
5 key findings from the CyberSmart Mobile Threat Report


To celebrate the launch of CyberSmart Active Protect for mobile, we commissioned a survey asking 250 UK CEOs from companies with under 250 employees about their mobile security habits. We hoped to find out how the UK’s small businesses are tackling mobile security threats, what their security looks like, and whether there were obvious areas for improvement.

Our resulting SME Mobile Threat Report makes for illuminating and, at times, sobering reading. Here are our key takeaways.

1. Most small businesses expect staff to use mobile phones for work

Bring your own device (BYOD) policies can offer dramatic CapEx savings. And, unsurprisingly, this is a very attractive proposition for small businesses with tightened belts. Therefore, it’s no surprise that 60% of organisations expect their employees to use mobile devices to carry out work tasks, despite not providing all of them with work phones. Indeed, 65% of those businesses that don’t provide all staff members with mobile phones expect staff to use personal devices.

There’s nothing wrong with this in principle. Why wouldn’t you take advantage of devices your people already own, rather than investing heavily? However, as we’ll see shortly, it can pose some problems. 

2. Many SMEs don’t have a mobile code of conduct for staff

Behaviour is essential to any successful BYOD policy. Staff need to understand what’s expected of them from a security perspective to work safely.

For example, you might enforce a policy that staff must never connect to an unsecured Wi-Fi network without using a VPN. A clear code of conduct or security policy can help prevent your business from being exposed to unnecessary risks.

So it’s concerning to see that while 59% of small businesses do have a code of conduct for completing work-related tasks on personal devices, over a third (39%) don’t.

3. Most SMEs don’t offer mobile security training to staff

Although it’s concerning that many small businesses are implementing BYOD programmes without clear security and conduct policies in place, we came across an even bigger problem. 

The majority (59%) of our respondents said that they don’t provide any mobile phone security training for staff. Without training on how to identify and avoid cyber threats or what safe online behaviour looks like, these businesses are courting potential disaster.

According to research from Cybint, 95% of cyber breaches stem from some sort of human error, or, in simple terms, could have been prevented. This is also backed by older research from Stanford University and Tessian which puts the figure at 88%.

Whichever figure you prefer, that’s a lot of preventable cyberattacks. And, by not providing security awareness training to staff, it’s exactly these kinds of breaches that small businesses are risking.

Interestingly, many of our concerns around SMEs neglecting staff training and policies are borne out later in the Mobile Threat Report.

According to the Department for Science, Innovation and Technology (DSIT), 84% of all UK businesses have received some kind of phishing attack in the last 12 months. So, we asked SME leaders whether they or anyone at their business had clicked on a malicious link via mobile.

Although almost half (47%) of small business leaders responded no, some 38% reported that someone within their business had clicked on a phishing link – still a high number. What’s more, the real figure is likely to be somewhat higher given that a further 15% were either unsure or preferred not to answer.

This poses a real risk for small businesses. The UK has lost £1.7 billion to phishing scams in the last year, while the average cost of a breach to an SME ranged between £2,240 and £17,190. Worse still, phishing scams are often used to launch much nastier cyber threats such as ransomware and banking trojans. 

5. SME staff are engaging in risky behaviour

Perhaps unsurprisingly given the problems we outlined earlier, the day-to-day cyber hygiene of SME staff raises concerns.

For example, a quarter of respondents admitted using a mobile device for work at a public charging station (e.g., at an airport or café), and 36% of respondents have worked from a public WiFi network on a mobile device. A further 9% admitted to forwarding corporate data to a personal account, and 11% admitted to storing corporate passwords or login credentials on a mobile device without encryption.

This risky behaviour suggests low mobile security awareness among employees and a clear lack of concrete policies.

The good news? These risks are easy to mitigate

We’ve painted a pretty bleak picture of UK SMEs’ mobile security. And, it’s true, our research indicated some areas of real concern. However, the good news is that all of the issues our survey revealed are easy to mitigate.

To find out how, read our full report here.

Seven key takeaways from the NCSC Annual Review 2024


The National Cyber Security Centre’s (NCSC) Annual Review 2024 offers a comprehensive overview of the UK’s cybersecurity landscape. This year’s report is a mixed bag for the industry. On one hand, significant progress has been made in areas such as threat prevention. However, persistent challenges remain and the report underscores the urgent need for collective action to tackle the most pervasive threats.

Here’s what you need to know, supported by key statistics and expert insights from the review.

