Blog & Social

Cyber Security Strategies for SMEs

What is a Cyber Security Strategy

A cyber security strategy is a plan that outlines an organisation’s approach to protecting its information systems and data from cyber threats. This strategy typically includes measures such as implementing security controls, conducting regular risk assessments, training employees on security best practices, monitoring network activity for suspicious behaviour, and responding to security incidents in a timely manner. The goal of a cyber security strategy is to minimise the risk of cyber-attacks and protect the confidentiality, integrity, and availability of an organisation’s sensitive information.

Do I really need that – I’m an SME and not really a target, am I?

Well yes, you are a target and there are a ton of statistics available which shows that SMEs globally are a very real target for cyber-attacks and can in fact, be very profitable for cyber criminals. There are a lot of reasons for that but one of the top reasons is that typically, SMEs spend very little on cyber defence and generally have very weak defences. Add to this that they don’t tend to carry out cyber awareness training for their staff, have limited resources and generally don’t have a good grasp of the issues.

Not their fault. Most are focused on their core business, trying make a quid or two and are pressed for time. They tend to rely on whatever company, usually local, that supplied their network, hardware and software, generally on a retainer. The problem is that those companies don’t really have a good grasp of the issues either, concentrating on technology, and then, not necessarily the right technology.

When it comes to cybersecurity governance and management, there is no “one size fits all” approach. In today’s threat landscape we need to fully understand that cyber security is not a purely technical problem, focused on hardware and endpoint protection and on operations within the organisational perimeter. Today we are dealing with cloud storage, in office and remote working, data at rest and in transit, involving security at every point along the route.

It is critical that someone within the organisation has to take responsibility for cyber security and that person must have a seat on the Board. A Board-level response is not just appropriate; it is essential.

Secure by default and design

Now that’s an interesting title, but what does it mean? Secure by default and design means that a system or product is inherently built with security measures in place from the start. This ensures that security is a priority throughout the development process and that users can trust that their data and information will be protected. It also means that security features are enabled by default, reducing the risk of vulnerabilities or breaches. This approach helps to create a more robust and resilient system that is better equipped to withstand potential threats.

It applies as much to your network and systems as it does to software development and possibly more importantly to you, it is a legal requirement under the Data Protection Act 2018, or as it is becoming known, UK GDPR.

The first problem many people come up against is that they already have a network, probably connected to the cloud of some sort, very possibly for SMEs, MS365, but when the design was done, there wasn’t a full risk assessment undertaken which is a requirement to underpin that design. In other words what we in the cyber security industry refer to as Security Architecture Design (SAD), wasn’t a prominent consideration.

Not unusual and the common technologies were probably set up, firewalls and anti-virus, but not much else. And that is where a well thought out strategy comes into play.

What should I be considering in my Cyber Security Strategy

We’ve already said you are an SME, so do you need the sort of comprehensive cyber security strategy that we would see in a major corporate? No, but it should still cover off the major points and should continue to be reviewed alongside things like your Health and Safety policy and other industry standards that are required to be reviewed for you to stay in business, usually annually.

You need to be thinking about the key components needed to effectively protect an organisation’s digital assets and data. These components may include:

1. Risk assessment: Assessing potential cybersecurity risks and vulnerabilities to identify areas of weakness and prioritise areas for improvement.

2. Security policies and procedures: Establishing clear and enforceable policies and procedures for data protection, access control, incident response, and other security-related activities.

3. Employee training: Providing ongoing training and education to employees on cyber security best practices, such as password management, phishing awareness, and safe browsing habits.

4. Security tools and technologies: Implementing robust security tools and technologies, such as firewalls, intrusion detection systems, encryption software, security monitoring tools and data protection tools, and endpoint protection solutions.

5. Incident response plan: Developing a detailed incident response plan that outlines the steps to be taken in the event of a security breach or cyber-attack, including communication protocols, containment measures, and recovery strategies.

6. Regular audits and testing: Conducting regular security audits and penetration testing to assess the effectiveness of existing security measures and identify any vulnerabilities that need to be addressed.

7. Collaboration with external partners: Establishing a partnership with cyber security company that understands the issues that affect SMEs and who themselves can establish a solid working relationship with the IT provider that is providing and administering your network and IT resources, will enhance your protections, significantly improve your employee and managerial awareness of the issues, and provide you with the peace of mind you need, allowing you to concentrate on your core business.

Cyber Maturity

What do we mean by cyber maturity? It’s not just about the protections you may have in place, but more about how well your organisation understands the importance of it and its place in your overall business strategy. It is after all a business issue, not a technical issue and needs to be treated as such. Modern security solutions are increasingly complicated and challenging. These complexities change all the time and with the changes in working patterns and the introduction of AI now at the hands of the cyber criminals, they require a broad understanding of cyber security. Very few SMEs possess this level of expertise and can find themselves struggling to protect themselves and rectify security risks discovered within their business. In a climate of frequent, and potentially devastating, malicious activity organisations need targeted, rapid remediation and effective solutions. In doing this they will improve specific areas of their security systems, reduce their level of exposure and minimise potential losses, which can be very significant.

