Blog & Social

The latest cyber security news for UK Businesses

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Managed Detection and Response (MDR)

What’s this all about and why would it be of any benefit to you?  The first part is easy to explain but the second is a little more problematic.  MDR is a cybersecurity service designed to help organisations, including small and medium-sized enterprises (SMEs), detect, investigate, and respond to cyber threats without needing their own large security team.  That latter bit is important for an SME simply because they don’t have the expertise or resources to do this themselves, neither can they rely upon their local IT provider to do this for them, even if only because it almost certainly won’t be in your service contract.

What does it give you:

CapabilityWhy it matters to SMEs
Around-the-clock monitoringCyber threats don’t stick to business hours – MDR providers watch systems 24/7.
Threat detection using modern toolsUses advanced analytics, machine learning, and threat intelligence that SMEs typically can’t afford or manage internally.
Rapid Incident ResponseCan remotely contain and remediate attacks before they spread.
Security expertise on demandSMEs gain access to required expertise.
Proactive threat huntingIdentifies hidden attackers or early-stage breaches.
Compliance and reportingHelps SMEs meet regulations (e.g., GDPR, Cyber Essentials, ISO 27001) with clear reports.

The above describes a full service, SMEs do have the choice of selecting a full response or an alerting service which also gives guidance on what to do i.e. helps manage a response by you.

It’s important to understand what an MDR is not:

  • Not a replacement for basic security hygiene (patching, backups, strong access controls)
  • Not just a tool, it’s a combination of technology + human expertise
  • Not “set and forget”, you still must collaborate on remediation decisions

So now we understand what MDR is, let’s look at why you might want it.  SMEs are increasingly targeted by cybercriminals due to limited in-house security resources. An MDR service provides continuous monitoring, advanced threat detection, and rapid incident response, improving cyber resilience while reducing operational burden and cost. Implementing MDR will significantly reduce the company’s cybersecurity risk and support compliance, business continuity, and customer trust.  And if you think this is all over the top let’s remember Knights of Old, they were an established trucking company who moved a lot of what you might call just in time goods, i.e. perishables.  They were hit with a ransomware attack and went under in a frighteningly short time.

So just to crystallise the problem, current security controls are designed to be preventative and are largely reactive, with no proactive elements to them.  They lack:

  • 24/7 threat monitoring
  • Real-time detection and investigation
  • Specialised expertise required for modern cyber threats
  • Rapid response capability to contain breaches

As a result, you potentially face::

  • Increased probability of a successful attack
    • Delayed breach response → attackers remain undetected for months
    • Data exfiltration and business disruption
  • Higher financial and operational impact if one occurs
  • Non-compliance with data protection obligations (e.g., GDPR, industry standards)
  • Reputational damage and loss of customer confidence
  • Insurance coverage gaps (cyber insurers increasingly mandate MDR-level monitoring)
  • Greater operational and legal fallout from incidents

The trick for many SMEs would be finding a solution that is suitable for them and just as importantly affordable.  A good fit could be:

  • Affordable subscription model with no costly infrastructure
  • Bridges the cybersecurity skills shortage
  • Improves resilience against ransomware, phishing, insider threats, and more
  • Scales as the business grows

SMEs would also need to consider whether they need a full response service or an alerting service level.  The latter is obviously cheaper and maybe more appropriate for many.  The coverage they should be looking for needs to include:

  • Endpoints (laptops, servers)
  • Cloud workloads (Microsoft 365, Azure, etc)
  • Identity services (Active Directory)
  • Network visibility
  • Email security
  • Remote workforce monitoring

I hope that this provides food for thought as I know many SMEs will not have considered this type of service or if they have, they will have dismissed it as too expensive and probably over the top.  And for many years this would have been just that.  I first got involved with this back in 2002 and built several security operations centres over the years, including staffing levels and processes. 

Generally, these have been way too expensive for an SME to consider.  But that has changed now, there are services available which are designed for SMEs, and which are affordable and appropriate.  Now I know you’ve been waiting for the pitch and here it comes.  At H2 we provide such a service which is very affordable, and we are happy to stack it up against others.  We offer a 14 day totally free trial, that covers your whole estate, i.e. not restricted to one or two systems, or departments, but your whole organisation. 

Cyber Awareness Training Data Breaches and their consequences Risk Analysis and Security Strategy Security

Innovation – Why Do Many Shy Away from it?

We are, by nature, somewhat reserved I think, and we like to trust the known and proven, rather than the unknown and as yet, unproven.  How many of us like to be the first to by the latest model of a car, or the latest ‘phone.  The same applies to our IT infrastructure and security.  Something might advertise some really great innovations, but we want to see someone else try it first, just to be sure.

I read an interesting piece where the thrust was that true innovation consists of doing now what you should have done ten years ago.  Harsh, maybe, but also fair.  I’m constantly reading industry surveys which highlight the low level of cybersecurity maturity amongst large firms and, increasingly, an even lower level amongst smaller firms.  We never seem to learn.

