Facing the realities of cybersecurity

Data breaches have become increasingly commonplace for both businesses and consumers. Consumers face worries about the safety of their data, while many businesses seem to be failing to keep up with protection against cyber-attacks. A 2019 report from Bitdefender revealed that six out of ten businesses had been a victim of a data breach in the last three years. As threats continue to grow, it is becoming more and more important for businesses to ensure they prioritise funnelling their budget and resources into cybersecurity.

How worried should I be about a data breach?

Despite IT professionals working to stay on top of cybersecurity and feeling confident in the protection they provide, the reality is that businesses continue to suffer security breaches. Honest IT professionals admit that their business could be breached right now without them realising it. The largest threats to companies' cybersecurity are thought to be phishing, whaling attacks, Trojans and ransomware. Achieving effective protection against cyber-attacks is difficult because the landscape of attackers and the methods they use is complex and constantly evolving.

As businesses grow and navigate the current economic climate, lower budgets and cuts to training are common. Unfortunately, this can mean inadequate training for cybersecurity teams, insufficiently educated employees and, consequently, businesses that are under-protected against attack. Now more than ever, it is vital that businesses invest time and money in their cybersecurity resources, or they risk an attack that could be detrimental to the whole business.

How can I prevent an attack?

As threats to cybersecurity continue to evolve in sophistication and complexity, it can be tough for businesses to prepare themselves adequately against attack. The cybersecurity industry is constantly improving its defences, and the regulations that businesses are expected to comply with keep changing. A good first step in protecting against a data breach is to educate your employees on cybersecurity: the potential threats and the steps that should be taken to avoid an attack. Many well-qualified companies offer thorough cybersecurity training delivered by skilled professionals.

Furthermore, the most significant step businesses can take to improve their data protection is to invest in protective software that blocks as many attacks as possible, meets current government standards and automatically checks that employee devices remain compliant. CyberSmart offers a range of certifications, such as Cyber Essentials and Cyber Essentials Plus, as well as its own applications, providing you, your business and your customers with the assurance that your data is well protected.

CyberSmart speak at StartupGrind in Georgia

CyberSmart took part in this year’s StartupGrind Eurasia Connect event, hosted in Tbilisi, Georgia. The event, part of StartupGrind, the largest independent startup community, was aimed at bringing together world-class startups, founders and investors to explore the frontier markets of Eastern Europe and Central Asia.

It was great to be invited to the event and to have the opportunity to take to the main stage, not only to discuss CyberSmart but also to encourage the adoption of essential cybersecurity measures to secure Georgia, a country at the epicentre of trade, culture and geopolitical interest, dating all the way back to the Silk Road days.

Aiming to inspire

At CyberSmart we continue to grow the capabilities of our technology, not only to secure businesses and their supply chains but now with the added potential to support an entire nation with the design, deployment and enforcement of information security capabilities. During the event, CyberSmart presented certOS™, our certification operating system, creating the capability for nations to design, deliver and enforce information security standards.

Our main stage session and indeed all the networking opportunities were filled with information and education surrounding how cyber threats are all around us but there are solutions to thwart them, starting from the basics of cybersecurity for consumers and businesses. 

‘We are very grateful to StartupGrind, GITA, DIT and the British embassy for providing us with the opportunity to help to make the world a safer place,’ said Thomas S., Head of Partnerships at CyberSmart.

Thank you 

StartupGrind did a great job of hosting one of the largest startup events in the world. The team approached this challenge with exemplary professionalism and unparalleled hospitality. For CyberSmart, this event was key to demonstrating its capability to support governments in securing their nations against global cyber threats, to connecting with international investors and, ultimately, to giving back to the wider ecosystem.

Thank you to StartupGrind, DIT and government stakeholders from both Georgia and the UK.

Small businesses at risk of multimillion pound fines for breaking GDPR rules

A new survey has revealed that many small business owners are still unclear about GDPR. The results suggest small businesses could be in breach of GDPR without even realising it: half of the participants appeared confused when answering questions about data protection and privacy regulations.

A worrying four in ten did not know that losing paperwork could be a data breach, or that emailing or faxing personal details could also breach data protection regulations.

Are you being extra careful when sending that email?

Worryingly, 45% of businesses did not know that the ICO (Information Commissioner's Office) must be informed when a data breach affects individuals' rights. The survey also showed that many were failing to keep confidential paperwork, such as signing-in sheets and visitors' books, in a protected environment.

As a business owner, it is essential that you stay informed about GDPR and data protection so that you maintain the trust of your employees and customers. By keeping up to date with changing data protection law, you show that you are consistent in protecting personal and private information.

Breaking GDPR is easily done within a business: it is as simple as storing files containing personal data outside of a defined structure. Many SMEs are digitally transforming their businesses with more intricate technology; however, this essential move also increases their exposure and vulnerability to cyber-attacks.

New threats are constantly evolving, and 43% of cyber-attacks are aimed at SMEs, so the lack of knowledge surrounding GDPR is all the more concerning. Small businesses now need to invest more time in digital security. This will not only help prevent future attacks but also show that you are taking a proactive approach to your digital footprint.

What can you do?

By maintaining your security and safeguarding your business, you protect your organisation in the long term. Working towards Cyber Essentials, Cyber Essentials Plus and IASME GDPR Readiness certifications, which support compliance with the Data Protection Act 2018, ensures that you are prioritising your business and its data while giving your employees and customers added assurance.

Safeguarding your data should be your priority. Considering crisis incidents such as extortion, cyber attacks, and industrial espionage are just a click away, it is critical that SMEs assess their ability to survive a cyberattack, and there are steps to take to prevent and manage this if the worst were to happen.

How confident are you that your business is fully compliant?


Three reasons why SMEs need to invest in cybersecurity

Social media and the internet have reached every household, school and SME in modern society. The internet has changed many aspects of our lives for the better, with commercial benefits such as creating opportunities, enabling growth and development, and increasing revenue.

Many SMEs are digitally transforming their business processes to avoid lagging behind their competitors. This essential move to increasingly intricate technology brings a parallel increase in their exposure and vulnerability.

Here are three reasons why SMEs should invest in cybersecurity in 2019:

1. Protects your business and customers

A single successful attack could not only damage your business but also change how consumers view your company and ultimately drive them to choose an alternative with greater reliability and credibility. Cyber attacks can destroy a business’ reputation. All businesses hold a range of data, including sensitive information that can easily be accessed if basic controls, such as those required by Cyber Essentials, are not in place. Businesses that fail to manage customers’ personal data in accordance with GDPR could also face regulatory sanctions.

2. Keep up to date with new threats

Safeguarding your valuable data should be a priority within your business, because failing to comply with modern data privacy law (GDPR) and cybersecurity standards (such as IASME) can put your clients at significant risk.

Even if you feel that your business is safeguarded, compliant and protected, cyber-attacks are increasing every year and are becoming sophisticated enough to defeat even advanced security systems. Getting Cyber Essentials or Cyber Essentials Plus certified ensures that you have the baseline controls in place against the most common threats and helps keep your business secure.

3. Cyber-attacks are preventable

By maintaining security hygiene and safeguarding within your organisation, and following some principal steps to better protect yourself, you create a more secure and trustworthy business for clients. By becoming Cyber Essentials or Cyber Essentials Plus certified, both of which support compliance with the Data Protection Act 2018, you can be confident that you are protecting your business and data, and you give your customers added assurance.

Cyber-crime will continue to evolve, with new threats developing every year. As such, your business should prioritise taking action against potential cybersecurity breaches. Today the pace of cyber-attack evolution is far outpacing the level of security that businesses have deployed, so cybersecurity has never been more valuable to SMEs. Remember, a cyber-attack is a question of ‘when’, not ‘if’.

GDPR: ICO publishes new guidance on Special Category Data 

Special category data

The Information Commissioner’s Office (ICO) has published new guidance on how and why special category data needs to be handled more carefully.

Some types of personal data are extremely sensitive, and therefore data controllers must take extra measures to ensure their protection. This is known as special category data, and it covers personal data that:

  • reveals racial or ethnic origin;
  • reveals political opinions;
  • reveals religious or philosophical beliefs;
  • reveals trade union membership;
  • is genetic data;
  • is biometric data (where used for identification purposes);
  • concerns an individual's health;
  • concerns a person’s sex life; or
  • concerns a person’s sexual orientation.

Leaks of this type of personal data can be extremely damaging and dangerous, just imagine if your medical records, information about your sex life or your political opinions were put into the public domain so anyone could see them. 

This has led the ICO to publish new guidance to support organisations in ensuring they stay GDPR compliant and protect the data they control. 

What does the new guidance say about how organisations should approach processing special category data?

Firstly, as always, you must have a GDPR lawful basis to process data under Article 6. However, when processing special category data you also need an Article 9 condition for the processing and potentially an associated DPA 2018 Schedule 1 condition. Many of the DPA 2018 conditions require you to have an appropriate policy document in place. This is a short document that should outline your compliance measures and retention policies with respect to the data you are processing. 

There is more to do when processing special category data, but the provisions are in place to help you protect the data of those whose information you hold, and increase your customers’ confidence in you. 

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.


Securing the links in your supply chain to prevent cyber attacks

Cyber attacks happen virtually every day, and the impact a data breach can have on an SME can be catastrophic. Falling foul of GDPR legislation can result in fines, loss of trust in your company and ultimately loss of revenue, so it pays to be compliant.

However, what about the other organisations in your supply chain? Do they require access to your data or systems? Could your security be compromised as a result? While you might have Cyber Essentials in place, can you say the same about your suppliers? These are just a handful of the questions all company decision-makers should be asking.

Supply chain attacks: a history 

Supply chain attacks are nothing new. In fact, one of the largest data breaches in history, in which the US-based retailer Target had the credit and debit card details of up to 40 million customers stolen, began with a supplier. In 2013, attackers used credentials stolen from a third-party supplier to gain access to Target’s network through the “trusted” connection between the two, and from there installed malware on Target’s point-of-sale systems.

Putting appropriate controls in place 

All SMEs should understand the risks suppliers may pose and should ensure the supply chain is subject to appropriate security controls. A good starting point is to ask all suppliers for evidence of “Cyber Essentials” certification, the UK government-backed baseline security standard. For high-risk suppliers this may not be sufficient, and they should be asked to go one step further and obtain “Cyber Essentials Plus” certification, which adds an independent technical verification of the controls.

Mitigating against risk 

As a company, you need to decide which controls you insist upon your suppliers having before you decide to continue doing business with them. If suppliers are unwilling or otherwise unable to comply with these requests, you need to consider whether you can put procedures in place to protect your data that allow you to continue forging a working relationship with them. 

Cyber attacks are one of the biggest threats faced by SMEs in the UK today, and their impact on every entity within a supply chain, from top to bottom, is far-reaching. It is therefore imperative for all elements of the supply chain to work together to maintain the strictest possible security measures.

Find out more 

If you’d like to know more about Cyber Essentials certification, or are concerned that your business might not be adequately protected against supply chain cyber-attacks, why not contact CyberSmart today? A member of our team will be happy to discuss your requirements or arrange a security audit of your current systems.

The impact of GDPR: cybersecurity improvements that benefit you

An upsurge in incidents or cybersecurity crackdown? 

Data breach victims and negligent companies aside, how have everyday companies fared with the new GDPR regulations? The most comprehensive review of the impact of the May 2018 change is the ICO’s annual report, which revealed a 29% increase in reported security incidents and data breaches. The requirement for companies to report significant incidents within 72 hours of becoming aware of a breach has greatly increased the number of breach reports. So although on the surface it may look as though incidents have soared in the last two years, much of the rise reflects mandatory reporting rather than more attacks, and the new GDPR rules have in practice driven a cybersecurity crackdown.

Great news for compliant companies 

The ICO’s analysis shows further good news for companies willing to comply with the new regulations. Despite £875,000 of fines being issued between July and September 2018, a closer look at the statistics shows that the breaches behind them were mostly caused by individuals or companies with inadequate policies, with fewer successful cyberattacks overall. The NCSC has played a pivotal part in raising awareness of GDPR compliance, and this has made it easier for many businesses to follow the regulations laid out in the new laws. As a result, more companies are GDPR compliant and are therefore less likely to find themselves in a situation where fines might be issued.

Because the GDPR regulations have caused companies to put more effort into how they collect data as well as how they protect it, far more reliable data is available. With improved security comes a more knowledgeable workforce, and companies are beginning to rely on this better-governed data for future planning. This is a real boon for companies ready to use it: it can improve long- and short-term planning, as well as the analysis of previous years.

Cost-saving security 

Best of all, companies are starting to report the positive impact that improved security has had on their bottom lines. Fewer data-breaches means fewer fines, fewer compensation claims, less costly mop-up operations and more trust from their customers.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.


Is your business protected from these common cyber threats?

Many small and medium businesses avoid thinking about their cybersecurity. This may be for a number of reasons, including fear, financial constraints and staffing issues. Predominantly, however, businesses neglect cybersecurity because they believe cyber threats are only real for large businesses. Unfortunately, small and medium-sized businesses are often targeted by cybercriminals precisely because of their weak cybersecurity. Below we look at some commonly overlooked threats in SME cybersecurity.

USB sticks 

Because of their small size, USB sticks are portable, which makes them incredibly useful. The same portability makes them easy to steal or tamper with if they are not kept in a safe place. Malware can be loaded onto a USB stick, so never plug one into your computer if it has been out of your possession, for example if you were given one for free or if a missing USB stick is miraculously returned to you. It is also important to make sure your own USB sticks are encrypted and password protected, so that a lost stick does not become a data breach.

Zombie accounts 

In 2019, GDPR was undoubtedly a dominant topic, and the new regulations forced businesses to consider how they find and store their data more than ever before. Even if a business is compliant with GDPR, it still needs to consider the risk of zombie accounts. Zombie accounts are online accounts closed by their user and then re-opened by a third party without the original user's consent. Business owners should also be aware that the accounts of previous employees can become zombie accounts, giving attackers access to your website and private business information. Identifying, deactivating and deleting any potential zombie accounts is essential to the safety of your business. Cybersecurity services such as CyberSmart can help you do this.
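To make the account clean-up concrete, here is an added example (not CyberSmart's code) that flags zombie accounts in a constructed user export. The export columns (username, last login date, enabled flag, employment status) and the 90-day staleness threshold are assumptions; real directories such as Active Directory or Google Workspace expose the same information under different field names.

```python
"""Flag zombie accounts in a user export.

Added example, not CyberSmart's code. The export columns and the 90-day
staleness threshold are assumptions.
"""
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)

# Constructed sample export: one account per line. An empty last_login
# means the account has never been used.
SAMPLE_EXPORT = """\
username,last_login,enabled,status
alice,2019-11-20,true,employee
bob,2019-03-02,true,employee
carol,2018-12-15,true,leaver
dave,,true,contractor
erin,2019-11-01,false,leaver
"""


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def parse_export(text):
    """Turn the CSV export into a list of account dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    accounts = []
    for line in lines[1:]:
        account = dict(zip(header, line.split(",")))
        account["enabled"] = account["enabled"].lower() == "true"
        account["last_login"] = _parse_date(account["last_login"])
        accounts.append(account)
    return accounts


def classify(account, today):
    """Return the action for one account, or None if it looks healthy."""
    if not account["enabled"]:
        # Already disabled: delete once any retention period has passed,
        # so it cannot quietly be re-enabled later.
        return "delete"
    if account["status"] == "leaver":
        # An enabled account for someone who has left is the classic
        # zombie: disable immediately, delete after retention.
        return "disable"
    last = account["last_login"]
    if last is None or today - last > STALE_AFTER:
        # Never used, or unused for longer than the threshold: disable
        # and confirm with the owner before deleting.
        return "disable"
    return None


def find_zombies(text, today):
    """Map username -> action for every account that needs attention."""
    if isinstance(today, str):
        today = _parse_date(today)
    result = {}
    for account in parse_export(text):
        action = classify(account, today)
        if action:
            result[account["username"]] = action
    return result


if __name__ == "__main__":
    for user, action in find_zombies(SAMPLE_EXPORT, "2019-12-01").items():
        print(f"{user}: {action}")
```

Run against the sample with a fixed date of 2019-12-01, it reports bob (no login for nine months), carol (a leaver whose account is still enabled) and dave (never logged in) for disabling, and erin (already disabled) for deletion; alice, active within the window, is left alone. The two-step disable-then-delete approach matters because a disabled account can be re-enabled by anyone with admin rights, which is exactly how zombie accounts come back.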

Data security 

To maintain the legally required GDPR compliance, storing your clients' data safely is essential. Many businesses find data storage overwhelming and feel they lack the time or resources to properly understand or manage their data. There are, however, simple steps you can take to ensure your clients’ data is protected.

  • Strong passwords are essential to protect yourself from a breach. Favour length over complexity: a passphrase of 12 characters or more (for example three unrelated words) is far harder to crack than a short string of mixed characters, and should never be reused across services.
  • Install a firewall. A properly protected network needs one: a firewall protects your network by controlling the traffic coming into and flowing out of your business.
  • Keep your computers patched and updated. Applying updates promptly closes the vulnerabilities that vendors have already fixed and that attackers actively exploit.

CyberSmart can help your business earn Cyber Essentials Plus certification, the highest level of this government-backed scheme, helping you ensure your company is protected against the most common threats. In achieving this certification, you can be confident you are protecting your business and data, and you give your customers added assurance.

If your business is hit by a cyber-attack, not only could you stand to lose a lot financially, you will also lose the trust of your clients, something that is almost impossible to regain. To ensure you avoid such a problem, contact CyberSmart today and a member of our expert team will help improve your cybersecurity.

How investing in cybersecurity can boost your success

There's no doubt we live in a digital world, and most businesses realise the danger they face if they fail to keep up. After all, few companies, if any, lack an online presence. That means much of a small business’s data is stored on the hard drives of local computers and on servers in the cloud. It is therefore time you took measures to ensure the integrity and security of your company’s data because, as most organisations are starting to realise, cybersecurity is key to business growth in the digital era. How?

It helps you outsmart the competition 

Hackers are opportunists. The recent ransomware attacks that have plagued national and international companies and institutions such as the NHS are a menace, with cybercriminals looking for any means possible to gain access to sensitive data. Since most companies now have a digital presence, attacks are simply growing as attack tooling becomes more sophisticated. Clients are therefore increasingly looking for reassurance from the companies they do business with, so robust cybersecurity is becoming a way to outsmart the competition while safeguarding your data.

It makes threats less likely 

Many companies are turning to cloud technology because, configured well, it can be very secure and it enables collaboration on a global scale. In the cloud, companies can access their data from anywhere in the world and share it with key stakeholders. However, to realise the benefits of cloud technology safely, it is essential to plan carefully and invest in professionals who can configure it for maximum security. Without these resources, your company is exposed to threats such as denial of service, data breaches, poorly managed remote identities and insecure external applications, any of which can damage your company's reputation and hamper its success.

It demonstrates compliance 

Following best practice and industry standards for cybersecurity is essential if your company is to be trusted by current and prospective clients, and if you are to hold a commanding position in your market. Failing to meet modern cybersecurity and data privacy standards such as Cyber Essentials and IASME GDPR Readiness doesn't just place your business and your client data at risk; it also means you could face a heavy penalty under data protection law for any breach, which could stunt your company's development. These standards and the regulations behind them exist to protect SMEs like yours, as well as their stakeholders, so remaining compliant is critical.

Investing in cybersecurity is essential to the growth of your business. By neglecting it, you not only hinder the development of your company but also place it at risk of irreparable damage. 

What's more, investing in cybersecurity now can give your company the leverage it needs to innovate for the future. 

Cyber Essentials: How to meet IT infrastructure requirements and get certified

IT infrastructure requirements

If you’re an SME looking to get Cyber Essentials certified, a strong IT infrastructure, well-trained staff and a thorough plan will help you meet the certification requirements.

Once you’ve met the requirements you’ll be:

Before you start your application, it’s important to know exactly what’s expected of you and to prepare accordingly. In January this year, the Cyber Essentials requirements changed to better reflect current cybersecurity challenges. 

You can read the full documentation from NCSC, but this article covers what you need to know about the technical controls used to assess your application.

Cyber Essentials requirements for compliant IT infrastructure

There are five categories of criteria you need to meet. Working through each will help you on your way to safer, smarter, and more sustainable data management. 

The 5 Cyber Essentials categories are:

  1. Firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

1. Firewalls

Every in-scope device must be protected by a firewall: either a boundary firewall at the edge of your network or a software firewall on the device itself. This restricts the flow of network traffic and protects against attacks from the internet. You must:

  • Change any default administrative password to a strong one, and change it again if you know or suspect it has been compromised
  • Protect remote access to the firewall’s administrative interface with multi-factor authentication or an IP allow-list, or disable remote administration entirely
  • Block unauthenticated inbound connections by default
  • Document and approve every inbound firewall rule, and remove rules promptly when they are no longer needed
  • Be able to disable firewall rules and services quickly when they are no longer required
  • Use a software firewall to protect devices on untrusted networks such as public Wi-Fi
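As an added example (not CyberSmart's or NCSC's code), the following script checks an iptables-save style ruleset against the first three points above: a deny-by-default INPUT policy, and no administrative port reachable from any source rather than an allow-listed range. Both rulesets are constructed for the example, the set of "administrative" ports is an assumption, and the allow-listed range uses the 203.0.113.0/24 documentation prefix.

```python
"""Check an iptables ruleset against the Cyber Essentials firewall controls.

Added example, not CyberSmart's or NCSC's code. Reads iptables-save
output and reports an INPUT chain that is not deny-by-default, and
inbound rules that expose an administrative port to any source. The
set of administrative ports is an assumption.
"""
import re

ADMIN_PORTS = {22, 443, 8443}   # SSH and typical HTTPS admin interfaces

# Constructed ruleset: accept-by-default, SSH and admin HTTPS open to
# the whole internet.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# The same ruleset hardened: deny by default, administration only from
# the office range (203.0.113.0/24 is a documentation prefix), and only
# the public web service open to everyone.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 203.0.113.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+)\s+(\w+)")          # :CHAIN POLICY [...]
ACCEPT_RE = re.compile(r"^-A INPUT\b(.*)-j\s+ACCEPT\s*$")


def audit_ruleset(text):
    """Return a list of human-readable findings; empty means compliant."""
    findings = []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            chain, policy = m.groups()
            if chain == "INPUT" and policy != "DROP":
                findings.append(f"INPUT default policy is {policy}, should be DROP")
            continue
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        opts = m.group(1)
        # Replies to connections we opened, and loopback traffic, are not
        # new inbound connections and are expected to be allowed.
        if "--state" in opts or "-i lo" in opts:
            continue
        port = re.search(r"--dport\s+(\d+)", opts)
        source = re.search(r"-s\s+(\S+)", opts)
        if port and int(port.group(1)) in ADMIN_PORTS and source is None:
            findings.append(
                f"port {port.group(1)} (administrative) accepts connections from any source"
            )
    return findings


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"{name}: {audit_ruleset(ruleset) or ['no findings']}")
```

On a real host the input would come from `iptables-save` rather than the embedded strings. The script only recognises the simple rule forms shown; rules using ipsets, multiport matches or nftables syntax would need their own parsing, which is why the check is a screening aid and not a substitute for reading the ruleset.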


2. Secure configuration

You must configure all computers and network devices to reduce vulnerabilities and to restrict functionality to what each user’s role requires. To comply with Cyber Essentials, secure configuration has to go beyond out-of-the-box defaults. You must:

  • Change default passwords and remove or disable guest accounts
  • Remove or disable user accounts that are no longer needed
  • Remove unused or unnecessary software and applications
  • Disable auto-run features that allow files to execute without user authorisation
  • Authenticate users before they can access sensitive data or services
  • Use device locking (a PIN, password or biometric) with protection against brute-force guessing, such as throttling or lock-out after repeated failures

The National Cyber Security Centre includes the following in its definition of a device. You’ll need to include all that apply to you when preparing for the self-assessment.

  • Hosts
  • Networking equipment
  • Servers
  • Networks
  • Desktop computers
  • Laptop computers
  • Thin clients
  • Tablets
  • Mobile phones

3. User access control

Businesses must have controls in place to manage user access to applications, devices, and sensitive business data. Employees should only have access to what they need. Administrator-level users must manage and monitor access.   

You must be able to:

  • Approve user account creation and remove or disable accounts
  • Authenticate users before granting additional access
  • Use multi-factor authentication for all cloud services and, where possible, for other services. 
  • Restrict use of administrative accounts 
  • Revoke or disable additional access privileges 

4. Malware protection

Anti-malware software protects networks and users by detecting and blocking malicious software before it can run or reach sensitive data.

Your malware protection must allow you to:

  • Keep the anti-malware software and its signatures up to date
  • Regularly scan devices and files to confirm the network is clean
  • Automatically scan files as they are downloaded or opened, including via browsers and online applications
  • Block connections to known malicious websites
  • Allow-list applications following a full approval process, so that only approved software can run

5. Security update management

Security update management keeps existing software up to date and reduces the business risk from known security flaws. You must:

  • Keep all software licensed and supported by its vendor
  • Remove unsupported software from devices
  • Enable automatic updates wherever possible
  • Where automatic updates are not available, apply updates that fix critical or high-risk vulnerabilities within 14 days of release
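The 14-day rule and the ban on unsupported software are the two update-management checks that are easiest to lose track of across a fleet. Here is an added example (not CyberSmart's or NCSC's code) that audits a constructed software inventory against them. The CSV columns, the version strings and the dates are assumptions; in practice the inventory would be exported from an endpoint management tool.

```python
"""Audit a software inventory against the Cyber Essentials
update-management control.

Added example, not CyberSmart's or NCSC's code. The inventory format is
an assumption. Checks: unsupported software must be removed or upgraded;
where a newer version exists, the fix must be applied within 14 days of
release (automatic updates are expected to achieve this on their own).
"""
from datetime import datetime, timedelta

PATCH_WINDOW = timedelta(days=14)

# Constructed inventory. fix_released is the release date of the latest
# version; support_ends is blank where the vendor still supports it.
SAMPLE_INVENTORY = """\
device,software,installed,latest,fix_released,support_ends,auto_update
laptop-01,office-suite,16.0.1,16.0.2,2019-11-10,,true
laptop-01,browser,78.0,78.0,2019-11-20,,true
laptop-02,browser,76.0,78.0,2019-11-20,,false
server-01,os,7.6,7.8,2019-10-01,2024-06-30,false
server-02,os,5.4,5.4,2019-11-01,2019-07-09,false
"""


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def parse_inventory(text):
    """Turn the CSV inventory into a list of row dicts with typed fields."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["fix_released"] = _parse_date(row["fix_released"])
        row["support_ends"] = _parse_date(row["support_ends"])
        row["auto_update"] = row["auto_update"].lower() == "true"
        rows.append(row)
    return rows


def audit_inventory(text, today):
    """Return {device/software: finding} for every item that fails."""
    if isinstance(today, str):
        today = _parse_date(today)
    findings = {}
    for row in parse_inventory(text):
        key = f"{row['device']}/{row['software']}"
        if row["support_ends"] and row["support_ends"] < today:
            # Out of support: no more security fixes will ever arrive.
            findings[key] = "unsupported: remove or upgrade"
            continue
        if row["installed"] == row["latest"]:
            continue  # fully patched
        age = today - row["fix_released"]
        if age > PATCH_WINDOW:
            # Auto-update does not excuse this: the fix is still missing.
            findings[key] = f"overdue: fix released {age.days} days ago"
        elif not row["auto_update"]:
            findings[key] = f"pending: apply within {(PATCH_WINDOW - age).days} days"
        # Inside the window with auto-update on: expected to self-apply.
    return findings


if __name__ == "__main__":
    for key, finding in audit_inventory(SAMPLE_INVENTORY, "2019-12-01").items():
        print(f"{key}: {finding}")
```

With the audit date fixed at 2019-12-01 the sample yields four findings: the office suite on laptop-01 is overdue even though automatic updates are switched on (a reminder to verify that auto-update actually ran), the browser on laptop-02 has three days left, the operating system on server-01 is two months overdue, and server-02 is running an operating system that left vendor support in July. Up-to-date items produce no output.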

Improving your cybersecurity

You might feel ready to take the next step in your cybersecurity journey and complete the self-assessment to get certified. But if you’re just getting started or feel unsure, you’re not alone and support is available if you need it. You can partner with an expert who’ll show you how to prepare and help you pass first time.

When you’ve got a Cyber Essentials certification, you can strengthen your cybersecurity by applying for certifications like Cyber Essentials Plus or ISO 27001. The standards you should uphold all depend on the industry you operate in and what will protect and benefit your business and customers.

Discover which cybersecurity certification is right for your business in our certification guide.