1. Ransomware remains the most immediate threat

Unsurprisingly, ransomware remains high on the NCSC’s agenda. Attacks like the one on Synnovis, which disrupted NHS services and delayed thousands of medical procedures, demonstrate the deep impact of ransomware. 

The review highlights the increasing sophistication of these attacks, with industrial control systems now a key target.

"Ransomware remains the most significant, serious, and organised cybercrime threat faced by the UK," the NCSC emphasised.

Key stat: The NCSC managed 20 ransomware incidents in 2024, 13 of which were classified as nationally significant—up from 10 in 2023.

Takeaway

Proactive resilience is essential. Adopting frameworks like Cyber Essentials can significantly reduce vulnerabilities to ransomware, as shown by the 92% reduction in insurance claims for certified organisations.

2. Nation-state threats escalate

The geopolitical landscape is amplifying cyber threats, with Russia, China, and North Korea leading state-sponsored campaigns. China, in particular, has been identified as a persistent actor targeting critical infrastructure for espionage and potential disruption.

"China state-affiliated actors routinely seek access to networks globally, targeting critical national infrastructure for espionage and disruptive purposes," warns the review.

Key stat: In 2024, the NCSC issued 1,957 cyber attack alerts, including 89 nationally significant incidents—a sharp rise from 62 the previous year.

Takeaway

The alignment of public and private sector defences is critical to counter sophisticated, state-sponsored attacks.

3. Artificial intelligence: A dual challenge

AI is reshaping cybersecurity, offering both threats and opportunities. While cybercriminals are using AI for precision reconnaissance and social engineering, defenders are harnessing AI to automate detection and improve response times.

"Generative AI will make it harder for defenders to identify social engineering attacks without the development of new mitigations," the NCSC noted.

Key stat: AI-driven tools have significantly narrowed the time between vulnerability discovery and exploitation, heightening the need for real-time defences.

Takeaway

Although cybercriminals appear to have the edge in AI at the moment, it doesn’t have to be this way. As the technology develops, organisations should explore AI-enhanced cybersecurity solutions to match adversaries’ growing capabilities.

4. Cyber Essentials: A proven solution

The Cyber Essentials scheme continues to demonstrate its value as a foundational framework for organisational security. Now in its tenth year, the programme has helped thousands of businesses mitigate common cyber threats.

"Cyber Essentials is a proven baseline that guards against the most common cyber attacks while signalling to customers that businesses take security seriously," the review stated.

Key stats: Organisations with Cyber Essentials are 92% less likely to claim on cyber insurance policies.

Over 33,000 Cyber Essentials certifications were issued in 2024, a 20% increase on the previous year.

Takeaway

Businesses of all sizes should prioritise achieving Cyber Essentials certification to protect themselves and build customer trust.

5. Securing democracy: Election protection

The NCSC played a pivotal role in safeguarding the 2024 UK General Election, implementing pre-emptive measures to secure infrastructure and provide tailored cyber support to high-risk individuals.

"The general election was delivered smoothly and securely, with no major incidents impacting the outcome," the review confirmed.

Key stat: Over 50% of the bespoke alerts issued by the NCSC in 2024 related to pre-ransomware activity, enabling organisations to act before attacks could escalate.

Takeaway

Critical events require tailored cybersecurity strategies to pre-empt threats and ensure operational continuity.

6. The role of legislation in resilience

The Cyber Security and Resilience Bill, expected to become law this year, will expand regulatory protections, enhance reporting requirements, and enforce stronger accountability across digital supply chains.

"The bill is a crucial step toward hardening the UK’s defences against sophisticated cyber threats," the NCSC stated.

Key stat: Over 70% of organisations in the NCSC’s trust groups have adopted Early Warning services to enhance preparedness.

Takeaway

Organisations must prepare to comply with stricter regulatory requirements, especially in critical infrastructure sectors.

7. Systemic market challenges

The NCSC highlights a critical gap in how technology markets prioritise security. Basic safeguards like multi-factor authentication are often treated as premium features rather than standard offerings.

"We must build a future where products are secure, private, resilient, and accessible to all," the review advocates.

Key stat: Memory safety vulnerabilities remain one of the most prevalent causes of breaches, exacerbated by insufficient adoption of secure-by-design principles.

Takeaway

Industry and regulators must champion secure-by-design principles to address systemic vulnerabilities and improve resilience.

What is the key takeaway?

Above all, the NCSC’s Annual Review is a stark reminder that, from small businesses to national infrastructure, the UK’s cyber resilience requires urgent attention. That might sound like a gargantuan task. However, in reality, all it requires is that everyone pitches in. 