So, what are we referring to here.  In a nutshell, the creation and adoption of new technologies, strategies, and practices that improve the protection of digital systems, data, and networks from cyber threats. It goes beyond simply maintaining existing defences, it’s about staying ahead of attackers by introducing smarter, more efficient, and more resilient security methods.

My focus remains on SMEs, so I’ll skip more talk about the corporate world.  In conversation with people I’ve worked with for years, their anecdotal evidence supports the underlying truth of these surveys.  SMEs in particular struggle with the basics of good cybersecurity housekeeping, such as monitoring of basic network events, timely removal of user accounts, timely deployment of security patches, and revalidation of access level, particularly privileged access.  This list is far from exhaustive, and this message has been pushed over and over by cybersecurity professionals over the last 10-15 years, but SMEs continue to rely on technical solutions which simply don’t stack up in many areas.  Why?  Simple, because they are relying on local IT providers to give them solutions and those IT providers continue to push the technologies that they sell.  SME owners and managers are very reluctant to relinquish that argument.  Strange when often the best solutions are procedural and as such, much cheaper than a technology that probably doesn’t quite match up anyway.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT.  They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Back to the topic in hand, innovation and how and when should we be seriously considering it.  Ideally, we should be constantly looking for innovations, not just to keep us safe, but to encourage efficiency and cost savings, and I’m sure all SME owners would love to have the time and resource to do just that.  But we live in the real world and SMEs will be cost, and resource constrained.  But that’s not an excuse to not keep a weather eye on the need to innovate.  We live in a changing world and what we in the business call the threat landscape, changes constantly.  This simply means that threats evolve all the time, often to meet new circumstances, and AI for instance, is reducing the response time of cyber criminals to new technologies and changes in working patterns, to almost what is known as the zero day threat, ie zero days from the release of something new, to a threat being created to exploit it.

When COVID hit, many SMEs had to move very quickly to keep going, adopting remote working without the time or luxury of any real planning.  It was a knee jerk born of necessity and certainly not the way they would have liked to do it.  There are multiple cases of companies not having the necessary equipment, in terms of hardware, desktop, laptops etc, and allowing staff to work from home using their own home machines, connecting to both office and cloud-based systems, without any check on how those machines were configured, whether or not they were kept up to date with the latest patches, or whether they were used by other family members. 

In terms of equipment, cloud usage and some working practices, that situation is righting itself, sort of.  There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are either planning to, or have adopted a hybrid model.  In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.  That new working model has arguably had the biggest effect on working practices and in turn, cyber security as it affects SMEs, since the innovation of IT itself. 

So, what needs to be done if hybrid working patterns are to continue?  Well, first and foremost comes your policies.  Do they reflect the new hybrid working model?  Have you laid down what is and what is not an acceptable use of company IT equipment if it’s being transported to a home address?  Do you allow the use of home machines, and have you laid down how those machines must be configured before they can be used for company business?  That list is not exhaustive.

Secondly comes user training.  Cyber awareness training for staff, along with a broad understanding of data protection principles, becomes even more important when staff are working from home.  It is a clear no brainer which many SMEs still don’t recognise as necessary.

Of course, those 2 things are hardly innovation, unless of course, you haven’t taken any of those measures and then it becomes innovative within your company.  Real innovation perhaps comes from reviewing the technologies you have in place, and have relied on, possibly for years.  Most, if not all those technologies will be based on the old bastion model of security, ie a network perimeter with a secure gateway, protecting your assets within that perimeter.  With the new working model, relying usually on cloud connectivity, your staff could be working in the office, at home, from a coffee shop etc etc.  You now have a mobile workforce.  What is needed is real innovation that protects your data regardless of where it is, technologies which themselves are cloud based, not caring where the end point it is monitoring actually is, whilst maintaining cost effective pricing.  This is something we’ve been at great pains to research and have now come up with such solutions.

Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

How one SME coped with the fall out of a cyber attack

We talk a lot about how to protect ourselves from cyber-attacks and the potential for how easy or difficult it is for cyber criminals to attack companies of all sizes and types, but we don’t often describe real events which could impact those companies until they actually happen, and then, we often only get the information that they want us to have.

So, we thought we’d try and do just that, albeit in a sanitised way (with permission) to protect the privacy of the company involved.

Background

The target was a small. To medium sized design agency based in the UK. They manage branding and marketing materials for a significant number of clients, many of whom share confidential product data and campaign details before public release.  And of course, the company held their own confidential data regarding their operations, finances and personnel.

For years, this agency relied on a mix of free antivirus software, shared passwords, and basic email communication. Like many SMEs, cybersecurity wasn’t seen as a priority until the day that all changed!

So, what happened?

One Friday morning, a manager noticed that all shared project files on their network drive had strange extensions and couldn’t be opened. A ransom note appeared on every folder:

“Your files have been encrypted. Pay x amount of Bitcoin to recover them.”

  • The team had been hit by ransomware.
  • Their business was paralysed, and they couldn’t access their admin and finance systems or their client work, deadlines loomed, and panic set in.

