Earlier this week I put a post on LinkedIn talking about why SMEs don’t take cyber security as seriously as they should and often just pay lip service to it.  I said I’d elaborate on that in the next newsletter.  Well, here it is.

When Cyber Security hits the news, and thus our consciousness, it’s nearly always in terms of breaches, regulatory fines, and business disasters, and nearly always concerning a major household name.  We don’t talk about the benefits that it can bring, particularly these days when businesses of all sizes are looking to drive efficiency through digitising their admin and operations.  Cyber-attacks on British businesses are increasing year on year.  When it comes to cybercrime, small and medium-size businesses are not exempt from the disruption that impacts large organisations. If anything, their size can make them more vulnerable as they are perceived as a softer target.

So why SMEs tend to underestimate the chances of being on the receiving end, and often play that down, is something of a mystery.  As is the mindset that it’s an IT matter, not a business matter, when nothing could be further from the truth.  Cyber security must be owned by the business owner or board and driven top down.  It cannot be left to an IT manager, or worse, a company under contract to provide IT services.

Let’s think for a moment about one potential aspect, supply chain security.  Many SMEs sit in a supply chain for a major company or companies.  In fact, for many it’s a critical part of their business, without which they could be in real trouble.  Their customer will spend money and commit resources to their own security and I’m willing to bet that somewhere in their contract with their suppliers, there will be a stipulation laying down some cyber security standards as a minimum that they must adhere to, which I’m also willing to bet that unless audited, are rarely being met.

Large organisations rely on a network of SMEs. If they operate within the EU, they are subject to the EU General Data Protection Regulation (GDPR) and if they operate only with the UK, then they are required to be in line with what has become known as UK GDPR.  The two are very similar indeed. Under both, data controllers (those that collect the data) are responsible for their own compliance as well as that of any third-party processors. Lax compliance in implementing regulations has in fact created a unique opportunity for those SMEs that make the effort to invest in cyber security. With so many damaging data breaches, large organisations are now starting to examine the security practices of any potential third party and seeking agreement with partners to ensure that secure systems are in place. It is the responsibility of the data controller to ensure that third parties within its supply chain take appropriate technical and organisational measures equal to their own.

The UK Government-backed framework Cyber Essentials Plus provides SMEs with a way to demonstrate their security credentials. By gaining Cyber Essentials Plus certification, SMEs can demonstrate that their cyber security has been verified and audited by independent experts. Auditable proof is often requested during tender bids as part of the warrants and liabilities process. Being Cyber Essentials Plus certified can leapfrog a business ahead of the competition.

Supply chains are only as strong as their weakest link and therefore require standardisation in terms of security across the whole chain. SMEs able to prove their cyber security credentials can differentiate themselves from the crowd and maximise on lucrative business opportunities. Some 65% of UK small businesses have no plans in place to deal with potential supply chain disruption, including cybercrime. Ensure your company isn’t one of them by staying ahead of the game – don’t lose business due to supply chain weaknesses.

I’ve already said that the main challenges that I come across is that SMEs do not accept that this is a business issue and continue to see it as an IT Issue.  Consider this; if an attack, say Ransomware, hits the business, who suffers?  Is it the IT department and/or the IT Support company you have under contract to supply your IT/Network?  Or is it the business that takes both a financial hit and reputational damage, perhaps losing contracts from the larger businesses they have been supplying?  You know the answer.  You can outsource your IT, but not your responsibility.

Let’s examine what stops SMEs from taking the view that it is in fact a business issue.  My experience of working with SMEs is that the two main issues are budget and resource, both of which are closely entwined.

SMEs do not budget for Cyber security.  They conflate this with their costs for IT support and will expect their IT support company to provide an adequate level of security within the services and products they supply.  I’ve talked before about this.  Most, if not all, of these companies are what is known as Value Added Resellers, or VARs.  What this means is that they sell other people’s products, firewalls, anti-virus etc. And of course, they push those products, ie the flavours of those products they sell, onto their clients.  The value added bit comes in the services they provide.  In terms of security that generally, although not always, means that their skill set is in the configuration and maintenance of the products they sell.