"Improving resilience is not a technical challenge—it’s a matter of urgency and leadership," the review concludes.

Whether you’re an SME or part of a critical national sector, the time to act is now. Adopt frameworks, collaborate with trusted partners, and embed security into your operations. Together, we can close the resilience gap and create a safer digital future.

Want to know more about the threats facing small businesses like yours? Check out our latest research, The SME Mobile Threat Report.

Press release: Poor mobile security practices rife at SMEs, CyberSmart survey finds


Cybersecurity incidents and poor mobile cybersecurity hygiene are endemic across the UK's SMEs

London, UK – 04/12/2024 - New research conducted by CyberSmart, a leading provider of SME security solutions, indicates that mobile cybersecurity incidents at small businesses are widespread. 

The research, conducted by OnePoll in Autumn 2024, which polled 250 small-medium enterprise (SME) business owners or leaders in the UK, found that over a third (38%) of small business employees or owners report clicking on a phishing link via mobile.

Elsewhere, 30% of respondents reported losing or having stolen a mobile phone containing sensitive corporate information, leaving their business more vulnerable to potential cybercriminal activity. 

While these dramatic incidents are a concern from a security perspective, the minutiae of business activity taking place on a mobile, without policies in place, also suggest a concerning lack of security awareness from SMEs. For example, a quarter of respondents admitted connecting a mobile device used for work to a public charging station (e.g., at an airport or café), and 36% of respondents have worked from a public WiFi network on a mobile device. A further 9% admitted to forwarding corporate data to a personal account, and 11% admitted storing corporate passwords or login credentials on a mobile device without encryption.

“These results are obviously a concern for SMEs and their employees. Large organisations are more likely to implement security awareness training for mobile devices and implement a code of conduct for corporate devices. This is not a luxury afforded to most SMEs, who do not have the resources or time to do so,” said Jamie Akhtar, Co-Founder and CEO at CyberSmart. “It is the responsibility of the cybersecurity industry to change this, and to make security more accessible for the small businesses which make up 99% of the UK economy.”

You can find the full results of the survey here.

Press release: Mobile security policy missing at most SMEs, CyberSmart survey finds


CyberSmart research reveals 60% of businesses expect their employees to carry out work tasks on their personal mobile phone.

London, UK – 26/11/2024 - New research conducted by CyberSmart, a leading provider of SME security solutions, indicates that organisations not only allow employees to use their personal mobile phones to complete work tasks but actively expect them to.

The research, conducted by OnePoll in Autumn 2024, which polled 250 small-medium enterprise (SME) business owners or leaders in the UK, found that 60% of organisations expect their employees to use mobile devices to carry out work tasks despite not providing all of them with work mobile phones.

Equally concerning is that almost two thirds (60%) of staff members are not expected to carry out mobile security training. An organisation that allows employees to use personal mobile phones to carry out work without security training is massively increasing the chance of a breach.

Elsewhere, the survey unearthed a worrying lack of concern from business leaders regarding cyber security and employee security. 40% of organisations do not have a mobile code of conduct in place for employees. 

“While these results are concerning, SMEs in the UK remain chronically underserviced by the cybersecurity industry,” said Jamie Akhtar, Co-Founder and CEO at CyberSmart. “It is important to make the distinction that many of these organisations have limited resources and are already stretched thin, making it difficult for them to invest in cybersecurity.

We would advise SMEs to engage with solution providers who understand their specific needs, and more broadly would advise them to consistently focus on cybersecurity training, IT policies and fostering a more security-conscious culture, which would help them to achieve a more secure workplace.”

You can find the full results of the survey here.

Key takeaways from the Cyber Essentials Impact Evaluation Report


As anyone in the cybersecurity industry knows, October marks an important anniversary for the sector. The government-backed Cyber Essentials scheme turns 10 this year. And, alongside a bunting-draped celebration at the House of Lords, the Department for Science, Innovation and Technology (DSIT) has commissioned the Cyber Essentials Impact Evaluation Report.

Undertaken by Pye Tait Consulting, the study examines the scheme’s effectiveness, organisations’ motivations for certification, and the ease of adopting its technical controls. However, the report is also 110 pages long. So, to save you several hours, here are our key takeaways from the report. 

Cyber Essentials technical controls boost cyber confidence

The study reveals that Cyber Essentials’ five technical controls are remarkably effective. Citing research on the protections, it concludes they mitigate 99% of ‘internet-originating’ vulnerabilities when implemented. 

