Zero Trust Security is being put forward as a paradigm shift in cyber security and the future of data protection. So, what is it, and is it relevant to the SME market?

To answer the first part of that question, it is a framework for securing infrastructure to secure it against the attacks posed by modern cyber criminals’ hell bent on relieving businesses of their hard earned cash.  It uniquely addresses modern challenges such as securing remote workers, hybrid cloud environments, phishing, and ransomware attacks.

So, a primary driver for the development of Zero Trust platforms was the COVID pandemic and its aftermath, simply because the real paradigm shift was in working practices driven by the lockdowns initially, but subsequently embraced by many as a much cheaper working environment (smaller workplace = smaller costs), which many are finding hasn’t impacted their productivity.  However, it comes at a cost unseen by many in that their security was very much compromised.

As a result of this many firms have had to implement changes in their infrastructure in an attempt to shore up the somewhat reactive stance, they had to take to keep their businesses running during the lockdowns.  If this was only just changing out desk top machines for laptops and moving to much more reliance on cloud services, it has meant a sea change in their working practices.  Many more SMEs are looking for Software as a Service (SAAS) to avoid expensive infrastructure either on premise or on cloud, and others are looking towards managed services, something they simply wouldn’t have entertained before COVID.

All of this has produced a significant rise in malware threats at all levels and sizes of business.  Ransomware has become a very real threat to SMEs and it is simply a fact that many pay up simply because the criminals ask for a modest amount but then of course, they have almost always done unseen damage, such as putting in a back door to your system because they will come back to the well and second and third time, and they have almost certainly already stolen any data that might have a value.   How much better to stop them before their malware takes effect.

Let’s just go back to what is Zerto Trust and review the statement above that it is a framework for securing infrastructure.  OK great, but what does such a framework look like.

First off Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction.  So that means that you have to have a security strategy, something most SMEs don’t have and don’t really know how to approach it.

Arguably (I say arguably because if you put a bunch of security consultants in a room and ask a question, the result will be a row if not a punch up), there are 3 main pillars of a zero trust strategy:

• Trusted identities. Protect user access and keep control of device identities to secure the digital journey.
• Endpoint protection.
• Network security

So, what I’m saying here is that it isn’t just one thing, one product, one system, but a combination of several factors that together, provide defence in depth and in that, whilst technology changes, the strategy hasn’t.

This is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.

The problem for SMEs as always, is that they don’t have the expertise or the budgets to go down what they think of as a complex and expensive road.  Here at H2 we’ve taken that on board, and we have researched the market extensively and believe we have come up with some risk managed, zero trust solutions which are appropriate to SMEs and very affordable.

An interesting and thorny question, but one that deserves examination. Perhaps the biggest argument I can make regarding SMEs, is that without fully understanding the risks you are exposed to, how can you be sure that you are spending you limited funds in the most effective way, or in a way that is actually doing some good. I threw that last bit in because I come across situations all too often, where an SME is wasting money and resources because they don’t have a handle on security risks.

Now I know that many will say that this is a technical matter and that we have a company under contract that looks after our IT infrastructure and therefore we can safely leave it to them.  Wrong.  Ask them some simple questions:

1. Have they fully identified your security assets? Security assets are not just   hardware and software, in fact those are often the least of your worries.  It’s the data, where it is and how it’s protected that is important.
2. Have they done a risk assessment on those assets.
3. Have they recommended or implemented controls to manage the risk down to your acceptable residual risk level. That is assuming they have spoken to you about what that acceptable risk actually is.

It’s very important that business owners grasp the difference between the technical requirements of their networks, and the business requirement.

1. Tech

Describes the protection of networks, computers, programs, and data from unauthorized access or attack. It is a branch of cyber security which is focused on protecting computers, networks and programs from unauthorized access to data either by hackers or other malicious players. Technical security consists of tools such as firewalls, anti-virus software, intrusion detection systems and more to prevent and defend against attackers.

1. Business

Encompasses all aspects of protecting digital, including computer systems and networks, from unintended or unauthorized access, change or destruction. Cybersecurity includes controls, processes, and technologies to ensure the protection of data, programs, networks and associated software from unauthorized access or attack.

Cybersecurity also has a larger role in protecting organizations from malicious cyber-attacks and data breaches. A comprehensive cybersecurity strategy should include preventive measures such as strong authentication protocols, encryption, and threat intelligence analysis; detection mechanisms to rapidly identify attacks; response plans to quickly mitigate the damage; and recovery procedures to help recover after an attack. All these operational capabilities can help ensure organizations are better prepared to defend themselves against potential threats.