The IT contractor confirmed the bad news: a staff member had unknowingly clicked a link in a fake invoice email that mimicked a well-known supplier. The malware spread across the network overnight.

At this point many companies fall into complete disarray simply because they haven’t got a disaster recovery and business continuity plan and they have no way of operating their systems manually.  Management will be demanding to know how long they can manage without their IT systems and how long it will take to get everything up and running, without paying the ransom.   The IT company will be pressured about backups; are there any and if so when can they be restored, which is when of course they realise that without their systems, there is nothing to restore the backups to.

The IT company confirmed that they did have backups stored off-site as part of the contract but that daily backups were stored on site and that the onsite backup server was also compromised, and the off-site backups were taken once a week, which meant that as by this time it Tuesday, the off-site backups were 2 days old.  But much better than nothing.

The problem remained that they had deadlines to meet and if they didn’t want to lose clients and have their reputation in their industry shattered, they had very little time.  Reluctantly the management made the decision to pay the ransom which meant they had to go cap in hand for extra funding as they operated on tight margins and the ransom in pounds was close to £150k.

This got them back online and saved their projects and reputation but at a cost that really hurt and not just in financial terms, but in their pride as managers.  It really stung.  They knew that had to bite the bullet and take cyber security seriously.  They realised that their local IT company, although excellent in keeping their network up and running efficiently as well as providing their hardware and software, and kept strictly to the terms of the contract, was not going to protect them to the level that they needed.

The rebuild

Having got everything back up and running they were seriously worried that they might get hit again quickly, before they had a chance to sort things out.  There was no room for complacency but at the same time they had to go forward with a strategic plan.  So, they brought in a specialist cybersecurity company who guided them through a strategy to not just recover, but to protect themselves going forward.

One of the first things they learnt is that cyber security is a business issue and not a technical one.  Management must own it and understand it.  It starts with people, having the right people in the right place who understand, at least at a high level, the issues and how to take basic precautions to protect themselves and the business.  Then comes policy and process, coming down from the top, regularly reviewed and updated by management, and promulgated to all staff with regular reminders.  Once that’s in place we can look at technology.  Noone had articulated that to them before.

The first thing their new cyber partner did was to devise a high-level strategy that the company could adopt going forward.  They explained that it needn’t be complicated and in fact, the simpler and easier to understand, the better.  Keep tech jargon out of it and use plain English.  They came up with a plan which identified some quick wins to protect them quickly, before coming up with more detailed projects that could be phased in over time.

The quick wins were:

  1. Cyber awareness training for all staff including management.  Let’s make sure no one ever clicks a link they shouldn’t.  The training should be done at induction and then refreshed regularly throughout the year.  It can be run by the HR staff or a HR company under contract if that is the case.
  • Produce policies starting with a high-level policy signed off by the CEO which clearly outlines everyones responsibility for cyber security and who is responsible for the detailed polices which will underpin this top-level policy.
  • Enforced multi factor authentication (MFA) for all logins and a password manager to replace the spreadsheets they were using.

This is then followed by more detailed projects phased in over time.  The phasing helps to ensure that there is not too much disruption to the business operations and that staff can be carried along with it, ensuring their buy in.  It also helps to make sure that it fits in with the company budget and doesn’t hit the bottom line all at once.  It included:

  1. An examination of the contract with the IT company and making any revisions that might be necessary.  For example, the back-up regime.
  • Migrated to a cloud-based file system with built-in versioning and encryption (in this case MS365 was chosen which is a favourite go to for SMEs and was offered by their IT support company).
  • Every employee completed simulated phishing exercises as part of the awareness training.
  • A detailed incident response plan was produced which clearly detailed who was responsible for what, who to contact and what to do, in a prioritised order.  It also outlined a business continuity plan written by departmental heads, showing how the company would continue to operate whilst systems are recovered.
  • Identification of assets, i.e. databases, client information, HR data, financial data, project plans etc, to prioritise what data needs to be protected to what level.
  • Identity and access management review with a view to moving to a zero-trust access control system.
  • Consider applying for cyber essentials certification.

The Outcome

Within six months, they were back on track and stronger, much more resilient. They were, like most companies, hit with phishing attempts all the time but their employees were trained to recognise them instantly and knew who to report it to. No one clicked the link.

Clients noticed the change, too. The company started to include a short “data protection and security” statement in their contracts, which won them new business. Larger clients trusted them more because they could prove their cyber resilience.  They were now committed to Cyber Essentials and would include that logo on their website and advertising as soon as they qualified.

The big lesson

Their experience shows that cybersecurity isn’t just an IT issue — it’s a business survival issue.  Even small steps, awareness, MFA, and secure backups, can transform an SME from a target into a resilient organisation.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Working Practices

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target and there are a ton of statistics available which shows that SMEs globally are a very real target for cyber-attacks and can in fact, be very profitable for cyber criminals.  There are a lot of reasons for that but one of the top reasons is that typically, SMEs spend very little on cyber defence and generally have very weak defences.  Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault.  Most are focused on their core business, trying make a quid or two and are pressed for time.  They tend to rely on whatever company, usually local, that supplied their network, hardware and software, generally on a retainer.  The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then, not necessarily the right technology.

