The 7 biggest challenges of ISO 27001 certification

It takes months of hard work to meet the rigorous standards outlined by ISO 27001. But if you think it’s the right move for your business, then these are the challenges you should be aware of before starting your journey.

What is ISO 27001?

ISO 27001 is an international information security standard. It was first published by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and revised in 2013.

The standard contains 10 management system clauses and 114 information security controls. These provide businesses with impartial, best-practice guidance on building, deploying, and maintaining a robust information security management system (ISMS). ISO 27001’s guidelines cover all key areas in your business, including people, processes, and tools.

ISO 27001 is more comprehensive than similar security certifications, like Cyber Essentials. It isn’t mandatory for UK SMEs, but there are several benefits:

The benefits of ISO 27001 certification

  • Protect your business and customers from cybersecurity threats
  • Reassure customers
  • Enhance your reputation
  • Avoid the financial penalties associated with data breaches

Want to protect your business but unsure where to start? Check out our free guide to cybersecurity certifications in the UK.

7 Common challenges of ISO 27001 certification

1. Understanding the guidelines

ISO 27001 is complex. Annex A of ISO 27001 contains 114 controls. These cover everything from information security protocols to incident management and business continuity. It’s a lot to take in and leaves many businesses asking the question: “where do I start?”

2. Building a security framework

Before embarking on ISO 27001 certification, you should have a robust information security framework in place. This outlines your cybersecurity policies, as well as the processes and tools you use to protect sensitive data from potential threats. It also explains what to do in the event of a security breach.

Auditors assess cybersecurity risks against this framework. If you don’t have one, you’ll have to build it from scratch. This is a significant undertaking and can set your project back by several months.

3. Identifying security gaps

What does your current information security ecosystem look like? It’s a simple question, but unless you review your processes, policies, and tools regularly, it’s difficult to get the complete picture you need to spot potential blind spots in your defences.

This is problematic for two reasons:

  1. It’s difficult to see where you should focus your efforts
  2. You might waste time on unnecessary tasks

You wouldn’t be the first business to spend days writing a new bring-your-own-device policy, only to discover you already have one hidden in a rarely used SharePoint folder. A comprehensive gap analysis can provide you with the information you need. But it requires the cooperation and support of every department to make sure nothing falls through the cracks.

4. Establishing responsibilities and ownership

You might think the ISO 27001 certification process is the sole responsibility of the IT department. But that’s not always the case.

ISO 27001 isn’t only about anti-virus software and data protection. It covers everything from helping individual team members understand their responsibilities and putting physical controls in place to managing supplier risk and compliance.

The COO, operations teams, and HR all have a role to play in helping you achieve ISO 27001 certification.

5. Getting stakeholder buy-in

ISO 27001 certification is a long, intensive, and expensive process. You’ll have to put up with plenty of disruption along the way, and this can be a deal-breaker for some stakeholders. If your business has always worked in a certain way – and succeeded – stakeholders might justifiably ask: “is ISO 27001 worth the hassle?”

Many SMEs wrongly assume that they’re too small to be targeted by hackers, but that simply isn’t the case. 39% of UK businesses reported cyber breaches in 2021 and data suggests they’re on the rise.

You can overcome these objections by building a business case that outlines the value of ISO 27001 certification. This includes the benefits of ISO certification, such as stronger information security processes and enhancing your reputation.

6. Having no project plan

Attempting ISO 27001 certification without a plan is like trying to hit a bullseye while wearing a blindfold. You’ll hit the target eventually, but it’ll take longer and require considerably more effort.

ISO 27001 is a complex and time-consuming process. Successful ISO 27001 certification is a business-wide effort, and that means you need a project roadmap to:

  • Split the project into smaller, more manageable steps
  • Provide clear timelines for delivery
  • Ensure everyone’s on the same page

7. Implementing the project

One of the biggest challenges of ISO 27001 certification is implementing the project. SMEs typically lack the internal skills and knowledge to make the changes the standard requires.

The key to a successful ISO 27001 implementation is to provide internal teams with the relevant security training, so they can implement the changes with confidence. Alternatively, you could work with a third-party auditor to make sure you’re moving in the right direction.

Is ISO 27001 right for my business?

It depends. Most businesses that embark on ISO 27001 certification are enterprises that have an information security framework in place and are ready to add another layer of protection. They also have the resources to implement the required changes.

For most UK SMEs, ISO 27001 is a nice-to-have rather than a necessity. Cyber Essentials and Cyber Essentials Plus provide all the security you need to defend your business against the most common cyber threats, like phishing scams and human error.

We certainly wouldn’t recommend attempting ISO 27001 until you’ve completed Cyber Essentials at the very least. Cyber Essentials accreditation isn’t a prerequisite for ISO 27001. But starting with ISO is like trying to run before you can walk.

Still unsure which certification is best for your business? Check out our in-depth guide to cybersecurity certifications in the UK.

Cybersecurity certifications

5 benefits of Cyber Essentials certification

Maslow’s hierarchy of needs outlines key motivations that dictate human behaviour. There are five categories of needs, in order of importance.

  • Physiological
  • Safety
  • Belongingness and love
  • Esteem
  • Self-actualisation 

Physiological and safety needs are the most basic for humans to function – warmth, food, water, safety, etc. This can be applied to business, too. The most basic needs for a business to function include:

  • Having a product or service offering
  • Building an infrastructure to support sales/customers/employees, e.g. IT
  • Having a place to work or sell, e.g. website, office, shop
  • Protecting your business from threats like theft from physical stores or cyber attacks on systems and data

Certifications like Cyber Essentials satisfy the basic need to protect your business against threats.

Need more help finding the right cybersecurity accreditation for your business? Check out our guide.

What is Cyber Essentials?

Cyber Essentials is a cybersecurity certification designed by the government to give organisations a standardised level of protection.  

There are five security controls with criteria to address cybersecurity effectively and mitigate the risk from cyber threats:

  1. Firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

Businesses must meet the Cyber Essentials IT infrastructure requirements in all five areas to become accredited.

The 5 benefits of Cyber Essentials

1. Improve your security processes 

Once accredited, you’ll be less at risk of GDPR non-compliance and associated fines, and protected against 98.5% of the most common security threats.

Cyber Essentials provides a framework to improve your internal processes. The five categories of criteria act as a step-by-step guide to up your cybersecurity game. It’s easy to follow and gives you processes to follow that’ll set you up for future success. Save time, money, and stress by getting organised.

2. Build trust with customers

With so many high-profile and damaging cyber attacks worldwide, customers are rightly nervous about who to share data with and want to know their personal information will be safe. 

Having a government-backed accreditation lets customers know that you operate your business to a good standard of cybersecurity. This provides the reassurance they need to buy from you with confidence. 

Over time, you’ll build broader brand recognition and improve your reputation, too.

3. Bid for government contracts

If you want to work with organisations in the public sector and bid for contracts, you’ll need a Cyber Essentials accreditation. 

This is a huge opportunity to work on large-scale projects and form long-lasting positive relationships with public sector organisations. 

4. Be on a trusted register of suppliers

For the 12 months your certificate is valid, your company’s name will be on the NCSC website. This makes it easy for potential customers to check your cybersecurity credentials and validate your business.

5. Strengthen your supply chain

It’s not just important for your customers to trust you. Your partners, suppliers, and investors need to have confidence in your ability to operate safely, too. Having a recognised certification validates your processes and means they know you operate with their best interests at heart.

Start meeting your business needs today

Remember Maslow. Addressing all the basic needs of your business will give you a foundation for success. Getting your cybersecurity in order is a must, and working towards a Cyber Essentials certification will set you on the path to better data management. 

And when you have Cyber Essentials in place, you can think about striving for more complex certifications to fulfil needs further up the hierarchy so your business can reach its full potential.

Still unsure which certification is best for your business? Check out our in-depth guide to cybersecurity certifications in the UK.


What is smishing?

You’ve probably heard of phishing scams, have a decent handle on what they look like, and know how to avoid them. But just when you thought it was safe to log back onto your devices, there’s a new threat in town. ‘Smishing’.

Silly name aside, smishing is a pretty potent cyber threat and has fooled thousands of victims to date. So, to arm your business against this new breed of scam, here’s everything you need to know.

How does Smishing work?

Smishing attacks are a mutation of a classic phishing scam. They typically use SMS (hence the ‘smish’ part of ‘smishing’) to target victims and usually work much the same way as a typical phishing scam. A cybercriminal will impersonate a legitimate company to solicit personal data or financial information.

Like most social engineering attacks, smishing relies on creating a sense of urgency to trick victims into giving away their details before thinking too much about whether the message is legitimate. For example, a textbook smishing message often looks something like this: 

“Hi,

Your Parcel Service package has extra shipping charges of £1.45 that must be paid before we can deliver your parcel.

Please click parcelsevice-17374330.com to pay.”

Notice that this text message doesn’t feel quite right. The language isn’t quite what you’d expect from a professional courier, the link looks dodgy, and there’s lots of slightly shonky bold text everywhere. And on top of this, few couriers or postal services would notify you of extra charges via an SMS.

However, if you’re in a hurry or are expecting a parcel, you might just hit the link without thinking too much about it. And it’s exactly that scenario that the bad guys are counting on.

Want to know more about the threats facing UK businesses? Download our guide.

Why are smishing attacks on the rise? 

First of all, let’s state the slightly obvious. Smishing attacks are becoming a big cybersecurity problem. Reports of malicious text messages tripled in just a year from 2019 to 2020, skyrocketing from 107,663 in 2019 to 305,241 in 2020.

What’s more, Ofcom research revealed that 82% of UK adults (or 45m people) received a suspicious text or email during the summer of 2021. It’s got so serious that the UK government was forced to relaunch its Joint Fraud Taskforce in October of last year.

But what’s driving this?

Of course, some of this is down to the pandemic, we saw cyberattacks of all kinds increase dramatically in the wake of COVID-19. However, that’s not the whole story. In smishing, cybercriminals have hit upon a low-effort, high-reward way to target just about anyone who owns a phone. 

It’s substantially easier for cybercriminals to find your phone number than your email. Even if your number hasn’t been in a data leak, attackers can simply try random combinations of numbers until they hit upon one that’s a real phone number. After all, there’s a finite set of options for a mobile telephone number (UK numbers are 11 digits).

On top of this, smishing has become increasingly popular because people are more likely to trust a text message than an email. This is partly an educational issue. By this point, most of us are aware of the threat of email phishing scams (even if we still fall for them). Smishing is a newer phenomenon and, as a result, we tend to be more trusting. 

Are there any famous examples?

There are plenty of examples of famous brands being spoofed for smishing purposes, from banks to parcel services to government departments. But perhaps the most famous UK examples are Royal Mail and HMRC.

The Royal Mail scam looked a lot like our smishing example above. Victims were sent fake messages purporting to be from Royal Mail asking them to pay extra fees for parcels to be released. Once victims had entered their card details to pay these ‘fees’, cybercriminals used this information to drain their bank accounts or go on lavish spending sprees.

Sadly, a staggering number of people were hoodwinked by the scam. According to Wired, 2020 saw a 1,077% increase in incidents related to Royal Mail.

The HMRC scam performed a similar dirty trick. Victims received SMS messages notifying them of a bogus tax rebate. And, after victims submitted their information, you guessed it, money suddenly started disappearing from their bank accounts.

Both scams had devastating effects, particularly at the height of a pandemic with many people on furlough, with victims losing savings or money they needed to pay bills.

What can you do to protect your business? 

Education, education, education 

Smishing attacks rely solely on human error. If your people can recognise the signs of a smishing scam, they simply won’t fall for it. The best way to achieve this is through security training.

Training can help your employees recognise the tactics typically used in smishing attacks such as impersonating a supplier, creating a sense of urgency, or offering bogus services. It can also help give them a good nose for what looks or sounds like a scam, identifying things like strange syntax, simple spelling mistakes and weird URLs or phone numbers.

Create clear cybersecurity policies

If your staff aren’t aware of what safe online behaviour looks like, they’re unlikely to adopt it. So, you need easy-to-follow cybersecurity policies to make it clear what safe and unsafe look like. 

Also, make sure they know where to find them. The most thorough cybersecurity policy in the world is useless if no one reads it. For more on why cybersecurity policies are so important and how CyberSmart can help, read this. 

Create a positive cybersecurity culture

Your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. Anything else risks security mistakes being swept under the rug, only to resurface ten times worse when they’re discovered later on.

So encourage your people to ask questions, report security issues and, most importantly, learn. There was never a truer cliche than ‘your people are your greatest cybersecurity asset’.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.

State of SME cybersecurity

How to achieve Cyber Essentials certification when your business works remotely

If your business has employees who are hybrid or remote workers, you need to ensure their devices are secure and meet the requirements of Cyber Essentials. Cyber Essentials is the UK standard for organisations to follow to remain safe and secure from cybersecurity threats, and its requirements continue to be updated. Here’s how to make sure you’re covered when working remotely.

What are the steps to achieve Cyber Essentials certification remotely?

  1. Make sure your employee networks meet Cyber Essentials requirements
  2. List the equipment that each remote employee is using
  3. Check software and licenses are up to date

What is a network?

Any single device connected to a router can be considered a network. For the purpose of Cyber Essentials, your ‘network’ is the devices linked to share resources, exchange files, or allow communication. 

For example, think of your office printer. Rather than setting up a single printer for every employee, you’ll have a single printer that everyone can use (and you’ll argue over whose turn it is to change the toner). This is the perfect example of a network.

What does a network look like in practice?

Most offices and workplaces use a Local Area Network (LAN). A LAN is usually confined to a small geographic area, say an office in Bow or a warehouse in Bolton. A LAN allows every device within the network to use a single internet connection, share files, and access or control other devices. 

It’s possible to connect everything from printers and phones to smart TVs, speakers, and security cameras. You can even connect the office fridge. 

Unsure which certification is best for you? Check out our guide to cybersecurity certifications in the UK.

How to get Cyber Essentials certified when working remotely

1. Check employee networks meet Cyber Essentials requirements

We’ve just gone through what a network is. However, with remote working, networks might look a little different. 

Any device connected to a router is considered a network. With multiple remote workers, you’ll have multiple networks. 

All you need to do is ensure that each router meets the requirements of Cyber Essentials. For example, you should ask each employee to change the default password on their router.

2. List your remote employee equipment 

Question A2.8 of the Cyber Essentials assessment will require you to list all of your network equipment. But don’t worry, it’s pretty simple.

All you need to do is list the equipment each employee is using, as if you were in the office. 

What might this look like in practice? Let’s imagine a company with ten staff working from home. An equipment list will look something like this:

  • 2 x Sky broadband with Sky router
  • 6 x BT broadband with BT hub router
  • 1 x TalkTalk broadband with TalkTalk router
  • 1 x Virgin Media broadband with Virgin Media router

3. Check software and licenses are up to date

Any devices that home workers use to access organisation information should be covered by Cyber Essentials. And the software and licenses you use should be too. 

Make sure that software and licenses are:

  • Up to date, licensed, and supported
  • Removed from devices when they become unsupported
  • Set to update automatically where possible

But what about other elements of the Cyber Essentials assessment process? Fortunately, as the entire assessment can be conducted remotely, you can complete the process no matter where your staff are working from. 

Hopefully, we’ve cleared up most of the confusion surrounding networks and Cyber Essentials. However, if you have any further questions, please don’t hesitate to get in touch with our team. 

And, you can always find out more about which certification is right for you by downloading our guide to cybersecurity certifications in the UK.


What to Expect from a Cyber Essentials Plus Audit

If you’re looking to validate your cybersecurity and data protection processes, a Cyber Essentials Plus certification could be right for you.

You might decide to go for Cyber Essentials Plus accreditation because:

  • You want an independent assessment of your cybersecurity measures in addition to completing your self-assessment 
  • You want to show clients that data protection is a top priority
  • You work in an industry with higher-than-standard cybersecurity requirements

What’s the Difference Between Cyber Essentials and Cyber Essentials Plus?

For Cyber Essentials Plus, you’ll need a Cyber Essentials certification. To do this, you’ll build IT infrastructure and staff knowledge to meet standards across five categories:

  1. Firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

Then, you’ll take a self-assessment to get accredited. If you pass the self-assessment, you’ll be eligible to apply for Cyber Essentials Plus. 

Cyber Essentials Plus involves an independent audit of your devices, systems, and processes for extra validation – this is the key difference between Cyber Essentials and Cyber Essentials Plus.

Unsure which certification is best for you? Check out our guide to cybersecurity certifications in the UK.

What are the Benefits of a Cyber Essentials Plus Audit?

Some businesses find Cyber Essentials Plus more suitable because an independent assessment is more credible than a self-assessment. An objective, professional opinion ensures you’re as compliant as you think. It offers more peace of mind than you get with Cyber Essentials.

The verification of compliance also makes the certification more trustworthy for prospective and existing clients as there’s some external proof that you take cybersecurity and data management seriously. 

What to Expect from the Auditor

An auditor will audit a sample of your devices on-site or virtually to check they’re configured correctly. They’ll:

  • Confirm your devices
  • Scan devices to identify vulnerabilities using Nessus Professional scanning software
  • Observe how devices process emails with test attachments
  • Observe how devices handle downloads of file attachments from test websites
  • Check the installation and configuration of anti-virus software
  • Test Multi-Factor Authentication on applicable cloud services
  • Test how well your default browsers block malicious activity
  • Confirm account separation between admin and user accounts
  • Capture screenshots for evidence

How to prepare for the audit

Here are some practical ways to prepare for your audit.

Check your software

  • Update software on all devices, including servers
  • Download and install the 7-day trial of Nessus Professional, if you don’t have it already. This means the auditor can complete a Credentialed Patch Scan. If you have an alternative PCI-approved scanning tool already, please speak to your auditor
  • If you use the 7-day trial, create an account and download plugins to complete installation.
  • Remove software you don’t use regularly from every device, e.g., old browsers like Firefox

If you run Windows:

  • Enable file and print sharing. You can find this option in advanced sharing settings

If you run Windows 10:

  • Set the Windows service “RemoteRegistry” start-up type to “manual”. Access this by typing “services” in the home screen search bar

Create a new registry value:

  • Type “regedit” in the home screen search bar
  • Hive and key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • On System, right click and select New –> DWORD (32-bit) Value / REG_DWORD
  • Value name: LocalAccountTokenFilterPolicy
  • Value data: 1 (decimal)
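The two Windows 10 steps above (RemoteRegistry start-up type and the LocalAccountTokenFilterPolicy value) as a script you can run on each in-scope machine, with a read-back check and a revert. This is an added example, not CyberSmart’s or the certification body’s own tooling; it assumes an elevated PowerShell session, and the Enable/Disable/Test function names are my own.

```powershell
# Added example: prepare a Windows 10 host for the auditor's credentialed scan
# and revert the change once the audit is finished. Run from an elevated
# PowerShell session on each in-scope device.
# Assumption: the scanner authenticates with a local administrator account,
# which is why the audit asks for LocalAccountTokenFilterPolicy = 1.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Enable-AuditPrep {
    # Record the current start-up type so it can be restored later, then
    # set RemoteRegistry to Manual (started on demand by the scanner).
    $previous = (Get-Service -Name 'RemoteRegistry').StartType
    Set-Service -Name 'RemoteRegistry' -StartupType Manual

    # REG_DWORD 1 disables UAC remote restrictions for local accounts, so a
    # credentialed scan using a local admin account receives a full token.
    # This is a deliberate relaxation for the audit window only.
    New-ItemProperty -Path $PolicyKey -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null

    return $previous
}

function Disable-AuditPrep {
    param(
        # Start-up type to restore; Disabled is the Windows 10 client default.
        [string]$PreviousStartType = 'Disabled'
    )
    # Removing the value is equivalent to 0 (the default, restrictions on).
    Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    Set-Service -Name 'RemoteRegistry' -StartupType $PreviousStartType
}

function Test-AuditPrep {
    # Read both settings back so you can confirm the state before the audit
    # and confirm it has been reverted afterwards.
    $svc = Get-Service -Name 'RemoteRegistry'
    $val = (Get-ItemProperty -Path $PolicyKey -Name $ValueName `
            -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        RemoteRegistryStartType       = $svc.StartType
        LocalAccountTokenFilterPolicy = if ($null -eq $val) { 'not set (0)' } else { $val }
    }
}

# Usage: prepare, then check. After the audit, call
#   Disable-AuditPrep -PreviousStartType $originalStartType
$originalStartType = Enable-AuditPrep
Test-AuditPrep
```

Keep the value returned by Enable-AuditPrep so the revert restores the exact previous service state rather than assuming the default.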

If you run macOS:

  • Enable file sharing and remote login. You’ll find these options in System Preferences –> Sharing
  • Update AV engines and signature files. If you use an enterprise management dashboard to do this, even better
  • Activate and update AV plugins for every browser

The auditor will ask you for:

  • Administrator-level domain access. Create a new admin account for the audit or ensure an admin is there to help
  • A list of all in-scope devices and operating systems. If you use Windows 10, run a registry edit so the auditor can complete a scan
  • User email addresses for the email/web tests
  • A signed consent form

Need More Support?

If you’re not ready for a Cyber Essentials Plus audit or need some advice on which accreditation is right for you, there’s plenty of help available. Don’t rush into it. It’s important to pick based on your industry, goals, size, and the benefits you’ll experience from getting certified. It’s always good to prove your cybersecurity credentials, but that doesn’t always mean going for the most advanced accreditation.

And, you can always find out more about which certification is right for you by downloading our guide to cybersecurity certifications in the UK.


What to do after a ransomware attack

It started as a normal day at work. You send a few emails, drink some coffee, and attend a few meetings. But then things take a turn for the worse. Your flustered finance colleague tells you they aren’t able to access your customer database and a strange message is displaying on the screen. It’s happened. You’ve been hit by a ransomware attack.

But what do you do next? There’s plenty of information out there on how to prevent ransomware attacks from happening, but less on what to do if the worst does happen. So, here are our top tips for what to do next.

1. Take a deep breath and assess the damage 

This might sound obvious or slightly patronising, but it can be very difficult to stay cool and collected in the event of a breach. Many victims rush into paying the ransom straight away, giving them no wiggle room for negotiations with the attacker. 

So, first things first: take a moment to collect yourself. The hard work starts here. Once you’re ready, start assessing the damage. Has an attack definitely happened? Do you know which systems or files have been compromised? How far have the hackers got? These are all questions you’ll need to know the answer to.

Your next course of action will likely go in one of two directions. If your organisation has an incident response plan, follow that. If it doesn’t, don’t worry, you can follow the next steps on this list. 

2. Collect evidence 

This step shouldn’t take more than a few seconds, but it’s very important. You should immediately take a photo of the ransomware note. It doesn’t matter how you do it, a screenshot or a photo on your smartphone will work, but the key thing is to document the breach. This will help you in contacting your insurers and filing a police report.

3. Isolate the breach

Once it’s in, ransomware is designed to spread like wildfire across a network. To stop it from infecting every system in your business, you need to isolate the breach. 

That might sound complicated or techy, but it’s actually very simple. The easiest thing to do is disconnect the infected system(s) from your network so the ransomware can’t spread anywhere else. Doing this can stop a relatively minor breach from becoming business-threatening. 

4. Disconnect backups 

We’ve written at length on the importance of data backups before. And a successful ransomware attack is where they really come into their own. In the best-case scenario, it could save you from having to pay a ransom at all.

Unfortunately, cybercriminals know this. So most modern ransomware strains are coded to go after any backups you have. This means it’s important to secure your backups by disconnecting them from the rest of your network. And to be extra safe, we recommend locking down access to your backups until the infection has passed. 

5. Notify insurers and your IT provider

This step will be different for everyone, depending on whether you have cyber insurance or outsource any element of your IT to a third party. However, if you do have either, now’s the time to report the breach. You’ve completed the vital first steps to contain the threat and it’s time to bring in some help.

Your insurer needs to know for obvious reasons but both should be able to help you with the next steps. Many insurers are happy to put you in touch with experts and your IT provider should also be able to lend a hand.

At this point, it’s also worth notifying law enforcement and the ICO. Your insurers may require a police report to proceed and it can also help save other organisations from the same fate.

6. Identify the strain of ransomware

Unless you’re extremely unlucky, it’s unlikely your business is the first to be hit with whatever strain it’s been infected with. And this means it should be fairly easy to identify.

Free services like ID Ransomware allow you to upload a sample of your encrypted file(s), the ransom note, and the hacker’s contact info. They’ll then analyse this information and identify who or what has attacked you.

This is important for two reasons. First, who you’re dealing with will help inform your decision on whether to pay. Second, knowing what you’re dealing with is vital when you come to attempt to decrypt your files.

7. Try decrypting your files

Once you know the type of ransomware you’ve been infected with, it’s time to have a go at decrypting your files. This might be easier with the help of a cyber expert, but it’s not too difficult to do yourself. 

There are plenty of decryption tools available online. No More Ransom has a great selection of tools to decrypt most types of ransomware. All you need to do is find the strain you’ve been hit with from the list, download it and follow the installation process. The site is updated regularly, so even if you have been struck by a newer form of ransomware there should be something to help. 

Of course, this won’t always work. Ransomware is ever-evolving, with the bad guys constantly adding extra features. But it’s always worth a try.  

8. Reset passwords

You might have already done this step earlier on in the process. If so, give yourself a hearty pat on the back. If not, it’s time to reset all your business’s passwords. This is something you should be doing regularly anyway, but it can stop hackers from gaining access to other non-infected systems and attacking those too.

And, once the infection is completely removed, don’t forget to change them again.

9. Decide whether to pay or not 

Finally, we come to the trickiest part. Should you pay the ransom?

Sadly, there’s no absolute answer either way. Whether or not you decide to pay depends entirely on the scenario you find yourself in. If you’ve managed to decrypt your files and the data the hackers have isn’t sensitive, you probably don’t need to pay.

Likewise, your insurer may instruct you not to pay. Cyber insurers are currently split on ransomware best practices after years of near unanimity.

In other cases, paying might be the best option. For example, when the hackers have access to sensitive customer or financial data.

10. One last thing…

You may have noticed we haven’t mentioned communications to partners or customers. We’ve left this until last because, like paying the ransom, the decision is situation based.

If customer data has been stolen, then you need to inform clients and partners so they can secure their accounts. However, if the breach has only affected internal data, you may not need to communicate that to clients. 

Like the incident response plan we mentioned earlier, it’s well worth having an emergency communications plan ready to go in case you do get attacked.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.


CyberSmart joins Kickstart’s new accelerator

Another week, another good news story at CyberSmart. We’ve joined Kickstart’s new accelerator. Here’s what it all means.

What is Kickstart? 

Kickstart is one of Europe’s largest innovation platforms. It helps start-ups in a variety of sectors from FinTech to food and retail to innovate and scale sustainably. 

Since its founding in 2015, Kickstart has helped create over 220 commercial partnerships and supported 323 start-ups. 

What does the accelerator involve? 

Companies selected for the accelerator take part in a ten-week programme. It’s designed to breed commercial partnerships and encourage collaboration between start-ups and Kickstart’s partners. Its partners include AXA, Co-op, Swisscom, La Mobilière, PostFinance, Sanitas, The City of Zurich, Canton de Vaud, Credit Suisse, Galenica, CSS Insurance and others.

What does this mean for CyberSmart?

We’re delighted to be picked for the accelerator’s InsurTech cohort. Not only did we beat some strong competition, with applications coming from 58 countries, but we’re also set to work alongside some of the biggest names in the FinTech and InsurTech industries. 

This represents a massive opportunity for us. We’ll learn from and collaborate with some of the best. And, it’ll help us generate new ideas, refine our current products, and reach more small businesses than ever before.

All in all, it’s another step in our journey to protect every small business from cyber threats. Stay tuned for what comes next.

Protecting your business on a budget is tricky. Calling in the experts or investing in the latest tools is expensive. So what can you do? CyberSmart Active Protect secures your business around the clock with no need for costly consultants, tools or an in-house team. Try it today.


Why managed service providers (MSPs) are a target for cybercriminals

According to security services from the ‘five eyes’ countries – Britain, the US, New Zealand, Australia and Canada – Managed Service Providers (MSPs) are increasingly at risk of cyberattacks. But why? What makes MSPs such an enticing target for the bad guys? And, more importantly, what can MSPs do to protect themselves and their customers? 

Why are MSPs being targeted? 

At first, it might sound odd that cybercriminals are targeting, and often successfully attacking, MSPs. We think of MSPs as IT and cybersecurity experts with good defences, so surely there are more tempting targets?

Unfortunately, this is only partially accurate. Although it’s true that many MSPs do have pretty robust cyber defences, there’s another reason they get cybercriminals champing at the bit.

MSPs are so attractive to hackers because they can typically remotely access clients’ networks and IT environments. And, that’s before we mention how much data the average MSP has access to – everything from financial information to breakdowns of customers’ security. 

In short, MSPs are being targeted for the same reason as supply chains. Successfully breaching an MSP means cybercriminals gain access to much more than the initial target. It could lead to ‘follow-on’ activity across the MSP’s whole customer base.

In other words, it’s a huge win for the bad guys. And cybercriminals are very obviously aware of that fact. According to new research by N-able, 90% of MSPs suffered a successful attack in the last 18 months. The study also found that the number of attacks prevented by MSPs almost doubled during the same period.

What are the consequences of a breach?

The impact of a successful attack on an MSP can be severe. The best way to think about it is to split the consequences into two categories – direct and indirect. Let’s deal with direct first.

Perhaps the most obvious impact of a breach is the disruption it could cause an MSP. Your business could be hit with a lengthy clean-up operation, systems downtime, and a big dent in staff morale. What’s more, depending on the kind of attack, there may be a financial aspect to the disruption.

A ransomware attack could lead to your business having to make a hefty payout. Meanwhile, a serious malware attack, with a long period of systems outage, could lead to you haemorrhaging revenue.

Likewise, the reputational damage to any MSP successfully breached could be grave. Most MSPs pride themselves on their strong security and market themselves thus to customers. So the news of an attack could seriously weaken customer trust, leading to a PR nightmare and potential loss of revenue.

Having dealt with the direct consequences, let’s move on to the indirect ones. As we mentioned earlier, the major reason why cybercriminals are targeting MSPs is their customer base. And it’s your customers who could be the most affected by an attack.

A real-world example of this is the REvil ransomware attack on Kaseya, the MSP software provider. The breach spread to dozens of MSPs and over 1,500 of their customers, illustrating just how fast an attack could get out of control.

What can MSPs do to protect themselves and their customers? 

We’ve painted a pretty terrifying portrait so far. However, just because the consequences can be dire, it doesn’t mean there aren’t things you can do to protect your business and customers. Here are a few of the most important.

Set up multi-factor authentication (MFA)

MFA is an authentication method that requires you to provide two or more verification factors to sign into an application. Instead of just asking for your username and password, MFA adds some extras, like a randomly generated PIN code sent by SMS, a thumbprint, or a piece of memorable information known only to the user. 

MFA is also a sure-fire way to protect your business against cyberattacks. Passwords alone are vulnerable to data leaks and brute-force attacks. MFA, on the other hand, is very tricky for even the most sophisticated hackers to crack. 

Back up your systems and data

Backing up your systems and data can provide you with a vital failsafe after an attack. In some cases, it can even help you avoid having to pay a ransom. And, when it comes to what to back up, use this simple rule of thumb: ‘anything you don’t want to lose, back up’.

For more on how to do it, read this.

Segregate networks 

Both you and your customers should segment networks and systems as much as possible. What do we mean by segment? Well, one example is to never use admin credentials across multiple customers or systems.

Another is to ensure that no one has access or privileges beyond what they need to do their job. That might sound harsh but, in the event of an attack, it’ll allow you to isolate affected systems, customers, or accounts.
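The two segmentation rules above, one credential per customer and no privileges beyond the job, can be checked mechanically against an access inventory. The script below is an added example, not CyberSmart’s own tooling; the inventory rows, role names and job-to-role mapping are all constructed for illustration.

```python
"""Audit an MSP access inventory for credential reuse across customers and
for privileges beyond what a technician's job requires (added example)."""
from collections import defaultdict

# Constructed inventory: (technician, customer, role, credential_id).
# credential_id names the secret (e.g. a vault entry), it is not the secret itself.
INVENTORY = [
    ("alice", "acme",    "admin",    "cred-001"),
    ("alice", "globex",  "admin",    "cred-001"),  # same admin credential on two customers
    ("bob",   "acme",    "helpdesk", "cred-002"),
    ("bob",   "initech", "admin",    "cred-003"),  # admin rights on a helpdesk job
    ("carol", "globex",  "readonly", "cred-004"),
]

# Constructed privilege ladder and the highest role each job function needs.
ROLE_RANK = {"readonly": 0, "helpdesk": 1, "admin": 2}
JOB_MAX_ROLE = {"alice": "admin", "bob": "helpdesk", "carol": "readonly"}


def shared_credentials(inventory):
    """Credential ids that are used on more than one customer, with those customers."""
    customers = defaultdict(set)
    for _tech, customer, _role, cred in inventory:
        customers[cred].add(customer)
    return {cred: sorted(c) for cred, c in customers.items() if len(c) > 1}


def excess_privileges(inventory, job_max_role=JOB_MAX_ROLE):
    """Rows where the granted role outranks what the technician's job allows."""
    findings = []
    for tech, customer, role, _cred in inventory:
        allowed = job_max_role.get(tech, "readonly")  # unknown jobs default to least privilege
        if ROLE_RANK[role] > ROLE_RANK[allowed]:
            findings.append((tech, customer, role, allowed))
    return findings


def blast_radius(inventory, cred):
    """Customers reachable if this single credential were compromised."""
    return sorted({customer for _t, customer, _r, c in inventory if c == cred})


if __name__ == "__main__":
    for cred, customers in shared_credentials(INVENTORY).items():
        print(f"SHARED: {cred} grants access to {customers}")
    for tech, customer, role, allowed in excess_privileges(INVENTORY):
        print(f"EXCESS: {tech} is {role} on {customer}, job only needs {allowed}")
    print("blast radius of cred-001:", blast_radius(INVENTORY, "cred-001"))
```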

Train staff

At CyberSmart, we’re constantly pushing the importance of training. After all, if your staff don’t know which security behaviours are harmful or don’t know the warning signs of an attack, they’ll struggle to protect themselves or your business.

Training can fix this. And it’s probably the single most important thing you can do as a business. Find out more here.

Develop incident response plans

A successful attack on your business isn’t inevitable. Nevertheless, statistically, it is likely. So you need a coherent, easy-to-action response plan, in case the worst does happen.

You’ll also need to encourage or help your customers to develop their own. Currently, just 4% of MSPs report that all their clients have an incident response plan. And, this means thousands of weak links across the IT sector. 

Regularly patch software

Patching or updating any software you use, so that it doesn’t have easily exploited weak points, is incredibly simple but very important. Over time, even the best software develops vulnerabilities, suffers a breach, or simply becomes outdated. Applying patches released by the software provider can fix this.

Think of it as being like fixing a puncture. You apply the patch so no air can leak out. Updating your software effectively does the same thing, giving you air-tight cybersecurity. 

The best part? It won’t take you anywhere near as long as fixing a puncture, just a couple of minutes each month. 

Map your supply chain risks

Last of all, understand your supply chain risks. Assuming you’ve locked down your own cybersecurity, identify who among your customers or suppliers could pose a risk. Alongside this, talk to your customers and partners about their cybersecurity. The best defence against threats is a unified approach and common strategy.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.


Double delight as CyberSmart scoops two awards

We love an awards ceremony at CyberSmart. It’s a chance to wear long-neglected formal wear, snaffle a free dinner, and meet up with the people that make cybersecurity such a great industry to work in.

However, what we love even more than the glitz and glamour is winning. So imagine our delight when we were nominated for the 2022 SC Awards Europe and CompTIA Spotlight Awards and took home a gong at each. 

What were the awards?

The SC Awards Europe, run by SC Media UK, is one of the most prestigious events in the cybersecurity industry’s calendar. It aims to recognise and reward products and services that continue to stand out from the crowd, exceeding customer expectations to help defeat imminent threats and cybersecurity attacks.

The nominees and winners of these awards usually read like a who’s who of the cybersecurity sector. So we were very happy to be nominated, particularly as we narrowly missed out on an award last year.

The Computing Technology Industry Association (CompTIA) is a global leader in the training and upskilling of IT professionals. And, it’s one of the leading voices in our sector. Perhaps unsurprisingly, this makes the organisation’s annual awards ceremony a must-attend within the cybersecurity industry. 

What did we win? 

We won both the CompTIA UK Innovative Vendor Spotlight Award and SC Awards Europe’s Best SME Security Solution award.

We’re incredibly proud to win two such prestigious awards, especially amongst such impressive competition. We’d also like to say congratulations to all the other nominees and winners.

What comes next? 

Although we’re always thrilled to win awards, our work is far from done. We won’t stop until every small business has the knowledge and protection to keep themselves safe from cyberattacks.

As we write this, SMEs are being targeted like never before and there are still too many without adequate protection. And these awards, while proving we’re on the right track, only spur us on to help more small businesses.

To find out more about what drives us, read our latest guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.


The State of UK SME cybersecurity

UK SMEs have faced a turbulent few years. The COVID-19 pandemic altered the way many of us work forever. The conflict between Russia and the international community has raised the spectre of cyber attacks on UK businesses. And cyber threats for SMEs continue to rise.

So with all these factors in play, how are the UK’s SMEs managing? Has the rise in remote working led to a change in cybersecurity practices? How often are SMEs facing cyber threats? Most importantly, what can they do to better protect themselves?

To answer some of these questions, Gartner-owned Software Advice – a company that provides advisory services, research, and user reviews on software applications – surveyed 500 managers at UK SMEs.

And we’ve teamed up with Software Advice to bring you the results. 

What’s in the guide?

Using the data provided by Software Advice, we tackle:

  • How often SMEs are being attacked
  • The impact of COVID-19 on SME cybersecurity
  • The biggest threats facing SMEs
  • The consequences of a breach on SMEs
  • What SMEs are most worried about
  • How effective SMEs’ defences are
  • What SMEs can do to better protect themselves

And much, much more.

Where can you get a copy?

As this is such important data for the entire cybersecurity industry, we’re offering our guide free to anyone who finds it useful. All you need to do to get your copy is download it here or hit the button below.