Bottom line folks – you can outsource your IT, but you can’t outsource your responsibility.

Risk management is all about helping us to create plans for our future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis.

We need to manage risk to enable us to make the best possible decisions, based on our analysis of future events and outcomes. Whilst the future can be anticipated to an extent, there are limits to how much it can be anticipated.

A good starting point is an acceptance that risk can’t simply be abolished. Risk must be recognised and then managed in some way or other, classified in some way, many choose a simple High, Medium and Low. And whilst we would all like to abolish risk, that won’t happen.  There is no business without some risk, the trick being to minimise to an acceptable level.

You will often hear the claim, ‘We have no clear definition of risk’. How on earth can we manage something that we haven’t defined?  Fair enough. Given this, how can we really know what everybody else means when they talk about ‘risk’?

We can see a clear lack of a definition as an essential aspect of risk management. The fact that organisations won’t necessarily know exactly how everyone defines ‘risk’ forces us to explain to each other what we mean. It makes us ask questions and challenge assumptions.

Simply put, of course, a definition for an individual organisation may simply be this question for each business asset or process, ‘what would the risk to the business be if this process/asset was corrupted/denied/compromised or lost’?  This gives us 4 risks, data corruption, denial of access, lost and compromised data/hardware/software etc, and it allows us to immediately assign a level to that risk of high, medium, or low, depending upon the perceived hit on the bottom line.

It’s a false and dangerous notion that you can fully understand and manage all risk. Instead, you should approach this with a sense of realism and pragmatism. Breaches of cyber security can and do happen to anyone, even the most diligent.

Don’t try and chase the Holy Grail of perfectly secure systems and a risk-free business; just make sure that you have thought about what can go wrong, and that this thinking has influenced your decisions.

Don’t despair, you can still protect yourself from many cyber-attacks by following good risk management techniques that define what controls you need to put in place, be they procedural or technical in nature.

Over the years I’ve had some very interesting conversations with several people from multiple different verticals, but all fitting comfortably within the SME bracket, around Cyber Security. The conversations tend to take a very familiar turn. The cry of, ‘I’m covered, my IT support company has put in a firewall and some anti-virus. They tell me all is good’. Slightly depressing but hardly surprising.

Even though cyber security and data protection have leapt to the top of many people’s agenda in recent years it is still common amongst many SMEs to believe that it is an IT problem, a technical problem rather than a business issue, even when recognising that the risk of a cyber intrusion or a data breach, impacts the business, the bottom line.  So, is it an IT issue or a business issue?

The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security breach.  For the small business this could result in costs of around £1400, for the medium business, considerably more.  One has just been hit for around £30000, which I am sure you will agree, can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers data and assets be affected as well.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.

It is a common misperception is that IT Security is the same as Cyber Security.  That surprises a lot of people, so let’s explore it a bit.  There is clearly a close symbiotic relationship between the two disciplines.  I would argue, and I know this might meet with some disagreement, that IT security refers to traditional IT security methods which are technology based.  Such as firewalls, anti-malware, end point protection etc etc.  Whilst Cyber security is based very much on risk management which combines controls which are both non-technical and technical, following the principles of People, Process and Technology.

Within the SME world this tends to mean that there is an almost total reliance on third party IT providers.  Is that a good thing, after all that’s in their area of expertise and responsibility, isn’t it?  And here comes the controversial bit.  Third party IT providers, particularly in the SME space, are pretty much exclusively value added resellers or VARs, i.e., companies that sell other company’s products.  Now I’ve no problem with that per se, but it comes with issues.    Notable amongst them is that these companies will have skill sets that are very much limited to the products they sell.  Ie they are proficient in the installation and configuration of those products and their clients are offered those products whether they are best in class, or more importantly, whether they are the most appropriate for the task.  Before I get a social media pile on, I know that some of the bigger VARs do sell multiple vendors products, but they are in a minority.

Before we go any further, let’s briefly explore some issues that are common amongst SMEs.  Some common myths first:

• Small to medium size businesses are not worth attacking.
• Cyber Security is an IT Issue.
• Technology will keep me safe.
• My policies and procedures are up to the job.
• My staff are young and have been brought up with IT. They know the score.