When it comes to cybersecurity governance and management, there is no “one size fits all” approach.  In today’s threat landscape we need to fully understand that cyber security is not a purely technical problem, focused on hardware and endpoint protection and on operations within the organisational perimeter.  Today we are dealing with cloud storage, in office and remote working, data at rest and in transit, involving security at every point along the route.

It is critical that someone within the organisation has to take responsibility for cyber security and that person must have a seat on the Board. A Board-level response is not just appropriate; it is essential.

Secure by default and design

Now that’s an interesting title, but what does it mean?  Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to the cloud of some sort, very possibly for SMEs, MS365, but when the design was done, there wasn’t a full risk assessment undertaken which is a requirement to underpin that design.  In other words what we in the cyber security industry refer to as Security Architecture Design (SAD), wasn’t a prominent consideration.

Not unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else.  And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate?  No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

      2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

      3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

      4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

      5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

      6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

      7. Collaboration with external partners: Establishing a partnership with cyber security company that understands the issues that affect SMEs and who themselves can establish a solid working relationship with the IT provider that is providing and administering your network and IT resources, will enhance your protections, significantly improve your employee and managerial awareness of the issues, and provide you with the peace of mind you need, allowing you to concentrate on your core business.

      Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Risk Analysis and Security Strategy Working Practices

      Cyber Maturity

      What do we mean by cyber maturity?  It’s not just about the protections you may have in place, but more about how well your organisation understands the importance of it and its place in your overall business strategy.  It is after all a business issue, not a technical issue and needs to be treated as such. Modern security solutions are increasingly complicated and challenging. These complexities change all the time and with the changes in working patterns and the introduction of AI now at the hands of the cyber criminals, they require a broad understanding of cyber security. Very few SMEs possess this level of expertise and can find themselves struggling to protect themselves and rectify security risks discovered within their business. In a climate of frequent, and potentially devastating, malicious activity organisations need targeted, rapid remediation and effective solutions. In doing this they will improve specific areas of their security systems, reduce their level of exposure and minimise potential losses, which can be very significant.

      Many small and mid-size businesses struggle to combat the threat that cybercrime poses. A simple piece of malware or a social engineering event, can result in the loss of sensitive company and client data, disrupt business and waste staff time. Such incidents are commonly sensationalised by the media, causing client defection and damage to hard-earned reputations, resulting in significant loss of business.

      I’ve described the risk management process before, and I know it can be a bit daunting, and many would fear it’s costs and complexity.  That is why we have designed and taken into use the Cyber Maturity Assessment (CMA), specifically for SMEs which will enable them to go down the risk management road at a pace and price they can afford.  The CMA is designed to obtain a view of where a client sits currently in terms of their Cyber Security posture. It is obtained from the results of interview with the staff, examination of current policies and procedures, including their effectiveness, security architecture and technical controls, and observations to gain an understanding of cyber security by management and staff. It is designed to provide a report which shows a client exactly where they sit in terms of Cyber Risk in a way that is demonstrable and east to understand. It gives a client a starting point from which H2 consultants will be able to scope any problems.

      What Does a Cyber Maturity Assessment Give Me?

      In brief, the CMA is designed to:

      • Understand and define the target state of the system i.e., where does the client want to be in terms of Cyber maturity – in defining the target state there must be a clear understanding of the business drivers, future business demands and business dependencies affecting the organisational area under examination.
      • Understand the current level of Cyber maturity – At this point the matter of cyber maturity will be a somewhat subjective view, obtained from the results of interviews with staff and initial observations by H2 consultants. This element is not intended to replace a detailed understanding, but to provide an initial view and start point, from which H2 consultants will be able to scope the problem and recommend any remediation required, in a phased way.

      We measure both the starting point and the end point using the Carnegie Melon Cyber Maturity Model.  I know other consultancies will use other models for this, but this is one that we have found to be effective, both for SMEs and in the corporate world.  It looks like this:

      I mentioned earlier that this is something used in the corporate world and whilst that’s true it is a matter of scale and need.  Most corporates would have the requirement and budget to aim high, say at around CMMI4 (5 is rarely hit).  For most SMEs that’s a step too far and as a rule of thumb, when we do this, we tend to find we’re starting at around 0.8 to 1.5 with the aim to get to CMMI 2 as soon as is feasible, with the end game at CMMI 3 which is affordable for most SMEs if a phased approach is taken.

      At the end of this initial process and SME is rarely able to just jump in and accept the recommendations and get on with fixing them.  It can be a complex issue requiring a hard look at their staff in terms of cyber awareness training, their policies and processes and their technical solutions, all aimed at prioritising the protections required for each asset in accordance with their vulnerabilities and threats.

      A phased approach is almost always needed, often aligned with budgets.  It can look a bit like this:

      The first transformation project tends to be what we term the Quick Wins Phase ie what can we do relatively easily, quickly and therefore affordably, to give the client the most urgent fixes.  It often, but not always, looks like this:

      This has just been a very quick cantor through the CMA process, and we need to emphasise that each client has a different set of requirements, and we can often jump into the process at a different stage. Call us if you want to know more.