Many small and mid-size businesses struggle to combat the threat that cybercrime poses. A simple piece of malware or a social engineering event, can result in the loss of sensitive company and client data, disrupt business and waste staff time. Such incidents are commonly sensationalised by the media, causing client defection and damage to hard-earned reputations, resulting in significant loss of business.

I’ve described the risk management process before, and I know it can be a bit daunting, and many would fear it’s costs and complexity. That is why we have designed and taken into use the Cyber Maturity Assessment (CMA), specifically for SMEs which will enable them to go down the risk management road at a pace and price they can afford. The CMA is designed to obtain a view of where a client sits currently in terms of their Cyber Security posture. It is obtained from the results of interview with the staff, examination of current policies and procedures, including their effectiveness, security architecture and technical controls, and observations to gain an understanding of cyber security by management and staff. It is designed to provide a report which shows a client exactly where they sit in terms of Cyber Risk in a way that is demonstrable and east to understand. It gives a client a starting point from which H2 consultants will be able to scope any problems.

What Does a Cyber Maturity Assessment Give Me?

In brief, the CMA is designed to:

Understand and define the target state of the system i.e., where does the client want to be in terms of Cyber maturity – in defining the target state there must be a clear understanding of the business drivers, future business demands and business dependencies affecting the organisational area under examination.

Understand the current level of Cyber maturity – At this point the matter of cyber maturity will be a somewhat subjective view, obtained from the results of interviews with staff and initial observations by H2 consultants. This element is not intended to replace a detailed understanding, but to provide an initial view and start point, from which H2 consultants will be able to scope the problem and recommend any remediation required, in a phased way.

We measure both the starting point and the end point using the Carnegie Melon Cyber Maturity Model. I know other consultancies will use other models for this, but this is one that we have found to be effective, both for SMEs and in the corporate world. It looks like this:

I mentioned earlier that this is something used in the corporate world and whilst that’s true it is a matter of scale and need. Most corporates would have the requirement and budget to aim high, say at around CMMI4 (5 is rarely hit). For most SMEs that’s a step too far and as a rule of thumb, when we do this, we tend to find we’re starting at around 0.8 to 1.5 with the aim to get to CMMI 2 as soon as is feasible, with the end game at CMMI 3 which is affordable for most SMEs if a phased approach is taken.

At the end of this initial process and SME is rarely able to just jump in and accept the recommendations and get on with fixing them. It can be a complex issue requiring a hard look at their staff in terms of cyber awareness training, their policies and processes and their technical solutions, all aimed at prioritising the protections required for each asset in accordance with their vulnerabilities and threats.

A phased approach is almost always needed, often aligned with budgets. It can look a bit like this:

The first transformation project tends to be what we term the Quick Wins Phase ie what can we do relatively easily, quickly and therefore affordably, to give the client the most urgent fixes. It often, but not always, looks like this:

This has just been a very quick cantor through the CMA process, and we need to emphasise that each client has a different set of requirements, and we can often jump into the process at a different stage. Call us if you want to know more.

Cyber Security Architecture

In many of my discussion with small to medium business owner on the subject of Cyber Security and how it may impact them, one of the things that does stand out, amongst quite a few, is the lack of understanding about security architecture. So, I thought it was worth discussing it further.

What is security architecture? Well, in a nutshell it’s the technical elements of security that are used to mitigate cyber risks. Many of you may have read or heard of me talking about the differences between IT Security ie, the technical elements, and Cyber Security ie, the risk managed elements, a more holistic approach if you like. And of course, the two remain separate whilst maintaining a symbiotic relationship in that one begets the other, or it should. Security architecture, in order to be fully effective, has to be based on risk management ie, if you haven’t identified the risks, how can be sure that whatever technology you’ve been persuaded to buy, is necessary and effective?

All SMEs will have things like a firewall and anti-virus, possibly going a step further and having some form of end point protection against most malware attacks. But how did they arrive at the products they have purchased and taken into use. Well generally that is based solely on the recommendation of whatever IT support company they’ve bought it from. Usually, the local IT company that they use to supply their hardware and software and who often provide technical support as well.

I’m not against building a relationship with a local IT provider, in fact it’s a very good idea, but all SMEs have to realise that those companies are what is known as Value Added Resellers or VARs. What that means is that they have a relationship with hardware and software vendors and that their staff are trained in the installation, configuration and sometimes maintenance, of those vendors hardware and software. Is that a problem? That depends very much on how the requirement for a solution was arrived at. Was it based on identifying the risk through some form of risk assessment process, or was it arrived at because that’s the products they sell and are comfortable with? All too often it’s the latter.

I’ve also talked elsewhere about the other non-technical controls that might be required, such as policies and process, another subject but one which is vitally important and can often be better placed to protect a company than expensive tech.