Now let’s look at some of the more common issues that we see often amongst SMEs:

• Lack of awareness around the current real-world cybersecurity risks
• False sense of security, with a heavy reliance and dependence on an external IT third-party provider
• Lack of cybersecurity knowledge, and understanding
• Poor cybersecurity maturity and posture within their businesses
• Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility.

Here at H2 we offer a cyber maturity assessment that is designed specifically at SMEs.  It is a comprehensive evaluation of an organization’s cybersecurity capabilities and readiness to effectively mitigate and respond to cyber threats. It involves a detailed analysis of the organisation’s cybersecurity policies, procedures, technologies, and practices. The assessment aims to identify potential vulnerabilities, weaknesses, and areas for improvement in the organisation’s cybersecurity posture.

During the assessment, cybersecurity experts typically examine various aspects, such as:

• Governance and Management: Reviewing the organisation’s cybersecurity policies, risk management frameworks, and leadership’s commitment to cybersecurity.

• Security Awareness and Training: Evaluating the level of cybersecurity awareness among employees and the effectiveness of training programs.

• Technical Controls: Assessing the implementation and effectiveness of security technologies, such as firewalls, intrusion detection systems, antivirus software, and encryption mechanisms.

• Incident Response and Recovery: Analysing the organisation’s incident response plan, including procedures for detecting, reporting, and responding to cyber incidents.

• Security Risk Management: Evaluating how the organisation identifies, assesses, and manages cybersecurity risks.

• Third-Party Risk Management: Assessing the organisation’s approach to managing cybersecurity risks associated with third-party vendors and partners.

• Compliance and Regulations: Verifying the organization’s compliance with relevant cybersecurity regulations and industry standards.

The results of the Cyber Maturity Assessment provide valuable insights to the organization, enabling them to enhance their cybersecurity defences and establish a more robust and resilient security posture. It helps organisations prioritise their investments in cybersecurity, address vulnerabilities, and strengthen their overall cyber resilience and provides a road map to reach a standard agreed with the management, taking full account of that managements risk appetite.

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

“If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence,” Joe Longo Now, SMEs of course don’t generally have to worry about enforcement action regarding their cyber security, but the effects of not taking ownership fully, can be quite devastating. Cyber is a risk, just like any other regarding running a business and needs to be treated accordingly.

Cyber security can be both a business and an IT issue.  It’s a business issue because breaches can have a significant financial and reputational impacts.  It’s also an IT issue because it involves implementing technical measures to protect systems and data.  Effective cyber security requires a collaboration between business leaders and IT professionals to address both the strategic and technical aspects of security.

That said it has to business led as the IT and cyber security strategy must reflect the overall business strategy that all elements of the business must adhere to.  You can outsource your IT, but you can’t outsource your responsibility.

Phishing, ransomware, and other scams have certainly concentrated the mind somewhat, and these attacks are most definitely not confined to the large enterprise businesses, but have been attacking, with a lot of success, the small to medium business market.  We now must add into the mix AI and its capacity for increasing cyber-attacks at all levels, making the production of code, so much easier and making it available to those perhaps less skilled than heretofore.

More than half (54%) of SMEs in the UK had experienced some form of cyber-attack in 2022, up from 39% in 2020 (Vodafone Study, 2022). So, what can you do to better protect your business? Well, here are some quick wins you can implement straight away: Ensure that you and your employees are using some form of password management software. Implement strong access controls to ensure that only authorised individuals can access critical systems and data. Invest in employee training and awareness programs. But this is just the tip of the iceberg when it comes to cybersecurity.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.

So, what does he mean?  As he’s not here to ask I suggest that he’s saying is that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are to ensure that your solution to those risks, vulnerabilities, and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

It’s also necessary to have some form of measuring the effectiveness of your solutions through a protective monitoring solution.  Such solutions for SMEs have long been considered too expensive to even consider, even though it provides a set of cybersecurity practices and measures aimed at safeguarding an SMEs digital assets and sensitive information. H2 is making that affordable and appropriate for SMEs at a price of £10 per seat and offering a 14 day free trial of the solution.

But first and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it goes not as expected?  Do I want to take this person on?  Etc etc etc.  Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take.  Failure to do that will almost certainly be damaging to your business, perhaps fatally so.

Within SMEs the difference between assessing day to day business risk and assessing risk to information assets, is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations.  I could go on.