      General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

      Cyber Security Architecture

      In many of my discussion with small to medium business owner on the subject of Cyber Security and how it may impact them, one of the things that does stand out, amongst quite a few, is the lack of understanding about security architecture.  So, I thought it was worth discussing it further.

      What is security architecture?  Well, in a nutshell it’s the technical elements of security that are used to mitigate cyber risks.  Many of you may have read or heard of me talking about the differences between IT Security ie, the technical elements, and Cyber Security ie, the risk managed elements, a more holistic approach if you like.  And of course, the two remain separate whilst maintaining a symbiotic relationship in that one begets the other, or it should.  Security architecture, in order to be fully effective, has to be based on risk management ie, if you haven’t identified the risks, how can be sure that whatever technology you’ve been persuaded to buy, is necessary and effective?

      All SMEs will have things like a firewall and anti-virus, possibly going a step further and having some form of end point protection against most malware attacks.  But how did they arrive at the products they have purchased and taken into use.  Well generally that is based solely on the recommendation of whatever IT support company they’ve bought it from.  Usually, the local IT company that they use to supply their hardware and software and who often provide technical support as well.

      I’m not against building a relationship with a local IT provider, in fact it’s a very good idea, but all SMEs have to realise that those companies are what is known as Value Added Resellers or VARs.  What that means is that they have a relationship with hardware and software vendors and that their staff are trained in the installation, configuration and sometimes maintenance, of those vendors hardware and software.  Is that a problem?  That depends very much on how the requirement for a solution was arrived at.  Was it based on identifying the risk through some form of risk assessment process, or was it arrived at because that’s the products they sell and are comfortable with?  All too often it’s the latter.

      I’ve also talked elsewhere about the other non-technical controls that might be required, such as policies and process, another subject but one which is vitally important and can often be better placed to protect a company than expensive tech.

      How many SME owners have had the reasoning behind the purchase of technical solutions explained to them? And to be fair to the VAR, how many SME owners have asked for it to be explained to them?  It is typical, when I visit SMEs, to find that they have what is known as a flat network.  That means that they have one gateway into the network, introducing a single point of failure, and no segmentation within the network.  Lack of segmentation means that once an intruder is in, and often the gateway firewall is a dual firewall/router entry level device, not the best, then there are no other controls to stop the intruder from attacking end points, such as for instance, your finance department/person, or perhaps just taking whatever data they want in a stealth attack, so that you don’t even know it’s been compromised.

      Of course, these days that is often exacerbated by the increasingly popular remote working.  I know not every company has embraced this, but many have and have not through the security implications.

      Segmentation, remote access and remote security solutions need not be overly expensive to implement and may save a lot of money in the long run.  But the main point is that unless you have carried out a risk assessment, then you don’t actually know whether you need a particular solution or not.  Neither do you know whether your firewall and/or router is up to scratch, whether your anti-malware system is doing what you think it’s doing, whether your policies and processes are adequate for the task and whether your staff understand the issues and dangers.

      None of these things need be complicated and difficult but they are essential to adequately protect you against and increasingly sophisticated and ever evolving cybercriminal community.

      Cyber Awareness Training Data Breaches and their consequences General Security Issues Risk Analysis and Security Strategy Security Tools

      Do You Have a Handle on Your Cyber Maturity Stance?

      Over the years I’ve had some very interesting conversations with several people from multiple different verticals, but all fitting comfortably within the SME bracket, around Cyber Security.  The conversations often tend to take a very familiar turn.  The cry of, ‘I’m covered, my IT support company has put in a firewall and some anti-virus.  They tell me all is good’.  Slightly depressing but not terribly surprising.

      Even though cyber security and data loss prevention have leapt to the top of many people’s agenda in recent years, it is still common amongst many SMEs to believe that it is an IT problem, a technical problem rather than a business issue, even when recognising that the risk of a cyber intrusion or a data breach, impacts the business, the bottom line.  So, is it an IT issue or a business issue? 

      The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security incident of some sort.  For the small business this could result in costs they could well do without, and I know of one business that has been hit for around £30000, which I am sure you will agree, can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers data and assets be affected as well.

      As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

      If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

      It is a common misconception is that IT Security is the same as Cyber Security.  That surprises a lot of people, so let’s explore it a bit.  There is clearly a close symbiotic relationship between the two disciplines.  I would argue, and I know this might meet with some disagreement, that IT security refers to traditional IT security methods which are technology based.  Such as firewalls, anti-malware, end point protection etc.  Whilst Cyber security is based very much on risk management which combines controls which are both non-technical and technical, following the principles of People, Process and Technology.