This isn’t really news. Researchers at Lancaster University concluded the same as far back as 2015. However, what’s far more interesting is how Cyber Essentials makes business leaders feel. A significant majority (82%) of users express confidence that these controls protect against common cyber threats, with 80% believing they help mitigate organisational risks.

In other words, Cyber Essentials is a key step towards building complete cyber confidence.

Cyber Essentials has been effective in building cyber awareness

Cyber Essentials was always intended to do more than help businesses put technical controls in place. The plan was that by completing the assessment process, organisations would also become more aware of the threats and better equipped to counter them.

Cyber Essentials has also been a success by this measure. The report reveals that Cyber Essentials users have a heightened ability to identify unsophisticated cyberattacks, with 64% agreeing that certification aids in this identification. And that’s not all. Certified organisations also demonstrate greater concern about cyberattacks and better appreciate the potential impact than non-certified organisations.

The same is true for the understanding of cybersecurity. Most users (85%) reported an improved understanding of cyber risks and how to reduce them (88%). Perhaps most importantly, this positive trend was most notable among senior management, with 86% saying Cyber Essentials has improved their understanding. 

Cyber Essentials stimulates wider security practices

Another of the original aims of Cyber Essentials was that it would act as a catalyst for bigger things. Think of it as a strong foundation that businesses could build the rest of their security architecture on top of. 

Again, the study finds that the scheme has been largely successful at doing just that. 76% of certified organisations have taken additional steps beyond the technical controls to enhance their cybersecurity. Alongside this, almost three-quarters (71%) of respondents agreed that the scheme has strengthened how seriously they take cybersecurity. And, hearteningly, this has helped foster a culture of shared responsibility for cybersecurity within their organisations, encouraging regular discussions and proactive measures.

Cyber Essentials as a supply chain assurance tool 

There’s also some evidence that Cyber Essentials has grown some extra functions over its ten-year lifespan. For example, Cyber Essentials is increasingly used as a supply chain assurance tool.

Those surveyed revealed that a third (33%) of all contracts they’ve entered into in the last year required them to be Cyber Essentials certified. What’s more, a growing number of businesses are setting these obligations for their own suppliers. Some 15% of Cyber Essentials users have made it mandatory for their suppliers to be certified and plan to continue doing so, while a further third (33%) are actively considering mandating Cyber Essentials in the future. 

However, there is definitely room for improvement on this count. Just under half of Cyber Essentials users (45%) take Cyber Essentials into account when assessing the cyber risk a supplier poses, meaning we’ve some way to go before Cyber Essentials can be considered a universal stamp of assurance for suppliers. 

The scheme has created value beyond security for businesses

One of the biggest historical barriers to Cyber Essentials adoption, particularly among small businesses, has been value for money. It’s not uncommon for those new to the scheme to ask ‘Do I really need this?’

Nevertheless, those who’ve taken up Cyber Essentials certification have been overwhelmingly positive about the commercial benefits. 69% of surveyees noticed increased competitiveness post-certification. Meanwhile, 80% agreed that being certified can reduce the financial cost to their organisation of a common, unsophisticated cyberattack.

There’s also some evidence that Cyber Essentials has a positive impact on businesses' cyber insurance costs: firstly, through the (often free) bundled insurance offered alongside Cyber Essentials by many certification providers, and secondly, by dramatically decreasing the likelihood of a claim.

The report cites the NCSC’s 2023 Annual Review which suggests that 80% fewer cyber insurance claims are made when Cyber Essentials is in place, compared with organisations that have the same insurance policy and don’t have Cyber Essentials certification. Although, according to the government's latest figures, this is now even higher at 92%.

There is still room for improvement 

Despite the positive findings of the report, it does have a blind spot. Although general cyber awareness among Cyber Essentials users is excellent, it’s debatable whether the same is true across society.

The NCSC's 2024 Cyber Security Breaches Survey revealed that awareness of Cyber Essentials has actually declined in recent years. Just 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme. This is consistent with 2023 figures but represents a decrease over the past 2-3 years.

Plus, while 141,712 certificates have been issued and thousands of businesses have adopted the scheme, this only represents a small fraction of the UK’s estimated 5.6 million businesses.

In short, we have an awareness problem. 

The report does list wider-reaching marketing campaigns among its recommendations, so it’s great to see that DSIT recognises the problem. But for the cybersecurity community, our mission is clear. Given the huge benefits felt by those who’ve already adopted Cyber Essentials, we need to reach more businesses and generate greater awareness of the scheme and security measures beyond it.

