Understanding Cyber Essentials firewall requirements

One of the five major controls of Cyber Essentials is to configure and deploy a network firewall. Let’s delve into what that means in practice.

What’s a firewall?

A firewall is a network security system that creates a buffer zone between your company’s network and external networks. In simple terms, it creates a secure zone between your devices and the internet.

To qualify for Cyber Essentials, all your internet-connected devices should be protected with a firewall. 

Types of firewall 

There are two kinds of firewall that meet the Cyber Essentials firewall requirements:

  1. Personal firewall
  2. Boundary firewall

Personal firewall

You’ll usually find these installed on internet-connected desktops or laptops. Most operating systems come with a built-in personal firewall so you’re likely already using one.

Boundary firewall

Also known as a network firewall, boundary firewalls provide a protective buffer around your entire network of devices. In most cases, you’ll need a hardware firewall to deploy a boundary firewall.

How do firewalls work?

Firewalls restrict inbound and outbound traffic so that you connect safely to external networks like the internet. They prevent desktops, laptops, and mobile devices within your network from accessing malicious or harmful content.

Firewalls do this by using rules to restrict the kind of traffic that gets in. These rules allow or block incoming traffic into a network depending on its source, destination, and communication protocol.

Cyber Essentials firewall requirements 

The Cyber Essentials firewall requirements are to use and configure a firewall to protect every device in your business, especially those connected to public or untrusted Wi-Fi networks.

To comply with Cyber Essentials, you must:

  • Disable permissive firewall rules once they become obsolete
  • Make use of personal firewalls on devices connected to untrusted networks like public Wi-Fi or hotspots
  • Block unauthenticated and untrusted inbound connections by default
  • Review and update default passwords and settings according to the organisation’s security requirements
  • Use strong administrative passwords with a mix of upper and lower-case characters, numbers, and symbols, or disable remote administrative access
  • Set and document administrator-approved firewall rules 
  • Restrict administrative access to the firewall interface. Access should be protected with:
    • Two-factor authentication
    • An IP whitelist with a small number of devices only
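To make the rule model described above concrete, here is an added example in Python; it is not part of the original article and does not represent any particular firewall product. It implements the first-match, default-deny evaluation that the "How do firewalls work?" section describes (rules matched on source, destination port and protocol), and an audit function that flags the three things the requirements list calls out: blanket allow rules, administrative ports reachable from more than a short allow-list, and temporary rules past their review date. The rule names, the address ranges (RFC 5737 documentation ranges), the review date and the assumed administrative ports are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional

# Ports on which the firewall's own administrative interface is assumed to listen
# (an assumption for this example; real products vary).
ADMIN_PORTS = {22, 8443}


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # permitted source network in CIDR form
    proto: str = "any"              # "tcp", "udp" or "any"
    dport: Optional[int] = None     # destination port; None matches every port
    expires: Optional[date] = None  # review/expiry date for temporary rules

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules, src_ip, proto, dport, today):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.expires is not None and rule.expires < today:
            continue  # an expired temporary rule is treated as disabled
        if rule.matches(src_ip, proto, dport):
            return rule.action, rule.name
    return "deny", "default-deny"


def audit(rules, today):
    """Return review findings for allow rules that conflict with the requirements."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if rule.src == "0.0.0.0/0" and rule.dport is None:
            findings.append(f"{rule.name}: allows every inbound connection from anywhere")
        if rule.dport in ADMIN_PORTS and ip_network(rule.src).num_addresses > 16:
            findings.append(f"{rule.name}: admin port {rule.dport} reachable from "
                            f"{rule.src}; restrict it to a short allow-list")
        if rule.expires is not None and rule.expires < today:
            findings.append(f"{rule.name}: expired on {rule.expires}; remove it")
    return findings


# Constructed sample ruleset and review date.
TODAY = date(2024, 7, 1)
RULES = [
    Rule("admin-from-office", "allow", src="203.0.113.10/32", proto="tcp", dport=8443),
    Rule("public-web", "allow", proto="tcp", dport=443),
    Rule("contractor-temp", "allow", src="198.51.100.0/24", expires=date(2024, 3, 31)),
    Rule("ssh-anywhere", "allow", proto="tcp", dport=22),
]

if __name__ == "__main__":
    for pkt in [("203.0.113.10", "tcp", 8443), ("192.0.2.5", "tcp", 8443),
                ("198.51.100.7", "tcp", 3389), ("192.0.2.5", "tcp", 22)]:
        print(pkt, "->", evaluate(RULES, *pkt, TODAY))
    for finding in audit(RULES, TODAY):
        print("REVIEW:", finding)
```

Running it shows the management port accepted only from the office address, the expired contractor rule no longer matching anything, and the audit flagging both the expired rule and the SSH rule that is open to the whole internet; those two findings are exactly what the "disable obsolete rules" and "restrict administrative access" requirements ask you to fix.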

Does your firewall meet Cyber Essentials requirements?

Setting up a properly configured firewall is one of the first steps towards a Cyber Essentials certification.

If you’d like to learn more about network firewalls and how to configure them for Cyber Essentials, contact us.

Or, if you want to know more about Cyber Essentials and the benefits of certification to small businesses like yours, check out our guide.

How to respond to social engineering attacks

Cybersecurity threats are a growing concern for businesses of all sizes. Small businesses, in particular, often underestimate their risk, thinking that cybercriminals only target larger corporations. However, this misconception can lead to vulnerabilities that are easily exploited. In this blog post, you will learn about social engineering, how to prevent attacks, respond if an attack occurs, and why practice makes perfect in maintaining your security posture.

What is Social Engineering?

Social engineering is a tactic cybercriminals use to manipulate individuals into divulging confidential information or performing actions that compromise security. Unlike technical hacking, social engineering exploits human psychology rather than software vulnerabilities.

One common form of social engineering is phishing. Phishing involves sending deceptive emails that appear to be from legitimate sources. This tricks recipients into clicking on malicious links or providing sensitive information like passwords and credit card numbers. 

Phishing attacks are by far the most common type of cyber attack experienced by UK businesses. 84% of businesses that identified any breaches or attacks in the last 12 months reported experiencing phishing attacks.

Among organisations that identified breaches or attacks, 35% reported experiencing impersonation attempts, where attackers pretended to be the business or its staff in emails or online. More alarming still, although 21% of businesses yet to experience an attack didn’t think they’d need to close in the event of one, 100% of those who have been victims said they would.

So the risk is very real for businesses of all sizes, regardless of industry. But what can you do about it? 

Prevention is better than cure

When it comes to cybersecurity, prevention is always better than cure. Implementing technical controls can help safeguard your business from cyber threats. Here are a few to get you started.

Email filtering

Whichever platform you use, most email services include filtering to block phishing emails; it’s how things end up in your spam folder. But what you might not know is that you can calibrate the rules yourself. Setting strict rules for what can and can’t enter your business’s inboxes can almost completely remove the chance that most phishing emails will ever reach a human.
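As an added illustration of the kind of rules such a filter can apply (this is example code, not CyberSmart’s product or any particular mail platform), the Python below checks a message before it reaches a human: it honours the receiving server’s SPF, DKIM and DMARC results, flags a sender display name that impersonates the organisation while the actual address is external, and flags a Reply-To that diverts replies to a different domain. The organisation’s domain, every address and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# The business's own domain (constructed for this example).
TRUSTED_DOMAINS = {"example.co.uk"}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(raw_message: str):
    """Return ("deliver" | "quarantine", [reasons]) for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # Rule 1: honour the receiving server's SPF/DKIM/DMARC verdicts.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) not in ("pass", "none"):
            reasons.append(f"{mech}={m.group(1)}")

    # Rule 2: mail claiming to come from our own domain must carry dmarc=pass.
    if from_domain in TRUSTED_DOMAINS and "dmarc=pass" not in auth:
        reasons.append("claims our domain without dmarc=pass")

    # Rule 3: display name mentions our organisation while the address is external.
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if from_domain not in TRUSTED_DOMAINS and any(b in display_name.lower() for b in brands):
        reasons.append("display name impersonates our organisation")

    # Rule 4: replies are redirected to a domain other than the sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append("reply-to domain differs from sender domain")

    return ("quarantine" if reasons else "deliver"), reasons


# Constructed sample messages.
SAMPLE_PHISH = "\n".join([
    'From: "Example Finance Team" <finance@examp1e-payments.com>',
    "Reply-To: payroll@mail-relay-invoices.net",
    "To: alice@example.co.uk",
    "Subject: Action required: payroll details",
    "Authentication-Results: mx.example.co.uk; spf=softfail "
    "smtp.mailfrom=examp1e-payments.com; dkim=none; "
    "dmarc=fail header.from=examp1e-payments.com",
    "",
    "Please review the attached document.",
])

SAMPLE_LEGIT = "\n".join([
    'From: "Alice Brown" <alice@example.co.uk>',
    "To: bob@example.co.uk",
    "Subject: Minutes from this morning",
    "Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=example.co.uk; "
    "dkim=pass header.d=example.co.uk; dmarc=pass header.from=example.co.uk",
    "",
    "Minutes attached, see you Thursday.",
])

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(raw))
```

The first message is quarantined for four independent reasons, the second is delivered with none; in practice you would tune which of these reasons quarantine outright and which merely tag the message, and review the quarantine regularly so that genuine mail caught by an over-strict rule is not lost.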

Multi-factor authentication 

Use multi-factor authentication (MFA) for all accounts within your organisation. MFA adds an extra layer of security by requiring multiple forms of verification before granting access to sensitive information. This means that even if a hacker does get hold of an employee’s login credentials, it’ll be far more difficult for them to gain access to company platforms, documents, or sensitive data.

Regular software updates

A huge number of successful breaches start with a known vulnerability. In 2023 alone, more than 50% of the high-risk vulnerabilities tracked by Qualys were used by cybercriminals to attack victims. 

Fortunately, there’s a quick and easy way to ensure your business doesn’t fall prey. Software developers regularly release patches to address vulnerabilities, usually in the form of updates. Run these updates whenever they’re released; you can even set your operating system to auto-update.

Technology isn’t enough 

Although technology is a vital component of cyber defence, we can’t rely solely on it. As I explained at a recent talk, for technology to be successful people must want to use it and our culture must motivate us to do so.

We can start to achieve this culture through security training and awareness. Educating employees about the dangers of social engineering and how to recognise phishing attempts is crucial. Regular training sessions can help employees stay vigilant and understand the latest tactics used by cybercriminals. This understanding and realisation of the threats and possible impacts upon individuals and the businesses they work for will sow the seeds of a strong culture.

Incident Response Procedures

Despite the best preventive measures, breaches can and will still occur. Having a robust incident response procedure in place can mitigate the damage and help your business recover quickly.

Incident response procedures are predetermined protocols that outline the steps to take when a cybersecurity incident occurs. These procedures ensure an efficient and effective response, minimising any impact on your business.

An effective incident response plan should include:

Preparation – Ensure your team is ready to handle incidents by establishing and training on policies, tools, and communication plans.

Detection and analysis – Monitor systems to quickly identify and assess incidents, determining their scope and impact.

Containment, eradication, and recovery – Implement strategies to control the incident, remove the threat, and restore affected systems and data to normal operations.

Post-incident activity – Review and document the incident and response actions, using insights to improve future response efforts and strengthen security measures.

Practise, Practise, Practise

Developing an incident response plan is not enough. You must also regularly practise it to ensure it remains effective.

Depending on your organisation’s size and resources, you must determine which incidents should be subject to a lessons learnt process. For example, all incidents with a critical or high ticket associated with them. After each relevant incident, conduct a thorough review to identify what worked well and what didn’t. Use these lessons to improve your response procedures and prevent future incidents.

Want to know more about the cybersecurity threats facing your customers? Check out The CyberSmart MSP Survey 2024, our deep dive into the cybersecurity sector in 2024.

Press release: Cyber Confidence at MSPs high, despite falling victim to data breaches

CyberSmart research reveals high levels of cyber confidence in MSPs, despite 87% experiencing a breach in the past 12 months.

London, UK – July 10th 2024 – New research conducted by CyberSmart, a leading provider of SME security solutions, indicates that nearly all MSPs report high rates of cyber confidence across their organisations, despite the vast majority having experienced at least one data breach in the past 12 months.

The research, conducted by OnePoll in spring 2024, polled 250 senior leaders at UK-based Managed Service Providers. It found that an overwhelming majority of MSPs – 87% – had experienced at least one data breach in the past 12 months, with 16% indicating they had experienced more than 5 incidents in the same timeframe.


This track record on cybersecurity stands in contrast to the associated cyber confidence that the surveyed MSPs reported. Almost all – 97% – of the MSPs surveyed suggested that their organisation had either a ‘fair’ amount of cyber confidence or a ‘great deal’ of cyber confidence.

Another interesting aspect of the results is that this confidence appears to be projected onto MSP customers too, with respondents reporting that they believed 85% of their customers had either a fair or a great deal of cyber confidence.

What are the top threats to MSPs?

Both the customers and providers identified ransomware and malware infection as the top concern, at 55% and 57% respectively. For MSPs, inflation and spiralling costs came in second (43%) and for customers, exploitation of unpatched or undisclosed vulnerabilities was the second most concerning threat (44%).

“The associated confidence noted by MSPs is heartening but needs to reflect the reality on the ground for MSPs, and their own perception of their security posture is concerning and highlights the need for the cybersecurity to step up and work closer with Managed Service Providers,” said Jamie Akhtar, Co-Founder and CEO at CyberSmart.

“MSPs, due to the levels of privileged access they will have into multiple companies, make for an appealing target for cybercriminals. This, coupled with the fact they are responsible for the IT infrastructure of companies without IT or security resources, means it is paramount that security providers work closer with them to protect the £ 5.5 million SMEs who in many cases turn to MSPs to keep them safe. Failure to do this could be existential for many of their customers.”

MSPs suggested that a focus on cybersecurity training, IT policies and fostering a more security-conscious culture would help them to achieve complete cyber confidence.

You can download your copy of the report here.

8 benefits of Cyber Essentials certification

Safeguarding your business from cyber threats is crucial. By gaining the Cyber Essentials certification, you can protect your business against a wide range of cyberattacks. 

Understanding the benefits of Cyber Essentials can help you increase trust and safeguard your business.

What is Cyber Essentials?

Cyber Essentials is a cybersecurity certification designed by the government to give organisations a standard level of protection.

There are five security controls with criteria to address cybersecurity effectively and mitigate the risk from cyber threats: 

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

The 8 benefits of Cyber Essentials

1. Improve your security processes

Once accredited, you’ll be at less risk of GDPR non-compliance. It’ll protect you against the estimated 7.78 million cybercrimes that UK businesses experienced in the last 12 months.

2. Build trust with customers

With so many high-profile cyberattacks worldwide, consumers are rightly concerned about who to share data with. They want to know that their personal data will be safe.

Having this accreditation lets customers know that you operate your business to a good standard of cybersecurity — providing the reassurance they need to buy from you with confidence. It also helps to build a good reputation for your business as time goes on.

3. Bid for government contracts

If you want to work with organisations within the MoD and bid for government contracts, you’ll need a Cyber Essentials certificate. This is a huge opportunity to work on large-scale projects and form long-lasting relationships with public sector organisations. 

4. Become a trusted supplier

For the 12 months your certificate is valid, your company’s name appears on the NCSC website. This makes it easy for potential customers to check your cybersecurity credentials and validate your business.

5. Strengthen your supply chain

Your customers, partners, suppliers, and investors need confidence in your ability to operate safely. Having a registered certification validates your processes and means they know you operate with their best interests at heart.

6. Reduced cyber insurance premiums

Obtaining Cyber Essentials certification can potentially facilitate your cyber insurance application. Insurers recognise the certification as a sign of good cyber hygiene. Many insurers choose to insure these controlled risks, and some may offer preferential treatment in underwriting.

7. Operational resilience

Cyber Essentials builds your business’s operational resilience, making you better prepared to handle cyber incidents. This means less downtime, quicker recovery, and a stronger response to potential threats.

8. Competitive advantage

Demonstrating your commitment to cybersecurity can set you apart from competitors who may not have the same level of protection. This can be a huge differentiator when attracting new customers and partners who prioritise security and reliability.

Start meeting your business needs

Addressing the basic needs of your business will build you a foundation for success. Getting your cybersecurity in order is a must, and working towards a Cyber Essentials certification will put you on the path to better data management.

Want to know more about cybersecurity certifications and which one is best suited to your business? Our guide has everything you need to make a decision.


Introducing: The new and improved desktop app for CyberSmart Active Protect

CyberSmart is excited to announce the relaunch of our desktop app for Active Protect. Designed to safeguard users and devices from cybersecurity threats, it comes complete with cybersecurity awareness training, endpoint monitoring, device misconfiguration assessments and the ability to enforce compliance with company policies.

How does Active Protect work?

Active Protect runs an unobtrusive agent in the background on your devices, checking configurations, training modules passed, and policies read and acknowledged.

Once Active Protect has run its scans, passes and fails are reported back to the user and administrator(s) with tips for addressing any misconfigurations. Plus, the employee(s) responsible for cybersecurity in your organisation can view this information through several different dashboard views.

For desktop users, the app can be downloaded from the enrolment link an administrator sends out by email; for mobile, it’s available through the app store relevant to your device.

What’s changed?

Radical redesign

The first thing you’ll notice upon opening the new and improved Active Protect is how it looks and feels. We’ve updated the design with the latest user experience (UX) principles in mind, making it easier to use than ever before.

Renamed security controls

We felt ‘device checks’ wasn’t clear enough, so we’ve renamed them ‘security controls’ to reflect their purpose better. We’ve also renamed each check to give users a more accurate picture of their status.

Updated security controls

All Active Protect’s security controls have been updated with new logic to help them stay up-to-the-minute with changes to manufacturers’ operating systems. This dramatically reduces the risk of false positives and makes them our most accurate security controls yet.

Improved memory usage

Memory is an important resource for any small business. So, to free up as much as possible for our customers, we’ve rebuilt our security controls to minimise CPU usage when running a check.

Consolidated reporting

You can now see every desktop version of Active Protect in your business in one place. This makes it simpler than ever to ensure everyone in your organisation has the highest protection levels.

Legacy devices page

Manage devices on older versions of Active Protect and give them access to the latest features and security enhancements.

Vulnerable software security control

Most excitingly of all, we’ve added a brand new security control that analyses a user’s desktop for software vulnerabilities, complete with a severity rating system, so you know which fixes to prioritise first.

Changes to security controls

As we mentioned earlier, we’ve made some changes to the names of Active Protect’s security controls. To help you avoid confusion, here’s a handy list of the changes.

How to get access

From the 24th of June 2024, all new devices will be automatically enrolled on the latest version of Active Protect. For existing devices, there are in-platform buttons and simple instructions in our Knowledge Base on how to get access to the latest version.

Cyber Essentials checklist – prepare and pass

The Cyber Essentials scheme provides an effective framework against cyberattacks. Getting Cyber Essentials certified is a great first step to protecting your digital assets and personal data.

For those considering bidding on work such as UK Government supply chain contracts, it’s a mandatory certification.

Like all official certifications, achieving Cyber Essentials requires preparation and investment of time, budget, and some technical awareness. Learn more on how to prepare and pass certification with our Cyber Essentials checklist.

1. Create an information security policy

The first step is to develop an information security policy. Your policy should establish the requirements and rules for cybersecurity that will help you to achieve Cyber Essentials, including:

• The requirements for handling and processing first-party and third-party data
• A password policy that describes the minimum requirements for passwords (such as length and complexity)
• A set of guidelines that define what users can and can’t do, including access controls and internet usage

Your security policy doesn’t have to be a long and complex document. Instead, it should document rules for cybersecurity in a simple, obvious way that all your employees and suppliers can understand and comply with. Consider incorporating guidelines for remote work into your Cyber Essentials checklist, including secure use of personal devices and VPN. It’s crucial to define procedures for responding to security breaches and reporting incidents in and away from the organisation.

2. Assign a data protection officer

Although not mandatory for all organisations, appointing a single senior employee as a Data Protection Officer (DPO) can help you enforce the information security policy within your organisation.

For SMEs, assigning a DPO can be a crucial step in coordinating all security initiatives. For external parties and IT users, they’re a single point of contact for queries and concerns related to security.

Cyber Essentials requires businesses to complete and submit a self-assessment questionnaire and provide relevant evidence to support answers, to achieve certification.

Having a DPO ensures that everybody understands who is responsible for completing the questionnaire and who to go to for advice and guidance. It also encourages the DPO to conduct regular audits and risk assessments – leading to security awareness and promoting training for other employees.

3. Keep track of your digital assets

To make sure that all software and devices are protected, you should keep an inventory of digital assets. Include the details of versions and updates for both software and devices.

Knowing what and where your assets are is good practice, especially with information security assets. It helps you keep software updated, which is essential, and is the best first step to protecting your systems and data.

Knowing what devices your business has is the best way to identify unauthorised devices and to take action to remove or isolate them. Establish a clear process for securely disposing of outdated or unused assets to keep everything organised and safe.

Tracking your digital assets helps to identify vulnerabilities and to keep a close watch on devices within your network.

4. Enforce access control

Access control ensures that only authorised personnel can see sensitive information, and enforcing strong access control is an essential step for achieving Cyber Essentials certification.

Using a Role-based Access Control (RBAC) system ensures IT users have only the privileges they need for their job role, and access only to the systems they need to be effective and operate safely.

Regularly review and update user permissions when changes occur in roles or employment status, using access control software that provides detailed logs and alerts for unauthorised access attempts.

5. Make use of the right tools and configurations

A firewall and antivirus are essential security tools required for Cyber Essentials.

Your firewall helps protect devices on a network from external threats such as those from the internet.

Your antivirus software protects your systems from viruses and other malware that leads to corruption and theft of personal or proprietary data.

You should ensure your firewalls are properly configured to disallow access to malicious content. Making use of a firewall and antivirus will help your business prevent the most common types of cyberattacks.

6. Conduct regular security reviews

To ensure that your digital assets remain safe and protected, it is vital to document, track, and review the effectiveness of the cybersecurity measures you have taken. Put a security team in place to oversee and act on any findings, so you can use them to improve future security policies and procedures.

Knowing the strengths and weaknesses of your network can help you fine-tune cybersecurity, especially as you grow. You should conduct regular security reviews to:

7. Introduce employee training programs

Interactive training modules on how to recognise phishing scams will provide employees with up-to-date resources and guidelines on best practice. Encourage a culture of cybersecurity awareness through regular, updated training materials that detail the latest threats and optimal procedures.

Use the assessment results to identify gaps in knowledge, tailor training to everyone, and provide more efficient feedback.

8. Use multi-factor authentication (MFA)

Implement multi-factor authentication (MFA) that goes beyond traditional passwords. MFA provides two or more verification factors to gain access, such as a temporary code sent to a mobile device or email account.

Look to integrate multi-factor authentication for all security-critical systems, including cloud services, email, administrative accounts and more. This is especially important when employees are working remotely, where there is a risk of external threats.

Start your Cyber Essentials checklist

If you’re a small or medium scale business, getting started with cybersecurity can seem daunting — especially if you have no technical IT skills. However, achieving a Cyber Essentials certification is a great way to begin, and for a small investment of time and effort, it can significantly reduce risk. Follow the Cyber Essentials checklist outlined above, and you will be well-prepared to pass the certification.

CyberSmart is an automated platform to help businesses stay secure with recognised certification standards including Cyber Essentials. Businesses can gain certification as individual companies or can join the many organisations that have achieved Cyber Essentials by partnering with us today. If you have any questions, whether it is preparing for Cyber Essentials, or how to protect your company systems and data, please reach out to learn more.

How CyberSmart enhances protection against Qilin ransomware

The emergence of Qilin ransomware as a formidable cyber threat requires robust cybersecurity measures. In this blog, we’ll look at how CyberSmart is helping organisations defend against this sophisticated malware.

What is Qilin ransomware?

Qilin ransomware is distinguished by its advanced encryption techniques. It uses a blend of AES (symmetric) and RSA (asymmetric) encryption to secure data. This makes decryption very difficult without the corresponding keys.

Qilin ransomware is adept at exploiting unpatched vulnerabilities, allowing it to infiltrate and persist within systems undetected.

How does it get in?

Given its sophistication, you might expect Qilin ransomware to require an equally refined delivery method. But that’s not the case. Most Qilin attacks are launched via common phishing scams. Once in, it exploits vulnerabilities to spread quickly across systems.

Qilin’s Operational Tactics

Qilin’s operational tactics are what make it so tricky to deal with. For example, it can customise its payload to avoid detection or change its approach to exploit the target’s weaknesses.

It also uses lateral movement techniques to spread across networks, encrypting valuable data and altering file extensions. This makes file recovery extremely difficult.

Global Impact

Qilin primarily targets sectors where data access is critical. These include industries like healthcare and manufacturing, which offer criminals the chance for maximum disruption.

All this demonstrates the importance of an adaptive approach to cybersecurity to counter the threat – which is where CyberSmart comes in.

CyberSmart’s defensive strategies

CyberSmart’s comprehensive suite of tools can significantly mitigate the risks posed by threats like Qilin. Here’s how.

1. Endpoint monitoring and compliance assurance

CyberSmart Active Protect continuously monitors endpoints. This ensures that every system in your business complies with the latest security standards. In addition, it quickly identifies vulnerabilities and provides simple instructions for mitigating them – depriving Qilin of gaps to exploit.

2. Education to combat phishing

According to a study from IBM, 95% of all cyberattacks are caused by human error. This is especially true of ransomware attacks. CyberSmart Academy focuses on reducing human error. It does this through targeted training to help employees recognise and avoid phishing attempts and other social engineering tactics.

3. Proactive vulnerability management

Routine vulnerability scans are critical in preempting attacks. They help to identify and address the security loopholes threats like Qilin try to wriggle through.

4. Data recovery and continuity planning

With our partners’ support, we encourage all businesses to implement data recovery and backup plans. This approach minimises the downtime and operational impact caused by a breach. So, even if the worst-case scenario happens, you’ll recover quickly.

5. Install and maintain anti-malware solutions

Although CyberSmart doesn’t directly handle malware detection, it ensures that anti-malware solutions are installed and configured correctly. Again, this provides confidence that your whole network is adequately protected.

The need for layered cybersecurity strategies

The threat Qilin poses highlights the need for a layered cybersecurity strategy. What do we mean by that?

Well, in short, protection against sophisticated ransomware is about more than anti-malware tools. Organisations must maintain rigorous update protocols, regularly monitor systems and enhance employee awareness to properly mitigate risk.

By integrating CyberSmart’s advanced security solutions, businesses can strengthen their defences and ensure greater resilience against cyber threats.

Jamie Akhtar, CEO at CyberSmart, adds:

“In an era where cyber threats are increasingly sophisticated, it’s vital that our defences not only match but exceed the level of threat we face. Sectors like healthcare, previously considered off-limits, are now actively targeted due to legacy systems, interconnectedness, and the necessity to restore services quickly. CyberSmart is committed to collaborating with our extensive partner network to deliver complete cyber confidence for organisations against complex threats like the Qilin ransomware. This commitment is crucial for maintaining the trust and safety of the digital systems that power our everyday lives.”

          Is Cyber Essentials mandatory? Who needs Cyber Essentials and why

          is cyber essentials mandatory

          Cyber Essentials is a UK government-backed scheme that helps organisations protect themselves against common cyber threats. Achieving Cyber Essentials certification demonstrates a commitment to cybersecurity. Unlike GDPR, Cyber Essentials isn’t mandatory for UK businesses. 

          The Cyber Essentials scheme isn’t covered by binding regulation. Instead, it provides impartial guidance to help businesses improve their cyber posture, built around five security controls: firewalls, secure configuration, user access control, malware protection, and security update management. It’s a great way for any business to improve its cyber credentials, and in some cases it’s mandatory. Learn more about the conditions under which certification can be necessary in this blog post.

          Government Contracts

          Cyber Essentials is mandatory for businesses looking for specific government contracts.

          Unless your business achieves Cyber Essentials, you will not be able to bid for such contracts at all. These contracts involve the handling of personal information or delivering certain IT products and services.

          For example:

          • Handling the personal information of any UK citizens; e.g., bank details or home addresses
          • Handling the personal information of any government employees, ministers, or advisors; e.g., payroll or expenses information
          • Delivering IT products or services designed to store, process, or transfer data

Cyber Essentials certification is mandated for businesses entering into these contracts and demonstrates that they have achieved the standards and meet the technical requirements defined by the scheme.

For all businesses looking to bid for government contracts that involve one of the above characteristics, it makes sense to achieve Cyber Essentials certification first.

          Ministry of Defence Contracts

The UK Ministry of Defence (MoD) requires all its suppliers to comply with Cyber Essentials. The MoD has previously stated that this requirement must flow down through the supply chain: both organisations contracting directly with the MoD and organisations delivering into the MoD supply chain must be Cyber Essentials certified.

          Importance of Cyber Essentials

          Should your business get a Cyber Essentials certification even if it isn’t mandatory? 

          Yes. Even if you’re not bidding for government or MoD contracts, you could benefit from having Cyber Essentials.

          For SMEs with little or no IT support or expertise, it provides a basic first step towards cybersecurity. Most SMEs lack adequate cybersecurity measures because they mistakenly feel that they’re not a target. This is a misconception:

          • 90% of businesses and 94% of charities who experienced at least one type of cyber crime
          • 1.5 million UK businesses hit by cybercrime in 2023

          Taking the steps to Cyber Essentials

          Considering Cyber Essentials for your business but not sure where to start? We’ve got a guide for that. Our guide to certifications in the UK has everything you need to know about Cyber Essentials and who needs it. Read it here.


          7 Key takeaways from DSIT’s Cyber Security Breaches Survey 2024


Every spring the Department for Science, Innovation and Technology (DSIT) releases its Cyber Security Breaches Survey. Always hotly anticipated throughout the cybersecurity sector, it acts as a ‘temperature check’ of security and resilience within UK cyberspace. 

          Although the report primarily intends to inform UK government policy, that doesn’t mean it isn’t useful to small businesses. In fact, the report is a bit of a lodestar for anyone interested in cybersecurity. It gives us an idea of the threats we face, how businesses are dealing with them, and what we can do to improve our collective security. 

          With that in mind, here are our key takeaways from the Cyber Security Breaches Survey 2024.

          1. Breaches remain common 

          This won’t be particularly surprising to anyone but successful cybersecurity breaches remained commonplace in the last 12 months. According to DSIT’s research, half of businesses (50%) and just under a third of charities (32%) reported experiencing some form of breach.

          These figures are highest for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%). However, this isn’t to say small (10-49 employees) and micro (1-9) businesses are immune. 47% of micro-businesses and 58% of small businesses were hit with a breach in the last year. 

          2. The cost of a breach remains low, but constant 

          This one is a mixed bag. One positive is that DSIT reports the average cost of a single breach across all businesses surveyed was £1,205. That’s considerably lower than figures released in reports like IBM’s Cost of a Data Breach 2023, even when we consider that the average rises to £10,830 for large and medium businesses.

          Unfortunately, this isn’t the whole story. Although the headline figure for the cost of a breach is low, companies are being attacked with frightening regularity. Over half of businesses (53%) and just under half of charities (45%) reported that this happens once a month or more often. Grimmer still, a third of businesses and a fifth of charities say that they were attacked at least once a week.

          This means that even if the cost of a single breach is low, many businesses are being hit multiple times a year, making the cumulative impact of attacks far higher. What’s more, while larger organisations may be able to swallow these recurring costs, their impact could be ruinous for SMEs. 

          3. Phishing scams are still the number one threat

By this point, most of us have first-hand experience of a phishing scam. They come in many forms, from speculative email campaigns to spear phishing and more targeted attacks through social media platforms like Facebook Messenger.

          So it’s no surprise to see phishing scams at the top of DSIT’s list of most common threats. 84% of businesses and 83% of charities reported being targeted by one in the last 12 months. 

          However, more interesting is that the second most common threat was ‘others impersonating organisations in emails or online’ (35% of businesses and 37% of charities). This demonstrates that cybercriminals are leaning on social engineering techniques to launch attacks, rather than more technological approaches like malware and ransomware.

There are a couple of possible reasons for this. First, social engineering attacks use our human nature against us, making them more difficult to defend against. Second, social engineering doesn’t require any specialist tools or technical knowledge, just a familiarity with the techniques, so the barrier to entry is lower for would-be scammers.

          4. Does Cyber Essentials certification have an awareness problem? 

          Cyber Essentials certification turns ten this June. And, although the scheme has helped thousands of businesses improve their cybersecurity, it appears to have an awareness problem. 

Just 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme. These figures are roughly consistent with 2023 but represent a decline over the last 2-3 years. The gap is most pronounced among smaller businesses: awareness is considerably higher among medium businesses (43%) and large businesses (59%).

          More worrying still, only 3% of businesses and charities report adhering to Cyber Essentials. However, this does come with a caveat that a higher proportion of them (22% of businesses and 14% of charities) report having technical controls in all five areas covered by Cyber Essentials.

          5. Businesses aren’t prepared for supply chain risks

          Although the report reveals organisations have broadly improved when it comes to cyber risk management, there’s still one glaring omission – supply chain risks. Only one in ten businesses say they review supplier risk (11%, vs. 9% of charities). Given that supply chain attacks are predicted to cost the global economy $138 billion by 2031 this is an area that needs urgent attention in the coming years. 

          6. Formal incident response plans aren’t widespread

          Despite many businesses stating that they’d take action following a cyber incident, very few have anything concrete in place to establish what those steps are. Just 22% of businesses and 19% of charities have a formal incident response plan. Once again, these figures are largely being driven by SMEs; 73% of large businesses have one. 

          What this suggests is that small businesses are ill-prepared for the worst-case scenario. Creating an incident response plan or security policy can be time-consuming and tricky if you don’t know where to start. SMEs need help, through tools like templates and policy management to better prepare themselves. 

Alongside this, when a breach does happen, external reporting of it is uncommon. Just over a third of businesses (34%) and charities (37%) reported a breach outside their organisation. Even then, this wasn’t usually to the National Cyber Security Centre (NCSC) or the Information Commissioner’s Office (ICO), but to their managed service provider or IT supplier. This indicates that vast swathes of cybercrime are still going unreported.

          7. Basic cyber hygiene is improving 

          Finally, let’s end with a real positive. Cyber hygiene – by which we mean basic cyber controls – is on the up across all businesses. Most cyber threats are relatively unsophisticated so organisations can go a long way towards protecting themselves by simply adopting some simple measures. 

          The good news is that a majority of businesses and charities have a broad range of these measures in place. These include: 

          • using up-to-date malware protection (up from 76% to 83%)
          • restricting admin rights (up from 67% to 73%)
          • network firewalls (up from 66% to 75%)
          • agreed processes for phishing emails (up from 48% to 54%)

          And, even more promising, these trends are a reversal of the decline in cyber hygiene we’ve seen over the past few years. This shift is being driven by micro and small businesses, demonstrating that despite the worrying trends in awareness surrounding Cyber Essentials, basic security recommendations are having some cut through. 

          Want to know more about the threats facing small businesses? Download our latest report on SMEs and the cost of living crisis


          CyberSmart announces expansion into the Australian market with HAT Distribution partnership


          The move will streamline and simplify Essential Eight assessment for Australian SMEs and MSPs

Wednesday 08 May 2024 – London, UK: CyberSmart, the UK’s leading provider of complete cyber confidence to UK SMEs, is excited to announce its partnership with Australian technology distributor HAT Distribution. The partnership will provide businesses in Australia with fast, hassle-free Essential Eight assessment and year-round assurance.

          CyberSmart is the world’s first complete SME solution, offering all-in-one cybersecurity monitoring, optimisation and training, proven to defend against cyber threats. With its user-friendly platform, simplified progression framework, year-round protection and unlimited support, implementing Essential Eight controls has never been easier for Australian businesses.

          As cybercrime escalates in Australia, with 94,000 incidents reported in 2023* alone (equivalent to one report every 6 minutes!), completing Essential Eight – the recognised Australian government standard for cybersecurity – is not just advantageous but also crucial in certain industries. CyberSmart’s solutions are specifically designed to help businesses implement these strategies effectively so they can attain and maintain a government-approved standard of cybersecurity, reducing cyber risk.

          The platform is tailored for MSPs and SMEs, who represent a critical segment in the economy but often face challenges with maintaining robust cyber defences due to limited resources and expertise. With CyberSmart, MSPs can enhance their service offerings by delivering comprehensive and cost-effective solutions to their clients, while SMBs gain access to straightforward Essential Eight assessment, without the need for extensive resources. 

Australian SMEs will also gain access to CyberSmart Active Protect, a powerful on-device agent that delivers comprehensive endpoint monitoring, risk management, policy enforcement, and cybersecurity awareness training. Active Protect regularly monitors and reports the status of a device by running through a series of security controls, identifying any vulnerabilities and providing simple step-by-step walkthroughs on how to fix them. 

Jamie Akhtar, CEO at CyberSmart, said: “We’re excited to expand into the Australian market with HAT Distribution. Cybercrime is a worldwide business, and the interconnected nature of global commerce in 2024 means that the more geographies we are able to offer SMBs complete cyber confidence in, the better. Almost half of Australians reported experiencing cybercrime in 2023, and we believe that the comprehensive protection we’re bringing to the Australian market will be able to limit both the success and impact of these incidents moving forward.”

Josh Gammer, General Manager of HAT Distribution, said: “Amidst the ever-evolving cyber threat landscape, we are thrilled to partner with CyberSmart, a leader in cybersecurity innovation, to help more Australian businesses comply with the government’s endorsed Essential Eight framework. 

          With CyberSmart, even smaller players gain access to the tools required for assessment, and for MSPs, the partnership is a consultative business opportunity to guide their clients on a transformative journey toward stronger cyber defences.”

          For more information about CyberSmart’s cybersecurity solution for Australia, please visit https://www.cybersmart.com/au
