Cybersecurity in hospitality – a growing issue?

COVID-19 has brought with it a notable rise in attacks on all businesses. Research from Deloitte reveals that the last 12 months have seen a sharp increase in ransomware, phishing attacks and attempted hacks. 

But there’s one industry that’s right on the frontlines of the fight against cybercrime: hospitality. Why is the industry so at risk? And what can be done to improve cybersecurity in hospitality? 

What are the risks? 

While hospitality businesses face many of the same cyber risks as other industries, they’re also at risk from a few that are fairly unique to the sector. 

There are the risks associated with the contact tracing requirements for COVID-19 that every hotel, bar or restaurant has to abide by. But there are also a few other threats that particularly impact hospitality: 

DDoS (distributed denial of service) attacks

The CCTV and surveillance systems many hotels and restaurants are reliant upon for customer safety are particularly vulnerable to this type of attack. 

Human error

With staff often handling dozens of transactions in a day and constantly juggling tasks, the risk of human errors that lead to breaches is high. 


DarkHotel is targeted spear-phishing spyware that attacks high-profile business customers through the hotel’s in-house WiFi network.

Alongside these threats, phishing and ransomware attacks are also very common amongst hospitality businesses. 

What evidence is there of the risk to cybersecurity in hospitality? 

Unfortunately, we’re not short of evidence on the risks to the hospitality sector. 

In the last few years, hospitality has ranked behind only finance and retail as the industry most targeted by cybercriminals. In 2018 alone, almost 514 million hotel data records were stolen or lost worldwide. The trend continued throughout 2020, with both Marriott and Prestige Software’s Cloud Hospitality platform suffering massive breaches.

Why is hospitality under attack? 

Like most industries regularly attacked by cybercriminals, hospitality is seen as an easy target. A recent study into hacker forums revealed that hospitality chains Hilton and Marriott were included in 31% and 28% of mentions respectively in discussions on easy targets.  

What’s more, it’s borne out by the figures. To date, 423 million U.S. travellers have been victims of a cyberattack through their business with hotels. And 70% of hotel guests believe that hotels don’t invest enough in cybersecurity protection. 

So what’s going wrong?

A breakdown of hotel data breach areas revealed that 64% of breaches occur via corporate internal networks and 18% in both e-commerce and at point of sale. This suggests that the problem in hospitality is largely one of employee education and poor cyber hygiene. 

So is contact tracing safe for customers and businesses? 

With the adoption of contact tracing throughout the hospitality industry during the coronavirus pandemic, hotels, restaurants and bars have become a target. This is partly down to their large databases of customer information, but it’s also due to the relatively weak cybersecurity employed by most. 

Using the COVID-19 Guardian tool, cybersecurity experts assessed 40 contact tracing apps around the world as posing a risk to users. 72.5% of these apps had at least one insecure cryptographic algorithm and 75% contained a tracker that sent data to third parties.

However, it’s worth noting, despite the risks, all of the apps save Kyrgyzstan’s ‘Stop COVID-19 KG’ were free of malware. We’ve written at length about why the benefits of contact tracing far outweigh the risks here. But, in short, the privacy concerns relating to contact tracing are relatively minor and should be easy to iron out.  

What can be done to improve cybersecurity in hospitality? 

The good news is that the current baseline for security levels in the industry is low. This means that achieving better protection is relatively simple. 

Simply put, hotels, bars, and restaurants need to be better at the basics. This might sound easier said than done. After all, hospitality businesses tend to be populated by staff with great people skills, not cybersecurity experts. 

However, the five technical controls laid out in the Cyber Essentials certification process don’t require expertise and would dramatically improve most businesses’ security. These are: 

  • A secure internet connection
  • Control over data and services
  • Regular updates
  • Anti-virus and malware tools
  • Using the most secure settings on every device

In fact, it’s estimated that implementing these five steps can protect an organisation from up to 98.5% of the most common cyber threats. 