Achieve that and we’ll have helped build a far safer online environment for UK businesses by the time Cyber Essentials hits 20.

Have you read our 2024 MSP survey yet? It's full of insight on MSPs' cybersecurity and the future of the industry. Get your copy here.

Press release: CyberSmart partners with e92plus


LONDON, UK - 1st October 2024 - CyberSmart, a leading provider of cyber risk management for small businesses, has today launched its partnership with e92plus, the UK’s top independent cybersecurity Value Added Distributor (VAD).

e92plus has long been dedicated to protecting its partners and helping them accelerate business growth through its suite of channel-first security and cloud solutions. Indeed, e92plus has helped over 1,200 VARs, MSPs, SIs, CSPs and consultancies across the UK and Ireland.

CyberSmart offers an all-in-one cybersecurity monitoring, optimisation, training and insurance solution, proven to defend against the unexpected. Like e92plus, CyberSmart focuses on delivering its cybersecurity platform through the channel, making this an auspicious partnership.

The partnership will focus on delivering CyberSmart’s cyber risk management platform, including Cyber Essentials certification, products CyberSmart Active Protect and CyberSmart Vulnerability Manager, and cyber insurance to e92plus’ partners throughout the UK and Ireland. 

While the partnership is launching primarily in the UK and Ireland, e92plus plans to launch alongside CyberSmart in the Netherlands and other EU markets in the coming years.

The joining of forces between CyberSmart and e92plus is timely. A recent survey from CyberSmart reveals that 65% of MSP customers now expect their provider to manage their cybersecurity infrastructure or their cybersecurity and IT infrastructure. This partnership will help deliver the tools MSPs and VARs need to meet customer demand. 

“We’re excited to be working with CyberSmart to bring their platform to our partner community,” explains Mukesh Gupta, CEO at e92plus. “We’re seeing strong demand in the SMB and mid-market sectors for more assistance around cybersecurity strategy, processes and compliance standards, and this addresses that growing marketing need. The requirements are so complex and diverse, and many businesses struggle to have the internal staff and expertise to manage their cybersecurity tools, let alone manage frameworks, address staff training and ensure an organisation has the right risk management and reporting in place. For our VARs and MSPs, this is a perfect way to build their services and consultancy offering without significant investment.”

“We’re delighted to be working with e92plus,” said Jamie Akhtar, CEO at CyberSmart. “Our businesses share a vision of what cybersecurity for SMBs should look like. The demand for solutions that can help smaller businesses get on top of their cybersecurity, compliance and risk management is only growing. And, this partnership addresses the demand, while giving MSPs and VARs a fast and simple route to building up their cybersecurity capabilities. We see this as another important step towards our mission of providing complete cyber confidence to every small business.”

Press release: Over 1.1 million UK SMEs at risk of collapse during current economic uncertainty


Over one in five UK SMEs (21%) are worried that their business will not survive the current economic uncertainty or expect they will have to make a significant business pivot. This is according to a survey of a thousand SME senior leaders and decision-makers across the UK, commissioned by CyberSmart (and conducted by Censuswide).

The UK government estimates that the country is home to at least 5.5 million SMEs. If we were to extrapolate the findings, it could mean 1.155 million businesses are in a precarious position and risk collapse.

Remarkably, the survey also revealed that some SME senior leaders would go to great lengths to ensure the business's survival. These behaviours range from engaging in cybercriminal activity and committing accounting fraud to neglecting compliance requirements.

Activities that SME senior leaders would consider engaging in include:

  • 15% would commit accounting fraud and lie to bankers/investors to secure funding or commit tax fraud/evasion (potentially equivalent to 825,000 SMEs)
  • 14% would cut employee salaries or benefits (potentially equivalent to 770,000 SMEs)
  • 11% would leverage proprietary information from partners/clients such as selling off the data (potentially equivalent to 605,000 SMEs)
  • 11% would neglect compliance requirements due to the additional costs they incur (potentially equivalent to 605,000 SMEs)
  • 10% would engage in cybercriminal activity such as hitting a rival company with a cyberattack (potentially equivalent to 550,000 SMEs)
  • 9% would mortgage their house (potentially equivalent to 495,000 SMEs)

SMEs decrease cybersecurity spending

Additionally, a third of SMEs have decreased cybersecurity spending due to the economic uncertainty or, more worryingly, admitted to never really investing in it.

In fact, as many as 42% of SME senior leaders do not believe it is worth investing in cybersecurity, with over 1 in 5 (21%) believing they are not a target. A further 16% claim it is not worth it because they have cyber insurance and 10% assert it is not a priority. Only 25% realised it was worth investing in cybersecurity because they could not afford to be breached.

