The State of UK SME cybersecurity

UK SMEs have faced a turbulent few years. The COVID-19 pandemic altered the way many of us work forever. The conflict between Russia and the international community has raised the spectre of cyber attacks on UK businesses. And cyber threats for SMEs continue to rise.

So with all these factors in play, how are the UK’s SMEs managing? Has the rise in remote working led to a change in cybersecurity practices? How often are SMEs facing cyber threats? Most importantly, what can they do to better protect themselves?

To answer some of these questions, Gartner-owned Software Advice – a company that provides advisory services, research, and user reviews on software applications – surveyed 500 managers at UK SMEs.

And we’ve teamed up with Software Advice to bring you the results. 

What’s in the guide?

Using the data provided by Software Advice, we tackle:

  • How often SMEs are being attacked
  • The impact of COVID-19 on SME cybersecurity
  • The biggest threats facing SMEs
  • The consequences of a breach on SMEs
  • What SMEs are most worried about
  • How effective SMEs’ defences are
  • What SMEs can do to better protect themselves

And much, much more.

Where can you get a copy?

As this is such important data for the entire cybersecurity industry, we’re offering our guide free to anyone who finds it useful. All you need to do to get your copy is download it here or hit the button below.


7 key takeaways from the DCMS Cybersecurity Breaches Survey 2022

Each year, the Department for Culture, Media and Sport releases its Cybersecurity Breaches Survey. It’s fast become one of the most influential cybersecurity reports around, driving government policy and the National Cyber Strategy.

The Cybersecurity Breaches Survey covers everything from threats to the processes businesses use to protect themselves and takes in everything from schools to start-ups. However, it’s also a very long report, with lots of tables, graphs and references – not something that’s easily digestible during your lunch hour.

So, to save you the trouble, we’ve pulled together the key takeaways for SMEs.

1. The number of cyberattacks stays stable

It’s no secret that during the first year of the COVID-19 pandemic the number of attacks on UK businesses skyrocketed. DCMS figures from 2020 show that 46% of UK businesses reported a cyberattack, up from 32% the previous year.

However, the number declined in 2021 to 39% and it’s stayed stable at the same figure this year. That might sound like great news, but there are some caveats. First of all, 39% is still too many; that’s more than a third of all UK businesses being attacked in any given year.

On top of this, there’s a chance that the figures, while accurate, don’t tell the whole story. As the report states, the better your cyber defences, the more likely you are to detect and report an attack. This suggests that smaller organisations and those with less sophisticated defences might be underreporting attacks.

2. Phishing remains the most common type of attack 

One of the most important findings of the Cybersecurity Breaches Survey is just how common social engineering attacks, particularly phishing scams, have become. 83% of all organisations surveyed said they’d experienced some form of phishing attack in the last 12 months. And this was followed, some way behind, by impersonation-style social engineering attacks with 67%.

What does this tell us?

Well, it tells us that cybercriminals have hit upon a formula that works for targeting businesses big and small. But that’s not all. It also teaches us that security training for staff has never been more important. With most cybercriminals using some form of social engineering attack, your people need to be able to spot the signs and recognise threats when they see them.

3. Few businesses are taking the supply-chain threat seriously

We’ve covered the risk posed by supply chains at length (if you haven’t already, read this). According to research, up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to target high-profile businesses, you don’t need to attack the organisation itself.

Big corporate enterprises often have the best in cybersecurity tools and processes, so breaching their defences is difficult. However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it.

Despite this, only 13% of businesses assessed the risks posed by their immediate suppliers. In fact, few considered cybersecurity an important factor in the procurement process. 

4. Getting hacked costs a lot

This might not come as a surprise, but a successful cyber breach can really hit your business in the pocket. The average cost of a breach across businesses of all sizes is £4,200, with a figure of £3,080 for SMEs. The news is even worse if you’re a medium or large-sized business. The average figure for firms of this size stands at an eye-watering £19,400.


It’s worth noting that only one in five businesses suffer any negative consequences as a result of a breach. But, with 31% of businesses reporting that they’re attacked at least once a week, the chances of being part of that one in five are high.

5. Most small businesses don’t have a cybersecurity strategy

To be clear, the lack of a formal cybersecurity policy isn’t just a problem for small businesses; just 23% of all businesses have one. Nevertheless, the trend is much more severe among smaller businesses. While 57% of large firms have a formal strategy, just 20% of micro firms and 37% of small firms have one.

And it’s not just an overarching strategy that’s missing. Most businesses don’t have a clear plan in place for what to do if the worst happens. Just 19% of businesses surveyed said they had a formal incident response plan. 

This makes for worrying reading. It suggests that, in those crucial first few minutes and hours after an incident, too many businesses aren’t dealing with the threat in an organised way, handing a huge advantage to the bad guys. 

6. Ransomware confusion reigns

One of the worst questions any business has to answer is what to do in the event of a successful ransomware attack. Do you pay out? Or do you play hardball with the ransomers?

Although it’s a tricky question, it’s crucial to have a policy one way or another. However, one in five businesses (19%) stated they weren’t sure what they would do. On top of this, many small businesses still believe that ransomware isn’t a threat, either because they are ‘too small’ or have ‘nothing of value’ to steal.

7. Cyber Essentials uptake is still low

Unless this is your first CyberSmart blog, you’ll know we talk about Cyber Essentials certification constantly. It’s the single most important thing a small business can do to improve its cybersecurity.

But, unfortunately, the uptake of Cyber Essentials is still very low. Only 6% of businesses have the Cyber Essentials certification and just 1% have Cyber Essentials Plus. Unfortunately, this is likely a problem of awareness. Although every business could benefit from taking the certification, too few are aware of its existence. This needs to change, and fast.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cybersecurity.


Why are data backups so important?

If you’re at all tuned into the cybersecurity sphere, you may have noticed that 31st March was World Backup Day (we forgive you if you missed that, it’s not a red-letter day in most people’s calendars). In the midst of all the messages telling you that it’s important to back up data, you may have found yourself wondering, why? And more importantly, how?

It got us thinking too. So, here’s the lowdown on backups – how they work, why you need them, and what you need to do to set them up.

Why do you need backups?

The rationale behind backups is pretty simple: sometimes, bad things happen and, when they do, you want to be sure your most valuable assets are safe. In this case, we’re talking about data, whether that’s personal data, customer data, or important files.

Simple, right? However, a staggering 21% of people have never backed up their devices. This is even more surprising when you consider all the ways in which data can be lost. There’s human error, which a Stanford University study estimates accounts for 88% of all data loss. You could lose data through the simple theft of a device. And, then, there’s cybercrime.

Data is the most valuable currency to cybercriminals. It’s why ransomware attacks are so prevalent and it’s also what most cyberattacks target (even a phishing attack is ultimately after data).

Using data backups not only protects you against accidental loss, but it’s also a key weapon against many cyber attacks. Take ransomware as an example; a cybercriminal may have held your data to ransom but, with a backup of that data, your business will still be able to operate while you decide what to do next. 

Think of it in the same way you would business insurance. You pay out each month, praying you’ll never have to use it, but if the worst does happen you’re covered. 

How do data backups work? 

Data backup software is a very simple concept. You install the software on your devices and systems, and it then copies and saves your data to an external source. This could be an external drive, data centre, or cloud.

Most modern data backup tools will save to a cloud. The data is copied, encrypted, and sent to a cloud server until you need to restore it. Storing your data in this way ensures that it’s safe in the event of accidental loss or a cyberattack. 

What data should you back up?

In most modern organisations, you can find data in just about every function of the business, whether that’s marketing, finance or sales. Files, folders, images, payroll data, supplier data, customer data, third-party app data – it all needs to be backed up. 

It might sound counter-intuitive that you need to back up third-party data. However, many Software as a Service (SaaS) businesses will only back up their own platform.

How do you set up data backups?

Setting up data backups for your business isn’t a complicated process. There are countless options, from tools like Dropbox Business to Microsoft OneDrive. The option you choose will largely depend on your business, but there are a few things to bear in mind.

1. Make it cloud-based 

You don’t have to use a cloud-based service as your primary backup; an external drive or your own data centre will work just fine. But a cloud-based option will easily scale with your business and probably save you money in the long run. Added to this, there’s the safety element. Using a cloud is by far the safest way to store your data.

2. Keep it simple

 As an SME, it’s unlikely that your business is packed with IT experts. So, whichever option you choose, ensure it’s easy to set up and use. A good test of suitability is to ask yourself whether the least technically minded person in your business would be able to use it without difficulty. 

3. Set up a redundancy option 

Although you’re never likely to need it (cloud providers lose data very, very rarely), it’s worth setting up a backup of your backup. We advise having three copies of your data: the original, one in the cloud, and one on a company-owned drive or data server. That way you’re covered, whatever happens. 

4. Pick one that’s automated 

If you’re anything like the majority of small businesses, you probably don’t have a dedicated IT team. And, even if you do, they’re unlikely to have time between fixing printers and helping people locked out of their devices to manage backup processes.

To get around this, you’ll want a solution that backs up your data automatically, so no one in your business has to worry about it. 

5. Find out what your provider’s DRP is

Every data storage provider should have a disaster recovery plan (DRP). You need to know what your provider has in place should their servers experience an outage or be destroyed and how you can access your data. So when choosing, be sure to ask.


Protecting your business on a budget is tricky. Calling in the experts or investing in the latest tools is expensive. So what can you do? CyberSmart Active Protect secures your business around the clock with no need for costly consultants, tools or an in-house team. Try it today.


What is a zero-day attack?


Provided you’ve read any cybersecurity story in the media recently, you’ve probably come across the phrase ‘zero-day attack’ before. It’s often dropped into reports by journalists with little explanation of what it means or why you should worry about it. So, in the interest of clearing up some confusion, here’s everything you need to know. 

What does ‘zero-day’ mean?

Usually, software companies and developers will periodically fix flaws in their products. However, there are some rare instances where this doesn’t happen and a flaw goes unnoticed.

The term ‘zero-day’ refers to those security vulnerabilities that fall through the cracks. It’s neat shorthand for developers having only just discovered the flaw and limited time (zero days) to fix it.

A zero-day attack happens when the bad guys get there first and exploit the flaw before the developers have discovered it.

How do zero-day attacks work? 

All software, no matter how robust initially, develops vulnerabilities over time. It could be that the software was built with vulnerabilities that weren’t anticipated at the time or it might be that a new cyber threat has emerged since it was created.

Whatever the reason, the fix is usually simple. Developers create a patch, release it in an update to users, and the vulnerability is dealt with. Think of it as being a bit like your mum fixing your school trousers after you fell over in the playground for the umpteenth time.

Unfortunately, this doesn’t always happen and hackers get there first. And, as long as the vulnerability goes undetected, cybercriminals can write and implement code to exploit it. This could allow them to steal confidential data, launch social engineering attacks, or even release malware onto users’ computers.

This can go on for as long as the vulnerability remains undetected; sometimes days or even months. What’s more, even when the flaw has been fixed and an update released, it may take some time before every user updates their device. After all, an update is only as good as the number of users who download it. 

How do you know when a zero-day attack has happened?

A zero-day attack is particularly dangerous because the only people who know about it are the cybercriminals themselves. This allows them to pick their moment, either attacking instantly or biding their time.

Because vulnerabilities come in many shapes and sizes from problems with password security to broken algorithms, they can be very hard to detect. Often, a business won’t know there’s anything wrong until the vulnerability has been identified.

Nevertheless, there are some telltale signs. You might see sudden surges in unexpected traffic, odd behaviour from software you’re using, or suspicious scanning activity. 

Are there any famous examples?

Incidents involving zero-day vulnerabilities are more common than you might think. Only days ago (early Feb 2022), it was revealed that three critical flaws in the code for a WordPress plugin threatened 30,000 websites worldwide. Fortunately, on this occasion, WordPress appear to have got there before the bad guys, but there are plenty of examples when businesses weren’t so lucky.

Zoom, 2020

In this instance, hackers found a vulnerability in the popular video conferencing platform Zoom. It allowed cybercriminals to remotely take over the computer of anyone using Zoom and running an older version of Windows.

Microsoft Word, 2017

In a horribly alarming twist, this attack used a vulnerability in Microsoft Word to steal users’ banking login data. Users who opened seemingly normal Microsoft Word documents unwittingly installed malware on their device that was able to collect banking login credentials.

Apple iOS, 2020

Apple is generally famous for its impregnable security (remember the old myth that Apple Macs couldn’t get viruses?). However, in 2020, hackers did discover a vulnerability in its iOS mobile operating system. This flaw allowed cybercriminals to remotely access and control unlucky users’ iPhones.

What can you do to protect your business?

Update your software regularly

The easiest way to protect your business against zero-day attacks is to regularly patch your software and operating systems. It shouldn’t take you more than a couple of minutes each month. All it requires is that you check now and then for any new updates to tools and software you use. Or, if you want an even easier solution, simply turn on auto-updates in your device’s settings, and you won’t even have to think about it.

Use a firewall and anti-malware

Firewalls and anti-malware tools are the first line of defence for most cybersecurity threats and zero-day attacks are no different. Good firewalls and anti-malware can thwart some zero-day attacks the minute they enter your system. 

Limit the number of applications you use

Most businesses already do this to some extent, software costs money after all. However, when it comes to protecting your business against zero-day threats a simple maxim applies: the less software you have, the smaller the number of potential vulnerabilities. So try to use only the software and tools your business really needs. 

Educate your team 

Most zero-day attacks capitalise on human error in some way. So educating your employees on good security practices and habits can help reduce the risk of a successful zero-day attack. For more on how to go about this, check out our blog on security training.


What is multi-factor authentication?


When you sign in to an online account, you’re asked to prove your identity (a process we call authentication in the cyber world). Usually, you’ll do so via a username and password. The trouble is, it’s not a very safe way to do it. Usernames can be guessed and many of us use the same, simple passwords for everything.  

So it’s been clear for some time that we need something better. Enter multi-factor authentication (MFA). But what is it? And why should you use it?

What is multi-factor authentication?

MFA is an authentication method that requires you to provide two or more verification methods to sign in to an application. Instead of just asking for your username and password, MFA adds some extras, like a randomly generated PIN code sent by SMS, a thumbprint, or a piece of memorable information known only to the user.

You’ve probably already experienced this if you’ve used online banking or signed in to a Google account recently. In fact, it’s well on the way to being commonplace for most applications.

The idea behind MFA is very simple. The more locks you have on the door, the harder it is for an intruder to break in. Think of it as adding a cyber deadbolt, a door chain lock, and maybe some cameras for good measure to keep the bad guys out. 

Why does your business need it?

Again, the why is delightfully simple. Using MFA can dramatically reduce the chances of a successful cyberattack on your business. 

Passwords and user credentials are important, but they’re vulnerable to brute-force attacks and can be stolen by hackers. In contrast, an MFA method like a thumbprint or one-time PIN is very difficult for even the most dedicated cybercriminal to crack. 

On top of the obvious security benefits, you’ll also need some form of MFA to complete Cyber Essentials certification. Under the new requirements, MFA should always be used for accounts that connect to cloud services. 

What types of multi-factor authentication are there? 

Broadly speaking, there are three neat categories of MFA:

  • Information you know, such as a password, security question, or PIN
  • Objects you possess, such as a smartphone – this is where one-time PINs come in
  • Things you are, think biometrics like thumbprints or voice recognition

2FA or MFA? 

At this point, you could be forgiven for wondering whether using MFA is overkill. After all, you probably already use two-factor authentication (2FA) for things like your business banking or office suite (Microsoft 365 or Google Workspace). Do you need the extra authentication factors? 

Remember the old maxim, beloved by school teachers and parents, ‘it’s better to be safe than sorry’? Well, it really does apply when it comes to cybersecurity. 2FA is hard for cybercriminals to crack and it’s far safer than using just a password. However, it’s a no-brainer to make the risk even smaller by adding extra layers of authentication. The harder it is for cybercriminals to breach your business, the less likely they are to succeed. 


Everything you need to know about the Cyber Essentials price change


From Monday 24th January, the price of Cyber Essentials is changing. Here’s everything you need to know about what it means for your business.

What’s changing? 

For the first time since its creation seven years ago, the National Cyber Security Centre (NCSC) and certification body IASME have announced changes to the price of Cyber Essentials certification.

The change, which goes through on Monday 24th January 2022, includes several additions to the Cyber Essentials question set.

Why is the price of Cyber Essentials increasing? 

The world has changed dramatically since Cyber Essentials was launched seven years ago. Cloud services are now widely used, digital transformation has really taken hold and, of course, many of us are now doing some form of remote or hybrid working.

So, to help businesses better tackle these challenges, IASME and the NCSC have updated the requirements of Cyber Essentials certification. The update includes new requirements for:

  • Cloud services
  • Multi-factor authentication
  • Password management 
  • Security updates
  • Working from home

We’ve outlined all of the most important changes below.

[Images: Cyber Essentials Price Change, Cyber Essentials Price Change 2]

These changes add an extra layer of complexity to certification, particularly for larger organisations. And the new pricing reflects the rigour involved in assessing bigger businesses.

What does this mean for you? 

First, it’s important to state that Cyber Essentials remains one of the best-value things a business can do to improve its cybersecurity. In fact, with the inclusion of the new requirements, Cyber Essentials offers better protection to SMEs than ever before.

In other words, the new look Cyber Essentials gives you more for your money while still remaining affordable for any business.

How is CyberSmart approaching the changes?

Up until 7th March 2022, we will continue to offer Cyber Essentials to all our customers and partners for the same price as before.

In other news, after listening to feedback from our customers,  we’re also launching our new CyberSmart bundles, containing the CyberSmart Dashboard, CyberSmart Active Protect and Cyber Essentials certification in one neat package.

These bundles contain everything your business needs to improve its cybersecurity and stay secure long after certification. To find out more, please get in touch at hello@cybersmart.co.uk or click here.


What is a DDoS attack?

The cybersecurity industry has long had a reputation for impenetrable jargon, be it tools, threats or solutions. So, in this blog, we’re demystifying another confusing term. What are ‘DDoS attacks’? Why should you be worried about them? And, most importantly of all, what can you do to stop them?

How does a DDoS attack work?

DDoS stands for Distributed Denial of Service. And it’s a very simple but potentially very disruptive premise. Cybercriminals pick a target, then flood its network with so much malicious traffic that it can’t operate as it usually would. The result is that legitimate traffic (such as shoppers or readers) grinds to a halt. 

You’ve probably seen this technique used before without necessarily putting a name to it. Google was hit with the largest attack on record in 2017. Meanwhile, Amazon Web Services fell foul of a gigantic attack in February 2020.

How common is this kind of attack? 

DDoS attacks are more common than you might think and they’re on the rise. 2020 saw a 151% increase in the frequency of attacks in comparison to 2019. And, to make matters worse, cybercriminals are increasingly targeting small businesses with this kind of attack. 

How much damage can a DDoS attack do? 

A DDoS attack is highly disruptive for any business. But for big corporates, it’s usually something they can swallow. After all, for a multi-billion dollar business, a few days’ lost revenue and some disgruntled customers don’t have to spell disaster.

However, for a small business, a DDoS attack can have serious consequences. A successful DDoS attack can take down entire websites and systems. This could mean lost revenue, breached data, reputational damage, dissatisfied customers, and a massive cleanup effort to get systems back up and running. In other words, a potentially critical situation for a small business with limited resources. 

What can you do to protect your business? 

We’ve painted a pretty scary picture so far. But that doesn’t mean small businesses are defenceless in the face of DDoS attacks. There’s plenty you can do to help your business avoid the worst-case scenario. 

Use a Web Application Firewall (WAF)

A WAF blocks suspicious traffic and prevents DDoS attacks from accessing your business’s servers. And, the best thing about a WAF is that it’s easy to customise for your business. For example, if you mostly do business in the UK, you could configure it to block all non-UK traffic. Or, you could take it a step further and blacklist traffic from markets renowned for attacks.

Of course, like all software, you need to ensure you’re patching regularly for it to be most effective. 

Learn to spot the signs

We’re always talking about the importance of security training for your staff and our advice is no different when it comes to preventing DDoS attacks. One of the key reasons that DDoS strikes are so hard to stop is so few people know how to recognise them – until it’s too late and business systems fail.

To give an example of what we mean, did you know a sudden surge in traffic – even for just a few minutes – could signal the start of an attack?

Even basic cybersecurity knowledge among staff about what the threats are, how to spot them, and what to do in the event of an attack, can help your business get a head start on cybercriminals.
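The “sudden surge in traffic” sign mentioned here, and in the zero-day section above, can be checked mechanically. The following is an added example, not code from the original post or from CyberSmart: a small Python detector that buckets web-server access-log lines per minute and flags any minute whose request count jumps well above the recent quiet baseline, also reporting how many distinct source addresses were involved (a hint that the flood is distributed). The log lines are constructed, and the thresholds (5× baseline, at least 50 requests in a minute) are assumptions rather than figures from the page.

```python
"""Flag minute-level request surges in web server access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Matches the common/combined access-log format used by Apache and nginx, e.g.
# 203.0.113.7 - - [12/Feb/2022:10:01:13 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the source address, minute bucket and request line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return {"ip": m.group("ip"), "minute": ts.replace(second=0), "request": m.group("req")}


def bucket_by_minute(lines):
    """Count requests and distinct source addresses per minute."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        counts[rec["minute"]] += 1
        sources[rec["minute"]].add(rec["ip"])
    return counts, sources


def find_surges(lines, factor=5.0, min_requests=50, baseline_minutes=5):
    """Flag minutes whose request count jumps well above the recent quiet baseline.

    The baseline is the median of the last `baseline_minutes` minutes that were
    NOT themselves flagged, so a flood lasting several minutes does not raise the
    bar it is measured against. The thresholds are assumed values, not tuned ones.
    """
    counts, sources = bucket_by_minute(lines)
    quiet = []   # request counts of recent un-flagged minutes
    alerts = []
    for minute in sorted(counts):
        n = counts[minute]
        baseline = median(quiet) if quiet else None
        if baseline is not None and n >= min_requests and n >= factor * max(baseline, 1):
            alerts.append({
                "minute": minute.isoformat(),
                "requests": n,
                "baseline": baseline,
                "distinct_sources": len(sources[minute]),  # many sources = distributed
            })
        else:
            quiet = (quiet + [n])[-baseline_minutes:]
    return alerts


def make_sample_log():
    """Constructed sample (not real traffic): quiet minutes around a three-minute flood."""
    def line(ip, minute, second, path):
        return (f'{ip} - - [12/Feb/2022:10:{minute:02d}:{second:02d} +0000] '
                f'"GET {path} HTTP/1.1" 200 512')
    lines = []
    for minute in list(range(0, 10)) + [13, 14]:      # normal trade: 8 requests/minute
        for k in range(8):
            lines.append(line(f"198.51.100.{k % 4 + 1}", minute, k * 7, "/shop"))
    for minute in range(10, 13):                       # flood: 300 requests/minute, 150 addresses
        for k in range(300):
            lines.append(line(f"203.0.113.{k % 150 + 1}", minute, k % 60, "/"))
    return lines


if __name__ == "__main__":
    for alert in find_surges(make_sample_log()):
        print(alert)
```

Running it on the sample flags 10:10, 10:11 and 10:12 at 300 requests against a baseline of 8, each from 150 distinct addresses; the quiet minutes either side are left alone.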

For more on security training, read this.

Be mindful of your supply chain

A huge proportion of cybersecurity attacks now begin in the supply chain. And, unfortunately, this includes DDoS attacks. Most SMEs are part of a supply chain and lack the security resources of larger partners, making them an enticing way for cybercriminals to attack more glittering prizes. 

These ‘attacks through the back door’ are becoming increasingly common. US retail giant Target was fined $18.5 million after a breach at its air conditioning partner led to the leak of millions of credit card details. 

So talk to your suppliers and partners about their cybersecurity practices and share experiences and advice. For those below you in the chain, this may mean asking for proof that their cybersecurity is in order. And for the bigger companies you service, this could mean agreeing to shared security practices and transparency in the event of a breach. 


CyberSmart scoops two Security Excellence Awards


Awards season is in full flow and it’s already been a successful one for CyberSmart, as we scooped two awards at Computing’s Security Excellence Awards 2021.

What are the Security Excellence Awards? 

Computing’s Security Excellence Awards celebrate the achievements of the tech industry’s leading security companies, products and personalities. Or, as they put it, ‘the ones who keep the rest of the industry operating’.

This year has been a particularly tough year for anyone working in cybersecurity. Remote and hybrid working have become commonplace, nation-state and ransomware attacks are on the rise, and a society that previously gave little thought to cybersecurity has suddenly been forced to start thinking about it in a big way.

These awards are a well overdue celebration of the best of a turbulent year. 

What did CyberSmart win?

We’re delighted to have won two awards, one for CyberSmart as a business, and the other for our SME-focused product, CyberSmart Active Protect. Here’s a little explanation of each award: 

Security Vendor of the Year – SMEs

“SMEs are often forced to make do with ageing infrastructure and legacy systems, and may be unable to defend themselves against new threats. This prize will go to the company that can best aid SMEs in their constant battle to avoid becoming the ‘low-hanging fruit’ of cybersecurity.”

SME Security Solution Award

“SMEs are prime targets to malicious agents, with small teams and often similar budgets. The cost of large and expensive security offerings can make SMEs feel priced out of the market, so in this category, we’re looking at affordable services that still offer the range and scope of security coverage any larger organisation typically enjoys.”

What does this mean for CyberSmart? 

First of all, we’re thrilled to have won these two awards, particularly as both focus on SMEs. Since our founding, we’ve made it our mission to make cybersecurity simpler and more affordable for SMEs. So, to be recognised at an awards ceremony for doing exactly that is proof we’re on the right track.

However, our work is far from done. SMEs are being targeted like never before and there are still too many without adequate protection. While welcome, these awards only add fuel to our fire for 2022 and beyond.


5 ways to protect your business from cyber threats this holiday season


Black Friday, Cyber Monday, the January and Boxing Day sales. The busiest retail period of the year is almost upon us. But while the holiday season often brings with it bumper sales figures for retailers and bargains for consumers, it also comes with a heightened risk of cyber threats. 

For example, November 2020 saw an 80% increase in the number of common email phishing scams reported. Meanwhile, the UK’s National Cyber Security Centre (NCSC) has been gearing up for the period by releasing updated guidance for consumers on how to shop online safely.

However, what’s often less widely discussed is the impact this can have on small businesses. Even if your business has nothing to do with retail, you’re still at risk. Here’s why and what to do about it. 

What risks does the holiday season bring? 

Before we look at the risks themselves, it’s important to note that the festive season doesn’t necessarily mean more targeted attacks on SMEs themselves. 

However, who among us hasn’t done the odd bit of lunchtime shopping on company devices or personal devices used for work? And it’s this clandestine bargain hunting that poses the problem. It gives cybercriminals a route into your business. 

Phishing scams

Phishing scams are a year-round problem. But during major retail events like Black Friday, the chances of a successful attack rise sharply. With so many of us frantically shopping around for the best deals, our ability to spot the telltale signs of a scam often diminishes as quickly as our bank balances.

It’s a simple but potentially disastrous equation. If you’re in a bit of a rush, you’re not in the best frame of mind for considered judgements. And, if you’re already shopping, a fake email claiming to relate to what you’re doing online might not set off the alarm bells it normally would. 

Fake online retailers 

Black Friday often comes with a deluge of fake websites claiming to sell this year’s must-have products at bargain prices. Unfortunately, most of these are simply fronts for cybercriminals to acquire consumers’ data or launch attacks. Like phishing scams, these can be hard to spot in the hurly-burly of major retail events, making a successful attack much more likely. 

Outdated software 

Again, this is a problem 365 days of the year. But the festive season provides the perfect cover for hackers to probe for vulnerabilities in popular software.

Firstly, because technical teams’ attention tends to be focused on ensuring apps can handle the sudden surge in demand rather than security. Secondly, because many consumers will suddenly be using apps they haven’t used or updated in months, often on devices with access to your business data. 

Public and home networks

You probably have decent network protection in your physical workplace, but do your staff working from home have the same? And does the cafe around the corner with the free WiFi that everyone uses?

Insecure public and home networks are a problem for the rest of the year too, but during busy retail periods, when people are much more likely to shop online, the risk is heightened. They give cybercriminals a remarkably simple way to break into any unsecured device on the network. Once in, they’ll be able to reach any company assets accessible from that device.

Weak passwords 

You’ll hear us talking about the importance of strong passwords a lot. It’s the simplest thing you can change to improve your cybersecurity. However, passwords become doubly important in busy retail periods due to the amount of traffic on popular sites. It’s the perfect setting for cybercriminals to try out large-scale brute-force attacks and find out whose passwords aren’t strong enough. 

What can you do to protect your business? 

1. Educate your team about the risks

A huge proportion of successful cyber attacks stem from human error (95%, according to some estimates), so helping your team understand the risks is crucial to avoiding them.

You should approach this in two ways: immediate education and long-term training. In the short term, educate your people on the risks outlined in this piece. It doesn’t have to be more than a short email sent out before the festive season really kicks off.

However, a quick nudge to your staff to be mindful of the risks is no substitute for long-term behavioural change. For this, you need security training. How you approach this will largely depend on your business and the cybersecurity knowledge within it but, to get you started, we’ve put together a short blog on the subject. 

2. Patch your software

The importance of updating your software can’t be overstated. Without regular updates, you leave plenty of little holes in your software for cybercriminals to exploit. So, ensure everyone in your business promptly installs updates and patches for the software on their devices – even if it’s an app or tool they rarely use.

It’s a simple thing and won’t take you more than a few minutes each month. But, it can also work wonders for improving your cybersecurity. 

3. Provide staff with clear cybersecurity policies 

We say this a lot but it never gets any less true. If your people don’t know what security behaviours are expected of them at work, they’ll keep getting it wrong.

Clear, well-crafted company policies on cybersecurity and data protection can go a long way to removing confusion around the subject. And, most importantly, help diminish the risk of a successful attack. 

A good cybersecurity policy should outline what employees should and shouldn’t do, give direction on best practice, and offer guidance for decision making. For more on how to build one, read this.

4. Practise good password hygiene

Like patching, this is a simple fix that can immediately improve your cybersecurity. So what does good password hygiene look like? Well, we recommend four steps:

  • Use complex passwords that make it difficult for cybercriminals to guess or brute-force their way in. The NCSC’s ‘three random words’ is a great approach to this
  • Change passwords regularly
  • Set up different passwords for different accounts, tools and software. If you struggle to remember them, consider using a secure password manager tool like LastPass or 1Password
  • Use two-factor authentication (2FA) wherever possible

And, once you’ve undertaken these four steps, roll it out to your business. Create a password policy and make sure everyone follows it.

5. Use a VPN 

Last, use a Virtual Private Network (VPN) for all remote work, even those trips to the local coffee shop. If your employees are using public networks or their home router, it’s likely to be far less secure than your office network. According to a report from BitSight, home office networks are 3.5 times more likely than corporate networks to be infected by malware.

A VPN can help you counter this by creating a secure connection to business systems and data, from wherever your staff choose to work. 

Want to know more about how to switch to hybrid or remote working safely? Download our guide, Cyber Safety in a New Era of Work here.


What is a social engineering attack?

We all know what a classic cyberattack looks like. It usually involves hackers with high levels of technical expertise and some form of malicious tool, such as ransomware or other malware.

However, cybercriminals don’t always use the latest malware and cyberattacks don’t have to be highly technologically advanced. There’s a whole other class of threats that harness the most powerful weapon of all – our brains.

These cyberattacks are known as social engineering attacks. But how do they work? And how can your business protect itself? 

What is social engineering? 

The term social engineering covers a broad range of malicious activities. What ties them together is that they all use human interactions to achieve their sinister ends. Broadly speaking, all social engineering attacks use psychological manipulation to trick us into making security mistakes or giving away sensitive information.

For more on how cybercriminals do this, we highly recommend our blog on how the internet encourages cybercrime. 

What does a social engineering attack look like? 

Now we know what a social engineering attack is, let’s look at how they work in practice. Although there are potentially endless types of social engineering attacks, there are four general categories most fit under. 

1. Phishing 

You’ve almost certainly heard of phishing attacks. They’re by far the most common form of social engineering, but that doesn’t make them any less dangerous.

Most phishing attacks seek to do three things:

  • Steal personal information such as names, addresses and banking details
  • Redirect victims to malicious websites that contain phishing landing pages or malware
  • Use threats, fear or a sense of urgency to manipulate the victim into acting quickly 

A lot of phishing attacks are poorly executed and easy to ignore. We’ve all had emails claiming to be from a well-known brand, only to notice the web address or logo is subtly wrong. However, plenty of phishing attacks do succeed.

For example, in May 2021 US fuel supplier Colonial Pipeline was subject to one of the largest ransomware attacks in history, triggering a fuel crisis in the process. It’s believed the attack began with a simple email phishing scam that managed to extract an employee password. 

So, even though they might be limited and often badly done, it’s unwise to underestimate the humble phishing scam. 

2. Piggybacking 

Also known as ‘tailgating’, piggybacking involves exactly what it sounds like (although not quite literally). In this type of attack, someone without the proper authentication follows a company employee into a restricted area. 

Here’s an example of how it might work:

  1. The attacker waits outside the company’s office, posing as a delivery driver or plumber.
  2. An employee enters using their keycard or other security accreditation.
  3. The attacker asks the employee to hold the door.
  4. They do, and suddenly the attacker has access to the building.

Once in, the attacker is one step closer to accessing confidential files, stealing company property, conducting corporate espionage, or physically attacking the business’s systems.

This might sound a bit ‘low-budget spy thriller’ but the danger is very real. And SMEs, which typically have fewer physical security checks in place, are particularly at risk.

3. Pretexting

Of the four threat types on this list, pretexting is the hardest to counter. Why? Because it relies on plausibility. A good pretexting attack creates a fabricated, but completely reasonable, scenario to try and steal information from victims.

A pretexting attack usually works something like this. The scammer poses as a supplier and claims to need information from the target to confirm their identity. They then pilfer this data and use it to steal company property, enter business systems, or launch a secondary attack. 

To give a real-world example, between 2013 and 2015 Facebook and Google were conned out of $100 million after falling for a fake invoice scam. A Lithuanian cybercriminal called Evaldas Rimasauskas realised both organisations used the infrastructure supplier Quanta Computer.

Sensing a vulnerability, he sent a series of fake multimillion-dollar invoices from Quanta Computer over two years. These invoices even included contracts and letters, apparently signed by the tech giants’ staff. 

The cybercriminal was eventually caught and Facebook and Google recovered some of the money. However, if two of the largest and most technologically advanced companies in the world can fall for such a simple scheme, so can anyone else. 

4. Quid pro quo 

Quid pro quo attacks promise a benefit in exchange for information. This benefit is usually some sort of service. 

For example, an attacker may call random phone extensions at a company, pretending to be returning a call from a technical support enquiry. Once they find someone who really has a problem, they pretend to help them but use it as an opportunity to plant malware or access important company data. 

What can you do to protect your business?

Education, education, education 

There’s a well-worn statistic that 95% of cybersecurity breaches are down to human error. But when it comes to social engineering attacks, that figure is much closer to 100%.

The best way to counter this is through security training. Training can help your employees recognise the tactics cybercriminals typically use such as impersonating a supplier, creating a sense of urgency, or offering bogus services. 

As we’ve said before, where many social engineering attacks fail is attention to detail – there’s usually something that isn’t quite right. And you can train your people to recognise these tells. Some examples include spelling mistakes, subtly different URLs, unsolicited communications and suspicious email attachments.
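As an added illustration (not CyberSmart’s code or tooling), here is a small Python check that applies the tells listed above to an email: look-alike domains in the sender address and links, and attachment types an unsolicited message has no business carrying. The trusted-domain list, the look-alike substitutions and the sample message are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for a hypothetical company (not real domains).
TRUSTED_DOMAINS = {"example-bank.co.uk", "parcel-tracker.example"}
# Attachment types an unsolicited email has no business carrying.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".iso", ".docm", ".xlsm")
# Character swaps commonly used to build look-alike domain names.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(domain):
    """Lower-case and undo common character swaps so near-copies compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance via two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if exact or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def phishing_tells(sender, body, attachments):
    """Collect the tells from the training text: look-alike sender/links, risky files."""
    tells = []
    sender_domain = sender.rsplit("@", 1)[-1]
    if (hit := lookalike_of(sender_domain)):
        tells.append(f"sender domain {sender_domain} looks like {hit}")
    for url in re.findall(r'https?://[^\s<>"]+', body):
        host = urlparse(url).hostname or ""
        if (hit := lookalike_of(host)):
            tells.append(f"link host {host} looks like {hit}")
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            tells.append(f"risky attachment {name}")
    return tells
```

A hit from this check is a prompt for a human to pause and verify through a known-good channel, not proof of fraud; legitimate mail from a freshly registered sister domain will also trip it.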

Create clear cybersecurity policies

If your people don’t know which behaviours are harmful, they can’t correct them. So, you need easy-to-follow cybersecurity policies to make it clear what behaviours are expected of them. On top of this, make sure everyone can find them. After all, there’s little point in an important policy document that spends its life languishing in a corner of the shared company drive. 

For more on why cybersecurity policies are so important and how CyberSmart can help, read this.

Foster a positive cybersecurity culture 

If your business does fall foul of a social engineering attack, acting quickly could be the difference between a minor inconvenience and disaster. But for this to work, your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. 

All too often, security mistakes go unchecked and breaches become so much worse than they needed to be because staff are too afraid to report them. 

Check your cybersecurity measures

Alongside training your staff, it’s also worth checking (or implementing) your technological cybersecurity measures. These include firewalls, antivirus and anti-malware, patching and access management policies.

By having these measures in place and regularly checking them, you should be able to limit the number of attacks that ever reach your staff. 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