Beyond technical precautions, there’s another thing hospitality businesses could be doing better. As we mentioned earlier, the majority of attacks on hospitality businesses stem from internal networks or the point of sale. This suggests that staff either aren’t cyber aware enough to know a threat when they see one or they’re engaging in risky behaviour themselves.

The key to fixing this is employee education. If your people aren’t aware of which behaviours are harmful and risk a breach, they can’t correct them. And it doesn’t have to be complex or require a computer science degree. Even the most basic education on proper cyber hygiene, using secure passwords, for example, could mitigate most of the risks hospitality firms face. 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

What can the UK learn from the US cyber insurance market?

Why is the US streets ahead of the UK when it comes to businesses adopting cyber insurance? And what can we learn from our American cousins? 

Why is cyber insurance important? 

To illustrate why cyber insurance is important, let’s compare it to a business insurance policy. It’s widely accepted that any organisation operating without business insurance is at best foolhardy and at worst crazy. There are so many potential things that could go wrong. 

You could be the victim of fraud, a workplace accident could lead to legal action against you, or an electrical fire could turn your hardware into a husk of melted plastic. The possibilities are endless and any one of them could seriously damage or even end your business.

It’s vital for your business’s health (and a good night’s sleep) to know you’re covered should the worst happen. 

The same is true of cyber insurance. We’re unused to thinking of it in the same way as business cover, but cyber insurance is becoming increasingly necessary. Up to 88% of UK companies have suffered breaches in the last 12 months, according to Carbon Black. Meanwhile, Hiscox reports that a UK SME is successfully hacked every 19 seconds. 

All this means that UK SMEs are experiencing double the number of cyber risks that they did in 2018, with the average cost of a breach also quadrupling. There’s a clear case for widespread cyber insurance adoption, so how are UK businesses doing?

What does the cyber insurance market look like in the UK?

Given the risks we’ve just outlined, you might think that British businesses are clamouring for cyber cover. But, unfortunately, cyber insurance adoption is relatively low in the UK. 

There are a couple of reasons for this. The first is a simple case of awareness. As we mentioned earlier, getting business insurance is considered common sense by most organisations. However, awareness of the need for cyber insurance lags some way behind. We simply aren’t used to considering it as an everyday business cost. After all, if you’re lucky enough to have never been successfully attacked, why would you?

The second reason is the cost. A Deloitte survey, looking at 504 middle-market commercial insurance buyers, found that 41% of businesses claimed insurance costs were too high. And 33% of organisations reported ‘dissatisfaction with the service’.

However, it’s not all bad news. 41% of businesses still purchased cyber insurance after conducting a risk assessment. What’s more, a further 41% were prompted to buy a standalone insurance product by attacks on other industries.

Why is the US ahead?

There’s an old adage that ‘everything’s bigger in America’. It’s usually said sarcastically by embittered Europeans, but when it comes to cyber insurance it’s true.  

Despite net premiums being low for an insurance market ($1.94b in 2018), the US market is growing fast. 40% of US businesses purchased cyber coverage in 2018, with a further 40% buying for the first time in 2019. During the same period, the average US cyber claim size shot up to around $181k for an SME and over $5.5m for a large business. 

So why is the US market more advanced than what we’re currently seeing in the UK?

It’s partly because the US is at the forefront of the fight against cybercrime. The US currently leads the world in data breaches with an average breach cost of $8.64 million and is the second most attacked country on earth after Germany. So for companies based in the US, cyber threats are seen as part and parcel of business. 

However, it’s also down to public perceptions of cybercrime. Many of the most high-profile cyberattacks have been on large American companies such as Twitter, Microsoft and Marriott, meaning cybercrime is given loud and regular media coverage. This makes the threat appear much more immediate than elsewhere.

What can the UK learn from the US?

Before we delve into what the UK can learn, it’s important to note that the US market has its limitations. As recently as 2017, 75% of SMEs in the US didn’t have cyber insurance, meaning adoption hasn’t always been as widespread as figures suggest. And there’s still some mistrust of the industry. For evidence, look no further than US pharma giant Merck, which found itself at the centre of a media storm after being denied a payout following a breach.