CyberSmart CEO, Jamie Akhtar reacted with the following:

“As a business owner myself, I can understand the pressure many SME decision-makers are currently facing to keep their companies running and ensure their employees are taken care of, all while budgets tighten. It is during these times that emotions run high, and people might make irrational decisions that go against their own, and their company’s, best interest. It goes without saying that we would never condone criminal behaviour. Moreover, we would strongly recommend that businesses invest in cybersecurity and compliance.”

“The business ecosystem has become highly intertwined, so no business is immune from cyberattacks. In fact, SMEs could prove to be an easy entry point for cybercriminals looking to hit others within their supply chain, if they have weak cybersecurity postures. While cyber insurance is important for risk transfer, it should not be relied on either. A comprehensive and continuous cybersecurity and compliance strategy is needed to avoid a breach's financial, reputational and even physical repercussions. Fortunately, there are solutions today that can help in doing so, without breaking the bank.”

Want to know more? Read the report in full here.


6 key takeaways from the DCMS Cyber Security Breaches Survey 2023


Each year, the Department for Digital, Culture, Media & Sport (DCMS) releases its hotly anticipated Cyber Security Breaches Survey. It’s a key source of data on how businesses across the UK approach cybersecurity, the threats they face, and issues that need to be addressed in the coming year.

But for all its usefulness, the report is also very long – usually stretching to thousands of words in length. So, to save you from reading the whole thing, we’ve put together a handy list of the key takeaways from the report. Here’s the stuff you need to know. 

1. Assessing supply chain risk is rare for small businesses

We’ve talked about the danger supply chains pose to businesses a lot. Happily, it appears that larger businesses have begun to wake up to the risk. 63% of large businesses undertook a cybersecurity risk assessment in the last year, alongside 51% of medium-sized firms.

However, the practice remains rare among smaller businesses. When the sample size is broadened to include businesses of every size, just 3 in 10 have undergone a risk assessment.

Why is this happening? Well, it's possible many businesses don’t have the resources to sanction regular risk assessments but, just as likely, many SMEs are simply unaware of the need.

Worried about rising IT costs? Check out our guide to protecting your business on a budget.

2. A small number of businesses are taking cyber accreditations

The good news is that the proportion of UK organisations seeking extra guidance or information on cybersecurity is stable at 49% for businesses and 44% for charities. But, this does mean that a large proportion of organisations either aren’t aware of or aren’t using guidance like the NCSC’s 10 Steps to Cyber Security or the government-backed Cyber Essentials accreditation.

According to the DCMS’s findings, just 14% of businesses and 15% of charities are aware of the Cyber Essentials scheme – rising to 50% of medium businesses and 59% of large businesses. And it’s a similar story with ISO 27001 certification with just 9% of businesses and 5% of charities adhering to the standard. Again, this is higher among large businesses (27%).

Although these figures might look alarming, there are a couple of caveats to bear in mind. First of all, the Cyber Essentials scheme was always going to take some time to bear fruit; it’s worth remembering the extremely limited cyber awareness across UK businesses before its launch. What’s more, the number of certified businesses is still growing steadily, up from 500 per month in January 2017 to just under 3500 in January 2023.

Added to this, the scheme was always likely to need to evolve to meet the needs of businesses. Given recent calls from UK companies for a new and improved Cyber Essentials certification, perhaps the time has come for the scheme to take the next step in its evolution.

3. Formal incident response plans aren't widespread

The survey reveals that most organisations say they would take a range of actions following a breach or cyber incident. However, the reality appears somewhat different: only a minority of businesses (21%) have a formal incident response plan in place. The figure rises among medium (47%) and large businesses (64%), indicating that it’s smaller businesses who are going without.

Perhaps this isn’t surprising. SMEs are often short of time and resources, and creating a thorough incident response plan isn’t a small undertaking. Nevertheless, it’s an area that both government bodies and companies like CyberSmart need to focus on in the coming year.

4. The number of identified breaches has declined 

At the risk of stating the obvious, cybercrime hasn’t decreased in the last year. But the number of organisations identifying a breach has declined. Just 32% of businesses and 24% of charities reported a breach or attack in the last 12 months, down from 39% of businesses and 30% of charities in the 2022 edition of the survey.

What’s going on? Are SMEs simply being attacked less? Unfortunately, no. 54% of SMEs in the UK experienced some form of cyberattack in 2022. And the figures for large businesses (69%) and high-income charities (56%) have remained stable since the 2022 report.

