Identity and Access Management

General Security Issues Identity and Access Management News Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

Innovation – Why Do Many Shy Away from it?

I read an interesting piece recently where the thrust was that true innovation consists of doing now what you should have done ten years ago.  Harsh, maybe, but also fair.  I’m constantly reading industry surveys which highlight the low level of cybersecurity maturity amongst large firms and, increasingly, an even lower level amongst smaller firms.  We never seem to learn.

Of course, and as I’ve mentioned before, many of these surveys are written, or at least sponsored, by cybersecurity vendors and largish consultancies, who could potentially be seen as biased in that they are pushing their own solutions.  But keeping that in mind, there is still and underlying truth.

My focus remains on SMEs, so I’ll skip more talk about the corporate world.  In conversation with people I’ve worked with for years, their anecdotal evidence supports the underlying truth of these surveys.  SMEs in particular struggle with the basics of good cybersecurity housekeeping, such as monitoring of basic network events, timely removal of user accounts, timely deployment of security patches, and revalidation of access level, particularly privileged access.  This list is far from exhaustive.  Whilst this message has been pushed over and over by cybersecurity professionals over the last 10-15 years, SMEs continue to rely on technical solutions which simply don’t stack up in many areas.  Why?  Simple, because they are relying on local IT providers to give them solutions and those IT providers continue to push the technologies that they sell.  SME owners and managers are very reluctant to relinquish that argument.  Strange when often the best solutions are procedural and as such, much much cheaper than a technology that probably doesn’t quite match up anyway.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT.  They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Back to the topic in hand, innovation and how and when should we be seriously considering it.  Ideally, we should be constantly looking for innovations, not just to keep us safe, but to encourage efficiency and cost savings, and I’m sure all SME owners would love to have the time and resource to do just that.  But we live in the real world and will be cost, and resource constrained.  But that’s not an excuse to not keep a weather eye on the need to innovate.  We live in a changing world and what we in the business call the threat landscape, changes constantly.  This simply means that threats evolve all the time, often to meet new circumstances, and AI for instance, is reducing the response time of cyber criminals to new technologies and changes in working patterns, to almost what is known as the zero day threat, ie zero days from the release of something new, to a threat being created to exploit it.

When COVID hit, many SMEs had to move very quickly to keep going, adopting remote working without the time or luxury of any real planning.  It was a knee jerk born of necessity and certainly not the way they would have liked to do it.  There are multiple cases of companies not having the necessary equipment, in terms of hardware, desktop, laptops etc, and allowing staff to work from home using their own home machines, connecting to both office and cloud-based systems, without any check on how those machines were configured, whether or not they were kept up to date with the latest patches, or whether they were used by other family members. 

In terms of equipment, cloud usage and some working practices, that situation is righting itself, sort of.  There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are either planning to, or have adopted a hybrid model.  In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.  That new working model has arguably had the biggest effect on working practices and in turn, cyber security as it affects SMEs, since the innovation of IT itself. 

So, what needs to be done if hybrid working patterns are to continue?  Well, first and foremost comes your policies.  Do they reflect the new hybrid working model?  Have you laid down what is and what is not an acceptable use of company IT equipment if it’s being transported to a home address?  Do you allow the use of home machines, and have you laid down how those machines must be configured before they can be used for company business?  That list is not exhaustive.

Secondly comes user training.  Cyber awareness training for staff, along with a broad understanding of data protection principles, becomes even more important when staff are working from home.  It is a clear no brainer which many SMEs still don’t recognise as necessary.

Of course, those 2 things are hardly innovation, unless of course, you haven’t taken any of those measures and then it becomes innovative within your company.  Real innovation perhaps comes from reviewing the technologies you have in place, and have relied on, possibly for years.  Most, if not all those technologies will be based on the old bastion model of security, ie a network perimeter with a secure gateway, protecting your assets within that perimeter.  With the new working model, relying usually on cloud connectivity, your staff could be working in the office, at home, from a coffee shop etc etc.  You now have a mobile workforce.  What is needed is real innovation that protects your data regardless of where it is, technologies which themselves are cloud based, not caring where the end point it is monitoring actually is, whilst maintaining cost effective pricing.  This is something we’ve been at great pains to research and have now come up with such solutions.

We are holding a webinar to discuss and highlight these solutions and would love to see you there:

Event Details:

Cyber Awareness Training General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Security Tools

Is Cyber Security making the grade for Small to Medium Enterprises?

I’ve touched on this subject several times in the past but was encouraged to revisit it after reading a book by Jean-Christophe Gaillard entitled The Cyber Security Spiral of Failure.  A provocative title and of course, the subject matter was aimed at the corporate sector.  But my view is the difference between the 2 sectors, in terms of solutions is often one of scale, with corporations being more complex and faced with many problems that the SME sector doesn’t.  They do however have the same threats and consequences of failure, as each other.

The author argues that for a couple of decades now, many organisations have been trapped in this spiral of failure, driven by endemic business short termism and the box-ticking culture of many executives in regard to compliance.  This really does resonate in the SME world with short termism often driven by financial necessity and especially during and since COVID, where survival was paramount, often requiring day to day management.  Of course, no SME owner or manager likes that and would love to have a solid and well-funded plan going forward, if only! 

Successful transformation takes time and often requires changing the culture of the organisation, and this at a time when many owners are struggling with the emerging business practices of a more distributed work force, following the pandemic.  Coming up with any transformative planning around IT naturally comes below that required for the business in general.  Bottom line is often that if it isn’t our core business, it can wait.  Even though of course, there are very few businesses that can continue to operate efficiently without their IT systems.

Which brings us to compliance.  For most SMEs compliance often means data protection, although there are the financial services regulations, and many do have industry standards governing IT and data, that they must comply with.  This often means that owners and managers undertake quick wins using box-ticking measures which often come a cropper sooner or later.