      Within the SME world this tends to mean that there is a heavy reliance on third party IT providers.  Is that a good thing? After all that’s in their area of expertise and responsibility, isn’t it?  And here comes the controversial bit.  Third party IT providers, particularly in the SME space, are pretty much exclusively value added resellers or VARs, i.e., companies that sell other company’s products.  Now I’ve no problem with that per se, but it comes with issues.    Notable amongst them is that these companies will have skill sets that are very much limited to the products they sell.  Ie they are proficient in the installation and configuration of those products and their clients are offered those products whether they are best in class, or more importantly, whether they are the most appropriate for the task.  Before I get a social media pile on, I know that some of the bigger VARs do sell multiple vendors products, but they are in a minority.

      Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

      • Small to medium size businesses are not worth attacking.
      • Cyber Security is an IT Issue.
      • Technology will keep me safe.
      • My policies and procedures are up to the job.
      • My staff are young and have been brought up with IT.  They know the score.

      Now let’s look at some of the more common issues that we see often amongst SMEs:

      • Lack of awareness around the current real-world cybersecurity risks
      • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
      • Lack of cybersecurity knowledge, and understanding
      • Poor cybersecurity maturity and posture within their businesses
      • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

      Here at H2 we offer a cyber maturity assessment that is designed specifically at SMEs.  It is a comprehensive evaluation of an organisation’s cybersecurity capabilities and readiness to effectively mitigate and respond to cyber threats. It involves a detailed analysis of the organisation’s cybersecurity policies, procedures, technologies, and practices. The assessment aims to identify potential vulnerabilities, weaknesses, and areas for improvement in the organisation’s cybersecurity posture.

      During the assessment, we typically examine various aspects, such as:

      • Governance and Management: Reviewing the organisation’s cybersecurity policies, risk management frameworks, and leadership’s commitment to cybersecurity.
      • Security Awareness and Training: Evaluating the level of cybersecurity awareness among employees and the effectiveness of training programs.
      • Technical Controls: Assessing the implementation and effectiveness of security technologies, such as firewalls, intrusion detection systems, antivirus software, and encryption mechanisms.
      • Incident Response and Recovery: Analysing the organisation’s incident response plan, including procedures for detecting, reporting, and responding to cyber incidents.
      • Security Risk Management: Evaluating how the organisation identifies, assesses, and manages cybersecurity risks.
      • Third-Party Risk Management: Assessing the organisation’s approach to managing cybersecurity risks associated with third-party vendors and partners.
      • Compliance and Regulations: Verifying the organisation’s compliance with relevant cybersecurity regulations and industry standards.

      The results of the Cyber Maturity Assessment provide valuable insights to the organisation, enabling them to enhance their cybersecurity defences and establish a more robust and resilient security posture. It helps organisations prioritise their investments in cybersecurity, address vulnerabilities, and strengthens their overall cyber resilience and provides a road map to reach a standard agreed with the management, taking full account of that managements risk appetite.

      H2 is currently offering a free 1-hour consultation, and if you wish, a 10% discount for a CMA.

      Cyber Awareness Training Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Working Practices

      Cyber Security is a Business Issue

      This is a subject I return to quite often and it’s all about how cyber security is viewed by many SMEs, and I’ll explore why that view appears to be paramount.  I am pretty much of the view that the attitude I’m about to expand on, is as much the fault of the cyber security industry, as anything else.

      We tend to flood potential clients with adverts and articles, mainly focused on technology.  Many of this comes from sales, rather than from the seasoned cyber security experts, that you might wish it did.

      Let me give you a couple of quotes.  The first comes from a renowned Harvard scientist and cyber security specialist.  He says, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.’  The second comes from Stephane Nappo, Vice President and Global Chief Information Security Officer for Groupe SEB, ‘It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.’

      Boil that down and they are saying that this is not an IT issue, it’s a business issue.  That’s not discounting technology’s role but without integrating it with PEOPLE and PROCESS, we’re only curing half the ailment. When advising a company’s leaders, we must not only identify the threats but also gauge vulnerability to these threats and ascertain the risk to the business. Only then can we craft a solution that harmoniously unites People, Process, and Technology.

      Perhaps because there is a considerable amount of what we call FUD, fear, uncertainty and doubt, doing the rounds constantly, it concentrates people on thinking about specifics, instead of looking at the bigger picture.  Whilst there is no doubt that phishing, ransomware, and other scams have certainly concentrated the mind somewhat, and these attacks are most definitely not confined to the large enterprise businesses, but have been attacking, with a lot of success, the small to medium business market, this causes vendors to try and exploit the issues around that and push their technology solutions and of course, SMEs rarely, if ever, have the expertise to judge whether or not a particular product will actually give them the protection they need.  We now must add into the mix AI and its capacity for increasing cyber-attacks at all levels, making the production of code, so much easier and making it available to those perhaps less skilled than heretofore.

      As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to give the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  Let’s just remind ourselves of the quote from Bruce Schneier:

      If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

      So, what does he mean?  As he’s not here to ask I suggest what he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

      It’s also necessary to have some form of measuring the effectiveness of your solutions through a protective monitoring solution.  Such solutions for SMEs have long been considered too expensive to even consider, even though it provides a set of cybersecurity practices and measures aimed at safeguarding an SMEs digital assets and sensitive information.