This indicates that the drop is being driven by SMEs, and it suggests that they are doing less monitoring and logging than in previous years, so fewer attacks are being identified rather than fewer taking place. Why? That brings us to our next key takeaway.

5. Cybersecurity is less of a priority for smaller businesses

It’s no secret that it’s a tricky time to be a small business. Economic uncertainty and a cost-of-living crisis have left many SMEs looking to reduce expenditure, including in areas like cybersecurity. This is borne out by the DCMS’s survey: 68% of micro-businesses (fewer than 10 employees) say cybersecurity is a high priority, down from 80% last year.

In practice, this can mean less tracking and reporting of breaches, weaker defences and greater reluctance to update tools, putting small businesses at a real disadvantage. But it doesn’t have to be this way. There are ways for budget-conscious businesses to reduce costs responsibly; we’ve outlined a few here.

6. Is cyber hygiene going backwards? 

Finally, cyber hygiene has long been a useful concept for helping businesses think about their security. The rationale is simple. Most cyberattacks are fairly unsophisticated: think of a common-or-garden phishing email, or a breach through an unpatched vulnerability.

This means businesses can avoid falling foul of most of them with a set of basic “cyber hygiene” measures.

The most common of these hygiene measures are up-to-date malware protection, cloud back-ups, password policies, restricted admin rights and network firewalls. However, all of these measures have seen a gradual decline over the last few editions of the DCMS report. For example:

  • use of password policies (79% in 2021 vs. 70% in 2023)
  • use of network firewalls (78% in 2021 vs. 66% in 2023)
  • restricting admin rights (75% in 2021 vs. 67% in 2023)
  • policies to apply software security updates within 14 days (43% in 2021 vs. 31% in 2023).

DCMS analysis suggests that these trends reflect shifts within the SME population, since figures for larger organisations have remained stable. As we mentioned earlier, it’s possible that, as many smaller businesses feel the pinch and place less importance on cybersecurity, cyber hygiene has begun to fall by the wayside. Whatever the reason, it’s a worrying development that could leave some SMEs extremely vulnerable.

What have we learned from the DCMS Cyber Security Breaches Survey 2023?

Time to draw some broad-brush conclusions from the DCMS's findings. First of all, the common theme running throughout the report is that the cost of living crisis is having a real impact on SMEs' ability to protect themselves. Whether it's the decline in breach reporting, so many businesses lacking incident response plans, or the fall in cyber hygiene standards, it's clear SMEs need real assistance to bolster their defences.

Second, Cyber Essentials could be due for a revamp. The number of organisations who are aware of the accreditation, let alone completing it, remains too low.

Finally, although this piece may have made for a fairly grim read, there is an upside. These findings give everyone within the UK cybersecurity industry a clear picture of where the problems lie and what we all need to do over the next 12 months to tackle them.

Want to know more about how to reduce cybersecurity costs responsibly? Check out our free guide to cybersecurity on a budget.


What do the proposed NIS regulations mean for managed service providers?


As attendees of our CyberSmart Live! event will know, one of the hottest topics in the cybersecurity industry at the moment is the proposed regulatory change for managed service providers (MSPs). The Department for Science, Innovation and Technology (DSIT) is planning to widen the scope of the Network and Information Systems (NIS) Regulations to include MSPs.

So, to help you understand whether your business is affected and what you need to do, here's a quick summary of the potential changes.

What are the changes? 

Under the proposed framework, some MSPs (more on that later) will have a legal duty to:

  • Register with the Information Commissioner’s Office (ICO)
  • Take steps to secure their networks and information systems
  • Minimise the impact of incidents on their networks and information systems
  • Report incidents to the ICO

Why does this only apply to some MSPs?

The regulations don’t apply to small and micro providers. To fall within scope, your business must exceed the small-enterprise thresholds, meaning it must either:

  • Employ 50 or more staff, or
  • Have an annual turnover of more than €10 million

On top of this, only MSPs who meet the NIS criteria for a digital service provider (DSP) need to register with the ICO. Under the amended definition, a DSP is an organisation “providing online marketplace services, cloud computing services, online search engine services or managed services”, with managed services being the new addition.

What are the changes to NIS regulations for? 

Cybercriminals are targeting MSPs with increasing regularity. The risk has grown so severe that the security agencies of the ‘Five Eyes’ countries (the UK, the US, Canada, Australia and New Zealand) felt moved to issue a joint official warning in 2022.