How many SME owners have had the reasoning behind the purchase of technical solutions explained to them? And to be fair to the VAR, how many SME owners have asked for it to be explained to them? It is typical, when I visit SMEs, to find that they have what is known as a flat network. That means that they have one gateway into the network, introducing a single point of failure, and no segmentation within the network. Lack of segmentation means that once an intruder is in, and often the gateway firewall is a dual firewall/router entry level device, not the best, then there are no other controls to stop the intruder from attacking end points, such as for instance, your finance department/person, or perhaps just taking whatever data they want in a stealth attack, so that you don’t even know it’s been compromised.

Of course, these days that is often exacerbated by the increasingly popular remote working. I know not every company has embraced this, but many have and have not through the security implications.

Segmentation, remote access and remote security solutions need not be overly expensive to implement and may save a lot of money in the long run. But the main point is that unless you have carried out a risk assessment, then you don’t actually know whether you need a particular solution or not. Neither do you know whether your firewall and/or router is up to scratch, whether your anti-malware system is doing what you think it’s doing, whether your policies and processes are adequate for the task and whether your staff understand the issues and dangers.

None of these things need be complicated and difficult but they are essential to adequately protect you against and increasingly sophisticated and ever evolving cybercriminal community.

Do You Have a Handle on Your Cyber Maturity Stance?

Over the years I’ve had some very interesting conversations with several people from multiple different verticals, but all fitting comfortably within the SME bracket, around Cyber Security. The conversations often tend to take a very familiar turn. The cry of, ‘I’m covered, my IT support company has put in a firewall and some anti-virus. They tell me all is good’. Slightly depressing but not terribly surprising.

Even though cyber security and data loss prevention have leapt to the top of many people’s agenda in recent years, it is still common amongst many SMEs to believe that it is an IT problem, a technical problem rather than a business issue, even when recognising that the risk of a cyber intrusion or a data breach, impacts the business, the bottom line. So, is it an IT issue or a business issue?

The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security incident of some sort. For the small business this could result in costs they could well do without, and I know of one business that has been hit for around £30000, which I am sure you will agree, can be extremely damaging to the bottom line of businesses operating under tight margins. And of course, it’s not just financial penalties but the reputational damage should your customers data and assets be affected as well.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology. They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime. All well and dandy. A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.

It is a common misconception is that IT Security is the same as Cyber Security. That surprises a lot of people, so let’s explore it a bit. There is clearly a close symbiotic relationship between the two disciplines. I would argue, and I know this might meet with some disagreement, that IT security refers to traditional IT security methods which are technology based. Such as firewalls, anti-malware, end point protection etc. Whilst Cyber security is based very much on risk management which combines controls which are both non-technical and technical, following the principles of People, Process and Technology.

Within the SME world this tends to mean that there is a heavy reliance on third party IT providers. Is that a good thing? After all that’s in their area of expertise and responsibility, isn’t it? And here comes the controversial bit. Third party IT providers, particularly in the SME space, are pretty much exclusively value added resellers or VARs, i.e., companies that sell other company’s products. Now I’ve no problem with that per se, but it comes with issues. Notable amongst them is that these companies will have skill sets that are very much limited to the products they sell. Ie they are proficient in the installation and configuration of those products and their clients are offered those products whether they are best in class, or more importantly, whether they are the most appropriate for the task. Before I get a social media pile on, I know that some of the bigger VARs do sell multiple vendors products, but they are in a minority.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs. Some common myths first:

Small to medium size businesses are not worth attacking.
Cyber Security is an IT Issue.
Technology will keep me safe.
My policies and procedures are up to the job.
My staff are young and have been brought up with IT. They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

Lack of awareness around the current real-world cybersecurity risks
False sense of security, with a heavy reliance and dependence on an external IT third-party provider
Lack of cybersecurity knowledge, and understanding
Poor cybersecurity maturity and posture within their businesses
Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Here at H2 we offer a cyber maturity assessment that is designed specifically at SMEs. It is a comprehensive evaluation of an organisation’s cybersecurity capabilities and readiness to effectively mitigate and respond to cyber threats. It involves a detailed analysis of the organisation’s cybersecurity policies, procedures, technologies, and practices. The assessment aims to identify potential vulnerabilities, weaknesses, and areas for improvement in the organisation’s cybersecurity posture.

During the assessment, we typically examine various aspects, such as:

Governance and Management: Reviewing the organisation’s cybersecurity policies, risk management frameworks, and leadership’s commitment to cybersecurity.

Security Awareness and Training: Evaluating the level of cybersecurity awareness among employees and the effectiveness of training programs.

Technical Controls: Assessing the implementation and effectiveness of security technologies, such as firewalls, intrusion detection systems, antivirus software, and encryption mechanisms.

Incident Response and Recovery: Analysing the organisation’s incident response plan, including procedures for detecting, reporting, and responding to cyber incidents.

Security Risk Management: Evaluating how the organisation identifies, assesses, and manages cybersecurity risks.

Third-Party Risk Management: Assessing the organisation’s approach to managing cybersecurity risks associated with third-party vendors and partners.

Compliance and Regulations: Verifying the organisation’s compliance with relevant cybersecurity regulations and industry standards.

