a poor balance impairs cognitive functioning and decision-making.

c. Professional Consequences

  • Decreased productivity: Overworking may initially boost

So, what do I personally, conclude from this and why do I care?  Well firstly I’m a human being and so should care and secondly, I’m a business owner and want my staff focused, productive, great for clients to interact with, responsive and who look forward to coming in every day, or at least most days, every day is probably a stretch.  I will also readily admit that some of these points aren’t my own, I have cribbed from some research I did into this area.

What is your take?  I would expect differing views and that’s OK, we all face issues every day in business, some we have in common, and some are unique to a particular business.  I’m not looking for an argument, just some mature reflection.

Scroll to top