News

General Security Issues Identity and Access Management News Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

Innovation – Why Do Many Shy Away from it?

I read an interesting piece recently where the thrust was that true innovation consists of doing now what you should have done ten years ago.  Harsh, maybe, but also fair.  I’m constantly reading industry surveys which highlight the low level of cybersecurity maturity amongst large firms and, increasingly, an even lower level amongst smaller firms.  We never seem to learn.

Of course, and as I’ve mentioned before, many of these surveys are written, or at least sponsored, by cybersecurity vendors and largish consultancies, who could potentially be seen as biased in that they are pushing their own solutions.  But keeping that in mind, there is still and underlying truth.

My focus remains on SMEs, so I’ll skip more talk about the corporate world.  In conversation with people I’ve worked with for years, their anecdotal evidence supports the underlying truth of these surveys.  SMEs in particular struggle with the basics of good cybersecurity housekeeping, such as monitoring of basic network events, timely removal of user accounts, timely deployment of security patches, and revalidation of access level, particularly privileged access.  This list is far from exhaustive.  Whilst this message has been pushed over and over by cybersecurity professionals over the last 10-15 years, SMEs continue to rely on technical solutions which simply don’t stack up in many areas.  Why?  Simple, because they are relying on local IT providers to give them solutions and those IT providers continue to push the technologies that they sell.  SME owners and managers are very reluctant to relinquish that argument.  Strange when often the best solutions are procedural and as such, much much cheaper than a technology that probably doesn’t quite match up anyway.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

  • Small to medium size businesses are not worth attacking.
  • Cyber Security is an IT Issue.
  • Technology will keep me safe.
  • My policies and procedures are up to the job.
  • My staff are young and have been brought up with IT.  They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

  • Lack of awareness around the current real-world cybersecurity risks
  • False sense of security, with a heavy reliance and dependence on an external IT third-party provider
  • Lack of cybersecurity knowledge, and understanding
  • Poor cybersecurity maturity and posture within their businesses
  • Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Back to the topic in hand, innovation and how and when should we be seriously considering it.  Ideally, we should be constantly looking for innovations, not just to keep us safe, but to encourage efficiency and cost savings, and I’m sure all SME owners would love to have the time and resource to do just that.  But we live in the real world and will be cost, and resource constrained.  But that’s not an excuse to not keep a weather eye on the need to innovate.  We live in a changing world and what we in the business call the threat landscape, changes constantly.  This simply means that threats evolve all the time, often to meet new circumstances, and AI for instance, is reducing the response time of cyber criminals to new technologies and changes in working patterns, to almost what is known as the zero day threat, ie zero days from the release of something new, to a threat being created to exploit it.

When COVID hit, many SMEs had to move very quickly to keep going, adopting remote working without the time or luxury of any real planning.  It was a knee jerk born of necessity and certainly not the way they would have liked to do it.  There are multiple cases of companies not having the necessary equipment, in terms of hardware, desktop, laptops etc, and allowing staff to work from home using their own home machines, connecting to both office and cloud-based systems, without any check on how those machines were configured, whether or not they were kept up to date with the latest patches, or whether they were used by other family members. 

In terms of equipment, cloud usage and some working practices, that situation is righting itself, sort of.  There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are either planning to, or have adopted a hybrid model.  In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.  That new working model has arguably had the biggest effect on working practices and in turn, cyber security as it affects SMEs, since the innovation of IT itself. 

So, what needs to be done if hybrid working patterns are to continue?  Well, first and foremost comes your policies.  Do they reflect the new hybrid working model?  Have you laid down what is and what is not an acceptable use of company IT equipment if it’s being transported to a home address?  Do you allow the use of home machines, and have you laid down how those machines must be configured before they can be used for company business?  That list is not exhaustive.

Secondly comes user training.  Cyber awareness training for staff, along with a broad understanding of data protection principles, becomes even more important when staff are working from home.  It is a clear no brainer which many SMEs still don’t recognise as necessary.

Of course, those 2 things are hardly innovation, unless of course, you haven’t taken any of those measures and then it becomes innovative within your company.  Real innovation perhaps comes from reviewing the technologies you have in place, and have relied on, possibly for years.  Most, if not all those technologies will be based on the old bastion model of security, ie a network perimeter with a secure gateway, protecting your assets within that perimeter.  With the new working model, relying usually on cloud connectivity, your staff could be working in the office, at home, from a coffee shop etc etc.  You now have a mobile workforce.  What is needed is real innovation that protects your data regardless of where it is, technologies which themselves are cloud based, not caring where the end point it is monitoring actually is, whilst maintaining cost effective pricing.  This is something we’ve been at great pains to research and have now come up with such solutions.

