The State of UK SME cybersecurity

UK SMEs have faced a turbulent few years. The COVID-19 pandemic altered the way many of us work forever. The conflict between Russia and the international community has raised the spectre of cyber attacks on UK businesses. And cyber threats for SMEs continue to rise.

So with all these factors in play, how are the UK’s SMEs managing? Has the rise in remote working led to a change in cybersecurity practices? How often are SMEs facing cyber threats? Most importantly, what can they do to better protect themselves?

To answer some of these questions, Gartner-owned Software Advice – a company that provides advisory services, research, and user reviews on software applications – surveyed 500 managers at UK SMEs.

And we’ve teamed up with Software Advice to bring you the results. 

What’s in the guide?

Using the data provided by Software Advice, we tackle:

  • How often SMEs are being attacked
  • The impact of COVID-19 on SME cybersecurity
  • The biggest threats facing SMEs
  • The consequences of a breach on SMEs
  • What SMEs are most worried about
  • How effective SMEs’ defences are
  • What SMEs can do to better protect themselves

And much, much more.

Where can you get a copy?

As this is such important data for the entire cybersecurity industry, we’re offering our guide free to anyone who finds it useful. All you need to do to get your copy is download it here or hit the button below.

CyberSmart to lead research on cybersecurity in the post-COVID workplace

As lockdown measures tighten once more, many organisations are considering a future where workers may never fully return to the office. 

The COVID-19 crisis hit suddenly and with little warning. As a result, many businesses made the transition to working from home suddenly, without remote working policies and little real guidance for their employees. 

There’s no doubt these hybrid home-office workplaces bring challenges when it comes to privacy and security. But with such a rapid transition, do we understand exactly what those risks are?

The Research

CyberSmart is looking for the answer. Starting this week, we’ll be putting our expertise in SME cybersecurity to good use. We’re joining a research group examining the risks to trust, identity, privacy and security in new work environments as a result of COVID-19.

The three-month project is part of SPRITE+, a consortium funded by the Engineering and Physical Sciences Research Council. The project was one of several selected for funding through a SPRITE ‘sandpit’. It aims to bring together industry experts and academics involved in research, practice, and digital policy. 

Why is CyberSmart getting involved? 

Many SMEs are struggling to protect their people and operations in our changing world. So we’ve chosen this project because of its relevance to our customers. We hope it’ll help us better understand new risks and develop the strategies to counter them. 

As our own Ben Koppelman, CyberSmart’s Head of Research and Innovation, put it:

“This is important research for CyberSmart to be involved with. We want to provide an evidence-based approach to understand what new security risks have emerged due to the dramatic shift to home working. And we want to explore the new measures taken to manage these risks.”

We’ll also be looking at how businesses can balance the security of the company with the private lives of employees. Ben added, “We want to know if employers are placing new security demands on their employees and if these demands create tensions with employees’ privacy needs.” 

The project group, made up of academics from four different universities and two industry experts, will begin with a literature review. We’ll follow this up by gathering evidence directly from organisations and their employees. To gain a picture of the whole economy, we won’t just be focusing on SMEs. We’ll try to compare how home working has affected both large and small enterprises.

The academics will take the reins on research. However, we’ll offer support as an industry partner, provide access to SMEs, and contribute to the risk analysis. 

Looking to the horizon

The project is part of our horizon scanning work. We’ve been hard at work behind the scenes to better understand how COVID-19 is impacting digital transformation. In time, this research will inform our own innovation plans. But, more importantly, it’ll help us offer new security guidance to our customers. 

Are you looking to improve cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

Mythbusting: is contact tracing safe?

We have a problem. Well, more of a puzzle. Like much of Europe, the UK is gradually emerging from the lockdown of the last few months – this is great for business, collective sanity and our social lives. But opening up brings risks. If a second wave of COVID-19 is inevitable, and many scientists think it is, how should we avoid the mistakes of our first run?

Imposing another nationwide lockdown like the one this spring risks economic ruin for an already ailing UK economy. But with a vaccination a long way off, ‘keeping calm and carrying on’ would be even more disastrous. 

One solution you’ve probably heard a lot about in the last few months is contact tracing. Or, more specifically, the new NHS COVID-19 app. Some have boldly declared the technology, coupled with testing, the answer to a return to normality. Meanwhile, others have raised serious cybersecurity and data privacy concerns. 

So, how does contact tracing work? Are privacy activists and cybersecurity experts right to be worried about it? And, are your privacy and cybersecurity really in peril? 

How does contact tracing work?

There are many different ways apps like this could work, but for simplicity let’s stick with how the NHS app works.

The app is incredibly simple. It uses Bluetooth to ‘ping’ any other phones (with the app downloaded) in your vicinity. The app then stores a record of anyone you’ve been in close contact with over a relevant time frame, for example the 2-14 days that symptoms typically take to appear in someone who has been exposed to the virus. 

If anyone receives a COVID-19 diagnosis, the app notifies everyone recorded within the infection range. It then sends a message asking users to self-isolate. 

What are the privacy concerns? 

At this point, you may be wondering what the problem is. The app seems intuitive, it has the crucial benefit of simplicity, and it’s easy to scale (after all, 79% of us own a smartphone). 

Most experts are broadly in agreement that the system is needed and a good idea. Where opinion differs is in the best way to design an app to accommodate it. 

This argument centres around whether we should be building centralised or decentralised apps to tackle contact tracing. A centralised app means that in the event a user flags a positive test result, the data from their phone is sent to a centralised database run by a healthcare body or the government. This central database then unlocks the identities of the infected person and anyone they’ve been near. 

In a decentralised model, this same process is repeated on the phone itself, meaning the government or healthcare body never receives any identifying information about app users. Instead, any data they collect is depersonalised, for example, the number of people infected and their geographic spread.
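To make the difference between the two models concrete, here is an added example (not code from the NHS app or from CyberSmart) that simulates the decentralised design in Python. It assumes a simplified scheme of our own: each phone mints a random daily key, derives a fresh 16-byte identifier for every 10-minute slot with HMAC-SHA256, and records the identifiers it hears over Bluetooth. After a positive test only the daily keys are uploaded, and every phone re-derives identifiers from the published keys and matches them against its own log locally, so the server never learns who met whom. The names, parameters and scenario are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed protocol parameters (a simplified decentralised design, not the NHS app's protocol)
INTERVALS_PER_DAY = 144   # one broadcast identifier per 10-minute window
RETENTION_DAYS = 14       # matches the 2-14 day incubation window mentioned in the text


def derive_rpi(tek: bytes, interval: int) -> bytes:
    """Rolling proximity identifier for one interval, derived from the day's key.
    Without the key, an observer cannot link two identifiers to the same phone."""
    return hmac.new(tek, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    teks: dict = field(default_factory=dict)      # day -> temporary exposure key
    observed: list = field(default_factory=list)  # (day, rpi) heard over Bluetooth

    def key_for_day(self, day: int) -> bytes:
        # Drop keys older than the retention window, then mint today's key on first use.
        for old in [d for d in self.teks if d < day - RETENTION_DAYS]:
            del self.teks[old]
        if day not in self.teks:
            self.teks[day] = secrets.token_bytes(16)
        return self.teks[day]

    def broadcast(self, day: int, slot: int) -> bytes:
        return derive_rpi(self.key_for_day(day), day * INTERVALS_PER_DAY + slot)

    def hear(self, day: int, rpi: bytes) -> None:
        self.observed.append((day, rpi))

    def diagnosis_keys(self) -> list:
        """Uploaded after a positive test: only daily keys, never the list of contacts."""
        return sorted(self.teks.items())

    def exposure_count(self, published: list) -> int:
        """Runs entirely on the phone: re-derive each published key's identifiers
        and match them against what this phone heard. The server learns nothing."""
        hits = 0
        for day, tek in published:
            rpis = {derive_rpi(tek, day * INTERVALS_PER_DAY + s) for s in range(INTERVALS_PER_DAY)}
            hits += sum(1 for d, r in self.observed if d == day and r in rpis)
        return hits


def simulate() -> dict:
    """Constructed scenario: Alice meets Bob on day 3 and later tests positive; Carol meets nobody."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    # Day 3, 10-minute slot 42: Alice and Bob are within Bluetooth range of each other.
    bob.hear(3, alice.broadcast(3, 42))
    alice.hear(3, bob.broadcast(3, 42))
    # Alice tests positive and uploads her daily keys to the health service's server.
    published = alice.diagnosis_keys()
    return {
        "server_sees_only_keys": all(isinstance(d, int) and len(k) == 16 for d, k in published),
        "bob_exposures": bob.exposure_count(published),
        "carol_exposures": carol.exposure_count(published),
        # A published key is not the identifier Bob stored, so neither log nor upload names anyone.
        "key_not_in_bobs_log": all(k not in {r for _, r in bob.observed} for _, k in published),
    }


if __name__ == "__main__":
    print(simulate())
```

The centralised model would instead upload Bob's `observed` log to the server for matching, which is precisely the identifying data the decentralised design keeps on the handset.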

Privacy and security campaigners worry about the centralised model because it’s open to ‘scope creep’. Or, to put it another way, just because the technology is being used for benign purposes now, doesn’t mean it couldn’t be applied for mass surveillance in the future. 

The UK had planned to use a centralised model. However, partly due to these concerns, and Apple and Google declaring they wouldn’t allow its use on their phones, it’s now switched to a decentralised model.

What about security? 

The other big concern about any contact tracing app stems from whether its data is completely safe from cyber attacks. A recent report from two academics specialising in cybersecurity reveals that contact tracing apps may have some unforeseen vulnerabilities.

We won’t delve too far into the technical reasons behind the findings. In essence, most of the models for apps we’ve seen from governments so far transmit encrypted and unencrypted data side-by-side. Security experts fear that this could mean would-be hackers have an ‘in’ to identify individual users and steal their data.

Are your cybersecurity and privacy really at risk? 

We’ve outlined some of the security and privacy concerns about contact tracing apps, but how at risk is anyone who uses one?

Privacy – Had the UK government pushed ahead with its plan to use a centralised model, this would have been a very different article. However, the move to a decentralised approach has mitigated most privacy concerns. 

A decentralised app won’t share any personal information about you. It won’t share your geographic location with any third party. And, from an inter-user standpoint, the design shouldn’t allow anyone to work out who in their recent contacts has become symptomatic. 

Security – This issue is a little thornier. The questions raised by the report we mentioned earlier haven’t gone away, but at this stage, they remain theoretical problems rather than something users are reporting. What’s more, GCHQ’s National Cyber Security Centre (NCSC) is aware of the findings of the report and is working towards fixing them. 

Contact tracing apps aren’t perfect, but it’s a balancing act. As with any state-run technology, they face questions about privacy and security. On the other hand, the risks to privacy are small and security is only likely to improve as the technology does. More importantly, contact tracing has enormous potential to help us get back to something more like the pre-COVID world. So perhaps the real question is: can we afford not to use it? 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

New webinar: Staying cyber secure as the UK reopens

We’ve all read the headlines about ‘unprecedented times’ and how ‘things will never be the same again’ post-COVID-19. Some of the commentary on our post-pandemic world might seem a little overblown. However, for cybersecurity at least, a lot of it rings true.

As the UK begins to reopen and offices welcome staff back, businesses have emerged from the crisis into a hybrid world. The mix of remote and office working adopted by many organisations brings with it opportunity. But it also brings new security risks too (more on that here).

A recent report from VMware reveals that 91% of organisations have seen an increase in cyber attacks as a result of home working. In this environment, online protection has become more important than ever before. But how can businesses, particularly SMEs without large security budgets, become more cyber secure?

Join CyberSmart CEO and cybersecurity supremo Jamie Akhtar, and Guy Waller, Partnerships Manager at Starling Bank, as they tackle the following questions in a short webinar.

  • What are the new and existing cyber-threats for businesses?
  • As businesses reopen, and staff are working both from home and the office, what new challenges does this pose?
  • What are the best ways businesses can protect themselves and stay one step ahead?

To learn more, watch the full webinar, for free, here or below.

If changes in working practices have got you thinking about improving your cybersecurity, a great place to start is with Cyber Essentials certification. It’s a simple, 24-hour certification process that could improve your protection from cyber-attacks by 99%. Get started today here.

How to shift to working from home permanently without compromising your cybersecurity

Coronavirus has the potential to change the world of work forever.

Unless you’ve spent the last few months consciously avoiding the media, chances are you’ve read that sentence a lot. From morning talk shows to breathless newspaper op-eds, it feels like everyone is talking about the society-wide shift to working from home.

But what started as a necessary evil that many businesses adopted reluctantly has turned into something else. First came announcements from Twitter and Facebook that employees would be allowed to ‘work from home forever’ if they chose. This was followed by a host of other businesses including Google, Amazon, JPMorgan, Capital One, Slack, Salesforce, Microsoft and PayPal extending their work-from-home options.

Why is this happening?

Well, it’s actually very simple. An increasing number of businesses are seeing the real benefits of a more permanent shift to remote working.

Why rent office space for 300 people when you could use a smaller venue for essential meetings at half the cost? Why insist staff make long commutes into the office, when they’re happier and more productive working from home? 

For many organisations, the COVID-19 pandemic has turned these questions from water cooler conversations into key pillars of business strategy. 

If your business is considering making the switch to permanent remote working, are you prepared for the risks you should be aware of? And, how can you overcome them and ensure your people are working safely? 

What risks does working from home present? 

While switching to remote working offers benefits in productivity and real estate savings, it also comes with some risks. Here are a few of the most common. 

Unsecured personal devices 

The first question to ask is: can you be sure your people will follow the same security protocols they would in the office? The networks and security tools your staff use at home are likely to be far less secure than those in the office. Home office networks are 3.5 times more likely than corporate networks to be infected by malware, according to a report from BitSight. 

There may even be a psychological element to this. As ZDNet has reported, 52% of employees believe they can get away with riskier behaviour when working from home. For example, sharing confidential files via email instead of the usual, safer channels. 

Lack of remote-working policies and procedures

Part of the reason employees are exposing themselves to risk at home is simply a lack of knowledge of these risks. The COVID-19 pandemic developed so quickly that many businesses didn’t have time to put in place clear policies and procedures for working from home, so employees were literally left to their own devices.

This makes cybersecurity a bit of a guessing game, particularly for the less security-literate of your staff. 

Heightened risk of attack

Cybercriminals are smart, but they’re largely opportunistic. And it hasn’t taken them long to figure out that switching to remote working has made businesses vulnerable.

VMware’s recent Global Threat Report reveals that 91% of global respondents have seen an increase in cyber attacks as a result of employees working from home. Meanwhile, the proportion of attacks targeting remote workers increased from 12% of all email traffic in March to 60% just six weeks later. 

Keen to exploit our hunger for coronavirus updates, cybercriminals have set up thousands of COVID-19-related ‘news’ sites. These double up as hosts for malware and domain names to launch phishing attacks from. Without the robust controls deployed by most corporate networks, it’s incredibly easy for people working from home to fall into the trap. 

The other area cybercriminals are targeting more regularly is VPNs. VPNs have long been a weak point for cybersecurity. They were only ever intended for small numbers of workers to use occasionally, not whole companies all the time. As a result, many VPNs are insecure and provide cybercriminals with a much wider ‘attack surface’ from which to launch attacks.

Reliance on the Cloud

We talked about some of the potential issues with cloud storage in a recent blog and, while it’s the safest option for businesses, it’s not invulnerable to attack. 

Working from home naturally increases your reliance on the Cloud. And this isn’t necessarily a bad thing. However, cybercriminals are becoming better all the time at breaking through providers’ defences and intercepting data as it moves between employees’ devices and the cloud. 

How can you overcome these risks? 

We’ve tackled some of the risks involved in switching to working from home, so what can you do about it?

Provide clear policies and encourage communication

This is the most important step on this list. If your people don’t know which behaviours are harmful, they can’t correct them. Ensure all security policies for workers are clear and easy to follow. If you don’t have a remote working security policy, now’s the time to draft one.

Alongside this, work to foster a culture of communication. That way, employees will feel comfortable asking for help with anything they don’t understand and reporting anything suspicious to internal security teams. All too often, security mistakes are made because staff feel ‘silly’ raising their concerns. 

Ensure the right security is in place 

Many of the most common threats can be prevented simply by ensuring your people have the tools they need. Check that all corporate-owned or managed devices are equipped with the best security capabilities. Also, make sure that the security best practices you’d use in the office are extended to the home environment. 

Maintain good password hygiene

Set up a password policy and ensure everyone follows it. Employees should always use complex passwords and two-factor authentication, as well as change passwords regularly. 
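The article does not say how a password policy or two-factor authentication is enforced, so here is an added Python example (our own illustration, not CyberSmart’s code) of the two controls working together at login: a policy check that rejects short, low-variety or known-breached passwords at enrolment, a salted PBKDF2 hash for storage, and a time-based one-time code verifier following RFC 6238 as the second factor. The breached-password list is a constructed sample; a real deployment would check against a full breach corpus. The `enrol` and `login` functions and the 30-second step with a one-step drift window are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct
import time

MIN_LENGTH = 12
# Constructed sample of known-breached passwords; a real deployment would query a breach corpus.
BREACHED = {"password", "Password1!", "Welcome2020!", "Summer2020", "Letmein123!"}


def password_problems(pw: str) -> list:
    """Return the policy rules a candidate password fails (an empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < 3:
        problems.append("fewer than three character classes")
    if pw in BREACHED:
        problems.append("appears in a known breach")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float = None, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift),
    comparing in constant time so response timing does not leak the valid digits."""
    now = time.time() if at_time is None else at_time
    counter = int(now) // 30
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


def enrol(password: str) -> dict:
    """Refuse weak passwords at enrolment; otherwise store only a salted PBKDF2 hash."""
    problems = password_problems(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)}


def login(record: dict, password: str, otp: str, totp_secret: bytes, at_time: float = None) -> bool:
    """Both factors must pass. The second factor is evaluated even when the first fails,
    so response time does not reveal which factor was wrong."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    password_ok = hmac.compare_digest(candidate, record["hash"])
    otp_ok = verify_totp(totp_secret, otp, at_time)
    return password_ok and otp_ok


if __name__ == "__main__":
    # RFC 6238 reference secret; at_time=59 is the first test vector (code 287082).
    secret = b"12345678901234567890"
    record = enrol("Tr0ub4dor&3-Extended!")
    print(login(record, "Tr0ub4dor&3-Extended!", totp(secret, 59), secret, at_time=59))
```

The policy check runs once, at enrolment, so the login path never has to handle a weak password; rejecting known-breached values matters more than raw complexity, because attackers try leaked passwords first.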

Make sure software is up to date

Your employees should regularly install updates and patches for the software on their devices, no matter how much they might enjoy not restarting their laptop for months on end. 

Keep it professional

Encourage your workers to keep work devices for work and personal devices for everything else. Limiting the number of sites employees visit can limit the risk of attack. 

Secure Wi-Fi access points

Network gateways are an underappreciated aspect of good cyber hygiene. Most of us don’t think much about our Wi-Fi once it’s up and running. However, changing the default settings and passwords on a router can reduce the potential for attack from connected devices.

Understand the risks

Hopefully, this article has helped identify some of the risks remote working presents. But it can’t be stressed enough that understanding the risks is key to preventing them. IT teams need to identify the most likely areas of attack and prioritise the protection of the areas of your business where cybercriminals could do the most damage. 

Although the switch to working from home comes with difficulties, it’s also a golden opportunity to remould the way your business functions. Alongside the obvious real estate savings, remote working promises happier employees, more productive work and greener business practices. Don’t let poor cybersecurity stand in the way of your business embracing the future. 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

When cyber security saves lives: examining the healthcare industry

Three years ago today, the UK’s National Health Service descended into chaos.

In one fell swoop, a fairly unsophisticated worldwide ransomware attack called WannaCry infected computers in hospitals across the country, hijacking thousands of pieces of connected medical equipment and holding patient and hospital data for ransom.

Becker’s Hospital Review estimates that in the United States data breaches cost the healthcare industry approximately $5.6 billion every year. The WannaCry attack cost the UK healthcare system nearly £92m. But while it was the largest breach the NHS had ever experienced, it wouldn’t be the last.

In terms of basic cyber security, the healthcare industry lags woefully behind other sectors like finance and manufacturing, which often build their infrastructure with data security in mind. This is especially troubling given how attractive healthcare breaches can be to hackers (personal health information is worth an average of 10 times more than financial information on the black market). Not to mention the dire risk to patient care when day-to-day functions are interrupted. 

Here are some of the ways in which the current healthcare system is more susceptible to breach than ever and why incorporating security practices needs to be prioritised:

A complex supply chain

When we speak about the healthcare industry we aren’t just talking about hospitals and computers full of medical records.

The healthcare system is possibly the most complex supply chain in our economy. It includes everything from cleaning supplies to CRM appointment reminder software, scanning machines to climate-controlled storage of drugs shipped from all corners of the globe.

It is common practice for hackers to target the supply chains of the organisations they want to access. It is very often these small suppliers (15- or 20-employee companies) that offer an open door through weak security practices. A November 2019 study by Orpheus of NHS suppliers showed that 95% lacked advanced security protection. 88% of them had already experienced some sort of email and employee password leaks before working with the NHS.

There is much at stake. Trust in this highly regulated industry is paramount. A data breach for a small supplier could mean the end of their business.

Data gone digital

The days of paper records are all but gone in healthcare. And with good reason. Digitised patient data makes it easy to quickly communicate between internal hospital departments and outpatient clinics, and to ensure information is always accessible and up-to-date. 

However, it also makes the institutions that hold this data an increasingly attractive target. Once acquired, patient data can be held for ransom or sold on the black market.

Last year, an Israeli research group exposed more insidious potential consequences when it demonstrated how a hacker could very quickly and realistically add or remove medical conditions (such as the appearance of a tumour) on 3D medical scans in real time. Although this would likely only be used to target specific individuals for specific reasons (they mentioned insurance fraud and political assassination), it demonstrates how severe the consequences can be for even a simple breach.

Connected and outdated devices

From hospital lifts to MRI machines and implanted pacemakers, the healthcare system is increasingly connected to the internet. Doctors and nurses rely on these machines to monitor patient health and to serve as a partner in diagnosis.

Unfortunately, every connected device offers another potential entry point for hackers, and the level of security of each device varies widely. Some of them are new and modern, but others, such as expensive scanners, may be 10 or 15 years old. They are running on outdated operating systems and no one has the time or skillset to patch them.

Compromised devices can be hard to detect, and malware is likely running on many devices right now, unbeknownst to staff. A drip delivering chemotherapy drugs that had been infected with crypto-mining malware might just run a little bit more slowly. But when the precise and timely delivery of a dose is paramount, this can have disastrous results.

Over-stretched staff

A key part of any industry’s cyber health is knowledge and good practice among its organisations and employees. JAMA Internal Medicine reports that the majority of breaches related to data privacy in healthcare were the result of employee error and unauthorised disclosure.

In the already overstretched world of hospitals, it is no wonder that cyber security is the last thing on the minds of most workers. It makes sense. Our healthcare providers are trained to take care of patients, not to be IT experts. 

But the NHS is the largest employer in the UK and we must come to accept that cyber security awareness is a critical part of every job, and one that may itself save lives.

Many of these breaches could be prevented through the basic cyber hygiene covered in the government-backed Cyber Essentials scheme. This includes maintaining strong password protection, up-to-date software and firewalls, and anti-malware. If you are a healthcare provider or supplier, consider getting certified in Cyber Essentials.