The book quotes from the BT Security survey released in January 2022.  One aspect which I fully agree with is the emphasis on getting security basics right and the importance of awareness development amongst employees.  Getting this right and training our employees are essential pillars of any cyber security practice, so as the book says, the question remains, why are we still banging on about it? – and everyone who reads my stuff knows I do that a lot.

There are a lot of traditional good security practices which have been pushed and re-emphasised time and time again.  Patch management, access management, anti-virus/malware, firewalls etc, and from my time working in the corporate space, I know that large enterprises have spent millions on traditional areas of cyber security over the last 2 decades.

But are we really still stuck there, entrenched in traditional thinking when our working practices are changing, technology is changing, compliance requirements are changing?

SME management is often completely left behind by these changes.  They have enough problems just keeping their businesses afloat and trying to grow, they don’t have enough time or resource to keep abreast of these many and varied issues.  Let’s face it, if corporate management is struggling with this changing landscape given their resources, what hope for the SME.

More than half (54%) of SMEs in the UK had experienced some form of cyber-attack in 2022 (stats for 2023 are starting to trickle through), up from 39% in 2020 (Vodafone Study, 2022).  As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

So, what does he mean?  As he’s not here to ask I suggest that he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

But now we have the ‘new normal’ with many businesses enjoying the financial bonus of having a smaller office footprint whilst many people work remotely, bringing with it an increase in security problems.  Earlier we mentioned traditional security solutions that have been around for a long time, most of which pre-date the pandemic and were based on the old bastion security methodology ie a network perimeter, protected with traditional solutions.  But that bastion model no longer exists in many places, or if it does, it only protects half the workforce in the office, whilst the other half work remotely.  What is needed is new solutions that protect your staff wherever they might be working from.

Luckily for you, we have such a solution.

Cyber Awareness Training General Security Issues Identity and Access Management Risk Analysis and Security Strategy

A Company’s Tale – From COVID to Hybrid – Part 2

In last weeks blog we talked about a company that was forced, by COVID restrictions, to move to working from home, and how that affected the organisations’ structure and ability to continue in business, and some of the difficulties they faced. 

We reached a point where they had started to get back into the office but had decided to adopt the hybrid method of working, saving money on floor space, fuel and light etc.  But this has come with problems of its own which we’ll look at now.

Hybrid working is something that many SMEs like because of the cost savings, providing of course that the business doesn’t require people on site, such as manufacturing, transport etc.  Company’s such as lawyers, financial advisors/accountants, HR facilitators, recruiters and the like, can support hybrid working quite easily, from an operational standpoint.

Last week we saw that the 2 partners are aware that they hold a growing amount of personal and corporate data, not just about their own staff and systems but also about their clients.  They were also aware of the Data Protection Act 2018 and GDPR but at a very surface level and were not sure about how much this will affect them.  For example, in terms of policies, they have very little that references the DPA 2018 and/or GDPR.  Their website does not contain the necessary privacy statement or statements regarding the use of Cookies.  They don’t have an overarching security policy or a cyber security strategy in place.

So, what’s are the issues arising from last paragraph?  Well, the DPA 2018, or UK GDPR as it’s becoming colloquially known, requires that data is processed and stored securely and that managers and staff are aware of the regulations regarding the safe processing and storage of information, which are quite extensive and can be daunting, but needn’t be an issue for SMEs, if not ignored.  The ICO is, in my experience, very helpful in this regard and are not there to hand out heavy fines, threatening to put you out of business. If you can demonstrate that you have done your very best to obey the law, then they will be helpful and conciliatory.  On the other hand, if you’ve been neglectful and even a little cavalier about it, then not so much.

But getting back to the case in point, these guys were now at the juncture where they had their staff working from home for about 3 days a week, and coming into the office on 2 days, unless of course they were consultants who were visiting client sites and were working on the move.  Everyone now had a company laptop, including admin staff, and data was held on the cloud.

But what didn’t they have, and how would that affect the?  Well, firstly they didn’t have a cyber security strategy in place.  So, what is a cyber security strategy?    It’s a plan that outlines an organisation’s approach to protecting its digitally held assets and information from cyber threats. This strategy typically includes policies, procedures, technologies, and practices that are designed to prevent, detect, respond to, and recover from cyber-attacks.  People, Process and Technology combined and integrated to provide protection.

This needn’t be scary, and you can pick and choose what is important to your organisation, what needs to be comprehensive, and what can be less so.  The level of risk you are prepared to take, is entirely your call.  Key components might include:

  • Risk assessment: Identifying and prioritizing potential threats and vulnerabilities to the organization’s systems and data.
  • Security controls: Implementing technical and procedural measures to protect against cyber threats, such as firewalls, encryption, access controls, and employee training.
  • Incident response plan: Establishing protocols for responding to and recovering from security incidents, including communication plans, containment strategies, and forensic analysis.
  • Continuous monitoring: Monitoring systems and networks for suspicious activity or anomalies that could indicate a security breach.
  • Compliance management: Ensuring that the organization complies with relevant laws, regulations, and industry standards related to data protection and privacy.

What the management is doing here, is laying down a framework for how things need to be developed.  It doesn’t need to happen all at once,

Not having formulated a strategy, the company didn’t have much of this in place, and what it did have wasn’t well structured and integrated.  The security products in use were stand alone, working independently of each other.  Another major flaw was that they had no cyber awareness training in place, neither did they have effective policies.  Those that they had were downloaded from the internet as a box ticking exercise.  They were in fact a cyber disaster looking for somewhere to happen.

The 2 partners were aware of these issues and yes, they took some time to get around to addressing them simply because recovering the business from the issues arising from COVID, took precedence.  But they realised that this couldn’t be put off for any longer and took action.