I’m not knocking that, it’s a perfectly acceptable business plan and has been around for as long as IT has been around.  But from a security perspective, it ignores the basics.  Whilst technology has come on in leaps and bounds, making it sometimes a nightmare to keep up with, the basic principles of security have never changed.  It is built on three towers, People, Process and then Technology.  If you haven’t got the right training and awareness in place, if your processes and policies aren’t sound, up to date and rolled out across the business, then all the technology in the world won’t protect you.  Risk management is crucial.  Understanding the threats to your business and how vulnerable you are to those threats, married to your assets (which aren’t confined to hardware and software), will inform you of the risks you face, in turn allowing you to focus your limited spend on the weakest areas first.

How you arrive at those risks brings us to the second point, resource.  It’s not just SMEs that don’t have the resource, but their IT support company rarely does either.  Cyber security professionals are expensive and very thin on the ground.  Perhaps buying in an advisor for a defined period every month, or on a retainer to be called off as and when required, is the way to go.

Another key plank is innovation.  Finding innovative solutions that SMEs can be sure are appropriate for their business, mitigating identified risks.  Of course, such innovations have also got to be affordable.  This is one of the reasons why many are adopting cloud services, not necessarily for security reasons, but for cost reasons ie no expensive infrastructure to buy in and maintain.  It’s also a reason why many security solutions these days are Software as a Service, SaaS, as again, no expensive infrastructure.

In summary, what I’m saying is that SMEs have to:

• Accept cyber security as a business, not an IT issue.
• Have a senior manager or preferably, board member, take responsibility for it.
• Have an adequate budget. Of course, that will be subject to what you can afford.  Take advice on what is important and what can wait.  It just might save you a lot of time, money, and angst.
• Have a defined strategy for improving your security stance, perhaps phased over budgetary periods.
• Consider a standard such as Cyber Essentials or, for the larger SME, perhaps even ISO2700x.

The last few years have been strange, to say the least. But arguably the biggest effect it has had on the way we do business has been the necessity for working from home. Many SMEs had very little experience of this and were bounced into it with very little time to prepare, or to understand many of the implications of what this meant.

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

I’ve blogged about Artificial Intelligence (AI) before (click on General Security Issues and you’ll find it), in that blog I was concentrating on how AI could be used to generate code to be inserted into a Ransomware attack, and perhaps heralding the re-emergence of the once fabled ‘script kiddy’. Whilst there is no doubt that AI has a great potential for good with applications in just about every sphere of IT, it can allow some very nasty people, who have very limited technical ability, to introduce new and frightening scams.

The following is taken from CNN.

Jennifer DeStefano’s phone rang one afternoon as she climbed out of her car outside the dance studio where her younger daughter Aubrey had a rehearsal. The caller showed up as unknown, and she briefly contemplated not picking up.

But her older daughter, 15-year-old Brianna, was away training for a ski race and DeStefano feared it could be a medical emergency.

“Hello?” she answered on speaker phone as she locked her car and lugged her purse and laptop bag into the studio.

She was greeted by yelling and sobbing.

“Mom! I messed up!” screamed a girl’s voice.

“What did you do?!? What happened?!?” DeStefano asked.

“The voice sounded just like Brie’s, the inflection, everything,” she told CNN recently. “Then, all of a sudden, I heard a man say, ‘Lay down, put your head back.’ I’m thinking she’s being gurnied off the mountain, which is common in skiing. So I started to panic.”

As the cries for help continued in the background, a deep male voice started firing off commands: “Listen here. I have your daughter. You call the police, you call anybody, I’m gonna pop her something so full of drugs. I’m gonna have my way with her then drop her off in Mexico, and you’re never going to see her again.”

DeStefano froze. Then she ran into the dance studio, shaking and screaming for help. She felt like she was suddenly drowning.

After a chaotic, rapid-fire series of events that included a $1 million ransom demand, a 911 call and a frantic effort to reach Brianna, the “kidnapping” was exposed as a scam. A puzzled Brianna called to tell her mother that she didn’t know what the fuss was about and that everything was fine.

