Key takeaways from the CyberSmart SME cost of living crisis report

The current economic climate has seen better days, but how are the UK’s small businesses weathering the storm? At CyberSmart, we’re curious about how the cost of living crisis has impacted cybersecurity and people in small businesses.

We tasked Censuswide with surveying 1,000 UK SMEs to find out how they’re coping. What followed is our ‘SME cost of living crisis report’. It explores:

  • How confident businesses are about weathering the economic storm
  • The financial limitations impacting businesses
  • The impact on employees
  • The key impacts on cybersecurity
  • The state of cybersecurity investments 
  • How SMEs can approach cybersecurity in the cost of living crisis

Despite economic conditions, cybersecurity in your business doesn’t need to be all doom and gloom. Our report gives you the knowledge and understanding of the current climate to proactively protect your business. To help you, here are our key takeaways from the report. 

Want to read the report in full? Get your copy here.

1. Cost-conscious businesses are looking for value

Small businesses must be cost-conscious. Careful budgeting and knowing when to invest is key to survival. And this means many small business leaders won’t invest in cybersecurity unless they know the payoff is worthwhile. 

Understanding the benefits of strong cybersecurity is key in these conditions. Without a good level of understanding, decision-makers will overlook its importance.

2. Economic uncertainty raises threat levels 

Even though businesses are overlooking the importance of cybersecurity, nearly half of UK SMEs (47%) believe they’re at greater risk of a cyberattack since the onset of the cost of living crisis. 

Economic uncertainty has led to mistrust, too. 38% of leaders are worried about malicious insider threats from employees, while 32% blame higher rates of supply chain fraud. It seems that mistrust comes from inside and outside.

This is why increasing cybersecurity protocols and governance offers real business value. It provides much-needed reassurance that business data is safe, no matter where threats come from.

3. The employee skill gap is causing mistrust

Your employees are a line of defence when it comes to cybersecurity. But you must equip them with the tools and knowledge to counter potential attacks. 

80% of respondents said that their employees do not fully understand why it is important to keep confidential information secure. And this lack of cybersecurity knowledge is the leading reason for mistrust.

The cybersecurity skills gap is a prominent source of uncertainty. Of the 620 SME leaders who claimed to trust their employees, 25% still believe that staff pose the greatest security risk.

4. SMEs are missing important cybersecurity policies 

We noticed that a lack of trust in employees, their cybersecurity knowledge, and no clear internal policies have an underlying impact on small businesses, so we did some digging.

Only 54% of SMEs have clear policies and procedures for sharing information and gaining access to confidential information. This means that just under half of SMEs don’t have these important cybersecurity policies at all.

It’s not surprising that leaders demonstrate a lack of trust in their employees, especially when there’s no guidance for the employees in the first place. Here, cybersecurity concerns form a vicious circle: an important gap in employee knowledge compounded by a lack of policies.

5. Basic measures can help to protect businesses

The report reveals that fixing basic, underlying issues can help alleviate the cybersecurity concerns as a result of the cost of living crisis. These issues are:

  • Lack of employee cybersecurity training and resulting cyber confidence 
  • Missing cybersecurity policies, or too few policies 
  • Misunderstanding of the value of cybersecurity tools 

Luckily, investing in cybersecurity doesn’t have to cost the earth. Instead, SMEs must be smart about their investments and increase cyber confidence for their employees.

Our report takes an in-depth look at these steps and how SMEs can implement them. These steps can help increase cyber confidence in your business and protect against cybersecurity threats.

Cyber confidence is key in the cost of living crisis

Uncertain economic conditions can make even the most stable business leaders feel on edge. Improving cybersecurity governance can help decision-makers protect their business and provide much-needed reassurance that their cybersecurity is under control. 

Read our report today to learn more about the current concerns of SMEs in the cost of living crisis, and how to mitigate cybersecurity threats.

The 7 biggest challenges of ISO 27001 certification

It takes months of hard work to meet the rigorous standards outlined by ISO 27001. But if you think it’s the right move for your business, then these are the challenges you should be aware of before starting your journey.

What is ISO 27001?

ISO 27001 is an international information security standard. It was first published by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and revised in 2013.

The standard contains 10 management system clauses and 114 information security controls. These provide businesses with impartial, best-practice guidance on building, deploying, and maintaining a robust information security management system (ISMS). ISO 27001’s guidelines cover all key areas in your business, including people, processes, and tools.

ISO 27001 is more comprehensive than similar security certifications, like Cyber Essentials. It isn’t mandatory for UK SMEs, but there are several benefits:

The benefits of ISO 27001 certification

  • Protect your business and customers from cybersecurity threats
  • Reassure customers
  • Enhance your reputation
  • Avoid the financial penalties associated with data breaches

Want to protect your business but unsure where to start? Check out our free guide to cybersecurity certifications in the UK.

7 Common challenges of ISO 27001 certification

1. Understanding the guidelines

ISO 27001 is complex. Annex A of ISO 27001 contains 114 controls. These cover everything from information security protocols to incident management and business continuity. It’s a lot to take in and leaves many businesses asking the question: “where do I start?”

2. Building a security framework

Before embarking on ISO 27001 certification, you should have a robust information security framework in place. This outlines your cybersecurity policies, as well as the processes and tools you use to protect sensitive data from potential threats. It also explains what to do in the event of a security breach.

Auditors assess cybersecurity risks against this framework. If you don’t have one, you’ll have to build it from scratch. This is a significant undertaking and can set your project back by several months.

3. Identifying security gaps

What does your current information security ecosystem look like? It’s a simple question, but unless you review your processes, policies, and tools regularly, it’s difficult to get the complete picture you need to spot potential blind spots in your defences.

This is problematic for two reasons:

  1. It’s difficult to see where you should focus your efforts
  2. You might waste time on unnecessary tasks

You wouldn’t be the first business to spend days writing a new bring-your-own-device policy, only to discover you already have one hidden in a rarely used SharePoint folder. A comprehensive gap analysis can provide you with the information you need. But it requires the cooperation and support of every department to make sure nothing falls through the cracks.

4. Establishing responsibilities and ownership

You might think the ISO 27001 certification process is the sole responsibility of the IT department. But that’s not always the case.

ISO 27001 isn’t only about anti-virus software and data protection. It encompasses everything from helping individual team members understand their responsibilities and physical controls to managing supplier risks and compliance. 

The COO, operations teams, and HR all have a role to play in helping you achieve ISO 27001 certification.

5. Getting stakeholder buy-in

ISO 27001 certification is a long, intensive, and expensive process. You’ll have to put up with plenty of disruption along the way, and this can be a deal-breaker for some stakeholders. If your business has always worked in a certain way – and succeeded – stakeholders might justifiably ask: “is ISO 27001 worth the hassle?”

Many SMEs wrongly assume that they’re too small to be targeted by hackers, but that simply isn’t the case. 39% of UK businesses reported cyber breaches in 2021 and data suggests they’re on the rise.

You can overcome these objections by building a business case that outlines the value of ISO 27001 certification. This includes the benefits of ISO certification, such as stronger information security processes and enhancing your reputation.

6. Having no project plan

Attempting ISO 27001 certification without a plan is like trying to hit a bullseye while wearing a blindfold. You’ll hit the target eventually, but it’ll take longer and require considerably more effort.

ISO 27001 is a complex and time-consuming process. Successful ISO 27001 certification is a business-wide effort, and that means you need a project roadmap to:

  • Split the project into smaller, more manageable steps
  • Provide clear timelines for delivery
  • Ensure everyone’s on the same page

7. Implementing the project

One of the biggest challenges of ISO 27001 certification is implementing the project. SMEs typically lack the internal skills and knowledge to make the changes required by the ISO.

The key to a successful ISO 27001 implementation is to provide internal teams with the relevant security training, so they can implement the changes with confidence. Alternatively, you could work with a third-party auditor to make sure you’re moving in the right direction.

Is ISO 27001 right for my business?

It depends. Most businesses that embark on ISO 27001 certification are enterprises that have an information security framework in place and are ready to add another layer of protection. They also have the resources to implement the required changes.

For most UK SMEs, ISO 27001 is a nice-to-have rather than a necessity. Cyber Essentials and Cyber Essentials Plus provide all the security you need to defend your business against the most common cyber threats, like phishing scams and human error.

We certainly wouldn’t recommend attempting ISO 27001 until you’ve completed Cyber Essentials at the very least. Cyber Essentials accreditation isn’t a prerequisite for ISO 27001. But starting with ISO is like trying to run before you can walk.

Still unsure which certification is best for your business? Check out our in-depth guide to cybersecurity certifications in the UK.

How to achieve Cyber Essentials certification when your business works remotely

If your business has employees who are hybrid or remote workers, you need to ensure their devices are secure and meet the requirements of Cyber Essentials. Cyber Essentials is the UK standard for organisations to follow to remain safe and secure from cybersecurity threats, and its requirements continue to be updated. Here’s how to make sure you’re covered when working remotely.

What are the steps to achieve Cyber Essentials certification remotely?

  1. Make sure your employee networks meet Cyber Essentials requirements
  2. List the equipment that each remote employee is using
  3. Check software and licenses are up to date

What is a network?

Any single device connected to a router can be considered a network. For the purpose of Cyber Essentials, your ‘network’ is the devices linked to share resources, exchange files, or allow communication. 

For example, think of your office printer. Rather than setting up a single printer for every employee, you’ll have a single printer that everyone can use (and you’ll argue over whose turn it is to change the toner). This is the perfect example of a network.

What does a network look like in practice?

Most offices and workplaces use a Local Area Network (LAN). A LAN is usually confined to a small geographic area, say an office in Bow or a warehouse in Bolton. A LAN allows every device within the network to use a single internet connection, share files, and access or control other devices. 

It’s possible to connect everything from printers and phones to smart TVs, speakers, and security cameras. You can even connect the office fridge. 

Unsure which certification is best for you? Check out our guide to cybersecurity certifications in the UK.

How to get Cyber Essentials certified when working remotely

1. Check employee networks meet Cyber Essentials requirements

We’ve just gone through what a network is. However, with remote working, networks might look a little different. 

Any device connected to a router is considered a network. With multiple remote workers, you’ll have multiple networks. 

All you need to do is ensure that each router meets the requirements of Cyber Essentials. For example, you should ask each employee to change the default password on their router.

2. List your remote employee equipment 

Question A2.8 of the Cyber Essentials assessment will require you to list all of your network equipment. But don’t worry, it’s pretty simple.

All you need to do is list the equipment each employee is using, as if you were in the office. 

What might this look like in practice? Let’s imagine a company with ten staff working from home. An equipment list will look something like this:

  • 2 x Sky broadband with Sky router
  • 6 x BT broadband with BT hub router
  • 1 x TalkTalk broadband with TalkTalk router
  • 1 x Virgin Media broadband with Virgin Media router

3. Check software and licenses are up to date

Any devices that home workers use to access organisation information should be covered by Cyber Essentials. And the software and licenses you use should be too. 

Make sure that software and licenses are:

  • Up to date, licensed, and supported
  • Removed from devices when they become unsupported
  • Set to update automatically where possible

But what about other elements of the Cyber Essentials assessment process? Fortunately, as the entire assessment can be conducted remotely, you can complete the process no matter where your staff are working from. 

Hopefully, we’ve cleared up most of the confusion surrounding networks and Cyber Essentials. However, if you have any further questions, please don’t hesitate to get in touch with our team. 

And, you can always find out more about which certification is right for you by downloading our guide to cybersecurity certifications in the UK.

What to Expect from a Cyber Essentials Plus Audit

If you’re looking to validate your cybersecurity and data protection processes, a Cyber Essentials Plus certification could be right for you.

You might decide to go for Cyber Essentials Plus accreditation because:

  • You want an independent assessment of your cybersecurity measures in addition to completing your self-assessment 
  • You want to show clients that data protection is a top priority
  • You work in an industry with higher-than-standard cybersecurity requirements

What’s the Difference Between Cyber Essentials and Cyber Essentials Plus?

For Cyber Essentials Plus, you’ll need a Cyber Essentials certification. To do this, you’ll build IT infrastructure and staff knowledge to meet standards across five categories:

  1. Firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

Then, you’ll take a self-assessment to get accredited. If you pass the self-assessment, you’ll be eligible to apply for Cyber Essentials Plus. 

Cyber Essentials Plus involves an independent audit of your devices, systems, and processes for extra validation – this is the key difference between Cyber Essentials and Cyber Essentials Plus.

Unsure which certification is best for you? Check out our guide to cybersecurity certifications in the UK.

What are the Benefits of a Cyber Essentials Plus Audit?

Some businesses find Cyber Essentials Plus more suitable because an independent assessment is more credible than a self-assessment. An objective, professional opinion ensures you’re as compliant as you think. It offers more peace of mind than you get with Cyber Essentials.

The verification of compliance also makes the certification more trustworthy for prospective and existing clients as there’s some external proof that you take cybersecurity and data management seriously. 

What to Expect from the Auditor

An auditor will assess a sample of your devices on-site or virtually to check they’re configured correctly. They’ll:

  • Confirm your devices
  • Scan devices to identify vulnerabilities using Nessus Professional scanning software
  • Observe how devices process emails with test attachments
  • Observe how devices handle downloads of file attachments from test websites
  • Check the installation and configuration of anti-virus software
  • Test Multi-Factor Authentication on applicable cloud services
  • Test how well your default browsers block malicious activity
  • Confirm account separation between admin and user accounts
  • Capture screenshots for evidence

How to prepare for the audit

Here are some practical ways to prepare for your audit.

Check your software

  • Update software on all devices, including servers
  • Download and install the 7-day trial of Nessus Professional, if you don’t have it already. This means the auditor can complete a Credentialed Patch Scan. If you have an alternative PCI-approved scanning tool already, please speak to your auditor
  • If you use the 7-day trial, create an account and download plugins to complete installation.
  • Remove software you don’t use regularly from every device, e.g., old browsers like Firefox

If you run Windows:

  • Enable file and print sharing. You can find this option in advanced sharing settings

If you run Windows 10:

  • Set the Windows service “RemoteRegistry” start-up type to “manual”. Access this by typing “services” in the home screen search bar

Create a new registry value:

  • Type “regedit” in the home screen search bar
  • Hive and key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • On System, right click and select New –> DWORD (32-bit) Value / REG_DWORD
  • Value name: LocalAccountTokenFilterPolicy
  • Value data: 1 (decimal)
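The Windows steps above can be applied and verified from an elevated PowerShell session. This is an added example, not CyberSmart’s or the auditor’s own script; it assumes a Windows 10 workstation whose firewall and registry are not locked by group policy, and it adds a revert function the article does not mention, because the registry value relaxes UAC remote restrictions and should not outlive the audit.

```powershell
# Added example (not from the CyberSmart article): apply, check and later
# undo the Windows audit-preparation settings listed above.
# Assumes an elevated session on a Windows 10 workstation.

$regPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'LocalAccountTokenFilterPolicy'

function Enable-AuditPrep {
    # 1. RemoteRegistry start-up type "manual", as the article asks.
    Set-Service -Name 'RemoteRegistry' -StartupType Manual

    # 2. File and printer sharing (the GUI route is "advanced sharing
    #    settings"); here we enable the matching firewall rule group.
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

    # 3. The DWORD value the article specifies, data 1 (decimal).
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function Test-AuditPrep {
    # Report each setting so you can confirm the state before the auditor arrives.
    $svcOk = (Get-Service -Name 'RemoteRegistry').StartType -eq 'Manual'
    $fwOk  = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
               Where-Object Enabled -eq 'True').Count -gt 0
    $regOk = (Get-ItemProperty -Path $regPath -Name $valueName `
               -ErrorAction SilentlyContinue).$valueName -eq 1
    [PSCustomObject]@{
        RemoteRegistryManual   = $svcOk
        FileSharingRuleEnabled = $fwOk
        TokenFilterPolicySet   = $regOk
        ReadyForAudit          = ($svcOk -and $fwOk -and $regOk)
    }
}

function Disable-AuditPrep {
    # Added caveat: return the machine to a locked-down state after the audit.
    Remove-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    Set-Service -Name 'RemoteRegistry' -StartupType Disabled
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
}

Enable-AuditPrep
Test-AuditPrep
```

Run `Disable-AuditPrep` once the auditor confirms the scan is complete.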

If you run macOS:

  • Enable file sharing and remote login. You’ll find these options in System Preferences –> Sharing
  • Update AV engines and signature files. If you use an enterprise management dashboard to do this, even better
  • Activate and update AV plugins for every browser

The auditor will ask you for:

  • Administrator-level domain access. Create a new admin account for the audit or ensure an admin is there to help
  • A list of all in-scope devices and operating systems. If you use Windows 10, run a registry edit so the auditor can complete a scan
  • User email addresses for the email/web tests
  • A signed consent form

Need More Support?

If you’re not ready for a Cyber Essentials Plus audit or need some advice on which accreditation is right for you, there’s plenty of help available. Don’t rush into it. It’s important to pick based on your industry, goals, size, and the benefits you’ll experience from getting certified. It’s always good to prove your cybersecurity credentials, but that doesn’t always mean going for the most advanced accreditation.

And, you can always find out more about which certification is right for you by downloading our guide to cybersecurity certifications in the UK.