They engaged with us to first carry out a Cyber Maturity Assessment.  This covered:

  • Cyber Security Strategy.
  • Cyber Security and Data Protection policies.
  • Protective monitoring and vulnerability assessment.
  • Incident response and business continuity planning.
  • Access control.
  • Employee awareness training.
  • Compliance.
  • Technical Security

The strategy they needed could be very much simplified to meet their requirements, but it did cover the salient points and gave a clear indication of what was needed immediately, what could follow and what was more of a nice to have rather than a necessity.  To that end we were able to structure remediation that was phased over a number of months, covering 2 budgetary periods.

End result, they had a solution that was affordable as well as appropriate to them.  It covered staff in the office, working from home and on the move.  It kept them compliant with the relevant legislation and set them up to achieve a standard such as Cyber Essentials, which is next on their list.  If necessary, they could even go as far as ISO2700x series, although that might not be appropriate for them at their current size.

General Security Issues Identity and Access Management Ransomware, Phishing and other Malware

A Company’s Tale – From COVID to Hybrid

This is a tale that could be told regarding many organisations, especially since COVID hit.  Names have been changed and certain other details have been omitted or masked.

Hawk Engineering Ltd is a company that provides high quality environmental engineering services to its clients, and began operations on 16 July 2019, not long before COVID hit. It’s a limited company owned and operated by Norman Jones and Rupert Smith.  Mr. Jones and Mr. Smith both left their respective jobs to specialise in environmental engineering consulting to small and medium sized businesses.

The company was set up to target small to medium sized companies and government organisations within the UK.  They have managed to secure several contracts and have grown from the original 2 man team to 8 consultants/engineers and 3 support staff, housed in a serviced building where they rent 4 rooms, one for the admin staff, one for the consultants, another for the 2 partners and a small conference room.  The support staff cover finance, HR and general admin duties.  The building shares a reception area and a cleaning contract.  The cleaners operate out of hours, cleaning after everyone has left for the evening.  The consultants are provided with laptops, tablets and smart phones whilst the admin staff use desk top PCs, and all are connected to a large printer.

Rather than ramp up its permanent staff too quickly, they use relevant qualified consultants when necessary.  These consultants are given an email address and access to the data they need to work on projects.

The 2 partners are aware that they now hold a growing amount of personal and corporate data, not just about their own staff and systems but also about their clients.  They are aware of the Data Protection Act 2018 and GDPR but are not sure about how much this will affect them.  They have a local IT management company under contract and up to the start of COVID had an onsite server which stored their data and an email server providing mailboxes to the staff and contractors.  At the outbreak of COVID, this caused an issue.

In terms of policies, they have very little that references the DPA 2018 and/or GDPR.  Their website does not contain the necessary privacy statement or statements regarding the use of Cookies.  They don’t have an overarching security policy or a cyber security strategy in place.

But everything in the garden was rosy, the company was doing well, it was in profit and had a relatively full order book, at least for the foreseeable future.  And then along came COVID and everything changed.

At first it wasn’t a problem, we all remember how the UK ramped up relatively slowly, with lockdowns coming after those in other countries, but come along they did. The full implications of not being able to work in the office only started to become apparent after the office was out of bounds.  They couldn’t claim any sort of immunity because they were simply not in an industry that required such immunity, so the office closed.  The consultants used laptops and they could continue to work, but not securely.  They didn’t have a remote access system in place as consultants worked on client site and tended to use client networks through which they could connect.  Not optimum but cheap and cheerful and cash flow was everything to a small business.  The real hit was on the admin staff as they used desktop PCs which they had left behind when they went home.

So initially the admin staff were the priority to find a solution for and the first issue was to be able to find machines they could use at home, and then connect them to the office file and mail servers, the latter applied to consultants as well.

I’m sure most reading this will remember the issues as many of you will have faced the same problems.  So long story short, the problem was to establish as near to normal operations as possible and they ignored security as firstly, they didn’t grasp the implications, and secondly, they didn’t know what to do about it.  Their IT management company wasn’t a lot of help in the latter regard simply because they were firefighting issues for all or most of their clients and didn’t have the time or resource, and frankly, didn’t really have the skill set either.

In many respects recovering an operational capability in that instance, wasn’t much different in recovering from any natural disaster and much of the planning required for a disaster recovery and business continuity situation, would have applied, with perhaps the difference that the office would continue to be out of bounds.  So, plans could be adapted, assuming of course you had a plan in the first place, and they didn’t.

What they were able to do was to set up a contract with a cloud provider and as their IT support got some bandwidth, they migrated their data from the office based server to the cloud storage and at the same time migrated their email.  Getting staff to connect to the cloud was an issue and some found it easier than others as that had to be done remotely and some were more IT savvy than others.

It didn’t solve the desktop PC problem though and staff continued to use home PCs, the same PCs their kids were gaming on, to connect to the company data.  A recipe for disaster.  Of course, this was solved by purchasing and shipping laptops which the IT support set up before shipping.  But by then their data could easily have been compromised via the home PCs.  There is no way of knowing whether or not they were compromised and if this is a problem which could come back to bite them.

Work-from-home employees are at much greater risk than those in offices. Since home connections are less secure, cybercriminals have an easier entry into the company network.  Furthermore, the explosion of various online tools, solutions, and services for collaboration and productivity tend to have the bare minimum of security default setting, and updates from third-party vendors can change security preferences and be easily overlooked.

Phishing becomes an even greater threat to home workers, often because, in an office environment, they have access to colleagues and managers, who they can approach for advice and guidance.  This is much harder to replicate with remote workers, especially those who may not be particularly tech savvy and who may not wish to become ‘burdensome’ to their co-workers.

Ransomware also enjoys an advantage in the work-from-home model.  If their connection to the company is blocked, it is more difficult for workers to get assistance from the right experts and authorities.  And since trust levels are lower when working from home, some workers will be concerned that they have “done something wrong” and so may be more reluctant to seek help. While this risk can be addressed by increased training, as well as messaging that vigilance and involving IT support will be rewarded, it can still be an uphill battle.

