Why you could be eligible for free Cyber Essentials certification


Do you run a small charity or legal aid firm? If so, you could be eligible for funded Cyber Essentials certification to help you put basic cybersecurity measures in place. Here’s everything you need to know.

What is the funded Cyber Essentials scheme? 

Small charities and legal aid firms protect and serve some of the most vulnerable in our society. Unfortunately, they’re also a key target for cybercriminals. The UK government’s Cyber Security Breaches Survey 2022 (published by DCMS) found that 30% of UK charities had identified a breach or attack in the previous 12 months.

The reason for this is simple. Charities and legal aid firms process large volumes of highly sensitive data but often have relatively weak defences – making them an ideal target for cybercriminals.

To counter this, the National Cyber Security Centre and IASME have launched the new Funded Cyber Essentials Programme. This offers small organisations in high-risk sectors free, practical support to help put basic cybersecurity controls in place and achieve Cyber Essentials certification. 

How does the scheme work? 

Qualifying organisations will receive up to 20 hours of remote support with a Cyber Essentials Assessor – all at no cost. Our assessors will spend this time helping you identify and implement the improvements needed to meet the five technical controls of Cyber Essentials (firewalls, secure configuration, user access control, malware protection and security update management). We’ll follow this up with an assessment to ensure everything is in place. 

With our guidance, you’ll be ready to take the Cyber Essentials and Cyber Essentials Plus certifications. If it’s not possible for you to complete Cyber Essentials Plus after 20 hours of support, we’ll give you clear directions on how to become assessment ready. 

Is the certification free? 

Yes. IASME has agreed to fund both Cyber Essentials and Cyber Essentials Plus certification for successful applicants to the scheme.

Who is eligible for the scheme? 

To qualify for this scheme, your organisation must be:

  • A micro or small business (1 to 49 employees) that offers legal aid services
  • A micro or small charity (1 to 49 employees) that processes personal data

No previous cybersecurity experience or certification is required. Even if you’re completely new to cybersecurity, we’ll guide you through the process.

How long is the scheme running for? 

The scheme runs until the end of March 2023. However, it’s worth noting that IASME is offering a limited number of funded packages. So it’s worth getting your application in as soon as possible. 

What is Cyber Essentials?

The Cyber Essentials scheme is a UK-government-backed cybersecurity certification that sets out the basic technical controls an organisation should have in place to protect its systems and data. It is highly recommended for SMEs: the controls it requires are estimated to mitigate around 98.5% of the most common, commodity cyber threats.

Cyber Essentials Plus covers the same five controls but with one major difference. Whereas Cyber Essentials is a self-assessed certification, Cyber Essentials Plus adds a technical audit of your systems by an assessor, including a vulnerability scan of your internet-facing systems and checks on a sample of your devices. This gives you independent assurance that the controls are actually working. And your clients and partners don’t have to take your word for it that you’re cyber secure – they can rely on the verification of a certified assessor.

Can I apply to the scheme through CyberSmart? 

Yes. As the UK’s leading provider of cybersecurity certifications, we’re proud to be taking part in this scheme. 

To apply for the scheme, head to IASME’s Funded Cyber Essentials page and fill in the form at the bottom of the page. If you’re successful in your application, IASME will pass you over to us (or another certification body) to complete the certification process.

Alternatively, if you’re one of our partners or MSPs and want to refer a customer for the scheme, get in touch. We can apply on your client’s behalf and ensure the support and certification is carried out by CyberSmart.

Want to know more about cybersecurity certifications? Check out our in-depth guide to cybersecurity certifications in the UK.

New whitepaper: A Guide to Cybersecurity Certifications in the UK 2023 edition


The journey to cybersecurity compliance isn’t easy. You might start at the basics of Cyber Essentials certification and progress to take on the challenge of ISO 27001 compliance. It takes effort to get certified but if you put in the work, you’ll reap the benefits. You could enjoy:

  • Greater trust from customers and vendors
  • The chance to bid for government contracts
  • Better protection against common cyberattacks
  • Support for GDPR compliance

Two of the biggest challenges facing businesses are knowing where to get started and how to build knowledge, but you don’t have to navigate cybersecurity alone. We’ve put together this new, updated guide as your one-stop shop for the three most common UK cybersecurity certifications. 

What’s covered?

In this guide, we outline how to choose the right certification for your business, how to get certified, and where to go for support. 

  • Cyber Essentials
    • With information on recent updates
  • Cyber Essentials Plus
  • ISO 27001
  • How to make compliance easy
    • Advice on getting started
  • Where to find support

So, if you’re unsure about whether your business needs a cybersecurity certification or which one is right for you, start by downloading our guide. It’s free and includes everything you need to know to make a decision.


5 cyber insurance challenges for small businesses


Small business, smaller risk of a cyberattack? Not quite.

Small businesses are still susceptible to cybersecurity threats. Whether your business consists of a single person or a number of employees, you must be protected. 

One in five small firms say they’ve experienced a cyberattack at one point. And many don’t think they have the finances or time to set up security precautions – or in some cases – don’t realise the need to. But it doesn’t have to be this way. 

There are a few simple steps you can take to remain protected. And they could make you eligible for all-important cyber insurance cover.

Why do you need cyber insurance?

Many sophisticated cyber threats exist today. Phishing, malware, ransomware, hacking; the list could go on. Having cyber insurance in your business will help you recover faster if an incident occurs. If your business deals with sensitive customer data, does a lot of business over the internet or doesn’t have coverage from any external cybersecurity providers, cyber insurance is worth investigating.

Cyber insurance includes coverage for damage or loss of information from IT systems and networks. This includes both first-party and third-party risks, depending on your insurance plan.

  • First-party risks: This includes anything that could impact your business assets. For example, a cyber-attack on your software or theft of digital assets.
  • Third-party risks: This covers the assets of others, like your customers. For example, security and privacy breaches of customer data.

For a small business, cybersecurity insurance is pivotal for protecting you in worst-case scenarios. So, how can a small business obtain cybersecurity insurance?

Not sure where to start with cyber insurance? Check out our guide for everything you need to know.

How to overcome cyber insurance challenges as a small business

Just like any other type of insurance, you need to meet your providers’ criteria. 

Every cybersecurity insurance provider will have its own process, but the typical route to qualify will range from a simple questionnaire to a detailed analysis of your cybersecurity environment by your insurer.

Meeting basic cybersecurity standards will make your small business significantly more likely to qualify. 

Here’s what you can do:

1. Keep software up-to-date and protected

Running up-to-date anti-malware protection on every device deals with many commodity threats. Just as important is patching: applying security updates for your operating systems, browsers and applications promptly (Cyber Essentials expects high-risk or critical updates to be applied within 14 days of release) closes the known vulnerabilities that attackers actively scan for. 

By taking these basic measures, insurers will see your business as more trustworthy.

2. Protect your network with a firewall

A firewall is a network security system that monitors and controls traffic entering and leaving your network according to predetermined security rules. It creates a barrier between your network and anything considered an ‘untrusted’ network, such as the internet, which is where most cybersecurity threats come from. Make sure the firewall’s own default administrative password has been changed and that inbound access from the internet to internal services is blocked unless there is a documented business need. 

By implementing one, insurers can recognise that you’ve reduced the chance of a cybersecurity threat occurring.

3. Implement regular security checks

Not every small business owner is expected to understand the ins and outs of cybersecurity. Instead, smart cybersecurity software can help you manage regular security checks and provide monitoring, 24/7. 

The best software can also act as an educational tool – providing greater awareness about cybersecurity training opportunities, policies you can implement, and giving your people more control of their own cybersecurity. This shows insurers that you’re taking a proactive approach to cybersecurity.

4. Regularly back up your data

Insurers want you to minimise the risk of data loss as it’s costly and impacts your reputation. 

Make sure your data is backed up using external media or a secure cloud service, keep at least one copy offline or otherwise isolated from your live systems so that ransomware cannot reach it, and test that you can actually restore from your backups. Bear in mind that third-party (customer) data may carry contractual or legal retention requirements that differ from those for your own records. 

5. Manage user access rights and permissions

User access rights are an important part of staying secure. You want to make sure only the right people have access to sensitive data, without impacting anyone’s ability to do their actual job. 

In a business, enforcing a ‘least privilege access’ policy is a common way of managing access rights. This is a policy that only allows users to have the minimum level of access or permissions needed to perform their jobs, and nothing more. It restricts access rights to only users, accounts, and processes that require certain types of data.

This creates a safer environment for your data and limits the damage that an honest mistake, or a compromised account, can do. Insurers see that as reducing their risk. 

Improve your cyber hygiene to get cyber insurance

‘Cyber hygiene’ is the steps your business can take to protect itself from cyberattacks, like the list above. 

It’s like the practice of washing your hands – but for cybersecurity. Cyber insurance providers look for businesses with good cyber hygiene practices in place, as you’re less likely to be impacted by cyber threats. 

Alongside the list above, a cybersecurity certification is also a great way of overcoming cyber insurance challenges and improving your cyber hygiene. Cyber Essentials covers the baseline controls insurers most often ask about, and it’s backed by the UK government, making it ideal for small businesses looking for a recognised standard.


How Much Does Cyber Insurance Cost?

The cost of cyber insurance can vary considerably depending on several factors. For example, the size of your business, the sector it’s in and the sensitivity of the data you deal with. However, in the current cyber threat landscape, the cost to your business of not having any cyber insurance in place could be catastrophic. So, let’s take a closer look at the cost of cyber insurance, what it covers, and what may impact your premiums.

What is cyber insurance and why do you need it?

Just as you insure your car against damage and loss, cyber insurance is a contract between you and an insurer whereby they agree to compensate you for covered losses related to your IT infrastructure or data. It’s a relatively new kid on the block in the world of insurance, with the first policies thought to have been written in 1997.

However, with the rapid rise of the Internet, cyber insurance has become increasingly popular. Few businesses can now hope to succeed without some online presence. And, you need to do all you can to protect yourself from cyberattacks and the damage these can do to your company.

The bottom line is that cyber threats have skyrocketed in the last few years, with the rise in hybrid and remote working increasing the vulnerability to attacks of many businesses. In fact, recent research shows that in 2021 there were 50% more cyberattacks per week on corporate networks than in 2020.

If your company is a small or medium-sized business, you could be forgiven for thinking that you’re relatively safe from such threats. After all, media reports typically focus on attacks on large organisations, but this isn’t the case. Threats such as ransomware attacks can affect any company.

For example, the 2021 Verizon Data Breach Investigations Report revealed that 61% of all small and medium-sized businesses had reported at least one cyberattack in the previous year. What’s more, 43% of all data breaches involve small and medium-sized businesses. 

According to Hiscox, a small business is hacked in the UK every 19 seconds. And cyber breaches cost the average small business £25,700 in basic ‘clear up’ costs each year. Although there are cybersecurity best practices you can adopt to decrease the likelihood of a successful attack, there’s no such thing as complete protection. So, the next best thing is to purchase cyber insurance to help mitigate the risks and possible effects of a cyberattack.

Want to protect your business but unsure where to start? Check out our free guide to cyber insurance.

What’s the cost of cyber insurance?

There are two main costs when you take out cyber insurance:

  • Your insurance premium: This is the basic cost of your insurance protection, payable monthly or yearly
  • Your insurance excess: This is the lump sum that you pay if you make a claim. If you choose a small excess, this will usually make your insurance premium more expensive

As with all insurance, the cost of cyber insurance to your business depends on various factors:

  • The size of your business: This can be a strong influencing factor on the cost of cyber insurance. The more staff you have, the higher the risk of you falling foul of phishing and social engineering attacks. A company with a large annual turnover is normally more expensive to insure than a smaller business
  • Your business sector: Certain industries are more vulnerable to cyberattacks than others. For example, a finance organisation or charity may be at higher risk than a restaurant
  • The strength of your cybersecurity: If the cybersecurity measures you have in place are robust, you may be rewarded with lower insurance premiums. It, therefore, pays to employ strong security protocols and educate your staff on cyber risks
  • The amount and sensitivity of the data you deal with: If your business has a small customer base, or doesn’t hold a lot of sensitive data, you may pay less for your cyber insurance. For instance, a healthcare facility that stores lots of highly sensitive personal information will usually pay more than a hairdresser
  • The level of cover you choose: If you opt for a basic policy, providing limited protection, it’s likely to be less expensive than a more comprehensive policy

Picking the right type of cover

Cyber insurance falls into two main types. And it’s important to choose the right one for your business. 

  • First-party cover: This protects your company against the direct results of a cyberattack
  • Third-party cover: This includes the indirect consequences of a cyberattack. It also provides protection for businesses that offer professional services to other businesses. For example, if you’re being sued by another company for errors you’ve made which have resulted in damages

First-party insurance is usually less expensive than a third-party policy. However, it doesn’t provide as much protection. Not all businesses need third-party protection, but organisations that are mostly technology-based will probably need to consider it.

What cover do you get for the cost?

Cyber insurance will cover you for a range of cyber risks, including:

  • Malware, including ransomware attacks
  • Denial-of-service attacks
  • Social engineering attacks, including phishing
  • Data privacy breaches

Although it’s difficult to estimate exactly what your cyber insurance costs might be (every business is different), it should cover you for:

  • Loss of income
  • Repair costs and damage control
  • Fines and legal action, such as regulatory penalties for data protection breaches (where the law allows these to be insured)
  • Ransom costs, if someone holds your data hostage
  • Public relations support, to regain damaged trust
  • Data breach measures, including investigative proceedings and customer support

Is the cost worth it for small businesses?

Despite the benefits of having cyber insurance, it’s still underused. The DCMS’ Cyber Security Breaches Survey 2022 found that only 43% of businesses have a cyber insurance policy. For many businesses, this is down to cost. Prices rose in the UK by 102% in the first quarter of 2022 alone.

So, is it worth it?

At the end of the day, an insurance policy won’t protect you from a cyberattack happening. Only strong cybersecurity can do this. But, given the speed and sophistication of cyberattacks, being hit as a small business isn’t a question of if it will happen, but when.

So, cyber insurance can be invaluable, as it will help to put you back into the state you were in before an attack took place. Your insurer can also provide skills and expertise, such as ransomware negotiation, PR cover, and data recovery skills that you might not have in-house.

The cyber insurance market is changing

Protecting your business on a budget can certainly be tricky, but new products are now disrupting the insurance space and offering more cost-effective solutions. Cyber insurance is evolving and CyberSmart is at the forefront of this revolution. 

The traditional, standalone cyber insurance model, without protection or monitoring, is fast becoming obsolete and driving substantial premium increases. Providing insurance before managing the risk is fundamentally flawed, leading to suboptimal outcomes for the insurer and the insured. However, CyberSmart takes a more holistic view of risk, not just looking at technology, but also at processes and people to reduce the level of cyber risk as a whole. 

With CyberSmart Active Protect, you can proactively manage risk 24/7. It identifies risks and provides simple, jargon-free instructions for fixing vulnerabilities. Our user-friendly platform ensures everyone in your business is working safely, with visibility of every device in your organisation.

In addition, we also offer £25k worth of enhanced cyber insurance for free with Cyber Essentials certification completed. So you can minimise your risk of cyberattacks, gain peace of mind, and cover yourself with affordable insurance, in case the worst should happen.

If you’re considering cyber insurance or just curious as to what it’s all about, check out our guide, Cyber Insurance Trends 2023. It’s a great introduction to the industry and you can download it, for free, here.


What does cyber insurance cover?

Cyber insurance. It’s not just another business expense to add to your never-ending checklist. In reality, it’s an important type of coverage for damage or loss of information from IT systems, networks, and data.  

Think about it – you wouldn’t drive a car without insurance. So why let your important IT systems and data, which underpin all of your essential business processes, go uncovered?

Cyber insurance makes sure that you’re protected in case anything impacts your IT.

Why do you need cyber insurance?

Every business is responsible for its cybersecurity. If something malicious or unfortunate happens to your IT systems, for example, a data breach or cyberattack, you want to make sure you’re protected. 

In 2022 alone, 39% of businesses identified a cyberattack in their organisation. And these threats could have serious financial and reputational repercussions. But sometimes they’re unavoidable, and cyber insurance provides crucial support exactly when you need it.

Considering cyber insurance for your business? Don’t make a decision without reading our guide.

What does cyber insurance cover?

Cyber risks fall into two categories. First-party and third-party risks. Your chosen cyber insurance will need to cover what’s relevant to you.

First-party insurance 

First-party insurance covers your own assets. This includes:

  • Loss and damage to data or software programmes
  • Network downtime that causes interruption to your business
  • Cyber extortion – ransom demands made against your data or systems
  • The cost of notifying affected customers, which UK GDPR requires when a personal data breach is likely to result in a high risk to them (the ICO must also be informed within 72 hours of becoming aware of a reportable breach)
  • Theft of digital assets, equipment, money, or electronic theft

Third-party insurance 

Third-party insurance covers the assets of others, like your customers. This includes:

  • Security and privacy breaches
  • Defence costs and the civil damages associated with them
  • Loss of third-party data – compensation payments for your customers 
  • Investigation costs
  • Costs associated with liability, breach of privacy, and negligence

Don’t rely on cyber insurance alone to protect your business

Cyber insurance is a great way to stay covered in case an incident occurs in your organisation. But you shouldn’t rely on it alone to protect your business. 

There are a few simple steps you can take to reduce the chances of an incident happening in the first place. Ultimately, you need the correct cybersecurity credentials across all the main aspects of your business to remain protected. 

Ask yourself these questions:

  • What cybersecurity accreditations have we implemented across our people, technology, and operational processes?
  • Are our accreditations up to scratch with industry standards, or backed by the government?
  • Are the correct measures in place to prevent an incident from occurring?

If you answer no to any of these questions, it could be beneficial to look into Cyber Essentials certification to keep your business safe. 

It’s an easy, fast method of making sure you’re following the correct measures in your business, so an incident is significantly less likely to happen. The controls it requires are estimated to mitigate around 98.5% of common, commodity cyber threats. 

Think about it. Relying on insurance, before managing your risk, is fundamentally flawed. Ensuring you’ve implemented both measures – a certification and insurance – is the ultimate safeguard for your business.

If you’re considering cyber insurance or just curious as to what it’s all about, check out our guide, Cyber Insurance Trends 2023. It’s a great introduction to the industry and you can download it, for free, here.



5 tips to improve your cloud security

Cloud computing is everywhere. You probably don’t think about it all that much, but most of the platforms and software you use will be hosted in the cloud. Major cloud platforms are generally well secured by their providers, but security is shared: what happens inside your tenant (your accounts, permissions, configuration and data) is your responsibility. Here are our top 5 tips for improving your cloud security.

1. Use multi-factor authentication 

Multi-factor authentication (MFA) requires you to provide two or more independent proofs of identity to sign into an application. Rather than just asking for a username and password (something you know), MFA adds a factor of a different kind: something you have, such as a one-time code from an authenticator app, a hardware security key, or a code sent by SMS; or something you are, such as a fingerprint. A second piece of memorable information is not a true second factor, because it can be phished or guessed in exactly the same way as a password.

You’ve probably already used MFA plenty in your day-to-day life. Many applications now require it and we’re well on the way to it being a near-universal security tool.

This is happening for a very good reason. Strong passwords are important, but they aren’t infallible. Passwords get phished, reused across sites and exposed in breaches, and a well-orchestrated brute force attack could still find a way through. With MFA, a stolen password alone is not enough. Be aware that SMS codes can be intercepted through SIM swapping and that one-time codes can be phished in real time, so authenticator apps or hardware security keys (which are phishing-resistant) are the stronger choice where the service supports them.

Moreover, under the new Cyber Essentials requirements, MFA should always be used for accounts connecting to cloud services. 

Want to know more about the cyber threats small businesses face? Check out our guide.

2. Manage user access carefully

It’s likely you’re already doing this with some of the cloud-based software you use. After all, who pays for licences they don’t need? However, as a general rule, it’s important to give your staff access to all the resources and data necessary for their roles, and no more.

There are two key reasons for this. Firstly, it reduces the risk of someone editing or deleting important information by accident. But, more importantly, it protects you from hackers who have stolen an employee’s credentials.

Practising proper segregation of user accounts limits the damage any successful breach can cause. To learn more about how to do that, check out our blog on admin users.

3. Create a comprehensive off-boarding process

It’s never nice when a colleague leaves, especially if it’s not on good terms. But however staff leave, you need to make sure they no longer have access to cloud platforms, systems, data and customer information.

Of course, it’s unusual for employee off-boarding to go dramatically wrong, but that doesn’t mean you shouldn’t take precautions. Too many businesses leave the process weeks or even months after an employee has left, or forget altogether. 

This is a big security risk. By failing to cull access permissions for former employees, you’re losing control over who can access your systems and data, and potentially giving cybercriminals an easy route into your business.

To prevent the worst, you’ll need a systematic process for ensuring all access rights are revoked. This can be tricky as most employees will have access to a range of applications and platforms. So, to make it a simpler process, keep an up-to-date list of who has access to what. And, if you don’t have the bandwidth to do so in-house, there are plenty of tools available to automate the process.
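One way to make ‘who has access to what’ checkable, rather than a spreadsheet nobody updates, is to reconcile each application’s account export against the HR roster. The following is an added example and not the page’s own tooling: the staff list, leaver dates and account exports are constructed sample data with hypothetical names, domain and applications, and the one-day deprovisioning target is an assumption.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    app: str          # the cloud application the export came from
    username: str     # the account name inside that application
    owner_email: str  # the person the account belongs to, as recorded in the app
    enabled: bool     # whether the app still lets this account sign in


# Constructed sample data (hypothetical people, domain and applications).
CURRENT_STAFF = {"alice@example.co.uk", "bob@example.co.uk"}
LEAVERS = {  # leaving date taken from the HR system
    "carol@example.co.uk": date(2023, 1, 6),
    "dave@example.co.uk": date(2023, 2, 20),
}
ACCOUNTS = [
    Account("Microsoft 365", "alice", "alice@example.co.uk", True),
    Account("Microsoft 365", "carol", "carol@example.co.uk", True),    # leaver, still enabled
    Account("CRM", "carol.j", "carol@example.co.uk", True),            # leaver, still enabled
    Account("CRM", "dave.w", "dave@example.co.uk", False),             # leaver, already disabled
    Account("Accounting", "bob", "bob@example.co.uk", True),
    Account("Accounting", "svc-payroll", "erin@example.co.uk", True),  # owner unknown to HR
]
AUDIT_DATE = date(2023, 3, 1)  # constructed "today" so the example is reproducible
DEPROVISION_SLA_DAYS = 1       # assumed target: access removed within a day of leaving


def access_matrix(accounts):
    """The 'who has access to what' list: owner -> sorted apps where they hold an enabled account."""
    matrix = {}
    for acct in accounts:
        if acct.enabled:
            matrix.setdefault(acct.owner_email, set()).add(acct.app)
    return {owner: sorted(apps) for owner, apps in matrix.items()}


def audit_access(accounts, current_staff, leavers, today, sla_days=DEPROVISION_SLA_DAYS):
    """Reconcile enabled accounts against HR data; return sorted (severity, app, username, detail)."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deprovisioned; nothing to do
        if acct.owner_email in leavers:
            days_since_leaving = (today - leavers[acct.owner_email]).days
            severity = "HIGH" if days_since_leaving > sla_days else "MEDIUM"
            findings.append((severity, acct.app, acct.username,
                             f"owner left {days_since_leaving} days ago but account is still enabled"))
        elif acct.owner_email not in current_staff:
            # Neither a leaver nor current staff: an orphaned or undocumented service account
            findings.append(("REVIEW", acct.app, acct.username,
                             "owner is not in the HR roster; confirm who is responsible"))
    return sorted(findings)


if __name__ == "__main__":
    for owner, apps in sorted(access_matrix(ACCOUNTS).items()):
        print(f"{owner}: {', '.join(apps)}")
    for severity, app, username, detail in audit_access(ACCOUNTS, CURRENT_STAFF, LEAVERS, AUDIT_DATE):
        print(f"[{severity}] {app}/{username}: {detail}")
```

Run this against fresh exports on a schedule and the off-boarding gap becomes a ticket rather than a surprise. The REVIEW category is deliberate: accounts whose owner is unknown to HR are exactly the shared and service accounts that outlive the people who created them.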

4. Consider a cloud-to-cloud backup service

As we’ve mentioned, a direct breach of any cloud platform you use is unlikely (though not impossible). Nevertheless, the risk to your data from human error is high. Some 90% of all breaches start with some form of human error.

The problem is, should a cybercriminal corrupt your data or an employee delete something, most cloud platforms will only keep backups of deleted data for a specific period. This can range from days to months. So as well as checking with the provider what its policy is, it could be worth having a reserve option.

Many providers offer regular cloud-to-cloud backup services. And, it’s an option well worth considering for particularly important or sensitive data. 

5. Provide regular security training for employees

If you’ve read any of our blogs before, you’ll know we really hammer home the importance of staff training. Cloud platforms typically have very good defences, meaning the most likely way a hacker will bypass them is by stealing employees’ login credentials. This will usually happen through a social engineering attack, such as phishing.

The best way to counter this is with regular security training. That way, your people will be able to recognise potential threats and avoid them. There’s no such thing as one-size-fits-all security training. What the training looks like will depend on your staff and their knowledge gaps. 

However you do it, keep it regular, useful, and engaging. For more on how to get started, we recommend reading our blog on security training.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights into the risks small businesses face and what can be done to counter them. Get your copy here.


What is a business email compromise attack?

Business email compromise (or BEC) attacks are a threat to organisations of any size. Here’s everything you need to know to protect your business.

How does a business email compromise attack work? 

A BEC scam is a form of social engineering attack. It usually involves an attacker impersonating the top dog (such as the CEO or founder) in a business to defraud the company and its employees, partners and customers. 

The bad guys achieve this by creating an email account or domain that looks very similar to the real thing. For example, say your CEO’s email address is ‘john.smith@cybersmart.co.uk’. The attacker might register a lookalike domain and send from ‘john.smith@cybersrnart.co.uk’ (with ‘rn’ in place of ‘m’), or simply use a free webmail account such as ‘john.smith.cybersmart@gmail.com’ with the display name set to ‘John Smith’. 

It’s just plausible enough that, were you in a hurry or unfamiliar with the real email address, you might share sensitive information or fulfil a request without giving it too much thought.

Like all social engineering scams, BEC attacks rely on creating a sense of urgency and implied trust in an email that comes from a seemingly legitimate source. A sense of urgency because employees are likely to hop to it pretty quickly if a CEO requests something. And, trust because of the assumed gravitas an email from an important person within a company carries.
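The impersonation tricks described above can be checked mechanically at the mail gateway or in a mailbox rule. As an added example that is not part of the original post, the Python below inspects the From and Reply-To headers of a message and flags the patterns a BEC mail tends to show: the brand name embedded in someone else’s domain or in a free-mail local part, a typo-squatted lookalike domain, a senior person’s display name arriving from an external domain, and a Reply-To that silently diverts replies. The trusted domain and the name ‘John Smith’ come from the post’s example; the sample messages are constructed.

```python
from email.utils import parseaddr

# The trusted domain and protected name come from the post's own example; swap in your
# organisation's real domain(s) and the senior staff most likely to be impersonated.
TRUSTED_DOMAINS = {"cybersmart.co.uk"}
PROTECTED_NAMES = {"john smith"}
# Character swaps common in typo-squatted domains: rn for m, vv for w, digits for letters.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
LOOKALIKE_MAX_DISTANCE = 2

# Constructed sample headers covering the patterns discussed in the text.
SAMPLE_MESSAGES = [
    {"From": "John Smith <john.smith@cybersmart.co.uk>"},      # genuine
    {"From": "John Smith <js@cybersmart.gmail.com>"},          # brand as a label of another domain
    {"From": "John Smith <john.smith@cybersrnart.co.uk>"},     # 'rn' in place of 'm'
    {"From": "John Smith <john.smith.cybersmart@gmail.com>"},  # brand in a free-mail local part
    {"From": "Accounts Payable <ap@acme-parts.com>", "Reply-To": "ap@acme-parts-invoices.net"},
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough to inline rather than pull in a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold common confusable sequences so 'cybersrnart' compares as 'cybersmart'."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def split_address(addr: str):
    """Return (local part, domain), both lower-cased; empty strings if there is no '@'."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def assess_headers(headers: dict) -> list:
    """Return a sorted list of reason codes; an empty list means nothing suspicious was found."""
    name, addr = parseaddr(headers.get("From", ""))
    local, domain = split_address(addr)
    reasons = set()

    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            # js@cybersmart.gmail.com: our brand appears as a label of someone else's domain
            if any(brand in label for label in domain.split(".")):
                reasons.add("brand-in-domain")
            # john.smith.cybersmart@gmail.com: our brand appears in a free-mail local part
            if brand in local:
                reasons.add("brand-in-local-part")
            # cybersrnart.co.uk: a typo-squat within a couple of edits of the real domain
            if levenshtein(normalise(domain), normalise(trusted)) <= LOOKALIKE_MAX_DISTANCE:
                reasons.add("lookalike-domain")
        # A senior person's name in the display name, but the mail is not from our domain
        if name.strip().lower() in PROTECTED_NAMES:
            reasons.add("exec-name-external-domain")

    # Replies quietly routed to a different domain from the one shown in From
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to:
        _, reply_domain = split_address(reply_to)
        if reply_domain != domain:
            reasons.add("reply-to-mismatch")

    return sorted(reasons)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{msg['From']!r}: {assess_headers(msg) or 'ok'}")
```

These checks complement, rather than replace, SPF, DKIM and DMARC: those prove a mail really came from the domain it claims, while the logic above catches the case where the attacker’s domain is genuine but merely looks like yours. Anything flagged should at minimum be tagged as external before it reaches the finance team.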

What do business email compromise attacks seek to gain?

Cybercriminals use BEC attacks for all sorts of nefarious ends. It might be that they want to steal sensitive data, gain access to company systems, set up a ransomware attack or dupe the victim into paying for something. 

Sadly, BEC attacks lend themselves to just about any purpose, making them a highly versatile weapon for cybercriminals. 

Want to know more about the cyber threats small businesses face? Check out our guide.

Are there any famous examples?

As they often lead to huge losses for the victim, you’ve likely seen the results of successful BEC scams in the media – even if they weren’t necessarily reported using the term. 

Facebook and Google

One of the most famous of all time was the Facebook and Google scam, carried out between 2013 and 2015. A Lithuanian cybercriminal called Evaldas Rimasauskas set up a company in Latvia named ‘Quanta Computer’, the same name as a real Taiwanese hardware supplier to both firms.

Rimasauskas then emailed convincing fake invoices to both tech giants. Both duly paid, again and again, until they’d been defrauded out of more than $120 million. Rimasauskas was arrested in 2017, extradited to the US and, in 2019, sentenced to five years in prison for wire fraud. 

Toyota Boshoku Corporation

In 2019, cybercriminals contacted the finance department of Toyota Boshoku’s European subsidiary posing as a legitimate business partner. They used the classic social engineering tactic of creating a sense of urgency, claiming that the payment needed to be made quickly to avoid slowing the manufacturing process. 

Unfortunately, someone at the company took the bait. The subsidiary transferred roughly ¥4 billion (about $37 million), ostensibly to pay for parts, to an account controlled by the attackers. It remains one of the biggest single losses to a BEC scam ever recorded. 

Reading these examples, it’s easy to form the impression that BEC scams are usually targeted at large companies. However, this isn’t the case.

Although cybercriminals’ final target is often a big corporate, they’ve become more and more inventive about how they get there. As with many other forms of attack, many BEC scams now originate in the supply chain. Even if you’re a smaller business, it’s no guarantee that cybercriminals won’t try to use you as a backdoor into a larger organisation in your supply chain.

So, how can your business protect itself?

How can you protect your business?

Secure your supply chain

As we mentioned earlier, a large proportion of BEC attacks begin in the supply chain. So the best form of defence is to secure the links in your supply chain.

How that looks in practice will depend on your business and who it works with. However, a great place to start is by ensuring your cybersecurity is up to scratch. Once that’s the case, talk to your suppliers and partners about their cybersecurity practices and share experiences and advice. Many a breach could’ve been avoided with better communication across a supply chain.

Finally, aim to work with businesses that have Cyber Essentials certification as a minimum. This will give you confidence the suppliers and partners you work with take cybersecurity just as seriously as you.

To find out more about securing your supply chain, check out this blog.

Educate your staff

Like all social engineering attacks, BEC scams rely on human error. If your people can recognise the signs of a BEC scam, your business is less likely to be breached. The best way to achieve this is through security training.

Training can help your employees recognise the tactics typically used in BEC attacks, such as posing as a supplier, creating a sense of urgency, or requesting suspiciously large amounts of money. The most important way to counter a BEC scam is simply pausing to think about the request and whether it’s legitimate. Training can help this become a habit.

Create clear cybersecurity policies

To ensure your people know what good cybersecurity practices look like, you need a clear, easy-to-follow cybersecurity policy. And make sure they know where to find it. A cybersecurity policy is only as effective as the number of staff who’ve read and followed it.

Create a positive cybersecurity culture

The most formidable opponent of good cybersecurity isn’t the bad guys, it’s poor communication. Your employees need to feel comfortable raising concerns or reporting anything that doesn’t seem right. Without such a culture in place, you risk security threats being raised or discovered far too late. 

Encourage everyone in your organisation to ask questions, report anything that concerns them and learn as they go.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights into the risks small businesses face and what can be done to counter them. Get your copy here.


The 7 biggest challenges of ISO 27001 certification

It takes months of hard work to meet the rigorous standards outlined by ISO 27001. But if you think it’s the right move for your business, then these are the challenges you should be aware of before starting your journey.

What is ISO 27001?

ISO 27001 is an international information security standard. It was first published by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and revised in 2013.

The standard contains 10 management system clauses and 114 information security controls. These provide businesses with impartial, best-practice guidance on building, deploying, and maintaining a robust information security management system (ISMS). ISO 27001’s guidelines cover all key areas in your business, including people, processes, and tools.

ISO 27001 is more comprehensive than similar security certifications, like Cyber Essentials. It isn’t mandatory for UK SMEs, but there are several benefits:

The benefits of ISO 27001 certification

  • Protect your business and customers from cybersecurity threats
  • Reassure customers
  • Enhance your reputation
  • Avoid the financial penalties associated with data breaches

Want to protect your business but unsure where to start? Check out our free guide to cybersecurity certifications in the UK.

7 Common challenges of ISO 27001 certification

1. Understanding the guidelines

ISO 27001 is complex. Annex A of ISO 27001 contains 114 controls. These cover everything from information security protocols to incident management and business continuity. It’s a lot to take in and leaves many businesses asking the question: “where do I start?”

2. Building a security framework

Before embarking on ISO 27001 certification, you should have a robust information security framework in place. This outlines your cybersecurity policies, as well as the processes and tools you use to protect sensitive data from potential threats. It also explains what to do in the event of a security breach.

Auditors assess cybersecurity risks against this framework. If you don’t have one, you’ll have to build it from scratch. This is a significant undertaking and can set your project back by several months.

3. Identifying security gaps

What does your current information security ecosystem look like? It’s a simple question, but unless you review your processes, policies, and tools regularly, it’s difficult to get the complete picture you need to spot potential blind spots in your defences.

This is problematic for two reasons:

  1. It’s difficult to see where you should focus your efforts
  2. You might waste time on unnecessary tasks

You wouldn’t be the first business to spend days writing a new bring-your-own-device policy, only to discover you already have one hidden in a rarely used SharePoint folder. A comprehensive gap analysis can provide you with the information you need. But it requires the cooperation and support of every department to make sure nothing falls through the cracks.

4. Establishing responsibilities and ownership

You might think the ISO 27001 certification process is the sole responsibility of the IT department. But that’s not always the case.

ISO 27001 isn’t only about anti-virus software and data protection. It encompasses everything from helping individual team members understand their responsibilities and physical controls to managing supplier risks and compliance. 

The COO, operations teams, and HR all have a role to play in helping you achieve ISO 27001 certification.

5. Getting stakeholder buy-in

ISO 27001 certification is a long, intensive, and expensive process. You’ll have to put up with plenty of disruption along the way, and this can be a deal-breaker for some stakeholders. If your business has always worked in a certain way – and succeeded – stakeholders might justifiably ask: “is ISO 27001 worth the hassle?”

Many SMEs wrongly assume that they’re too small to be targeted by hackers, but that simply isn’t the case. 39% of UK businesses reported cyber breaches in 2021 and data suggests they’re on the rise.

You can overcome these objections by building a business case that outlines the value of ISO 27001 certification. This includes the benefits of ISO certification, such as stronger information security processes and enhancing your reputation.

6. Having no project plan

Attempting ISO 27001 certification without a plan is like trying to hit a bullseye while wearing a blindfold. You’ll hit the target eventually, but it’ll take longer and require considerably more effort.

ISO 27001 is a complex and time-consuming process. Successful ISO 27001 certification is a business-wide effort, and that means you need a project roadmap to:

  • Split the project into smaller, more manageable steps
  • Provide clear timelines for delivery
  • Ensure everyone’s on the same page

7. Implementing the project

One of the biggest challenges of ISO 27001 certification is implementing the project. SMEs typically lack the internal skills and knowledge to make the changes required by the ISO.

The key to a successful ISO 27001 implementation is to provide internal teams with the relevant security training, so they can implement the changes with confidence. Alternatively, you could work with a third-party auditor to make sure you’re moving in the right direction.

Is ISO 27001 right for my business?

It depends. Most businesses that embark on ISO 27001 certification are enterprises that have an information security framework in place and are ready to add another layer of protection. They also have the resources to implement the required changes.

For most UK SMEs, ISO 27001 is a nice-to-have rather than a necessity. Cyber Essentials and Cyber Essentials Plus provide all the security you need to defend your business against the most common cyber threats, like phishing scams and human error.

We certainly wouldn’t recommend attempting ISO 27001 until you’ve completed Cyber Essentials at the very least. Cyber Essentials accreditation isn’t a prerequisite for ISO 27001. But starting with ISO is like trying to run before you can walk.

Still unsure which certification is best for your business? Check out our in-depth guide to cybersecurity certifications in the UK.


5 benefits of Cyber Essentials certification

Maslow’s hierarchy of needs outlines key motivations that dictate human behaviour. There are five categories of needs, in order of importance.

  • Physiological
  • Safety
  • Belongingness and love
  • Esteem
  • Self-actualisation 

Physiological and safety needs are the most basic for humans to function – warmth, food, water, safety, etc. This can be applied to business, too. The most basic needs for a business to function include:

  • Having a product or service offering
  • Building an infrastructure to support sales/customers/employees, e.g. IT
  • Having a place to work or sell, e.g. website, office, shop
  • Protecting your business from threats like theft from physical stores or cyber attacks on systems and data

Certifications like Cyber Essentials satisfy the basic need to protect your business against threats.

Need more help finding the right cybersecurity accreditation for your business? Check out our guide.

What is Cyber Essentials?

Cyber Essentials is a cybersecurity certification designed by the government to give organisations a standardised level of protection.

There are five security controls with criteria to address cybersecurity effectively and mitigate the risk from cyber threats:

  1. Firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

Businesses must meet the Cyber Essentials IT infrastructure requirements in all five areas to become accredited.

The 5 benefits of Cyber Essentials

1. Improve your security processes 

Once accredited, you’ll be less at risk of GDPR non-compliance and associated fines, and protected against 98.5% of the most common security threats.

Cyber Essentials provides a framework to improve your internal processes. The five categories of criteria act as a step-by-step guide to up your cybersecurity game. It’s easy to follow and gives you processes to follow that’ll set you up for future success. Save time, money, and stress by getting organised.

2. Build trust with customers

With so many high-profile and damaging cyber attacks worldwide, customers are rightly nervous about who to share data with and want to know their personal information will be safe. 

Having a government-backed accreditation lets customers know that you operate your business to a good standard of cybersecurity. This provides the reassurance they need to buy from you with confidence. 

Over time, you’ll build broader brand recognition and improve your reputation, too.

3. Bid for government contracts

If you want to work with organisations in the public sector and bid for contracts, you’ll need a Cyber Essentials accreditation. 

This is a huge opportunity to work on large-scale projects and form long-lasting positive relationships with public sector organisations. 

4. Be on a trusted register of suppliers

For the 12 months your certificate is valid, your company’s name will be on the NCSC website. This makes it easy for potential customers to check your cybersecurity credentials and validate your business.

5. Strengthen your supply chain

It’s not just important for your customers to trust you. Your partners, suppliers, and investors need to have confidence in your ability to operate safely, too. Having a recognised certification validates your processes and means they know you operate with their best interests at heart.

Start meeting your business needs today

Remember Maslow. Addressing all the basic needs of your business will give you a foundation for success. Getting your cybersecurity in order is a must, and working towards a Cyber Essentials certification will set you on the path to better data management. 

And when you have Cyber Essentials in place, you can think about striving for more complex certifications to fulfil needs further up the hierarchy so your business can reach its full potential.

Still unsure which certification is best for your business? Check out our in-depth guide to cybersecurity certifications in the UK.


What is smishing?

You’ve probably heard of phishing scams, have a decent handle on what they look like, and know how to avoid them. But just when you thought it was safe to log back onto your devices, there’s a new threat in town. ‘Smishing’.

Silly name aside, smishing is a pretty potent cyber threat and has fooled thousands of victims to date. So, to arm your business against this new breed of scam, here’s everything you need to know.

How does Smishing work?

Smishing attacks are a mutation of a classic phishing scam. They typically use SMS (hence the ‘smish’ part of ‘smishing’) to target victims and usually work much the same way as a typical phishing scam. A cybercriminal will impersonate a legitimate company to solicit personal data or financial information.

Like most social engineering attacks, smishing relies on creating a sense of urgency to trick victims into giving away their details before thinking too much about whether the message is legitimate. For example, a textbook smishing message often looks something like this: 

“Hi,

Your Parcel Service package has extra shipping charges of £1.45 that must be paid before we can deliver your parcel.

Please click parcelsevice-17374330.com to pay.”

Notice that this text message doesn’t feel quite right. The language isn’t quite what you’d expect from a professional courier, the link looks dodgy, and there’s lots of slightly shonky bold text everywhere. And on top of this, few couriers or postal services would notify you of extra charges via an SMS.

However, if you’re in a hurry or are expecting a parcel, you might just hit the link without thinking too much about it. And it’s exactly that scenario that the bad guys are counting on.

Want to know more about the threats facing UK businesses? Download our guide.

Why are smishing attacks on the rise? 

First of all, let’s state the slightly obvious. Smishing attacks are becoming a big cybersecurity problem. Reports of malicious text messages tripled in just a year from 2019 to 2020, skyrocketing from 107,663 in 2019 to 305,241 in 2020.

What’s more, Ofcom research revealed that 82% of UK adults (or 45m people) received a suspicious text or email during the summer of 2021. It’s got so serious that the UK government was forced to relaunch its Joint Fraud Taskforce in October of last year.

But what’s driving this?

Of course, some of this is down to the pandemic, we saw cyberattacks of all kinds increase dramatically in the wake of COVID-19. However, that’s not the whole story. In smishing, cybercriminals have hit upon a low-effort, high-reward way to target just about anyone who owns a phone. 

It’s substantially easier for cybercriminals to find your phone number than your email. Even if your number hasn’t been in a data leak, attackers can simply try random combinations of numbers until they hit upon one that’s a real phone number. After all, there’s a finite set of options for a mobile telephone number (UK numbers are 11 digits).

On top of this, smishing has become increasingly popular because people are more likely to trust a text message than an email. This is partly an educational issue. By this point, most of us are aware of the threat of email phishing scams (even if we still fall for them). Smishing is a newer phenomenon and, as a result, we tend to be more trusting. 

Are there any famous examples?

There are plenty of examples of famous brands being spoofed for smishing purposes, from banks to parcel services to government departments. But perhaps the most famous UK examples are Royal Mail and HMRC.

The Royal Mail scam looked a lot like our smishing example above. Victims were sent fake messages purporting to be from Royal Mail asking them to pay extra fees for parcels to be released. Once victims had entered their card details to pay these ‘fees’, cybercriminals used this information to drain their bank accounts or go on lavish spending sprees.

Sadly, a staggering number of people were hoodwinked by the scam. According to Wired, 2020 saw a 1,077% increase in incidents related to Royal Mail.

The HMRC scam performed a similar dirty trick. Victims received SMS messages notifying them of a bogus tax rebate. And, after victims submitted their information, you guessed it, money suddenly started disappearing from their bank accounts.

Both scams had devastating effects, particularly at the height of a pandemic with many people on furlough, with victims losing savings or money they needed to pay bills.

What can you do to protect your business? 

Education, education, education 

Smishing attacks rely solely on human error. If your people can recognise the signs of a smishing scam, they simply won’t fall for it. The best way to achieve this is through security training.

Training can help your employees recognise the tactics typically used in smishing attacks such as impersonating a supplier, creating a sense of urgency, or offering bogus services. It can also help give them a good nose for what looks or sounds like a scam, identifying things like strange syntax, simple spelling mistakes and weird URLs or phone numbers.

Create clear cybersecurity policies

If your staff aren’t aware of what safe online behaviour looks like, they’re unlikely to adopt it. So, you need easy-to-follow cybersecurity policies to make it clear what safe and unsafe look like. 

Also, make sure they know where to find them. The most thorough cybersecurity policy in the world is useless if no one reads it. For more on why cybersecurity policies are so important and how CyberSmart can help, read this. 

Create a positive cybersecurity culture

Your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. Anything else risks security mistakes being swept under the rug, only to resurface ten times worse when they’re discovered later on.

So encourage your people to ask questions, report security issues and, most importantly, learn. There was never a truer cliché than ‘your people are your greatest cybersecurity asset’.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.
