
Protecting patient data – cybersecurity training for healthcare providers

Patient health records are a gold mine for cybercriminals. A single record sells for up to £1,000 on the dark web, compared with around £5 for credit card details. Worse still, breaches of healthcare providers are becoming ever more common. In the past five years, 8,903 incidents have been reported to the Information Commissioner's Office (ICO). And, according to research from Kroll, healthcare was the most targeted sector in 2024, accounting for nearly a quarter of all breaches.

However, there is a simple, often overlooked, thing you can do to better protect your hospital, surgery or business. 95% of breaches stem from some kind of human error, whether that's clicking on a phishing link or replying to the wrong email. So, one of the best things you can do for your organisation's cyber health is to invest in cybersecurity training.

The benefits of cybersecurity training for healthcare providers

Cybersecurity training equips your team to make better security decisions every day. From checking emails to managing passwords, every action carries potential risk. Without proper training, these become vulnerabilities.

Training strengthens your cyber health in several ways.

Compliance

Healthcare providers must comply with strict regulatory requirements under the UK GDPR, the Data Protection Act 2018, and sector-specific frameworks like the NHS Data Security and Protection Toolkit. Proper training ensures your team understands their role in maintaining compliance.

Protecting sensitive data

Train your team to handle data properly, so they're security conscious whether they're sharing test results or updating records. Handling data correctly as a matter of habit reduces the chance of accidental disclosure or unauthorised access without slowing clinical work.

Continuity of care

When systems go offline during a cyberattack, patient care suffers. Appointments get cancelled, test results are inaccessible, and treatment plans are delayed. Training helps prevent these disruptions and prepares your team to maintain essential services during security incidents.

Reputation management

Patient trust takes years to build but can disappear overnight after a data breach. Effective training minimises this risk and ensures your team can respond appropriately if an incident occurs.

Improving your cyber health – six areas for cybersecurity training for healthcare

1. Phishing awareness training

Phishing initiates 91% of all cyberattacks, with healthcare staff facing sophisticated scams designed for medical contexts. Recent examples include fake COVID-19 vaccine scheduling emails and fabricated patient record requests.

Training priorities:

  • Run simulated phishing exercises using healthcare-specific scenarios
  • Teach staff to spot indicators of fraudulent communications
  • Establish clear reporting channels for suspicious messages
  • Reinforce that legitimate organisations never request passwords via email

2. Password and authentication security

Strong authentication is crucial. Credential theft enables 61% of healthcare breaches, but proper authentication practices can block most of these attempts.

Training priorities:

  • Teach password management suitable for clinical environments
  • Implement and train staff to use password managers
  • Implement multi-factor authentication (MFA)
  • Ensure staff understand why MFA matters
  • Introduce protocols for password resets in emergencies

3. Device and endpoint security

Healthcare workers use multiple devices across various locations, and every device is a potential entry point for attackers.

Training priorities:

  • Develop clear guidelines for practice-owned and personal devices
  • Establish practical BYOD protocols for healthcare workflows
  • Schedule device updates that don't interrupt patient care

4. Incident response

Clear protocols for security incidents alongside fast response times can significantly limit damage and disruption.

Training priorities:

  • Develop streamlined incident response procedures to maintain patient care
  • Clarify what constitutes a reportable security incident
  • Establish clear communication channels during security events
  • Practice incident scenarios regularly with realistic, relevant examples

5. Network security basics

Your network is crucial for seamless communication, data sharing, and patient care, but it also expands your attack surface. A single network vulnerability can expose your entire organisation to breaches.

Training priorities:

  • Secure network access, particularly for remote access
  • Teach staff to recognise warning signs of network intrusions
  • Establish protocols for connecting medical devices to networks
  • Provide guidance on secure application use

6. Social engineering awareness

Healthcare faces unique social engineering risks, including imposters posing as patients, pharmaceutical representatives, or officials.

Training priorities:

  • Develop verification procedures that maintain patient privacy
  • Ensure identity protocols are followed before granting access
  • Train reception staff on handling unusual information requests

Delivering cybersecurity training in healthcare

The way you deliver training directly impacts its effectiveness. Here's how to ensure your investment pays off:

Keep sessions short

Micro-learning sessions are easier to digest and schedule than lengthy sessions. Keep modules short and focused to help information retention.

Make it relevant

Avoid generic training. Use scenarios relevant to your people, like updating patient records, using appointment systems, and sharing treatment plans. This demonstrates how security applies to them and their daily activities.

Focus on practical actions

Busy healthcare professionals need actionable guidance, not theory. Focus on specific behaviours that improve security without disrupting patient care.

Test and reinforce

Regular simulations, knowledge checks, and refreshers maintain vigilance. Consider healthcare-specific phishing simulations and exercises based on real incidents.

Build a supportive culture

Move beyond compliance to foster a culture where security enhances patient care. Recognise staff who report suspicious activity, and ensure leadership demonstrates security best practices.

Launching your healthcare cybersecurity training

Here’s how you can prepare for training:

  1. Assess your current situation by examining your unique workflows, systems, and previous security concerns
  2. Survey your staff to identify knowledge gaps and existing strengths
  3. Review security incidents that have affected similar healthcare organisations
  4. Consult specialist frameworks like the NHS Data Security and Protection Toolkit

Based on this assessment, develop a focused training plan – either on your own or with a training provider – that addresses your highest-priority risks first with comprehensive coverage over time.

Building a security-first culture

Effective cybersecurity training for healthcare providers doesn't require massive budgets. Focus on healthcare-specific skills and integrate security habits into daily workflows that staff already understand.

Considering introducing cybersecurity awareness training into your business? Check out CyberSmart Learn, our cybersecurity focused learning management system.

DSIT’s Cyber Governance Code of Practice explained

If we’ve learned anything from the recent news cycle, it’s that large UK businesses need help. Attacks on M&S, The Co-op, and Harrods have left the country reeling and cybersecurity back at the top of the agenda. So, the release of the Department for Science, Innovation & Technology’s Cyber Governance Code of Practice for medium and large businesses feels timely.

But what is it? And should smaller businesses adopt its recommendations too? We answer these questions and more in this blog.

What is the Cyber Governance Code of Practice?

The Cyber Governance Code of Practice is a framework designed to guide boards and directors on governing cyber risk effectively. Primarily aimed at medium and large organisations, it is intended to help business leaders build resilience within their organisations and defend against a wide range of cyber threats.

What does the code include?

Broadly speaking, the code sets out critical governance principles that every board (or director) should apply to their organisation. Think of it as a set of cybersecurity ‘dos’ for people in positions of authority.

More specifically, the code focuses on five fundamental principles. Much like Cyber Essentials and its five controls, these principles cover the key bases of effective cybersecurity. These principles are:

  • Risk management
  • Cyber strategy
  • People (cyber-aware culture and training)
  • Incident planning and response
  • Assurance and oversight

Each principle is supported by a set of three to five actions directors are advised to take. For example, one of the actions for People is to “Undertake training to improve your own cyber literacy.” These actions help directors and business leaders gradually build cyber confidence throughout their organisation and, ultimately, better secure it against cyber threats.

How does it integrate with other frameworks?

The Code complements other resources like the National Cyber Security Centre’s (NCSC) Cyber Security Toolkit for Boards and the Cyber Assessment Framework (CAF).

Alongside this, the code is bolstered by free cyber governance training and a cybersecurity toolkit to help boards implement its recommendations.

Is the code voluntary?

While voluntary, the Code is positioned as the minimum level of board accountability expected within UK businesses. Plus, it likely won’t be voluntary for long. The upcoming Cyber Security and Resilience Bill is widely expected to reinforce these standards and possibly even create some form of legal responsibility for boards. 

In other words, it’s well worth getting ahead of the legislation by adopting these measures now.

Why has the code been created?

Time for a brief history lesson. The code was co-designed by the NCSC and industry experts to address two things. Firstly, as we’ve seen illustrated by the attacks on some of the UK’s flagship retailers in the last few weeks, there’s a high prevalence of cyber incidents among large businesses. According to DSIT’s latest research, some 74% of large and 67% of medium-sized organisations reported cyber incidents in the past year.

Secondly, board-level responsibility for cybersecurity has seen a gradual decline since its high of 38% of UK organisations in 2021 (the figure is 25% in 2025). The code aims to put managing cyber risk back at the front and centre of boards’ thinking and give senior leaders a clear framework for how to do it.

More broadly, the code fits alongside upcoming legislation to form a key part of the UK government's approach to improving national cyber resilience.

Who is the code for?

We mentioned earlier that the Cyber Governance Code of Practice was primarily aimed at medium to large businesses. This is because larger businesses typically have a formalised board and governance structures.

However, you shouldn’t take away the message that the framework isn’t useful if you’re a small business. Most obviously, because small businesses often do have boards or, at the very least, directors. More importantly, the framework has value for any organisation.

Regardless of your organisation’s size, adopting its recommendations will help you bolster your defences, mitigate risks, and gain cyber confidence.

Want a simple solution for meeting the Cyber Governance Code of Practice's staff training recommendation? Check out CyberSmart Learn.

From vulnerability to vigilance: developing your cybersecurity awareness and training policy

No matter how robust your technical defences are, your company’s cybersecurity is only as strong as your least cyber-savvy employee. One careless click, one reused password or one small mistake can have significant consequences.

That’s why a cybersecurity awareness and training policy is so important.

What is a cybersecurity awareness and training policy?

A cybersecurity awareness and training policy is a formal document that outlines how your business approaches cybersecurity education. 

It defines: 

  • The type of training employees receive
  • How often they receive it
  • What's expected of them

Unlike a general security policy focusing on technical controls, a security awareness and training policy specifically addresses the human element of cybersecurity. It ensures your team has the knowledge and skills to appropriately identify and respond to threats.

Why you need a cybersecurity awareness and training policy

It’s easy to overlook the importance of formalising your approach to cybersecurity awareness training. Here’s why implementing a comprehensive policy is so important: 

  • Human error is your biggest vulnerability
  • It can help with regulatory compliance
  • It could reduce your cyber insurance premiums

Human error is your biggest vulnerability

50% of UK businesses have a basic cybersecurity skills gap, meaning staff lack confidence in performing fundamental security tasks like storing personal data securely or detecting malware. Given that human error accounts for most breaches, you don't want to be in the 50% of businesses with a skills gap.

It can help with regulatory compliance

Few regulations make awareness training an explicit, standalone requirement, but many regulations and standards – including GDPR, Cyber Essentials, and ISO 27001 – expect or strongly recommend it. ISO 27001, for example, includes information security awareness, education and training as a control (Annex A 6.3 in the 2022 edition), and GDPR lists awareness-raising and training of staff among the data protection officer's tasks (Article 39).

It could reduce your cyber insurance premiums

Insurance providers often look more favourably on businesses with formal security awareness programmes, which can result in lower premiums.

What to include in your cybersecurity awareness and training policy

Creating an effective cybersecurity awareness and training policy isn’t complicated. Here are the essential elements to include:

1. Training modules and content

Your policy should clearly outline the topics your training programme covers. 

Here are some common weaknesses to address:

  • Password protection: best practices for creating and managing strong passwords
  • Phishing awareness: how to identify and report suspicious emails
  • Multi-factor authentication (MFA): why it's important and how to use it properly
  • Safe internet usage: guidelines for browsing safely and avoiding malicious websites
  • Data handling: procedures for handling sensitive information
  • Mobile device security: how to secure work phones and manage bring your own device (BYOD) risks 
  • Incident response and recovery: what to do when something goes wrong

2. Training frequency

Your cybersecurity awareness and training policy must specify how often employees receive training. 

Consider:

  • Initial training for new employees during onboarding
  • Annual refresher courses for all staff
  • Quarterly micro-learning sessions (10-15 minutes) on specific topics
  • Ad-hoc training when new threats emerge or after security incidents

3. Delivery methods

Not all training is created equal. Your policy should outline how training will maximise engagement and retention. 

  • Interactive e-learning: self-paced modules that employees can complete at their convenience
  • Simulated phishing exercises: practical tests that reinforce email security awareness
  • Workshop sessions: team-based exercises that encourage discussion and problem-solving
  • Video content: short, engaging videos that explain key concepts
  • Infographics and visual aids: quick-reference guides for common security scenarios

4. Assessment criteria

Your security awareness and training policy needs clear metrics to measure success, such as: 

  • Knowledge checks: quizzes and tests that measure understanding
  • Phishing simulation results: click rates on simulated phishing emails
  • Incident reporting: the number and severity of security incidents reported
  • Compliance rates: training completion rates
  • Behavioural changes: observed improvements in security practices

Making your security awareness and training policy work for you

The most effective policy is one you actually implement. Follow these practical tips.

Make it relevant

Use examples directly related to your business instead of abstract concepts your team won’t be able to follow.

Bridge the knowledge gap

Address the disconnect between technical teams and leadership. 35% of cybersecurity leads say senior managers don't understand the cyber risks facing their organisation.

Lead by example

Ensure management follows security practices – when leaders demonstrate good security habits, teams are more likely to follow suit.

Keep it current

Review and update your policy at least once a year.

Achieve your personnel best

A well-structured cybersecurity awareness and training policy strengthens your business from within. Clear guidance, ongoing education, and practical training puts the power in the hands of your people.

Considering introducing cybersecurity awareness training into your business? Check out CyberSmart Learn, our cybersecurity focused learning management system.

Dodging the phishing net – why phishing awareness training matters

We've all received those suspicious emails asking us to "verify" our account details or claiming we've won an improbable prize. While some attempts appear comically obvious, others are sophisticated enough to trick even the most vigilant employees.

So much so, that 91% of all cyberattacks begin with a phishing email. 

The good news? With the right training, your team can become your strongest line of defence.

What is phishing awareness training?

Phishing awareness training teaches employees how to identify and respond to phishing attempts. It covers everything from recognising suspicious emails and text messages to understanding the psychological tactics cybercriminals use to manipulate recipients.

Unlike technical security measures, like firewalls, that work silently in the background, phishing awareness training actively engages your team. Over several sessions, it transforms them from potential vulnerabilities into valuable protectors of your company's digital assets.

How does phishing awareness training work?

Effective phishing awareness training is an ongoing commitment. It typically includes:

  • Educational content – Interactive modules, videos, and reading materials that explain phishing tactics and prevention strategies
  • Simulated attacks – Controlled phishing simulations test employee vigilance in real-world scenarios
  • Regular updates – Training content that evolves as new phishing techniques emerge
  • Performance tracking – Individual and team metrics that measure improvement, helping you identify employees who might need additional support

The best training combines these elements into a cohesive learning experience that builds confidence and vigilance.

What are phishing attack simulators, and why do you need them?

Phishing simulators test your employees with realistic but harmless phishing attempts. They help your team develop an instinct for spotting hooks in seemingly innocent messages.

These simulators:

  • Create realistic phishing scenarios tailored to your industry
  • Track who ‘takes the bait’ by clicking links or submitting information
  • Provide immediate feedback and educational resources
  • Generate reports to measure improvement over time
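Here is an added example (not code from the original post, nor from CyberSmart Phish) of the tracking mechanism a simulator needs in order to "track who takes the bait" and to produce the click-rate metric the policy post lists under assessment criteria. Each recipient gets an HMAC-derived token in the lure URL, so the address itself never appears in a link that might be forwarded or screenshotted, and an outsider cannot mint a token to pollute the results; clicks and form submissions are then attributed from a log. The campaign name, secret, recipient list and log lines are all constructed.

```python
"""Per-recipient tracking for a phishing simulation campaign.

Added illustration, not code from the original post. The campaign secret,
recipients and the click log below are constructed assumptions.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Assumption: a campaign-scoped secret that lives only on the simulation server.
CAMPAIGN_SECRET = b"campaign-secret-demo-only"


def tracking_token(campaign, recipient, secret=CAMPAIGN_SECRET):
    """Unguessable, fixed-length token identifying one recipient in one campaign.

    HMAC rather than a plain hash: without the secret nobody can mint or confirm
    tokens, and the recipient's address never appears in the lure URL.
    """
    msg = f"{campaign}\0{recipient.strip().lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def lure_url(campaign, recipient, base="https://training.example.invalid/login"):
    """The URL placed in the simulated phishing email (base URL is an assumption)."""
    return f"{base}?t={tracking_token(campaign, recipient)}"


def token_index(campaign, recipients):
    """Map token -> recipient so logged events can be attributed."""
    return {tracking_token(campaign, r): r for r in recipients}


def parse_event(line):
    """Parse one constructed log line of the form '<timestamp> <action> <url>'."""
    timestamp, action, url = line.split(" ", 2)
    token = parse_qs(urlparse(url).query).get("t", [None])[0]
    return timestamp, action, token


def campaign_results(campaign, recipients, log_lines):
    """Attribute clicks and credential submissions to recipients and compute rates."""
    index = token_index(campaign, recipients)
    clicked, submitted, unknown = set(), set(), 0
    for line in log_lines:
        _, action, token = parse_event(line)
        who = index.get(token)
        if who is None:
            unknown += 1  # forged, mistyped or foreign token: never attribute it
            continue
        if action == "click":
            clicked.add(who)
        elif action == "submit":  # submitting credentials implies the click
            clicked.add(who)
            submitted.add(who)
    n = len(recipients)
    return {
        "clicked": sorted(clicked),
        "submitted": sorted(submitted),
        "click_rate": len(clicked) / n,
        "submit_rate": len(submitted) / n,
        "unattributed_events": unknown,
    }


# Constructed campaign and log: two of four recipients click, one also submits,
# and one event carries a token that was never issued.
CAMPAIGN = "2025-q2-records-request"
RECIPIENTS = ["alice@example.test", "bob@example.test",
              "carol@example.test", "dave@example.test"]
SAMPLE_LOG = [
    f"2025-05-01T09:02:11Z click {lure_url(CAMPAIGN, 'alice@example.test')}",
    f"2025-05-01T09:05:40Z click {lure_url(CAMPAIGN, 'Bob@example.test')}",
    f"2025-05-01T09:06:02Z submit {lure_url(CAMPAIGN, 'bob@example.test')}",
    "2025-05-01T09:30:00Z click https://training.example.invalid/login?t=deadbeef",
]

if __name__ == "__main__":
    for key, value in campaign_results(CAMPAIGN, RECIPIENTS, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The case-insensitive match on the address is deliberate: mail systems and directories disagree about case, and a recipient who clicks must not be counted twice or missed because of it. Unattributed events are reported separately rather than silently dropped, since a spike in them usually means the lure was forwarded or the URL was shared outside the target group.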

Businesses of all sizes benefit from simulators. For smaller organisations especially, where a single security incident could have devastating consequences, these tools provide cost-effective training that turns theoretical knowledge into practical skills.

Why is phishing awareness training important?

1. It strengthens your defences

When your team knows what to look for, they’re more likely to spot suspicious communications. This proactive approach prevents successful attacks before they happen.

With proper training, employees learn to scrutinise:

  • Sender details and email domains
  • Unusual requests or urgent language
  • Suspicious links and attachments
  • Grammatical errors and inconsistent formatting
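Three of the four indicators above (sender details, urgent language, suspicious links and attachments) can also be checked mechanically, which helps whoever triages the messages that staff report through the channels the healthcare post recommends. The following is an added example, not code from the original post or from CyberSmart: it parses a raw email with Python's standard library and flags a sender domain that imitates a trusted one, a Reply-To pointing elsewhere, urgency phrases, links whose visible text names a different domain from their real destination, and risky attachment types. The trusted-domain list, the urgency phrases and both sample messages are constructed assumptions; grammar and formatting quality is left to the human reader.

```python
"""Heuristic checks for common phishing indicators over a raw RFC 5322 message.

Added illustration, not code from the original post. Trusted domains, urgency
phrases and the two sample messages below are constructed assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("example-practice.nhs.uk", "example-supplier.co.uk")  # assumption
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "account will be suspended")
DOMAINISH = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(value):
    """Lower-cased host of an email address, URL or bare domain."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def phishing_indicators(raw_message):
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    # 1. Sender details: a domain imitating a trusted brand, or a Reply-To elsewhere.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if from_domain != trusted and (brand in from_domain or from_domain.startswith("xn--")):
            findings.append(f"lookalike sender domain: {from_domain} vs {trusted}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain differs from From: {_domain(reply_to)}")
    # 2. Urgent language in the subject or body.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    findings += [f"urgent language: '{p}'" for p in URGENCY_PHRASES if p in text]
    # 3. Links whose visible text names one domain while the href goes to another,
    #    plus any link that leaves the trusted domains.
    extractor = _LinkExtractor()
    extractor.feed(body)
    for anchor_text, href in extractor.links:
        href_domain = _domain(href)
        shown = _domain(anchor_text) if DOMAINISH.match(anchor_text) else ""
        if shown and shown != href_domain:
            findings.append(f"link text {shown} points to {href_domain}")
        if href_domain and not _is_trusted(href_domain):
            findings.append(f"link to untrusted domain: {href_domain}")
    # 4. Attachment types that have no place in a records request.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".exe", ".js", ".docm", ".xlsm", ".htm", ".html", ".iso")):
            findings.append(f"risky attachment: {name}")
    return findings


# Constructed samples: a fake "patient record request" and a legitimate message.
PHISH = """\
From: "Example Practice Records" <records@example-practice-nhs.uk>
Reply-To: support@secure-mail-login.example
To: reception@example-practice.nhs.uk
Subject: URGENT: patient record request
Content-Type: text/html; charset="utf-8"

<p>Please confirm the records immediately or the account will be suspended.</p>
<p><a href="http://secure-mail-login.example/verify">https://example-practice.nhs.uk/portal</a></p>
"""
CLEAN = """\
From: Records <records@example-practice.nhs.uk>
To: reception@example-practice.nhs.uk
Subject: Test results uploaded
Content-Type: text/html; charset="utf-8"

<p>The results you asked for are in the portal:
<a href="https://example-practice.nhs.uk/portal">https://example-practice.nhs.uk/portal</a></p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(PHISH):
        print("-", finding)
```

Run as a script it lists the findings for the constructed phishing sample; the legitimate sample produces none. The lookalike check is intentionally crude (brand name inside a non-trusted domain, or a punycode label), because the goal is to surface what a busy reader would miss, not to replace the mail gateway's own filtering; anything it misses still relies on the trained human, and anything it flags should go through the same reporting channel.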

2. It minimises human error

We're all human, and humans make mistakes. A momentary lapse in judgement, a hurried click, or simple curiosity can have devastating consequences.

Research shows that human error causes 85% of cyber breaches. Phishing awareness training addresses both skills-based errors (not knowing how to identify threats) and decision-based errors (when security protocols are unintentionally bypassed).

By building knowledge and good habits, you turn potential weak points into security strengths. And with the right tools, you can track employee progress, set training deadlines, and ensure your team stays up to date with the latest threats. CyberSmart Learn, for instance, offers customisable training reports that help you identify knowledge gaps and measure improvement over time.

3. It aids compliance

Beyond the practical security benefits, phishing awareness training helps meet regulatory requirements. Many compliance frameworks – including GDPR, HIPAA, and SOC 2 – require or expect documented security awareness training.

Even in industries without explicit requirements, documented training programmes demonstrate due diligence and can:

  • Reduce liability in case of a breach
  • Lower cyber insurance premiums
  • Reassure customers and partners about your security posture

Outsmarting phishers

Phishing attacks succeed because they exploit human psychology. While firewalls and antivirus software are essential, they can't protect against an employee accidentally compromising sensitive information.

By investing in phishing awareness training, your team can become the most effective countermeasure in your arsenal against cybercrime.

Considering phishing awareness training for your business? CyberSmart Phish allows your business to run tailored phishing simulations, educate employees in real time, and track behavioural insights. And, it's included as part of CyberSmart Learn our cybersecurity awareness training platform, designed for small businesses and managed service providers.

Beyond digital defences: what is a human firewall in cybersecurity?

Firewalls, antivirus software, and intrusion detection systems are all essential components of a strong cybersecurity strategy. But what if the most effective defence against cyber threats isn’t digital at all?

What if you had a human firewall? A security layer built from awareness, vigilance, and smart decision-making, not code.

Understanding the human firewall

If you’re wondering, “What is a human firewall in cybersecurity?”, it’s simply employees who actively follow cybersecurity best practices. 

Just like a traditional firewall that blocks malicious traffic, a human firewall prevents cyber threats by identifying suspicious activity, avoiding social engineering attacks, and adhering to security policies.

Why you need a human firewall

Cyber threats that target people, not systems, are increasing. In fact, 42% of organisations experienced a successful social engineering attack in the past year. 

Hackers exploit basic human nature like wanting to be helpful, responding to authority, and acting quickly under pressure. 

Common social engineering threats include: 

These tactics are markedly more convincing with the rise of AI. Where suspicious emails once contained obvious spelling errors or unusual phrasing, AI-generated content now appears more polished and professional. Voice cloning can mimic your CEO on the phone, and deepfakes create convincing video impersonations of colleagues, meaning it's now easier than ever to fool people.

The benefits of a strong human firewall

A strong human firewall brings advantages that extend well beyond withstanding breaches:

  • Faster threat detection 
  • Improved customer confidence 
  • Streamlined regulatory compliance 
  • Enhanced business resilience

Faster threat detection

Employees who know what to look for spot unusual or suspicious activities faster. This significantly cuts the average lifecycle of cyberattacks, reducing their impact.

Improved customer confidence

When clients know your team follows best practice, trust grows. 83% of consumers remain loyal to businesses they believe handle their data responsibly.

Streamlined regulatory compliance

Meeting GDPR and other regulatory requirements is easier when your whole team understands their data protection responsibilities, helping you avoid hefty fines.

Enhanced business resilience

Operations bounce back faster after security incidents when teams know exactly what to do, minimising downtime and financial losses.

How to build a human firewall in cybersecurity

Building a human firewall in cybersecurity happens step by step – or should we say brick by brick?

1. Conduct regular cybersecurity training

Regular cybersecurity training programmes educate your team on the latest threats, attack techniques, and prevention methods.

2. Establish a clear cybersecurity policy

Share a cybersecurity policy that outlines best practices, acceptable use of company resources, and protocols for reporting security incidents. Ensure your team reviews these policies regularly to stay in the loop.

3. Encourage a security-first culture

Create a culture where you recognise and reward employees for proactive security behaviours.

4. Implement access controls

Limit access to sensitive data based on job roles. This ensures your team can only access information that’s necessary for their work.

5. Run simulations

Simulate social engineering attacks to spot-check your team’s understanding and see how they perform under pressure.

6. Enforce strong authentication practices

Use multi-factor authentication (MFA) and enforce strong password hygiene.

Put your people at the centre of your cybersecurity

Effective cybersecurity has less to do with your tech and more to do with your team. Building a strong human firewall means fostering a culture of shared responsibility, where every individual plays an important role in protecting your business from potential threats.

Considering introducing cybersecurity awareness training into your business? Check out CyberSmart Learn, our cybersecurity focused learning management system.

8 key takeaways from DSIT’s Cyber Security Breaches Survey 2025

Spring has sprung, and Easter has just passed. That can only mean one thing: the Department for Science, Innovation & Technology’s (DSIT) Cyber Security Breaches Survey 2025 has arrived.

If you’re unfamiliar with it, the annual report acts as a barometer of the UK’s cyber resilience. It outlines what UK organisations are doing to protect themselves, levels of cyber knowledge, common threats, the costs of breaches, and much more besides. However, it is also a very long report. So, as in previous years, we’ve pulled together the key takeaways for you.

1. Cyber breaches fall 

Let’s begin with some good news. Just over four in ten businesses (43%) and around a third of charities (30%) reported having experienced any kind of cybersecurity breach or attack in the last 12 months. This works out at around 612,000 businesses and 61,000 charities.

This represents a fall from the 2024 edition, where 50% (or 718,000) of businesses experienced a breach or attack. The figures are still higher than 2022 (39%), but it’s the first time in a few years that we’ve seen a decline rather than an increase.

The decrease is primarily driven by fewer micro and small businesses identifying phishing attacks (35% of micro businesses down from 40% in 2024 and 42% of small businesses down from 49% in 2024). However, breaches in medium and large businesses remain very high (67% medium and 74% large) with little change from 2024.

It’s hard to know what to make of this. On the one hand, it’s entirely possible that SMEs are simply identifying or reporting phishing attacks less often (because they’re so common), rather than experiencing a real decline in attacks. On the other hand, it could be an early indication that cybercriminals have redoubled their attacks on larger businesses.

2. Phishing remains the most common (and disruptive) cyber threat

Phishing scams have been by far the most common cyber threat faced by UK organisations for several years now. Unsurprisingly, 2025 is no different. 85% of businesses and 86% of charities experienced at least one phishing attack in the last year.

Organisations see phishing scams as the most disruptive threat because of the sheer volume of attacks and the time needed to investigate and address each one. More interestingly, most businesses recognised the importance of employee training in combating the threat.

The interviews cited in the report also reveal that businesses of all sizes are increasingly worried about the growing sophistication of phishing attacks. In particular, many organisations mentioned AI impersonation as a threat they felt fearful of.

3. Ransomware attacks on the rise?

DSIT reports a significant growth in ransomware incidents in the last year. Just over 1% of businesses experienced an attack, compared to less than 0.5% in the 2024 edition of the survey. What’s interesting is that, despite the increase in ransomware attacks, several sources are reporting a global decline in the prevalence of ransomware payments.

For example, CyberEdge Group’s 2025 Cyberthreat Defense Report reveals that only 41% of targeted organisations chose to pay out last year, a drastic fall from 63% three years ago. Likewise, the Data Security Incident Response Report from US law firm BakerHostetler suggests fewer attacks and lower ransom payments than in previous years.

Could we be seeing the last days of ransomware’s prevalence as a cybercrime tactic, as more and more organisations refuse to pay and governments (including the UK) actively discourage it?

4. Small businesses get serious about supply chains

Although the proportion of all businesses conducting supplier risk assessments (29%) has remained relatively flat (31% in 2024), we’ve seen a significant increase among SMEs: 48% of small businesses carried out a risk assessment covering cybersecurity, up seven percentage points from 41% in 2024. While, in an ideal world, the figure would be higher, this represents real progress in small businesses’ awareness of supply chain threats.

5. Small businesses’ cyber hygiene is improving

Most encouragingly, there’s evidence of real improvements in the cyber readiness and hygiene of the UK’s small businesses. All of the following areas saw significant increases in this year’s survey: 

  • Cyber security risk assessments (48%, up from 41%)
  • Cyber insurance coverage (62%, up from 49%)
  • Formal cyber security policies (59%, up from 51%)
  • Business continuity plans addressing cyber risks (53%, up from 44%)

This appears to indicate a real sea change in small businesses’ perceptions of cyber risk and what they need to do to manage it. In previous years, small businesses have typically been weak on measures like cyber insurance and formal policies and continuity plans. However, these figures demonstrate that SMEs are beginning to take cybersecurity much more seriously.

6. The financial impact of cyber breaches increases

Although it’s not a marked change, the average total cost of a business’s most disruptive breach increased this year. Among those businesses that were breached but with no outcome, the figure for this year is £1,600 (up from £1,205 in 2024). 

It’s a similar, if slightly more expensive, story for those businesses that experienced a breach with an outcome. For these businesses, the average cost was £8,260, up from £6,940 last year. 

It’s hard to gauge exactly what’s behind this rise. The costs are self-reported, so it’s possible that they’re within the normal range of difference we’d expect to see year-to-year. However, it’s also possible that it demonstrates a larger trend of breaches growing more disruptive.

7. Most businesses have the basics in place

Another real point of encouragement in this year’s survey is the widespread adoption of basic technical controls. Most businesses and charities have implemented basic cyber controls, including:

  • Network firewalls (72% of businesses and 49% of charities)
  • Backing up data securely via a cloud service (71% of businesses and 58% of charities) 
  • Restricted admin rights (68% of businesses and 68% of charities)
  • Updated malware protection (77% of businesses and 64% of charities)
  • Password policies (73% of businesses and 57% of charities)

However, there’s definitely room for improvement. The adoption of more advanced controls like multi-factor authentication (40% of businesses and 35% of charities), a virtual private network for staff connecting remotely (31% of businesses and 20% of charities), and user monitoring (30% of businesses and 31% of charities) remains low.

Likewise, although cybersecurity training and awareness activities are pretty widespread in large businesses (76%), few medium, small and micro businesses are offering it to staff. Just 19% of all businesses have some sort of training or awareness programme in place.

8. Governance and certifications are a mixed bag

The good news is that cybersecurity is a high priority for the majority of organisations (72% of businesses, 68% of charities), much the same as in previous years. However, a trend is emerging in who is responsible for cybersecurity. Board-level responsibility for cybersecurity seems to be on a gradual decline since its high of 38% of organisations in 2021 (it’s 27% in 2025).

This could mean that organisations are increasingly hiring specialists to manage security. Alternatively, it could be that boards are increasingly delegating the responsibility to subordinates who’ve gained greater cyber knowledge. At this point, we don’t know for sure, but it’s certainly a trend worth watching.

Finally, while businesses appear to be prioritising cybersecurity like never before, awareness of NCSC campaigns and accreditations like Cyber Essentials is declining.

For example, awareness of the NCSC’s Cyber Aware Campaign has declined since 2021 (when 34% of businesses and 38% of charities were aware of it). Likewise, just 12% of businesses and 15% of charities are aware of Cyber Essentials.

What can we do in 2025?

It’s clear that, while there are plenty of positives to take from this year’s Cyber Security and Breaches Survey, we in the cybersecurity community have some work to do. So, what should we prioritise in 2025? Here are our suggestions for Managed Service Providers, resellers, cybersecurity specialists or anyone involved in the sector:

  • Enhance our outreach and education for micro and small businesses, in particular, focusing on the importance of phishing awareness, security training, and advanced technical controls like MFA
  • Develop our own solutions and threat awareness resources to counter the rise of malicious AI use
  • Encourage organisations to formalise cybersecurity responsibilities at the board level
  • Promote the integration of cyber risk considerations in software procurement
  • Highlight the importance and accessibility of Cyber Essentials and government guidelines to improve baseline cybersecurity practices

Did you know 59% of SMEs provide no mobile cybersecurity training to staff? Find out why this is a problem and what to do about it in our SME Mobile Threat Report.

The importance of cybersecurity awareness training for employees

The cybersecurity skills gap doesn’t just affect large corporations. With 58% of organisations citing insufficient skills as the primary cause of breaches, cybersecurity awareness training is essential for businesses of all sizes.

What is cybersecurity awareness training?

Cybersecurity awareness training equips your employees with the knowledge and skills to identify, avoid, and respond to cyber threats. It covers everything from identifying phishing attempts to understanding password hygiene and safe device usage.

Unlike technical security measures that work in the background, awareness training directly empowers your team to make security-conscious decisions.

Your business runs on data – customer information, intellectual property, financial records, and operational details. The consequences of neglecting this data are far from virtual. 

Why is cybersecurity awareness training important?

Protects sensitive data

A data breach compromises more than just information; it severely impacts customer trust. Among businesses that have experienced a cyber-attack, 47% report greater difficulty attracting new customers, while 43% say they've lost existing customers entirely.

Cybersecurity awareness training teaches employees to recognise which information is sensitive, how to handle it safely, and identify unsafe practices that could put your business at risk.

Minimises human error

Human error accounts for a staggering 85% of cyber breaches. From clicking malicious links to using weak passwords or falling for social engineering tactics, simple mistakes can have catastrophic consequences.

Training significantly reduces these errors by building security awareness into everyday activities. When employees recognise threat patterns, understand the importance of security protocols, and develop good security habits, they go from your biggest vulnerability to your greatest defence.

Improves incident response

Even with the best preventative measures, security incidents still occur. When they do, the speed and effectiveness of your response is key to reducing the damage.

Formal incident response plans aren't as common as they should be. 36% of medium and large organisations don’t have one. This is alarming, considering that quick action minimises "dwell time" – the period when cybercriminals have free access to your systems.

Cybersecurity awareness training provides employees with clear steps to follow when they spot something suspicious, reducing the window of opportunity for hackers to cause harm.

Helps you comply with regulations

Regulatory compliance isn't optional, and non-compliance can result in severe penalties. GDPR infringements, for example, could cost your business up to €20 million (around £18 million) or 4% of global annual revenue, whichever is higher. 

Effective training ensures your team understands their responsibilities under these regulations and how to meet them.

Secures the remote workforce

Remote work has created new security challenges that traditional office-based defences can't address. When employees work from home, public venues, or on the move, your security perimeter extends to every location and device they use.

Threats include: 

  • Unsecured home networks that lack enterprise-grade protection
  • Unauthorised usage of personal devices for work purposes
  • Public Wi-Fi vulnerabilities that expose sensitive data 

Cybersecurity awareness training tailored to remote work scenarios helps employees recognise these risks and mitigate them. It ensures your security travels with your team, whether they're working from the kitchen table or a beachside café.

Should I get a cybersecurity certification?

Alongside training, certifications are a great way to take your security posture to the next level. Cyber Essentials provides a framework to improve your overall security and demonstrate your commitment to protecting data.

A certification helps you:

  • Show customers and partners that you take security seriously
  • Meet compliance requirements
  • Follow proven security frameworks rather than ad-hoc approaches
  • Win new business, such as government contracts and private sector opportunities, which require certification

Build a culture of cybersecurity awareness

The importance of cybersecurity awareness training for employees can’t be overstated. When security becomes part of your company's culture, employees naturally bring it into their daily routines and decision-making. And ultimately, this is what reduces cyber risk, and improves cyber resilience.

Considering introducing cybersecurity awareness training into your business? Check out CyberSmart Learn, our cybersecurity focused learning management system.

Debunking mobile device security risk myths

Misinformation about mobile device security spreads faster than a viral meme. These misconceptions tend to create a false sense of security, which is precisely what cybercriminals rely on. 

So, it’s time to separate fact from fiction. Let’s debunk some of the most common mobile device security risk myths.

Myth 1: Mobile phones are more secure than desktops

Spurred by the outdated belief that most breaches occur within Windows systems, most people assume that mobile devices are innately safer than desktops. 

Despite built-in security features such as biometric authentication, encryption, and sandboxing, mobile devices are just as vulnerable to cybersecurity risks as computers. 

Their portable nature, the rise in mobile phishing, and side-loaded apps are just some of the reasons for this.  

On the whole, no device is more secure than any other, and each has unique vulnerabilities.

Myth 2: No one can track my phone if location services are off

Disabling location services helps but doesn’t make your device completely invisible. Whether you use an iOS or Android phone, there are ways to track it without GPS. 

Proximity-based tracking is an alternative that uses signal strength, access points, and device interactions to infer locations. Examples include:

Cell tower triangulation

First developed to help emergency services locate callers, cell tower triangulation measures the time delay a signal takes to travel back to multiple towers from your phone. Then, it translates the delay into a distance that gives an estimated device location.
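To make the mechanism concrete, here is a toy trilateration in Python. It is an added example, not code from the original post: the tower coordinates, the phone position and the delays are all constructed, and it assumes ideal line-of-sight propagation with known one-way delays. The final function also shows how a small timing error translates into a location error, which is why the estimate is approximate rather than exact.

```python
"""Toy cell-tower trilateration (added example, not from the original post).

Given the one-way signal delay from a phone to three towers, the phone's
position can be estimated without any GPS fix. All tower coordinates and
delays below are constructed sample values.
"""
import math

SPEED_OF_LIGHT = 299_792_458.0  # metres per second

# Constructed: three towers on a local flat grid, positions in metres.
TOWERS = [(0.0, 0.0), (5000.0, 0.0), (0.0, 4000.0)]


def delay_to_distance(delay_s):
    """Convert a one-way radio delay (seconds) into a straight-line range (metres)."""
    return delay_s * SPEED_OF_LIGHT


def trilaterate(towers, ranges):
    """Estimate (x, y) from three towers and the range to each.

    Each range defines a circle (x - xi)^2 + (y - yi)^2 = ri^2. Subtracting
    the first circle from the other two removes the quadratic terms and
    leaves two linear equations in x and y, solved here with Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = towers
    r1, r2, r3 = ranges
    a = 2 * (x2 - x1)
    b = 2 * (y2 - y1)
    c = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    d = 2 * (x3 - x1)
    e = 2 * (y3 - y1)
    f = r1**2 - r3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a * e - b * d
    if abs(det) < 1e-9:
        # Three towers on one line give two mirror-image solutions.
        raise ValueError("towers are collinear: position is ambiguous")
    return (c * e - b * f) / det, (a * f - c * d) / det


def estimate_position(towers, delays_s):
    """Full pipeline: measured delays -> ranges -> position estimate."""
    return trilaterate(towers, [delay_to_distance(t) for t in delays_s])


def simulated_delays(towers, phone, timing_error_s=0.0):
    """Constructed measurements: ideal line-of-sight delays from `phone` to
    each tower, optionally biased by a fixed clock error so the effect of
    timing precision on accuracy can be seen."""
    return [
        math.dist(phone, tower) / SPEED_OF_LIGHT + timing_error_s
        for tower in towers
    ]


def location_error(towers, phone, timing_error_s):
    """Distance (metres) between the true position and the estimate obtained
    from delays that all carry the same timing error."""
    delays = simulated_delays(towers, phone, timing_error_s)
    return math.dist(phone, estimate_position(towers, delays))


if __name__ == "__main__":
    phone = (1200.0, 900.0)  # constructed true position
    print("estimate with ideal timing:",
          estimate_position(TOWERS, simulated_delays(TOWERS, phone)))
    # A 100 ns error in every delay shifts each range by about 30 m.
    print("error with 100 ns timing bias: %.1f m"
          % location_error(TOWERS, phone, 100e-9))
```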

Wi-Fi tracking

Wi-Fi tracking detects unique identifiers, like the media access control (MAC) address of devices that connect to or pass near Wi-Fi access points. Tracking these identifiers as the device moves allows systems to gather location data without an active network connection.

Bluetooth tracking

Bluetooth tracking relies on signals emitted by Bluetooth-enabled devices when they are within range of sensors or beacons. 

Beacons are often present in:

  • Airports
  • Retail shops 
  • Smart buildings 
  • Museums

Want to know more about the mobile threats facing small businesses? Check out our latest research report

Myth 3: I’ll know if my phone’s been hacked

It’s easy to assume you’ll be able to tell if your phone’s been hacked. Unfortunately, that’s not always the case. Estimates suggest that over 70% of malware employs stealth-oriented techniques to minimise visibility and evade detection. 

Stealth malware operates quietly in the background without the signs we’ve come to associate with compromised devices, such as: 

  • Freezing 
  • Strange pop-ups
  • Overheating 
  • Poor battery life 
  • Unexplained account activity 

Its primary purpose is to silently collect sensitive data, including passwords, messages, and banking information.

Myth 4: Only high-profile individuals need to worry about mobile security

While celebrities, executives, and politicians are prime targets for cybercriminals, most cyberattacks target ordinary people. 

The majority of cyberattacks are automated and launched at scale – an approach that will only increase with the rise of AI-powered cybercrime. 

The ‘spray and pray’ method targets a large number of individuals through mass, automated attacks. Even if a small fraction of the attacks succeed, hackers can still acquire vast amounts of confidential information.

Myth 5: I can’t be hacked twice

If you’ve ever heard the saying that lightning never strikes the same place twice, you’ll know it’s neither true for lightning nor cyberattacks. 

In reality, being hacked once makes you more vulnerable to future attacks, not less. Let’s look at why.  

  • Exposed personal information: hackers may have access to sensitive data like passwords or security questions. They can sell this information on the dark web. 
  • Credential stuffing: once your login details are exposed, cybercriminals are likely to use them to try and access other accounts and platforms.
  • Copycat attacks: if a company experiences a breach, and it’s covered in the media, other hackers might take notice and attempt similar attacks.

Myth 6: iPhones are immune to viruses

Apple devices have historically been more secure than Android devices due to iOS's closed nature and built-in security features. 

However, it’s a mobile security risk myth that they don’t get viruses. They’re rare but not unheard of.

Jailbreaking is a common tactic that cybercriminals use to remove the software restrictions operating systems impose, making the device vulnerable to malware and viruses.

Myth 7: Multi-factor authentication provides complete security

There’s no doubt that enabling multi-factor authentication (MFA) significantly improves cybersecurity, but it’s not infallible. 

Cybercriminals have developed ways to bypass MFA. Some of their tactics include: 

  • MFA fatigue attacks: cybercriminals flood your device with repeated MFA requests, hoping you’ll approve one. 
  • SIM swapping: hackers steal your phone number via SIM swapping, redirecting MFA codes to their device. 
  • Brute-force attacks: some MFA relies on weak security questions, which hackers can guess.

Know the facts, protect your mobile device

It’s time to face the facts – cybercrime is only getting more sophisticated. Don’t be misled by mobile device security risk myths, which breed complacency and make you vulnerable to threats. Instead, stay up to date on cybersecurity developments and keep your mobile device safe.


5 types of mobile ransomware and how to protect your devices

Mobile ransomware is one of the most disruptive types of cybercrime, often resulting in substantial downtime, financial loss, and reputational damage. 

With our mobile devices storing everything from banking credentials to confidential conversations and documents, it’s a cyber threat you can’t afford to ignore.

What is mobile ransomware?

Mobile ransomware is a type of malware. Hackers use it to encrypt files and block system access to extort money. 2024 was a significant year for ransomware, with the number of attacks rising by 13%. It was also the year the largest ransomware payment was recorded – £60 million ($75 million) to the Dark Angels.

How does mobile ransomware work?

Although there’s some variation between the different kinds of ransomware, they all follow the same three stages: infection, data encryption, and ransom demand. 

Cybercriminals use several methods to deliver ransomware to mobile devices, including: 

1. Phishing 

Phishing remains the delivery method of choice for mobile ransomware. Spear phishing is especially popular as it enables hackers to target specific, high-profile individuals.

Want to know more about the mobile-specific threats faced by small businesses like yours? Check out our latest research report.

2. Exploit kits

Hackers use these toolkits to scan devices for security vulnerabilities and install ransomware. 

3. Downloads

Cybercriminals disguise ransomware as legitimate apps. Once installed, the ransomware is free to spread. On the other hand, drive-by downloads don’t need user interaction – malware installs automatically when you visit a harmful website.

Types of mobile ransomware

Here are the five most common types of ransomware to be aware of.

1. Crypto ransomware

This well-known ransomware encrypts files and data, making them inaccessible without a decryption key. The attacker then demands payment, generally in the form of cryptocurrency. Cybercriminals favour cryptocurrency for its anonymity, global reach, and lack of regulation. 

Doublelocker is a notable variant of Android crypto-ransomware. It encrypts files and can change your device's PIN.

2. Locker ransomware

Rather than encrypting files, locker ransomware completely shuts you out of your device. Cybercriminals typically leave a note demanding payment to unlock it.

3. Scareware

This tactic creates fake panic but real danger. It mimics antivirus warnings and claims your device is infected, instructing you to download paid antivirus software. The kicker is that your device wasn’t infected in the first place but gets infected when you download the fake software. 

For example, a pop-up says, “Your device has 1,435 viruses! Pay £40 NOW to remove them!”

4. Leakware

Also known as extortionware or doxware. Instead of encrypting your files, leakware steals sensitive information and threatens to make it public.

5. Ransomware as a service (RaaS)

RaaS enables cybercriminals to buy or rent ransomware code from other hackers. It makes ransomware easily accessible, even to those with limited coding skills. According to the World Economic Forum, RaaS kits cost as little as £30 ($40).  

What are the most targeted industries?

Manufacturing is the most targeted sector in the UK, particularly small companies with 50-200 employees, followed by finance and healthcare.

Responding to a ransomware attack: to pay or not to pay?

Now, that is the question. UK law enforcement discourages victims from paying ransoms, as there’s no assurance that you’ll regain access to your device or data. Plus, complying with ransom demands increases the likelihood of being retargeted.

Here’s how to respond instead: 

  • Isolate affected systems: disconnect infected devices from the network to avoid ransomware spreading
  • Engage experts: consult cybersecurity professionals to guide your remediation efforts
  • Report the incident: notify law enforcement agencies
  • Restore backups: if available, use clean backups to restore data once you’ve eradicated the malware

How to keep your mobile devices and business safe

Following mobile device security best practices can help reduce your risks. Here are a few simple examples: 

  • Keep your operating system updated and patch security vulnerabilities
  • Regularly back up your data to an external hard drive or cloud storage 
  • Use strong passwords and enable multifactor authentication
  • Avoid downloading apps from unofficial sources 
  • Install reputable antivirus and anti-malware software to detect threats

Don’t let your data get held hostage

Cybercrime is increasingly targeting mobile devices, and ransomware is no exception. Understanding the different types of mobile ransomware and taking proactive security measures helps keep your devices and data safe.

What PPN 014 means for your business

Procurement Policy Note (PPN) 014 changes the requirements for government and public sector body tenders in the UK. Here’s everything you need to know.

What is PPN 014?

PPN 014 is a government directive aimed at reducing cyber risk in public sector supply chains. Essentially, if your business supplies services or products to government departments or bodies, you’ll be required to prove you have basic cybersecurity controls in place. The simplest way to do this is to complete Cyber Essentials certification.

Why has PPN 014 been enacted?

Simply put, supply chain attacks pose a huge problem. More than 75% of software supply chains experienced cyberattacks in 2024, at a rate of one every two days. What’s more, supply chain attacks are projected to cost the global economy $138 billion (£108 billion) by 2031. 

At the same time, according to government research, UK businesses are ill-prepared for supply chain risks. Only one in ten businesses say they review supplier risk (11%, vs. 9% of charities). PPN 014 is an attempt to plug this gap.

Want to know more about the risks posed by supply chains? Check out our guide to supply chain attacks

History and timeframes

Since 2014, suppliers bidding for certain government contracts have been expected to demonstrate a minimum level of cybersecurity. Earlier PPNs (PPN 09/14 and PPN 09/23) built this foundation, and PPN 014 updates it in line with recent legislation such as the Procurement Act 2023 and Procurement Regulations 2024.

If you’re a business PPN 014 applies to (more on which in the next section) there are a couple of dates to bear in mind:

  1. 24th February 2025 – all procurements that begin on or after this date are subject to the new rules
  2. Contracts awarded up to (and including) the 23rd February 2025 will continue to follow the earlier PPN 09/23 requirements

Who is in scope for PPN 014?

If you work with any of the following, you’ll be considered ‘in scope’ for PPN 014 the next time you bid for a contract: 

  • Central government departments and executive agencies
  • Non-departmental public bodies (NDPBs)
  • NHS bodies

To bid for any of these contracts you must be prepared to demonstrate that your cybersecurity meets the standards laid out by PPN 014.

What you need to do to meet PPN 014

Procurement requirements can appear daunting, especially if you’re new to thinking about your cybersecurity. However, the provisions of PPN 014 are actually quite simple and shouldn’t require wading through hours of paperwork or reinventing the wheel. Here’s what you should do.

1. Get Cyber Essentials certified

First things first, you need to complete Cyber Essentials or Cyber Essentials Plus certification. Cyber Essentials certification will help you put in place the five basic security controls required by PPN 014. 

Plus, it’ll protect your company. Cyber Essentials is proven to defend against 98.5% of the most common cyber threats. And, organisations with Cyber Essentials are 92% less likely to claim on cyber insurance policies.

All in all, it’s the easiest route to meeting PPN 014 requirements.

2. Check your certification scope

Once you’ve completed Cyber Essentials, you need to check the scope of your certificate. Does it cover the parts of your business that are relevant to the contract you’re bidding for?

If your operations are split across multiple locations, offices or areas you’ll need to clarify which parts are included. In most cases, this will have been something you tackled when undertaking the assessment. However, it’s always worth checking nothing has changed as it could invalidate your evidence if part of your operations fall outside the scope of your certificate.

3. Prepare documentation

Next, you’ll need to provide evidence of your certification when tendering. You should receive either a digital or physical certificate once you complete the assessment.

4. Keep an eye on your renewal date

Cyber Essentials is an annual certification so you’ll need to renew it once a year to account for any changes in your business. With this in mind, it’s worth keeping an eye on when your renewal date is coming up so you don’t become ineligible for government contracts.

How to prepare for PPN 014

1. Review the guidance

Visit the National Cyber Security Centre’s (NCSC) Cyber Essentials website and use the readiness toolkit to understand the requirements.

2. Understand your contractual requirements

Check tender documents carefully to confirm whether Cyber Essentials certification (or equivalent) is needed. If in doubt, you can always ask the contracting authority or your managed service provider for clarification.

3. Talk to CyberSmart

CyberSmart is dedicated to helping small businesses build Complete Cyber Confidence within their organisations. If you’re struggling with the requirements of PPN 014 or need to start the Cyber Essentials certification process, talk to us; we can help. We offer unlimited guidance and support, free 25k cyber insurance on completion, and we often get you certified in as little as 24 hours.

If you already work with an MSP (Managed Service Provider) or IT company, let us know so we can speak with them to support you through the process.

How can Managed Service Providers help?

Of course, if you’re an MSP who works with government bodies you’ll need to comply with the requirements of PPN 014 yourself. If this is the case, you likely need a Cyber Essentials certification (something we recommend for all MSPs, regardless of who you work with).

However, you may also need to help your clients meet these requirements. Whether by managing their IT services, helping them complete Cyber Essentials, or advising on security best practices, you have a vital role to play.

Supporting your clients

There are a few key things you can do to support your clients with PPN 014, these are:

Subcontractor management

If you work with other vendors or subcontractors, make sure they meet the necessary cybersecurity standards. By far the simplest way to do this is to insist that anyone you work with has a valid Cyber Essentials certification as a minimum requirement.

Provide advice

Many businesses, particularly SMEs, won’t be aware that they need to complete Cyber Essentials to bid for government contracts. This is your chance to walk them through the process, offer advice on best practices and, ultimately, help them become more secure.

Offer pre-tender support

Offer assistance to clients in preparing tenders that require PPN 014 compliance by outlining the certification roadmap and available resources such as the NCSC’s Active Cyber Defence guidance.

Finally, if you need support, reach out to CyberSmart. We work with over 800 MSPs across the UK and beyond. Find out how partnering with CyberSmart could benefit your business here.