But for the time being, at least, the US remains ahead of the UK market. So what can we learn? 

Close the expectation gap

First, UK insurers need to close the expectation gap between service and consumer within the industry. Many small businesses view themselves as not ‘valuable enough’ to be attacked. And insurers need to do more to convince SMEs that they’re being threatened because they’re ‘vulnerable rather than valuable’. 

Update the industry model 

One of the biggest barriers to greater adoption of cyber insurance is the perception among SMEs that it’s expensive. 

The current cyber insurance model was created in the early 2000s, aimed at multinationals and large tech firms on the west coast of America. The world has changed a lot since then. In an age where even the smallest businesses are online, a new approach is needed. Insurance professionals need a better understanding of the financial limitations of their market and a pricing structure to suit.

Make it easier to address cybersecurity concerns 

Perhaps the greatest difference between the US and the UK market is how proactive US insurers are. In the UK, we tend to focus on educating businesses on the importance of cybersecurity rather than helping them to get cyber secure.

Cybersecurity can be confusing and for a small business owner, the prospect of going it alone can be daunting. So more needs to be done to guide businesses along the path to better cyber hygiene. For example, recommending all clients get Cyber Essentials certified is a great start. 

What does the future hold? 

Although the UK is currently behind the US, things are unlikely to stay that way for long. The US market is slowing. Meanwhile, many insurance brokers in the City of London are targeting cyber insurance as a key area for growth post-covid. 

So are we about to enter a future where cyber insurance becomes as commonplace as business or contents insurance? That depends on insurers adapting the current, dated model in favour of an approach that supports SMEs. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cyber hygiene.

The Cyber Essentials questionnaire: are you prepared?

In 2015, a research team at Lancaster University concluded that 99% of cyber risks could be avoided through following a set of surprisingly simple security measures. These measures, or controls, make up the basis of the government’s standard for security certification, Cyber Essentials, which is what we help businesses achieve here at CyberSmart.

However, there’s a lot you can do on your own to prepare yourself for the Cyber Essentials assessment or just to improve your general cyber hygiene around its guidelines. We’re going to walk you through some of the processes you will need to have in place when you complete the self-assessment for Cyber Essentials before it is reviewed by an assessor.

Keep in mind that the Cyber Essentials questionnaire is asking you to evaluate every device in your company (laptops, personal computers used for work, phones, the works) and whether it complies with the rules. If it is being used for work, it should be included.

Choose the most secure settings for your devices and software

☐ Know what ‘configuration’ means

☐ Find the settings of your device and try to turn off a function that you don’t need

☐ Find the settings of a piece of software you regularly use and try to turn off a function that you don’t need

☐ Read the NCSC guidance on passwords

☐ Make sure you’re still happy with your passwords

☐ Read up about two-factor authentication

Control who has access to your data and services

☐ Read up on accounts and permissions

☐ Understand the concept of ‘least privilege’

☐ Know who has administrative privileges to your data and on which machines

☐ Know what counts as an administrative task

☐ Set up a minimal user account on one of your devices

Protect yourself from viruses and other malware

☐ Know what malware is and how it can get onto your devices

☐ Identify three ways to protect against malware

☐ Read up about anti-virus applications

☐ Install an antivirus application on one of your devices and test for viruses

☐ Research secure places to buy apps, such as Google Play and Apple App Store

☐ Understand what a ‘sandbox’ is

Keep your devices and software up to date

☐ Know what ‘patching’ is

☐ Verify that the operating systems on all of your devices are set to ‘Automatic Update’

☐ Try to set a piece of software that you regularly use to ‘Automatic update’

☐ List all the software you have which is no longer supported

If you can follow this guidance now, you can pass certification quickly and with flying colours. If you struggle with any of them, CyberSmart has helped guide hundreds of SMEs of all sizes and experience through the same process, so feel free to get in touch. We offer a quick and simple step by step process so you can get Cyber Essentials certified today.

