The latest updates on the UK government’s Cyber Security and Resilience Bill


Back in July 2024, the UK government announced its plans to bring a Cyber Security and Resilience Bill before parliament. The bill is designed to tackle the growing threat to the UK’s critical national infrastructure (CNI), such as water, power and healthcare.

Things have been pretty quiet ever since, beyond some theorising about what the bill might include by industry blogs and panel discussions. But, as of early April, we have movement! The Department of Science, Innovation and Technology (DSIT) has released its Cyber Security and Resilience Policy Statement, setting out legislative proposals.

Here’s everything we know about the upcoming Cyber Security and Resilience Bill and what it could mean for your business.

What are the legislative proposals?

Of course, there’s no guarantee that all of the measures in the following list will be enacted or that, if they are, they’ll have the same scope. We’ve got months of amendments in both the Commons and the Lords before we see the final bill early next year. However, this is what has been sketched out.

1. Broader regulatory scope

The bill aims to broaden the scope of the 2018 NIS Regulations to include more organisations and suppliers. This would place stronger obligations on those deemed “critical” suppliers, like Managed Service Providers (MSPs) and those part of public sector or national infrastructure supply chains.

2. More power for regulators

Regulators would have greater powers to improve cybersecurity and resilience in the sectors they oversee. These powers could include:

  • Technical standards: Establish clearer cybersecurity standards and requirements based on the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework.
  • Incident reporting improvements: Expanded criteria, faster (24-hour initial notification, 72-hour detailed report), streamlined reporting to regulators and the NCSC, and new transparency requirements, such as informing customers directly of significant incidents.
  • ICO powers: Improved proactive information gathering powers for the ICO to better manage risks within digital services.
  • Cost recovery: Regulators could recover the costs of oversight through fees, reducing the taxpayer’s burden.

3. A more flexible cyber framework

The proposals would give the government greater flexibility to update cybersecurity frameworks, as and when needed, without primary legislation.

This is a sensible approach, allowing regulators to become a little more agile in responding to new threats and trends. For example, this would allow the government to extend the framework to cover new sectors. In fact, we think it’s highly likely this will happen as the UK’s cyber infrastructure further matures.

4. Greater executive powers

The bill also seeks to grant the government much stronger executive powers to respond to cyber threats when necessary for national security. Essentially, this means that if a regulated organisation isn’t adequately addressing a cyber threat that could impact national security, say, a supply chain attack involving critical infrastructure, the government could step in and force it to act.

What’s still under consideration?

As with any bill at this stage of the legislative process, some areas are still under consideration. The exact scope of the powers the Secretary of State could be granted is a live debate, due to obvious concerns about executive overreach. And, there are two other proposals still being ironed out.

Data centres regulation

The government is considering regulating data centres. This is due to their newly designated (and overdue) status as critical national infrastructure.

Any data centre with 1 megawatt capacity or more would likely be within scope of the regulations, unless it’s an enterprise data centre, in which case the threshold would be significantly higher (10 megawatts).

According to Raconteur, there are 224 such data centres, run by 68 operators, across the UK. The government expects 182 of them to fall in scope. So, if data centres are included, it’d be a major legislative change.

Statement of strategic priorities

The bill could also enshrine in law a commitment to publish a regular “statement of strategic priorities for regulators”. The thinking behind this is to create a unified and consistent approach to cybersecurity among UK regulators and ensure everyone is pulling in the same direction.

How will the Cyber Security and Resilience Bill affect MSPs?

If you run an MSP, the bill’s effect on your business will largely depend on its size and who it works with. 

According to the government’s 2024 figures, there are 11,492 MSPs active in the UK. Of these, we estimate that between 1,500 and 1,700 MSPs are potentially within scope of the NIS regulations. However, up to 600 may already be captured under existing cloud provision to their customers.

That leaves around 900 to 1,100 large and medium-sized MSPs that may need to consider the impact of regulatory compliance with NIS.

Due to their size, the 3,200 small MSPs and 6,600 micro MSPs operating in the UK are likely to be exempt from regulation. But if you lead a smaller MSP, that doesn’t necessarily mean the rules won’t impact you at all. You could still feel the effects through standards embedded by larger competitors, or if you’re in a critically important sub-sector, such as defence.

What does the industry think of the proposals?

The industry has generally welcomed the announcement. Few within the cybersecurity sector disagree that our critical national infrastructure needs stronger defences, or that any attempt to tackle the threat has to include the thousands of businesses that make up CNI supply chains.

Last year alone saw a ransomware attack on NHS pathology provider Synnovis that led to permanent damage to patients’ health, a data breach of payroll information at the Ministry of Defence, not to mention the revelations about Thames Water’s poor security.

Meanwhile, the NCSC reported that 2024 was a record-breaking year for attacks on CNI. And, according to the 2024 Thales Data Threat Report, 93% of CNI organisations saw a rise in cyber-attacks over the last year, with 42% of those suffering a data breach.

Against this backdrop, despite the extra obligations it places on businesses, the bill can only be seen as welcome and long overdue.

Did you know 59% of SMEs provide no mobile cybersecurity training to staff? Find out why this is a problem and what to do about it in our SME Mobile Threat Report.

What PPN 014 means for your business


Procurement Policy Note (PPN) 014 changes the requirements for government and public sector body tenders in the UK. Here’s everything you need to know.

What is PPN 014?

PPN 014 is a government directive aimed at reducing cyber risk in public sector supply chains. Essentially, if your business supplies services or products to government departments or bodies, you’ll be required to prove you have basic cybersecurity controls in place. The simplest way to do this is to complete Cyber Essentials certification.

Why has PPN 014 been enacted?

Simply put, supply chain attacks pose a huge problem. More than 75% of software supply chains experienced cyberattacks in 2024, at a rate of one every two days. What’s more, supply chain attacks are projected to cost the global economy $138 billion (£108 billion) by 2031. 

At the same time, according to government research, UK businesses are ill-prepared for supply chain risks. Only one in ten businesses say they review supplier risk (11%, vs. 9% of charities). PPN 014 is an attempt to plug this gap.

Want to know more about the risks posed by supply chains? Check out our guide to supply chain attacks

History and timeframes

Since 2014, suppliers bidding for certain government contracts have been expected to demonstrate a minimum level of cybersecurity. Earlier PPNs (PPN 09/14 and PPN 09/23) built this foundation and PPN 014 updates it in line with recent legislation such as the Procurement Act 2023 and Procurement Regulations 2024.

If you’re a business PPN 014 applies to (more on which in the next section) there are a couple of dates to bear in mind:

  1. 24th February 2025 – all procurements that begin on or after this date are subject to the new rules
  2. Contracts awarded up to (and including) the 23rd February 2025 will continue to follow the earlier PPN 09/23 requirements

Who is in scope for PPN 014?

If you work with any of the following, you’ll be considered ‘in scope’ for PPN 014 the next time you bid for a contract: 

  • Central government departments and executive agencies
  • Non-departmental public bodies (NDPBs)
  • NHS bodies

To bid for any of these contracts you must be prepared to demonstrate that your cybersecurity meets the standards laid out by PPN 014.

What you need to do to meet PPN 014

Procurement requirements can appear daunting, especially if you’re new to thinking about your cybersecurity. However, the provisions of PPN 014 are actually quite simple and shouldn’t require wading through hours of paperwork or reinventing the wheel. Here’s what you should do.

1. Get Cyber Essentials certified

First things first, you need to complete Cyber Essentials or Cyber Essentials Plus certification. Cyber Essentials certification will help you put in place the five basic security controls required by PPN 014. 

Plus, it’ll protect your company. Cyber Essentials is proven to defend against 98.5% of the most common cyber threats. And, organisations with Cyber Essentials are 92% less likely to claim on cyber insurance policies.

All in all, it’s the easiest route to meeting PPN 014 requirements.

2. Check your certification scope

Once you’ve completed Cyber Essentials, you need to check the scope of your certificate. Does it cover the parts of your business that are relevant to the contract you’re bidding for?

If your operations are split across multiple locations, offices or areas you’ll need to clarify which parts are included. In most cases, this will have been something you tackled when undertaking the assessment. However, it’s always worth checking nothing has changed as it could invalidate your evidence if part of your operations fall outside the scope of your certificate.

3. Prepare documentation

Next, you’ll need to provide evidence of your certification when tendering. You should receive either a digital or physical certificate once you complete the assessment.

4. Keep an eye on your renewal date

Cyber Essentials is an annual certification so you’ll need to renew it once a year to account for any changes in your business. With this in mind, it’s worth keeping an eye on when your renewal date is coming up so you don’t become ineligible for government contracts.

How to prepare for PPN 014

1. Review the guidance

Visit the National Cyber Security Centre’s (NCSC) Cyber Essentials website and use the readiness toolkit to understand the requirements.

2. Understand your contractual requirements

Check tender documents carefully to confirm whether Cyber Essentials certification (or equivalent) is needed. If in doubt, you can always ask the contracting authority or your managed service provider for clarification.

3. Talk to CyberSmart

CyberSmart is dedicated to helping small businesses build Complete Cyber Confidence within their organisations. If you’re struggling with the requirements of PPN 014 or need to start the Cyber Essentials certification process, talk to us; we can help. We offer unlimited guidance and support, free 25k cyber insurance on completion, and we often get you certified in as little as 24 hours.

If you already work with an MSP (Managed Service Provider) or IT company, let us know so we can speak with them to support you through the process.

How can Managed Service Providers help?

Of course, if you’re an MSP who works with government bodies you’ll need to comply with the requirements of PPN 014 yourself. If this is the case, you likely need a Cyber Essentials certification (something we recommend for all MSPs, regardless of who you work with).

However, you may also need to help your clients meet these requirements. Whether by managing their IT services, helping them complete Cyber Essentials, or advising on security best practices, you have a vital role to play.

Supporting your clients

There are a few key things you can do to support your clients with PPN 014, these are:

Subcontractor management

If you work with other vendors or subcontractors, make sure they meet the necessary cybersecurity standards. By far the simplest way to do this is to insist that anyone you work with has a valid Cyber Essentials certification as a minimum requirement.

Provide advice

Many businesses, particularly SMEs, won’t be aware that they need to complete Cyber Essentials to bid for government contracts. This is your chance to walk them through the process, offer advice on best practices and, ultimately, help them become more secure.

Offer pre-tender support

Offer assistance to clients in preparing tenders that require PPN 014 compliance by outlining the certification roadmap and available resources such as the NCSC’s Active Cyber Defence guidance.

Finally, if you need support, reach out to CyberSmart. We work with over 800 MSPs across the UK and beyond. Find out how partnering with CyberSmart could benefit your business here.

Everything you need to know about the upcoming Willow Question Set for Cyber Essentials


Spring is on the horizon and, in the cybersecurity world, that often means only one thing: changes to the Cyber Essentials question set. Titled Willow, a new question set is due to go live on 28th April 2025, replacing 2023’s Montpellier question set.

The Willow Question Set introduces several key updates to enhance organisations’ protection and reflect modern work practices. Here’s everything you need to know. 

Why is the change happening? 

As cyber threats continue to evolve, so too must our defences. In recognition of this, IASME and the National Cyber Security Centre (NCSC) have made some subtle tweaks to the question set. 

It’s best to think of these changes as a natural evolution of Cyber Essentials to account for new forms of authentication and changing working practices. Plus, they should help make the assessment process smoother by providing better guidance for anyone completing the certification.

What are the key updates in the Willow Question Set?

Scope clarification

The new question set provides clearer guidelines on what must be included in the scope of the assessment. For example, this includes any device accessing organisational data or services, even if they connect to cloud services rather than internal systems. 

Firewall management

Under the Willow Question Set, all firewalls and routers must be listed in the network equipment section. There’s also a requirement for home and remote routers to use software firewalls.

The language around firewall management has also been updated in an attempt to drive businesses to review their firewall rules regularly.

Password management

Willow updates existing password policy best practices by emphasising the need for secure configurations. It also introduces passwordless authentication as an acceptable method for securing firewalls and routers. However, passwordless systems may still require brute-force protection methods – such as randomly generated passwords, using letters and symbols etc – if they use backup passwords.

Vulnerability fixes

The terminology for patching throughout the assessment has been changed to “vulnerability fixes.” This is to better reflect the importance of patching and includes configuration or registry changes for vulnerabilities with a CVSS score of 7 or higher, or those classified as high or critical risk.
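The rule above (a fix is required when a finding has a CVSS score of 7 or higher, or is rated high or critical, and the fix may be a configuration or registry change rather than a patch) is easy to get wrong at the edges: scanners don’t always emit a CVSS score, vendor labels vary in case, and 7.0 itself is in scope. The following Python triage is an added example written for this post, not IASME, NCSC or CyberSmart code; the findings are constructed sample data, and the `fix_type` field is an assumption about how a scanner export might distinguish patches from configuration changes.

```python
"""Triage scan findings against the Cyber Essentials 'vulnerability fix' rule.

Added example, not IASME/NCSC code. Rule as described on this page: a finding
needs a fix when its CVSS score is 7.0 or higher, OR the vendor rates it high
or critical. The fix may be a patch or a configuration/registry change.
All finding records below are constructed sample data; 'fix_type' is an
assumed field name.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CVSS_THRESHOLD = 7.0                      # inclusive: 7.0 is in scope
IN_SCOPE_SEVERITIES = {"high", "critical"}


@dataclass(frozen=True)
class Finding:
    finding_id: str            # constructed identifier
    title: str
    cvss: Optional[float]      # None when the scanner gives no base score
    severity: Optional[str]    # vendor label, e.g. "Medium", "High", "critical"
    fix_type: str              # "patch" or "config" (assumed field)


def requires_fix(f: Finding) -> bool:
    """True when the finding meets either in-scope criterion."""
    if f.cvss is not None and f.cvss >= CVSS_THRESHOLD:
        return True
    # Fall back to the vendor label; normalise case and whitespace first.
    if f.severity is not None and f.severity.strip().lower() in IN_SCOPE_SEVERITIES:
        return True
    return False


def triage(findings: List[Finding]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split findings into required fixes (grouped by fix type) and out-of-scope."""
    required: Dict[str, List[str]] = {"patch": [], "config": []}
    out_of_scope: List[str] = []
    for f in findings:
        if requires_fix(f):
            required.setdefault(f.fix_type, []).append(f.finding_id)
        else:
            out_of_scope.append(f.finding_id)
    return required, out_of_scope


SAMPLE_FINDINGS = [  # constructed sample data, not real scan output
    Finding("F-1", "Outdated browser with known RCE", 8.8, "High", "patch"),
    Finding("F-2", "Service misconfiguration", 7.0, "Medium", "config"),   # boundary: 7.0 counts
    Finding("F-3", "Weak registry ACL", None, "critical", "config"),      # no CVSS, label decides
    Finding("F-4", "Informational banner disclosure", 2.1, "Low", "config"),
    Finding("F-5", "Missing optional update", 6.9, "Medium", "patch"),    # just below threshold
]

if __name__ == "__main__":
    req, skipped = triage(SAMPLE_FINDINGS)
    print("patches required:", req["patch"])
    print("configuration changes required:", req["config"])
    print("out of scope:", skipped)
```

The point of the `F-2` and `F-3` records is that a finding can enter scope on either criterion alone: a medium-labelled item with a 7.0 score still needs fixing, and an unscored registry issue labelled critical does too.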

Definitions and language

There are a few minor changes to the language within the question set. For example, updating the term “plugin” to “extension” and changing references from “home working” to “home and remote working”.

What about Cyber Essentials Plus?

As well as being subject to a new question set, there are some key changes to the Cyber Essentials Plus certification process to be aware of. Assessment tests 1 (Remote Vulnerability), 3 (Malware Protection) and 5 (Account Separation) remain the same. However, there have been some tweaks to tests 2 and 4.

Test 2 – Internal Vulnerability Assessment

The sampling process for the Internal Vulnerability assessment has changed substantially:

  1. Auditors must conduct sampling immediately before the audit. In previous years, the sample was drawn from the self-assessment report.
  2. Assessors validate the way sampling is conducted. This means an assessor will need to see the methods used to determine the number of devices in scope for the assessment.
  3. The assessor or certification body will hold and store sampling evidence for the one-year duration of the certificate. IASME can also request this information at any time.
  4. The specific devices included in the assessment, including the vulnerability scanning and end user tests, will now be determined by the assessor.
  5. The random sample of devices picked by the assessor will be sent to the applicant no more than 3 working days in advance.
  6. Internal vulnerability scans will now include ‘configurational changes’ as failure conditions. In the past, high severity vulnerabilities like Unquoted Windows File Path, or Registry Key issues weren't considered conditions for failure – they are now.

Test 4 – Multi-factor Authentication for Cloud Services

Rather than testing all cloud services, as in previous years, a sample is taken instead.

Only cloud services that are accessible by users or devices included in the random sample are tested. If none of the sampled users can access a specific cloud service, then that service is not tested.

Impact on your business

The impact of these changes on your business should be positive. The Willow Question Set provides better guidance and clarity for anyone undergoing Cyber Essentials Certification. Not only will it make the assessment processes easier, but it’ll also better equip your business to meet modern cyber threats. 

However, it’s well worth familiarising yourself with the new requirements before your next renewal.

Managed service providers

The same is true if you’re an organisation providing Cyber Essentials for businesses. Your customers should be able to get through the assessment with less support and finish it better protected to boot.

Again, it’s definitely worth getting to grips with the new requirements so you can offer support to customers where they need it.

If you have any questions about the changes or want to know more about what they mean for your business, please get in touch. We’ll be happy to walk you through it.

5 key findings from the CyberSmart Mobile Threat Report

To celebrate the launch of CyberSmart Active Protect for mobile, we commissioned a survey asking 250 UK CEOs from companies with under 250 employees about their mobile security habits. We hoped to find out how the UK’s small businesses are tackling mobile security threats, what their security looks like, and whether there were obvious areas for improvement.

Our resulting SME Mobile Threat Report makes for illuminating and, at times, sobering reading. Here are our key takeaways.

1. Most small businesses expect staff to use mobile phones for work

Bring your own device (BYOD) policies can offer dramatic CapEx savings. And, unsurprisingly, this is a very attractive proposition for small businesses with tightened belts. Therefore, it’s no surprise that 60% of organisations expect their employees to use mobile devices to carry out work tasks, despite not providing all of them with work phones. Indeed, 65% of those businesses that don’t provide all staff members with mobile phones expect staff to use personal devices.

There’s nothing wrong with this in principle. Why wouldn’t you take advantage of devices your people already own, rather than investing heavily? However, as we’ll see shortly, it can pose some problems. 

2. Many SMEs don’t have a mobile code of conduct for staff

Behaviour is essential to any successful BYOD policy. Staff need to understand what’s expected of them from a security perspective to work safely.

For example, you might enforce a policy that staff must never connect to an unsecured Wi-Fi network without using a VPN. A clear code of conduct or security policy can help prevent your business from being exposed to unnecessary risks.

So it’s concerning to see that while 59% of small businesses do have a code of conduct for completing work-related tasks on personal devices, over a third (39%) don’t.

3. Most SMEs don’t offer mobile security training to staff

Although it’s concerning that many small businesses are implementing BYOD programmes without clear security and conduct policies in place, we came across an even bigger problem. 

The majority (59%) of our respondents said that they don’t provide any mobile phone security training for staff. Without training on how to identify and avoid cyber threats or what safe online behaviour looks like, these businesses are courting potential disaster.

According to research from Cybint, 95% of cyber breaches stem from some sort of human error, or, in simple terms, could have been prevented. This is also backed by older research from Stanford University and Tessian which puts the figure at 88%.

Whichever figure you prefer, that’s a lot of preventable cyberattacks. And, by not providing security awareness training to staff, it’s exactly these kinds of breaches that small businesses are risking.

Interestingly, many of our concerns around SMEs neglecting staff training and policies are borne out later in the Mobile Threat Report.

According to the Department for Science Innovation & Technology (DSIT), 84% of all UK businesses have received some kind of phishing attack in the last 12 months. So, we asked SME leaders whether they or anyone at their business had clicked on a malicious link via mobile.

Although almost half (47%) of small business leaders responded no, some 38% reported that someone within their business had clicked on a phishing link – still a high number. What’s more, the real figure is likely to be somewhat higher given that a further 15% were either unsure or preferred not to answer.

This poses a real risk for small businesses. The UK has lost £1.7 billion to phishing scams in the last year, while the average cost of a breach to an SME ranged between £2,240 and £17,190. Worse still, phishing scams are often used to launch much nastier cyber threats such as ransomware and banking trojans. 

5. SME staff are engaging in risky behaviour

Perhaps unsurprisingly given the problems we outlined earlier, the day-to-day cyber hygiene of SME staff raises concerns.

For example, a quarter of respondents admitted using a mobile device for work at a public charging station (e.g., at an airport or café), and 36% of respondents have worked from a public WiFi network on a mobile device. A further 9% admitted to forwarding corporate data to a personal account, and 11% admitted to storing corporate passwords or login credentials on a mobile device without encryption.

This risky behaviour suggests low mobile security awareness among employees and a clear lack of concrete policies.

The good news? These risks are easy to mitigate

We’ve painted a pretty bleak picture of UK SMEs’ mobile security. And, it’s true, our research indicated some areas of real concern. However, the good news is that all of the issues our survey revealed are easy to mitigate.

To find out how, read our full report here.

Seven key takeaways from the NCSC Annual Review 2024


The National Cyber Security Centre’s (NCSC) Annual Review 2024 offers a comprehensive overview of the UK’s cybersecurity landscape. This year’s report is a mixed bag for the industry. On one hand, significant progress has been made in areas such as threat prevention. However, persistent challenges remain and the report underscores the urgent need for collective action to tackle the most pervasive threats.

Here’s what you need to know, supported by key statistics and expert insights from the review.

1. Ransomware remains the most immediate threat

Unsurprisingly, ransomware remains high on the NCSC’s agenda. Attacks like the one on Synnovis, which disrupted NHS services and delayed thousands of medical procedures, demonstrate the deep impact of ransomware. 

The review highlights the increasing sophistication of these attacks, with industrial control systems now a key target.

"Ransomware remains the most significant, serious, and organised cybercrime threat faced by the UK," the NCSC emphasised.

Key stat: The NCSC managed 20 ransomware incidents in 2024, 13 of which were classified as nationally significant—up from 10 in 2023.

Takeaway

Proactive resilience is essential. Adopting frameworks like Cyber Essentials can significantly reduce vulnerabilities to ransomware, as shown by the 92% reduction in insurance claims for certified organisations.

2. Nation-state threats escalate

The geopolitical landscape is amplifying cyber threats, with Russia, China, and North Korea leading state-sponsored campaigns. China, in particular, has been identified as a persistent actor targeting critical infrastructure for espionage and potential disruption.

"China state-affiliated actors routinely seek access to networks globally, targeting critical national infrastructure for espionage and disruptive purposes," warns the review.

Key stat: In 2024, the NCSC issued 1,957 cyber attack alerts, including 89 nationally significant incidents—a sharp rise from 62 the previous year.

Takeaway

The alignment of public and private sector defences is critical to counter sophisticated, state-sponsored attacks.

3. Artificial intelligence: A dual challenge

AI is reshaping cybersecurity, offering both threats and opportunities. While cybercriminals are using AI for precision reconnaissance and social engineering, defenders are harnessing AI to automate detection and improve response times.

"Generative AI will make it harder for defenders to identify social engineering attacks without the development of new mitigations," the NCSC noted.

Key stat: AI-driven tools have significantly narrowed the time between vulnerability discovery and exploitation, heightening the need for real-time defences.

Takeaway

Although cybercriminals appear to have the edge in AI at the moment, it doesn’t have to be this way. As the technology develops, organisations should explore AI-enhanced cybersecurity solutions to match adversaries’ growing capabilities.

4. Cyber Essentials: A proven solution

The Cyber Essentials scheme continues to demonstrate its value as a foundational framework for organisational security. Now in its tenth year, the programme has helped thousands of businesses mitigate common cyber threats.

"Cyber Essentials is a proven baseline that guards against the most common cyber attacks while signalling to customers that businesses take security seriously," the review stated.

Key stats: Organisations with Cyber Essentials are 92% less likely to claim on cyber insurance policies.

Over 33,000 Cyber Essentials certifications were issued in 2024, a 20% increase on the previous year.

Takeaway

Businesses of all sizes should prioritise achieving Cyber Essentials certification to protect themselves and build customer trust.

5. Securing democracy: Election protection

The NCSC played a pivotal role in safeguarding the 2024 UK General Election, implementing pre-emptive measures to secure infrastructure and provide tailored cyber support to high-risk individuals.

"The general election was delivered smoothly and securely, with no major incidents impacting the outcome," the review confirmed.

Key stat: Over 50% of the bespoke alerts issued by the NCSC in 2024 related to pre-ransomware activity, enabling organisations to act before attacks could escalate.

Takeaway

Critical events require tailored cybersecurity strategies to pre-empt threats and ensure operational continuity.

6. The role of legislation in resilience

The Cyber Security and Resilience Bill, expected to become law this year, will expand regulatory protections, enhance reporting requirements, and enforce stronger accountability across digital supply chains.

"The bill is a crucial step toward hardening the UK’s defences against sophisticated cyber threats," the NCSC stated.

Key stat: Over 70% of organisations in the NCSC’s trust groups have adopted Early Warning services to enhance preparedness.

Takeaway

Organisations must prepare to comply with stricter regulatory requirements, especially in critical infrastructure sectors.

7. Systemic market challenges

The NCSC highlights a critical gap in how technology markets prioritise security. Basic safeguards like multi-factor authentication are often treated as premium features rather than standard offerings.

"We must build a future where products are secure, private, resilient, and accessible to all," the review advocates.

Key stat: Memory safety vulnerabilities remain one of the most prevalent causes of breaches, exacerbated by insufficient adoption of secure-by-design principles.

Takeaway

Industry and regulators must champion secure-by-design principles to address systemic vulnerabilities and improve resilience.

What is the key takeaway?

Above all, the NCSC’s Annual Review is a stark reminder that, from small businesses to national infrastructure, the UK’s cyber resilience requires urgent attention. That might sound like a gargantuan task. However, in reality, all it requires is that everyone pitches in. 

"Improving resilience is not a technical challenge—it’s a matter of urgency and leadership," the review concludes.

Whether you’re an SME or part of a critical national sector, the time to act is now. Adopt frameworks, collaborate with trusted partners, and embed security into your operations. Together, we can close the resilience gap and create a safer digital future.

Want to know more about the threats facing small businesses like yours? Check out our latest research, The SME Mobile Threat Report.

Press release: Poor mobile security practices rife at SMEs, CyberSmart survey finds

Cybersecurity incidents and poor mobile cybersecurity hygiene are endemic across the UK's SMEs

London, UK – 04/12/2024 - New research conducted by CyberSmart, a leading provider of SME security solutions, indicates that mobile cybersecurity incidents at small businesses are widespread. 

The research, conducted by OnePoll in Autumn 2024, which polled 250 small-medium enterprise (SME) business owners or leaders in the UK, found that over a third (38%) of small business employees or owners report clicking on a phishing link via mobile.

Elsewhere, 30% of respondents reported losing or having stolen a mobile phone containing sensitive corporate information, leaving their business more vulnerable to potential cybercriminal activity. 

While these dramatic incidents are a concern from a security perspective, the minutiae of business activity taking place on a mobile, without policies in place, also suggest a concerning lack of security awareness from SMEs. For example, a quarter of respondents admitted using a mobile device used for work to a public charging station (e.g., at an airport or café), and 36% of respondents have worked from a public WiFi network on a mobile device. A further 9% admitted to forwarding corporate data to a personal account, and 11% admitted storing corporate passwords or login credentials on a mobile device without encryption. 

“These results are obviously a concern for SMEs and their employees. Large organisations are more likely to implement security awareness training for mobile devices and implement a code of conduct for corporate devices. This is not a luxury afforded to most SMEs, who do not have the resources or time to do so,” said Jamie Akhtar, Co-Founder and CEO at CyberSmart. “It is the responsibility of the cybersecurity industry to change this, and to make security more accessible for the small businesses which make up 99% of the UK economy.”

You can find the full results of the survey here.

Press release: Mobile security policy missing at most SMEs, CyberSmart survey finds


CyberSmart research reveals 60% of businesses expect their employees to carry out work tasks on their personal mobile phone.

London, UK – 26/11/2024 - New research conducted by CyberSmart, a leading provider of SME security solutions, indicates that organisations not only allow employees to use their personal mobile phones to complete work tasks but actively expect them to.

The research, conducted by OnePoll in Autumn 2024, polled 250 small and medium-sized enterprise (SME) business owners or leaders in the UK and found that 60% of organisations expect their employees to use mobile devices to carry out work tasks despite not providing all of them with work mobile phones.

Equally concerning is that almost two-thirds (60%) of staff members are not expected to carry out mobile security training. An organisation that allows employees to use personal mobile phones to carry out work without security training is massively increasing the chance of a breach.

Elsewhere, the survey unearthed a worrying lack of concern from business leaders regarding cybersecurity and employee security. 40% of organisations do not have a mobile code of conduct in place for employees.

“While these results are concerning, SMEs in the UK remain chronically underserviced by the cybersecurity industry,” said Jamie Akhtar, Co-Founder and CEO at CyberSmart. “It is important to make the distinction that many of these organisations have limited resources and are already stretched thin, making it difficult for them to invest in cybersecurity.

We would advise SMEs to engage with solution providers who understand their specific needs and, more broadly, would advise them to consistently focus on cybersecurity training, IT policies and fostering a more security-conscious culture, which would help them to achieve a more secure workplace.”

You can find the full results of the survey here.

Key takeaways from the Cyber Essentials Impact Evaluation Report


As anyone in the cybersecurity industry knows, October marks an important anniversary for the sector. The government-backed Cyber Essentials scheme turns 10 this year. And, alongside a bunting-draped celebration at the House of Lords, the Department for Science, Innovation and Technology (DSIT) has commissioned the Cyber Essentials Impact Evaluation Report.

Undertaken by Pye Tait Consulting, the study examines the scheme’s effectiveness, organisations’ motivations for certification, and the ease of adopting its technical controls. However, the report is also 110 pages long. So, to save you several hours, here are our key takeaways from the report. 

Cyber Essentials technical controls boost cyber confidence

The study reveals that Cyber Essentials’ five technical controls are remarkably effective. Citing research on the protections, it concludes they mitigate 99% of ‘internet-originating’ vulnerabilities when implemented. 

This isn’t really news. Researchers at Lancaster University concluded the same as far back as 2015. However, what’s far more interesting is how Cyber Essentials makes business leaders feel. A significant majority (82%) of users express confidence that these controls protect against common cyber threats, with 80% believing they help mitigate organisational risks.

In other words, Cyber Essentials is a key step towards building complete cyber confidence.

Cyber Essentials has been effective in building cyber awareness

Cyber Essentials was always intended to do more than help businesses put technical controls in place. The plan was that by completing the assessment process, organisations would also become more aware of the threats and better equipped to counter them.

Cyber Essentials has also been a success by this measure. The report reveals that Cyber Essentials users have a heightened ability to identify unsophisticated cyberattacks, with 64% agreeing that certification aids in this identification. And that’s not all. Certified organisations also demonstrate greater concern about cyberattacks and better appreciate the potential impact than non-certified organisations.

The same is true for the understanding of cybersecurity. Most users (85%) reported an improved understanding of cyber risks and how to reduce them (88%). Perhaps most importantly, this positive trend was most notable among senior management, with 86% saying Cyber Essentials has improved their understanding. 

Cyber Essentials stimulates wider security practices

Another of the original aims of Cyber Essentials was that it would act as a catalyst for bigger things. Think of it as a strong foundation that businesses could build the rest of their security architecture on top of. 

Again, the study finds that the scheme has been largely successful at doing just that. 76% of certified organisations have taken additional steps beyond the technical controls to enhance their cybersecurity. Alongside this, almost three-quarters (71%) of respondents agreed that the scheme has strengthened how seriously they take cybersecurity. And, hearteningly, this has helped foster a culture of shared responsibility for cybersecurity within their organisations, encouraging regular discussions and proactive measures.

Cyber Essentials as a supply chain assurance tool 

There’s also some evidence that Cyber Essentials has taken on some extra functions over its ten-year lifespan. For example, Cyber Essentials is increasingly used as a supply chain assurance tool.

Those surveyed revealed that a third (33%) of all contracts they’ve entered into in the last year required them to be Cyber Essentials certified. What’s more, a growing number of businesses are setting these obligations for their own suppliers. Some 15% of Cyber Essentials users have made it mandatory for their suppliers to be certified and plan to continue doing so, while a further third (33%) are actively considering mandating Cyber Essentials in the future. 

However, there is definitely room for improvement on this count. Just under half of Cyber Essentials users (45%) take Cyber Essentials into account when assessing the cyber risk a supplier poses, meaning we’ve some way to go before Cyber Essentials can be considered a universal stamp of assurance for suppliers. 

The scheme has created value beyond security for businesses

One of the biggest historical barriers to Cyber Essentials adoption, particularly among small businesses, has been value for money. It’s not uncommon for those new to the scheme to ask ‘Do I really need this?’

Nevertheless, those who’ve taken up Cyber Essentials certification have been overwhelmingly positive about the commercial benefits. 69% of survey respondents noticed increased competitiveness post-certification. Meanwhile, 80% agreed that being certified can reduce the financial cost to their organisation of a common, unsophisticated cyberattack.

There’s also some evidence that Cyber Essentials has a positive impact on businesses' cyber insurance costs: firstly, through the bundled insurance, often free, offered alongside Cyber Essentials by many certification providers; and secondly, by dramatically decreasing the likelihood of a claim.

The report cites the NCSC’s 2023 Annual Review, which suggests that 80% fewer cyber insurance claims are made when Cyber Essentials is in place, compared with organisations that have the same insurance policy and don’t have Cyber Essentials certification. According to the government's latest figures, this is now even higher at 92%.

There is still room for improvement 

Despite the positive findings of the report, it does have a blind spot. Although general cyber awareness among Cyber Essentials users is excellent, it’s debatable whether the same is true across society.

The NCSC's 2024 Cyber Security Breaches Survey revealed that awareness of Cyber Essentials has actually declined in recent years. Just 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme. This is consistent with 2023 figures but represents a decrease over the past 2-3 years.

Plus, while 141,712 certificates have been issued and thousands of businesses have adopted the scheme, this only represents a small fraction of the UK’s estimated 5.6 million businesses.

In short, we have an awareness problem. 

The report does list wider-reaching marketing campaigns among its recommendations, so it’s great to see that DSIT recognises the problem. But for the cybersecurity community, our mission is clear. Given the huge benefits felt by those who’ve already adopted Cyber Essentials, we need to reach more businesses and generate greater awareness of the scheme and security measures beyond it.

Achieve that and we’ll have helped build a far safer online environment for UK businesses by the time Cyber Essentials hits 20.

Have you read our 2024 MSP survey yet? It's full of insight on MSPs' cybersecurity and the future of the industry. Get your copy here.

Press release: CyberSmart partners with e92plus


LONDON, UK - 1st October 2024 - CyberSmart, a leading provider of cyber risk management for small businesses, has today launched its partnership with e92plus, the UK’s top independent cybersecurity Value Added Distributor (VAD).

e92plus has long been dedicated to protecting its partners and helping them accelerate business growth through its suite of channel-first security and cloud solutions. Indeed, e92plus has helped over 1,200 VARs, MSPs, SIs, CSPs and consultancies across the UK and Ireland.

CyberSmart offers an all-in-one cybersecurity monitoring, optimisation, training and insurance solution, proven to defend against the unexpected. Like e92plus, CyberSmart focuses on delivering its cybersecurity platform through the channel, making this an auspicious partnership.

The partnership will focus on delivering CyberSmart’s cyber risk management platform, including Cyber Essentials certification, its CyberSmart Active Protect and CyberSmart Vulnerability Manager products, and cyber insurance, to e92plus’ partners throughout the UK and Ireland.

While the partnership is launching primarily in the UK and Ireland, e92plus plans to launch alongside CyberSmart in the Netherlands and other EU markets in the coming years.

The joining of forces between CyberSmart and e92plus is timely. A recent survey from CyberSmart reveals that 65% of MSP customers now expect their provider to manage their cybersecurity infrastructure or their cybersecurity and IT infrastructure. This partnership will help deliver the tools MSPs and VARs need to meet customer demand. 

“We’re excited to be working with CyberSmart to bring their platform to our partner community,” explains Mukesh Gupta, CEO at e92plus. “We’re seeing strong demand in the SMB and mid-market sectors for more assistance around cybersecurity strategy, processes and compliance standards, and this addresses that growing marketing need. The requirements are so complex and diverse, and many businesses struggle to have the internal staff and expertise to manage their cybersecurity tools, let alone manage frameworks, address staff training and ensure an organisation has the right risk management and reporting in place. For our VARs and MSPs, this is a perfect way to build their services and consultancy offering without significant investment.”

“We’re delighted to be working with e92plus,” said Jamie Akhtar, CEO at CyberSmart. “Our businesses share a vision of what cybersecurity for SMBs should look like. The demand for solutions that can help smaller businesses get on top of their cybersecurity, compliance and risk management is only growing. And this partnership addresses the demand, while giving MSPs and VARs a fast and simple route to building up their cybersecurity capabilities. We see this as another important step towards our mission of providing complete cyber confidence to every small business.”

Press release: Over 1.1 million UK SMEs at risk of collapse during current economic uncertainty


Over one in five UK SMEs (21%) are worried that their business will not survive the current economic uncertainty or expect that they will have to make a significant business pivot. This is according to a survey of a thousand SME senior leaders and decision-makers across the UK, commissioned by CyberSmart and conducted by Censuswide.

The UK government estimates that the country is home to at least 5.5 million SMEs. If we were to extrapolate the findings, it could mean 1.155 million businesses are in a precarious position and risk collapse.

Remarkably, the survey also revealed that some SME senior leaders would go to great lengths to ensure the business's survival. These behaviours range from engaging in cybercriminal activity and committing accounting fraud to neglecting compliance requirements.

Activities that SME senior leaders would consider engaging in include:

  • 15% would commit accounting fraud and lie to bankers/investors to secure funding or commit tax fraud/evasion (potentially equivalent to 825,000 SMEs)
  • 14% would cut employee salaries or benefits (potentially equivalent to 770,000 SMEs)
  • 11% would leverage proprietary information from partners/clients such as selling off the data (potentially equivalent to 605,000 SMEs)
  • 11% would neglect compliance requirements due to the additional costs they incur (potentially equivalent to 605,000 SMEs)
  • 10% would engage in cybercriminal activity such as hitting a rival company with a cyberattack (potentially equivalent to 550,000 SMEs)
  • 9% would mortgage their house (potentially equivalent to 495,000 SMEs)

SMEs decrease cybersecurity spending

Additionally, a third of SMEs have decreased cybersecurity spending due to the economic uncertainty or, more worryingly, admitted to never really having invested in it.

In fact, as many as 42% of SME senior leaders do not believe it is worth investing in cybersecurity, with over 1 in 5 (21%) believing they are not a target. A further 16% claim it is not worth it because they have cyber insurance and 10% assert it is not a priority. Only 25% realised it was worth investing in cybersecurity because they could not afford to be breached.

CyberSmart CEO Jamie Akhtar reacted with the following:

“As a business owner myself, I can understand the pressure many SME decision-makers are currently facing to keep their companies running and ensure their employees are taken care of, all while budgets tighten. It is during these times that emotions run high, and people might make irrational decisions that go against their own, and their company’s, best interest. It goes without saying that we would never condone criminal behaviour. Moreover, we would strongly recommend that businesses invest in cybersecurity and compliance.”

“The business ecosystem has become highly intertwined, so no business is immune from cyberattacks. In fact, SMEs could prove to be an easy entry point for cybercriminals looking to hit others within their supply chain, if they have weak cybersecurity postures. While cyber insurance is important for risk transfer, it should not be relied on either. A comprehensive and continuous cybersecurity and compliance strategy is needed to avoid a breach's financial, reputational and even physical repercussions. Fortunately, there are solutions today that can help in doing so, without breaking the bank.”

Want to know more? Read the report in full here.

SME cost of living crisis