The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate to achieve your business aims.   You need to ensure that supporting policies are produced, implemented, understood by employees, and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

Sadly, that’s not the end.  User education is probably the most important element of all for an SME.  Ensuring that your staff are aware of the policies and why they exist.  Protect yourself against scams which sadly, form the biggest danger to SMEs rather than hacks.  Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

I’ve talked a lot in the past about targeting your spend to ensure that you’re money goes on protecting what is really important to you, ensuring that the protections you have spent money on are in the right place, configured to protect what really needs protecting, are maintained correctly and are of course, effective.  So how do you do that?  Do you just take a good guess at what is needed?  Of course not, but it’s still a valid question.  Did whoever built your network install a firewall, did they set up an effective anti malware regime ie one that is constantly updated using a process whereby users can’t stop it if it becomes inconvenient? That happens, believe me.  Is all of this necessary?  Almost certainly.

A lot of these questions can be relatively easily answered.  To start with you need to:

• Determine the Data Assets (computers, mobiles, filing cabinets, whiteboards, servers, people etc – ie everywhere that data is held – hard or virtual copy or in someone’s head).
• Run through each Data Asset (or group of them) against the Controls and Procedures in accordance with your security policies (if you haven’t got security policies then that’s a whole other discussion), to determine which should apply and how they are currently being applied. It’s very useful to use a standard such as ISO27001 for this, even if you have no intention of applying for certification.

But now the difficult part, assessing the risks and what controls would be adequate to remediate those risks, thus ensuring you are placing the right controls, be they procedural or technical, in the right places and not wasting time, money and effort, putting in controls that aren’t actually needed, or are in the wrong place.

If you have a system to help you with this, then that really is the way to go.  Here at H2 we have partnered with Secure Business Data to enable us to use, and where appropriate, to sell 27K1 ISMS.  A risk assessment tool that is specifically targeted at SMEs and is therefore very competitively priced. It can come with an annual or a monthly fee, however you prefer.  We have adopted this system for use with our Risk Assessment Service which is carried out in three phases:

• Phase 1 – H2 conducts an assessment reviewing your existing information security, data protection protocols, technical security controls, and processes and procedures to determine their effectiveness and appropriateness, using 24K1 ISMS.

• Phase 2 – Working to your timescale and budget, H2 implements the findings from the risk assessment process which has used 24K1 ISMS. This could include introducing simple changes to your processes, all the way through to implementing technical solutions that provide effective protection from threats.

• Phase 3 – Education, ongoing security management, review and maintenance.

Okay in a conversation I was having last week about the new EU and UK data protection regulations and legislation, someone said to me; “what on earth do they [DPA 2018 & GDPR] mean when they say you have to take a Risk Based Approach to ensuring data protection”?

Good question I thought… And could only come back to something I believe to be the core foundation stone for anything related to whatever sexy label you want to put on it –  The application of sound Information Risk Management (IRM) techniques are central to ensuring all aspects of keeping information safe, whether that be any one or a combination of vectors related to the people, process and technological aspect of collecting, using, communicating or storing information in any form.  Without this, you simply will never be as secure as you should be.

Oh yes, and I hear you say… there’s no such thing as 100% security. Whatever percentages you care to bandy about, the highest levels will only be achievable if you use IRM techniques to understand the risks you face and identify the most appropriate, affordable and accreditable secure solution.

Understand what value your information has to you.  Every bit of information your business holds falls into at least three categories, highly sensitive, confidential or public and as a result has a value that can have both positive or a negative financial impact on the business.  It is therefore important that you understand what the “value at risk” is to the business should you find that information has been compromised – stolen or no longer available to you.

There is always a direct and indirect value at risk.  Actual cost impacts and consequential or collateral cost impacts.  Understanding these costs informs your decisions on risk reduction controls, which may be “organisational” or “technological”. More importantly, this knowledge with make sure you don’t spend too much time, effort and cash on inappropriate “all singing and dancing” bits of technology, when simple people, process and procedural controls will be sufficient – and of course the opposite.

So, to answer the direct question, “what on earth do they [DPA 2018 & GDPR] mean when they say you have to take a Risk Based Approach to ensuring data protection”.  Simples… use a good information risk management technique, like the H2 methodology and you will have succeeded in meeting the requirements of the DPA 2018 and GDPR in terms of both Privacy by Design and Default and taking a Risk Based Approach to data protection.

We at H2 have a great deal of experience in helping companies understand that Value at Risk. We would be delighted to discuss our methods with you and even demonstrate how we conduct our IRM reviews.