The results of the Cyber Maturity Assessment provide valuable insights to the organisation, enabling them to enhance their cybersecurity defences and establish a more robust and resilient security posture. It helps organisations prioritise their investments in cybersecurity, address vulnerabilities, and strengthens their overall cyber resilience and provides a road map to reach a standard agreed with the management, taking full account of that managements risk appetite.

H2 is currently offering a free 1-hour consultation, and if you wish, a 10% discount for a CMA.

Cyber Security is a Business Issue

This is a subject I return to quite often and it’s all about how cyber security is viewed by many SMEs, and I’ll explore why that view appears to be paramount. I am pretty much of the view that the attitude I’m about to expand on, is as much the fault of the cyber security industry, as anything else.

We tend to flood potential clients with adverts and articles, mainly focused on technology. Many of this comes from sales, rather than from the seasoned cyber security experts, that you might wish it did.

Let me give you a couple of quotes. The first comes from a renowned Harvard scientist and cyber security specialist. He says, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.’ The second comes from Stephane Nappo, Vice President and Global Chief Information Security Officer for Groupe SEB, ‘It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.’

Boil that down and they are saying that this is not an IT issue, it’s a business issue. That’s not discounting technology’s role but without integrating it with PEOPLE and PROCESS, we’re only curing half the ailment. When advising a company’s leaders, we must not only identify the threats but also gauge vulnerability to these threats and ascertain the risk to the business. Only then can we craft a solution that harmoniously unites People, Process, and Technology.

Perhaps because there is a considerable amount of what we call FUD, fear, uncertainty and doubt, doing the rounds constantly, it concentrates people on thinking about specifics, instead of looking at the bigger picture. Whilst there is no doubt that phishing, ransomware, and other scams have certainly concentrated the mind somewhat, and these attacks are most definitely not confined to the large enterprise businesses, but have been attacking, with a lot of success, the small to medium business market, this causes vendors to try and exploit the issues around that and push their technology solutions and of course, SMEs rarely, if ever, have the expertise to judge whether or not a particular product will actually give them the protection they need. We now must add into the mix AI and its capacity for increasing cyber-attacks at all levels, making the production of code, so much easier and making it available to those perhaps less skilled than heretofore.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology. They rely on their IT provider to give the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime. All well and dandy. Let’s just remind ourselves of the quote from Bruce Schneier:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.

So, what does he mean? As he’s not here to ask I suggest what he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI). It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force. To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

It’s also necessary to have some form of measuring the effectiveness of your solutions through a protective monitoring solution. Such solutions for SMEs have long been considered too expensive to even consider, even though it provides a set of cybersecurity practices and measures aimed at safeguarding an SMEs digital assets and sensitive information.

But first and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it? Taking risks is a part of business. You assess risk every day when doing business. Do you want to do this deal? What happens if it goes not as expected? Do I want to take this person on? Etc etc etc. Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take. Failure to do that will almost certainly be damaging to your business, perhaps fatally so.

Within SMEs the difference between assessing day to day business risk and assessing risk to information assets, is one of understanding. What is an information asset? Note the word ‘information’ rather than IT. It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on. You understand your business risk, after all it is your business, but do you understand information risk? Do you have a clear idea of what information assets you have and where they are? Before you answer that think it through. Do you really know where all the data is? OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business. How much of that data has been saved onto staff workstations when they needed it to carry out some work? How much has been copied off somewhere else for what was probably a very good reason at one point? How well is your firewall functioning? Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations. I could go on.

The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team. That needs to be understood fully by those at the top. That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate to achieve your business aims. You need to ensure that supporting policies are produced, implemented, understood by employees, and regularly reviewed and updated. At H2 we tend to produce an information security and data protection handbook which can run into many pages. Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management. One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way. Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

Sadly, that’s not the end. User education is probably the most important element of all for an SME. Ensuring that your staff are aware of the policies and why they exist. Protect yourself against scams which sadly, form the biggest danger to SMEs rather than hacks. Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

SPOOFING

I’ve mentioned spoofing quite a bit in various posts and blogs, but what exactly is it? Spoofing, as it pertains to cybersecurity, is when someone or something pretends to be something else, attempting to gain our confidence to get access to our systems, steal data, steal money, or spread malware. These attacks come in several forms, including:

Email spoofing
Website and/or URL spoofing
Caller ID spoofing
Text message spoofing
GPS spoofing
Man-in-the-middle attacks
Extension spoofing
IP spoofing
Facial spoofing

Cyber criminals aren’t all that original and spoofing is another con to fool us into taking some form of action that the criminal wants us to take; in other words, it’s a more technical variation on a con artists skill set. Very often, merely invoking the name of a big, trusted organisation is enough to get us to give up information or take some kind of action. For example, a spoofed email might inquire about purchases you never made. Concerned about your account, you might click the included link.

From that malicious link, scammers will send you to a web page with a malware download or a faked login page, complete with a familiar logo and spoofed link to a web page, for the purpose of harvesting your username and password.

There are many more ways a spoofing attack can play out. In all of them, fraudsters rely on victims falling for the fake. If you never doubt the legitimacy of a website and never suspect an email of being faked, then you could become a victim of a spoofing attack at some point.

