Why you could be eligible for free Cyber Essentials certification


Do you run a small charity or legal aid firm? If so, you could be eligible for funded Cyber Essentials certification to help you put basic cybersecurity measures in place. Here’s everything you need to know.

What is the funded Cyber Essentials scheme? 

Small charities and legal aid firms protect and serve some of the most vulnerable in our society. However, unfortunately, they’re also a key target for cybercriminals. The NCSC’s Cyber Breaches Survey 2022 revealed that 30% of UK charities identified a breach in the last 12 months.

The reason for this is simple. Charities and legal aid firms process large volumes of highly sensitive data but often have relatively weak defences – making them an ideal target for cybercriminals.

To counter this, the National Cyber Security Centre and IASME have launched the new Funded Cyber Essentials Programme. This offers small organisations in high-risk sectors free, practical support to help put basic cybersecurity controls in place and achieve Cyber Essentials certification. 

How does the scheme work? 

Qualifying organisations will receive up to 20 hours of remote support with a Cyber Essentials Assessor – all at no cost. Our assessors will spend this time helping you identify and implement the improvements needed to meet the 5 technical controls of Cyber Essentials. We’ll follow this up with an assessment to ensure everything is in place. 

With our guidance, you’ll be ready to take the Cyber Essentials and Cyber Essentials Plus certifications. If it’s not possible for you to complete Cyber Essentials Plus after 20 hours of support, we’ll give you clear directions on how to become assessment ready. 

Is the certification free? 

Yes. IASME has agreed to fund both Cyber Essentials and Cyber Essentials Plus certification for successful applicants to the scheme.

Who is eligible for the scheme? 

To qualify for this scheme, your organisation must be:

  • A micro or small business (1 to 49 employees) that offers legal aid services
  • A micro or small charity (1 to 49 employees) that processes personal data

No previous cybersecurity experience or certification is required. Even if you’re completely new to cybersecurity, we’ll guide you through the process.

How long is the scheme running for? 

The scheme runs until the end of March 2023. However, it’s worth noting that IASME is offering a limited number of funded packages. So it’s worth getting your application in as soon as possible. 

What is Cyber Essentials?

The Cyber Essentials scheme is a UK-government-backed cybersecurity certification that outlines the security procedures a company should have in place to secure its data. Cyber Essentials is highly recommended for SMEs because this certification protects you against 98.5% of the most common cyber threats.

Cyber Essentials Plus includes all of the same technical controls but with one major difference. Whereas Cyber Essentials is a self-assessed certification, Cyber Essentials Plus includes a technical audit of your systems. This next step gives you complete peace of mind your cybersecurity is up to scratch. And, your clients and partners don’t have to take your word for it that you’re cyber secure – they can rely on the expertise of a professional.

Can I apply to the scheme through CyberSmart? 

Yes. As the UK’s leading provider of cybersecurity certifications, we’re proud to be taking part in this scheme. 

To apply for the scheme, head to IASME’s Funded Cyber Essentials page and fill in the form at the bottom of the page. If you’re successful in your application, IASME will pass you over to us (or another certification body) to complete the certification process.

Alternatively, if you’re one of our partners or MSPs and want to refer a customer for the scheme, get in touch. We can apply on your client’s behalf and ensure the support and certification is carried out by CyberSmart.

Want to know more about cybersecurity certifications? Check out our in-depth guide to cybersecurity certifications in the UK.

GDPR after Brexit – everything you need to know


Just when you thought the endless rounds of Brexit negotiations were finally drawing to a close and it was safe to tune into the news again, another problem has reared its head. What will happen to GDPR after Brexit? And will UK companies still be able to exchange data within the EU? 

To provide some clarity amongst the confusion, we’ve tried to answer both. So, join us on a whistlestop tour of all things Brexit and GDPR. 

Will GDPR apply in the UK after Brexit? 

Strap yourselves in, this one’s going to take some explaining. While GDPR will no longer apply ‘directly’ once the transition period ends on 31st December 2020, that doesn’t mean UK organisations no longer need to comply with it. 

This is because the Data Protection Act 2018 enshrines GDPR’s requirements in law. On top of the existing legislation, the UK government has issued a statutory instrument catchily titled ‘The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019’. In simple terms, this amends the original law and merges it with the requirements of GDPR. The outcome will be a new data protection framework known as the ‘UK GDPR’. 

Still with us? The good news is that there’s virtually no difference between the UK version of GDPR and the current EU regime. So, for the meantime at least, you should continue to comply with the requirements of the EU GDPR. 

So why all the dramatic headlines about GDPR after Brexit? 

If there’s little material difference between the current GDPR and the proposed UK version, why are we seeing headlines about the switch costing UK firms £1.6bn in compliance fees?

Well, the problem lies in how the UK’s status is defined by the EU. Once the UK leaves the EU, as a non-member state it will be reclassified as a ‘third country’. And this has big ramifications for the transfer of personal data between countries. 

Under GDPR (the EU version), transferring personal data from the European Economic Area (EEA) to third countries is only permitted in one of three circumstances.

The three options

  1. If the European Commission (EC) has issued an adequacy decision. In other words, the EC has decided the third country has adequate data protection measures in place for EU countries to work with it.
  2. If safeguards such as binding corporate rules (BCRs) or standard contractual clauses (SCCs) are in place between organisations exchanging data. These are essentially commitments to comply with GDPR at the level of an individual company.
  3. If an approved ‘code of conduct’ is in place between the EEA and the third country. 

At the moment, no code of conduct has been agreed between the EEA and the UK. What’s more, the EC is yet to issue an adequacy decision.

This has led commentators, such as the New Economics Foundation (NEF) and UCL’s European Institute research hub, to suggest that in the event of a no-deal Brexit, UK businesses would have to undertake option two from the three circumstances listed above. 

The problem with this is that it could prove very costly. In fact, NEF estimates setting up extra compliance measures like SCCs could cost on average £3,000 for a micro-business, £10,000 for a small business and £19,555 for a medium-sized firm. For large firms, the figure could be as high as £162,790, with a cost of £1.6bn to the UK economy as a whole. 

How likely is this to happen?

While the last section might be a little scary, it’s important to stress that it is the worst-case scenario. The UK government has stated several times that it’s committed to securing an adequacy agreement with the EC. So it’s not beyond the realms of possibility that all this will be academic and we’ll see a relatively smooth transition process.

However, there are some doubts about the likelihood of the UK being granted adequacy status. And there are a couple of compelling reasons for this. First, the EU has long opposed some of the practices of the UK security services. This has led to several protracted court battles and a few defeats for British legislators. It’s felt that unless the UK is willing to change its surveillance practices – something it’s repeatedly refused to do – then this is likely to provide a blocker to the UK being granted adequacy status. 

Second, the UK government has committed to ‘liberalizing’ data laws as it leaves the EU. Its argument for doing this is that data is currently ‘inappropriately constrained’ by EU laws. The problem is that this is likely to render the UK’s data protection measures inadequate in the eyes of the EU. Again, leading to a scenario in which the UK becomes considered a third country without adequacy status. 

What should SMEs do? 

At this point, it’s natural to wonder what your business can do to ensure you’re ready for the transition. After all, with all the decisions being made at an international level, what can a single SME do but wait?

We don’t yet know the outcome of negotiations on the UK’s adequacy status. So planning for extra compliance measures like SCCs is a challenge. Nevertheless, as we mentioned earlier, it’s well worthwhile ensuring your business is compliant under the current GDPR regime. At the very least, this should help you stay on the right side of the new UK GDPR standard once it’s released.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.


Does 5G pose a cybersecurity threat to SMEs?


The fifth generation of wireless technology, or 5G, promises many things. But beyond grandiose pledges of hyper-connected living, truly scalable virtual reality, and a new golden age for business, 5G’s rollout has been far from smooth.

Unless you’ve (wisely) been consciously ignoring the news, it’s hard to miss the furore surrounding 5G. First, came British 5G towers being pulled down and set on fire due to COVID-19 conspiracy theories. Next, the UK’s decision to ban Chinese firm Huawei from its 5G network. Then, a backlash from environmental activists lamenting 5G’s potential footprint. 

But away from the big headline stories, there’s another side to 5G. It’s a potential gamechanger for small businesses. 

What benefits does 5G offer to small businesses? 

5G provides a host of benefits to small businesses, ranging from the simple to the fantastical. 

Speed

5G networks are engineered to be fast. Really fast. The most transformative part of 5G is its ability to reduce the time (or ‘latency’ if you prefer the techy term) it takes for data to get from one point to another. 5G promises speeds up to seven times faster than the fastest 4G browsing experience. 

For small businesses, this could improve everything from communication with customers to remote working to video conferencing. 

Smart offices

The term ‘smart office’ was all the rage a couple of years ago. We were promised a world of self-booking meeting rooms, automated energy controls and desk-monitoring software. The theory went that this would usher in a new era of happy, engaged employees, optimised office spaces, and reduced real estate costs. 

However, at the time, the technology to truly automate the office environment wasn’t quite there. With 5G, that’s all about to change. The availability of superfast internet could finally make smart offices available, for very little cost, even to small businesses. 

Looking to improve cybersecurity in your business? Start by getting Cyber Essentials certified. 

Real-time communication

5G’s low latency could transform the way businesses communicate. Imagine a world in which your interactions with customers, staff and employees took place instantly, wherever they are in the world. 

No more waiting for emails to come through. Files uploaded to shared drives in seconds. And, video conferencing that doesn’t freeze every five minutes. That’s the future 5G promises. 

Remote working 

Unless you live in Sweden or have been extremely lucky, chances are you’re reading this at home. Most businesses have had to learn how to work remotely in the last six months. And, for the most part, we’ve all adapted well. 

However, we’re all familiar with the problems working from home presents. How well you’re able to work remotely largely depends on the quality of your internet connection. The additional capacity and speeds 5G offers could change this. Instead of playing the postcode lottery, employees will be able to access high speeds and low latency in even the worst internet black spots. 

IoT

The internet of things (IoT) is another term you’ll have heard a lot in the last few years. But beyond many of us using voice-controlled devices in our homes, it’s yet to really take off. 

5G’s improved connectivity will allow businesses to link up everything from printers and smartphones to office monitoring software.

The bottom line

In short, 5G will make small businesses more efficient, extending their ability to do more with fewer resources and in less time. And this won’t just save costs, it’ll also improve customer experience and boost revenue as a result. 

What risks does 5G bring for SMEs? 

Unfortunately, the benefits of 5G apply to cybercriminals as much as they do businesses. 

More attacks 

Although stronger, faster connections are a boon for small businesses, the same is true for cybercriminals. As businesses use 5G as a platform to innovate, so will the bad guys. 5G provides a better tool to launch sophisticated cyberattacks faster, more efficiently, and in greater numbers. 

More opportunities for cybercriminals 

5G enables greater use of IoT devices. And this will have huge benefits for small businesses.

Gartner predicts that there will be 20.4 billion IoT devices in use globally by the end of this year – just in time for the widespread launch of 5G. 

However, with more connected devices come more opportunities for the bad guys to break in. It only takes one poorly secured device for cybercriminals to find their way in. And, while it’s always been the case that one weak link is enough, IoT devices increase the risk simply because there are so many of them.

Decentralisation could lead to disruption 

This risk is a little more complex, so bear with us while we run through a short history lesson on network security. 

Traditionally, networks were hub and spoke designs. Essentially, everything flowing through a network eventually came back to the central hub, usually a data centre. This made practising good cyber hygiene pretty simple, as you could protect everything from this central point.

With 5G, these ‘hubs’ are decentralised to a web of digital routers throughout the network. This means that there isn’t a central point where everything can be checked and cybersecurity protocols put in place. Instead, this needs to be done throughout the network, upping the chances security will be overlooked and cybercriminals given a route in. 

What should you do to protect your business? 

Although some of the risks we’ve outlined above are the responsibility of internet service providers, you should never rely on secondhand security alone. There are plenty of things you can do to ensure your business reaps the rewards of switching to 5G, without exposing it to greater risks. 

Check the right security is in place 

Run regular checks to ensure every device used in your business is equipped with the best security capabilities. This includes any IoT devices you’re using such as voice assistants or smart printers. Tools like CyberSmart Active Protect can help automate this process, by running a scan of all devices every 15 mins. 

Make sure software is up to date

No one likes running software or operating system updates, but it is important. Often software providers will include patches to fix known vulnerabilities in updates, protecting you against new cyber threats. Ensure all software is configured to update automatically across all company devices or perform regular checks. 

Get Cyber Essentials certified 

According to a report from Lancaster University, the measures laid out by the UK government’s Cyber Essentials (CE) scheme can mitigate 98.5% of cybersecurity risks. If you’re not already CE certified, following the process will help you build a great base level of security before you make the jump to 5G. 

Maintain good password hygiene

We say it a lot, but setting up a password policy and ensuring everyone follows it is a vital step. Always use complex passwords, change them regularly, and set up two-factor authentication. 

Clear security policies 

If you don’t have a security policy in place for 5G and the use of IoT, now’s the time. But it’s not enough just to have a security policy in place, your people also need to understand it. Check all security policies for workers are clear, easy to follow and stored in a central location everyone can access. 

5G is here. In less than four years’ time one billion devices will rely on it, and your business will very likely contain some of them. Of course, this brings risks. But the bad shouldn’t outweigh the good. By adopting a policy for 5G early and establishing simple, but effective security protocols you can make sure your business is primed to ride the next great wave of connectivity. 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


CyberSmart to lead research on cybersecurity in the post-COVID workplace


As lockdown measures tighten once more, many organisations are considering a future where workers may never fully return to the office. 

The COVID-19 crisis hit suddenly and with little warning. As a result, many businesses made the transition to working from home suddenly, without remote working policies and little real guidance for their employees. 

There’s no doubt these hybrid home-office workplaces bring challenges when it comes to privacy and security. But with such a rapid transition, do we understand exactly what those risks are?

The Research

CyberSmart is looking for the answer. Starting this week, we’ll be putting our expertise in SME cybersecurity to good use. We’re joining a research group examining the risks to trust, identity, privacy and security in new work environments as a result of COVID-19.

The three-month project is part of SPRITE+, a consortium funded by the Engineering and Physical Sciences Research Council. The project was one of several selected for funding through a SPRITE ‘sandpit’. It aims to bring together industry experts and academics involved in research, practice, and digital policy. 

Why is CyberSmart getting involved? 

Many SMEs are struggling to protect their people and operations in our changing world. So we’ve chosen this project because of its relevance to our customers. We hope it’ll help us better understand new risks and develop the strategies to counter them. 

As our own Ben Koppelman, CyberSmart’s Head of Research and Innovation put it:

“This is important research for CyberSmart to be involved with. We want to provide an evidence-based approach to understand what new security risks have emerged due to the dramatic shift to home working. And we want to explore the new measures taken to manage these risks.”

We’ll also be looking at how businesses can balance the security of the company with the private lives of employees. Ben added, “We want to know if employers are placing new security demands on their employees and if these demands create tensions with employees’ privacy needs.” 

The project group, made of academics from four different universities and two industry experts, will begin with a literature review. We’ll follow this up by gathering evidence directly from organisations and their employees. To gain a picture of the whole economy, we won’t just be focusing on SMEs. We’ll try to compare how home working has affected both large and small enterprises.

The academics will take the reins on research. However, we’ll offer support as an industry partner, provide access to SMEs, and contribute to the risk analysis. 

Looking to the horizon

The project is part of our horizon scanning work. We’ve been hard at work behind the scenes to better understand how COVID-19 is impacting digital transformation. In time, this research will inform our own innovation plans. But, more importantly, it’ll help us offer new security guidance to our customers. 

Are you looking to improve cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


Mythbusting: is contact tracing safe?

We have a problem. Well, more of a puzzle. Like much of Europe, the UK is gradually emerging from the lockdown of the last few months – this is great for business, collective sanity and our social lives. But opening up brings risks. If a second wave of COVID-19 is inevitable, and many scientists think it is, how should we avoid the mistakes of our first run?

Imposing another nationwide lockdown like the one this spring risks economic ruin for an already ailing UK economy. But with a vaccination a long way off, ‘keeping calm and carrying on’ would be even more disastrous. 

One solution you’ve probably heard a lot about in the last few months is contact tracing. Or, more specifically, the new NHS COVID-19 app. Some have boldly declared the technology, coupled with testing, the answer to a return to normality. Meanwhile, others have raised serious cybersecurity and data privacy concerns. 

So, how does contact tracing work? Are privacy activists and cybersecurity experts right to be worried about it? And, are your privacy and cybersecurity really in peril? 

How does contact tracing work?

Although there are many different ways apps like this could work, for simplicity let’s stick with how the NHS app works.

The app is incredibly simple. It uses Bluetooth to ‘ping’ any other phones (with the app downloaded) in your vicinity. The app then stores a record of anyone you’ve been in close contact with over a relevant time frame. For example, the 2-14 days symptoms typically take to appear in those who come into contact with the virus. 

If anyone receives a COVID-19 diagnosis, the app notifies everyone recorded within the infection range. It then sends a message asking users to self-isolate. 

What are the privacy concerns? 

At this point, you may be wondering what the problem is. The app seems intuitive, it has the crucial benefit of simplicity, and it’s easy to scale (after all, 79% of us own a smartphone). 

Most experts are broadly in agreement that the system is needed and a good idea. Where opinion differs is in the best way to design an app to accommodate it. 

This argument centres around whether we should be building centralised or decentralised apps to tackle contact tracing. A centralised app means that in the event a user flags a positive test result, the data from their phone is sent to a centralised database run by a healthcare body or the government. This central database then unlocks the identities of the infected person and anyone they’ve been near. 

In a decentralised model, this same process is repeated on the phone itself, meaning the government or healthcare body never receives any identifying information about app users. Instead, any data they collect is depersonalised, for example, the number of people infected and their geographic spread.
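To make the difference between the two models concrete, here is an added simulation (not code from the original article or from the NHS app) of the decentralised approach described above. It assumes a simplified design in which each phone broadcasts a fresh random token per day, remembers the tokens it hears over Bluetooth, and, when its owner is diagnosed, publishes only its own tokens to a shared list; every other phone then does the matching locally. The phone names, days and encounters are constructed for the example.

```python
"""Simplified decentralised contact-tracing simulation (constructed example)."""
import secrets
from dataclasses import dataclass, field

TOKEN_BYTES = 16  # size of the random identifier a phone broadcasts


@dataclass
class Phone:
    """One handset running the app: its own daily tokens plus the tokens it has heard."""
    name: str
    my_tokens: dict = field(default_factory=dict)   # day -> random token broadcast that day
    heard: list = field(default_factory=list)       # (day, token) pairs picked up over Bluetooth

    def token_for(self, day):
        """Return this phone's token for a day, generating a fresh random one if needed."""
        if day not in self.my_tokens:
            self.my_tokens[day] = secrets.token_bytes(TOKEN_BYTES)
        return self.my_tokens[day]


def encounter(a, b, day):
    """Two phones within range exchange their tokens for that day; nothing leaves the phones."""
    a.heard.append((day, b.token_for(day)))
    b.heard.append((day, a.token_for(day)))


class PublicBoard:
    """The only server-side piece: tokens voluntarily published by diagnosed users."""
    def __init__(self):
        self.published = []

    def publish(self, phone):
        # The diagnosed user uploads only their own random tokens, never who they met.
        self.published.extend(phone.my_tokens.values())


def exposures(phone, board, window_days, today):
    """Local matching: which recent days did this phone hear a token that is now published?"""
    published = set(board.published)
    return sorted({day for day, tok in phone.heard
                   if tok in published and today - day <= window_days})


def run_demo():
    """Constructed scenario: Alice meets Bob (day 1) and Carol (day 3); Dave meets nobody."""
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    encounter(alice, bob, day=1)
    encounter(alice, carol, day=3)
    board = PublicBoard()
    board.publish(alice)            # Alice is diagnosed on day 5 and publishes her tokens
    today, window = 5, 14
    return {
        "bob": exposures(bob, board, window, today),
        "carol": exposures(carol, board, window, today),
        "dave": exposures(dave, board, window, today),
        "published_count": len(board.published),
        # tokens rotate daily, so the board cannot link a user's days together
        "tokens_rotate": alice.token_for(1) != alice.token_for(3),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point to notice is what the board holds: two random byte strings from Alice and nothing else. Bob's and Carol's phones learn they were exposed by checking their own records, and the server never sees a contact graph, which is the property the article attributes to the decentralised model. A centralised design would instead have Alice upload her whole `heard` list for the server to resolve.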

Privacy and security campaigners worry about the centralised model because it’s open to ‘scope creep’. Or, to put it another way, just because the technology is being used for benign purposes now, doesn’t mean it couldn’t be applied for mass surveillance in the future. 

The UK had planned to use a centralised model. However, partly due to these concerns, and Apple and Google declaring they wouldn’t allow its use on their phones, it’s now switched to a decentralised model.

What about security? 

The other big concern about any contact tracing app stems from whether its data is completely safe from cyber attacks. A recent report from two academics specialising in cybersecurity, reveals that contact tracing apps may have some unforeseen vulnerabilities.

We won’t delve too far into the technical reasons behind the findings. In essence, most of the models for apps we’ve seen from governments so far transmit encrypted and unencrypted data side-by-side. Security experts fear that this could mean would-be hackers have an ‘in’ to identify individual users and steal their data.

Are your cybersecurity and privacy really at risk? 

We’ve outlined some of the security and privacy concerns about contact tracing apps, but how at risk is anyone who uses one?

Privacy – Had the UK government pushed ahead with its plan to use a centralised model, this would have been a very different article. However, the move to a decentralised approach has mitigated most privacy concerns. 

A decentralised app won’t share any personal information about you. It won’t share your geographic location with any third party. And, from an inter-user standpoint, the design shouldn’t allow anyone to work out who in their recent contacts has become symptomatic. 

Security – This issue is a little thornier. The questions raised by the report we mentioned earlier haven’t gone away, but at this stage, they remain theoretical problems rather than something users are reporting. What’s more, the GCHQ National Cyber Security Centre (NCSC) is aware of the findings of the report and is working towards fixing them. 

Contact tracing apps aren’t perfect, but it’s a balancing act. As with any state-run technology, they face questions about privacy and security. On the other hand, the risks to privacy are small and security is only likely to improve as the technology does. More importantly, contact tracing has enormous potential to help us get back to something more like the pre-COVID world. So perhaps the real question is can we afford not to use it? 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

Encryption explained: how does it work and why do SMEs need it?

Most of us have heard of encryption. It’s that recipe for secrecy that techy types talk about all the time. But for many of us, that’s where the knowledge ends.

However, for small businesses looking to improve cybersecurity, encryption can be a vital weapon in your arsenal – and one that isn’t so hard to understand. Here’s a simple explanation of what encryption is, why you need it, and when to use it.

What is encryption?

Although encryption, much like ‘the blockchain’, can seem like another one of those unfathomable technical terms, it’s actually pretty simple.

Encryption is most commonly used to protect data in transit and at rest. Ever sent a Facebook Messenger or WhatsApp message? That uses encryption. Or, a payment using online banking? Also encryption. How about buying something from a web store? You guessed it, encryption again.

You get the picture. Encryption is used everywhere in our daily lives, but how does it work?

In non-technical terms, encryption is a way of randomising data so that only an authorised recipient can understand the information. Encryption takes plaintext – for example, the text in an email between you and a colleague – and converts it into ciphertext, a string of random-looking numbers and letters. To unlock the real message or data, you need an encryption key, which is a set of mathematical values that only the sender and the recipient of the message know, like so:

[Image: encryption diagram showing plaintext, key and ciphertext. Photo: PixelPrivacy]

The principle is much the same as a password, but better (as we’ll see).
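The plaintext, key and ciphertext relationship described above, shown as an added, runnable example (not code from the original article). It assembles a small authenticated encryption scheme from Python's standard library only: a keystream derived from HMAC-SHA256 in counter mode is XORed with the plaintext, and a second HMAC tag detects tampering or a wrong key. The message and keys are constructed for the example.

```python
"""Symmetric encryption walk-through (constructed example, standard library only)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # per-message random value so the same key never reuses a keystream
TAG_LEN = 32     # HMAC-SHA256 output length


def _subkeys(key):
    """Derive separate encryption and authentication keys from one master key."""
    enc_key = hmac.new(key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Pseudorandom bytes from HMAC-SHA256 run in counter mode over (nonce, counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Plaintext -> nonce || ciphertext || tag. Only a holder of `key` can reverse it."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Verify the tag first (constant-time compare), then strip the keystream off."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def roundtrip_demo():
    """Constructed scenario: encrypt a message, decrypt it, then try a wrong key and tampering."""
    key = secrets.token_bytes(32)
    msg = b"Quarterly payroll figures attached"   # constructed sample plaintext
    blob = encrypt(key, msg)
    recovered = decrypt(key, blob)

    wrong_key_fails = False
    try:
        decrypt(secrets.token_bytes(32), blob)
    except ValueError:
        wrong_key_fails = True

    tampered = bytearray(blob)
    tampered[NONCE_LEN + 4] ^= 0x01                  # flip one bit inside the ciphertext
    tamper_detected = False
    try:
        decrypt(key, bytes(tampered))
    except ValueError:
        tamper_detected = True

    return {
        "recovered": recovered,
        "ciphertext_differs": blob[NONCE_LEN:-TAG_LEN] != msg,
        "wrong_key_fails": wrong_key_fails,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(roundtrip_demo())
```

The ciphertext is the same length as the message but shares nothing readable with it, and decryption without the right key does not yield a garbled message, it refuses outright, which is the practical meaning of the article's "little use to anyone without the right encryption key". This encrypt-then-MAC construction is here to show the moving parts; in production you would reach for a vetted authenticated cipher such as AES-GCM from a maintained library rather than assembling your own.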

Why does your business need it?

So we’ve covered, in very simple terms, what encryption is. The next question is why should SMEs be using it? It’s easy to assume that if you’re not a huge multinational, processing reams of sensitive information, that your standard security tools such as firewalls and secure passwords are enough to protect your data. However, there are three key reasons why this isn’t the case.

Cyber attacks are on the rise

It’s likely not news to you that cybersecurity threats to SMEs are on the rise. Barely a week goes by without another news story or set of figures released to that effect. Indeed, the Federation of Small Businesses estimates that SMEs are collectively subject to almost 10,000 cyber-attacks a day.


A big part of the problem is the ever-increasing volume and variety of malware out there. A recent report from cybersecurity experts, Malwarebytes, reveals that detections of new malware continue to increase by 1% year-on-year. This might not sound like much, but when we’re talking about detections in the tens of millions, it soon adds up.

In this environment, it’s getting harder and harder to stay ahead of the threat. However, adopting encryption can act as a strong second line of defence. For instance, someone in your organisation accidentally clicks on a malware link in an email (something we’ve all done at least once), potentially exposing your data to an attacker. Using encryption means that they won’t be able to read whatever they find without a key, meaning your data is safe.

You’re using a cloud service

Cloud computing is now a vital part of the daily operations of most SMEs. And if you’re doing business entirely in the cloud, and don’t store any sensitive data on employees’ devices, you’re safe, right? After all, the likes of Amazon, Google, and Microsoft spend billions of dollars a year on the security of their cloud services.

Unfortunately, this is only partly true. Obviously storing your data in a cloud is far better than having everything on vulnerable systems, but that doesn’t mean it’s entirely safe.

To give an example, let’s say you use a cloud-based platform like Office 365 for your everyday operations. A would-be hacker can still intercept your data as it moves between your device and the cloud. As we’ve already mentioned, this is unlikely if you’re working with a reputable cloud provider, but it’s not impossible or even that uncommon. Using strong encryption can help protect you against this by adding another layer of defence.

Passwords aren’t the be-all and end-all

Now, you may be thinking ‘but my business has a clear password protection policy and we regularly change our passwords for laptops and devices, surely that’s enough?’

Not quite. While it’s true that a strong security policy can help protect your business against regular theft and even less sophisticated cyberattacks, it’s not enough to protect you from the really harmful stuff.

Hackers are always finding a way around even the strictest security policies and new methods for cracking passwords appear all the time. To be totally sure, you need a solution that allows you to completely encode everything on your device. This means that even in the event someone does manage to break in, all they’ll be able to extract is random gobbledegook that’s little use to anyone without the right encryption key.

How do you use encryption?

Finally, let’s take a look at how you can use encryption to protect your business. Encryption can take many forms. How you use it will depend on what you need it for, but some common uses include:

  • End-to-end encryption – This guarantees data sent between two parties cannot be viewed by anyone else. Most internal communication tools such as Slack or Google Hangouts will come with this as standard, but it’s worth checking whichever messaging tool you use.
  • Cloud storage encryption – A service offered by cloud storage providers that transforms your data or text using an algorithm and stores it safely in the cloud.
  • Encryption as a Service (EaaS) – EaaS represents the next step up from cloud storage encryption. It’s the perfect tool for small businesses that want to use encryption but lack the resources to manage it themselves. EaaS subscription models typically include full-disk, database, and file encryption.

Of course, these are far from the only uses of encryption. You can also use it to protect certain fields on your website, encrypt everything leaving or entering your web server and a hundred other things besides. The above are just the most common applications for SMEs.

Data is more important than ever to SMEs. In fact, in our data-driven economy, it’s often the most valuable asset a business possesses. Basic cyber-hygiene such as encryption can go a long way towards helping you protect it.

Show your customers you value their data by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


Our Head of Engineering talks managing a global remote-only team

Meet Rob Minford, our Head of Engineering at CyberSmart. Even though we’re all working from home these days, Rob’s team has always been fully remote and is scattered across the globe.

In this interview with The Remoter Project, Rob talks about the benefits and challenges of working in a remote hybrid company (with some of us in an office and his distributed engineering team).

The Remoter Project is a venture that showcases the human side of remote working and explores how to successfully build and scale remote teams.

Interested in joining our growing team at CyberSmart? Check out our careers page.

Is your remote team making these security mistakes?

Summer days are here. As people begin to gather in the parks again and shops re-open, it’s beginning to feel like life is going back to normal. But for many of us, that normal won’t include going back to the office.

Consulting company Global Workplace Analytics estimates that after the pandemic, 30 percent of the entire workforce will continue to work from home regularly. Armed with Zoom and our Slack channels, we’ve succeeded in proving that a team doesn’t need to be in an office together every day to get things done.

But while a new remote world is great news for the weary commuter of 2019, it’s also great news for the cyber criminal. Over the past few months, cyber crime has increased as hackers take advantage of employees who are used to relying on their offices and IT staff to protect them.

It can be hard to convince staff of the importance of digital security. After all, most people outside of IT tend to think of cyber crime as something planned and targeted: a mastermind hacker out to get critical information from the government or cause trouble for a big corporation.

What would they want with my little business? I’m too insignificant to be targeted for cyber crime. This is the wrong way to think about it. Most cyber criminals are just opportunistic. They didn’t choose to rob your house because they knew you had a stash of cash under the bed (or all your passwords on your desktop). They chose it because you left the door open.

Using unsecured networks, not keeping software up to date, reusing passwords: there are a lot of ways to open the door. Luckily, many of these risks follow similar patterns and can be avoided through a few fundamental security practices. The most effective thing businesses can do right now to protect their data, their employees, and their customers is to educate their workforce on what these practices are and why they are important.

Here are some of the biggest (but pretty simple) mistakes your remote team might be making:

People having access to data they don’t need

According to data from the UK’s Information Commissioner’s Office, employee error continues to be a leading cause of data breaches. They might fall for a phishing attack or just accidentally send an email with a sensitive attachment to the wrong person.

One way to easily reduce the harm caused by data breaches is to only give employees access to the information they need to do their job. It might be easier to make a folder on Google Drive accessible to everyone in the company, but it also means you’re opening a lot more doors to that data than you need to.

Unsecured networks

While people can be generally pretty savvy about updating their own machines (laptops etc.), they generally forget about their routers after setting them up at home. When you first get a router, it’s important to log in to change the default username and password (which can be easy for hackers to find online) and to turn on wireless network encryption.

Employees can also use a VPN (Virtual Private Network), which routes their traffic through an encrypted tunnel and changes the IP address other parties see, so hackers can’t see the actual location of their device. It can also allow employees to access company information from personal devices. As a business, encourage employees to follow the same protocols for accessing company data that you had in your office.

Out of date software and devices

It’s extremely important to keep all hardware up to date, from laptops, routers and servers to the increasing number of IoT devices in the home, to protect against things like ransomware attacks. Ransomware attacks are among the fastest growing cyber threats (one report projected that in 2021, companies will fall victim to an attack every 11 seconds). Software patches are released all the time to protect against known vulnerabilities, but they don’t work if the system is outdated. Making sure you are using up-to-date operating systems and that software is running on the latest version is a critical part of cyber hygiene.

Not taking security seriously

Most people outside of IT have been guilty of this at some point. It’s just simpler to have one password for everything! And my wife’s birthday is easy to remember! (most of the time). But these little things can have big consequences, particularly when employees are using personal devices for work. A personal phone that has access to the company Slack channel needs to be just as secure as a PC in the office.

The majority of breaches are made through simple human error. We weren’t paying attention and accidentally sent an email we shouldn’t have. It’s critical that employees know what data in your business is sensitive and the consequences of a breach.

Lack of education

Sometimes data breaches happen because people just don’t know how to see them coming. For example, as phishing scams become increasingly sophisticated, employees need to know how to spot a suspicious email and how to report it.

Recent reports show that employees aren’t big fans of security. 42% of staff state that their company’s security policies (like having to have an IT admin install new software) make it more difficult to do their job. This is why education is so important.

We launched a page specifically designed to offer resources for small businesses who are transitioning to a remote work environment. These include company policies and a security checklist for employees.

The reality is that in this unstable economic environment, businesses are less likely to invest in their cyber security. But cyber security doesn’t have to be expensive or confusing. This kind of basic cyber hygiene can go a long way in preventing the threats we’re seeing increase on a daily basis.

The dream of working from anywhere in the world may finally be materialising for many. Let’s make sure it happens safely.

Show your customers you value their data by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

Inside CyberSmart Active Protect: what’s monitored and what’s not

This month, we made the decision to include our CyberSmart Active Protect with all of our certification options. We did this because we know real security can’t be achieved through a certification audit once a year; it requires continuous assessment of compliance.

We also know that up to 98.5% of cyber attacks can be prevented by following the controls that our software monitors. That’s why we encourage businesses and their employees to install the app on any device that might be used for work purposes.

And that’s where things get sticky. A work app on my personal phone? That monitors me?

We get it. It all sounds a bit Big Brother. So we’re here to clear up exactly what we ‘monitor’ with our CyberSmart Active Protect and why it’s good for employees as well as businesses.

What we see

What an employer sees on devices that have the CyberSmart Active Protect installed:

  • Whether your device is complying with the five controls of Cyber Essentials
  • Which software you have installed on your computer and if it is up-to-date
  • The make, model, and year of your device
  • Your operating system (like Microsoft Windows or Apple’s macOS) and which version you are running

What we don’t

An employer can’t see anything but what’s listed above, but here are a few points of clarification. Your employer cannot see:

  • Which websites you visit
  • Which apps you have installed on your mobile device (these are different from software. Your employer has no way to see if you downloaded CandyCrush again after you so admirably recovered from your addiction)
  • Your physical location with the device
  • When you are online or how much you are using different software on your devices

Checking your vitals

One of our engineers described CyberSmart Active Protect as an ‘ongoing health check.’ This is a good way to think about it. We’re taking your vital signs but we don’t get into any more detail than we need to. Is your firewall still up? Is a piece of software out of date that could leave a door open for attack? If it is, you’ll get a notification and clear instructions on how to fix it.

It’s good for employees too

When a device is hacked, criminals aren’t just looking for business data on customers. They will take any useful piece of information they can. With the CyberSmart Active Protect installed, employees will enjoy the benefits of protecting their personal data as well as the company’s on their personal devices.

Take the first step to protecting your business and your employees today. If you got your Cyber Essentials certification through CyberSmart, you can now access one free license to CyberSmart Active Protect via your dashboard.

Don’t take the bait: tips for avoiding a phishing attack

Phishing scams

We’ve all gotten those emails before. Congratulations! You’ve won a £100,000 voucher from Argos. Click here in the next three hours to claim your reward! We want to believe them. They just might be real. And that is exactly the mentality cybercriminals are taking advantage of.

These kinds of scam emails are known as phishing attacks, and they are everywhere. According to Verizon’s 2020 Data Breach Investigations Report released this week, they made up nearly a quarter (22%) of all cyber breaches this year.

We’ve seen an even greater rise in these over the past three months as hackers preyed on widespread anxiety by impersonating official sources like the US Center for Disease Control, the World Health Organisation, and various government offices offering ‘updates’ and ‘alerts’ around the virus.

Phishing attacks fall into two broad categories. They are usually trying to persuade you to click on a link that will lead to a spoof site and require you to enter personal data (credit card details, personal or bank information, etc), or to download malware onto your device (either through a link or an attachment).

Many of these phishing emails can be extremely convincing. Even EasyJet fell victim this week. So how can you protect your business, your employees, and ultimately your customers against them?

Training employees how to recognise the warning signs of phishing emails is the best way to prevent these kinds of attacks and might be the best solution for smaller businesses.

While there are a few great pieces of anti-phishing software out there that use email filtering to detect and flag suspicious email addresses and malicious links or attachments, the most convincing phishing attacks often slip through the net of even sophisticated software.

Something smells fishy here: spotting the signs of a scam

Read carefully

Copywriters at big companies spend a lot of time crafting emails and there’s often a noticeable lack of quality with phishing scams. A few tell-tale signs include:

  • Generic greetings – Dear user…
  • Urgent deadlines and calls to action – Click now or your home insurance will expire!!
  • Grammatical mistakes and spelling errors – Plese download the attached file to keep Your Account open. If it doesn’t seem professional, it probably isn’t.
  • News that is too good to be true – We’ve found a cure for the coronavirus. Click here to order your safety kit.

Check the email address

Be sure to check the email address as well as the name of the sender. Although phishing scams often use the name of someone you know or a company you work with, the email address won’t match up. If it’s from a @gmail.com address, for example, it’s probably not a legitimate organisation.
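The checks above (sender name versus address domain, free webmail senders, urgent calls to action, generic greetings) as a small triage script. This is an added example, not CyberSmart’s code; the brand-to-domain mapping, the free webmail list and the sample messages are constructed for illustration.

```python
import re
from email.utils import parseaddr
from typing import Dict, List, Set

# Constructed mapping of display-name keywords to the domains a genuine
# message from that organisation would be expected to come from.
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "argos": {"argos.co.uk"},
    "world health organisation": {"who.int"},
}
# Free webmail domains a legitimate organisation is unlikely to send from.
FREEMAIL: Set[str] = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Urgent deadlines / calls to action and generic greetings (constructed patterns).
URGENCY = re.compile(
    r"\b(click now|within \d+ hours|account will be (closed|suspended)|expire)\b", re.I
)
GENERIC_GREETING = re.compile(r"^\s*(dear (user|customer|member)|hello user)\b", re.I | re.M)


def phishing_signals(from_header: str, subject: str, body: str) -> List[str]:
    """Return the warning signs this message shows; an empty list means none found."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    signals: List[str] = []
    if domain in FREEMAIL:
        signals.append(f"sender uses free webmail domain {domain}")
    # Display name claims a known organisation but the address domain does not match.
    lowered_name = name.lower()
    for keyword, expected in BRAND_DOMAINS.items():
        if keyword in lowered_name and domain not in expected:
            signals.append(f"display name '{name}' does not match address domain {domain}")
            break
    if URGENCY.search(subject) or URGENCY.search(body):
        signals.append("urgent deadline or call to action")
    if GENERIC_GREETING.search(body):
        signals.append("generic greeting")
    return signals


if __name__ == "__main__":
    # Constructed sample messages: one scam-like, one ordinary internal mail.
    samples = [
        ('"Argos Rewards" <promo@gmail.com>', "Congratulations! Claim within 3 hours",
         "Dear user,\nClick now to claim your £100,000 voucher."),
        ('"Karen Smith" <karen.smith@example-firm.co.uk>', "Q2 invoice",
         "Hi Rob,\nAttached are the figures we discussed."),
    ]
    for hdr, subj, text in samples:
        print(hdr, "->", phishing_signals(hdr, subj, text) or "no warning signs")
```

Heuristics like these are a prompt for the reader to pause, not a substitute for reporting a suspicious message; a well-crafted email can pass all four checks.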

A recent phishing attempt. Note the sender’s email address – @pinkcontract.com

Question their professionalism

Remember that real brands will never ask you for personal details over email or force you to their website.

Think before you act

Above all, just take a moment to pause before you interact with any email. Before you click or download anything, reflect for a second by asking: do I know this person? Have I actually ever bought anything from this brand? How does the World Health Organisation have my work email address? Why can’t Karen from Accounting spell correctly?

An ounce of prevention is worth a pound of cure

As attacks become more sophisticated, it’s almost inevitable that you or someone you know will fall victim at some point. But following basic cyber hygiene can help reduce the harm of these attacks. 

A simple way to mitigate against phishing attacks that steal credentials is to enable two-factor authentication on your accounts right now. Two-factor authentication means that when you log in you need both a password and a second form of confirmation (like a text to your mobile, for example).

Having this extra layer of security means that even with your username and password, the hacker will not be able to access employee accounts.

If an employee or business realises they have been breached, they should immediately take action by changing their personal password or disconnecting their device from the network and alerting employees in the rest of the company.

People can help prevent the spread of these large-scale attacks by immediately reporting suspicious messages to the Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk, which supports the government’s Active Cyber Defence programme.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