What is Cyber Essentials Plus?

If you’re a UK SME and part of a big supply chain or going for government tenders, you’re likely to be aware of the needs of Cyber Essentials. The original Cyber Essentials certification was designed to provide businesses with the basics of cyber safety and ethical business practices online; from managing firewalls and user accounts to appropriately protecting their business against malware and data theft. To remain compliant with modern UK business requirements, Cyber Essentials is – well, an essential.

But for businesses wanting to go beyond the basics and improve their safety and the security of their business online, Cyber Essentials Plus is the answer. As one of the services we offer our clients, we deliver the Cyber Essentials Plus certification through IASME, and we know just how important the higher compliance standard that comes with the ‘Plus’ certificate can be to your business.

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

So what exactly is the difference between the two certifications? It all comes down to the use of an independent auditor. Cyber Essentials Plus still requires businesses to comply with the same five factors as the non-Plus model. Known as technical security controls, these include:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patch Management

In addition to these basic requirements to be certified, Cyber Essentials Plus goes a step further than the self-certification of Cyber Essentials and requires an independent assessment of the business’s internal security controls to achieve this higher level full certification.

Why an independent assessment?

Robust credibility is the driving reason why Cyber Essentials Plus uses independent assessment, as this ensures companies are indeed compliant with the requirements of the Cyber Essentials scheme. The additional step ensures the safety of the business and further helps authenticate the certification. Because your compliance has been verified, the resulting certification is more trustworthy than an in-house DIY version of the Cyber Essentials certificate.

Which form of certification is best for your business? If at all possible, upgrading from Cyber Essentials to a higher-level certification is the ideal choice for any company. Each assessment includes a vulnerability scan to ensure your business data and information are well protected. If you are genuinely committed to safer online and network practices, for your business and your clients, then investing in Cyber Essentials Plus certification could be your best move.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

GDPR Subject access request (SAR) – 6 steps to deal with it

A Subject Access Request (SAR) exercises the Right of Access, which allows an individual to obtain records of their personal information held by an organisation. GDPR, which became applicable in May 2018, provides individuals with the right of access to information.

It is essential that your organisation is aware of the basics of SARs and can handle them effectively to avoid large fines. In this blog post, we provide a six-step practical guide on how you can deal with subject access requests under the GDPR in 2023.

  1. Recognise the request

The first step to responding to a SAR is to identify it. The GDPR does not specify how an individual can make a valid request for information. A subject access request can be written or verbal, and it can be made to any part of your organisation including social media.

Therefore, it is best to assume that if an individual asks you for their personal data, regardless of the channel or mode of communication, it constitutes a valid subject access request under the GDPR. It is advised that basic training on the GDPR should be provided to all staff members and managers within an organisation.

Your employees should be able to recognise a SAR and pass it on to the relevant focal person who can handle the request.

  2. Understand the time limitations

The GDPR requires you to respond to a SAR within one month i.e. 30 days of its receipt. You must get back to the individual with the requested information without undue delay.

However, you can extend this time period to up to three months if the request is complex, or if the same individual has made a high number of requests. In this case, you must inform the individual that you need more time within one month of the request to avoid any legal issues.

  3. Dealing with fees and excessive requests

You cannot charge a fee for providing information to individuals in response to a subject access request. However, there is one exception to this rule. If you receive a SAR that is ‘manifestly unfounded or excessive’, you can charge a reasonable fee to deal with the request or refuse to provide information at all.

There is still some speculation over what requests can be considered manifestly unfounded or excessive and therefore, it is advised that you take caution when refusing a SAR. Similarly, there is no certain threshold for the reasonable fee that you can charge. The ICO guidance suggests that it must be charged on the basis of the administrative costs associated with the retrieval of the requested information.

To be on the safe side, it is best not to charge a fee or refuse a SAR at all. But if you choose to refuse to deal with a repetitive SAR, then you should inform the individual within one month of the receipt of the request with the reasons for refusal.