Let’s look at some types of spoofing.

Email spoofing is the act of sending emails with false sender addresses, usually as part of a phishing attack designed to steal your information, infect your computer with malware or just ask for money. An example of this is the fabled CEO attack whereby a spoofed email is sent to someone in your accounts payable department attaching an invoice from a fake supplier and purporting to come from the CEO or other senior manager, with the instruction to pay the invoice now, without delay, and sounding like the senior manager is angry about something. Of course, this is quite easy to defend against by having a rule in place that if a suspect email is received, the alleged sender should be contacted for verification. Be aware though, if you simply reply to the email, it will go back to the scammer, you must open a fresh email or make a call.

Phishing emails will typically include a combination of deceptive features:

False sender address designed to look like it’s from someone you know and trust, maybe a friend, coworker, family member, or company you do business with.
In the case of a company or organisation, the email may include familiar branding, e.g. logo, colours, font, call to action button, etc.
Spear phishing attacks target an individual or small group within a company and will include personalised language and address the recipient by name.
Typos. Email scammers can be lazy and often don’t spend much time proofreading their own work. Email spoofs often have typos, or they look like someone translated the text through Google Translate.

Website spoofing is all about making a malicious website look like a legitimate one. The spoofed site will look like the login page for a website you frequent, down to the branding, user interface, and even a spoofed domain name that looks the same at first glance. Cybercriminals use spoofed websites to capture your username and password (aka login spoofing) or drop malware onto your computer.

Caller ID spoofing happens when scammers fool your caller ID by making the call appear to be coming from somewhere it isn’t. Scammers have learned that you’re more likely to answer the phone if the caller ID shows an area code the same or near your own.

Text message spoofing or SMS spoofing is sending a text message with someone else’s phone number or sender ID. If you’ve ever sent a text message from your laptop, you’ve spoofed your own phone number to send the text, because the text did not actually originate from your phone.

Man-in-the-Middle (MitM) attacks can happen when you use free Wi-Fi at your local coffee shop. Have you considered what would happen if a cybercriminal hacked the Wi-Fi or created another fraudulent Wi-Fi network in the same location?

Extension spoofing occurs when cybercriminals need to disguise executable malware files. One common extension spoofing trick criminals like to use is to name the file something along the lines of “filename.txt.exe.” The criminals know file extensions are hidden by default in Windows so to the average Windows user this executable file will appear as “filename.txt.”

IP spoofing is used when someone wants to hide or disguise the location from which they’re sending or requesting data online.

Facial spoofing might be the most personal, because of the implications it carries for the future of technology and our personal lives. As it stands, facial ID technology is limited. We use our faces to unlock our mobile devices and laptops, and not much else. This is likely to spread, and the use of AI makes facial spoofing more likely. Imagine if we advance to using facial recognition to make online payments – scary stuff.

There’s a lot more to this subject, for instance, how do you spot it? How do you protect yourself against it? The best form of defence is simply cyber awareness training, something you’re probably getting fed up hearing from me. But it’s simply a fact that your staff can be your first line of defence, or your biggest threat.

Malwarebytes have published a more detailed article on this subject but even that needs some understanding and explanation.

HOW DO HACKERS HACK?

I’ve posted this before but it’s worth repeating, and you’ll have to forgive me for a somewhat provocative title and allow me some poetic licence, because in fact, different hacking groups do things differently, although they have much in common. Personally, I don’t like the term hacker, much preferring cybercriminal, because anyone who accesses a system without the owners’ permission, is by definition, a criminal. But I suppose hacker is less of a mouthful.

What is Hacking?

Hacking involves exploiting vulnerabilities in systems, software, or networks to gain unauthorised access or manipulate data using a variety of techniques and methods, which tend to combine technical tactics and social engineering.

Profiling

One of the first things a hacker, or criminal group, will do, is to profile your organisation and your people. Favourite open sources of information include:

Social media: Information about hobbies, job roles, family, and schedules shared on platforms like LinkedIn, Facebook, and Instagram. Do you have a social media policy in your company? Do you lay down what an employee can and cannot say about your company on their personal social media pages? Do you have a designated person in the company who handles your company’s profile on social media?

Company Website: You’ll want to give prospective clients contact information of course, but you should not give out individual email addresses and you should limit profiles published. I do give my personal profile on my website but don’t give information about any other position, leaving it to a generic phone number and email address.

Professional Profiles: LinkedIn is a favourite for targeting businesses, as it provides details about an individual’s role, connections, and organisational structure.

Personal Websites or Blogs: These may reveal contact details, interests, or sensitive information inadvertently. The same issues that appertain to social media apply here.

Data Brokers: Cybercriminals can purchase detailed dossiers on individuals from data aggregator sites.

With all of these things you’re walking a bit of a tightrope. You need to advertise and you need to provide potential customers with relevant information to allow them to contact you easily, but at the same time you need to be careful of what you give away. Use generic email addresses and phone numbers and limit the information you give in profiles.

Phishing and Pretexting

Another favourite is phishing and pretexting.