We are holding a webinar to discuss and highlight these solutions and would love to see you there:

Event Details:

General Security Issues News

Cyber Threats to SMEs

I’m not a big fan of FUD – Fear, Uncertainty and Doubt – which is often used when selling, or attempting to sell, cyber security solutions.  I’ve always considered it a little unethical and unsavoury.  However, there is a clear difference between telling people what they need to know and spreading FUD around to scare up sales opportunities.  SMEs, just like the corporate world, need, and deserve, to know the truth about what they are facing.  I’m also not a fan of the saying ‘you don’t know what you don’t know’, but it’s sadly true.  Being uninformed can lead to complacency which can, in turn, lead to some quite disastrous consequences.

It’s being reported that SMEs experienced a 37% surge in cyber security warnings in 2023.  That’s a lot, and whilst there is always a little scepticism about stats, if only because many SMEs will simply not involve themselves in gathering such stats, preferring to keep things to themselves regarding their security, you can argue that 37% is a conservative estimate given that reluctance to take part.

They go on to say that Private sector organisations were hit harder by cyber threats, receiving 18% more alerts than their public sector counterparts. As threat levels rose, IT teams also showed signs of shrinking – the mean size of each security team at the beginning of 2024 was 2.63 people, slightly down from 2.7 people in 2021.  And that’s for organisations that can afford their own in house IT whilst most rely on contracted IT management companies, often local and themselves resource challenged.

They report that:

  • Two in five SMEs were taken offline – 41% of SMEs had to take systems and applications offline due to an incident over the last year. For one in seven of those (14%), the outage lasted more than a day.
  • Data loss hit almost two in five – 39% of SMEs lost data due to a cyber-attack in 2023, a 13% jump since 2021. Nearly a third (30%) of SMEs also lost data due to user error in the last 12 months and 27% lost data due to disgruntled employees.
  • One in five fell victim to ransomware – 20% SMEs fell victim to a ransomware attack – although the pace of attack has remained consistent over the last three years.
  • 34% paid out after a ransomware attack, with the average pay-out standing at £139,368. And, one in five were subjected to a regulatory fine as a result.
  • Nearly a quarter experienced an email attack – 23% of SMEs suffered from an employee opening a suspicious or malicious email that led to a serious attack.

Perhaps one of the most concerning issues for SMEs, is that it was reported that those employing some form of cyber security expertise were requiring their staff to work out of hours regularly in order to keep up with the issues, with 38% having been called at night and 34% having their holiday interrupted.  Not hugely surprising as cyber criminals don’t keep regular hours.  And of course, as I said earlier, most SMEs don’t employ their own in house staff but rely on IT management company’s and it would perhaps pay SMEs to re-visit their Ts & Cs to see if they have any out of hours coverage, and what it entails.

At least 70% of SMEs are struggling with the plethora of security solutions being sold to them, especially as most of these don’t inter operate with each other and instead, work independently and often overlap.  It’s essential that any solutions that are in place complement each other and where they do overlap, it’s for a good and useful purpose, providing belt and braces, requiring some form of reporting that allows us to see that these solutions are doing what we think they are doing.  All too often that’s not the case.

Getting advice and guidance, ensuring that you ask the right questions to get your knowledge to the point where you can realistically start to assess where you stand in regard to cyber security, is essential.  To that end we are holding a webinar on the 8th of May where we’ll explore some strategies you can adopt to protect your information from cyber threats, providing practical tips and best practices to secure your data effectively, and provide you with a tailored solution specially designed and priced for SMEs. This session is an excellent opportunity to enhance your digital security and protect the data you hold within your network that is critical to the operation of your business and your fiscal security.

You can register via Eventbrite:

https://www.eventbrite.com/e/protect-your-digital-assets-before-they-become-digital-liabilities-tickets-880741630927

Data Breaches and their consequences News Security

Data Breaches – How bad could it be?

“Fujitsu Hacked – Attackers Stolen Personal Information”

Fujitsu confirmed a cyberattack that led hackers to steal personal data and customer information.

Now there’s a headline to put fear into their customers, both current and potential.  Not a great look for one of our premier IT system integrators and manufacturers.

But what’s that got to do with me you say?  I don’t have any Fujitsu kit and I’m way too small to feature on the radar of a hacker or team of hackers, that would target someone like this.  OK, maybe true, maybe not so true.