But DeStefano, who lives in Arizona, will never forget those four minutes of terror and confusion – and the eerie sound of that familiar voice.

“A mother knows her child,” she said later. “You can hear your child cry across the building, and you know it’s yours.”

Of course, this is an extreme case, but it does demonstrate the power of AI and its ability to be used by unscrupulous and nasty people.  If this is happening in the US, it’s only a matter of time before it arrives here.

Another scam, this time reported in The Washington Post and this time, it’s an update on the very well reported CEO Scam, whereby someone impersonates the CEO of a company using spoofed email, but this time it’s using AI.  It went something like this:

Earlier this year, a sales director in India for tech security firm Zscaler got a call that seemed to be from the company’s chief executive. 

As his cell phone displayed founder Jay Chaudhry’s picture, a familiar voice said “Hi, it’s Jay. I need you to do something for me,” before the call dropped. A follow-up text over WhatsApp explained why. “I think I’m having poor network coverage as I am traveling at the moment. Is it okay to text here in the meantime?” 

Then the caller asked for assistance moving money to a bank in Singapore. Trying to help, the salesman went to his manager, who smelled a rat and turned the matter over to internal investigators. They determined that scammers had reconstituted Chaudhry’s voice from clips of his public remarks in an attempt to steal from the company. 

Chaudhry recounted the incident last month on the sidelines of the annual RSA cybersecurity conference in San Francisco, where concerns about the revolution in artificial intelligence dominated the conversation. 

Criminals have been early adopters, with Zscaler citing AI as a factor in the 47 percent surge in phishing attacks it saw last year. Crooks are automating more personalized texts and scripted voice recordings while dodging alarms by going through such unmonitored channels as encrypted WhatsApp messages on personal cell phones. Translations to the target language are getting better, and disinformation is harder to spot, security researchers said. 

Scammers can and do, use every advantage, every advance in technology, to make a few quid.  It’s a nightmare trying to keep up with this and it is essential that you have some method, be it electronic (difficult), or procedural (an easier no cost option), to identify such scams.  Your staff need training but first you have to have someone on tap to keep you up to date with what’s going on.

As AI continues to develop and is taken into use more and more, we will see a clash between its proponents and the security world. That’s nothing new. Everytime there is a new development in applications, operating systems etc, there is always a lag before security catches up. This time however AI can be taken into use with low levels of skill, at a rapid pace. Cyber security needs to be on its metal, as do IT departments, CISOs, CIOs etc. Companies at all levels need to be on their guard.

I wrote a piece back in May about AI entitled ‘AI – Good or Evil? A Clear and Present Danger to Cyber Security? I’ve discussed how AI could be used to generate code to be inserted into a Ransomware attack, and perhaps heralding the re-emergence of the once fabled ‘script kiddy’. Whilst there is no doubt that AI has a great potential for good with applications in just about every sphere of IT, it can allow some very nasty people, who have very limited technical ability, to introduce new and frightening scams. I also quoted a story from CNN where a lady in the US received a call allegedly from her daughter, which was very scary indeed and the ‘daughter’ was yelling and sobbing that she’d been kidnapped, and other voices could be heard in the background. Of course, these were all generated by AI and turned out to be totally untrue, the daughter having called her mother and assured her she was safe. Of course, this is an extreme case, but it does demonstrate the power of AI and its ability to be used by unscrupulous and nasty people. If this is happening in the US, it’s only a matter of time before it arrives here.

Another scam, this time reported in The Washington Post, was an update on the very well reported CEO Scam, whereby someone impersonates the CEO of a company using spoofed email, but this time it’s using AI spoofing the CEOs voice, attempting to scam money from the company.  This one worked, and the company lost a lot of money.

Two bad examples of AI.  I’m not putting AI down or saying we shouldn’t be utilising it, but cyber security is my thing, and I can’t ignore the warning signs.  Cyber criminals are never slow in adopting new technologies and methods.  We need to be aware of that.