Phishing Emails: We all know, or at least I hope we know, what phishing is. Attackers send emails designed to extract more information, such as login credentials, by posing as a trusted entity. In this context, it could be as simple as the attacker wanting to verify information by perhaps sending an email to a discovered address but wanting to confirm that individuals position in the company. That just requires a response showing a signature block, so the phishing email might seem very innocuous.

Fake Surveys or Job Offers: These can be used to obtain detailed personal or professional data.

Favourite Reconnaissance Tools

Hackers don’t need an array of expensive tools to do their job, neither do they need to spend hours developing their own. There are a variety of reconnaissance tools used by attackers, including open-source intelligence (OSINT) tools, WHOIS lookups and scanning misconfigured systems using commercially available tools such as Nmap and Nessus, which identify open ports, services and weak configurations. This is why it’s essential to regularly scan your network for these weaknesses. Ports can be opened for a particular reason and never closed again. It’s a common fault.

We are now seeing new models increasingly. In particular ransomware as a service (RaaS) is a cybercrime business model where operators write software and affiliates pay to launch attacks using said software. Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators. The “ransomware as a service” model is a criminal variation of the “software as a service” business model. This model allows small threat attackers to gain access to sophisticated ransomware tools at lower costs, also lowering the threshold of entry into cybercrime and complicating defenses against hacking.

Here at H2 we scan the dark web daily looking for leaked credentials, particularly email credentials. When we on board a new client we nearly always get hits with sometimes up to 20+ compromised email addresses including passwords. You might ask why they’d be on the dark web – simple, they are often up for sale on dark web marketplaces.

Psychological Profiling

In terms of cybercrime, who’s heard of psychological profiling? Cybercriminals analyse:

Behavioural Patterns: Regularity in actions, such as times a person is online, financial habits, or common purchases.

Weaknesses and Triggers: Examples include a recent job loss, major life changes, or emotional vulnerabilities, which they exploit through spear-phishing or scams.

I’ve often argued on these pages, that your employees are both your first line of defence and your greatest weakness, and that a good cyber awareness programme is worth its weight in gold. Cybercriminals often focus on employees in specific departments (like HR, finance, or IT).

LinkedIn and Organisation Charts: Identify individuals with access to sensitive data.

Impersonation: Pretending to be a senior executive to trick lower-level employees (e.g., through Business Email Compromise attacks – I’ve written about the CEO scam a lot).

Technical Probing: Use of phishing or malware to breach a target’s employer.

Conclusion

In conclusion, what I’ve tried to do here is give you a flavour of what you may be up against, and I hope, I’ve shown you that for all the reasons shown above technology comes last after people and process. All the tech in the world won’t prevent issues arising from the above and is just one part of an integrated defence in depth required to prevent disaster.

Frequency of Cyber-Attacks and their Effects

There is a lot of discussion around the number and effects of cyber-attacks in the UK and beyond. There are those who believe that the instance is under reported, often because the organisation under attack is concerned about reputational damage and this can be a contributing factor to many paying up when subject to a ransomware attack. And there are those who think the number of attacks is over estimated, especially in reports commissioned by vendors of cyber-security products, to scare up business. Personally, I can see both arguments, but I tend to come down on the side of under reported.

The exact number of UK businesses failing solely due to cyber incidents is difficult to pinpoint, research indicates that a significant percentage of businesses have been impacted by cyber-attacks, and a substantial portion of those that are targeted end up closing down. Specifically, one study showed that 60% of small businesses close within six months of a cyber-attack. Furthermore, a recent report states that more than one in four UK businesses have experienced a cyber-attack in the past year. The sources I used to put this together include:

Cyber security breaches survey 2024 – GOV.UK9 Apr 2024
Which UK
Raconteur       
Simpson Wreford LLP

Note: I did not use data from reports commissioned from Vendors.

Let’s take a closer look:

Prevalence of cyber-attacks:  More than 25% of UK businesses have reported being hit by a cyber-attack in the past year.

Impact on small businesses:  A concerning 60% of small businesses fail within six months of experiencing a cyber-attack.

Factors contributing to business failure:  Cyber-attacks can lead to financial losses, reputational damage, data breaches, and operational disruptions, all of which can severely impact a business’s ability to survive, especially small businesses.

Business impact:  The survey we mentioned highlighted that nearly three-quarters of business leaders believe a cybersecurity incident will disrupt their business in the next 12 to 24 months.

Specific examples:  In the past few months, major UK retailers like Marks and Spencer, the Co-operative Group, and Harrods have been targeted by cyberattacks as well as businesses that have now ceased trading, such as Knights of Old.

While these statistics highlight the severity of the issue, it’s important to note that cyber-attacks can be a contributing factor to business failure, rather than the sole cause. Other factors like poor management, economic downturns, or market competition can also play a role. However, the increasing sophistication and frequency of cyber threats make it crucial for businesses of all sizes to prioritise cybersecurity measures to mitigate risks and protect their operations.