MSPs are so attractive to attackers because they sit in their customers’ supply chains and hold privileged access to clients’ networks and IT environments. And, to add the icing on the cake for any cybercriminal, MSPs typically hold large amounts of sensitive data, from financial information to detailed breakdowns of customers’ security arrangements.

We’ve seen countless examples of attacks on MSPs that led to breaches across their entire client base. The proposed NIS changes are an answer to this: a real attempt by DSIT to better protect MSPs and their customers from a growing threat.

When are the regulations due to come into force?

On 13th April 2023, the Government confirmed that it will go ahead with the proposed reforms to the NIS Regulations, so we expect the changes to come into force sometime in 2024. It should be noted, though, that this is subject to the government finding “a suitable legislative vehicle”.

Is there anything else you should know?

At this point, you’ve likely got some further questions about the proposed changes. Unfortunately, we don’t have space to cover everything in this blog. But, for more information, we recommend checking out our handy set of FAQs on the regulations. You should find everything you need to know to prepare you for the changes.

Here is a follow-up video we recorded with the Department for Science, Innovation and Technology that goes into further detail on the proposed NIS regulations for MSPs.

Times are tough for SMEs, with many facing tough financial decisions. So, to help out, we’ve put together a step-by-step guide to cybersecurity on a budget. Read it here.


Press release: Heightened risk of insider threats during cost-of-living crisis, according to SME study


Our latest research (to be released as a report) reveals fear among UK SMEs about insider threats. Some key findings include:

  • Nearly half of UK SMEs (47%) believe they are at greater risk of a cyberattack since the cost-of-living crisis.
  • 38% believe this is due to increased malicious insider threats, and 35% believe it is due to negligent insider threats.
  • 1 in 4 believe staff are overwhelmed or concerned about meeting their financial commitments.
  • 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or for a competitive advantage.
  • 17% believe employees will seek to harm the company's reputation due to resentment over salary cuts/stagnation and/or layoffs.

London, UK (15th June 2023) – Nearly half of UK SMEs (47%) believe they are at greater risk of a cyberattack since the onset of the cost-of-living crisis. Of these respondents, 38% believe this is due to increased malicious insider threats (i.e., disgruntled employees making decisions that are not in the best interest of the company) and 35% believe it is due to negligent insider threats (i.e., overworked or distracted employees making mistakes). This is according to a survey of a thousand SME senior leaders across the UK, commissioned by CyberSmart, the category leader in simple and accessible automated cybersecurity technology for small and medium-sized enterprises (SMEs), and conducted by Censuswide.

In light of the economic uncertainty, almost 1 in 3 employers (29%) admit that employee salaries have stayed the same, which, with inflation running high, amounts to a fall in real wages. A further 11% have gone so far as to reduce salaries. What’s more, nearly a quarter (24%) of SMEs have paused recruitment, while 16% have laid off employees for budgetary reasons.

It is no coincidence, then, that 1 in 4 employers (24%) find that their staff are overwhelmed or concerned about meeting their financial commitments, while nearly a fifth (18%) find they are feeling overworked. Moreover, 16% believe their staff are less engaged or productive due to stress, 14% think they are more disgruntled and 11% have noticed a growing rift between senior leadership and employees.

Employers expect that employees in this unhappy state might engage in the following activities:

  • 22% believe employees will take on a second or third job during contractual hours.
  • 22% believe employees will be more likely to make mistakes such as clicking on a phishing link.
  • 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or for a competitive advantage.
  • 17% believe employees will seek to harm company reputation due to resentment over salary cuts/stagnation and/or layoffs.
  • 14% believe employees will use AI such as ChatGPT to do their job for them.
  • 14% believe employees will steal money from the company or commit financial fraud.

“Not all businesses are experiencing a negative company culture as a result of the crisis. In fact, 20% believe the cost-of-living crisis has brought the company closer together and 16% of employees are becoming more motivated to impress senior leaders. Nevertheless, in times like these, it is crucial that employers are mindful of how their staff are coping,” said Jamie Akhtar, CEO and Co-Founder of CyberSmart. “It only takes one disgruntled or overworked member of staff to make a decision that could put the entire business at risk. This research highlights the importance of conducting regular security awareness training, but also the need to show up for employees with empathy and support.”

It should be noted that SME business leaders also consider external forces to be responsible for the growing risk of cyberattacks, with 32% attributing it to higher rates of supply chain fraud and 31% expressing concern about nation-state interference from hostile countries such as Russia and China.

Want to know more? Read the report in full here.