The company has now evolved further, and expanded a little, and has adopted the hybrid method of working, saving money on floor space, fuel and light etc.  But this has come with problems of its own which we’ll look at next week.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware

A Tale of Two Company’s

These stories are fictitious but are based on real events with the company names, locations, and industry vertical either changed or obscured.

Company One

ABC Ltd is a chain of financial advisors which has seen strong growth even allowing for the hiccup of the COVID lockdowns.  It has grown from one site nearly 20 years ago, to six sites situated in rural market towns in the East of England.  As with nearly everyone else, COVID has significantly changed the way they operate as they were forced into home working and never went back to being fully office based and are now operating a more distributed hybrid working pattern, with staff working between offices and home.  This hasn’t proven to be an issue and has some financial benefits, reducing the office footprint, fuel and light and travel costs.  Their clients, consisting of local businesses mainly but with a significant department looking after individuals, have not been impacted by these changes.

John is the finance director, and he was given the additional responsibility for IT, something not unusual in SMEs, as they can rarely afford their own in house IT experts.  This has led to John outsourcing the IT to a local IT management company and so far, they have had no complaints.  Although John doesn’t profess to have any in depth IT knowledge, he discussed their requirements in detail and accepted that a move away from onsite servers and storage to a cloud based system made perfect sense and lent itself to the distributed network they now operated.

However, he had some concerns around cyber security.  He read a lot and what he read worried him, particularly about things such as ransomware, phishing, social engineering and scamming.  He knew that they held considerable amounts of personally identifiable information (PII) as defined by the Data Protection Act or UK GDPR as it is becoming known, and he had heard horror stories of company’s being fined a lot of cash for losing that data.  So, John decided to bring to bring this up at a board meeting and was met with some resistance from the CEO and other board members.  They asked what advice he was getting from their IT providers, and he said not a lot.  They seemed to be happy with the defences in place, which relied on firewalls in the office, and personal firewalls on remote laptops and desktops, anti-virus software and secure channels for sending data to and from the cloud storage.  The cloud provider operated under Ts&Cs which seemed to ensure that they took responsibility for the secure storage of their data.  He was concerned that not all their data was stored on the cloud, even though it was supposed to be.  He knew that staff working from home downloaded data onto their laptops, worked on it, and then uploaded it.  He was sure they ever deleted the copy they had on their laptops and had no way of checking.  He was also sure that data was attached to emails and sent around, so there would be copies on the email server, and on email clients.  But he was told to forget about it as it wasn’t a priority for funding. 

Jumping forward a couple of months and staff were panicking, and his phone was ringing off the hook as IT user after user was seeing a red text box sporting a skull and crossbones and the message that their data was encrypted, and if they wanted to unencrypt it, it would cost £50,000.  The CEO convened an emergency board meeting, and the IT provider was dragged in.  It didn’t take long to ascertain that this was a sophisticated attack and when they attempted to access their cloud storage, they found that the data held there, was also affected.

The CEO asked the IT provider how long this would take to fix, if indeed it was fixable.  He replied that they did have two sources of backups of the data, online and offline.  The problem was that the online data could also be affected and so the safest recourse was the offline backup, but that was only done weekly and therefore they would lose at least 3 days’ worth of data.  The CEO was not pleased.  Added to this, John wasn’t happy with just fixing the immediate issue, he wanted to get to the bottom of how this happened and how can they stop it in the future.  He contacted a specialist cyber security company that was fairly local to them.  Modesty forbids me to mention their name.

Once onsite they identified that there needs to be two strands to this.  First and foremost, the company needs to be gotten up and running, which means restoring from backup.  But there is no point doing that if the ransomware is still sitting on their systems because it would merely encrypt the backup.  It’s never that easy.  How did the ransomware get on the systems, how deeply is it embedded, how did it get on the cloud storage etc.  How it got there was quite easily detected.  It was simple email scam sent to around half of their workforce, at least two of whom clicked on it.  Once that was done it spread itself around the system, infecting all connected machines, and easily jumped to the cloud storage and even the online backup, which was connected to the cloud storage itself.

From then it was a simple but painful exercise which took best part of a week to sort out.  In order to be safe and thorough, all machines were wiped, including the operating systems, and then the OS reinstalled, along with all the applications.  Meanwhile they worked with the cloud storage provider, who was cooperative, to clean up their servers.  The data was then installed from the offline backup.

It was estimated that they lost money well into 6 figures, including fixing the problem, and lost business whilst it was all sorted out.  Trying to get back the 3 days’ worth of data lost, was embarrassing.  But at least they didn’t cave in to extortion as some might have, as we’ll see below.  Luckily there was no indication of a data breach which sometimes accompanies ransomware attacks, so no involvement of the Information Commissioner and the embarrassment of having to contact clients about their personal information.  It could have been worse.

Recommendations asked for by the board included:

  • Cyber Security Awareness training for all staff, including induction and 6 monthly refreshers.
  • Revisit the anti-virus/malware in use to see if there is a better solution for ransomware.
  • Revisit protections for the data itself.  Do they know where it all is?  Can it be audited?  What about encrypting it themselves before anyone else can?  It might not protect against ransomware, but if a data breach happens, it will avoid ICO fines.
  • Revisit the backup routines.
  • Have a solid disaster recovery and business continuity plan to avoid ad hoc and inevitable knee jerk responses.
  • The ransomware code required privileged access to do the real damage.  It got it easily.  Revisit the privileged access management system in place.  Is it up to scratch?
  • Consider annual cyber security health checks.
  • Consider adhering to a standard such as Cyber Essentials or perhaps even ISO27000 series.

Company Two

Company Two was a transportation and storage company which operated from one site and its core business was transporting and storing produce before it was moved on to the consumer chain ie supermarkets and the like.  As such they had 3 large cold stores which were of course temperature controlled and any prolonged period without temperature control could cost the business thousands in a relatively short space of time.

The problem was that their security architecture was still based on the old bastion model of having a secure perimeter, protected by firewalls, but once inside, there was no segmentation, ie once in, the world was your oyster and the temperature control systems were on the same network as the other IT systems, with nothing separating them.