  4. Identify, search, and gather the requested data

The most time-consuming and labour-intensive part of responding to a subject access request is gathering the requested data. If an individual makes a broad request for access to all their personal data, then it can take weeks to identify and search for the information.

Personal data is defined as any information relating to an identifiable natural person under the GDPR. This broad definition makes it difficult to identify the information that you need to provide.

The ICO states that if an organisation processes a large amount of personal information, then it should ask individuals to clarify their request for information. Therefore, a good approach is to ask for additional parameters or specific pieces of information that individuals need from the SAR. However, it is important to understand that you will need to comply with the SAR even if the individual refuses to provide additional parameters.

It is advised that organisations should allocate someone to be in charge of coordinating the process of gathering requested personal data. Document management providers can help you carry out effective searches for data using the right date range and keywords. Even though these services can increase costs, they ensure that your organisation can meet the information needs of a SAR correctly and on time.

  5. Learn about what information to withhold

A challenging aspect of responding to a SAR is to decide what information to withhold from the requester. After you have gathered all the requested information, the next step is to filter out the information that you can legally hold back.

One particular concern is to ensure that when responding to a SAR, you should not disclose the personal data of other individuals. The Data Protection Act (DPA) 2018 states that you should not comply with a SAR if it would require you to disclose information about another identifiable individual.

The exceptions are when the other individual has given their consent to the disclosure, or the organisation finds it reasonable to comply with the request without the consent of the individual. When deciding whether you disclose the information about the third party, you should balance the GDPR’s right of access against the third party’s rights.

Other than this, Section 45(4) of the DPA 2018 specifies special cases when you can withhold personal data of an individual. These include cases where withholding is needed to avoid obstructing an official or legal enquiry, or to protect public or national security.

Therefore, you should be careful about the information that you provide when complying with a subject access request. It is important to understand what information you can withhold to prevent a breach of others’ privacy or to support the public or national interest.

  6. Developing and sending a response

Once you have everything you need for the subject access request, the last step is to develop and send a response to the individual. Organisations need to provide the following information to the requester:

  • Legal basis for and purpose of processing the personal data of the individual.
  • Third-parties to whom the personal data has been disclosed.
  • Existence of the requester’s rights to the information including the erasure of the personal data and restriction of the processing of the personal data.
  • Expected period for which the personal data will be stored.
  • Categories of personal data.
  • Information about the origin of the personal data.

Most organisations will have provided much of the information above in their privacy policy already and so can reuse it from there.

For sending out the response in 2023, the GDPR requires that you provide the information in a concise, intelligible, transparent, and easily accessible form that is understandable by the individual. Secure online portals or encrypted email are recommended ways to deliver the response securely and efficiently.


Understanding how to deal with a subject access request is an important part of complying with the GDPR in 2023. We have outlined a step-by-step process that you can use to comply with a GDPR subject access request from individuals.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.

What’s the difference between Cyber Essentials, ISO 27001 and PCI DSS?

Practicing good cyber hygiene has never been more important for SMEs. In the last two years alone, small firms were subject to 10,000 cyberattacks daily and one in five reported suffering a breach. Regardless of their size or industry, all SMEs face similar risks. So, to counter, the UK government has developed various standards to ensure we all have access to the same resources and knowledge. 

But it’s easy to get confused between the various standards for information security. Which one should you get certified for? To help you make a decision, let’s look at the differences between Cyber Essentials, ISO 27001, and PCI DSS.

Cyber Essentials

Cyber Essentials (CE) is a UK government program for protecting information, launched in 2014. CE is the minimum certification required for any government supplier responsible for handling personal information in the UK.

For SMEs, a CE certification demonstrates you’re serious about security – both to customers and regulators. 

The Five Requirements of Cyber Essentials

The key requirements of Cyber Essentials certification are as follows:

1. Configure and deploy a firewall

A firewall is a secure buffer zone between your organisation’s internal network and the Internet. Using a firewall ensures that malicious traffic is not allowed to enter your network.

The certification requires you to configure and deploy a firewall that protects all devices, especially those connected to a public or untrustworthy network.

