
In Conversation with our Cyber Security Team

Written by HQ | Oct 9, 2024 9:09:34 AM

To celebrate Cyber Security Awareness Month, we’re excited to share a series of interviews featuring the Toro team.

This week we are joined by the brilliant cyber team. Let's delve into the conversation!

What are some of the most common cybersecurity risks you're seeing today?

Andrew: A big one is software patching. It’s really common for organisations to fall behind in keeping their software and systems up to date. And that’s where vulnerabilities creep in. 

Gareth: Yeah, patch management is definitely an issue, especially for larger organisations with a big IT estate. It's tough for them to keep track of everything. They might not have the right tools to monitor for patches, and many small organisations don’t have those tools either. 

Can you give us a bit more detail on why software patching is such a challenge? 

Andrew: Well, one of the big challenges is that many companies don’t even know what they have in terms of assets. They don’t have a proper asset registry, which is pretty fundamental. If you don’t know what’s in your system, how can you ensure it’s all up to date? It’s really about going back to basics—knowing what you have, so you can protect it properly. 

Gareth: Exactly. When software patches are released, it’s usually because a vulnerability has been found in the older version. As soon as that patch is out, the whole world knows about the vulnerability, including attackers. So, if you're not keeping up, you're putting yourself at risk. 

What are the other common risks you’re seeing? 

Ray: Misconfiguration is another big issue, especially with default settings being left as they are straight out of the box. For example, internet-facing devices like routers aren’t always secured or hardened in line with best practices, leaving them vulnerable. 

Is that down to a lack of understanding or just bad processes? 

Ray: I think it’s a combination of both. Many organisations don’t have the skilled talent or resources to handle this properly. People end up being a jack of all trades, trying to manage everything without mastering any one area. Also, there’s this attitude that smaller organisations won’t be targeted. They think, "Why would anyone come after us?" But that's absolutely the wrong mindset. 

Obaidullah: I agree. There’s also a lack of adherence to security best practices in many organisations. It’s not communicated well enough or prioritised as it should be. 

So, it’s not just about the tools, but also the mindset and culture within organisations? 

Connor: Absolutely. Many businesses don’t have a strong security culture. It’s often an afterthought—something they do because they have to, not because they really understand its importance.  

Ray: The problem is that many organisations take a relaxed attitude towards cybersecurity. They think, "It won’t happen to us," but the reality is, they’re still a target. Even small businesses have assets that cybercriminals are interested in, whether it’s money, data, or access to larger networks. 

Andrew: Exactly, it’s about balancing risk appetite with usability. You want people to be able to do their jobs efficiently, but you also want them to be secure. That’s a constant balancing act, like two sides of a seesaw—you have to find that sweet spot where security doesn’t get in the way, but it’s still effective. 

What about cyber insurance? Is that becoming a factor in how seriously companies take their cybersecurity? 

Gareth: Definitely. We’re seeing that the rising costs of cyber insurance are pushing companies to take their security more seriously. Insurers are now requiring businesses to follow best practices before they can even get insured. It’s no longer just an option; it’s a prerequisite. 

Ray: Yeah, it’s forcing companies to get their act together. They won’t get coverage unless they’re doing the basics, like keeping their systems patched and secure. 

Andrew: And even with things like Cyber Essentials, while some people might see it as just ticking boxes, it’s a good starting point. It helps raise awareness and sets a baseline for the minimum security controls organisations should have in place.

Obaidullah: True. Organisations sometimes do just enough to attain certification. Like a tick box. They want the stamp of approval without understanding what they are or are not doing correctly. It's a one-off exercise for them.

Ray: That’s why it’s so important for companies to work with reputable managed security service providers (MSSPs) who can assure best practices and provide real quality assurance. A good MSSP will drive security standards across the board, especially for organisations that don’t have the skills or resources to manage it in-house. 

Gareth: And when we talk about something like Cyber Essentials, I always try to explain to clients why each control is important, not just that they need to do it. They need to understand the threats these controls are meant to counter, otherwise it just becomes another box to tick without real understanding. 

If there’s one thing you think organisations should do tomorrow to improve their security, what would it be? 

Obaidullah: I’d say they should get an external pen test or audit done. Having a fresh pair of eyes from a reputable source can highlight weaknesses they may not even be aware of. It provides benchmarks and gives them a clear path to achieving compliance and better security overall. 

Andrew: It's even better than compliance. It's getting a second pair of eyes over what you've done to check your work. That's always a good thing.  

What else should organisations do? 

Ray: Change your passwords. Unique passwords for every service. You need complex passwords for every service, and the reason for that is it will prevent collateral damage in the event of one of your accounts being breached online.

Andrew: A password manager can of course help with this.

Connor: The biggest thing I’d recommend is cybersecurity awareness training. Little and often. People are your main defenders at the end of the day, so just trying to get a culture built within the core of the company is important.  

Obaidullah: And on that point, instead of annual training, more regular sessions for the entire lifecycle of the business are important. 

Ray: Humans are often the weakest link. Talking about human nature and trust is important because it is a weakness for businesses.  

Andrew: Humans want to help by nature, so therefore they are the weakest link. Cybersecurity culture is very important. It wraps everything up—cybersecurity culture is very, very important. 

But how do you create that culture? 

Connor: Start by regular training and testing, rather than slapping on a one-hour session once a year where everyone logs in and thinks, "Great, let's just get through this on a Friday afternoon." Instead, do it every couple of months or so, maybe every other month. Use it as a tool for good, and get people excited about it. 

Andrew: Include their personal cybersecurity because that hits home just as much as work-based scenarios. If you say, "Hey, here's what you're doing wrong on Facebook," the first thing they'll do is get on their phones and make all the changes. 