Did you know that since 2005 the Information Commissioners Office (ICO) has ruled on 13,500 freedom of information and environmental information cases. Many of these would be classed as SMEs and small government departments, particularly local government.  Last year alone, 86 enforcement actions were taken which included 37 reprimands, 24 enforcement notices, 23 monetary penalties and 2 prosecutions.  Fines of around 80K are not uncommon, and a fine of that size would be a severe blow to an SME.  The ICO has issued fines totalling £590,000 to five companies for collectively making 1.9 million unwanted marketing calls which targeted the elderly and people with vulnerabilities.

Fines and enforcement notices cannot be hidden, they are published on the ICO website for all to see, which can have an impact on the reputations of companies, adding to the pain of any fine caused by a unwanted marketing calls or data breaches.

In practice though, the ICO is not there to put you out of business and the chances of a fine of anywhere near the maximum, being applied to an SME, is low but not impossible.

It is, for most SMEs, about doing what is reasonable to prevent a data breach.  That will include having the right policies and procedures, known to all staff, and rolled out.  Don’t play lip service to this, you will be found out.  It is important to be aware of the threat and take the necessary actions to prevent breaches.

Lack of adequate data security is an important basis for imposing fines.  Are you one of the SMEs who has swallowed the line that a firewall and some anti-virus, plus cloud storage, is all you need? 

In addition to inadequate security, one of the frequent reasons for imposing a penalty is failure to report a violation despite the obligation under the law.  Have you got that covered with an adequate policy and process in place and understood?

This can all be a real nightmare for many SMEs, particularly those with a large amount of personal data, much of which they can’t ditch.  For example, financial data which under other legislation, they must keep for 7 years.  I’m thinking about Estate Agents and financial advisors, even solicitors who I find are very good at telling others what they need to do to comply with the Act but aren’t so hot on how to do it.

One of the biggest issues I find with SMEs, is that they often think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set.  This has become a real issue since COVID, in that remote working is becoming normal and it’s a real temptation for an employee, working from home with possibly less than robust broadband, to copy data from cloud storage to their PC or laptop to ensure they can keep working on it.  Then they upload it again when they’ve finished but forget to delete their copy.  That’s just one instance but it is vital to understand where all this data is.  What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why.  I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person.  But under the law, they had no choice but to bite the bullet.

We’ve been pondering these problems for some time, and they boil down to processing and storing the data securely and being able to quickly lay your hands on it.  There are several systems on the market which will capture where your data is, and who has access to it, generally under the banner of Data Loss Prevention, or DLP.  These systems are based on an event-driven approach and require extensive ongoing rules management built for LAN/WAN perimeters and are becoming much less effective working in an increasingly perimeter less environment. 

Local and Wide area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premises repositories (File Server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like slack or WhatsApp), and 3rd party portals. We needed an answer to this new data landscape with a cross-platform discovery functionality, coupled with the data flow monitoring capabilities.

We came across Actifile, which works very differently to a standard DLP, which in any case, often requires other tools to provide the security functionality needed.  Actifile is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in the world of no security perimeters. Moreover, Actifile’s set and forget method, requires little to no maintenance, and can be up and running securing data, in less than 3 working days providing a detailed breakdown of the data risk and leverages the data risk for data flow monitoring, auditing and remediation. This approach greatly simplifies the process.

Actifile is a cloud-based management platform coupled with a lean agent for workstations (both Windows and Mac), File Servers, NAS and Terminal Servers, and a sidecar docker instance for cloud-based file shares (. i.e., OneDrive).

Step 1: Data Risk Discovery and Quantification

Based on predefined privacy regulations and PII definitions, Actifile immediately starts scans for sensitive data using smart patterns. Actifile then quantifies data risk per PII type in local currencies.

Step 2: Data Risk Monitoring and Auditing

Tracks and audits data risk in real-time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organization.

Step 3: Data Risk Remediation by Encryption

Our patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption takes as little as 72 hours.

Finally, and importantly, it is very light on administration, quick to set up and we are offering a 30 day trial at no cost.  If you don’t like it, we take it away.

Defend Your Business Against The Latest Cyber Threats

Please get in touch and a member of our team will be in touch with you soon to discuss your requirements.
CHAT WITH OUR TEAM
Phone

0845 5443742 / 0845 5443730

EMail

hello@hah2.co.uk

Address

57 High St
Somersham
Huntingdon
PE28 3JB

Privacy Policy
All rights reserved H2 CRAS 2023

Facebook-f Twitter Linkedin Envelope
Scroll to top