2. Use secure configurations for devices and software

Most devices and software come with the manufacturer’s default settings. And these aim to make the device as open and available as possible. However, these aren’t usually the most secure settings, leaving you open to cyber attacks. 

CE asks you to reconfigure these settings to maximise security. This includes using strong (and not default) passwords and introducing extra layers of security such as two-factor authentication.

3. Make use of access control to prevent unauthorized access to data and services

Your employees should only have the minimum access needed to perform their role. Providing extra permissions to settings, software, or online services can be a potential threat to your business if the account gets stolen or misused.

Standard accounts vs. administrative accounts

Standard accounts are made for general work purposes and have limited access. On the other hand, administrative accounts have greater privileges and are used for administrative tasks such as installing software.

In the case of a breach, unauthorised access to an administrative account can cause much more damage than access to a standard one. So it’s important to provide administrative accounts to only qualified and authorised staff. 

To get certified, you have to control access to company data. In practice, this means making administrative accounts only available to those that need them. What’s more, the actions an administrator can take should also be tightly controlled.

4. Protect yourself against malware such as viruses

Malware, short for malicious software, is any computer program that causes harm to a device or its user. Perhaps the most well-known type of malware is the virus. Simply put, a virus infects the software on your device to corrupt files and data. Malware can come from anywhere, but the most common sources are email attachments, malicious websites, and files from a removable device such as a USB drive.

Defending your business against malware

CE requests that you implement at least one of the following approaches to malware protection:

  • Anti-malware measures: For desktops and laptops, this means enabling anti-virus solutions such as Windows Defender or Mac OS XProtect. Meanwhile, for smartphones, you’ll need to keep software up to date, enable features to track and erase devices when lost, and use password protection.
  • Sandboxing: A sandbox is an environment that has very restricted access to the rest of your files and network. Whenever possible, you should make use of applications that support sandboxing to keep your data far from malware.
  • Whitelisting: A whitelist is a list of software that is allowed to be installed and run on a device. This prevents users from running software that can be potentially harmful. Administrators create whitelists and implement them on devices including laptops, desktops, and smartphones.

5. Keep devices and software updated

All devices, software, and operating systems you use should be kept updated. Alongside adding new features, device manufacturers and software developers also release updates (or patches). These are key to fixing known vulnerabilities in the software. 

CE builds on this requirement. All devices, software, and operating systems must be kept up to date and upgraded once they are no longer supported by the manufacturer or developer.

ISO 27001

ISO 27001 is an international standard for information security that was first introduced in 2005. The standard defines what is required for establishing, implementing, maintaining, and improving an information security system.

ISO 27001 is much more comprehensive than CE. However, unlike CE, it’s not yet a requirement for SMEs operating in the UK.

The 14 Controls of ISO 27001

Contrasting with CE and PCI DSS, ISO 27001 doesn’t have specific requirements for compliance. Instead, ISO 27001 provides guidelines through a set of ‘controls’. Let’s run through them. 

1. Develop an information security policy

An information security policy provides direction and support to your people. It should clearly lay out how to manage information in accordance with laws, regulations and business requirements. It should also be an ever-changing document, with regular reviews to check it’s effective and everything in it is suitable.

The information security policy document should be approved by your management team and communicated to all employees and external parties.

2. Implement and manage information security within your organisation

This control’s primary goal is to provide a mechanism for managing information security within a business. This includes coordinating responsibilities to employees and maintaining appropriate contact with authorities, third-parties, and security providers.

ISO 27001 provides the framework for managing information security in different aspects of your organisation, for example teleworking or project management.

3. Provide training and awareness to HR

You need to ensure that employees are aware of their responsibilities towards information security. Employees that can control or affect information security should be trained for their roles. And any changes in the employment conditions of employees should not affect your business’s security standards. 

4. Ensure organisational assets are secure

‘Information security assets’ are best defined as the devices used for information storage and processing. According to ISO 27001, you should be able to identify and classify information security assets based on the sensitivity of the information they handle. On top of this, you’ll also need to assign staff responsibility for keeping each of these devices secure. 