Gareth: It’s got to be driven from the top as well. If people see senior leaders taking part in cyber training, it goes a long way. We’ve all worked at places where the senior people don’t bother with that stuff. It’s about making sure security is part of everything you do. For example, when you're implementing a new system, you should always ask, "How do we make it secure?" It has to be a mindset. 

Andrew: People are also afraid of saying "no." If they have a technical control in place that stops them from bypassing security, they're safer. They can simply say, "Sorry, I can't do that." 

Gareth: Yes, and you can introduce things like multi-factor authentication (MFA). The system won’t allow someone to change their password unless they provide a verification code. If they’ve lost their phone, that’s tough luck—they’ll have to go through their line manager. That kind of rigid approach might be frustrating to some staff at times, but it goes a long way to mitigating the risk of a social engineering attack. 

How has ransomware evolved, and what should companies be doing to protect themselves?  

Ray: Ransomware has evolved in sophistication. It’s no longer just about encrypting your data. Now, it’s about exfiltrating data and threatening to leak it if the ransom isn’t paid. This affects the reputation of the business. That’s become the norm now. Ransomware dates back to 1989, but it’s evolved a lot since the early days. Now it’s automated, can be remotely executed, and the ransom demands are higher than ever before.

Andrew: Some ransomware gangs even have helpdesks to guide victims through paying the ransom. 

Ray: And you can procure ransomware as a service. Anyone, even without technical skills, can launch an attack by paying a service provider. 

Gareth: It’s not just ransomware. Attackers are now operating like businesses—they have helpdesks and customer service, making the entire operation more professional. 

But surely, if companies have adequate backups, they can just recover and avoid paying the ransom, right? 

Ray: Attackers have adapted. Now, they exfiltrate the data and threaten to leak it. Backups won’t help if your sensitive information is out there for sale or blackmail. The legal ramifications alone are serious. 

Obaidullah: There are legal considerations, too. 

Ray: Exactly. This evolution in ransomware tactics happened because companies got better at backing up their data. So, attackers shifted to exfiltration. They steal the data and then try to sell it or blackmail the organisation with it. 

Andrew: And restoring from backups isn’t always a quick process. Some organisations can be offline for weeks or months, which damages their reputation and bottom line. 

How can employers recognise a phishing attack, or more interestingly, how have phishing attacks evolved? 

Ray: What’s changed in phishing attacks is the use of AI to produce more sophisticated messages that are harder to detect. Attackers are using AI to create more convincing emails and even voice phishing attacks. 

Gareth: And phishing isn’t limited to emails anymore. It happens via text, phone calls, and social media. The focus has also shifted toward credential harvesting. With the big shift away from on-prem to cloud services that there’s been over the last decade, you can often access their data from anywhere in the world if you have their login credentials. So phishing is often more focused on stealing those credentials than delivering malware.

Andrew: Phishing is also becoming more targeted. Attackers do research on a company or individual to make the phishing email look as realistic as possible. It's not just casting a wide net anymore; it's more spear phishing, going after specific targets with tailored attacks. 

Ray: Attackers are doing their homework, so it’s harder for people to spot phishing attempts. The key to defence is continuous education and phishing simulations, where employees are sent fake phishing emails to see how they respond. 

Andrew: The feedback loop is crucial. If employees fall for a phishing simulation, you can’t just leave it at that. You need to explain what gave the phishing attempt away and teach them what to look for next time. 

Obaidullah: And it’s important to integrate this into the company culture. It has to be a mindset that leadership supports and reinforces regularly, not just a one-time thing. 

Ray: Exactly. It’s about building a security-conscious culture. Leadership has to set an example and be part of the training to show its importance. 

Connor: Right, and if the training is continuous and engaging, it becomes second nature. People stop seeing it as a chore and start seeing it as a part of their role. 

Andrew: And phishing isn’t the only challenge—there’s also voice phishing and AI-based attacks. Attackers can use AI to mimic someone’s voice, making a call seem legitimate. 

Ray: Organisations need to have strong processes in place. For example, if someone gets a request for sensitive information, they should verify it independently. Multi-factor authentication is another key defence. 

Gareth: People should feel empowered to question anything suspicious. And technology should support that by making it easy to verify requests. 

Obaidullah: AI can help detect phishing attempts, but it's a double-edged sword. Attackers are using it too. So, it's a constant race to stay ahead of them. 

Andrew: AI is a tool, but it doesn’t replace human vigilance. You still need a security-conscious workforce. 

Ray: Credential harvesting has become more sophisticated because multi-factor authentication (MFA) is widely adopted. Attackers now focus on obtaining credentials and then have to bypass MFA, and with the right techniques, they can even defeat these controls through MFA persistence and brute force, and in poorly orchestrated MFA, through intercepting the likes of SMS messaging.

What should someone do if they suspect they've fallen victim to a phishing attack? 

Gareth: The first step is to immediately inform someone—whether that's a line manager or the IT team. It's essential to foster a security culture where staff feel comfortable reporting potential issues without fear of punishment. The sooner it's flagged, the sooner action can be taken. 

Looking ahead, what should companies focus on? 

Connor: Legislation is a big one. As the cybersecurity landscape evolves, so does the need for businesses to stay compliant with changing laws. 

Ray: If companies don’t have the resources to handle cybersecurity in-house, they should consider partnering with external experts who can provide the necessary talent and support. 

Obaidullah: Align security with business objectives. Rather than seeing security as a hindrance, it should be viewed as an enabler to help achieve broader business goals. 

Ray: Take a holistic view. Think of physical and cyber security as one entity and distribute your budget in a balanced way to maximize overall protection. 

Andrew: Don’t focus solely on one aspect. Security needs to cover technical, physical, and human elements to create a comprehensive defence strategy. 

If you would like to speak to any of the team about any points raised please get in touch.