So why am I bringing this up again so soon?  Well AI continues to be reported in the news, sometimes with a good result and sometimes not so good.  So, I thought I’d ask Chat GPT what it thought about AI and Cyber Security.  I asked 2 questions, the first was, ‘Is AI a danger in terms of Cybersecurity?’.  The answer came back:

AI can be both a boon and a potential danger in terms of cybersecurity.  On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks.  On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously.  Sophisticated AI powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale.  It is crucial to develop robust safeguards ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

So even ChatGPT thinks this is a double edged sword.  The real problem for my target clientele, the SME space, is that affording AI powered tools to detect and mitigate threats and analyse large amount of data, is almost certainly not going to be realistic.  So, when we are talking about developing robust safeguards, understanding the risks becomes even more vital, if that’s possible, than it ever has been before.  It also brings Zero Trust solutions sharply into focus and finding such solutions that are affordable, is going to become crucial.

The next question I asked was, ‘How do we ensure that AI isn’t a cybersecurity threat?’.  The answer came back:

Ensuring that AI is not a cybersecurity threat requires a multi-faceted approach. Here are some key considerations: 

1. Robust Security Measures: Implement strong security protocols, encryption, and access controls to safeguard AI systems and their underlying data from unauthorized access or manipulation. 

2. Rigorous Testing and Validation: Thoroughly test and validate AI algorithms and models to identify and fix vulnerabilities, including potential avenues for cyberattacks, before deployment. 

3. Adversarial Testing: Conduct adversarial testing to simulate potential attacks and evaluate the resilience of AI systems against different cybersecurity threats. 

4. Data Privacy and Governance: Establish clear policies and practices for data privacy, ensuring that sensitive information is properly handled, stored, and shared in compliance with relevant regulations. 

5. Ongoing Monitoring and Updates: Continuously monitor AI systems for potential security risks, promptly address vulnerabilities, and keep software and hardware up to date with the latest security patches. 

6. Ethical AI Development: Integrate ethical considerations into the design and deployment of AI systems, emphasizing transparency, fairness, and accountability to mitigate potential biases or unintended consequences. 

7. Collaboration and Information Sharing: Foster collaboration among industry, academia, and government entities to share knowledge, best practices, and emerging threats, enabling a collective effort to combat AI-related cybersecurity challenges. 

8. Education and Awareness: Promote cybersecurity awareness and provide training to AI developers, users, and stakeholders, emphasizing responsible AI usage and the identification of potential threats. 

By following these guidelines and continuously adapting to emerging risks, we can enhance the security of AI systems and minimize the potential for them to be exploited as cybersecurity threats.

Again, looking at this from an SME perspective, some of it isn’t relevant i.e., No6 for example, SMEs aren’t going to be developing their own AI solutions.  But much of it I would have come up with on my own, without the aid of a machine.  It would appear that AI uses some common sense, which is nice.  No8 for example.  I bang on and on about this.  It is low cost and easy to implement.  It’s staggering how many companies don’t do this. This list also shows the value of Zero Trust solutions and encryption, which on its own, vastly reduces the risk to data, particularly PII (personal identifiable information – UK GDPR).

It probably won’t surprise many people that the threats to SMEs in 2023, look very much the same as the threats in 2022, and in fact, the years before that really. They can be summarised to include ransomware attacks, phishing scams, supply chain vulnerabilities, insider threats and overall inadequate security measures caused by resource constraints. And as if that wasn’t enough, we can top that off with a remaining issue around cyber awareness training, which can produce huge benefits for little cost, and which many SMEs still don’t carry out.

Insider threats have been exposed widely in the press lately with the exposure of data from 2 police forces, the most serious being PSNI, in terms of threats to police officers’ safety, and yet another has exposed confidential information regarding criminal records, court documents etc.  These things are often not because of any criminal activity, but because of lax processes, not widely published, a lack of security awareness, and in general, employees doing things they shouldn’t, because they didn’t know that they shouldn’t.  Not technical issues at all but I’ve no doubt that someone somewhere will take a simple process and complicate it, taking far too long to fix it, and costing a fortune when it could have been done effectively, relatively cheaply.

