BOTS have been around for a long time now, and most people now have at least a basic idea of what they are.  For those that aren’t sure, a bot is a software application that is programmed to do certain tasks. Bots are automated, which means they run according to their instructions without a human user needing to manually start them up every time. Bots often imitate or replace a human user’s behaviour. Typically, they do repetitive tasks, and they can do them much faster than human users could.

Sound benign don’t they, and to be fair, there are many that are benign, carrying out functions that lend themselves to automation.  But they are used for other purposes that aren’t so great.  There are many examples of malicious BOTS that scrape content, spread spam content, or carry out credential stuffing attacks.

Malicious BOTS often work in what is known as a Botnet, short for robot network, which refers to an assembly of computers than malware has compromised.  Such infected machines, individually known as BOTS, are remotely controlled by an attacker.  These networks can and do run synchronised, large scale attacks on targeted systems or networks.

That is one reason why attacks such as ransomware, perpetrated on SMEs, are profitable for cyber criminals.  By using a Botnet, they can send such attacks to hundreds of targets at the same time, which requires only a percentage to pay up, to produce a return on a very small investment.

Bot activity is expected to increase even further this year, the researchers claimed, due to the arrival of generative AI tools like OpenAI’s ChatGPT and Google’s Bard.

“Bots have evolved rapidly since 2013, but with the advent of generative artificial intelligence, the technology will evolve at an even greater, more concerning pace over the next 10 years,” said Karl Triebes, a senior vice president at Imperva.

“Cyber criminals will increase their focus on attacking API endpoints and application business logic with sophisticated automation. As a result, the business disruption and financial impact associated with bad bots will become even more significant in the coming years.”

This is something I have talked about before.  AI can be both a boon and a potential danger in terms of cybersecurity. On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks. On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously. Sophisticated AI-powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale. It is crucial to develop robust safeguards, ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

We have nothing to fear from ethical AI development which integrates ethical considerations into the design and deployment of AI systems, emphasizing transparency, fairness, and accountability to mitigate potential biases or unintended consequences.  Sadly, we are already seeing signs of AI being used in cyber-attacks.  Some of you may remember that at one time we had what was known as the ‘script kiddy.  These were budding criminals who did not have a deep skill level but were downloading, often purchasing, scripts on the dark web, written by skilled hackers who made a good living selling them online.  The script kiddy would then attempt to use these scripts to hack, also taking all the risk.

The script kiddy has all but disappeared of recent years, but AI is allowing them to make a comeback – in spades.  They can now use AI to create code that allow them to produce their own malware, which is, in turn, creating an upsurge in cyber-attacks and threats.

So don’t be complacent, 2024 could become even more of a problem than 2023, in terms of cyber-attacks.  Time to take some action now, to protect yourself.

The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security breach.  For the small business this could result in costs of around £1400, for the medium business, considerably more.  One has just been hit for around £30000, which I am sure you will agree, can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers data and assets be affected as well.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a back up regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

So what does he mean?

As he’s not here to ask I suggest that he’s saying that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are in order to ensure that your solution to those risks, vulnerabilities and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

What is the risk? How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it goes not as expected?  Do I want to take this person on?  Etc etc etc.  Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take. Failure to do that will almost certainly be damaging to your business, perhaps fatally so. 

Within SMEs the difference between assessing day to day business risk and assessing risk to information assets, is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations.  I could go on.

The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate in order to achieve your business aims.   You need to ensure that supporting policies are produced, implemented, understood by employees and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

Sadly that’s not the end.  User education is probably the most important element of all for an SME.  Ensuring that your staff are aware of the policies and why they exist.  Protect yourself against scams which sadly, form the biggest danger to SMEs rather than hacks.  Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

There’s a lot being said in various quarters about the Internet of Things (IOT) but whenever it comes up in conversation with senior people in the SME world, even those businesses that are definitely in the Medium bracket, with 25m upwards turnover,  it raises a titter or two.

Why would that be?  All the usual light hearted comments about being hacked by your kettle, or held to ransom by your toaster, come out in the conversation.  And I suppose, there can be some amusement to be had.   But there is a serious side to this.   The graphic below, which I have unashamedly stolen from The Joy of Tech, whilst lighthearted, gives clues to potential disasters.

Whilst we are some way away from having smart appliances in most SME work places that could be used jump onto the more serious elements of a network, we are already at a place where some functions, perceived as routine, even mundane, can already be used to jump onto other network devices.  For instance, most have security cameras and alarm systems.  Many of these are IP based and are connected via the LAN.  OK, but many also are remotely maintained by a variety of suppliers.  I have found it not uncommon for these suppliers to arrange for their own backdoor into the system to maintain these systems, often without the client actually knowing how that is done.  This provides a very neat circuit around the router and firewall and, when most SME networks are flat, access onward to all parts of the network.

This of course is not the only example but it shows how poor security architecture, often times by local network providers, can have a quite seriously detrimental effect.  So what I am saying is that as many more devices become ‘smart’ and interconnected via the LAN, security architecture becomes just as important for the SME as it does for the larger enterprise.  The problem is that the awareness and support within the SME community and their suppliers, tends to be lacking.