At this point the same thing happened to them, as happened to Company One.  They received the ransomware message which was even more damaging because it not only encrypted their data, but it knocked out the temperature control systems.  This meant a more sophisticated attack than just embedding malware in an email, the attackers must have gotten into the system and identified a serious weakness that they could exploit.

This wasn’t as difficult as it seemed.  There were several weaknesses in their defences.  First, they had changed broadband provider, but the old broadband connection was still active and connected to their network.  Second, they had security cameras which were remotely maintained.  These cameras were also on the main network and therefore there was a remote backdoor into the system.  There were other weaknesses, but these will do as explanations as to what happened.

As the gravity of the situation dawned on everyone, the decision was made to pay up and prevent a potential disaster in regard to the cold stores.  Understandable I suppose but ultimately not a good solution.  They did get back online within half a day.  So far so good.  But they wanted to make sure that this couldn’t happen again and so they called in some cyber experts to look things over.  What was discovered was quite horrifying.  Firstly, the attackers left a back door into the system which was discovered and closed down.  This would have allowed the attackers easy access to do it all again.  The issue with clicking on a dodgy link was also raised.  But the real problem was that it was discovered that the ransomware attack was used to also disguise the theft of data.  Missing was a considerable amount of financial information, including bank account details not just for them, but for their customers and suppliers, and PII relating to their customers and suppliers, but nothing too damaging other than business email and postal addresses.  Luckily their HR and payroll was outsourced and so they held very little about their staff.  Nevertheless, it was estimated that the cost of this breach would eventually reach 5 figures.

Lessons included very much the same as Company One but with the addition of having a security architecture review with the aim of tightening things up and introducing network segmentation.

Summary

  • Cyber security is a business issue not an IT issue.  It’s the business that suffers, not the IT support. 
  • Cyber Awareness training is the biggest and cheapest quick win that any company can take to protect itself.
  • Make sure your backups are adequate and up to date.
  • Make sure you have a disaster plan to recover from an attack.
  • Make sure you have a business continuity plan to continue working whist you recover from a disaster.
  • Make sure you privileged access management is adequate.
  • Make sure your anti-malware solution is the best available to protect against modern threats.
  • Don’t be complacent.  Just because your cloud provider is popular, doesn’t necessarily mean it’s up to par.
  • Don’t rely on firewalls alone, the bastion model of security is well out of date now.
  • Consider adhering to a standard such as Cyber Essentials or perhaps even ISO27000 series.
Cyber Awareness Training General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Security

Artificial Intelligence – It’s here to stay

Artificial Intelligence is coming more and more to the front in the news, in just about all spheres of IT, no matter the vertical it serves. 

What exactly is AI?

Artificial intelligence (AI) describes computer systems which can perform tasks usually requiring human intelligence. This could include visual perception, speech recognition or translation between languages.

Of course, that’s not the only description you’ll find if you use your best research tool, Google, but it’s one used by the National Cyber Security Centre, so it’ll do for me.

I’m willing to bet that many of you, most of you, have some form of AI app downloaded on your devices.  ChatGPT is arguably the most popular amongst the general populace but it’s not the only game in town.  These apps are becoming more and more available and popular. ChatGPT is an artificial intelligence chatbot developed by OpenAI, a US tech startup. It’s based on GPT-3, a language model released in 2020 that uses deep learning to produce human-like text.  It has an underlying technology that has been around much longer, but this blog isn’t about the technicalities of AI, but more about how it affects SMEs as they go about their business.

I’ve been arguing that perhaps the biggest potential threat in terms of proliferation, ie the number of attacks waged at a relatively low level, aimed at quick wins in terms of scamming money, is the re-emergence of the script kiddie.  I wrote, some time ago, about how code could be written to be inserted into a Ransomware attack, quite easily, using AI. 

Script Kiddie

A script kiddie was what we called someone of relatively low skill levels who would go online to the dark web, and purchase scripts written by more advanced criminals that they had put up for sale.   The script kiddie would then use these scripts to mount an attack on a company or organisation.  These often failed because the script kiddie wasn’t all that bright, but just occasionally, they were harmful and even devastating.

Another scam, reported in The Washington Post, was an update on the very well reported CEO Scam, whereby someone impersonates the CEO of a company using spoofed email, but this time it’s using AI spoofing the CEOs voice, attempting to scam money from the company.  This one worked, and the company lost a lot of money.

So why am I bringing this up again so soon?  Well AI continues to be reported in the news, sometimes with a good result and sometimes not so good.  So, I thought I’d ask Chat GPT what it thought about AI and Cyber Security.  I asked 2 questions, the first was, ‘Is AI a danger in terms of Cybersecurity?’.  The answer came back:

Double Edged Sword

AI can be both a boon and a potential danger in terms of cybersecurity.  On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks.  On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously.  Sophisticated AI powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale.  It is crucial to develop robust safeguards ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

So even ChatGPT thinks this is a double edged sword.  The real problem for my target clientele, the SME space, is that affording AI powered tools to detect and mitigate threats and analyse large amount of data, will seemingly be too costly for them.  But as many defences use AI themselves now, it’s actually quite affordable.  So, when we are talking about developing robust safeguards, understanding the risks becomes even more vital, if that’s possible, than it ever has been before.  It also brings Zero Trust solutions sharply into focus and finding such solutions that are affordable, is going to become crucial.

The next question I asked was, ‘How do we ensure that AI isn’t a cybersecurity threat?’.  The answer came back:

Key Considerations

Ensuring that AI is not a cybersecurity threat requires a multi-faceted approach. Here are some key considerations:

1. Robust Security Measures: Implement strong security protocols, encryption, and access controls to safeguard AI systems and their underlying data from unauthorized access or manipulation.