      But first and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it goes not as expected?  Do I want to take this person on?  Etc etc etc.  Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take.  Failure to do that will almost certainly be damaging to your business, perhaps fatally so. 

      Within SMEs the difference between assessing day to day business risk and assessing risk to information assets, is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations.  I could go on.

      The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate to achieve your business aims.   You need to ensure that supporting policies are produced, implemented, understood by employees, and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

      You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

      Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

      Sadly, that’s not the end.  User education is probably the most important element of all for an SME.  Ensuring that your staff are aware of the policies and why they exist.  Protect yourself against scams which sadly, form the biggest danger to SMEs rather than hacks.  Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

      Cyber Awareness Training Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware

      SPOOFING

      I’ve mentioned spoofing quite a bit in various posts and blogs, but what exactly is it?  Spoofing, as it pertains to cybersecurity, is when someone or something pretends to be something else, attempting to gain our confidence to get access to our systems, steal data, steal money, or spread malware. These attacks come in several forms, including:

      • Email spoofing
      • Website and/or URL spoofing
      • Caller ID spoofing
      • Text message spoofing
      • GPS spoofing
      • Man-in-the-middle attacks
      • Extension spoofing
      • IP spoofing
      • Facial spoofing

      Cyber criminals aren’t all that original and spoofing is another con to fool us into taking some form of action that the criminal wants us to take; in other words, it’s a more technical variation on a con artists skill set.  Very often, merely invoking the name of a big, trusted organisation is enough to get us to give up information or take some kind of action. For example, a spoofed email might inquire about purchases you never made. Concerned about your account, you might click the included link.

      From that malicious link, scammers will send you to a web page with a malware download or a faked login page, complete with a familiar logo and spoofed link to a web page, for the purpose of harvesting your username and password.

      There are many more ways a spoofing attack can play out. In all of them, fraudsters rely on victims falling for the fake. If you never doubt the legitimacy of a website and never suspect an email of being faked, then you could become a victim of a spoofing attack at some point.

      Let’s look at some types of spoofing.

      Email spoofing is the act of sending emails with false sender addresses, usually as part of a phishing attack designed to steal your information, infect your computer with malware or just ask for money. An example of this is the fabled CEO attack whereby a spoofed email is sent to someone in your accounts payable department attaching an invoice from a fake supplier and purporting to come from the CEO or other senior manager, with the instruction to pay the invoice now, without delay, and sounding like the senior manager is angry about something.  Of course, this is quite easy to defend against by having a rule in place that if a suspect email is received, the alleged sender should be contacted for verification.  Be aware though, if you simply reply to the email, it will go back to the scammer, you must open a fresh email or make a call.

      Phishing emails will typically include a combination of deceptive features:

      • False sender address designed to look like it’s from someone you know and trust, maybe a friend, coworker, family member, or company you do business with. 
      • In the case of a company or organisation, the email may include familiar branding, e.g. logo, colours, font, call to action button, etc.
      • Spear phishing attacks target an individual or small group within a company and will include personalised language and address the recipient by name.
      • Typos. Email scammers can be lazy and often don’t spend much time proofreading their own work. Email spoofs often have typos, or they look like someone translated the text through Google Translate.

      Website spoofing is all about making a malicious website look like a legitimate one. The spoofed site will look like the login page for a website you frequent, down to the branding, user interface, and even a spoofed domain name that looks the same at first glance. Cybercriminals use spoofed websites to capture your username and password (aka login spoofing) or drop malware onto your computer.

      Caller ID spoofing happens when scammers fool your caller ID by making the call appear to be coming from somewhere it isn’t. Scammers have learned that you’re more likely to answer the phone if the caller ID shows an area code the same or near your own.

      Text message spoofing or SMS spoofing is sending a text message with someone else’s phone number or sender ID. If you’ve ever sent a text message from your laptop, you’ve spoofed your own phone number to send the text, because the text did not actually originate from your phone.

      Man-in-the-Middle (MitM) attacks can happen when you use free Wi-Fi at your local coffee shop. Have you considered what would happen if a cybercriminal hacked the Wi-Fi or created another fraudulent Wi-Fi network in the same location?

      Extension spoofing occurs when cybercriminals need to disguise executable malware files. One common extension spoofing trick criminals like to use is to name the file something along the lines of “filename.txt.exe.” The criminals know file extensions are hidden by default in Windows so to the average Windows user this executable file will appear as “filename.txt.”

      IP spoofing is used when someone wants to hide or disguise the location from which they’re sending or requesting data online.

      Facial spoofing might be the most personal, because of the implications it carries for the future of technology and our personal lives. As it stands, facial ID technology is limited. We use our faces to unlock our mobile devices and laptops, and not much else. This is likely to spread, and the use of AI makes facial spoofing more likely.  Imagine if we advance to using facial recognition to make online payments – scary stuff.

      There’s a lot more to this subject, for instance, how do you spot it?  How do you protect yourself against it?  The best form of defence is simply cyber awareness training, something you’re probably getting fed up hearing from me.  But it’s simply a fact that your staff can be your first line of defence, or your biggest threat.

