How much of your IT budget should you spend on security?

It looks like IT budgets will continue to grow this year despite the threat of a recession. 51% of organisations plan to increase their IT budget, with just 6% reporting they’d cut back on tech spending. 

At face value, this is good news. But with rising inflation, the real value of these budgets is less than last year. Because IT budgets need to stretch into every corner of businesses, there’s likely to be some pressure around spending. And the amount of IT budget spent on security could end up being less compared to last year. 

That could leave organisations more vulnerable to cyber threats, but cutting security costs doesn’t have to mean adopting a less robust security solution. Protecting your business from the most common and deadly attacks doesn’t have to break the bank.

How much should IT security cost?

It’s far too common to hear “how long is a piece of string?” when asking this question. 

For companies with 500 or more employees, it’s hard to define how much IT security should cost because their size, reach, and security needs are too variable and complex to assign a fixed number to. For example, last summer Google announced they’ll invest 10 billion dollars in cybersecurity over the next five years. 

But for smaller businesses, it doesn’t have to be complicated. 

  • If you work alone, a good level of cover should cost you £1,000–£3,000 a year
  • If you run a small business with 40 employees, a good level of cover should cost you £2,000–£5,000 a year
  • If you have 250–499 employees, a good level of cover should cost you £8,000–£12,000 a year

Worried about rising IT costs? Check out our guide to protecting your business on a budget.

How does that compare to the cost of a breach?

Let’s look at the amount of IT budget spent on security compared to the amount of IT budget spent because of security breaches. 

The UK Government’s Cyber Security Breaches Survey 2022 revealed that 39% of UK businesses identified a cyberattack in the 12 months before the survey. Where those businesses reported a material outcome, the average estimated cost was £4,200. For medium and large businesses, the average cost was £19,400. In another report, 73% of victims revealed they’d experienced more than one attack in a year, so the costs can quickly add up. Some costs are harder to calculate, such as damage to brand reputation and customer retention.

What should you look for in a security solution?

Broadly speaking, you can break this up into two sections:

1. Supplier

Choose a cybersecurity supplier who can provide a good level of support, e.g. unlimited guidance. This is especially helpful if you’re a smaller or new business that’s just getting started with cybersecurity, as it’ll give you extra peace of mind. Look into the level of flexibility the supplier gives you, too. If budget and payment terms are a concern, a subscription-based service that offers monthly payments is more affordable than paying the whole year upfront.

2. Functionality

Look for a solution with buildable components so your security coverage can grow as you do.

Here are some key things to look for:

Certifications

Accreditations like the UK Cyber Essentials scheme outline the security procedures you should have in place to secure your data. It’s recommended for SMEs because it helps you to protect your business against 98.5% of the most common types of cybercrime, like phishing and malicious software. 

Privacy support

Your business must manage data safely, securely, and in compliance with data protection laws. Some providers will help you to field subject access requests, write data protection policies, and keep on top of your data protection obligations by providing tools and templates to streamline your processes.

24/7 monitoring and employee training

For complete peace of mind, look for providers that offer 24/7 monitoring of all devices connected to company data. They’ll check for the most common threats and vulnerabilities, helping you to manage risk and alerting you in the event of a breach.

To support this, look for solutions that include employee training alongside 24/7 device monitoring. More than three-quarters (77%) of senior IT leaders agree that internal security and governance risks are as high as external ones. So, it’s a good idea to keep your employees up-to-date with engaging and informative training sessions.

Insurance

Cyber insurance can support your business if you suffer a malicious attack or data breach. It can cover first-party losses (your own assets) and third-party losses (customer data) so that, in the event of an incident, you can recoup lost earnings due to operational downtime or reputational damage.

What if you’re struggling to find the budget to pay for security?

Lots of companies will be trying to find ways to cut costs or reallocate money to cover non-negotiable expenses. If you’re struggling with the rising cost of living and balancing your budgets, these might help you to trim the fat a little.

  • Can you reduce any old/redundant tech? This might help you to save money on subscriptions or hardware you don’t need
  • Can you cut any non-essential spending? E.g., travel or office upgrades
  • Could you re-evaluate partners and suppliers? Are they giving you the best deal or relying on your loyalty and pushing up prices? 

Recession-proof security

If you’re ready to take control of your business security, now’s a great time to start. It’s always better value for money to pay for security cover than suffer the cost of an attack and its repercussions. Be proactive, and make every penny count with the right solution for your business size.

Want to know more? Discover how to protect your business on a budget in our cost of living crisis guide.

What are the benefits of cyber insurance?

With cyberattacks rife and rising all the time, cybersecurity is essential, but so too is cyber insurance. Although many businesses have been slow to adopt such cover, the world is beginning to wake up to the substantial benefits of cyber insurance for safeguarding an organisation. Here we look at the significant advantages it offers.

Why choose cyber insurance?

Businesses are increasingly at risk of falling foul of cyber-related incidents. Recent data shows that global cyberattacks increased by 38% in 2022 compared to 2021, and the UK saw a massive 77% rise. The fact is, cybersecurity is never 100% effective.

Should the worst happen, having cyber insurance could be the difference in ensuring your business gets up and running again quickly. Some 60% of small businesses close within six months of suffering a cyberattack. So having some sort of back-up plan is crucial.

But why do you specifically need cyber insurance, rather than just standard business insurance? Well, cyber insurance is a specialist product that protects you from cyber risks and those related to IT infrastructure. The fundamental benefit of cyber insurance is that it covers risks that aren’t generally included in standard commercial liability policies, which tend to just cover costs related to technical issues, such as corrupted hard drives and lost devices.

Managing a cyber incident, such as a data breach or ransomware attack, requires detailed technical knowledge, which specialist cyber insurance can offer. Cyber insurance policies provide you with the means to implement incident response measures, such as legal assistance, public relations support and forensic investigation. 

As well as minimising any business disruption and supplying financial protection during an incident, a big benefit of cyber insurance is that it could help with any legal and regulatory actions after an incident. Although it won’t solve all your cybersecurity challenges or prevent a cyberattack from happening, cyber insurance can help your organisation get back on its feet.

Want to protect your business but unsure where to start? Check out our free guide to cyber insurance.

What could your cyber insurance cover?

As with other types of insurance, the benefits your cyber insurance includes will depend on the cover you choose. Opting for first-party cover will protect you against the direct results of a cyberattack. Alternatively, third-party cover is more comprehensive and will include the indirect consequences of a cyberattack. This provides protection for managed service providers (MSPs) that supply professional services to other companies. It’s key to covering your liability should a cyberattack on you lead to losses from a partner or customer.

Online threats are multiplying all the time, and cyber insurance will cover you for a wide variety of these risks, such as data privacy breaches, phishing attacks, distributed denial of service (DDoS) attacks, and malware, including the dreaded ransomware attack. 

Depending on the exact policy you choose, it should cover:

  • Loss of business income 
  • Legal action and fines, like GDPR charges
  • Ransom costs, if your data is held hostage
  • PR support to regain damaged trust
  • Possible repair costs 
  • Data breach measures, such as investigative proceedings

Access to expert advice and support

A key benefit of cyber insurance is that it gives you access to expert advice and support. Expertise on threat management is an important part of cyber insurance, and some insurers supply businesses with threat monitoring and management services. For example, according to the UK government’s Cyber Security Breaches Survey 2022, one organisation said that their insurance enabled them to monitor the dark web and flag if any of their accounts were being sold there.

Access to expertise on breach recovery was also named in the survey as a key reason organisations take out an insurance policy. This benefit can help companies ensure business continuity after a disruptive breach. Some policies also include access to expert forensic analysis of what caused the breach. This is important to help a business rectify the problem and implement preventative measures to make sure it doesn’t happen again.

Enhanced cybersecurity

Another valuable benefit is that a cyber insurance policy can help you build a strong cybersecurity framework. Insurers will require you to have a good level of security to be eligible for a policy. They usually carry out a risk assessment as part of the underwriting process to ensure your business isn’t a high risk. This can involve just completing a straightforward questionnaire or may go as far as an in-depth analysis of your security. And, like other kinds of insurance, your premium will decrease if you are judged to be a lower risk.

The eligibility criteria for cyber insurance cover can act as a framework to ensure good cyber hygiene. But, a simple way to boost your level of cybersecurity is to gain Cyber Essentials certification. Some insurers will offer discounts on insurance premiums if you have this, and simply by being certified, you can reduce your cyber risk by 98.5%. Cyber Essentials is a UK government-backed scheme covering everything your business should do to protect against cyberattacks, demonstrating that you take cybersecurity seriously.

Peace of mind

A big benefit of cyber insurance, which shouldn’t be overlooked, is that it provides considerable peace of mind. You can have all the strong cybersecurity possible to protect your business. However, with the ever-evolving threat landscape, you can’t be 100% sure you won’t still suffer from a cyberattack. With cyber insurance, you have the final safety net in place to ensure that you won’t have to worry about recovery costs if the worst happens and disaster strikes.

While cyber insurance doesn’t prevent an attack, it’s designed to stop a bad situation from getting worse. So, if you’re concerned about a cyberattack destroying your business, cyber insurance gives you complete peace of mind. You will have an extra layer of protection in addition to your cybersecurity, to cushion the blow.

Why cybercrime increases during a recession

The economy has taken a battering in recent times, and there’s much talk about the so-called ‘cost-of-living crisis’ we’re now experiencing. Whether there’s a full-blown recession ahead, or not, it looks like the economic outlook won’t improve any time soon. And experts agree this will spark a surge in cyberattacks. So, let’s take a look at why cybercrime increases with the looming threat of recession.

Why we can expect cybercrime to increase

The word among industry analysts is that the ongoing economic downturn will result in a significant rise in cyberattacks. Cybercriminals are already exploiting the financial situation, with an increase in social engineering attacks such as phishing emails offering rebates on energy bills to target vulnerable individuals and businesses. And, by all accounts, we can expect a great deal more of the same to come, as a distinct correlation exists between an uptick in cyberattacks and economic uncertainty.

Data shows that some types of cyberattacks are already rising considerably. According to Kaspersky Lab, the percentage of users affected by targeted ransomware doubled in the first 10 months of 2022. Phishing attacks also increased by 61% in 2022, according to the 2022 State of Phishing report from SlashNext. And, the Anti-Phishing Working Group (APWG) reported that there were a total of three million phishing attacks in the third quarter of the year – amounting to the worst quarter it had ever seen. 

Considering cyber insurance for your business? Check out our new guide for everything you need to know.

What role do businesses play? 

There are many reasons why cybercrime is increasing amid the current economic uncertainty. But most importantly, businesses are having to make difficult decisions to rein in costs. This is completely understandable in the climate. After all, we’re all trying to keep our heads above water, but this could have a direct effect on businesses’ online safety.

Although it’s ill-advised to reduce cybersecurity budgets, many business leaders underestimate the value of cybersecurity. The situation isn’t helped by the perceptions of cybersecurity within organisations. IT leaders can often find it difficult to justify spending on cybersecurity, which doesn’t often deliver visible benefits in the way other OPEX spending does. Think about it; you’re unlikely to hear much about your business’s cybersecurity unless something goes wrong. 

The result is often cuts in places they shouldn’t happen. Consequently, such companies are at higher risk of falling foul of cyberattacks.

Businesses may also decide to cut spending by letting staff go or not replacing those that leave. And this can also impact a company’s resilience to cybercrime. Cutting IT staff may mean you have fewer people to provide the necessary protection. 

This also increases the pressure on your remaining staff which can lead to mistakes and oversights, which weaken your defences further. For example, if they receive a phishing email they’re more likely to make an error of judgement and click on a link that could download malware into your network.

Cybercriminals aren’t immune to economic instability

If you’re still wondering why cybercrime is increasing, well, a recession hits cybercriminals as well as their victims. So, this can be a strong motivating factor for the bad guys to redouble their efforts and make more money. The hard fact is that a recession, or economic downturn, incentivises cybercriminals to invent new types of threats. This was demonstrated during the recession of 2008 when the FBI reported a 22.3% increase in online crime. 

More recently, a crisis of a different sort, the pandemic, sparked a similar surge in cybercrime. And there’s no reason to think the current hardships won’t create a similar spike. Companies will continue to lay off employees in the months ahead, and some may be tempted into cybercrime to make ends meet. Disgruntled employees who’ve been fired could also launch damaging attacks on businesses that have let them go, especially if they still have access to sensitive data.

Another repercussion of the recession is a possible rise in insider attacks from employees who are feeling the pinch. This is particularly likely in businesses that have been forced to freeze salaries. Cybercriminals can specifically target possible insiders to help with data breaches or cyberattacks, using social media and offering bribes. 

Fighting back on a budget

Cybersecurity isn’t a nice-to-have; it’s business-critical. And this is never truer than in times of economic crisis.

Small and medium-sized businesses often underestimate the danger they’re in, partly because of the perception that only large corporates are targets. However, the truth is that cybercriminals don’t discriminate, and the effects can be devastating. In fact, research has found that 43% of all data breaches involve small businesses.

However, you don’t need expensive tools, expert consultants, or an in-house technical team, to protect your business from cyber threats. It’s perfectly possible to build good defences on a sensible budget. Tools like CyberSmart Active Protect offer everything you need to get your cybersecurity in order, without huge investment. 

Active Protect secures all employee devices that touch your company data. Just send a downloadable link to staff, and Active Protect will check around the clock for the most common cyber threats and vulnerabilities. It also includes our training academy, which provides your employees with the basic cyber skills to better protect themselves and your business.

Want to know more? Then check out our guide to cybersecurity on a budget.

The cost of cybercrime: Is cybersecurity worth it?

If you’re wondering ‘Is cybersecurity really worth it?’, the short answer is unequivocally ‘Yes!’, especially now that the economic climate is taking a downturn. In this cost-of-living crisis, the threat to your business from rising cybercrime rates could be even higher. But let’s see why cybersecurity is worth spending some money on compared to the cost of cybercrime.

False economy

Rising costs for just about everything means businesses have to make cutbacks. The trick to riding out the storm is recognising what’s an essential and what’s a luxury to cut. Cybersecurity falls into the ‘essential’ category. 

Cybersecurity should be thought of as an investment, not an expense. It protects you from the much greater costs of cybercrime, such as business disruption and financial losses. In fact, anything you do to protect yourself in preparation for a possible attack will save you money in future. Cutting back on such a necessity would only be a false economy.

If you run a small business, you could be forgiven for thinking that cybersecurity isn’t worth it. You may conclude that your business isn’t at risk if you’ve seen the media coverage of cyberattacks on large corporations. Unfortunately, this isn’t true. No business is too large or too small to be subjected to cybercrime. Research suggests that 43% of all data breaches involve small businesses. In fact, smaller businesses can be an attractive target as they may be less likely to have the necessary cybersecurity to keep their data safe.

Strong cybersecurity is always worth it. Beyond the immediate financial cost of cybercrime, which can be high, the damage to your business’s reputation if confidential data is exposed can be long-lasting. This may affect your ability to do business in future, especially if you’re in a sector that handles highly sensitive data, such as financial services and healthcare. Potential customers will think twice before handing over personal and financial details if they doubt that they’ll be protected.

The true cost of cybercrime to a business can be complex and far-reaching and may include:

  • Significant monetary theft
  • Substantial business downtime
  • Damage to your business’s reputation
  • An increase in your insurance premiums
  • Loss of intellectual property
  • Network repairs
  • Public relation costs
  • Compliance fines

Confused about Cyber Insurance? Check out our new guide for everything you need to know.

A good return on investment

Good cybersecurity delivers a good return on investment (ROI) by preventing or mitigating the impact of an attack. According to the UK Government’s Cyber Security Breaches Survey 2022, in the last 12 months, 39% of UK businesses identified a cyberattack. And, in the case of those organisations that reported a material outcome, such as loss of money or data, there was an average estimated cost of £4,200. However, where only medium and large businesses were considered, this figure rose to £19,400. Far worse, according to a study by TrendMicro, 60% of small businesses close within six months of a cyberattack.

What’s more, another survey found that 83% of small and medium-sized businesses aren’t financially prepared to recover from a cyberattack. Indeed, a report by the European Union Agency for Cybersecurity (ENISA) revealed that 85% of surveyed small and medium-sized enterprises agreed that cybersecurity issues would seriously affect their businesses, and 57% admitted they would most likely go out of business.

Even if your company survives such an attack, the cost of cybercrime can be devastating. A study by Cisco found that 40% of small businesses that are hit by a severe cyberattack experienced at least eight hours of downtime, accounting for a large part of the overall cost of a security breach. 

So, a relatively small investment in cybersecurity today gives you a good ROI by saving you money in the long run.

The rising rate of cybercrime

The chances of being the victim of cybercrime are also growing fast, so the time is right to get your house in order and protect your business with reliable cybersecurity. 

Rates of cybercrime have been increasing for years, with a rapid rise in remote and hybrid working heightening companies’ vulnerability to attack. But over the last year, attacks have spiked. For example, the percentage of users impacted by targeted ransomware doubled in the first 10 months of 2022. And, according to the 2022 State of Phishing report from SlashNext, phishing attacks have also increased by 61% in 2022.

Experts warn that with the cost-of-living crisis, we should expect cybercrime to escalate even more and cyberattacks to increase in sophistication. Unfortunately, there is a correlation between tough economic times and a rise in cyberattacks. More people may be tempted to turn to cybercrime, and there could be an increase in social engineering attacks specifically designed to exploit the financial hardship of recipients, manipulating vulnerable victims into handing over valuable data.

So, now is not the time to cut back on cybersecurity, as the cost of cybercrime means it’s just not worth taking the risk.

Good cybersecurity needn’t be daunting

This may all sound worrying, but it really is easy to protect your business, and this doesn’t have to cost the earth. As the UK Government’s Small Business Guide: Cyber Security says: ‘Cyber security needn’t be a daunting challenge for small business owners’. 

However, many enterprises still fail to protect themselves sufficiently. According to a report from Kaspersky, as many as a quarter of UK companies admit to underfunding cybersecurity, even though 82% have suffered cyberattacks. Another study also found that one-third of companies with 50 or fewer employees were using free, consumer-grade cybersecurity, leaving themselves more vulnerable to attacks.

A big reason for this could be that protecting your business on a budget can be tricky – employing experts or investing in the latest tools can be costly. However, reliable cybersecurity does not have to be prohibitively expensive or complicated. CyberSmart Active Protect provides robust protection with no need for pricey tools, consultants, or an in-house team. It’s a cost-effective and easy way to secure all employee devices that touch your company data. Simply send a downloadable link to your staff and Active Protect will do the rest, checking 24/7 for the most common cyber threats and vulnerabilities.

So, when you consider the cost of cybercrime and the rising number of attacks, cybersecurity is undoubtedly worth it.

What is a business email compromise attack?

Business email compromise (or BEC) attacks are a threat to organisations of any size. Here’s everything you need to know to protect your business.

How does a business email compromise attack work? 

A BEC scam is a form of social engineering attack. It usually involves an attacker impersonating the top dog (such as the CEO or founder) in a business to defraud the company and its employees, partners and customers. 

The bad guys achieve this by creating an email account with a very similar address to the real thing. For example, say your CEO’s email address is ‘john.smith@cybersmart.co.uk’, the hacker’s impersonation might be something like ‘js@cybersmart.gmail.com’. 

It’s just plausible enough that, were you in a hurry or unfamiliar with the real email address, you might share sensitive information or fulfil a request without giving it too much thought.
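The lookalike-address trick described above can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the post or from CyberSmart: it flags a From: header whose display name matches a known executive but whose address is not theirs, whose domain borrows the company brand (the ‘cybersmart.gmail.com’ pattern from the post), or whose domain is within a couple of edits of a real company domain. The executive directory, the domain allowlist and the edit-distance threshold are assumptions constructed for the example; only ‘john.smith@cybersmart.co.uk’ comes from the post.

```python
"""Heuristic check for BEC sender impersonation (added example)."""
import re
from email.utils import parseaddr

# Constructed directory for this example. john.smith@cybersmart.co.uk is the
# address used in the post; the domain list, brand tokens and directory are assumptions.
COMPANY_DOMAINS = {"cybersmart.co.uk"}
EXECUTIVES = {"john smith": "john.smith@cybersmart.co.uk"}
BRAND_TOKENS = {"cybersmart"}
LOOKALIKE_MAX_EDITS = 2  # catches swaps such as "rn" for "m" or a single homoglyph


def split_address(from_header):
    """Return (display_name, address, domain); address and domain lowercased."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return display, addr, domain


def edit_distance(a, b):
    """Levenshtein distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Return a list of reasons the header looks like an impersonation attempt.
    An empty list means none of the heuristics fired."""
    display, addr, domain = split_address(from_header)
    if not domain:
        return ["malformed or missing sender address"]
    reasons = []

    # 1. Display name of a known executive, but not their real address.
    name_key = re.sub(r"[^a-z ]", "", display.lower()).strip()
    expected = EXECUTIVES.get(name_key)
    if expected and addr != expected:
        reasons.append(f"display name '{display}' matches an executive but address is {addr}")

    if domain not in COMPANY_DOMAINS:
        # 2. Company brand used as a label in a domain we do not own,
        #    e.g. cybersmart.gmail.com or cybersmart-invoices.com.
        labels = set(re.split(r"[.-]", domain))
        if labels & BRAND_TOKENS:
            reasons.append(f"brand name inside external domain {domain}")
        # 3. Domain within a couple of edits of a real one, e.g. cybersrnart.co.uk.
        for real in COMPANY_DOMAINS:
            if edit_distance(domain, real) <= LOOKALIKE_MAX_EDITS:
                reasons.append(f"lookalike of {real}: {domain}")
    return reasons


if __name__ == "__main__":
    # Constructed headers: one genuine, two impersonations.
    for hdr in ("John Smith <john.smith@cybersmart.co.uk>",
                "John Smith <js@cybersmart.gmail.com>",
                "Accounts Payable <accounts@cybersrnart.co.uk>"):
        print(hdr, "->", check_sender(hdr) or "ok")
```

A hit from any of the three heuristics is a reason to hold the message for a second look, not proof of fraud; the display-name check in particular is what catches the case the post describes, where the address is close enough to pass a hurried glance.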

Like all social engineering scams, BEC attacks rely on creating a sense of urgency and implied trust in an email that comes from a seemingly legitimate source. A sense of urgency because employees are likely to hop to it pretty quickly if a CEO requests something. And, trust because of the assumed gravitas an email from an important person within a company carries.

What do business email compromise attacks seek to gain?

Cybercriminals use BEC attacks for all sorts of nefarious ends. It might be that they want to steal sensitive data, gain access to company systems, set up a ransomware attack or dupe the victim into paying for something. 

Sadly, BEC attacks lend themselves to just about any purpose, making them a highly versatile weapon for cybercriminals. 

Want to know more about the cyber threats small businesses face? Check out our guide.

Are there any famous examples?

As they often lead to huge losses for the victim, you’ve likely seen the results of successful BEC scams in the media – even if they weren’t necessarily reported using the term. 

Facebook and Google

Undoubtedly the most famous of all time was the Facebook and Google scam, carried out between 2013 and 2015. A Lithuanian cybercriminal called Evaldas Rimasauskas set up a spoof company named ‘Quanta Computer’ (which also happened to be the name of a real supplier).

Rimasauskas then emailed convincing fake invoices to both tech giants. Both duly paid, again, again and again, until they’d been defrauded out of $121 million. Rimasauskas was eventually caught in 2019 and sentenced to 5 years in prison for wire fraud. 

Toyota Boshoku Corporation

In 2019, cybercriminals contacted the finance department of a company in Toyota’s supply chain posing as a legitimate business partner. They used the classic social engineering tactic of creating a sense of urgency, claiming that the transaction needed to be paid quickly to avoid slowing the manufacturing process. 

Unfortunately, someone at the company took the bait. The subsidiary transferred more than $37 million in parts orders to the fake company. It remains one of the biggest losses to a BEC scam ever recorded. 

Reading these examples, it’s easy to form the impression that BEC scams are usually targeted at large companies. However, this isn’t the case.

Although cybercriminals’ final target is often a big corporate, they’ve become more and more inventive about how they get there. As with many other forms of attack, many BEC scams now originate in the supply chain. Even if you’re a smaller business, there’s no guarantee that cybercriminals won’t try to use you as a backdoor into a larger organisation in your supply chain.

So, how can your business protect itself?

How can you protect your business?

Secure your supply chain

As we mentioned earlier, a large proportion of BEC attacks begin in the supply chain. So the best form of defence is to secure the links in your supply chain.

How that looks in practice will depend on your business and who it works with. However, a great place to start is by ensuring your cybersecurity is up to scratch. Once that’s the case, talk to your suppliers and partners about their cybersecurity practices and share experiences and advice. Many a breach could’ve been avoided with better communication across a supply chain.

Finally, aim to work with businesses that have Cyber Essentials certification as a minimum. This will give you confidence the suppliers and partners you work with take cybersecurity just as seriously as you.

To find out more about securing your supply chain, check out this blog.

Educate your staff

Like all social engineering attacks, BEC scams rely on human error. If your people can recognise the signs of a BEC scam, your business is less likely to be breached. The best way to achieve this is through security training.

Training can help your employees recognise the tactics typically used in BEC attacks, such as posing as a supplier, creating a sense of urgency, or requesting suspiciously large amounts of money. The most important way to counter a BEC scam is simply pausing to think about the request and whether it’s legitimate. Training can help this become a habit.

Create clear cybersecurity policies

To ensure your people know what good cybersecurity practices look like, you need a clear, easy-to-follow cybersecurity policy. And make sure they know where to find it. A cybersecurity policy is only as effective as the number of staff who’ve read and followed it.

Create a positive cybersecurity culture

The most formidable opponent of good cybersecurity isn’t the bad guys, it’s poor communication. Your employees need to feel comfortable raising concerns or reporting anything that doesn’t seem right. Without such a culture in place, you risk security threats being raised or discovered far too late. 

Encourage everyone in your organisation to ask questions, report anything that concerns them and learn as they go.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights into the risks small businesses face and what can be done to counter them. Get your copy here.

What is smishing?

You’ve probably heard of phishing scams, have a decent handle on what they look like, and know how to avoid them. But just when you thought it was safe to log back onto your devices, there’s a new threat in town. ‘Smishing’.

Silly name aside, smishing is a pretty potent cyber threat and has fooled thousands of victims to date. So, to arm your business against this new breed of scam here’s everything you need to know.

How does Smishing work?

Smishing attacks are a mutation of a classic phishing scam. They typically use SMS (hence the ‘smish’ part of ‘smishing’) to target victims and usually work much the same way as a typical phishing scam. A cybercriminal will impersonate a legitimate company to solicit personal data or financial information.

Like most social engineering attacks, smishing relies on creating a sense of urgency to trick victims into giving away their details before thinking too much about whether the message is legitimate. For example, a textbook smishing message often looks something like this: 

“Hi,

Your Parcel Service package has extra shipping charges of £1.45 that must be paid before we can deliver your parcel.

Please click parcelsevice-17374330.com to pay.”

Notice that this text message doesn’t feel quite right. The language isn’t what you’d expect from a professional courier, the link is a misspelt lookalike of the courier’s name with a string of random digits bolted on rather than the courier’s real domain, and the original message is littered with oddly bolded text. On top of this, few couriers or postal services notify you of extra charges by SMS.

However, if you’re in a hurry or are expecting a parcel, you might just hit the link without thinking too much about it. And it’s exactly that scenario that the bad guys are counting on.


Why are smishing attacks on the rise? 

First of all, let’s state the slightly obvious. Smishing attacks are becoming a big cybersecurity problem. Reports of malicious text messages almost tripled in just a year, rising from 107,663 in 2019 to 305,241 in 2020.

What’s more, Ofcom research revealed that 82% of UK adults (or 45m people) received a suspicious text or email during the summer of 2021. It’s got so serious that the UK government relaunched its Joint Fraud Taskforce in October 2021.

But what’s driving this?

Of course, some of this is down to the pandemic; we saw cyberattacks of all kinds increase dramatically in the wake of COVID-19. However, that’s not the whole story. In smishing, cybercriminals have hit upon a low-effort, high-reward way to target just about anyone who owns a phone. 

It’s also much easier for cybercriminals to get hold of your phone number than your email address. Even if your number hasn’t appeared in a data leak, attackers don’t need to find it: UK mobile numbers are 11 digits and all begin with 07, so the whole space is small enough to generate and message in bulk, and any number that doesn’t bounce is a live target.

On top of this, smishing has become increasingly popular because people are more likely to trust a text message than an email. This is partly an educational issue. By this point, most of us are aware of the threat of email phishing scams (even if we still fall for them). Smishing is a newer phenomenon and, as a result, we tend to be more trusting. 

Are there any famous examples?

There are plenty of examples of famous brands being spoofed for smishing purposes, from banks to parcel services to government departments. But perhaps the most famous UK examples are Royal Mail and HMRC.

The Royal Mail scam looked a lot like our smishing example above. Victims were sent fake messages purporting to be from Royal Mail asking them to pay extra fees for parcels to be released. Once victims had entered their card details to pay these ‘fees’, cybercriminals used this information to drain their bank accounts or go on lavish spending sprees.

Sadly, a staggering number of people were hoodwinked by the scam. According to Wired, 2020 saw a 1,077% increase in incidents related to Royal Mail.

The HMRC scam performed a similar dirty trick. Victims received SMS messages notifying them of a bogus tax rebate. And, after victims submitted their information, you guessed it, money suddenly started disappearing from their bank accounts.

Both scams had devastating effects, particularly at the height of a pandemic with many people on furlough, with victims losing savings or money they needed to pay bills.

What can you do to protect your business? 

Education, education, education 

Smishing attacks rely on human error: there’s no exploit involved, just a person tapping a link and typing in their details. If your people can recognise the signs of a smishing scam, they’re far less likely to fall for it. The best way to achieve this is through security training.

Training can help your employees recognise the tactics typically used in smishing attacks such as impersonating a supplier, creating a sense of urgency, or offering bogus services. It can also help give them a good nose for what looks or sounds like a scam, identifying things like strange syntax, simple spelling mistakes and weird URLs or phone numbers.
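The signs listed above (a lookalike link, urgency language, a demand for a small payment) are exactly the things the example message earlier in this post gets wrong, and they can be turned into a simple triage check for messages staff forward to IT. The following is an added example, not code from the original post or from CyberSmart: the brand allowlist, the regular expressions and both sample messages are constructed for illustration, and the ‘parcelservice.example’ domain is a hypothetical courier.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist of brands the post mentions as commonly spoofed, mapped to
# their genuine domains. "parcelservice.example" is a hypothetical courier used only
# so the sample message below has something to imitate.
KNOWN_BRANDS = {
    "royalmail": "royalmail.com",
    "hmrc": "gov.uk",
    "parcelservice": "parcelservice.example",
}
COMMON_LABELS = {"www", "mail", "secure"}  # hostname labels that say nothing about a brand

URL_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)
URGENCY_RE = re.compile(
    r"\b(must|immediately|within 24 hours|before we can|final notice|suspended)\b", re.I
)
MONEY_RE = re.compile(r"[£$€]\s?\d+(?:\.\d{2})?")


def is_genuine(host):
    """True if the host is, or sits under, one of the real brand domains."""
    return any(host == real or host.endswith("." + real) for real in KNOWN_BRANDS.values())


def lookalike_brand(host):
    """Return the brand a hostname imitates, or None if it is genuine or unrelated."""
    if is_genuine(host):
        return None
    for label in host.split(".")[:-1]:          # ignore the TLD itself
        letters = re.sub(r"[^a-z]", "", label)   # drop the digits and hyphens scammers bolt on
        if not letters or letters in COMMON_LABELS:
            continue
        for brand in KNOWN_BRANDS:
            if brand in letters or SequenceMatcher(None, letters, brand).ratio() >= 0.85:
                return brand
    return None


def score_sms(text):
    """Score one message: (number of red flags, list of reasons). 0 means nothing suspicious."""
    reasons = []
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        brand = lookalike_brand(host)
        if brand:
            reasons.append(f"link {host} imitates {brand}")
        elif not is_genuine(host):
            reasons.append(f"link {host} is not a known supplier domain")
    if URGENCY_RE.search(text):
        reasons.append("urgency language")
    if MONEY_RE.search(text):
        reasons.append("asks for a payment")
    return len(reasons), reasons


# Constructed samples: the post's example message and a plausible genuine notification.
SMISH = ("Hi, Your Parcel Service package has extra shipping charges of £1.45 that must be "
         "paid before we can deliver your parcel. Please click parcelsevice-17374330.com to pay.")
GENUINE = "Royal Mail: your parcel is out for delivery today. Track it at https://www.royalmail.com/track"

if __name__ == "__main__":
    for msg in (SMISH, GENUINE):
        print(score_sms(msg))
```

The lookalike check strips digits and hyphens before comparing, because ‘parcelsevice-17374330’ is the courier’s name with one letter dropped and a random number appended, which is precisely the pattern a human skims past. A real deployment would replace the toy allowlist with your own supplier list and a proper public-suffix check; the scoring logic stays the same.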

Create clear cybersecurity policies

If your staff aren’t aware of what safe online behaviour looks like, they’re unlikely to adopt it. So, you need easy-to-follow cybersecurity policies to make it clear what safe and unsafe look like. 

Also, make sure they know where to find them. The most thorough cybersecurity policy in the world is useless if no one reads it. For more on why cybersecurity policies are so important and how CyberSmart can help, read this. 

Create a positive cybersecurity culture

Your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. Anything else risks security mistakes being swept under the rug, only to resurface ten times worse when they’re discovered later on.

So encourage your people to ask questions, report security issues and, most importantly, learn. There was never a truer cliché than ‘your people are your greatest cybersecurity asset’.


What to do after a ransomware attack

It started as a normal day at work. You send a few emails, drink some coffee, and attend a few meetings. But then things take a turn for the worse. Your flustered finance colleague tells you they can’t access the customer database and a strange message is displaying on the screen. It’s happened. You’ve been hit by ransomware.

But what do you do next? There’s plenty of information out there on how to prevent ransomware attacks from happening, but less on what to do if the worst does happen. So, here are our top tips for what to do next.

1. Take a deep breath and assess the damage 

This might sound obvious or slightly patronising, but it can be very difficult to stay cool and collected in the event of a breach. Many victims rush into paying the ransom straight away, giving them no wiggle room for negotiations with the attacker. 

So, first things first, take a moment to collect yourself; the hard work starts here. Once you’re ready, start assessing the damage. Has an attack definitely happened? Do you know which systems or files have been compromised? How far have the hackers got? These are all questions you’ll need to answer.

Your next course of action will likely go in one of two directions. If your organisation has an incident response plan, follow that. If it doesn’t, don’t worry, you can follow the next steps on this list. 

2. Collect evidence 

This step shouldn’t take more than a few seconds, but it’s very important. Immediately take a photo of the ransom note; a screenshot or a photo on your smartphone will do, but the key thing is to document the breach. Note the file extension the malware has added to your files too, and don’t wipe or reinstall infected machines yet: you’ll need the note and the encrypted files later to identify the strain and attempt decryption, as well as for contacting your insurers and filing a police report.

3. Isolate the breach

Once it’s in, ransomware is designed to spread like wildfire across a network. To stop it from infecting every system in your business, you need to isolate the breach. 

That might sound complicated or techy, but it’s actually very simple. The easiest thing to do is disconnect the infected system(s) from your network, which means unplugging the network cable, turning off Wi-Fi and closing any VPN connection, so the ransomware can’t spread anywhere else. Doing this can stop a relatively minor breach from becoming business-threatening. 

4. Disconnect backups 

We’ve written at length on the importance of data backups before. And a successful ransomware attack is where they really come into their own. In the best-case scenario, it could save you from having to pay a ransom at all.

Unfortunately, cybercriminals know this. So most modern ransomware strains are coded to find and encrypt or delete any backups they can reach. This means it’s important to secure your backups by disconnecting them from the rest of your network and, to be extra safe, locking down access to them until you’re certain the infection has been removed. Ideally, at least one copy should already be offline or immutable so that it was never reachable in the first place. 

5. Notify insurers and your IT provider

This step will be different for everyone, depending on whether you have cyber insurance or outsource any element of your IT to a third party. However, if you do have either, now’s the time to report the breach. You’ve completed the vital first steps to contain the threat and it’s time to bring in some help.

Your insurer needs to know for obvious reasons but both should be able to help you with the next steps. Many insurers are happy to put you in touch with experts and your IT provider should also be able to lend a hand.

At this point, it’s also worth notifying law enforcement (via Action Fraud in England, Wales and Northern Ireland, or Police Scotland) and the ICO. If personal data has been affected, UK GDPR requires you to notify the ICO within 72 hours of becoming aware of the breach. Your insurers may require a police report to proceed, and reporting can also help save other organisations from the same fate.

6. Identify the strain of ransomware

Unless you’re extremely unlucky, it’s unlikely your business is the first to be hit with whatever strain it’s been infected with. And this means it should be fairly easy to identify.

Free services like ID Ransomware allow you to upload a sample of your encrypted file(s), the ransom note, and the hacker’s contact info. They’ll then analyse this information and identify who or what has attacked you.

This is important for two reasons. First, who you’re dealing with will help inform your decision on whether to pay. Second, knowing what you’re dealing with is vital when you come to attempt to decrypt your files.

7. Try decrypting your files

Once you know the type of ransomware you’ve been infected with, it’s time to have a go at decrypting your files. This might be easier with the help of a cyber expert, but it’s not too difficult to do yourself. 

There are plenty of decryption tools available online. No More Ransom has a great selection of tools to decrypt many types of ransomware. Find the strain you’ve been hit with in the list, download the matching decryptor (only ever from the official site) and follow its instructions. Before you run it, take a copy of the encrypted files: a decryptor for the wrong strain can damage them beyond recovery. The site is updated regularly, so even if you’ve been struck by a newer form of ransomware there may be something to help. 

Of course, this won’t always work. Ransomware is ever-evolving, with the bad guys constantly adding extra features. But it’s always worth a try.  

8. Reset passwords

You might have already done this step earlier on in the process. If so, give yourself a hearty pat on the back. If not, it’s time to reset your business’s passwords, starting with admin, email and remote-access accounts, and do it from a device you know is clean. The attackers may well have harvested credentials on their way in, and resetting them stops those credentials being used to reach other, non-infected systems and attack those too.

And, once the infection is completely removed, don’t forget to change them again.

9. Decide whether to pay or not 

Finally, we come to the trickiest part. Should you pay the ransom?

Sadly, there’s no absolute answer either way. Whether or not you decide to pay depends entirely on the scenario you find yourself in. If you’ve managed to decrypt your files or restore them from backup, and the data the hackers have isn’t sensitive, you probably don’t need to pay.

Likewise, your insurer may instruct you not to pay. Cyber insurers are currently split upon ransomware best practices after years of near unanimity.

In other cases, paying might look like the best option, for example when the hackers have stolen sensitive customer or financial data and are threatening to publish it. Bear in mind, though, that paying doesn’t guarantee a working decryptor or that stolen data is deleted, it can mark you out as a target worth hitting again, and UK law enforcement and the NCSC advise against it.

10. One last thing…

You may have noticed we haven’t mentioned communications to partners or customers. We’ve left this until last because, like paying the ransom, the decision is situation based.

If customer data has been stolen, then you need to inform clients and partners so they can secure their accounts. However, if the breach has only affected internal data, you may not need to communicate that to clients. 

Like the incident response plan we mentioned earlier, it’s well worth having an emergency communications plan ready to go in case you do get attacked.
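Steps 2 and 6 above both depend on the same artefacts: the ransom note, the encrypted files and the extension the malware appended. The script below is an added example, not code from the original post or from CyberSmart. It walks a copy of an affected folder read-only and produces an evidence manifest (hashes, sizes, timestamps, suspected notes and unfamiliar extensions) that you can hand to your insurer, the police or an identification service. The note-name keywords, the list of ordinary extensions and the sample folder it builds for the demo are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Constructed keyword list: names ransom notes commonly use; not exhaustive.
NOTE_KEYWORDS = ("readme", "how_to_decrypt", "how_to_restore", "decrypt", "recover", "restore")
# Constructed list of ordinary document types; anything else is worth a closer look.
ORDINARY_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".html", ".msg"}


def sha256_file(path):
    """Hash a file in chunks so large shares don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_note(name):
    n = name.lower()
    return n.endswith((".txt", ".html", ".hta")) and any(k in n for k in NOTE_KEYWORDS)


def triage(root):
    """Walk `root` without modifying anything and return an evidence manifest."""
    files, notes, extensions = [], [], Counter()
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            ext = os.path.splitext(name)[1].lower()
            extensions[ext] += 1
            entry = {
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            }
            if looks_like_note(name):
                with open(path, "rb") as f:          # keep the note text: ID services ask for it
                    entry["note_text"] = f.read(4096).decode("utf-8", "replace")
                notes.append(entry)
            files.append(entry)
    return {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "notes": notes,
        # The extension the malware appended usually shows up here, e.g. ".locked" on every document.
        "unfamiliar_extensions": {e: n for e, n in extensions.items() if e not in ORDINARY_EXT},
        "files": files,
    }


def build_sample(root):
    """Constructed sample share: two encrypted spreadsheets, a note, and one untouched file."""
    os.makedirs(os.path.join(root, "invoices"))
    samples = {
        "invoices/Q1.xlsx.locked": os.urandom(512),
        "invoices/Q2.xlsx.locked": os.urandom(512),
        "invoices/HOW_TO_DECRYPT.txt": b"Your files have been encrypted. (Constructed sample note.)\n",
        "handbook.pdf": b"%PDF-1.4 untouched sample document\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)


def demo():
    """Build the sample share in a temp dir, triage it and return the manifest."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return triage(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a copy of the affected share, not the live system, and keep the JSON alongside your photo of the ransom note. The hashes let an investigator show later that the files weren’t altered after collection, and the note text plus the odd extension are what a service like ID Ransomware needs to name the strain.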


Why managed service providers (MSPs) are a target for cybercriminals

According to the cybersecurity agencies of the ‘Five Eyes’ countries (Britain, the US, New Zealand, Australia and Canada), managed service providers (MSPs) are increasingly at risk of cyberattacks. But why? What makes MSPs such an enticing target for the bad guys? And, more importantly, what can MSPs do to protect themselves and their customers? 

Why are MSPs being targeted? 

Upon first hearing, it might sound odd that cybercriminals are targeting, and often successfully attacking, MSPs. We think of MSPs as IT and cybersecurity experts with good defences, so surely there are more tempting targets?

Unfortunately, this is only partially accurate. Although it’s true that many MSPs do have pretty robust cyber defences, there’s another reason they get cybercriminals champing at the bit.

MSPs are so attractive to hackers because they can typically remotely access clients’ networks and IT environments. And, that’s before we mention how much data the average MSP has access to – everything from financial information to breakdowns of customers’ security. 

In short, MSPs are being targeted for the same reason as supply chains. Successfully breaching an MSP means cybercriminals gain access to much more than the initial target. It could lead to ‘follow-on’ activity across the MSP’s whole customer base.

In other words, it’s a huge win for the bad guys. And cybercriminals are very obviously aware of that fact. According to new research by N-able, 90% of MSPs suffered a successful attack in the last 18 months. The study also found that the number of attacks prevented by MSPs almost doubled during the same period.

What are the consequences of a breach?

The impact of a successful attack on an MSP can be severe. The best way to think about it is to split the consequences into two categories – direct and indirect. Let’s deal with direct first.

Perhaps the most obvious impact of a breach is the disruption it could cause an MSP. Your business could be hit with a lengthy clean-up operation, systems downtime, and a big dent in staff morale. What’s more, depending on the kind of attack, there may be a financial aspect to the disruption.

A ransomware attack could lead to your business having to make a hefty payout. Meanwhile, a serious malware attack, with a long period of systems outage, could lead to you haemorrhaging revenue.

Likewise, the reputational damage to any MSP successfully breached could be grave. Most MSPs pride themselves on their strong security and market themselves to customers on that basis. So news of an attack could seriously weaken customer trust, leading to a PR nightmare and potential loss of revenue.

We’ve dealt with the direct consequences, let’s move on to indirect. As we mentioned earlier, the major reason why cybercriminals are targeting MSPs is due to their customer base. And it’s your customers who could be the most affected by an attack.

A real-world example of this is the REvil ransomware attack on Kaseya, the MSP software provider. The breach spread to dozens of MSPs and over 1,500 of their customers, illustrating just how fast an attack could get out of control.

What can MSPs do to protect themselves and their customers? 

We’ve painted a pretty terrifying portrait so far. However, just because the consequences can be dire, it doesn’t mean there aren’t things you can do to protect your business and customers. Here are a few of the most important.

Set up multi-factor authentication (MFA)

MFA is an authentication method that requires two or more independent proofs of identity to sign in: something you know (a password), something you have (a code from an authenticator app, a one-time code sent by SMS, or a hardware security key) and something you are (a fingerprint). Instead of just asking for your username and password, the service asks for one of these extras as well. 

MFA is one of the most effective single controls against account takeover. Passwords alone are exposed by data leaks and brute-force attacks; with MFA, a stolen password on its own isn’t enough to get in. It isn’t unbreakable, though. SMS codes can be intercepted or phished (the smishing tactics covered elsewhere on this page work just as well for one-time codes), so prefer authenticator apps or hardware keys, and enforce MFA on every admin and remote-access account, above all on the tools you use to reach customer networks. 

Back up your systems and data

Backing up your systems and data can provide you with a vital failsafe after an attack. In some cases, it can even help you avoid having to pay a ransom. And, when it comes to what to back up, use this simple rule of thumb: ‘anything you don’t want to lose, back up’.

For more on how to do it, read this.

Segregate networks 

Both you and your customers should separate networks, systems and credentials as much as possible. What do we mean by that? One example is to never reuse admin credentials across multiple customers or systems: each customer environment gets its own admin accounts, so one stolen password doesn’t open every door.

Another is to ensure that no one has access or privileges beyond what they need to do their job, and that customer networks can’t reach each other or your own internal network except through the management tools you deliberately use. That might sound harsh but, in the event of an attack, it’ll allow you to isolate affected systems, customers, or accounts rather than losing everything at once.

Train staff

At CyberSmart, we’re constantly pushing the importance of training. After all, if your staff don’t know which security behaviours are harmful or don’t know the warning signs of an attack, they’ll struggle to protect themselves or your business.

Training can fix this. And it’s probably the single most important thing you can do as a business. Find out more here.

Develop incident response plans

A successful attack on your business isn’t inevitable. Nevertheless, statistically, it is likely. So you need a coherent, easy-to-action response plan, in case the worst does happen.

You’ll also need to encourage or help your customers to develop their own. Currently, just 4% of MSPs report that all their clients have an incident response plan. And, this means thousands of weak links across the IT sector. 

Regularly patch software

Patching or updating the software you use, so that it doesn’t have easily exploited weak points, is incredibly simple but very important. Over time, vulnerabilities are found in even the best software, and unpatched versions are exactly what automated attacks go looking for. Applying the patches released by the software provider fixes this.

Think of it as being like fixing a puncture. You apply the patch so no air can leak out. Updating your software does the same thing, closing the hole before someone finds it. 

The best part? It won’t take you anywhere near as long as fixing a puncture. Turn on automatic updates wherever you can and you’re mostly done. For anything that can’t update itself, Cyber Essentials expects patches for high and critical vulnerabilities to be applied within 14 days of release, which is a sensible target for every business. 

Map your supply chain risks

Last of all, understand your supply chain risks. Assuming you’ve locked down your own cybersecurity, identify who among your customers or suppliers could pose a risk. Alongside this, talk to your customers and partners about their cybersecurity. The best defence against threats is a unified approach and common strategy.


The State of UK SME cybersecurity

UK SMEs have faced a turbulent few years. The COVID-19 pandemic altered the way many of us work forever. The conflict between Russia and the international community has raised the spectre of cyber attacks on UK businesses. And cyber threats for SMEs continue to rise.

So with all these factors in play, how are the UK’s SMEs managing? Has the rise in remote working led to a change in cybersecurity practices? How often are SMEs facing cyber threats? Most importantly, what can they do to better protect themselves?

To answer some of these questions, Gartner-owned Software Advice – a company that provides advisory services, research, and user reviews on software applications – surveyed 500 managers at UK SMEs.

And we’ve teamed up with Software Advice to bring you the results. 

What’s in the guide?

Using the data provided by Software Advice, we tackle:

  • How often SMEs are being attacked
  • The impact of COVID-19 on SME cybersecurity
  • The biggest threats facing SMEs
  • The consequences of a breach on SMEs
  • What SMEs are most worried about
  • How effective SMEs’ defences are
  • What SMEs can do to better protect themselves

And much, much more.

Where can you get a copy?

As this is such important data for the entire cybersecurity industry, we’re offering our guide free to anyone who finds it useful. All you need to do to get your copy is download it here.

7 key takeaways from the DCMS Cybersecurity Breaches Survey 2022

Each year, the Department for Digital, Culture, Media and Sport (DCMS) releases its Cybersecurity Breaches Survey. It’s fast become one of the most influential cybersecurity reports around, driving government policy and the National Cyber Strategy.

The Cybersecurity Breaches Survey covers everything from threats to the processes businesses use to protect themselves and takes in everything from schools to start-ups. However, it’s also a very long report, with lots of tables, graphs and references – not something that’s easily digestible during your lunch hour.

So, to save you the trouble, we’ve pulled together the key takeaways for SMEs.

1. The number of cyberattacks stays stable

It’s no secret that during the first year of the COVID-19 pandemic the number of attacks on UK businesses skyrocketed. DCMS figures from 2020 show that 46% of UK businesses reported a cyberattack, up from 32% the previous year.

However, the number declined in 2021 to 39% and it’s stayed stable at the same figure this year. That might sound like great news, but there are some caveats. First of all, 39% is still too many; that’s more than a third of all UK businesses being attacked in any given year.

On top of this, there’s a chance that the figures, while accurate, don’t tell the whole story. As the report states, the better your cyber defences, the more likely you are to detect and report an attack. This suggests that smaller organisations and those with less sophisticated defences might be underreporting attacks.

2. Phishing remains the most common type of attack 

One of the most important findings of the Cybersecurity Breaches Survey is just how common social engineering attacks, particularly phishing scams, have become. Of the organisations that identified an attack in the last 12 months, 83% said it involved some form of phishing. And this was followed, some way behind, by impersonation-style social engineering attacks with 67%.

What does this tell us?

Well, it tells us that cybercriminals have hit upon a formula that works for targeting businesses big and small. But that’s not all. It also teaches us that security training for staff has never been more important. With most cybercriminals using some form of social engineering attack, your people need to be able to spot the signs and recognise threats when they see them.

3. Few businesses are taking the supply-chain threat seriously

We’ve covered the risk posed by supply chains at length (if you haven’t already, read this). According to research, up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to target high-profile businesses, you don’t need to attack the organisation itself.

Big corporate enterprises often have the best in cybersecurity tools and processes, so breaching their defences is difficult. However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it.

Despite this, only 13% of businesses assessed the risks posed by their immediate suppliers. In fact, few considered cybersecurity an important factor in the procurement process. 

4. Getting hacked costs a lot

This might not come as surprise but a successful cyber breach can really hit your business in the pocket. The average cost of a breach across businesses of all sizes is £4,200, with a figure of £3,080 for SMEs. The news is even worse if you’re a medium or large-sized business. The average figure for firms of this size stands at an eye-watering £19,400.

It’s worth noting that only one in five businesses suffer any negative consequences as a result of a breach. But, with 31% of businesses reporting that they’re attacked at least once a week, the chances of being part of that one in five are high.

5. Most small businesses don’t have a cybersecurity strategy

To be clear, the lack of a formal cybersecurity policy isn’t just a problem for small businesses; just 23% of all businesses have one. Nevertheless, the trend is much more severe among smaller businesses. While 57% of large firms have a formal strategy, just 20% of micro firms and 37% of small firms have one.

And it’s not just an overarching strategy that’s missing. Most businesses don’t have a clear plan in place for what to do if the worst happens. Just 19% of businesses surveyed said they had a formal incident response plan. 

This makes for worrying reading. It suggests that, in those crucial first few minutes and hours after an incident, too many businesses aren’t dealing with the threat in an organised way, handing a huge advantage to the bad guys. 

6. Ransomware confusion reigns

One of the worst questions any business has to answer is what to do in the event of a successful ransomware attack. Do you pay out? Or do you play hardball with the ransomers?

Although it’s a tricky question, it’s crucial to have a policy one way or another. However, one in five businesses (19%) stated they weren’t sure what they would do. On top of this, many small businesses still believe that ransomware isn’t a threat, either because they are ‘too small’ or have ‘nothing of value’ to steal.

7. Cyber Essentials uptake is still low

Unless this is your first CyberSmart blog, you’ll know we talk about Cyber Essentials certification constantly. It’s the single most important thing a small business can do to improve its cybersecurity.

But, unfortunately, the uptake of Cyber Essentials is still very low. Only 6% of businesses have the Cyber Essentials certification and just 1% have Cyber Essentials Plus. Unfortunately, this is likely a problem of awareness. Although every business could benefit from taking the certification, too few are aware of its existence. This needs to change, and fast.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cybersecurity.