With my focus remaining with SMEs, it concerns me that SMEs of all sizes still do not prioritise cyber security other than putting a tick in the box, by, for example, obtaining certifications like cyber essentials. Whilst this is a good thing and not to be dismissed, they are often doing this for marketing purposes rather than any commitment to cyber security which can mean that once the certification is obtained for a 12 month period, standards can then be let slip and I base this on obtaining the certification for a client, returning 12 months later, and finding many of the same issues recurring that we dealt with the year previous.

Cyber criminals target SMEs, don’t think that because an SME has smaller revenue and therefore smaller reward for the criminal, that they are immune. SMEs are often targeted because they will have spent much less in terms of money and effort in protecting themselves against attacks. They lack good advice and guidance, they can’t afford a full-time cyber security professionals and in fact, probably don’t need one full time, but they do not seek that vital guidance. SMEs must understand that they are seen a low hanging fruit.

I’ve made this final point many times, and that is cyber awareness training. Most cyber-attacks begin with some form of social engineering. Your company will be profiled, and the attacker will obtain information from open sources such as companies house, your website and marketing, simple phone calls to obtain names and phone numbers etc. Then comes the emails phishing for information or to plant malware on your systems. The first line of defence here is always your employees, the more they know, the more they can protect your business. Cyber Awareness training is not a nice to have, it’s essential and is the cheapest and quickest win you can make in your cyber defences.

The Effects of Downtime on Your Business Can Be Devastating

I’ve talked in the past about what SMEs really care about when it comes to cyber security. Do they really care about the technicalities of an attack or scam? Do they really care about the technical aspects of a piece of protective software or hardware? My argument is that they neither need nor want to know how this stuff works. What they do want to know can be summed up pretty easily.

How vulnerable are they to an attack and/or scam?
What would be the effects if that attack or scam succeeded?
What can they do about it, and how much will it cost them?

I wrote mostly about points a and c in a blog earlier in the year, https://hah2.co.uk/what-do-sme-owners-and-directors-want-from-cyber-security/, and I’ve included the link if you want to read it. This time I’m concentrating on point b and the effects of the downtime that it creates.

Downtime following a cyberattack can have serious consequences for businesses, and individuals. We can categorise these into several key areas:

Financial Costs

Lost Revenue: For e-commerce platforms, financial institutions, or other time-sensitive industries, downtime directly results in revenue losses. All businesses will suffer some degree of revenue loss if they can’t carry out their business because their access to suppliers, customers and operations are seriously curtailed.
Operational Costs: Companies may need to pay overtime to staff to keep the business going manually without access to IT, hire external cybersecurity experts, or invest in replacement hardware or software.
Regulatory Fines: Non-compliance with regulations like GDPR or industry focused standards, due to downtime or data breaches can lead to significant fines.

Damage to Reputation

Loss of Customer Trust: Downtime can erode confidence, especially if sensitive customer data is exposed or if services are unavailable for extended periods.
Brand Damage: Affected organisations may face negative publicity, making it harder to attract and retain customers or partners.

Operational Disruption

Service Outages: Critical systems might be offline, affecting production lines, supply chains, or essential services.
- Loss of Productivity: Employees unable to access IT systems are effectively idle, causing delays in work and project completion.

Note: Points d and c were what essentially led to the collapse of Knights of Old. When they were hit with a ransomware attack which took out their IT systems, they were unable to fulfil time sensitive orders which led to the cancellation of those orders, damaging their brand and seriously impacting customer trust. They never recovered and are now out of business.

Data Loss

Corruption or Deletion: Cyberattacks like ransomware can encrypt, leak or destroy critical data, which may take days or weeks to recover, even with backups.
Intellectual Property Theft: If attackers steal proprietary information, it can be sold to competitors or leaked online.

Security Gap

Exploitation of Vulnerabilities: Downtime often exposes weak points in an organisation’s infrastructure, which may need to be patched or rebuilt.
Increased Risk of Future Attacks: Downtime may signal to attackers that the organisation is a viable target.

Legal and Regulatory Implications

Breach of Contract: Failure to meet service-level agreements (SLAs) due to downtime can result in legal action from customers or partners.
Insurance Implications: Cyber insurance claims may be denied if the company failed to follow adequate preventative measures.

Psychological and Social Impact

Employee Stress: Staff may feel pressured to resolve issues quickly, leading to burnout.
Customer Frustration: Extended downtime can alienate loyal customers, particularly in industries where continuity is critical, such as healthcare or finance.

Broader Economic and Societal Impacts

Supply Chain Disruption: Downtime in one organisation can ripple through its partners, affecting entire supply chains.
- Critical Infrastructure Risks: Attacks on essential services like utilities or healthcare systems can have life-threatening consequences.

I have blogged many times about the mitigation strategies you can take, that don’t need to break the bank, but the bottom line, proactive measures can significantly reduce the impact of cyberattacks and the associated downtime. Understand your vulnerabilities and threats, base your spend on protecting against those threats, starting with the most serious, and then working down. Don’t try and get to 100% security, it doesn’t exist, so understand what risks you find acceptable and what risks you don’t.