5. Make use of access control to protect information

Employees and third-parties should have restricted access to your information. ISO 27001 shows you how to use formal processes to grant and revoke user rights. 

6. Protect the confidentiality and integrity of information through cryptography

Use cryptography tools such as encryption to protect the confidentiality and integrity of your data. This can help keep you safe by making the data unusable for hackers – even if they do manage to get in. 

7. Prevent unauthorised physical access to your workplace

The physical areas where your information security assets are kept should be protected from unauthorised access and natural disasters. If these areas are breached, say by a break-in or winter storm, it could stop your business functioning properly or expose your data.

8. Deploy secure configurations for operational infrastructure

‘Operational infrastructure’ is the devices, software, and operating systems that manage your information security. According to the ISO 27001, secure configurations for this infrastructure include:

  • Protection against malware and loss of data through measures such as antivirus software
  • Ensuring that default settings and passwords from manufacturers are changed according to business requirements
  • Gathering and recording evidence of any security vulnerabilities you have 

9. Secure configurations for network infrastructure

‘Network infrastructure’ is the devices such as routers and switches, services, and software that make up your network. ISO 27001 asks your business to: 

  • Monitor and control network traffic.
  • Ensure applications and systems using your network are secure (using measures like firewalls)
  • Produce a network services agreement that identifies security features and management requirements for the network

10. Prioritise security when acquiring, developing, and maintaining information systems

ISO 27001 states that security should be considered at every level of an information system. From the moment you set up a new system, your business requirements should include security controls to prevent the loss or misuse of information.

11. Ensure information security for activities by suppliers

Under ISO 27001, all outsourced activities must be monitored for information security controls. For instance, your suppliers are required to comply with the same security requirements you’ve laid out for your own organisation.

12. Develop an effective approach for managing information security incidents

If an accident occurs or your systems are breached, you need to do the following:

  • Properly communicate the details of the security incident and event quickly
  • Gather and preserve evidence for further analysis of the security incident
  • Develop processes for improving information security and preventing the incident happening again

13. Prevent information security failures from interrupting business continuity 

‘Business continuity’ is the ability of your business to keep running even after something’s gone wrong. ISO 27001 provides a step-by-step process for ensuring your business can continue operating after a breach. A key aspect of this is making sure information systems can still be accessed even during and after an incident. 

14. Ensure compliance with information security policies and standards

Lastly, your organisation should never be in breach of any law or security standard. ISO 27001 guides you through getting compliant and staying that way.


The Payment Card Industry (PCI) Data Security Standard (DSS) is an international information security standard launched in 2004. This standard affects anyone who handles credit cards from leading card companies such as Visa, MasterCard, American Express, Discover, and JCB.

Which organisations need to comply with PCI DSS?

Any organization that accepts, stores, or transmits cardholder information must comply with PCI DSS. Cardholder information includes the Primary Account Number (PAN), cardholder name, service code, and expiration date.

The Four Levels of PCI DSS:

Each organisation falls into one of four levels of PCI DSS. These levels are determined by the number of VISA transactions performed by your business annually. 

The four levels:

  • One: organisations that process over 6 million transactions per annum
  • Two: businesses that process between 1 million to 6 million transactions per annum
  • Three: organisations that process between 20,000 to 1 million e-commerce transactions per annum
  • Four: those that process fewer than 20,000 e-commerce transactions or up to 1 million transactions per annum

With the exception of level 3, these categories apply regardless of the transaction channel.

The Six Goals of PCI DSS:

PCI DSS has six key goals.

1. Build and maintain a secure network 

To comply with the PCI DSS, you need a secure system and network. To achieve this, you’ll need to:

  • Install and configure a firewall for protecting your network
  • Make use of secure configurations for devices and software instead of manufacturers’ default settings

2. Protect cardholders’ information

Protecting cardholder information isn’t just about preventing breaches of your network. It’s also important that you stop any stolen records from being used. 