Revisiting ransomware. it continues to be a clear and present danger to UK companies, both at the Enterprise and SME level.  There remains a pervasive opinion within SME management, that ransomware only affects the big companies, that SMEs are just too small to provide a level of reward that cyber criminals are looking for.  I also said that there was evidence that when an SME gets hit, the amount asked for is quite small, from around £500 to £1000, and therefore many SMEs simply pay up.  There is of course a real danger there because often their data has already been stolen, and sometimes the criminal doesn’t release the data back to the company, leaving the SME not only out of pocket, but unable to continue with business.

Arguably, the biggest and most effective step an SME can take is once again, Cyber Awareness Training for staff.  It is simply a fact that 90% of data breaches are caused by human error.  It is very unlikely that an employee will do something deliberately to damage your business.  But humans are fallible and, if they haven’t had any awareness training, they simply don’t know what they shouldn’t be doing.  Cyber security awareness training remains the most significant step you can take in this regard.  You can’t expect your staff to help you avoid cyber security attacks if they don’t know what they are looking for.  Cyber security is NOT an IT issue, it’s very much a business issue and responsibility lie with everyone in the business.  Clearly this training needs to be part of an overall strategy, which again, need not be complex or onerous.  Most successful strategies follow the KISS principle – Keep It Simple Stupid.

An often forgotten element of Cyber security is within a company’s supply chain.  The threat has been around for a while now but is starting to become much more prevalent targeting suppliers to get to an otherwise well protected company.  Manufacturers for instance, often use what is known as ‘just in time supply’, i.e., they have an electronic connection to their key suppliers who are connected to the company’s inventory, and automatically resupply when an item runs low.  It’s efficient and prevents the holding of unnecessary stock.  But it can, if not done correctly, drive a coach and horses through your security.

The goal of such an attack is to grab whatever you have that is of value to the attacker, so it can include infecting legitimate applications to distribute malware, access your IPR (designs, plans, source code, build processes etc etc), or inventory theft, inserting false invoicing into your system etc.  In fact, if you can think of something that might damage your company, you can bet that the cyber criminals have already thought of it.

Small to medium enterprises are at greatest risk from cyber security threats, and their vulnerability in turn poses a danger to the major corporations that they do business with.  If you are in the supply chain for a major company, then consider how damaging to your reputation it would be, if they were attacked via a hole in your security.  I would be prepared to bet the damage would be so significant, that it could take an SME under.

Phishing, a subject we hear a lot about and which most SMEs do nothing about.  Protecting businesses from phishing and other malware is crucial for maintaining a secure online environment. And that brings us straight back to the subject of Cyber Awareness Training once again. Train your employees to recognize and avoid phishing attempts. Teach them how to identify suspicious emails, links, and attachments. Encourage them to report any suspicious activity promptly.

Of course, that isn’t the only thing that will protect you against Phishing.  But it goes a long way towards it at minimal cost.  Strong passwords, 2 factor authentication, keep your systems updated and patched, ensure that your security architecture is designed to match your risk and that the technical controls in place are appropriate and in the right place.  Have adequate email protection, email filters, spam blockers etc.  Good backups and a solid incident response plan.

There’s a lot there, which brings us finally to the lack of adequate security measures because of resource constraint.  SMEs simply can’t afford cyber security professionals on staff.  They will often rely on their suppliers, local IT providers, to give them the protections they require.  This can be a very real risk, simply because the local IT provider doesn’t employ cyber security professionals either, but rather staff that are skilled in the products that they supply.  A cyber security professional takes a much more holistic view and will spend time marrying the business requirements to the protections required.  Considering the policies and processes required, awareness training requirements, as well as technical controls.  People, Process and Technology, in that order.

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

The EU is the world’s largest single market area and is the largest economy in the world, whether some people agree or not. Many may attribute that market size to large organizations and multi-national companies. While these are important contributors to the overall EU economy, the Small Medium Enterprise (SME) businesses form the backbone of the EU’s economy. This is also true of the UK where the DTI estimates that SMEs make up 95% of the UKs GDP. A huge percentage and one that might surprise you.

More than half (54%) of SMEs in the UK had experienced some form of cyber-attack in 2022, up from 39% in 2020 (Vodafone Study, 2022).

So, what can you do to better protect your business?

