The current economic climate has seen better days, but how are the UK’s small businesses weathering the storm? At CyberSmart, we’re curious about how the cost of living crisis has impacted cybersecurity and people in small businesses.

We tasked Censuswide with surveying 1,000 UK SMEs to find out how they’re coping. What followed is our  ‘SME cost of living crisis report’. It explores:

• How confident businesses are about weathering the economic storm
• The financial limitations impacting businesses
• The impact on employees
• The key impacts on cybersecurity
• The state of cybersecurity investments 
• How SMEs can approach cybersecurity in the cost of living crisis

Despite economic conditions, cybersecurity in your business doesn’t need to be all doom and gloom. Our report gives you the knowledge and understanding of the current climate to proactively protect your business. To help you, here are our key takeaways from the report. 

Want to read the report in full? Get your copy here.

1. Cost-conscious businesses are looking for value

Small businesses must be cost-conscious. Careful budgeting and knowing when to invest is key to survival. And this means many small business leaders won’t invest in cybersecurity unless they know the payoff is worthwhile. 

Understanding the benefits of strong cybersecurity is key in these conditions. Without a good level of understanding, decision-makers will overlook its importance.

Understanding the benefits of strong cybersecurity is key in these conditions. Without a good level of understanding, decision-makers will overlook its importance.

2. Economic uncertainty raises threat levels 

Even though businesses are overlooking the importance of cybersecurity, nearly half of UK SMEs (47%) believe they’re at greater risk of a cyberattack since the onset of the cost of living crisis. 

Economic uncertainty has led to mistrust, too. 38% of leaders are worried about malicious insider threats from employees, while 32% blame higher rates of supply chain fraud. It seems that mistrust comes from inside and outside.

This is why increasing cybersecurity protocols and governance offers real business value. It provides much-needed reassurance that business data is safe, no matter where threats come from.

3. The employee skill gap is causing mistrust

Your employees are a line of defence when it comes to cybersecurity. But you must equip them with the tools and knowledge to counter potential attacks. 

80% of respondents said that their employees do not fully understand why it is important to keep confidential information secure. And this lack of cybersecurity knowledge is the leading reason for mistrust.

The cybersecurity knowledge skills gap is a prominent factor for uncertainty. Of the 620 SME leaders who claimed to trust their employees, 25% still believe that staff pose the greatest security risk.

4. SMEs are missing important cybersecurity policies 

We noticed that a lack of trust in employees, their cybersecurity knowledge, and no clear internal policies have an underlying impact on small businesses, so we did some digging.

Only 54% of SMEs have clear policies and procedures for sharing information and gaining access to confidential information. This means that just under half of SMEs don’t have important cybersecurity policies, at all. 

It’s not surprising that leaders demonstrate a lack of trust in their employees, especially when there’s no guidance for the employees in the first place. Here, cybersecurity concerns appear as a vicious circle, and there’s an important gap in employee knowledge and a lack of policies.

5. Basic measures can help to protect businesses

The report reveals that fixing basic, underlying issues can help alleviate the cybersecurity concerns as a result of the cost of living crisis. These issues are:

• Lack of employee cybersecurity training and resulting cyber confidence 
• Missing cybersecurity policies, or too few policies 
• Misunderstanding of the value of cybersecurity tools 

Luckily, investing in cybersecurity doesn’t have to cost the earth. Instead, SMEs must be smart about their investments and increase cyber confidence for their employees.

Our report takes an in-depth look at these steps and how SMEs can implement them. These steps can help increase cyber confidence in your business and protect against cybersecurity threats.

Cyber confidence is key in the cost of living crisis

Uncertain economic conditions can make even the most stable business leaders feel on edge. Improving cybersecurity governance can help decision-makers protect their business and provide much-needed reassurance that their cybersecurity is under control. 

Read our report today to learn more about the current concerns of SMEs in the cost of living crisis, and how to mitigate cybersecurity threats.

It takes months of hard work to meet the rigorous standards outlined by ISO 27001. But if you think it’s the right move for your business, then these are the challenges you should be aware of before starting your journey.

What is ISO 27001?

ISO 27001 is an international information security standard. It was first published by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and revised in 2013.

The standard contains 10 management system clauses and 114 information security controls. These provide businesses with impartial, best-practice guidance on building, deploying, and maintaining a robust information security management system (ISMS). ISO 27001’s guidelines cover all key areas in your business, including people, processes, and tools.

ISO 27001 is more comprehensive than similar security certifications, like Cyber Essentials. It isn’t mandatory for UK SMEs, but there are several benefits:

The benefits of ISO 27001 certification

• Protect your business and customers from cybersecurity threats
• Reassure customers
• Enhance your reputation
• Avoid the financial penalties associated with data breaches

Want to protect your business but unsure where to start? Check out our free guide to cybersecurity certifications in the UK.