2. Rigorous Testing and Validation: Thoroughly test and validate AI algorithms and models to identify and fix vulnerabilities, including potential avenues for cyberattacks, before deployment.

3. Adversarial Testing: Conduct adversarial testing to simulate potential attacks and evaluate the resilience of AI systems against different cybersecurity threats.

4. Data Privacy and Governance: Establish clear policies and practices for data privacy, ensuring that sensitive information is properly handled, stored, and shared in compliance with relevant regulations.

5. Ongoing Monitoring and Updates: Continuously monitor AI systems for potential security risks, promptly address vulnerabilities, and keep software and hardware up to date with the latest security patches.

6. Ethical AI Development: Integrate ethical considerations into the design and deployment of AI systems, emphasizing transparency, fairness, and accountability to mitigate potential biases or unintended consequences.

7. Collaboration and Information Sharing: Foster collaboration among industry, academia, and government entities to share knowledge, best practices, and emerging threats, enabling a collective effort to combat AI-related cybersecurity challenges.

8. Education and Awareness: Promote cybersecurity awareness and provide training to AI developers, users, and stakeholders, emphasizing responsible AI usage and the identification of potential threats.

By following these guidelines and continuously adapting to emerging risks, we can enhance the security of AI systems and minimize the potential for them to be exploited as cybersecurity threats.

Next Steps & Relevance

Again, looking at this from an SME perspective, some of it isn’t relevant i.e., No6 for example, SMEs aren’t going to be developing their own AI solutions.  And much of it I would have come up with on my own, without the aid of a machine.  It would appear that AI uses some common sense, which is nice.  No8 for example.  I bang on and on about this.  It is low cost and easy to implement.  It’s staggering how many companies don’t do this. This list also shows the value of Zero Trust solutions and encryption, which on its own, vastly reduces the risk to data, particularly PII (personal identifiable information – UK GDPR).

The argument then is that AI might encourage a proliferation of low level attacks, largely aimed at SMEs who generally have the lowest defences.  Quite low level criminals can utilise AI to carry out attacks that heretofore would have been beyond their skill level.  Common Cyber sense can go a long way to mitigating these attacks.  Technology evolves, attacks evolve, but the basic understanding of threat + vulnerability = risk, has never gone away.  Understand that and you stand a good chance of staying safe.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Risk Analysis and Security Strategy

What Are The Chances of a Cyber Attack Affecting You?

That’s a really good question and one that’s very difficult to pin down.  There are studies galore, mostly from the cyber security industry, and you might feel a little sceptical about those, but also from Governmental sources, which you might consider hold more weight.  Fear, Uncertainty and Doubt, known as FUD, permeates the airwaves about this and it can be a bit of a nightmare separating fact from exaggeration.  And I get that, I really do.

Aviva, not of course a cyber security company but who nonetheless do sell insurance, carried out some research reported in December 2023, which seems, on the fact of it, to be a little more realistic.  They have said that one in five UK businesses have experienced a cyber-attack or incident, with nearly one in 10 (9%) small businesses experiencing this in the last year. This number rises to 35% of large corporate businesses, showing the increasing risk that cyber presents.  But even this has some problems in that it depends on how many businesses reported such an attack or incident.  There is other research that suggests that many businesses, especially SMEs, keep such things well under wraps.

That’s a really good question and one that’s very difficult to pin down.  There are studies galore, mostly from the cyber security industry, and you might feel a little sceptical about those, but also from Governmental sources, which you might consider hold more weight.  Fear, Uncertainty and Doubt, known as FUD, permeates the airwaves about this and it can be a bit of a nightmare separating fact from exaggeration.  And I get that, I really do.

Small Business Cyber Attack Statistics 2024 (And What You Can Do About Them) says that SMEs account for 43% of cyber-attacks annually, of which 46% were SMEs with 1,000 or fewer employees.

In the 2023 Not (Cyber) Safe for Work Report, there are some alarming statistics.  A staggering 97% of executives use personal devices to access work accounts, and 74% frequently send work-related emails and texts from these devices.  Behaviour which significantly increases the vulnerability of SMEs to cyber-attacks, putting not just operations at risk but also sensitive employee and customer data.

SMEs are often repositories of a considerable amount of personal and financial information, making them lucrative targets for cyber criminals.  The report further indicates that one in three respondents has fallen victim to data theft via scams.  A single can result in identify theft, financial loss, and severe reputational damage.

This is a suggested list of the top 10 Cybersecurity Threats:

  • Social Engineering (often a precursor to Phishing).
  • Third-Party Exposure.
  • Configuration Mistakes.
  • Poor Cyber Awareness and Practice.
  • Cloud Vulnerabilities.
  • Mobile Device Vulnerabilities.
  • Internet of Things.
  • Ransomware.

Given that many SMEs have now adopted the hybrid working style since COVID, these are not particularly surprising.  Working remotely isolates employees who can be much more easily panicked into doing things that are unsafe, than if they have someone on hand, in the office, they can turn to for advice.  For example, Phishing.  Should I click this, does look a bit iffy?  I’ll ask Fred and see what he thinks.  As opposed to sitting at home, working to a deadline, and getting pressured by well-crafted Phishing emails, and thinking, I’ll just do it, what’s the worst that can happen?

One of the major problems facing all sizes of business is the lack of cyber security skills available for hire, either as an FTE or a contractor.  Shockingly, In September 2023, 50% of all UK businesses had a basic cybersecurity skills gap, while 33% have an advanced cybersecurity skills gap. These figures are consistent with those from 2022 and 2021, highlighting the persistent skills gap issue.

We talked a little bit above, about people using their devices.  This isn’t necessary a major issue, providing the individual is prepared to adhere to some security controls being placed on that device, if it is to be used for work.  It’s a bit of a balancing act.  It is reported that 80% of employees are uncomfortable with the idea of their personal devices being monitored by their companies, yet 73% would consent to having cyber security software installed on their devices.  So, a balanced approach is needed, which respects individual privacy while ensure collective security.  Not easy.