In today’s digital landscape, cyber security is a non-negotiable aspect of business success. The threats are real, and SMEs are not immune. In fact, they’re often the most vulnerable to cyber-attacks.

Solutions need not be complicated or expensive, yet many SME owners still act reactively, not proactively, to cyber threats.

The result? Huge costs to put things right and a massive hit on the company’s reputation and trust with their customers.

That’s why I’m excited to share a valuable (FREE) resource that we’ve been working on to help guide SME business owners in the right direction and provide valuable actions to fortify their company’s cyber security.

You can download your copy here: https://bit.ly/3qTCYkW

The common underlying issue common to all SMEs appears to be management awareness and commitment, which in turn drives budget, allocation of resources and effective implementation of the cybersecurity practices. Six categories of major challenges for SMEs have been identified:

• Low cybersecurity awareness of the personnel.
• Inadequate protection of critical and sensitive information.
• Lack of budget.
• Lack of ICT cybersecurity specialists.
• Lack of suitable cybersecurity guidelines specific to SMEs.
• Low management support.

Some of you who are amongst my regular readers, will be quite aware of my mantra in regard to Cyber Awareness Training for staff and managers.  A big misconception is that because cyber security can be an issue connected to technical measures, it lies squarely within the realm of IT.  Wrong.  Cyber security needs to be part of the culture of the organisation, second nature to all.  Staff need a basic awareness and how their attitude and actions can have a damaging effect on the business.  A report for ENISA, the EU security agency, suggests that 84% of Cyber attacks rely on some form of social engineering, and that the number of phishing attacks within the EU continues to grow.  This is echoed in the UK.

Budgets remain a problem.  Many SMEs are low margin organisations, heavily reliant on cash flow, and therefore reluctant to spend on things that are not connected to their core business.  But they must get used to asking themselves, ‘Is IT part of my core business?’, and ‘how long could I continue to operate my business if I lost my IT systems?’.  Cyber security needs to be factored into budgets. Cyber security is an iterative process, it isn’t something that needs to be done once and then forgotten about.  The criminals are constantly evolving, and defences must evolve with them.

Cyber security expertise is something that isn’t cheap and easy to obtain.  Many IT companies will talk about their expertise in this area but if you delve into that, it is generally focused on products, mainly firewalls and anti-malware.  Cyber security expertise goes much much deeper than that and is as much procedural as it is technical.  It starts with risk management, understanding the risks you face, which in turn is derived from threat and vulnerability analysis, matched to your cyber security assets.  Those latter are not necessarily hardware and software but can be much wider ranging than that.  Typically, the type of person who can legitimately call themselves experts in this field, can command salaries north of £80K.  I doubt there are many SMEs prepared to pay that, or indeed, many of the smaller IT companies.

It can also be advantageous to follow a standard.  By far the most comprehensive is the International Standard for Cyber Security, ISO27000 series.  However, this might be seen as a little heavy for many SMEs, although at the higher end, they may want to follow it, rather than seek certification.  At the lower end the UK Cyber Essentials scheme, mandated for anyone wishing to do business with the public sector, is very suitable, inexpensive, and obtainable.

More and more SMEs are now moving to a cloud environment.  Be it MS365, Amazon Web Services, Digital Ocean, amongst others.  I usually recommend that SMEs take this approach as it can solve a lot of problems, particular with home working still very much in vogue.  However, it is not the panacea that most think it is and still has some security issues, usually but not always at the user end, that need to be addressed.

Here at H2 we use our long experience of providing cyber security solutions to the large enterprises, to craft solutions for the SME community, having first identified the issues that the business faces.  We take an approach that looks at things from the business point of view, managing risk and coming up with cost effective solutions which can be brought in in a phased way, for a subscription price.  No large bills to damage that all important cash flow.