PCI DSS requires the use of encryption when transmitting cardholder information across public networks. Encrypting the information guarantees that it is inaccessible and unreadable, even if a breach occurs.

3. Maintain a vulnerability management program

A ‘vulnerability management program’ ensures that malware and other security vulnerabilities are adequately taken care of.

Protection against malware

Anti-malware tools, whitelisting, and sandboxing should all be used to protect your business against malware. And these tools should be updated and monitored regularly. To comply with PCI DSS, you’ll need to protect all company devices against any type of malware. 

Secure systems and applications

PCI DSS instructs you to ensure the following when securing your systems: 

  • Keep all devices and software updated by installing the latest manufacturer-provided security patches
  • Establish a process for identifying and reporting newly discovered security vulnerabilities
  • Use industry best practices when developing or changing software applications and system components

4. Implement strong access controls

Access control is all about restricting users on a ‘need-to-know’ basis. Cardholder information is highly sensitive and access to it should be restricted, even for your employees. 

PCI DSS requires businesses to ensure access to system components is authorised and authenticated through user accounts. What’s more, physical access to cardholder information should be tightly controlled. This means all your system components should be stored in an inaccessible location – far away from anyone unauthorised.

5. Monitor and test networks regularly

To check for vulnerabilities in your networks, you’ll need to monitor and test them regularly. Any access to network resources, particularly cardholder data, should be tracked and monitored. This will tell you who’s accessing your cardholder data, when they’re doing it, and how.

PCI DSS also requires you to monitor network traffic, run scans for detecting internal and external network vulnerabilities, and set up a detection system for intruders. 

6. Maintain a policy for information security

Any organisation looking to comply with PCI DSS needs comprehensive guidelines for staff on how to handle information security. The policy should include a risk-assessment process, usage policies for technologies, information security requirements for personnel, and a formal awareness program.

A short summary

If you’ve made it this far, you’re now well-versed in the differences between government certifications. But here’s a quick summary of the key differences between them.

| Parameter | Cyber Essentials | ISO 27001 | PCI DSS |
| Creator | Government of UK | International Organization for Standardization (ISO) | PCI Council consisting of VISA, MasterCard, American Express, Discover, and JCB. |
| Flexibility | Low | High | Low |
| Scope | Depends on the business. Limited to the UK only. | Depends on the business and is international. | Applies to cardholders’ information only and is international. |
| Number of Domains | 5 requirements | 14 controls | 6 goals |
| Auditing | None. | Maintenance audits each year and recertification audits every 3 years. | Network-scanning audits and onsite audits depending on the level of compliance needed. |
| Certification | Must have for government suppliers handling personal information. | Given to all organizations. | Required by organizations that involve payment through credit cards. |
| Compliance | Easy | Complex | Complex |
| Time to Compliance | 1 – 2 days | 6 – 9 months | 1 – 2 weeks |

So which should you pick?

Cyber Essentials, ISO 27001, and PCI DSS are very different standards. However, they share a common goal: information security. 

ISO 27001 looks like the most comprehensive standard, but it isn’t the silver bullet it appears to be. Government departments in the UK often prefer (and even require) CE over both ISO 27001 and PCI DSS. So the best certification for your business depends on your requirements, size and infrastructure.

This might seem like a bit of a minefield, but that’s where we come in. At CyberSmart, we understand cybersecurity can be confusing. But we don’t believe it has to be.

So if you’re looking to improve cybersecurity but aren’t sure where to begin, talk to us. We can help you navigate tricky government standards and choose the right option for your business.

The 5 control areas of Cyber Essentials (minus the technical jargon!)

Step 1 to CE: Boundary Firewalls and internet gateways

A firewall or gateway protects internal networks and systems against unauthorised access from the internet. They are designed to provide a basic level of protection for internet users. All business networks should have a properly configured firewall in place. The firewall monitors all network traffic, whilst identifying and blocking any traffic which can be harmful.



Why every company should get Cyber Essentials