Here are 5 actionable steps we are recommending SMEs take:

  • Employee cyber awareness training.  Probably the biggest and cheapest quick win any SME can and should be taking.
  • Strong access control using multi factor authentication.  This should be a no brainer.
  • Cyber Security audits and monitoring.  Not easy for many SMEs who will be put off by thinking about costs.  However, this has become much more affordable, and all SMEs should be having conversations around this.
  • Encryption.  Again, becoming much more affordable and easier to use.  If your sensitive data is encrypted, the chances of falling foul of data protection becomes much less of an issue.
  • Supply chain security.  Many SMEs are in the supply chains of the bigger companies, often utilising online processes, connecting direct to the customer.  What would happen if a cyber-criminal gained access to a customer of yours, through your systems?

There is no silver bullet for this.  First and foremost, it must be recognised as a business issue, not an IT issue.  It must be owned from the top, and dealt with by the board, as they would any other business issue.  You can outsource your IT management, but you can’t outsource your responsibility.

Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools

Protecting Your Business from Cyber Attacks – Part 2 – Plus some info on a Ransomware Attack

efore I begin I thought it would be appropriate first, to discuss an issue that has cropped up in the news, which I believe is extremely pertinent to SMEs, because many use MS365 and Azure in part or in whole, for storing their data and as part of their access controls.  Many IT companies that service SMEs, will claim that Azure provides excellent protections, and that it’s enough on its own.  Now, I’m not here to denigrate Microsoft, heaven forefend, but it would be remiss of me not to point out a recent breach, which might well be a state backed attack, but nonethess has created what is known as an Advanced Persistent Threat (APT), known as Storm-0558 breach.

This breach has allowed China-linked APT actors to potentially have single-hop access to the gamut of Microsoft cloud services and apps, including SharePoint, Teams, and OneDrive, among many others.  It is estimated that the breach could have given access to emails within at least 25 US government agencies and could be much further reaching and impactful than anyone anticipated, potentially placing a much broader swathe of Microsoft cloud services at risk than previously thought.

A lack of authentication logging at many organizations means that the full scope of actual compromise stemming from the situation will take weeks, if not months, to determine.  This of course raises issues with authentication even amongst large enterprises and government departments.  SMEs are far more reliant on such technologies and are subsequently far more at risk.

This breach was caused by a stolen Microsoft account key which allowed the bad guys to forge authentication tokens to masquerade as authorised Azure AD users, and therefore obtaining access to Microsoft 365 enterprise email accounts and the potentially sensitive information contained within.  However, it gets worse, as it turns out that the swiped MSA key could have allowed the threat actor to also forge access tokens for “multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams and One Drive.

It should be noted that Microsoft took swift action and revoked the stolen key, however despite this some Azure AD customers could potentially still be sitting ducks, given that Storm-0558 could have leveraged its access to establish persistence by issuing itself application-specific access keys, or setting up backdoors.  Further, any applications that retained copies of the Azure AD public keys prior to the revocation, and applications that rely on local certificate stores or cached keys that may not have updated, remain susceptible to token forgery.

OK, now back to the original subject.  Steps 6 to 10 in my suggested top ten list.

  1. What steps should I take to protect my business from ransomware attacks? A very good question with a multi thread answer.
  • Keep Software Updated. Regularly update your operating system, applications, and antivirus software to ensure you have the latest security patches.
  • Use Strong Passwords. Use unique and complex passwords for all your accounts and consider using a password manager to keep track of them securely.
  • Enable Two-Factor Authentication (2FA).  Add an extra layer of security by enabling 2FA whenever possible, as it helps prevent unauthorized access to your accounts.
  • Be Cautious with Email. Avoid opening attachments or clicking on links from unknown or suspicious senders. Be wary of phishing attempts.
  • Backup Your Data.  Regularly back up your important files and data to an external hard drive or a secure cloud service. This way, even if you fall victim to ransomware, you can restore your files without paying the ransom.
  • Use Reliable Security Software. Install reputable antivirus and anti-malware software to help detect and block ransomware threats.
  • Educate Yourself and Others. Stay informed about the latest ransomware threats and educate your family or colleagues about the risks and preventive measures.
  • Secure Network Connections. Use a firewall and be cautious when connecting to public Wi-Fi networks.
  • Limit User Privileges. Restrict user access privileges on your devices, granting administrative rights only when necessary.
  • Monitor for Suspicious Activity. Regularly monitor your devices and network for any unusual or suspicious activity that might indicate a potential ransomware attack.
  1. What can I do to ensure that my data is backed up in case of a cyber-attack? This is straight forward and highlights a problem whereby many SMEs think that if their data is on a cloud service, they don’t need to back it up.    You need a backup routine that separates your backed up data, from your data storage.  What I mean by that, is that if an attacker, or a piece of malware, can jump from one system to another, then having a live connection to your back up defeats the object, but it’s surprising how many people do this.  So, there are a number of methods.  The first is the good old fashioned tape backup.  Becoming less and less used nowadays but still very effective.  Another is that several cloud providers also provide a backup solution that disconnects once the backup has been done and will allow you to go back to a ‘clean’ backup if the current one has been compromised.  Check this out, but do back up your data, don’t be convinced that you don’t need to, you do.
  1. What cyber security measures should I put in place to protect my business from external threats? To protect against external cyber threats, you should consider implementing the following cybersecurity measures:
  • Strong Passwords: Encourage employees to use complex passwords and enable multi-factor authentication wherever possible.
  • Regular Updates: Keep all software, operating systems, and applications up to date to patch known vulnerabilities.
  • Firewall: Set up and maintain a firewall to control incoming and outgoing network traffic.
  • Antivirus Software: Install reputable antivirus software to detect and remove malware.
  • Employee Training: Educate your staff about cybersecurity best practices and potential threats, such as phishing and social engineering.
  • Data Encryption: Encrypt sensitive data to prevent unauthorized access if it gets intercepted.
  • Access Control: Implement role-based access control to limit users’ access to only the data and systems they need.
  • Regular Backups: Regularly backup your important data and keep the backups in a secure location.
  • Network Monitoring: Use intrusion detection and prevention systems to monitor network activity for suspicious behaviour.
  • Incident Response Plan: Develop a comprehensive incident response plan to handle cybersecurity incidents effectively.
  • Vendor Security: Ensure third-party vendors and partners also have strong security measures in place, especially if they have access to your data.
  • Physical Security: Protect physical access to servers and sensitive equipment.
  1. How can I stay up to date with the latest cyber security threats and best practices? There is a number of things you can do but a lot depends on how much time you have available to devote to this.  Probably not much and you may wish to consider having an advisor on tap, and surprise, we provide such an advisor.  But pointers that might want to consider include:
  • Subscribe to reputable cyber security news sources and blogs, like this one!
  • Attend cyber security webinars.
  • Follow cyber security experts on social media.
  • Sign up for security alerts: Many organizations and government agencies offer email alerts for the latest cyber threats.
  • Participate in cyber security training. I can’t emphasise enough the value of cyber awareness training for your staff.
  • Read official reports and advisories: Stay informed about security bulletins and advisories released by software vendors and security organizations.
  • Practice good cyber hygiene: Implement strong passwords, use multi-factor authentication, keep your software up to date, and regularly backup your data.
  1. What steps should I take to ensure my business is compliant with relevant regulations and industry standards?