7 Common challenges of ISO 27001 certification

1. Understanding the guidelines

ISO 27001 is complex. Annex A of ISO 27001 contains 114 controls. These cover everything from information security protocols to incident management and business continuity. It’s a lot to take in and leaves many businesses asking the question: “where do I start?”

2. Building a security framework

Before embarking on ISO 27001 certification, you should have a robust information security framework in place. This outlines your cybersecurity policies, as well as the processes and tools you use to protect sensitive data from potential threats. It also explains what to do in the event of a security breach.

Auditors assess cybersecurity risks against this framework. If you don’t have one, you’ll have to build it from scratch. This is a significant undertaking and can set your project back by several months.

3. Identifying security gaps

What does your current information security ecosystem look like? It’s a simple question, but unless you review your processes, policies, and tools regularly, it’s difficult to get the complete picture you need to spot potential blind spots in your defences.

This is problematic for two reasons:

1. It’s difficult to see where you should focus your efforts
2. You might waste time on unnecessary tasks

You wouldn’t be the first business to spend days writing a new bring-your-own-device policy, only to discover you already have one hidden in a rarely used SharePoint folder. A comprehensive gap analysis can provide you with the information you need. But it requires the cooperation and support of every department to make sure nothing falls through the cracks.

4. Establishing responsibilities and ownership

You might think the ISO 27001 certification process is the sole responsibility of the IT department. But that’s not always the case.

ISO 27001 isn’t only about anti-virus software and data protection. It encompasses everything from helping individual team members understand their responsibilities and physical controls to managing supplier risks and compliance. 

The COO, operations teams, and HR all have a role to play in helping you achieve ISO 27001 certification.

5. Getting stakeholder buy-in

ISO 27001 certification is a long, intensive, and expensive process. You’ll have to put up with plenty of disruption along the way, and this can be a deal-breaker for some stakeholders. If your business has always worked in a certain way – and succeeded – stakeholders might justifiably ask: “is ISO 27001 worth the hassle?”

Many SMEs wrongly assume that they’re too small to be targeted by hackers, but that simply isn’t the case. 39% of UK businesses reported cyber breaches in 2021 and data suggests they’re on the rise.

You can overcome these objections by building a business case that outlines the value of ISO 27001 certification. This includes the benefits of ISO certification, such as stronger information security processes and enhancing your reputation.

6. Having no project plan

Attempting ISO 27001 certification without a plan is like trying to hit a bullseye while wearing a blindfold. You’ll hit the target eventually, but it’ll take longer and require considerably more effort.

ISO 27001 is a complex and time-consuming process. Successful ISO 27001 certification is a business-wide effort, and that means you need a project roadmap to:

• Split the project into smaller, more manageable steps
• Provide clear timelines for delivery
• Ensure everyone’s on the same page

7. Implementing the project

One of the biggest challenges of ISO 27001 certification is implementing the project. SMEs typically lack the internal skills and knowledge to make the changes required by the ISO.

The key to a successful ISO 27001 implementation is to provide internal teams with the relevant security training, so they can implement the changes with confidence. Alternatively, you could work with a third-party auditor to make sure you’re moving in the right direction.

Is ISO 27001 right for my business?

It depends. Most businesses that embark on ISO 27001 certification are enterprises that have an information security framework in place and are ready to add another layer of protection. They also have the resources to implement the required changes.

For most UK SMEs, ISO 27001 is a nice to have rather than a necessity. Cyber Essentials and Cyber Essentials Plus provide all the security you need to defend your business against the most common cyber threats, like phishing scams and human error.

We certainly wouldn’t recommend attempting ISO 27001 until you’ve completed Cyber Essentials at the very least. Cyber Essentials accreditation isn’t a prerequisite for ISO 27001. But starting with ISO is like trying to run before you can walk.

Still unsure which certification is best for your business? Check out our in-depth guide to cybersecurity certifications in the UK.

If your business has employees who are hybrid or remote workers, you need to ensure their devices are secure and meet the requirements of Cyber Essentials. Cyber Essentials is the UK standard for organisations to follow to remain safe and secure from cybersecurity threats, and its requirements continue to be updated. Here’s how to make sure you’re covered when working remotely.

What are the steps to achieve Cyber Essentials certification remotely?

1. Make sure your employee networks meet Cyber Essentials requirements
2. List the equipment that each remote employee is using
3. Check software and licenses are up to date

What is a network?

Any single device connected to a router can be considered a network. For the purpose of Cyber Essentials, your ‘network’ is the devices linked to share resources, exchange files, or allow communication. 