An interesting article by the cyber security consultancy Savanti, was brought to my attention yesterday. It was focused on UK companies and their struggle to address the growing cyber security threats. This is especially pertinent to SMEs. In 2022, global cyberattacks saw a 38 per cent increase compared to the previous year. The rise in cybercrime is not sparing UK businesses, with a total of 2.4 million instances of cybercrime reported within the last 12 months across various industries. The financial impact of cybercrime is also significant. According to Cybersecurity Ventures, the cost of cybercrime to businesses could reach £8.4trillion annually by 2025, positioning it as the third-largest global economy after the US and China. Many boards appear to be struggling to understand the intricacies of cyber risks. Fifty-nine per cent of directors admitted that their boards are not effective in comprehending the drivers and impacts of cyber risks on their organisations.

Savanti have highlighted a compelling correlation between effective cybersecurity measures and business success. Companies with digitally-savvy, cyber-engaged executive teams experienced higher revenue growth, increased valuations, and improved net margins.

Furthermore, effective cybersecurity practices led to higher success rates when competing for new clients, enhanced data insights, increased investor confidence, and preserved shareholder value during mergers and acquisitions.

There are several measures all companies can take but the issue with SMEs remains a lack of resources and expertise in the field of cyber security.  They are very reliant on outside support and often attempt to get that support from the local IT company that provides their hardware and software, often managing their network. Managed Security Service Providers (MSSP) have long ignored this sector primarily because of cost.  The services they provide traditionally have simply been too expensive.

A good cyber security strategy has always been founded upon strength in depth.  Sound security architecture, good cyber awareness training, solid access control and identity management, and the ability to protectively monitor your estate for threats, vulnerabilities, and risks.  And this latter is what we’re looking at today.

What is Protective Monitoring, and how would be it benefit you?  After all you’re an SME and this all sounds just a bit over the top.

Well, it’s central to the identification and detection of threats to your IT systems. It acts as your eyes and ears when detecting and recovering from security incidents and it enables you to ensure that devices are used in accordance with your organisational policies.

Effective monitoring relies on proportionate, reliable logging and device management practices. This guidance is designed to give system and network admins advice on the logging and monitoring options available on modern platforms.

What use is it to me, I hear you ask?  Well, many incidents have been shown to target individual hosts, from which attackers will attempt to further strengthen their access through lateral movement techniques such as credential theft, account impersonation, use of legitimate network tools or known exploits in outdated versions of network protocols to propagate and compromise additional devices to access additional data and services.

In a cloud environment some of these techniques may be less effective or not apply, however your users still have to access these cloud services and monitoring device activity, health and configuration are still important, perhaps more so, when deciding whether or not to permit access to organisational services and data.

The key to making this affordable and appropriate for SMEs, is automation, which is becoming more and more possible using AI enhancements.  I’ve highlighted before that here at H2 we are constantly on the lookout for innovative solutions that allow us to provide appropriate and effective services to our clients, at a price that is affordable.  And we think we’ve found another gem.

This is yet another SaaS service, so no expensive infrastructure costs and no additional software required to run it.  The agents required to scan the data can be installed remotely and within minutes, without your users knowing it’s happening.

We leverage:

• Generative AI, phishing simulation emails are crafted on the fly based on custom inputs, targeting groups of employees, and reporting on pass/fail status.
• Automatically receive real-time alerts when a threat is verified, or action is required.
• Respond swiftly to cyber events with one-click remediation and powerful integrations.
• Generate a report summarizing your risk across their digital footprint, with just a single click.
• Demonstrate ROI by reflecting the value of this services using language that resonates at a business level.
• Provides continuous vulnerability assessments.

The following services are provided as standard:

• External Risk Assessment
• Phishing simulation
• Identity theft protection
• Secure browsing
• Cloud apps security
• Email security
• Device protection
• Cyber Awareness programme
• Automated remediation
• Continuous threat detection

And as bonus, if you wish, a cyber insurance policy starting at around £400 annually, which is priced according to the risks identified within the product, i.e., the more the risk is reduced, the more the premium is reduced.

This whole package is offered as a managed service so that the risk, risk reduction, reporting and monitoring is all carried out by us, within the incredibly low price shown above.

In the coming days we will be offering a demonstration of the product, followed by an introductory offer of a 7 day free trial and a service priced at a fixed price of £10 per month per user, plus VAT.  No fixed term contract, terminate on 30 days’ notice.