This is going to depend on several factors, such as the business you are in.  Many organisations must adhere to a variety of standards within their area of business and of course, many use a variety of International Standards such as ISO9000 series.  On top of this there are legal frameworks that you also must adhere to, amongst those are UK GDPR and financial services regulations.  Not an exhaustive list.  It can be a minefield.

It is somewhat surprising to me, that many SMEs that I visit don’t know what data is subject to these regulations and what isn’t, and where that data is actually stored, how it is processed and protected.  They will argue that they do know most of this, at least at a high level, but that they outsource to their local IT provider.  That won’t help you if a regulator comes after you.  You can outsource your IT, but not your responsibility.  Take advice, get guidance, there are some great protections and audit tools out there which don’t have to cost a fortune.  Check them out.

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

Identity and Access Management

IDENTITY AND ACCESS MANAGEMENT

Today I’m suffering from what is known in the UK, as a stinking cold. I feel like death warmed up, so this week I’ve decided to rehash a piece I did last year, on identity and access management. Those of you who have managed to plough your way through some of my earlier stuff, will know that I am very big on user awareness training for staff at all levels, believing as I do, that it is arguably one of the biggest wins that an SME can gain, to protect themselves against cybercrime. There is however a very close second, and that is identity and access management.

There is mounting evidence that the message is getting through that, although passwords are very important, they most certainly aren’t the panacea that many think they are.  We can see many organisations moving to 2 factor authentication as a norm now.  A charity I volunteer for has recently done just that and not before time, considering the amount of personal data they are holding.  But is that enough?

Compromised credentials are very high on the list of cybercrime related incidents that we see and have to deal with.  Protecting these identities can be a very technical issue and advice and guidance will be needed to ensure that you are adequately covered.  However it needn’t be overly expensive, neither need it be overly complicated.  In fact, I’m a great believer in that the simplest solution is often the best solution.  I’m an adherent of the KISS principle – Keep It Simple Stupid.

Questions to ask yourself include:

  1. Are your user accounts configured with the minimum level of privilege they need to do their job?
  2. If an employee needs additional privilege to carry out a one off job, how do you ensure that once it’s completed, the privilege is revoked?
  3. What is a privileged account? Typically it’s someone who needs additional privileges as part of their daily tasks, such as adding/removing users, auditing actions, access to more secure areas of the network (finance, management data etc), etc etc.  Are you limiting by policy the roles within your organisation that need privileged accounts, and are you specifying explicitly what those privileges are, by role?
  4. Are your privileged accounts subject to greater levels of auditing and scrutiny?
  5. Do you have a joiners and leavers process to manage active accounts?
  6. Do you have a movers process ie employees that change roles and require different levels of access to carry out their new role, either adding or removing privilege?

Another issue that you may need to consider is any accounts that exist on your network that may be used by third party suppliers.  Many companies use ‘just in time’ supply management which can require third parties to have access to their network.  Another example is people like me who, when carrying out things like vulnerability assessments, may be given privileges to scan the network.  Is that revoked at the end of the scan?  And of course, there is the IT company you may have under contract who actively have access to your network to carry out maintenance and might actually also have a contract for controlling user privilege.  Or perhaps the company you have under contract maintaining your alarms and security cameras which you didn’t know were actually using your network to connect to each other and their control room.

What about logging?  What is logging?  Every system has a set of logs which can be switched on or off.  I often come across networks where logging has been switched off or never activated because its consider to be an overhead you can live without.  Well, I disagree with that, quite vehemently.  Logging helps you to determine what normal looks like.  For example user profiles carry out certain functions within their role.  If a user is stepping outside of that profile, you need to find out why.  Is it a user who is doing something they simply didn’t realise they shouldn’t, or is it something more serious?  Is it an identity that has been created or hi-jacked by a cybercriminal who has managed to gain access?  Examination of these logs will help you understand that.  There is of course software on the market that will be of great help with this.

And of course, what do you do if you are suspicious of an activity or action by a user?

Defend Your Business Against The Latest Cyber Threats

Please get in touch and a member of our team will be in touch with you soon to discuss your requirements.
CHAT WITH OUR TEAM
Phone

0845 5443742 / 0845 5443730

EMail

hello@hah2.co.uk

Address

57 High St
Somersham
Huntingdon
PE28 3JB

Privacy Policy
All rights reserved H2 CRAS 2023

Facebook-f Twitter Linkedin Envelope
Scroll to top