      Malwarebytes have published a more detailed article on this subject but even that needs some understanding and explanation.

      Cyber Awareness Training Data Breaches and their consequences Ransomware, Phishing and other Malware Security Tools

      HOW DO HACKERS HACK?

      I’ve posted this before but it’s worth repeating, and you’ll have to forgive me for a somewhat provocative title and allow me some poetic licence, because in fact, different hacking groups do things differently, although they have much in common.  Personally, I don’t like the term hacker, much preferring cybercriminal, because anyone who accesses a system without the owners’ permission, is by definition, a criminal.  But I suppose hacker is less of a mouthful.

      What is Hacking?

      Hacking involves exploiting vulnerabilities in systems, software, or networks to gain unauthorised access or manipulate data using a variety of techniques and methods, which tend to combine technical tactics and social engineering.

      Profiling

      One of the first things a hacker, or criminal group, will do, is to profile your organisation and your people.  Favourite open sources of information include:

      • Social media: Information about hobbies, job roles, family, and schedules shared on platforms like LinkedIn, Facebook, and Instagram.  Do you have a social media policy in your company?  Do you lay down what an employee can and cannot say about your company on their personal social media pages?  Do you have a designated person in the company who handles your company’s profile on social media?
      • Company Website:  You’ll want to give prospective clients contact information of course, but you should not give out individual email addresses and you should limit profiles published.  I do give my personal profile on my website but don’t give information about any other position, leaving it to a generic phone number and email address.
      • Professional Profiles: LinkedIn is a favourite for targeting businesses, as it provides details about an individual’s role, connections, and organisational structure.
      • Personal Websites or Blogs: These may reveal contact details, interests, or sensitive information inadvertently.  The same issues that appertain to social media apply here. 
      • Data Brokers: Cybercriminals can purchase detailed dossiers on individuals from data aggregator sites.

      With all of these things you’re walking a bit of a tightrope.  You need to advertise and you need to provide potential customers with relevant information to allow them to contact you easily, but at the same time you need to be careful of what you give away.  Use generic email addresses and phone numbers and limit the information you give in profiles.

      Phishing and Pretexting

      Another favourite is phishing and pretexting.

      • Phishing Emails: We all know, or at least I hope we know, what phishing is.  Attackers send emails designed to extract more information, such as login credentials, by posing as a trusted entity.  In this context, it could be as simple as the attacker wanting to verify information by perhaps sending an email to a discovered address but wanting to confirm that individuals position in the company.  That just requires a response showing a signature block, so the phishing email might seem very innocuous.
      • Fake Surveys or Job Offers: These can be used to obtain detailed personal or professional data.

      Favourite Reconnaissance Tools

      Hackers don’t need an array of expensive tools to do their job, neither do they need to spend hours developing their own. There are a variety of reconnaissance tools used by attackers, including open-source intelligence (OSINT) tools, WHOIS lookups and scanning misconfigured systems using commercially available tools such as Nmap and Nessus, which identify open ports, services and weak configurations.  This is why it’s essential to regularly scan your network for these weaknesses.  Ports can be opened for a particular reason and never closed again.  It’s a common fault.

      We are now seeing new models increasingly. In particular ransomware as a service (RaaS) is a cybercrime business model where  operators write software and affiliates pay to launch attacks using said software. Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators. The “ransomware as a service” model is a criminal variation of the “software as a service” business model. This model allows small threat attackers to gain access to sophisticated ransomware tools at lower costs, also lowering the threshold of entry into cybercrime and complicating defenses against hacking.

      Here at H2 we scan the dark web daily looking for leaked credentials, particularly email credentials.  When we on board a new client we nearly always get hits with sometimes up to 20+ compromised email addresses including passwords.  You might ask why they’d be on the dark web – simple, they are often up for sale on dark web marketplaces.

      Psychological Profiling

      In terms of cybercrime, who’s heard of psychological profiling?  Cybercriminals analyse:

      • Behavioural Patterns: Regularity in actions, such as times a person is online, financial habits, or common purchases.
      • Weaknesses and Triggers: Examples include a recent job loss, major life changes, or emotional vulnerabilities, which they exploit through spear-phishing or scams.

      I’ve often argued on these pages, that your employees are both your first line of defence and your greatest weakness, and that a good cyber awareness programme is worth its weight in gold.  Cybercriminals often focus on employees in specific departments (like HR, finance, or IT).

      • LinkedIn and Organisation Charts: Identify individuals with access to sensitive data.
      • Impersonation: Pretending to be a senior executive to trick lower-level employees (e.g., through Business Email Compromise attacks – I’ve written about the CEO scam a lot).
      • Technical Probing: Use of phishing or malware to breach a target’s employer.

      Conclusion

      In conclusion, what I’ve tried to do here is give you a flavour of what you may be up against, and I hope, I’ve shown you that for all the reasons shown above technology comes last after people and process.  All the tech in the world won’t prevent issues arising from the above and is just one part of an integrated defence in depth required to prevent disaster.

      Scroll to top