PROACTIVE CYBER SECURITY

Proactive security, protective monitoring, security operations – all pretty much means the same thing in terms of cyber, at least in the corporate world and the larger, more sensitive Government organisations. I’ve been involved with the design and commissioning of security operations centres for a long time. I designed the first for the FCO, under contract to HP, ran the security team for the Identity and Passport Service which included a security operations centre, amongst others. But the one thing I knew, was that it was too complex and expensive for an SME, even though it would bring them great benefits.

I’ve been talking and posting a lot recently about this subject because I think it’s extremely important and hasn’t, in the past, resonated with SME owners and management simply because it was considered by many to be purely in the province of the corporate world and was way too expensive for an SME to even consider. Well, that cost issue is no longer the case and there is a system, which we use to provide a managed service for SMEs, that is very affordable. So that leaves us to consider whether it is something that an SME would consider as an essential element of their cyber defences, now that it is affordable.

Typically, an SME would generally want such a solution that balances strong security coverage with affordability, simplicity, and minimal disruption to daily operations. Here’s what I think they would like to include if they could afford it.

Comprehensive Threat Visibility

Log collection from key systems (servers, endpoints, cloud services, firewalls, applications).
Real-time monitoring for suspicious activities (e.g., failed logins, privilege escalation, data exfiltration).
Ability to spot both external attacks (phishing, malware) and insider threats.

Actionable Alerts, Not Noise

Intelligent alert prioritisation to avoid alert fatigue.
- Context-rich notifications so the SME knows what happened, why it matters, and what to do next.
- Possibly AI-driven correlation of events to detect patterns.

Ease of Use & Low Overhead

Simple dashboards that non-experts can navigate, or more likely, a managed service as an SME will have little or no resource to give to this.
Minimal in-house expertise required to operate.
Fast onboarding and configuration.
Reporting

Reports that are east to read, management focused and not full of jargon.
Audit trails for investigations.

Incident Response Integration

Clear escalation paths (automated and manual).
Integration with existing tools (ticketing systems, email, Slack/Teams).
Ability to block malicious IPs or disable compromised accounts quickly.

Affordability & Scalability

Pricing that fits SME budgets (no enterprise-only costs).
Scales up with business growth without a full rip-and-replace.
Easy and flexible deployment.
Coverage regardless of where your staff work, in the office, remote or on the move.

Resilience & Reliability

Works even if parts of the infrastructure are down.
Secure storage and backup of monitoring data.
Regular updates to threat detection rules.

In short: An SME doesn’t just want raw data — they want reassurance, clarity, and quick guidance so they can protect their systems without hiring a large security team. And that’s what we are offering, assurance. There’s no such thing as 100% security, so if you’re looking for that, then we can’t help you. Using this system our managed service plays the percentages by monitoring your defences, telling you in no uncertain terms where your defences aren’t up to the job, alerting you to problems and providing advice and guidance on how to fix stuff.

So, what exactly are we offering. Well, it’s a 24/7 service which provides a manned interface between you and us, on the end of the phone or by email in working hours, and an automated response service in silent hours. Doing it that way you don’t have to pay for expensive night shifts. The staff on duty don’t just monitor your systems but provide advice and guidance as well, giving you a cyber security resource on tap.

Specifically, we are covering off:

Email Security – Stay ahead of potential email threats with our user-friendly, API-based active protection.

Endpoint Security – Safeguard laptops and desktops against cyber threats like malware and ransomware.

Cloud Data – Enable cloud data protection for secure collaboration with external users.

Secure Browsing – Keep your browser secure with a provided extension, protecting you from viruses and malicious sites.

Awareness Training – Empower employees to be the first line of defence against the ever-evolving landscape of cyber threats.

Phishing Simulation – Regularly simulate cyber-attacks, including phishing emails, to identify vulnerabilities and educate staff to the dangers of Phishing.

External Risk – Obtain actionable insights on external threats by scanning your digital footprint and exposed vulnerabilities. This includes regular scanning of the dark web looking for compromised email addresses and credentials.

Insurance – Mitigate the cyber risk associated with evolving threats through tailored coverage at the right price (optional; aligning your premiums with your security posture can lower those costs).

Here are some questions to ask yourself and if you answer yes to most of them, then you might be a fit for this service:

Do you employ around 1-250 staff members?
Does falling victim to cybercrime worry you?
Could you continue to operate your business without your IT systems?
Is a recent cyber scan of your public domain on your radar?
Are you aware of the constantly evolving cyber threats and tactics?
Does your business need protection against these advancing cyber threats?
Are you looking for coverage under a cyber insurance policy?

Keep your eye out for a webinar that we will shortly be doing which will provide a full demo of the system, or if you prefer, contact us and we will give you a one-to-one demo, with no obligation. You can follow this with a totally free 14-day trial covering your whole estate, again with no obligation.

If you wanted this system, you might still think it’s too expensive for you, well, it’s only £14 per user per month, so if you only have 10 IT users amongst your staff, that would be £140 per month on a rolling 30-day contract i.e. you can quit with just 30 days’ notice.

The latest cyber security news for UK Businesses