For example, think of your office printer. Rather than setting up a single printer for every employee, you’ll have a single printer that everyone can use (and you’ll argue over whose turn it is to change the toner). This is the perfect example of a network.

What does a network look like in practice?

Most offices and workplaces use a Local Area Network (LAN). A LAN is usually confined to a small geographic area, say an office in Bow or a warehouse in Bolton. A LAN allows every device within the network to use a single internet connection, share files, and access or control other devices. 

It’s possible to connect everything from printers and phones to smart TVs, speakers, and security cameras. You can even connect the office fridge. 

Unsure which certification is best for you? Check out our guide to cybersecurity certifications in the UK.

How to get Cyber Essentials certified when working remotely

1. Check employee networks meet Cyber Essentials requirements

We’ve just gone through what a network is. However, with remote working, networks might look a little different. 

Any device connected to a router is considered a network. With multiple remote workers, you’ll have multiple networks. 

All you need to do is ensure that each router meets the requirements of cyber essentials. For example, you should ask each employee to change the default password on their router. 

2. List your remote employee equipment 

Question A2.8 of the Cyber Essentials assessment will require you to list all of your network equipment. But don’t worry, it’s pretty simple.

All you need to do is list the equipment each employee is using, as if you were in the office. 

What might this look like in practice? Let’s imagine a company with ten staff working from home. An equipment list will look something like this:

• 2 x Sky broadband with Sky router
• 6 x BT broadband with BT hub router
• 1 x TalkTalk broadband with TalkTalk router
• 1 x Virgin Media broadband with Virgin Media router
  
  

3. Check software and licenses are up to date

Any devices that home workers use to access organisation information should be covered by Cyber Essentials. And the software and licenses you use should be too. 

Make sure that software and licenses are:

• Up to date, licensed, and supported
• Removed from devices when they become unsupported
• Set to update automatically where possible

But what about other elements of the Cyber Essentials assessment process? Fortunately, as the entire assessment can be conducted remotely, you can complete the process no matter where your staff are working from. 

Hopefully, we’ve cleared up most of the confusion surrounding networks and Cyber Essentials. However, if you have any further questions, please don’t hesitate to get in touch with our team. 

And, you can always find out more about which certification is right for you by downloading our guide to cybersecurity certifications in the UK.

Cyber Essentials Plus Audit

Here at CyberSmart, we understand that organisations would like a bit more information on how the Cyber Essentials Plus process works. So, to demystify the process, we’ve put together this guide. 

The Cyber Essentials Plus audit aims to secure your business from known vulnerabilities, safeguarding your customers’ data. This not only helps ensure your business is working safely, but also builds trust with your customers and can help you win new business.

The first step in completing the Cyber Essentials Plus audit is to let our team know that you are ready to be sent the information for this assessment.

How To Schedule a Cyber Essentials Plus Audit  

Once you have confirmed, you’re ready to begin your Cyber Essentials Plus journey. We’ll send you the Qualys agent to deploy to your devices. This agent will scan your machines for known vulnerabilities and compare them against the National Vulnerability Database. Any vulnerabilities found with a CVSSv3 score of 7 and higher (Critical/High) will need to be resolved. 

Unsure which certification is best for you? Check out our guide to cybersecurity certifications in the UK.

The Assessment Process

On the day of the assessment, the following will take place:

• Internal vulnerability credentialed patch audit scan of all sample devices in scope using Qualys.  (unless you have your own PCI DSS approved scanner)
• External vulnerability scan of externally facing IPs/services
• Observing how devices process emails with test attachments – access to user device required via screen sharing. The email address of the user of the in-scope device will be required not a generic generated one for the assessment
• Observing how devices handle downloads of file attachments from our test websites – access to user devices is required via screen sharing.
• Checking the installation and configuration of anti-virus software.
• iOS / mobile checks (If in scope)
• Perform Multi-Factor Authentication (MFA) test on all listed Cloud Services provided in Cyber Essentials self-assessment to ensure MFA is enabled on Admin and User accounts
• Confirm Account separation between Admin and User accounts

Consent Form and Certificate

During the assessment, our assessors will carry out the Cyber Essentials Plus audit which includes a scan of your external IP addresses. Please note, that the scan can only be completed if you have signed our consent form. This will be emailed to you during the process.

It’s vital the consent form is returned to us before the day of the audit in order to ensure that it can be completed without delay. 

Once the audit has been successfully completed, our assessors will upload the results to IASME and issue your certificate.

Additional Resources

Your organisation is completely in charge of how quickly or slowly you want to take this process and our CX team is on hand to help at every stage. 

For more information on the Qualys agent please see our guide to deploying the Qualys agent.

Qualys Installation guide

If you have any questions on the Cyber Essentials Plus process please reach out to your account manager, or directly to our CX team through our Live Chat feature.